Client requirements for SSL/TLS communication

Virtual Storage Platform One SDS Block System Administrator Guide

Version: 1.15.x
Audience: anonymous
Part Number: MK-24VSP1SDS001-02

Requirements for connection with server certificate validation enabled

(Virtual machine) To establish a connection with server certificate verification enabled, the Subject Alternative Name (SAN) or CN information in the server certificate must include the connection destinations to be specified when operations (for example, adding/replacing storage nodes, changing/setting configuration information, and importing/exporting configuration files) are performed from the REST API, CLI, VSP One SDS Block Administrator (browser), or maintenance node.

(Bare metal)(Cloud) To establish a connection with server certificate verification enabled, the Subject Alternative Name (SAN) or CN information in the server certificate must include the connection destinations to be specified when operation is performed from the REST API, CLI, or VSP One SDS Block Administrator (browser).

In this section, "Subject Alternative Name" is abbreviated to "SAN".

Note:

In server certificate verification for SSL/TLS communication, the connection source checks whether the IP address or FQDN that it specified as the connection destination is included in the SAN or CN information of the server certificate presented by the connection destination.

The following table shows examples of the connection destinations to be specified in SAN or CN in the server certificate when server certificate verification is performed.

If you create a server certificate as described in Creating a certificate signing request, the created server certificate content corresponds to item 1 or 2 of the following table.

Table columns: No. / SAN / CN / Connection destination to be specified when server certificate verification is performed

No. 1

  SAN:

    (Virtual machine)(Bare metal)
      • FQDN corresponding to the representative cluster IP address
        (Example: storage.example.com)
      • FQDN corresponding to the IP address of the control port for each storage node
        (Example: storage-node1.example.com, storage-node2.example.com, ...)

    (Cloud)
      • FQDN of the load balancer (ELB)
        (Example: storage.example.com)
      • FQDN corresponding to the IP address of each storage node control port (for the number of nodes)
        (Example: storage-node1.example.com, storage-node2.example.com, ...)

  CN: -

  Connection destination to be specified when server certificate verification is performed:

    (Virtual machine)(Bare metal)
      Specify either of the following items:
      • FQDN corresponding to the representative cluster IP address
      • FQDN corresponding to the IP address of the control port for each storage node
      Specifying an IP address results in a server certificate verification error.

    (Cloud)
      Specify either of the following items:
      • FQDN of the load balancer (ELB)
      • FQDN corresponding to the IP address of each storage node control port
      Specifying an IP address results in a server certificate verification error.

No. 2

  SAN:

    (Virtual machine)(Bare metal)
      • Generic FQDN that uses a wildcard character to represent the FQDN that corresponds to the representative cluster IP address and the FQDNs that correspond to the IP addresses of the control ports for the storage nodes
        (Example: *.example.com)

    (Cloud)
      • Generic FQDN that uses a wildcard character to represent the subdomain of the FQDN for the load balancer (ELB) and the FQDNs that correspond to the IP addresses of the control ports for the storage nodes
        (Example: *.example.com)

  CN: -

  Connection destination to be specified when server certificate verification is performed: same as No. 1 (specify an FQDN; specifying an IP address results in a server certificate verification error).

No. 3

  SAN: -

  CN:

    (Virtual machine)(Bare metal)
      • Generic FQDN that uses a wildcard character to represent the FQDN that corresponds to the representative cluster IP address and the FQDNs that correspond to the IP addresses of the control ports for the storage nodes
        (Example: *.example.com)

    (Cloud)
      • Generic FQDN that uses a wildcard character to represent the subdomain of the FQDN for the load balancer (ELB) and the FQDNs that correspond to the IP addresses of the control ports for the storage nodes
        (Example: *.example.com)

  Connection destination to be specified when server certificate verification is performed: same as No. 1 (specify an FQDN; specifying an IP address results in a server certificate verification error).

No. 4

  SAN:

    (Virtual machine)(Bare metal)
      • Representative cluster IP address
        (Example: 192.0.2.100)
      • IP address of the control port for each storage node
        (Example: 192.0.2.101, 192.0.2.102, ...)

    (Cloud)
      • IP address of the load balancer (ELB)
        (Example: 192.0.2.100)
      • IP address of the control port for each storage node (for the number of nodes)
        (Example: 192.0.2.101, 192.0.2.102, ...)

  CN: -

  Connection destination to be specified when server certificate verification is performed:

    (Virtual machine)(Bare metal)
      Specify either of the following items:
      • Representative cluster IP address
      • IP address of the control port for the storage node
      Specifying an FQDN results in a server certificate verification error.

    (Cloud)
      Specify either of the following items:
      • IP address of the load balancer (ELB)
      • IP address of the control port for the storage node
      Specifying an FQDN results in a server certificate verification error.
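The SAN/CN check the table describes, as an added example that is not part of the guide: a small Python matcher over a simplified certificate representation, with constructed certificates mirroring rows 1 to 4. It assumes that dNSName entries match hostnames case-insensitively with a single-label wildcard, that iPAddress entries match IP literals only, and that the CN is consulted only when the certificate carries no SAN at all.

```python
"""SAN/CN matching for a connection destination, as a TLS client performs it.
Certificates are a simplified dict {"san_dns": [...], "san_ip": [...], "cn": ...}
(an assumption of this example, not a real parsed X.509 object)."""
import ipaddress


def _is_ip(destination):
    try:
        ipaddress.ip_address(destination)
        return True
    except ValueError:
        return False


def _dns_name_matches(pattern, host):
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    # A wildcard covers exactly one leftmost label: "*.example.com" matches
    # "storage-node1.example.com" but not "example.com" or "a.b.example.com".
    suffix = pattern[1:]
    return host.endswith(suffix) and "." not in host[:-len(suffix)]


def destination_matches(cert, destination):
    """True when the destination passes SAN/CN verification against cert."""
    has_san = bool(cert.get("san_dns") or cert.get("san_ip"))
    if _is_ip(destination):
        # An IP literal is matched only against iPAddress SAN entries, so a
        # certificate that carries only FQDNs fails for it (table rows 1 to 3).
        wanted = ipaddress.ip_address(destination)
        return any(ipaddress.ip_address(ip) == wanted for ip in cert.get("san_ip", []))
    if has_san:
        # FQDN destinations are matched against dNSName SAN entries only.
        return any(_dns_name_matches(n, destination) for n in cert.get("san_dns", []))
    # No SAN at all: fall back to the CN (table row 3).
    return bool(cert.get("cn")) and _dns_name_matches(cert["cn"], destination)


# Constructed certificates mirroring table rows 1 to 4 (not real certificates).
CERT_ROW1 = {"san_dns": ["storage.example.com", "storage-node1.example.com"], "san_ip": [], "cn": None}
CERT_ROW2 = {"san_dns": ["*.example.com"], "san_ip": [], "cn": None}
CERT_ROW3 = {"san_dns": [], "san_ip": [], "cn": "*.example.com"}
CERT_ROW4 = {"san_dns": [], "san_ip": ["192.0.2.100", "192.0.2.101"], "cn": None}

if __name__ == "__main__":
    for cert, dest in [(CERT_ROW1, "storage.example.com"), (CERT_ROW1, "192.0.2.100"),
                       (CERT_ROW2, "storage-node2.example.com"), (CERT_ROW4, "storage.example.com")]:
        print(dest, "->", "OK" if destination_matches(cert, dest) else "verification error")
```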

Cipher suite requirements

The client software from which REST APIs are used and the browser from which the VSP One SDS Block Administrator is used must meet the following requirements for SSL/TLS cipher suites.

Table columns: Type of server certificate imported to VSP One SDS Block / Cipher suite requirements

RSA certificate

  At least one of the following is supported.
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

ECC certificate

  At least one of the following is supported.
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

Note:
  • Cipher suite requirements differ depending on whether an RSA server certificate or ECC server certificate is imported to VSP One SDS Block. By default, an RSA server certificate is imported. If you have created and imported a server certificate according to this manual, an RSA certificate is imported.

  • If the cipher suite requirements are not met, SSL/TLS communication cannot be established.

  • CLIs running on the Linux* controller nodes support the preceding cipher suites.

  • CLIs running on the Windows* controller nodes support the preceding cipher suites only when cipher suites are enabled. Cipher suites are enabled by default on the OS. For details, see the Microsoft documentation.

  • For whether client software other than the CLIs on the controller nodes supports the preceding cipher suites, see the documentation of the client software from which you use REST APIs or of the browser from which you use the VSP One SDS Block Administrator.

  • (Virtual machine)

    The preceding cipher suites are supported for operations on the maintenance node (adding and replacing nodes, changing and setting configuration information, importing and exporting configuration files, CLIs, and curl).
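An added example, not from the guide: a Python check that a client's offered cipher suites include at least one of the suites required for the imported certificate type. It assumes the OpenSSL spellings of the listed IANA names (for example ECDHE-RSA-AES256-GCM-SHA384), which is what Python's ssl module reports; the offered lists are constructed, and local_client_offer() reads the live list from the local OpenSSL build.

```python
"""Cipher suite requirement check for the certificate type imported to
VSP One SDS Block. Suite names may be given in IANA form (as in the table)
or in the OpenSSL form that Python's ssl module reports (an assumed mapping)."""
import ssl

REQUIRED = {
    "RSA": {
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    },
    "ECC": {
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    },
}


def to_iana(name):
    """Map an OpenSSL (EC)DHE suite name such as ECDHE-RSA-AES256-GCM-SHA384 to
    its IANA name; other names are returned unchanged and simply never match."""
    if not name.startswith(("DHE-", "ECDHE-")):
        return name
    kex, auth, *rest = name.replace("AES128", "AES_128").replace("AES256", "AES_256").split("-")
    return "TLS_%s_%s_WITH_%s" % (kex, auth, "_".join(rest))


def satisfied(offered, cert_type):
    """Required suites (IANA names) that the client offers for cert_type; an
    empty set means SSL/TLS communication cannot be established."""
    return REQUIRED[cert_type] & {to_iana(n) for n in offered}


def local_client_offer():
    """Suites the local Python/OpenSSL client offers (live, not constructed)."""
    return [c["name"] for c in ssl.create_default_context().get_ciphers()]


# Constructed client offers, not captured from any real system.
OFFER_MODERN = ["ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256"]
OFFER_LEGACY = ["ECDHE-RSA-AES256-SHA", "DHE-RSA-AES256-SHA256", "AES128-SHA"]

if __name__ == "__main__":
    for cert_type in ("RSA", "ECC"):
        print(cert_type, "with local client:", satisfied(local_client_offer(), cert_type) or "NOT MET")
```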