When a storage system is communicating with an external device, you are advised to use the certificate verification mode to improve service security. It is recommended that you replace the default security certificate with a certificate applied from an official authority and replace the certificate that has expired or is about to expire in a timely manner. This section describes how to import and activate a certificate.
Context
- Only super administrators can import and activate certificates.
- In the multi-cluster scenario, when importing security certificates of the same type to different clusters, ensure that the certificate file, CA certificate file, and private key file imported to each cluster are the same.
- When updating the security certificate of an internal service, wait until the certificate update is complete (that is, until the system records a log indicating that the certificate update is successful or failed) before updating certificates in other scenarios.
- During certificate update, you must not scale in or out a cluster, replace components, or power on or off a cluster.
Prerequisites
- You have obtained the request file. For details, see Exporting a Certificate Signing Request (CSR) File.
- After exporting the request file, you have issued a certificate file through the CA and obtained the issued digital certificate and CA certificate of the CA:
- Issue a certificate using the built-in CA of the storage system:
- Issue a certificate by referring to Using Built-In CA to Issue Digital Certificates.
- Export the certificate file by referring to Exporting Issued Digital Certificates.
- Export the CA certificate file by referring to Exporting a Built-In CA Certificate.
- Use the customer's CA or a trusted third-party CA to issue a certificate: Send the request file to the customer's CA or a trusted third-party CA to generate a certificate file and obtain the CA certificate.
- Issue a certificate using the built-in CA of the storage system:
Procedure
- Choose Settings > Certificate > Certificate Management.
- Select a desired certificate and click Import and Activate.
- The prompt messages for importing and activating certificates vary in different scenarios. This online help uses importing and activating HyperMetro arbitration certificates as an example.
- When a customer updates the DeviceManager and DswareTool certificates, if a third-party NMS connects to the storage system through a RESTful interface and the customer wants to obtain the complete certificate chain information during link negotiation, the imported certificate must contain the complete certificate chain information. To obtain the complete certificate chain file, perform the following steps:
- Use Notepad to open the server certificate, intermediate CA certificate, and root CA certificate.
- Add the intermediate CA certificate and root CA certificate to the server certificate file based on the SSL certificate chain format. Generally, an organization describes the complete certificate chain format when issuing a certificate. For details, see related rules. The common format is as follows (there is no blank line between certificates):
Server certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate CA certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Root CA certificate
-----END CERTIFICATE-----
- Save the server certificate to obtain a certificate that contains a complete certificate chain.
- When importing the CA certificates of the Heterogeneous device access certificate and Heterogeneous device service certificate scenarios, you need to select a heterogeneous device.
If you want to add multiple heterogeneous devices with the same management IP address, import the same access CA certificate for each heterogeneous device. Otherwise, a verification exception may occur, and device details cannot be obtained.
Click Add Now. The page for adding a heterogeneous device is displayed. You can add a heterogeneous device.
- Set Certificate File, CA Certificate File, and Private Key File as required.
Only plaintext private keys are supported.
- Click OK.
- After you import and activate a certificate in one scenario, choose Monitor > Alarms and Events > Events. Wait until certificate import success, certificate activation success, and certificate update success events are displayed in sequence, and then import and activate the certificate in the next scenario. Before a certificate is updated, related service operations may fail. Try again after the certificate is updated.
- HA-related alarms may be generated during the update of Internal system service security certificate. The alarms will be automatically cleared after the certificate is updated.