SSL encryption of the storage system

System Administrator Guide for Virtual Storage Platform E Series

Version: 93-07-0x
Part Number: MK-97HM85028-18

The storage systems can use SSL encryption for all connection paths, as shown in the following figure and table. The encryption protocol used for SSL encryption is TLS version 1.2.
Note: The cipher suites for RSA key exchange used by SSL communication are set to enabled by default.


  • A: Path between the management client and the storage system.
  • B: Path between the SVP and the management client.
  • C: Path between the SVP and the storage system.
  • D: Path between the management client and the storage system.
Management model: Using embedded interfaces

Path A: Between management PC and storage system
Cipher suites:
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256

Management model: Using Device Manager - Storage Navigator

Path B: Between the SVP and client PC
Cipher suites:
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_PSK_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_PSK_WITH_AES_128_CBC_SHA

Path C: Between the SVP and the storage system
Cipher suites:
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

Path D: Between the client PC and storage system
Cipher suites:
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_GCM_SHA256

Note: When TLSv1.0/1.1 communication is disabled, pages might not appear properly depending on the TLS settings of the browser. Configure the browser TLS settings as follows:
  • Using Internet Explorer: Click Tools > Internet Options, go to the Advanced tab, and then select Use TLS 1.2.
  • Using Firefox: Enter about:config into the address bar to open the configuration editor (about:config page), and set the value of security.tls.version.max to 3.
  • Using Google Chrome: Click Chrome menu > Settings > Show advanced settings > Advanced settings, and then select Use TLS 1.2.
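
To see which of the listed suites rely on RSA or PSK key exchange, CBC mode, or an HMAC-SHA1 record MAC on each path, the following added example (not part of the guide or any vendor tooling) parses the suite names from the table above. The names PATHS, classify and audit are this example's own, and the forward-secrecy and AEAD labels are general TLS 1.2 properties rather than statements from the guide.

```python
import re

# Cipher suites per path (A-D), copied from the table above.
PATHS = {
    "A": """TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
            TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_256_CBC_SHA256
            TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256""",
    "B": """TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_256_CBC_SHA256
            TLS_RSA_WITH_AES_256_CBC_SHA TLS_PSK_WITH_AES_256_CBC_SHA
            TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256
            TLS_RSA_WITH_AES_128_CBC_SHA TLS_PSK_WITH_AES_128_CBC_SHA""",
    "C": """TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA
            TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
            TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384""",
    "D": """TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
            TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_256_CBC_SHA256
            TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256""",
}

# TLS 1.2 IANA name layout: TLS_<key exchange>_WITH_AES_<bits>_<mode>_<hash>
SUITE_RE = re.compile(r"^TLS_(?P<kx>\w+)_WITH_AES_\d+_(?P<mode>GCM|CBC)_(?P<mac>SHA\d*)$")

def classify(name):
    """Split one suite name into the properties an auditor cares about."""
    m = SUITE_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised suite name: {name}")
    return {
        "key_exchange": m["kx"],
        # Only ephemeral (EC)DH gives forward secrecy; static RSA and plain PSK do not.
        "forward_secrecy": m["kx"].split("_")[0] in ("ECDHE", "DHE"),
        "aead": m["mode"] == "GCM",
        # A bare "SHA" suffix on a CBC suite means an HMAC-SHA1 record MAC.
        "sha1_mac": m["mode"] == "CBC" and m["mac"] == "SHA",
    }

def audit(paths=PATHS):
    """Per path: suite count and how many lack forward secrecy, use CBC, or use HMAC-SHA1."""
    report = {}
    for path, blob in paths.items():
        rows = [classify(s) for s in blob.split()]
        report[path] = {"total": len(rows),
                        "no_fs": sum(not r["forward_secrecy"] for r in rows),
                        "cbc": sum(not r["aead"] for r in rows),
                        "sha1_mac": sum(r["sha1_mac"] for r in rows)}
    return report

if __name__ == "__main__":
    for path, counts in audit().items():
        print(f"path {path}: {counts}")
```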

To prevent a man-in-the-middle attack, the SSL encryption on path B (between the SVP and storage system) verifies the validity of the connection by using the certificate that was uploaded to the SVP in advance and by using the certificate of the storage system. The same certificate must be uploaded to the SVP and the storage system.

Note:
  • If a certificate for the SVP or the storage system is changed, the SVP does not operate normally. Upload the certificate to the storage system before uploading the certificate to the SVP.
  • Different certificates can be used to connect to the SVP and web server.

Certificate: A signed certificate of SSL encryption between the SVP and client PC
  Upload destination: SVP
  Comments: N/A

Certificate: For connecting to the SVP*
  Upload destination: SVP and storage system
  Comments: If a certificate for the SVP or the storage system was uploaded, the SVP will not operate normally.

Certificate: For connecting to the web server*
  Upload destination: SVP and storage system
  Comments: If a certificate for the SVP or storage system was uploaded, the SVP will not operate normally.

* You can use the same certificate for connecting to the SVP and connecting to the web server.