Requirements for connection with server certificate validation enabled
(Virtual machine) To establish a connection with server certificate verification enabled, the Subject Alternative Name (SAN) or CN information in the server certificate must include the connection destinations to be specified when operations (for example, adding/replacing storage nodes, changing/setting configuration information, and importing/exporting configuration files) are performed from the REST API, CLI, VSP One SDS Block Administrator (browser), or maintenance node.
(Bare metal)(Cloud) To establish a connection with server certificate verification enabled, the Subject Alternative Name (SAN) or CN information in the server certificate must include the connection destinations to be specified when operation is performed from the REST API, CLI, or VSP One SDS Block Administrator (browser).
In this section, "Subject Alternative Name" is abbreviated to "SAN".
In server certificate verification of SSL/TLS communication, the connection source (the client) checks whether the IP address or FQDN that it specified as the connection destination is included in the SAN or CN of the server certificate presented by the connection destination. An IP address is matched only against IP address entries and an FQDN only against host name entries, so the certificate must contain the destination in the same form in which it will later be specified. Note that many current TLS clients, browsers in particular, ignore the CN once a SAN extension is present, so new server certificates should carry the connection destinations in the SAN.
The following table shows examples of the connection destinations to be specified in the SAN or CN of the server certificate when server certificate verification is performed.
If you create a server certificate as described in Creating a certificate signing request, the content of the created server certificate corresponds to item 1 or 2 of the following table.
| No. | SAN | CN | Connection destination to be specified when server certificate verification is performed |
|---|---|---|---|
| 1 | (Virtual machine)(Bare metal) (Cloud) | - | (Virtual machine)(Bare metal) Specify either of the following items: Specifying an IP address results in a server certificate verification error. (Cloud) Specify either of the following items: Specifying an IP address results in a server certificate verification error. |
| 2 | (Virtual machine)(Bare metal) (Cloud) | - | |
| 3 | - | (Virtual machine)(Bare metal) (Cloud) | |
| 4 | (Virtual machine)(Bare metal) (Cloud) | - | (Virtual machine)(Bare metal) Specify either of the following items: Specifying an FQDN results in a server certificate verification error. (Cloud) Specify either of the following items: Specifying an FQDN results in a server certificate verification error. |
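The matching rule behind the table above (IP destination against SAN IP entries only, FQDN against SAN DNS entries, CN consulted only when the certificate has no SAN at all), as an added example that is not part of the VSP One SDS Block documentation. It works on the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns, so the same function can be pointed at a live peer certificate after a handshake; the host names, addresses and certificates below are constructed samples.

```python
import ipaddress

# Added example, not code from the VSP One SDS Block documentation.
# Certificates are constructed samples in the dict shape that
# ssl.SSLSocket.getpeercert() returns after a verified handshake.

def make_cert(san=(), cn=None):
    """Build a getpeercert()-shaped dict from a SAN list and an optional CN."""
    cert = {}
    if cn is not None:
        cert["subject"] = ((("commonName", cn),),)
    if san:
        cert["subjectAltName"] = tuple(san)
    return cert

def _san_values(cert, kind):
    return [value for key, value in cert.get("subjectAltName", ()) if key == kind]

def _common_names(cert):
    return [value for rdn in cert.get("subject", ()) for key, value in rdn
            if key == "commonName"]

def _dns_match(pattern, host):
    """Case-insensitive DNS-ID comparison; one leading wildcard label is allowed."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return pattern == host

def destination_matches(cert, destination):
    """Return (ok, reason) for the host name or IP literal the client connects to."""
    try:
        ip = ipaddress.ip_address(destination)
    except ValueError:
        ip = None

    if ip is not None:
        # An IP destination is compared only with iPAddress SAN entries; a
        # dNSName entry (table row 1) or the CN never satisfies it.
        for value in _san_values(cert, "IP Address"):
            try:
                if ipaddress.ip_address(value) == ip:
                    return True, f"{ip} found in SAN iPAddress entries"
            except ValueError:
                continue
        return False, f"{ip} not in SAN iPAddress entries"

    dns_ids = _san_values(cert, "DNS")
    if dns_ids and any(_dns_match(p, destination) for p in dns_ids):
        return True, f"{destination} matched a SAN dNSName entry"
    if "subjectAltName" in cert:
        # SAN present but without a matching dNSName (table row 4: iPAddress only).
        return False, f"{destination} not in SAN dNSName entries"
    # No SAN extension at all: fall back to the CN (table row 3).
    if any(_dns_match(cn, destination) for cn in _common_names(cert)):
        return True, f"{destination} matched CN (certificate has no SAN)"
    return False, f"{destination} matched neither SAN nor CN"

if __name__ == "__main__":
    fqdn_cert = make_cert(san=[("DNS", "sds-block.example.com")])  # table row 1
    ip_cert = make_cert(san=[("IP Address", "192.0.2.10")])         # table row 4
    cn_cert = make_cert(cn="sds-block.example.com")                 # table row 3
    checks = [(fqdn_cert, "sds-block.example.com"), (fqdn_cert, "192.0.2.10"),
              (ip_cert, "192.0.2.10"), (ip_cert, "sds-block.example.com"),
              (cn_cert, "sds-block.example.com")]
    for cert, dest in checks:
        print(dest, "->", destination_matches(cert, dest))
```

Running the block shows the two failure modes the table calls out: an IP address specified against a certificate whose SAN holds only an FQDN, and an FQDN specified against a certificate whose SAN holds only an IP address. The CN fallback is deliberately limited to host names; browsers and OpenSSL's IP check never consult the CN for an IP destination.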
Cipher suite requirements
The client software from which REST APIs are used and the browser from which the VSP One SDS Block Administrator is used must meet the following requirements for SSL/TLS cipher suites.
| Type of server certificate imported to VSP One SDS Block | Cipher suite requirements |
|---|---|
| RSA certificate | At least one of the following is supported. |
| ECC certificate | At least one of the following is supported. |
- Cipher suite requirements differ depending on whether an RSA server certificate or an ECC server certificate is imported to VSP One SDS Block. By default, an RSA server certificate is imported; a server certificate created and imported as described in this manual is also an RSA certificate.
- If the cipher suite requirements are not met, SSL/TLS communication cannot be established.
- CLIs running on Linux* controller nodes support the preceding cipher suites.
- CLIs running on Windows* controller nodes support the preceding cipher suites only when those cipher suites are enabled in the OS. They are enabled by default; for details, see the Microsoft documentation.
- For whether clients other than the CLIs on the controller nodes support the preceding cipher suites, see the documentation of the client software from which you use REST APIs or the browser from which you use the VSP One SDS Block Administrator.
- (Virtual machine) The preceding cipher suites are supported for operations on the maintenance node (adding and replacing nodes, changing and setting configuration information, importing and exporting configuration files, CLIs, and curl).
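A way to check, before opening a connection, whether a client meets the "at least one of the following" requirement for the certificate type that is imported, as an added example that is not part of the VSP One SDS Block documentation. The required suite names below are assumed placeholders in OpenSSL notation (the product's actual lists are in the table above); the sample client list is constructed to mirror what Python's `ssl.SSLContext.get_ciphers()` returns, including its `auth` field, which is what ties a suite to the RSA or ECC key of the server certificate.

```python
import ssl

# Added example, not the product's own code. REQUIRED_* are ASSUMED placeholder
# suite names in OpenSSL notation; substitute the lists from the product table.
REQUIRED_FOR_RSA_CERT = ("ECDHE-RSA-AES256-GCM-SHA384",
                         "ECDHE-RSA-AES128-GCM-SHA256",
                         "TLS_AES_256_GCM_SHA384")
REQUIRED_FOR_ECC_CERT = ("ECDHE-ECDSA-AES256-GCM-SHA384",
                         "ECDHE-ECDSA-AES128-GCM-SHA256",
                         "TLS_AES_256_GCM_SHA384")

# An RSA server key can only sign handshakes of ECDHE-RSA suites, an ECC
# (ECDSA) key only those of ECDHE-ECDSA suites; TLS 1.3 suites ("auth-any")
# work with either key type.
CERT_AUTH = {"RSA": {"auth-rsa", "auth-any"}, "ECC": {"auth-ecdsa", "auth-any"}}

def offered_ciphers(context=None):
    """Cipher dicts the local client would offer, as reported by the ssl module."""
    ctx = context or ssl.create_default_context()
    return ctx.get_ciphers()

def usable_with_cert(ciphers, cert_type):
    """Names of offered suites whose authentication the certificate key can provide."""
    return [c["name"] for c in ciphers if c.get("auth") in CERT_AUTH[cert_type]]

def negotiable(required, ciphers, cert_type):
    """Suites that are required by the server, offered by the client, and
    compatible with the server certificate type. Empty means no connection."""
    return sorted(set(required) & set(usable_with_cert(ciphers, cert_type)))

# Constructed sample of a client's offer, in get_ciphers() shape (not real output).
SAMPLE_CLIENT = [
    {"name": "TLS_AES_256_GCM_SHA384", "protocol": "TLSv1.3", "auth": "auth-any"},
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "protocol": "TLSv1.2", "auth": "auth-rsa"},
    {"name": "AES128-SHA", "protocol": "TLSv1.0", "auth": "auth-rsa"},
]
# A constructed legacy client that offers no ECDHE or TLS 1.3 suite at all.
LEGACY_CLIENT = [{"name": "AES128-SHA", "protocol": "TLSv1.0", "auth": "auth-rsa"}]

if __name__ == "__main__":
    for cert_type, required in (("RSA", REQUIRED_FOR_RSA_CERT),
                                ("ECC", REQUIRED_FOR_ECC_CERT)):
        print(cert_type, "sample client:", negotiable(required, SAMPLE_CLIENT, cert_type))
        print(cert_type, "legacy client:", negotiable(required, LEGACY_CLIENT, cert_type))
        print(cert_type, "this host:", negotiable(required, offered_ciphers(), cert_type))
```

The "this host" lines show the result for the Python/OpenSSL build the script runs on; for a browser or other REST client, consult that client's documentation as the note above says, since its offer is not visible from here.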