Create Self-signed SSL Certificate

Overview

This function creates the SSL server key and the self-signed SSL certificate that are used to encrypt communication with Secure Socket Layer (SSL).

SSL is used when Web GUI is accessed via the HTTPS connection.

When creating a self-signed SSL certificate, the following operations and confirmations are required. Follow the procedure to perform the required operations.

  1. Back up the self-signed SSL certificate that is currently registered in the storage system.

  2. Stop access from the SMI-S client and RESTful API client and log out all the Web GUI users (other than yourself) currently logged in to the storage system.

  3. Use this function to create an SSL server key and a self-signed SSL certificate, and then log out from Web GUI.

    After creation is requested, HTTP/HTTPS communications are stopped to apply the certificate. Access from Web GUI or RESTful API via the HTTP/HTTPS connection is not available until the certificate is applied.

  4. After Step 3 is completed, wait a few minutes and then check the following error log. Refer to "Display/Delete Event Log" for details.

    • When RESTful API is disabled

      Network service startup error. service=GUI <ce#$b cm#$c factor=$d>

    • When RESTful API is enabled

      Network service startup error. service=GUI <ce#$b cm#$c factor=$d>

      and

      Network service startup error. service=Restful API <ce#$b cm#$c factor=$d>

  5. If an error log is output in Step 4, re-execute the procedure from Step 2. If no error logs are output in Step 4, proceed to Step 6.

  6. Register the self-signed SSL certificate on the browser. Refer to "Note" for details.

    If RESTful API is enabled, apply the self-signed SSL certificate to the RESTful API client and then restart the HTTPS communication.
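
The decision in Steps 4 and 5 can be applied to an exported copy of the event log. The following Python script is an added example, not part of the storage system or its documentation; the function name, the timestamp prefix on each line, and the sample lines are constructed assumptions, and only the message text is taken from Step 4.

```python
import re
from datetime import datetime

# Message text from Step 4; the <ce#... cm#... factor=...> suffix varies per event.
STARTUP_ERROR = re.compile(
    r"Network service startup error\. service=(GUI|Restful API)(?: <(?P<detail>[^>]*)>)?")
# Assumption: each exported line starts with "YYYY-MM-DD HH:MM:SS".
STAMP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s")


def next_step(log_text, created_at, restful_api_enabled):
    """Return (step, hits): step 2 means redo from Step 2, step 6 means continue."""
    watched = {"GUI", "Restful API"} if restful_api_enabled else {"GUI"}
    hits = []
    for line in log_text.splitlines():
        stamp, err = STAMP.match(line), STARTUP_ERROR.search(line)
        if not (stamp and err) or err.group(1) not in watched:
            continue
        when = datetime.strptime(stamp.group(1), "%Y-%m-%d %H:%M:%S")
        if when >= created_at:  # ignore errors older than this creation attempt
            hits.append((when, err.group(1), err.group("detail")))
    return (2 if hits else 6), hits


# Constructed sample export, not output from a real storage system.
SAMPLE_LOG = """\
2024-05-01 09:12:40 Network service startup error. service=GUI <ce#0 cm#0 factor=1>
2024-05-14 10:03:11 Created self-signed SSL certificate
2024-05-14 10:05:27 Network service startup error. service=Restful API <ce#0 cm#1 factor=2>
"""

if __name__ == "__main__":
    print(next_step(SAMPLE_LOG, datetime(2024, 5, 14, 10, 0, 0), True))
```

Passing the time at which Step 3 was executed as created_at keeps startup errors from earlier attempts from triggering another pass through Step 2.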

Caution
  • The HTTPS connection from Web GUI is disabled in the factory settings.

  • After the SSL server key and the self-signed SSL certificate are created, access from RESTful API and Web GUI via the HTTP/HTTPS connection is not available until they are applied to the storage system.

  • The self-signed SSL certificate must be registered on the browser in the setting PC. Until the registration has been completed, a warning message is displayed when accessing from Web GUI via the HTTPS connection.

  • If this function is executed while the following conditions are all satisfied, a message requesting the reboot of SMI-S appears in the result screen. Refer to the [Setup SMI-S Environment] function for details.
    • "Enable" is selected for "SMI-S"

    • "Web GUI SSL Certificate" is selected for "SSL Certificate"

Note
  • There are two types of SSL certificates: the "self-signed SSL certificate" that is created by this function and the "SSL server certificate". Register either of the certificates in the storage system when using the HTTPS connection. To use the "SSL server certificate", use the [Create Key/CSR] function and the [Register SSL Certificate] function.

  • When using the key server to manage the SED authentication key, a trusted SSL certificate (a "self-signed SSL certificate" or an "SSL server certificate") is required to establish communication between the storage system and the key server. When using the key management server linkage function to manage the key, register the SSL certificate for the storage system. The SSL certificate is transferred to the key server from the storage system when the key is updated. Refer to the [Update SED Authentication Key] function for details.

  • Refer to "Installing the Security Certificate" in "Configuration Guide (Web GUI)" for the procedure to install the self-signed SSL certificate.

User Privileges

Availability of Executions in the Default Role

Default role Availability of executions
Monitor  
Admin
StorageAdmin  
AccountAdmin  
SecurityAdmin  
Maintainer

Refer to "User Roles and Policies" for details on the policies and roles.

Settings

Create Self-signed SSL Certificate Setting

Item Description Setting values

Key Length

Select the SSL server key length.

The SSL server key length is equivalent to the encryption level. In general, the longer the key is, the higher the encryption level becomes (meaning that the encrypted data is more difficult to decrypt).

1024 bit

2048 bit (Default)

4096 bit

Common Name

Enter the main IP address or a Fully Qualified Domain Name (FQDN) of the port (an MNT port, an RMT port, or an FST (*1) port) to use with HTTPS access from Web GUI (required).

*1  :  FST can be used for the ETERNUS DX500 S5/DX600 S5/DX900 S5, the ETERNUS DX8100 S4/DX8900 S4, and the ETERNUS AF650 S3.

There are two methods to specify the main IP address: "IPv4" and "IPv6". The following IPv6 addresses can be used: "link local address", "global address", "unique local address", or "6to4 address". Refer to "Available IPv6 Address" for details. When the current setting is displayed, the IPv6 address is displayed as an abbreviation.

  • For IPv4 address

    • xxx.xxx.xxx.xxx

      xxx: 1 - 255 for the top field (decimal)

      xxx: 0 - 255 for other fields (decimal)

    • Class must be A, B, or C.

  • For IPv6 address

    xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx

    xxxx: 0 - ffff (FFFF) (hexadecimal, alphanumeric characters)

    Refer to "IPv6 Address Notation" for details.

  • For FQDN

    Up to 63 alphanumeric characters and symbols

    (except "<", ">", "~", "!", "@", "#", "$", "%", "^", "\", "?", "&", and space)

Subject Alt Name

Enter IP addresses or FQDNs of the ports (multiple MNT ports, RMT ports, and FST (*1) ports) to use with HTTPS access from Web GUI. The primary IP address or FQDN that is entered in the "Common Name" field is included among these IP addresses or FQDNs.

*1  :  FST can be used for the ETERNUS DX500 S5/DX600 S5/DX900 S5, the ETERNUS DX8100 S4/DX8900 S4, and the ETERNUS AF650 S3.

There are two methods to specify an IP address: "IPv4" and "IPv6". The following IPv6 addresses can be used: "link local address", "global address", "unique local address", or "6to4 address". Refer to "Available IPv6 Address" for details. When the current setting is displayed, the IPv6 address is displayed as an abbreviation.

  • For IPv4 address

    • xxx.xxx.xxx.xxx

      xxx: 1 - 255 for the top field (decimal)

      xxx: 0 - 255 for other fields (decimal)

    • Class must be A, B, or C.

  • For IPv6 address

    xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx

    xxxx: 0 - ffff (FFFF) (hexadecimal, alphanumeric characters)

    Refer to "IPv6 Address Notation" for details.

  • For FQDN

    Up to 511 alphanumeric characters and symbols

    (A linefeed code is also counted as one character. Except "<", ">", "~", "!", "@", "#", "$", "%", "^", "\", "?", "&", and space.)

Multiple IP addresses and FQDNs can be specified. Start a new line for each IP address or FQDN when specifying multiple IP addresses and FQDNs.

If IPv4 addresses, IPv6 addresses, and FQDNs exist in the setting field, up to 511 characters that include a "." (dot), a ":" (colon), and a linefeed code can be entered.
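
The input conditions for "Common Name" and "Subject Alt Name" can be checked before the values are entered in the setting screen. The following Python script is an added example, not part of the storage system or its documentation; the function names and sample values are constructed. It assumes that "Class must be A, B, or C" means a top field of 1 - 223, does not check IPv6 address types, and reports a "Subject Alt Name" list that omits the "Common Name" value.

```python
import ipaddress
import re

# Characters the page excludes from FQDN input (space included).
FORBIDDEN = set('<>~!@#$%^\\?& ')
DOTTED = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def check_entry(value, fqdn_max):
    """Return a list of problems for one IP address or FQDN (empty list = OK)."""
    if DOTTED.match(value):
        octets = [int(part) for part in value.split(".")]
        if any(o > 255 for o in octets):
            return ["IPv4 field out of range 0 - 255"]
        # Assumption: "Class must be A, B, or C" is read as top field 1 - 223.
        if not 1 <= octets[0] <= 223:
            return ["IPv4 top field must be 1 - 223 (class A, B, or C)"]
        return []
    if ":" in value:
        try:
            ipaddress.IPv6Address(value)  # address-type limits are not checked
            return []
        except ValueError:
            return ["not a valid IPv6 address"]
    problems = [] if value else ["empty value"]
    if len(value) > fqdn_max:
        problems.append(f"FQDN longer than {fqdn_max} characters")
    bad = sorted(FORBIDDEN.intersection(value))
    if bad:
        problems.append("FQDN contains excluded characters: " + " ".join(map(repr, bad)))
    return problems


def check_settings(common_name, subject_alt_name):
    """Check both fields; subject_alt_name is the multi-line field text."""
    san = []
    if len(subject_alt_name) > 511:  # linefeed codes count toward the limit
        san.append("field longer than 511 characters")
    entries = [e for e in subject_alt_name.split("\n") if e]
    for entry in entries:
        san += [f"{entry!r}: {p}" for p in check_entry(entry, fqdn_max=511)]
    if entries and common_name not in entries:
        san.append("Common Name value is not listed")
    findings = {"Common Name": check_entry(common_name, 63), "Subject Alt Name": san}
    return {field: p for field, p in findings.items() if p}


# Constructed sample values (documentation address ranges), not from a real system.
SAMPLE_CN = "192.0.2.10"
SAMPLE_SAN = "192.0.2.10\nstorage01.example.com\n2001:db8::10"
```

check_settings(SAMPLE_CN, SAMPLE_SAN) returns an empty dictionary when every value satisfies the input conditions; otherwise it returns the problems found, grouped by field.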

Operating Procedures

  1. Click [Create SSL Certificate] in [Action].

  2. Specify the parameters, and click the [Create] button.

    → A confirmation screen appears.

    Caution
    • An error screen appears in the following conditions:
      • When items do not satisfy the input conditions

      • When not all of the required items are input

  3. Click the [OK] button.

    → Creation of the self-signed SSL certificate starts.

  4. Click the [Done] button to return to the [Network] screen.

    Note
    • Access from RESTful API and Web GUI via the HTTP/HTTPS connection is not available until the certificate is applied to the storage system.

    • If SMI-S is enabled, a message requesting the reboot of SMI-S appears. Refer to the [Setup SMI-S Environment] function for details.