Replacing the HyperMetro Arbitration Security Certificate

Prerequisites

Process Flow

Figure 1 Process flow of replacing the HyperMetro arbitration security certificate

Procedure

  1. Export the certificate request file of the quorum server.

    In the CLI of the quorum server software, run the export tls_cert command to generate a certificate signing request (CSR) for the quorum server. The qs_certreq.csr file is written to the /opt/quorum_server/export_import directory on the quorum server. Only this request file needs to leave the server; it is the file that the CA signs in step 4.

    admin:/>export tls_cert 
    Command executed successfully.     
    • Replace the certificates as the user that runs the quorum server software, with the software running.
    • After installing the quorum server software, you are advised to grant SFTP access only to the /opt/quorum_server/export_import/ directory. This is sufficient for importing and exporting the security certificates and keeps file transfer away from the rest of the server.

  2. Log in to DeviceManager of the local storage cluster and export the certificate request file of the local storage cluster in the HyperMetro arbitration security certificate scenario. For details, see Exporting a Certificate Signing Request (CSR) File.
  3. Log in to DeviceManager of the remote storage cluster and export the certificate request file of the remote storage cluster in the HyperMetro arbitration security certificate scenario. For details, see Exporting a Certificate Signing Request (CSR) File.
  4. Select a certificate authority (CA) and use the certificate request files to generate certificates.

    • To ensure normal and secure communication between devices, the quorum server and the storage clusters must use the same CA to issue certificates.
    • This section describes three methods for issuing certificates. You are advised to use the customer's CA or a trusted third-party CA. If no CA is available, use the built-in CA of the quorum server or the built-in CA of a storage cluster.
    • When using the customer's CA or a third-party CA to issue certificates:
      1. Send certificate request file qs_certreq.csr of the quorum server to the customer's CA or the third-party CA to generate the certificate of the quorum server.
      2. Send the certificate request file of the local storage cluster to the customer's CA or the third-party CA to generate the certificate of the local storage cluster.
      3. Send the certificate request file of the remote storage cluster to the customer's CA or the third-party CA to generate the certificate of the remote storage cluster.
    • When using the built-in CA of the quorum server to issue certificates:
      • To issue certificates one by one, perform steps a to c to issue the certificates of the quorum server, local storage cluster, and remote storage cluster, respectively:
        1. Copy the certificate request file (for example, qs_certreq.csr) to the /opt/quorum_server/export_import directory on the quorum server, change the owner and owner group of the certificate request file to the installation user and owner group of the quorum server software, and ensure that the certificate request file can be read.
          chown quorumsvr:quorumsvr qs_certreq.csr

          In this example, quorumsvr is the default installation user of the quorum server software. Change it to the actual user and user group you use to install the quorum server software.

        2. Run the generate tls_cert csr=qs_certreq.csr [days=1095] [cert_name=qs_certreq.crt] [sign_algorithm=0] command to issue the certificate. Parameters in brackets are optional; the values shown are the defaults.
          • csr (mandatory): specifies the name of the certificate request file, which must be in the /opt/quorum_server/export_import directory. The name can contain letters, digits, periods (.), hyphens (-), and underscores (_), must start with a letter or digit, and must end with .csr.
          • days (optional): specifies the validity period of the certificate in days. The value can contain only digits. The default is 1095 days (three years).
          • cert_name (optional): specifies the name of the certificate file to be issued, which is written to the same directory. The name can contain letters, digits, periods (.), hyphens (-), and underscores (_), must start with a letter or digit, and must end with .crt. By default, the certificate takes the name of the request file with .csr replaced by .crt.
          • sign_algorithm (optional): specifies the signature algorithm suite. The value also determines the type of the built-in CA's private key, so use the same value for every certificate issued for one HyperMetro pair and distribute the matching cps_ca.crt. Values:

            0: SHA256RSA (default)

            1: SHA256ECDSA

          admin:/>generate tls_cert csr=qs_certreq.csr cert_name=qs_certreq.crt
          Command executed successfully. 
        3. Obtain the issued certificate and CA certificate file from the /opt/quorum_server/export_import directory on the quorum server. In this example, qs_certreq.crt (or the name given by cert_name) is the certificate file, and cps_ca.crt is the CA certificate file. The same cps_ca.crt must later be imported to the quorum server and to both storage clusters.
      • To issue certificates in batches:
        1. Copy certificate request files (for example, qs_certreq.csr, qs_certreq_1.csr, and qs_certreq_2.csr) of the quorum server, local storage cluster, and remote storage cluster to the /opt/quorum_server/export_import directory on the quorum server. Change the owner and owner group of the certificate request files to the installation user and owner group of the quorum server software, and ensure that the certificate request files can be read.
          chown quorumsvr:quorumsvr *.csr

          In this example, quorumsvr is the default installation user of the quorum server software. Change it to the actual user and user group you use to install the quorum server software.

        2. Run the generate tls_cert_multi [days=1095] [sign_algorithm=0] command to issue certificates in batches. Parameters in brackets are optional; the values shown are the defaults.
          • Every certificate request file in the /opt/quorum_server/export_import directory is processed, and a certificate is issued for it only when its name meets the following requirements: the name can contain letters, digits, periods (.), hyphens (-), and underscores (_), must start with a letter or digit, and must end with .csr.
          • days (optional): specifies the validity period of the certificates in days. The value can contain only digits. The default is 1095 days (three years).
          • sign_algorithm (optional): specifies the signature algorithm suite. The value also determines the type of the built-in CA's private key, so use the same value for every certificate issued for one HyperMetro pair and distribute the matching cps_ca.crt. Values:

            0: SHA256RSA (default)

            1: SHA256ECDSA

          admin:/>generate tls_cert_multi
          [SUCCEED]generate cert for csr file:[qs_certreq.csr] succeed!
          [SUCCEED]generate cert for csr file:[qs_certreq_1.csr] succeed!
          [SUCCEED]generate cert for csr file:[qs_certreq_2.csr] succeed!
          ------all 3 csr files<succeed 3 files and failed 0 files>------
          Command executed successfully. 
        3. Obtain the issued certificates and CA certificate file from the /opt/quorum_server/export_import directory on the quorum server. In this example, qs_certreq.crt, qs_certreq_1.crt, and qs_certreq_2.crt are the certificate files (with the same names as the request files), and cps_ca.crt is the CA certificate file.
          ll /opt/quorum_server/export_import
          total 28
          -rw-r--r--. 1 quorumsvr quorumsvr 1927 Jun  3 09:03 cps_ca.crt
          -rw-r--r--. 1 quorumsvr quorumsvr 1476 Jun  3 09:03 qs_certreq_2.crt
          -r--------. 1 quorumsvr quorumsvr  976 Jun  3 09:00 qs_certreq_2.csr
          -rw-r--r--. 1 quorumsvr quorumsvr 1476 Jun  3 09:03 qs_certreq_1.crt
          -r--------. 1 quorumsvr quorumsvr  976 Jun  3 09:00 qs_certreq_1.csr
          -rw-r--r--. 1 quorumsvr quorumsvr 1476 Jun  3 09:03 qs_certreq.crt
          -r--------. 1 quorumsvr quorumsvr  976 Jun  3 08:55 qs_certreq.csr 
    • When using the built-in CA of a storage cluster to issue certificates (the local storage cluster is used as an example):
      1. Log in to DeviceManager of the local storage cluster, choose Settings > Certificate > Built-In CA, and use the subordinate CA certificate named External to issue certificates of the quorum server, local storage cluster, and remote storage cluster. For details, see Using Built-In CA to Issue Digital Certificates.
      2. Export the issued digital certificates of the quorum server, local storage cluster, and remote storage cluster. For details, see Exporting Issued Digital Certificates.
      3. Export the subordinate CA certificate named External in the local storage cluster. For details, see Exporting a Built-In CA Certificate.

  5. Import the issued certificate of the quorum server and the CA certificate to the quorum server.

    1. Copy the certificate of the quorum server to the quorum server.

      After the certificates are generated, copy the digital certificate of the quorum server (for example, qs_cert.crt) and the CA certificate (for example, cps_ca.crt) to the /opt/quorum_server/export_import directory. If the built-in CA of the quorum server issued the certificate, both files are already in that directory (the certificate under the name given by cert_name, qs_certreq.crt by default); use those file names in the import command in the next step.

    2. Import the certificate of the quorum server to the quorum server software.

      In the CLI of the quorum server software, run the import tls_cert cert_name=hm_third_cert ca=cps_ca.crt cert=qs_cert.crt [private_key=privateKeyFileName] class=hm command to import the certificate to the quorum server software. The ca and cert files are read from the /opt/quorum_server/export_import directory. private_key is optional: omit it when the certificate was issued from the CSR exported in step 1, because the quorum server already holds the matching private key; it is needed only when the certificate's key pair was generated outside the quorum server.

      admin:/>import tls_cert cert_name=hm_third_cert ca=cps_ca.crt cert=qs_cert.crt class=hm
      Command executed successfully.

      When importing a HyperMetro certificate, you must set cert_name to hm_third_cert and class to hm. The CA certificate you import here must be the one from the CA that issued all three certificates; otherwise, the quorum server will not trust the certificates presented by the storage clusters.

  6. Log in to DeviceManager of the local storage cluster, select the HyperMetro arbitration security certificate scenario, and import the issued certificate of the local storage cluster and the CA certificate. For details, see Importing and Activating a Certificate.
  7. Log in to DeviceManager of the remote storage cluster, select the HyperMetro arbitration security certificate scenario, and import the issued certificate of the remote storage cluster and the CA certificate. For details, see Importing and Activating a Certificate.
  8. After certificate replacement is complete, you need to reconfigure an arbitration whitelist. For details, see Configuring an Arbitration Whitelist in the product documentation of the corresponding version.
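Before importing the certificates (step 5 onward), it is worth checking offline that each issued certificate chains to the CA certificate you are about to distribute and that it was issued for the CSR the device actually exported, so that the quorum server and both storage clusters hold the private keys matching their certificates. The following POSIX shell script is an added example; it is not part of the quorum server software or of the storage product documentation. It relies on the openssl command line tool (assumed to be installed on the host where you run it) and, in self-test mode, builds a throwaway CA, CSR and certificate in a temporary directory as constructed stand-ins for cps_ca.crt, qs_certreq.csr and qs_certreq.crt. Run the same check on the local and remote storage cluster certificates with the same CA file to confirm that all three come from one CA, as step 4 requires.

```shell
#!/bin/sh
# Added example: pre-import checks for a HyperMetro arbitration certificate.
# Requires the openssl command line tool. Not part of the quorum server software.
set -eu

# Build constructed test material in directory $1: a throwaway CA (stand-in for
# cps_ca.crt), a server key pair and CSR (stand-in for qs_certreq.csr as produced by
# export tls_cert), the certificate issued from that CSR (stand-in for qs_certreq.crt)
# and an unrelated CSR used for a negative check.
make_test_material() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Test Quorum CA" -keyout "$dir/ca.key" -out "$dir/cps_ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=quorum-server" -keyout "$dir/qs.key" -out "$dir/qs_certreq.csr" 2>/dev/null
    openssl x509 -req -in "$dir/qs_certreq.csr" -CA "$dir/cps_ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1095 -sha256 -out "$dir/qs_certreq.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=unrelated" -keyout "$dir/other.key" -out "$dir/other.csr" 2>/dev/null
}

# SHA-256 fingerprint of the public key in a CSR ($1 = req) or certificate ($1 = x509).
pubkey_fingerprint() {
    openssl "$1" -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256
}

# check_issued_cert CA_CERT CSR ISSUED_CERT
# 1. the issued certificate chains to CA_CERT (the file to import alongside it); this
#    also rejects a certificate that is expired or not yet valid;
# 2. its public key is the one in CSR, i.e. the device that exported the CSR holds
#    the matching private key;
# 3. it will not expire within the next 24 hours.
# Returns 0 if all checks pass, 1 on the first failure.
check_issued_cert() {
    ca="$1"; csr="$2"; crt="$3"
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "FAIL: $crt does not chain to $ca"; return 1; }
    [ "$(pubkey_fingerprint req "$csr")" = "$(pubkey_fingerprint x509 "$crt")" ] \
        || { echo "FAIL: public key in $crt does not match $csr"; return 1; }
    openssl x509 -in "$crt" -noout -checkend 86400 >/dev/null \
        || { echo "FAIL: $crt expires within 24 hours"; return 1; }
    echo "OK: $crt matches $csr and chains to $ca"
}

# Usage:  sh check_cert.sh CA_CERT CSR ISSUED_CERT   (e.g. cps_ca.crt qs_certreq.csr qs_certreq.crt)
#         sh check_cert.sh --selftest                (runs against constructed material)
case "${1:-}" in
    --selftest)
        d=$(mktemp -d)
        make_test_material "$d"
        check_issued_cert "$d/cps_ca.crt" "$d/qs_certreq.csr" "$d/qs_certreq.crt"
        rm -rf "$d" ;;
    "") ;;   # no arguments: only define the functions (e.g. when sourced)
    *)
        [ $# -eq 3 ] || { echo "usage: $0 CA_CERT CSR ISSUED_CERT | --selftest" >&2; exit 2; }
        check_issued_cert "$1" "$2" "$3" ;;
esac
```

The public-key comparison catches the most common replacement mistake, a certificate issued from a stale or wrong CSR, which would otherwise show up only as a TLS handshake failure between the quorum server and the storage clusters after the import and whitelist steps.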