Setting up the client certificate

Encryption License Key User Guide

Version: 9.8.7
Part Number: MK-98RD9017-17

Use the following procedure to prepare the client certificate. Encryption keys backed up on the key management server (KMS) are managed with the client certificate. The client certificate on the KMS must remain current and must not be expired. If the client certificate expires or is not current, the storage system cannot access the KMS.

CAUTION:
  • If the client certificate is lost and the SVP is replaced due to a failure, the encryption keys that were backed up before the SVP replacement cannot be restored.
  • When the connection settings are backed up to the KMS, the storage system does not back up the client certificate. Make sure that you back up a copy of the connection settings to the KMS and save a copy of the client certificate separately. Refer to your corporate security policy for procedures related to backups.
  • The encryption keys backed up on the KMS are managed with the client certificate. If the client certificate is changed, the encryption keys that were backed up before the change cannot be restored. Make sure to back up the encryption keys immediately after changing the client certificate.
  • Your storage system must have a physical or virtual SVP.
  1. For VSP 5000 series, download and install openssl.exe from http://www.openssl.org/ to the C:\openssl folder.
    For VSP E series, perform either of the following:
    • Download and install openssl.exe from http://www.openssl.org/ to the C:\openssl folder.
    • Use OpenSSL on the SVP stored in C:\Mapp\OSS\apache\bin\openssl.
  2. Create the key file. You can create the following types of key files:
    • Private key (.key) file
    • Public key (.csr) file

    For details about creating a Private or Public key, see the System Administrator Guide.

  3. If you created a Public key (.csr) file, submit the Public key file to an appropriate trusted internal or third-party Certificate Authority for signing. For details, see the documentation for the key management server.
  4. Convert the client certificate to PKCS#12 format.
    1. From an open command prompt, change the current directory to the folder where you want to save the client certificate in the PKCS#12 format.
    2. Move the private SSL key file (.key) and the client certificate to the folder that is the current directory, and then run the conversion command.
      Example with an output folder of c:\key, a private key file (client.key), and a client certificate file (client.crt):
      • When OpenSSL is installed: C:\key>c:\openssl\bin\openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12
      • (VSP E series) When using OpenSSL on the SVP: C:\key>c:\Mapp\OSS\apache\bin\openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12
        Tip: C:\Mapp indicates the installation directory for the storage management software and SVP software. If a different installation directory was specified, replace C:\Mapp in the command with that directory.
    3. Type the client certificate password. The password can be from 0 to 128 characters in length. The valid characters for the password are:
      • Numbers (0 to 9)
      • Upper case letters (A-Z)
      • Lower case letters (a-z)
      • The following symbols: ! # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~
  5. Upload the root and client certificates to the SVP.
    1. In the Device Manager - Storage Navigator main window, select Administration in Explorer, and select Encryption Keys.
    2. In the Encryption Keys window, click Edit Encryption Environmental Settings.
    3. Upload the certificates.
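
The following PowerShell script wraps the conversion in step 4 with checks for certificate expiry and for a mismatched key and certificate. It is an added example, not part of the original guide; it assumes the paths and file names from the guide's own example (C:\openssl, C:\key, client.crt, client.key), and the 30-day warning window and the helper name Invoke-OpenSsl are choices made here.

```powershell
# Added example (not from the guide): checks around the step 4 conversion.
# Assumed: paths from the guide's example and a 30-day warning window.
$openssl  = 'C:\openssl\bin\openssl.exe'
$cert     = 'C:\key\client.crt'
$key      = 'C:\key\client.key'
$p12      = 'C:\key\client.p12'
$warnDays = 30

function Invoke-OpenSsl {
    # Run openssl with the given arguments; stop on a non-zero exit code.
    $out = & $openssl @args
    if ($LASTEXITCODE -ne 0) { throw "openssl $($args -join ' ') failed" }
    $out
}

# 1. An expired client certificate blocks access to the KMS: check validity.
Invoke-OpenSsl x509 -in $cert -noout -subject -enddate
& $openssl x509 -in $cert -noout -checkend 0 | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Client certificate has already expired.' }
& $openssl x509 -in $cert -noout -checkend ($warnDays * 86400) | Out-Null
if ($LASTEXITCODE -ne 0) { Write-Warning "Certificate expires within $warnDays days." }

# 2. Confirm the private key belongs to the certificate by comparing the
#    public key derived from each file.
$certPub = (Invoke-OpenSsl x509 -in $cert -noout -pubkey) -join "`n"
$keyPub  = (Invoke-OpenSsl pkey -in $key -pubout) -join "`n"
if ($certPub -ne $keyPub) { throw 'client.key does not match client.crt.' }

# 3. Convert as in step 4 (openssl prompts for the export password), then
#    re-open the result so the password and file integrity are confirmed.
Invoke-OpenSsl pkcs12 -export -in $cert -inkey $key -out $p12
Invoke-OpenSsl pkcs12 -in $p12 -noout

# 4. Record a SHA-256 so the separately stored backup copy can be verified.
Get-FileHash -Path $p12 -Algorithm SHA256 | Format-List Path, Hash
```

When OpenSSL on the SVP is used instead (VSP E series), set $openssl to the path given in step 1.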