Importing Certificates of Devices

To enhance system security, you are advised to import the CA certificates of all devices before adding devices or systems (vCenter servers, FusionCompute components, storage devices, hosts, and email servers) to eReplication. If the CA certificates of devices are not imported, communication between eReplication and the devices and system communication are not affected. However, the system is exposed to spoofing risks. After CA certificates are imported, you need to restart eReplication for the certificates to take effect. You are advised to restart eReplication during off-peak hours.

Prerequisites

Context

  • The eReplication Server provides the key store bcm.keystore. You need to import CA certificates to this key store. In Linux, the key store is saved in the fixed path /opt/BCManager/Runtime/LegoRuntime/certs.
  • The CA certificate of the Agent is not preset on the eReplication Server. Therefore, you need to manually import the CA certificate (cacert.pem) of the Agent. For details about how to obtain the CA certificate of the Agent, see Exporting the eReplication Agent Server Certificate in the OceanStor BCManager 8.5.1 eReplication Agent Installation Guide.
  • Note the following when importing CA certificates to the eReplication Server:
    • If there are CA certificates of multiple levels, import all the CA certificates.
    • If multiple devices use the same CA certificate, import that CA certificate only once.
  • If the system reports a certificate alarm, restart the eReplication Server after CA certificates are imported.
  • Before stopping the eReplication Server, check whether a protection task or recovery plan is running on eReplication. If one is running, stop the server at a time when no protection task or recovery plan is running.
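
A pre-import check for the two rules in the notes above (import every level of a multi-level CA chain, and import a shared CA certificate only once), as an added example that is not part of the eReplication documentation. It reads the PEM files collected from the devices; the function names are hypothetical, issuer and subject names are compared as raw DER bytes (an assumption that holds when the CA encodes names consistently), and signatures are not verified.

```python
# Added example: helper names are hypothetical; names are matched as raw DER bytes.
import base64, hashlib, re, sys
from pathlib import Path

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_to_der(text):
    """Return every certificate in a PEM bundle as DER bytes."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(text)]

def _tlv(buf, off):
    """Read one DER element at off; return (tag, content_start, end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def issuer_subject(der):
    """Return the raw DER issuer and subject Names of an X.509 certificate."""
    _, off, _ = _tlv(der, 0)               # Certificate SEQUENCE
    _, off, _ = _tlv(der, off)             # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, off)
    if tag == 0xA0:                        # skip the optional [0] version field
        off = end
    names = []
    for i in range(5):   # serial, signature alg, issuer, validity, subject
        _, _, end = _tlv(der, off)
        if i in (2, 4):
            names.append(der[off:end])
        off = end
    return names[0], names[1]

def plan_import(ders):
    """Deduplicate CA certs by SHA-256; list certs whose issuer CA is absent."""
    unique = {}
    for der in ders:
        unique.setdefault(hashlib.sha256(der).hexdigest(), der)
    names = {fp: issuer_subject(der) for fp, der in unique.items()}
    subjects = {subj for _, subj in names.values()}
    missing = [fp for fp, (iss, _) in names.items() if iss not in subjects]
    return list(unique), missing

if __name__ == "__main__":
    ders = []
    for path in sys.argv[1:]:
        ders += pem_to_der(Path(path).read_text())
    unique, missing = plan_import(ders)
    print(f"{len(ders)} certificate(s) read, {len(unique)} unique to import")
    for fp in missing:
        print(f"issuer CA not in the set (chain incomplete): sha256 {fp}")
```

Run it with the collected PEM files as arguments; any fingerprint reported as incomplete means a higher-level CA certificate still has to be obtained before importing.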

If no CA certificate is imported or the device certificate expires, eReplication generates a certificate alarm by default. You can disable certificate alarming if you do not want eReplication to generate certificate alarms. For details about how to disable certificate alarming, see Disabling Certificate Alarming.

Procedure

For details about how to import a device CA certificate, see Importing a Client Certificate.

Follow-up Procedure

When the CA on a device is updated, you need to import the new CA certificate by referring to Importing a Client Certificate. To replace the old certificate, import the new certificate under the same alias as the old certificate.


Copyright © Huawei Technologies Co., Ltd.