SSL encryption of the storage system

System Administrator Guide for VSP E990 and VSP G130, G/F350, G/F370, G/F700, G/F900

Version: 88-08-0x
Audience: anonymous
Part Number: MK-97HM85028-11

The storage systems can use SSL encryption on all management connection paths, as listed below and detailed in the following table. The encryption protocol used for SSL encryption is TLS version 1.2.
Note: The cipher suites that use RSA key exchange are enabled by default. RSA key exchange provides no forward secrecy: anyone who later obtains the server's RSA private key can decrypt previously recorded sessions. Where the management clients support it, prefer the ECDHE/DHE suites and disable the RSA key exchange suites.


  • A: Path between the management client and the storage system (embedded interfaces model, no SVP).
  • B: Path between the SVP and the management client.
  • C: Path between the SVP and the storage system.
  • D: Path between the management client and the storage system (Device Manager - Storage Navigator model, where an SVP is present).
Management model: Using embedded interfaces

Path A: between the management PC and the storage system
For VSP E series:
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_256_GCM_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
For VSP G130, G/F350, G/F370, G/F700, G/F900, with the cipher suites for RSA key exchange enabled, one of the following two cipher suites is selected:
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA
If either of these two cipher suites is selected, the following cipher suites can be used:
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
If neither of these two cipher suites is selected (RSA key exchange cipher suites disabled), only the following cipher suites can be used:
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

Management model: Using Device Manager - Storage Navigator

Path B: between the SVP and the client PC
For VSP E series:
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_PSK_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_PSK_WITH_AES_128_CBC_SHA
For VSP G130, G/F350, G/F370, G/F700, G/F900, when the cipher suites for RSA key exchange are enabled (default):
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
For VSP G130, G/F350, G/F370, G/F700, G/F900, when the cipher suites for RSA key exchange are disabled:
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

Path C: between the SVP and the storage system
For VSP E series:
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA
For VSP G130, G/F350, G/F370, G/F700, G/F900, in the maintenance utility you can select one of the following two cipher suites, or select not to use either of them:
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA
The following cipher suites can be used regardless of the setting in the maintenance utility:
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

Path D: between the client PC and the storage system
For VSP E series:
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_GCM_SHA256
For VSP G130, G/F350, G/F370, G/F700, G/F900, one of the following two cipher suites can be selected:
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA
If either of the above cipher suites is selected, the following cipher suites can be used:
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
If neither of the above cipher suites is selected, only the following cipher suites can be used:
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

Note: TLS_RSA_WITH_AES_256_GCM_SHA256, listed above for VSP E series on paths A and D, is not a name in the IANA TLS Cipher Suite Registry (the registered AES-256-GCM suites use SHA384). Confirm which suites the system actually negotiates with a handshake test rather than relying on the printed name.
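The lists above are long enough that it is easy to miss what they imply: with the default setting, most suites on path B use static RSA key exchange (no forward secrecy), several use CBC with HMAC-SHA1, and one printed name is not a registered suite at all. The script below is an added example, written for this page and not part of the Hitachi documentation or the storage system's own software. It classifies each IANA suite name from the table (the audit rules and the IANA-to-OpenSSL name mapping are this script's own, covering the suite families on this page), and can optionally offer each suite one at a time to a live endpoint to see which the management interface really accepts; the host and port for that probe are supplied by the reader.

```python
"""Audit the TLS 1.2 cipher-suite names listed for a storage-system path and,
optionally, probe a live management endpoint to see which of them it accepts.

Added example for this page; not code from the Hitachi documentation or the
storage system. Suite names are the IANA names from the table; the audit
rules, the IANA-to-OpenSSL mapping and the probe are this script's own.
"""
import socket
import ssl
import sys

# Names from the table that exist in the IANA TLS Cipher Suite Registry.
# TLS_RSA_WITH_AES_256_GCM_SHA256 (printed for VSP E series) is not one of them.
REGISTERED = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_PSK_WITH_AES_256_CBC_SHA", "TLS_PSK_WITH_AES_128_CBC_SHA",
}

# Path B on VSP G130/G/F350-G/F900 with RSA key exchange enabled (the default).
PATH_B_G_DEFAULT = [
    "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
]


def parse_suite(name):
    """Split an IANA name into (key exchange, cipher, MAC/PRF hash)."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"not a TLS cipher suite name: {name}")
    kx, rest = name[len("TLS_"):].split("_WITH_", 1)
    parts = rest.split("_")                  # e.g. AES, 256, GCM, SHA384
    return kx, "_".join(parts[:-1]), parts[-1]


def audit_suite(name):
    """Properties a hardening review cares about for one suite."""
    kx, cipher, mac = parse_suite(name)
    return {
        "registered": name in REGISTERED,
        "forward_secrecy": kx.startswith(("ECDHE_", "DHE_")),  # ephemeral key exchange
        "aead": cipher.endswith("_GCM"),                        # GCM rather than CBC+HMAC
        "sha1_mac": mac == "SHA",                               # HMAC-SHA1 CBC suites
        "psk": kx == "PSK",
    }


def audit(suites):
    """Group the suites in a list by the reason a review would flag them."""
    findings = {"unregistered": [], "no_forward_secrecy": [], "cbc": [], "sha1_mac": []}
    for name in suites:
        props = audit_suite(name)
        if not props["registered"]:
            findings["unregistered"].append(name)
        if not props["forward_secrecy"]:
            findings["no_forward_secrecy"].append(name)
        if not props["aead"]:
            findings["cbc"].append(name)
        if props["sha1_mac"]:
            findings["sha1_mac"].append(name)
    return findings


def openssl_name(name):
    """IANA name -> OpenSSL cipher-string name, for the suite families in the table."""
    kx, cipher, mac = parse_suite(name)
    prefix = {"RSA": "", "ECDHE_RSA": "ECDHE-RSA-", "DHE_RSA": "DHE-RSA-", "PSK": "PSK-"}[kx]
    alg, bits, mode = cipher.split("_")      # AES, 128|256, GCM|CBC
    if mode == "GCM":
        return f"{prefix}{alg}{bits}-GCM-{mac}"
    if kx == "PSK":                          # OpenSSL keeps "CBC" only in PSK names
        return f"{prefix}{alg}{bits}-CBC-{mac}"
    return f"{prefix}{alg}{bits}-{mac}"


def probe(host, port, suite, timeout=5.0):
    """Offer only `suite` over TLS 1.2. True if the server selects it, False if
    the handshake fails (PSK suites fail here: no PSK is configured), None if
    the local OpenSSL cannot offer the suite at all. Certificate verification
    is off on purpose: the question is what the server negotiates, not whether
    its certificate is trusted; check that separately."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.set_ciphers(openssl_name(suite))
    except (ssl.SSLError, KeyError, ValueError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0] == openssl_name(suite)
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    for reason, names in audit(PATH_B_G_DEFAULT).items():
        print(f"{reason}: {len(names)}")
        for n in names:
            print(f"    {n}")
    if len(sys.argv) == 3:                   # usage: audit_suites.py HOST PORT
        host, port = sys.argv[1], int(sys.argv[2])
        for n in PATH_B_G_DEFAULT:
            print(f"{n:45s} {probe(host, port, n)}")
```

Run without arguments to see the classification of the default path B list; run with a host and port to probe a management interface. Compare the probe results before and after disabling the RSA key exchange suites: after the change, every TLS_RSA_* name should come back False while the ECDHE/DHE names still come back True. A None result means the local OpenSSL build (or the distribution's crypto policy) refused to offer that suite, not that the server rejected it.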
Note: When TLS 1.0/1.1 communication is disabled on the storage system, pages might not appear properly if the browser does not offer TLS 1.2. Current browser versions enable TLS 1.2 by default; for older versions, enable it as follows:
  • Internet Explorer: click Tools > Internet Options, go to the Advanced tab, and select Use TLS 1.2.
  • Firefox: enter about:config in the address bar, open the configuration editor, and confirm that security.tls.version.max is 3 or higher (3 = TLS 1.2, 4 = TLS 1.3; a TLS 1.3 maximum still negotiates TLS 1.2 with this server).
  • Google Chrome: click the Chrome menu > Settings > Show advanced settings > Advanced settings, and select Use TLS 1.2.

To prevent a man-in-the-middle attack, the SSL encryption on path C (between the SVP and the storage system) verifies the validity of the connection by using the certificate that was uploaded to the SVP in advance together with the certificate of the storage system. The same certificate must be uploaded to both the SVP and the storage system.

Note:
  • If the certificate on the SVP and the certificate on the storage system do not match (for example, only one of them has been replaced), the SVP does not operate normally. When changing the certificate, upload it to the storage system first, and then upload it to the SVP.
  • Different certificates can be used for connecting to the SVP and for connecting to the web server.
Certificate                                                     Upload destination       Comments
Signed certificate for SSL encryption between the SVP and client PC   SVP                N/A
Certificate for connecting to the SVP                           SVP and storage system   If the certificate is uploaded to only one of the SVP and the storage system, the SVP will not operate normally.
Certificate for connecting to the web server                    SVP and storage system   If the certificate is uploaded to only one of the SVP and the storage system, the SVP will not operate normally.
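Because a mismatch between the certificate on the SVP and the one on the storage system leaves the SVP inoperable, it is worth confirming, after the storage-system upload and before the SVP upload, that the storage system is actually presenting the certificate you uploaded. The script below is an added example written for this page, not code from the Hitachi documentation or the storage system: it compares the SHA-256 fingerprint of a local PEM file with the fingerprint of the certificate an endpoint serves. The file path, host and port are supplied by the reader; the page does not state which port serves the path C certificate, so the port used here is an assumption, and the embedded sample PEM is a constructed stand-in used only to exercise the fingerprint code.

```python
"""Confirm that a storage system presents the certificate that was uploaded
to it, by comparing SHA-256 fingerprints of the local PEM and the served one.

Added example for this page; not code from the Hitachi documentation or the
storage system. File path, host and port are whatever the reader passes in;
the port that serves the path C certificate is an assumption of this script.
"""
import hashlib
import ssl
import sys


def pem_fingerprint(pem):
    """SHA-256 fingerprint of a PEM certificate as colon-separated upper-case hex,
    the same form `openssl x509 -fingerprint -sha256` prints."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_pem(host, port, timeout=5.0):
    """Fetch the leaf certificate an endpoint presents (Python 3.10+ for timeout).
    No chain validation here: the question is which certificate is served."""
    return ssl.get_server_certificate((host, port), timeout=timeout)


def compare(expected_pem, served_pem):
    """Return (match, fingerprint of expected, fingerprint of served)."""
    expected, served = pem_fingerprint(expected_pem), pem_fingerprint(served_pem)
    return expected == served, expected, served


# Constructed stand-in for a real certificate file: the body is base64 of b"abc".
# PEM_cert_to_DER_cert only strips the armour and base64-decodes, so the
# fingerprint of this input is simply sha256(b"abc").
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    if len(sys.argv) != 3:                  # usage: check_cert.py uploaded.pem HOST[:PORT]
        sys.exit(f"usage: {sys.argv[0]} uploaded.pem HOST[:PORT]")
    host, _, port = sys.argv[2].partition(":")
    with open(sys.argv[1]) as f:
        uploaded = f.read()
    match, want, got = compare(uploaded, fetch_pem(host, int(port or 443)))
    print(f"uploaded: {want}\nserved:   {got}")
    if not match:
        sys.exit("MISMATCH: the storage system is not presenting the uploaded "
                 "certificate; fix this before uploading the certificate to the SVP")
    print("OK: the storage system presents the uploaded certificate")
```

Run it against the storage system after the first upload; only when it reports OK should the same file be uploaded to the SVP. The same comparison, pointed at the SVP's web interface, shows which certificate path B is serving, which may legitimately differ from the path C certificate.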