Setting up SSL encryption using Device Manager - Storage Navigator

System Administrator Guide for VSP 5000 Series

Version: 90-09-2x
Part Number: MK-98RD9009-16

To improve the security of remote operations from a Device Manager - Storage Navigator SVP to a storage system, you can set up Secure Sockets Layer (SSL) encrypted communication. With SSL encryption enabled, the Device Manager - Storage Navigator user ID and password are encrypted.

SSL communication can be established between the management client and the SVP using the protocols and port numbers specified in the following table.

Protocol   Port Number
HTTPS      443
RMI        11099
RMI        51100
SMI-S      5989

SSL communication can be established between the following servers and the SVP:

  • Syslog Server
  • Key management server
  • External authentication or authorization server
  • Hitachi Ops Center server
  • Hitachi Command Suite server
A user with the Security Administrator (View & Modify) role can configure the following security settings used for SSL/TLS communication with the SVP, using the Tool Panel dialog box in Device Manager - Storage Navigator:
  • Protocol
  • Cipher suites
  • Minimum key length of keys used for key exchange
  • Enabling renegotiation
Device Manager - Storage Navigator must satisfy the following security requirements:
  • Protocol
    • TLS1.2
    • TLS1.3
  • Cipher suites
    • Cipher suites supported by TLS1.2
      TLS_RSA_WITH_AES_128_CBC_SHA
      TLS_RSA_WITH_AES_128_CBC_SHA256
      TLS_RSA_WITH_AES_256_CBC_SHA256
      TLS_RSA_WITH_AES_256_GCM_SHA384
      TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    • Cipher suites supported by TLS1.3
      TLS_AES_128_GCM_SHA256
      TLS_AES_256_GCM_SHA384
  • Minimum key length supported by key exchange algorithm
    • RSA: Supports the key length of 2048 bits, 3072 bits, or 4096 bits. It can be used when TLS1.2 is enabled.
    • DHE: Supports the key length of 2048 bits. It can be used when TLS1.2 or TLS1.3 is enabled.
    • ECDHE: Supports elliptic curve parameters of secp256r1, secp384r1, or secp521r1. It can be used when TLS1.2 or TLS1.3 is enabled.
  • Enabling renegotiation
    • Renegotiation can be used when TLS1.2 is enabled; however, disabling renegotiation is recommended.
Note: To enable SSL, the private and public key pair and the SVP server certificate must be valid. If either the keys or the certificate has expired, the user cannot connect to the SVP.
Note: To add the Secure attribute to cookies using Device Manager - Storage Navigator, you must block HTTP communication. For details, see Blocking HTTP communication to the storage system.
Note: Device Manager - Storage Navigator supports HTTP Strict Transport Security (HSTS) with a maximum max-age of 31,536,000 seconds (1 year). To enable HSTS, you must use a security certificate issued by a trusted root certificate authority for your Device Manager - Storage Navigator domain. The HSTS policy is valid for one year (31,536,000 seconds) and is renewed automatically every time the HSTS header is sent to the browser. The security certificate to use is determined by the browser. For details, contact your browser vendor.
Note: If HSTS is enabled on a Web application on a server on which you intend to install Device Manager - Storage Navigator, use a domain that is written in the security certificate specific to each application. If you use the same domain, the HSTS settings are applied to all Web applications that use the domain, and all connections are switched to https. If you have an application that can be accessed only through http, you cannot establish the connection.
Note: The minimum key length supported by the key exchange algorithm set on the TLS Security Setting dialog box in the Tool Panel dialog box is applied when a certificate with RSA public key is set during the communications between the management client and the SVP.
When the following cipher suites are valid, and when a server certificate, root certificate, or client certificate with an RSA public key is uploaded to the SVP, the key length of the RSA public key of the certificate must be longer than the key length selected on the TLS Security Setting dialog box in the Tool Panel dialog box.
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
When the SVP communicates with a Syslog server, key management server, external authentication and authorization server, or Hitachi Command Suite server, the key length of the key exchange key set on the server must satisfy the following:
  • RSA: 2048 bits or more
  • DHE: 2048 bits
  • ECDHE: secp256r1, secp384r1, or secp521r1
Note:
  • When using a certificate with a key type of ECDSA and a key length of secp521r1, the Tool Panel dialog box might not open depending on the web browser of the HDvM - SN management client. Take the following actions for each web browser:
    • Internet Explorer

      Configure the group policy setting from the management client. For details, see Configuring the ECC curve order.

    • Microsoft Edge or Google Chrome

      As of January 2022, a certificate with a key type of ECDSA and a key length of secp521r1 cannot be used; if the key type is ECDSA, the key length must be less than secp521r1. Because future availability depends on the web browser specifications, check the browser's support status for these security settings.

    • Firefox

      The problem that the Tool Panel dialog box might not open does not occur.

  • When using a certificate with a key type of ECDSA and a key length of secp521r1, HDvM - SN might not open depending on the web browser of the HDvM - SN management client. Take the following actions for each web browser:
    • Internet Explorer, Microsoft Edge, or Google Chrome

      Configure the group policy setting from the management client. For details, see Configuring the ECC curve order.

    • Firefox

      The problem that the Tool Panel dialog box might not open does not occur.
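As an added example (not Hitachi's code and not part of this guide), the following Python checker applies the rules stated above to a proposed configuration: the supported protocols, cipher suites, key lengths and curves of the TLS Security Setting dialog box, the requirement that an uploaded RSA certificate key be longer than the selected minimum while a TLS_RSA_* suite is enabled, the recommendation to disable renegotiation, and the secp521r1 browser caveat from the notes. The `TlsSetting` and `Certificate` classes, `check_setting`, and the two sample configurations are assumptions made for illustration; the protocol names, cipher suites, key lengths and curve names are the ones listed on this page.

```python
# Added example: policy checker for the TLS Security Setting values this page
# describes. Not Hitachi's code; class names, check_setting() and the sample
# settings are assumptions for illustration.
from dataclasses import dataclass
from typing import List, Set, Tuple

SUPPORTED_PROTOCOLS = {"TLS1.2", "TLS1.3"}

TLS12_SUITES = {
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
}
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"}

# Static-RSA key exchange suites: while one of these is enabled, the guide
# requires an uploaded RSA certificate key to be longer than the configured minimum.
RSA_KEX_SUITES = {s for s in TLS12_SUITES if s.startswith("TLS_RSA_")}

RSA_MIN_LENGTHS = {2048, 3072, 4096}   # selectable minimum RSA key lengths
ECDHE_CURVES = {"secp256r1", "secp384r1", "secp521r1"}


@dataclass
class TlsSetting:
    """Values chosen in the TLS Security Setting dialog box (assumed model)."""
    protocols: Set[str]
    cipher_suites: Set[str]
    rsa_min_bits: int = 2048
    renegotiation: bool = False


@dataclass
class Certificate:
    """Key material of a certificate uploaded to the SVP (assumed model)."""
    key_type: str        # "RSA" or "ECDSA"
    key_bits: int = 0    # RSA modulus length in bits
    curve: str = ""      # ECDSA curve name


def check_setting(setting: TlsSetting, cert: Certificate) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings): errors violate a stated requirement,
    warnings are permitted but discouraged by the guide."""
    errors: List[str] = []
    warnings: List[str] = []

    for proto in sorted(setting.protocols - SUPPORTED_PROTOCOLS):
        errors.append(f"protocol {proto} is not supported (only TLS1.2 and TLS1.3)")
    if not setting.protocols & SUPPORTED_PROTOCOLS:
        errors.append("no supported protocol is enabled")

    # A suite is usable only if a protocol that supports it is enabled.
    allowed: Set[str] = set()
    if "TLS1.2" in setting.protocols:
        allowed |= TLS12_SUITES
    if "TLS1.3" in setting.protocols:
        allowed |= TLS13_SUITES
    for suite in sorted(setting.cipher_suites - allowed):
        errors.append(f"cipher suite {suite} is not usable with the enabled protocols")
    if not setting.cipher_suites & allowed:
        errors.append("no usable cipher suite is enabled")

    if setting.rsa_min_bits not in RSA_MIN_LENGTHS:
        errors.append(f"RSA minimum key length {setting.rsa_min_bits} is not selectable")

    if setting.renegotiation:
        if "TLS1.2" not in setting.protocols:
            errors.append("renegotiation requires TLS1.2 to be enabled")
        else:
            warnings.append("renegotiation is enabled; the guide recommends disabling it")

    if cert.key_type == "RSA":
        # The guide says the certificate key must be *longer* than the selected
        # minimum, so a 2048-bit key with a 2048-bit minimum is rejected.
        if setting.cipher_suites & RSA_KEX_SUITES and cert.key_bits <= setting.rsa_min_bits:
            errors.append(f"RSA certificate key of {cert.key_bits} bits must be longer than "
                          f"the {setting.rsa_min_bits}-bit minimum while a TLS_RSA_* suite is enabled")
        elif cert.key_bits < 2048:
            errors.append(f"RSA certificate key of {cert.key_bits} bits is below the 2048-bit floor")
    elif cert.key_type == "ECDSA":
        if cert.curve not in ECDHE_CURVES:
            errors.append(f"ECDSA curve {cert.curve} is not supported")
        elif cert.curve == "secp521r1":
            warnings.append("secp521r1 ECDSA certificates may keep HDvM - SN or the "
                            "Tool Panel dialog box from opening in some browsers")
    else:
        errors.append(f"unknown certificate key type {cert.key_type}")
    return errors, warnings


# Constructed samples: a weak configuration beside one that satisfies every rule.
WEAK_SETTING = TlsSetting(protocols={"TLS1.2"},
                          cipher_suites={"TLS_RSA_WITH_AES_128_CBC_SHA",
                                         "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"},
                          rsa_min_bits=2048, renegotiation=True)
WEAK_CERT = Certificate(key_type="RSA", key_bits=2048)

HARDENED_SETTING = TlsSetting(protocols={"TLS1.2", "TLS1.3"},
                              cipher_suites={"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
                                             "TLS_AES_256_GCM_SHA384"},
                              rsa_min_bits=3072, renegotiation=False)
HARDENED_CERT = Certificate(key_type="ECDSA", curve="secp384r1")

if __name__ == "__main__":
    for label, s, c in (("weak", WEAK_SETTING, WEAK_CERT),
                        ("hardened", HARDENED_SETTING, HARDENED_CERT)):
        errs, warns = check_setting(s, c)
        print(f"{label}: errors={errs} warnings={warns}")
```

The weak configuration produces one error (the 2048-bit RSA certificate is not longer than the 2048-bit minimum while a TLS_RSA_* suite is enabled) and one warning (renegotiation enabled); the hardened one, which relies on ECDHE suites and an ECDSA certificate on secp384r1, produces neither.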