Uploading a signed certificate to the SMI-S provider

System Administrator Guide for VSP 5000 Series

Version
90-08-8x
Audience
anonymous
Part Number
MK-98RD9009-13

To use certificates in SSL communication with the SMI-S provider, you must update and upload the private key and the signed server certificate (public key) to the SMI-S provider to update the certificate. Use the following procedure to upload and update certificates using a certificate update tool.

Ensure that the following items have been completed:

  • You must have the Storage Administrator (View & Modify) role to perform this task.
  • A private key (.key file) has been created. Change the file name to server.key unless the file is already named that. See Creating a private key using the OpenSSL command.
  • The passphrase for the private key (server.key file) is released.
  • A signed public key certificate (.crt file) has been acquired. Change the file name to server.crt unless the file is already named that. See Creating a public key using the OpenSSL command.
  • When using TLS1.2, you must set the cipher suites corresponding to the key type of the certificate that is uploaded to the SVP or the SMI-S provider.

    Verify the settings of the cipher suites on the TLS Security Settings dialog box using the Tool Panel dialog box:

    • If the key type is RSA, select a cipher suite whose name contains “RSA”.
    • If the key type is ECDSA, select a cipher suite whose name contains “ECDSA”.

    If the cipher suites corresponding to the key type of the certificate are not set, you cannot connect the storage system using the management software.

  • You must be an external authentication user whose external user group mapping is disabled, or a local authentication user.
  • If the public key of the certificate to be uploaded is RSA, the key length must not be less than the key length that is set for Minimum Key Length (Key Exchange) in the TLS Security Settings dialog box.
  • If the public key of the certificate to be uploaded is ECDSA, the public key parameter must be any of the following:
    • ECDSA_P256 (secp256r1)
    • ECDSA_P384 (secp384r1)
    • ECDSA_P521 (secp521r1)
  • The signature hash algorithm of the certificate to be uploaded must be SHA-256, SHA-384, or SHA-512.
  • The extended profile fields in the X.509 certificate support the following items as specified in RFC5280:
    • subjectAltName
    • CRLDistributionPoint
    • AuthorityInfoAccess
    • BasicConstraints
    • KeyUsage
    • SubjectKeyIdentifier

    Enter the host name or the IP address of the SVP in subjectAltName or CommonName of the certificate to be uploaded.

  • When you perform a certificate revocation check by using CRL, set the CRL repository URI for the cRLDistributionPoint (CRL distribution point) of the intermediate certificate and server certificate.
  • When you perform a certificate revocation check by using OCSP, set the OCSP responder URI for authorityInfoAccess (Authority Information Access) of the intermediate certificate and server certificate.
  • When you perform a certificate revocation check on the management client, the CRL repository or the OCSP responder must be on the network that can be accessed by the management client so that they can be accessed by the management client. If the management client cannot communicate with the CRL repository or the OCSP responder, the connection to Device Manager - Storage Navigator is established without certificate revocation check.
  • If an intermediate certificate exists, prepare a signed public key certificate file (server.crt) that has a certificate chain that includes the intermediate certificate.
  • The number of tiers of the certificate chain for the certificate to be uploaded must be 20 tiers or less including the root CA certificate.
  1. Close all Device Manager - Storage Navigator sessions on the SVP.
  2. On the Device Manager - Storage Navigator computer, open a web browser and enter the following URL to open the Tool Panel dialog box.
    http://IP-address-or-host-name-of-SVP/cgi-bin/utility/toolpanel.cgi
  3. In the Tool Panel dialog box, click Update Certificate Files for SMI-S. The login dialog box for Update Certificate Files for SMI-S opens.
    If SSL communication has been established, the Security Alert dialog box opens before the login dialog box. In the Security Alert dialog box, click OK.
  4. In the login dialog box for Update Certificate Files for SMI-S, enter the administrator's user ID and password, and click Login. The upload dialog box for Update Certificate Files for SMI-S opens.
  5. In the upload dialog box for Update Certificate Files for SMI-S, enter both the public key certificate file name in the Certificate file (server.crt file) box and the Private Key file (server.key file) box. You can enter the file names directly or by clicking Browse or Select File. The name of the button to click depends on the browser.
  6. Click Upload. The execution confirmation dialog box for Update Certificate Files for SMI-S opens.
  7. Click OK to update the certificate. Update of the certificate starts.
    Upon completion of the certificate update, the SMI-S provider restarts to reflect the update.

    Upon completion of the restart of the SMI-S provider, the update completion dialog box for Update Certificate Files for SMI-S opens

  8. In the update completion dialog box for Update Certificate Files for SMI-S, click OK. The display returns to the login dialog box.
    Note: If an error occurs during update of the certificate, an error message displays. Resolve the problem and then run the procedure again, starting with logging in, to upload configuration files for SMI-S.
    Note: If the Security Alert dialog box for the certificate opens at other times, click View Certificate to confirm that the certificate is correct and then click Yes.