Preparing the server certificate for Common Services

Ops Center Installation and Configuration Guide

Version
11.0.x
Part Number
MK-99OPS001-23

Prepare the server certificate for Common Services. Make sure the certificate has not expired. For details on how to check this, see "Checking the validity period of the server certificate". Common Services supports both RSA and Elliptic Curve Digital Signature Algorithm (ECDSA). You cannot configure ECDSA alone. Prepare secret keys and server certificates for RSA only or for both RSA and ECDSA.

  1. Log in to the management server as the root user.
    If you log in as an ordinary user, use the sudo command to complete the following procedure as the root user.
  2. Run the following command to create a private key (in X.509 PEM format) and a certificate signing request (CSR).
    Note: When you use the certificate to enable SSL encryption for real time data collection in the Analyzer detail view server, specify the IP address in subjectAltName so that the issued certificate includes that IP address in its SubjectAltName field.
    Example of the command for RSA:
    installation-directory-of-Common-Services/openssl/bin/openssl req -new -newkey rsa:4096 -nodes -keyout privateRSA.pem -sha256 -out serverRSA.csr -subj "/C=ww/ST=xx/L=yy/O=zz/CN=host-name-or-IP-address" -addext 'subjectAltName = {DNS:host-name|IP:IP-address|DNS:host-name,IP:IP-address}' -config installation-directory-of-Common-Services/openssl/openssl.cnf
    Example of the command for ECDSA:
    installation-directory-of-Common-Services/openssl/bin/openssl req -new -newkey ec:<(installation-directory-of-Common-Services/openssl/bin/openssl ecparam -name secp384r1) -nodes -keyout privateECDSA.pem -sha256 -out serverECDSA.csr -subj "/C=ww/ST=xx/L=yy/O=zz/CN=host-name-or-IP-address" -addext 'subjectAltName = {DNS:host-name|IP:IP-address|DNS:host-name,IP:IP-address}' -config installation-directory-of-Common-Services/openssl/openssl.cnf
    

    When running the command, specify parameters according to the Cipher Suite supported by Common Services. For details on the Cipher Suite supported by Common Services, see the Hitachi Ops Center Release Notes.

    Specify /C=ww/ST=xx/L=yy/O=zz according to your environment. For CN, specify a host name (or FQDN) or IP address that can be used to access the Hitachi Ops Center Portal.

    If you specify a host name for CN, specify DNS:host-name for subjectAltName. If you specify an IP address for CN, specify IP:IP-address for subjectAltName. If you specify a host name for CN and an IP address can also be used to access the Hitachi Ops Center Portal, specify DNS:host-name,IP:IP-address for subjectAltName.

    To create a CSR by using the openssl command in the Common Services installation directory, you must specify the -config option to load the settings file.

  3. Run the following command to check the results of creating the CSR:
    installation-directory-of-Common-Services/openssl/bin/openssl req -text -in CSR-file -config installation-directory-of-Common-Services/openssl/openssl.cnf
  4. Access the CSR from the directory that you specified when creating the request and submit the CSR to the certificate authority requesting that they issue a signed certificate.
    For details, follow the procedure provided by the certificate authority.
  5. After obtaining a server certificate signed by the certificate authority, run the following command to check the results of creating the server certificate:
    installation-directory-of-Common-Services/openssl/bin/openssl x509 -text -in server-certificate-signed-by-certificate-authority
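
As a check for step 3, the following shell functions (an added example, not part of the Ops Center documentation or tooling) read the text printed by the openssl req -text command and confirm that the CN is repeated in subjectAltName with the matching type. The function names, the sample host name and address, and the IPv4-only detection are assumptions of this example.

```shell
#!/bin/sh
# Added example: checks "openssl req -text" output (step 3) against the
# CN/subjectAltName rule. Function names and sample values are made up.

csr_cn() {   # CN from the Subject line; accepts "CN = x" and "CN=x"
    sed -n 's/^ *Subject:.*CN *= *\([^,/]*\).*$/\1/p' | head -n 1
}

csr_san() {  # the line that follows the Subject Alternative Name header
    awk '/X509v3 Subject Alternative Name/ { getline; gsub(/^ +| +$/, ""); print; exit }'
}

is_ipv4() {  # assumption: only IPv4 literals are treated as IP addresses
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Reads the text on stdin. Returns 0 if the CN is repeated in the SAN with
# the matching type (DNS: for a host name, IP Address: for an IP), else 1.
check_csr_text() {
    text=$(cat)
    cn=$(printf '%s\n' "$text" | csr_cn)
    san=$(printf '%s\n' "$text" | csr_san)
    [ -n "$cn" ] || { echo "FAIL: no CN in Subject"; return 1; }
    [ -n "$san" ] || { echo "FAIL: no subjectAltName in the request"; return 1; }
    if is_ipv4 "$cn"; then want="IP Address:$cn"; else want="DNS:$cn"; fi
    # Entries are separated by ", "; compare whole entries, ignoring case.
    if printf '%s\n' "$san" | tr ',' '\n' | sed 's/^ *//' | grep -Fxqi "$want"; then
        echo "OK: CN '$cn' is covered by SAN ($san)"
    else
        echo "FAIL: CN '$cn' needs SAN entry '$want' (found: $san)"; return 1
    fi
}

# Constructed sample in the layout "openssl req -text" prints ($1=CN, $2=SAN).
sample_csr_text() {
    cat <<EOF
Certificate Request:
    Data:
        Subject: C = ww, ST = xx, L = yy, O = zz, CN = $1
        Attributes:
            Requested Extensions:
                X509v3 Subject Alternative Name:
                    $2
EOF
}

sample_csr_text opscenter.example.com 'DNS:opscenter.example.com, IP Address:192.0.2.10' | check_csr_text
sample_csr_text 192.0.2.10 'DNS:opscenter.example.com' | check_csr_text || true
```

To check a real request, pipe the output of the step 3 command into check_csr_text instead of the constructed sample.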