Setting SSL/TLS communications using the Tool Panel

System Administrator Guide for VSP 5000 Series

Version: 90-09-2x
Part Number: MK-98RD9009-16

Use the following procedure to create the security settings used for SSL/TLS communications with the SVP.

CAUTION:
  • If an SSL/TLS communication setting is incorrect, SSL/TLS communication with the SVP might fail. If it fails, you must configure the security settings again from the Tool Panel dialog box over an HTTP connection. It is therefore recommended that you release HTTP communication blocking from the Tool Panel dialog box before you change the security settings. For more information about how to release HTTP communication blocking, see Releasing HTTP communication blocking.
  • Use an HTTPS connection when you perform this procedure. If you access the Tool Panel over an HTTP connection, the ID and password used for login are sent in clear text.
  • If the self-signed certificates for the following communication paths are registered in the SVP, some of the test items are not verified in the communication test in this procedure:
    • SVP – Syslog Server
    • SVP – Key Management Server
    • SVP – LDAP Server
    • SVP – HCS server

    If this is the case, communication is performed without the security requirements being met. Use certificates issued by a trusted CA (certificate authority).

  • Verify the security settings of the SVP communication destination before you change the settings. If the protocol is TLS1.3 only, make sure that the communication destination supports TLS1.3.

    When you use Device Manager - Storage Navigator with Adobe AIR, you must enable TLS1.2. Adobe AIR does not support TLS1.3.

  • Verify that no other management or maintenance operations are being performed on Device Manager - Storage Navigator.
  • You must have the Security Administrator (View & Modify) role to perform this task.
  1. Close all Device Manager - Storage Navigator sessions on the SVP.
  2. On the management client, open a web browser, and then type the following URL to open the Tool Panel dialog box over an HTTPS connection.
    https://IP-address-or-host-name-of-SVP/cgi-bin/utility/toolpanel.cgi
  3. In the Tool Panel dialog box, click TLS Security Settings to open the TLS Security Settings login dialog box.
    If SSL/TLS communication has been established, the Security Alert dialog box opens before the login dialog box opens. In the Security Alert dialog box, click OK.

    If the Security Alert dialog box for the certificate opens, click View Certificate to display the certificate, confirm that the certificate is correct, and then click Yes.

  4. In the TLS Security Settings login dialog box, enter the administrator user ID and password, and then click Login.
  5. In the TLS Security Settings dialog box, enter the required items.
    CAUTION:
    When using TLS1.2, select the cipher suites corresponding to the key type of the certificate uploaded to the SVP.
    • If the key type is RSA, select a cipher suite whose name contains “RSA”.
    • If the key type is ECDSA, select a cipher suite whose name contains “ECDSA”.

    If the cipher suites are not set correctly, SSL/TLS communication with the SVP fails and problems such as a Device Manager - Storage Navigator login error occur.

    When using TLS1.3, you can select both cipher suites regardless of whether the certificate key type is RSA or ECDSA.

  6. In the TLS Security Settings dialog box, confirm the messages about the possible TLS communication failures and recommendations, and then select the check box for I understood that I canceled HTTP blocking or TLS communication might fail.
  7. Click Next to perform a communication test. The Communication Test dialog box for TLS Security Settings opens.
  8. The communication test using the security settings specified in step 5 starts automatically for the following communication paths:
    • SVP – Syslog Server
    • SVP – Key Management Server
    • SVP – LDAP Server
    • SVP – HCS server
    The communication test verifies the following items:
    • Protocol
    • Cipher suites
    • Key length of the key exchange algorithm
    • Expiration date of the certificate
    • Certificate chain to the root CA certificate
  9. Verify the results of the communication test for each communication path performed in the previous step. In the Communication Test dialog box for TLS Security Settings, wait until one of the following is displayed as the communication test result:
    • Normal: Communication completed correctly.
    • Skipped: Connection settings are not made on Device Manager - Storage Navigator.
    • Error: Communication failed.
  10. Confirm the communication test result, and then click Submit in the Communication Test dialog box for TLS Security Settings.
  11. When prompted to confirm that you want to change the settings, click OK.
    The SVP web server restarts to apply the security settings. When the SVP web server restart is complete, the setting completion dialog box for TLS Security Settings opens.
  12. Click OK to return to the login dialog box.
  13. Back up the new security settings. For details, see Backing up HDvM - SN configuration files.
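
The caution about verifying the communication destination before changing the settings, and the items checked by the communication test in step 8, can be pre-checked from a management host. The following is an added example, not part of the Hitachi guide or the SVP software: it handshakes with a destination as a strict client and reports protocol and certificate-expiry problems. The function names, the sample host name and port, and the 30-day threshold are assumptions made for the illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

def days_until_expiry(not_after, now=None):
    """Whole days left, given the notAfter text from getpeercert()."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - (now or datetime.now(timezone.utc))).days

def probe(host, port, tls13_only=False, ca_file=None, timeout=5.0):
    """Handshake as a strict client. Raises ssl.SSLCertVerificationError when the
    chain does not reach a trusted root (for example a self-signed certificate)
    and ssl.SSLError when no common protocol version or cipher suite exists."""
    ctx = ssl.create_default_context(cafile=ca_file)  # chain and hostname checks on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3 if tls13_only else ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cipher, _, bits = tls.cipher()
            return {"protocol": tls.version(), "cipher": cipher, "bits": bits,
                    "not_after": tls.getpeercert()["notAfter"]}

def assess(result, allowed_protocols, min_days=30, now=None):
    """Findings for one destination; an empty list means no problem found."""
    findings = []
    if result["protocol"] not in allowed_protocols:
        findings.append(f"negotiated {result['protocol']}, not in {sorted(allowed_protocols)}")
    days = days_until_expiry(result["not_after"], now)
    if days < 0:
        findings.append("certificate has expired")
    elif days < min_days:
        findings.append(f"certificate expires in {days} days")
    return findings

# Constructed handshake result, shaped like probe()'s return value, so the
# script runs offline. Against a real destination (placeholder name and port):
#   result = probe("syslog.example.internal", 6514, tls13_only=True)
SAMPLE = {"protocol": "TLSv1.2", "cipher": "ECDHE-RSA-AES256-GCM-SHA384",
          "bits": 256, "not_after": "Jan  1 00:00:00 2030 GMT"}

if __name__ == "__main__":
    when = datetime(2029, 12, 20, tzinfo=timezone.utc)  # fixed clock for the demo
    for finding in assess(SAMPLE, {"TLSv1.3"}, now=when):
        print("FINDING:", finding)
```

A destination that fails `probe()` with `tls13_only=True` would not be reachable if the SVP protocol setting is TLS1.3 only; pass `ca_file` to validate against a private CA instead of the system trust store.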