Create Self-signed SSL Certificate
Overview
This function creates the SSL server key and the self-signed SSL certificate that are used to encrypt communication with Secure Socket Layer (SSL).
SSL is used when accessing from Web GUI via the HTTPS connection.
When creating a self-signed SSL certificate, the following operations and confirmations are required. Follow the procedure to perform the required operations.
1. Back up the self-signed SSL certificate that is currently registered in the storage system.
2. Stop access from the SMI-S client and RESTful API client and log out all the Web GUI users (other than yourself) currently logged in to the storage system.
3. Use this function to create an SSL server key and a self-signed SSL certificate, and then log out from Web GUI.
   After the creation is instructed, HTTP/HTTPS communications are stopped to apply the certificate. Access from Web GUI or RESTful API via the HTTP/HTTPS connection is not available until the certificate is applied.
4. After Step 3 is completed, wait a few minutes and then check the following error log. Refer to "Display/Delete Event Log" for details.
   - When RESTful API is disabled
     Network service startup error. service=GUI <ce#$b cm#$c factor=$d>
   - When RESTful API is enabled
     Network service startup error. service=GUI <ce#$b cm#$c factor=$d>
     and
     Network service startup error. service=Restful API <ce#$b cm#$c factor=$d>
5. If an error log is output in Step 4, re-execute the procedure from Step 2. If no error logs are output in Step 4, proceed to Step 6.
6. Register the self-signed SSL certificate on the browser. Refer to "Note" for details.
7. If RESTful API is enabled, apply the self-signed SSL certificate to the RESTful API client and then restart the HTTPS communication.
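Steps 4 and 5 written as a check over event-log entries, as an added example that is not part of the vendor documentation. It assumes the log has been exported as (timestamp, message) pairs; the sample entries, their timestamps and their ce#/cm#/factor values are constructed.

```python
import re
from datetime import datetime

# Message template from Step 4; the values after ce#, cm# and factor= differ per event.
STARTUP_ERROR = re.compile(
    r"Network service startup error\. service=(?P<service>GUI|Restful API)"
    r"(?: <ce#(?P<ce>\S+) cm#(?P<cm>\S+) factor=(?P<factor>[^\s>]+)>)?"
)

# Constructed sample: (time logged, message) pairs as an export script might produce them.
# The timestamps and the ce#/cm#/factor values are made up for this example.
SAMPLE_EVENTS = [
    (datetime(2024, 5, 1, 9, 2), "Network service startup error. service=GUI <ce#0 cm#0 factor=1>"),
    (datetime(2024, 5, 1, 14, 1), "User logged out from GUI"),
    (datetime(2024, 5, 1, 14, 4), "Network service startup error. service=Restful API <ce#0 cm#1 factor=3>"),
]
CREATED_AT = datetime(2024, 5, 1, 14, 0)  # when [Create] was confirmed in Step 3 (constructed)


def next_step(events, created_at, restful_api_enabled):
    """Apply Steps 4 and 5: return (2, errors) to repeat from Step 2, or (6, []) to go on."""
    # Step 4 lists the GUI message always and the Restful API message only when that API is enabled.
    watched = {"GUI", "Restful API"} if restful_api_enabled else {"GUI"}
    errors = []
    for logged_at, message in events:
        match = STARTUP_ERROR.search(message)
        if match is None or match["service"] not in watched:
            continue
        if logged_at < created_at:
            continue  # left over from before this certificate was created
        errors.append({"time": logged_at, **match.groupdict()})
    return (2 if errors else 6), errors
```

Filtering on the creation time keeps an older startup error from sending the operator back to Step 2 for a certificate that applied cleanly.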
- The HTTPS connection from Web GUI is disabled in the factory settings.
- After the SSL server key and the self-signed SSL certificate are created, access from RESTful API and Web GUI via the HTTP/HTTPS connection is not available until they are applied to the storage system.
- The self-signed SSL certificate must be registered on the browser in the setting PC. Until the registration has been completed, a warning message is displayed when accessing from Web GUI via the HTTPS connection.
- If this function is executed while the following conditions are all satisfied, a message requesting the reboot of SMI-S appears in the result screen. Refer to the [Setup SMI-S Environment] function for details.
  - "Enable" is selected for "SMI-S"
  - "Web GUI SSL Certificate" is selected for "SSL Certificate"
- There are two types of SSL certificates: the "self-signed SSL certificate" that is created by this function and the "SSL server certificate". Register either of the certificates in the storage system when using the HTTPS connection. To use the "SSL server certificate", use the [Create Key/CSR] function and the [Register SSL Certificate] function.
- When using the key server to manage the SED authentication key, a trusted SSL certificate (a "self-signed SSL certificate" or an "SSL server certificate") is required to establish communication between the storage system and the key server. When using the key management server linkage function to manage the key, register the SSL certificate for the storage system. The SSL certificate is transferred to the key server from the storage system when the key is updated. Refer to the [Update SED Authentication Key] function for details.
- Refer to "Installing the Security Certificate" in "Configuration Guide (Web GUI)" for the procedure to install the self-signed SSL certificate.
User Privileges
Availability of Executions in the Default Role
Default role | Availability of executions |
---|---|
Monitor | |
Admin | |
StorageAdmin | |
AccountAdmin | |
SecurityAdmin | |
Maintainer | |
Refer to "User Roles and Policies" for details on the policies and roles.
Settings
Create Self-signed SSL Certificate Setting
Item | Description | Setting values |
---|---|---|
Key Length | Select the SSL server key length. The SSL server key length corresponds to the encryption level. In general, the longer the key, the higher the encryption level (that is, the harder it is to decrypt the encrypted data). | 1024 bit, 2048 bit (Default), 4096 bit |
Common Name | Enter the main IP address or a Fully Qualified Domain Name (FQDN) of the port (an MNT port, an RMT port, or an FST (*1) port) for using with HTTPS access from Web GUI (required). There are two methods to specify the main IP address: "IPv4" and "IPv6". The following IPv6 addresses can be used: "link local address", "global address", "unique local address", or "6to4 address". Refer to "Available IPv6 Address" for details. When the current setting is displayed, the IPv6 address is displayed as an abbreviation. | |
Subject Alt Name | Enter IP addresses or FQDNs of the ports (multiple MNT ports, RMT ports, and FST (*1) ports) to use with HTTPS access from Web GUI. For the IP address or the FQDN, the primary IP address or FQDN that is entered in the "Common Name" field is included. There are two methods to specify an IP address: "IPv4" and "IPv6". The following IPv6 addresses can be used: "link local address", "global address", "unique local address", or "6to4 address". Refer to "Available IPv6 Address" for details. When the current setting is displayed, the IPv6 address is displayed as an abbreviation. | Multiple IP addresses and FQDNs can be specified. Start a new line for each IP address or FQDN when specifying multiple IP addresses and FQDNs. If IPv4 addresses, IPv6 addresses, and FQDNs exist in the setting field, up to 511 characters that include a "." (dot), a ":" (colon), and a linefeed code can be entered. |
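A pre-flight check of the values in this table, as an added example that is not part of the vendor documentation: it validates each Subject Alt Name line, applies the 511-character limit, and reports any address clients use that the certificate would not cover. The hostname syntax rule, counting a linefeed as one character, the `client_targets` parameter and treating 1024 bit as a finding are assumptions of this example.

```python
import ipaddress
import re

MAX_SAN_CHARS = 511               # limit the page states for the "Subject Alt Name" field
KEY_LENGTHS = (1024, 2048, 4096)  # choices listed for "Key Length"
# Assumption: FQDN labels follow ordinary hostname syntax; the page does not spell this out.
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify(entry):
    """Return ("ip", abbreviated address) or ("dns", lower-cased FQDN); raise ValueError otherwise."""
    try:
        # .compressed is the abbreviated IPv6 form, so "2001:0db8::0001" and "2001:db8::1" compare equal
        return "ip", ipaddress.ip_address(entry).compressed
    except ValueError:
        pass
    labels = entry.rstrip(".").split(".")
    if len(labels) < 2 or labels[-1].isdigit() or not all(LABEL.match(l) for l in labels):
        raise ValueError(f"not an IPv4 address, IPv6 address or FQDN: {entry!r}")
    return "dns", ".".join(labels).lower()


def check_request(key_length, common_name, san_field, client_targets):
    """Return (names the certificate will cover, findings to resolve before clicking [Create])."""
    findings = []
    if key_length not in KEY_LENGTHS:
        findings.append(f"key length {key_length} is not one of {KEY_LENGTHS}")
    elif key_length < 2048:  # this example's policy, not a rule from the page
        findings.append("1024 bit is shorter than the 2048 bit default; choose 2048 or 4096")
    if not common_name.strip():
        findings.append("Common Name is required")
    if len(san_field) > MAX_SAN_CHARS:  # assumption: each linefeed counts as one character
        findings.append(f"Subject Alt Name is {len(san_field)} characters; limit is {MAX_SAN_CHARS}")
    covered = []
    for raw in [common_name] + san_field.splitlines():
        if not raw.strip():
            continue
        try:
            name = classify(raw.strip())
        except ValueError as exc:
            findings.append(str(exc))
            continue
        if name not in covered:  # the page says the Common Name value is included
            covered.append(name)
    for target in client_targets:
        if classify(target) not in covered:
            findings.append(f"clients connect to {target}, which the certificate would not cover")
    return covered, findings
```

Running this before Step 3 matters because HTTP/HTTPS access stops while the certificate is applied, so a missing name means repeating that interruption.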
Operating Procedures
1. Click [Create SSL Certificate] in [Action].
2. Specify the parameters, and click the [Create] button.
   → A confirmation screen appears.
   Caution
   - An error screen appears in the following conditions:
     - When items do not satisfy the input conditions
     - When all of the required items are not input
3. Click the [OK] button.
   → Creation of the self-signed SSL certificate starts.
4. Click the [Done] button to return to the [Network] screen.
   Note
   - Access from RESTful API and Web GUI via the HTTP/HTTPS connection is not available until the certificate is applied to the storage system.
   - If SMI-S is enabled, a message requesting the reboot of SMI-S appears. Refer to the [Setup SMI-S Environment] function for details.