SANtricity 11.8

Use CA-signed certificates for authentication with a key management server

Contributors netapp-jolieg

For secure communications between a key management server and the storage array controllers, you must configure the appropriate sets of certificates.

Before you begin

You must be logged in with a user profile that includes Security admin permissions. Otherwise, certificate functions do not appear.

About this task

Authenticating between the controllers and a key management server is a two-step procedure.

Step 1: Complete and submit CSR for authentication with a key management server

You must first generate a certificate signing request (CSR) file, and then use the CSR to request a signed client certificate from a certificate authority (CA) that is trusted by the key management server. You can also create and download a client certificate from the key management server using the downloaded CSR file. A client certificate validates the storage array's controllers, so the key management server can trust their Key Management Interoperability Protocol (KMIP) requests.

Steps
  1. Select Settings > Certificates.

  2. From the Key Management tab, select Complete CSR.

  3. Enter the following information:

    • Common name — A name that identifies this CSR, such as the storage array name, which will be displayed in the certificate files.

    • Organization — The full, legal name of your company or organization. Include suffixes, such as Inc. or Corp.

    • Organizational unit (optional) — The division of your organization that is handling the certificate.

    • City/Locality — The city or locality where your organization is located.

    • State/Region (optional) — The state or region where your organization is located.

    • Country ISO code — The two-letter ISO (International Organization for Standardization) country code, such as US, for the country where your organization is located.

  4. Click Download.

    A CSR file is saved to your local system.

  5. Request a signed client certificate from a CA that is trusted by the key management server.

  6. When you have a client certificate, go to Step 2: Import certificates for the key management server.

Step 2: Import certificates for the key management server

As the next step, you import certificates for authentication between the storage array and the key management server. There are two types of certificates: the client certificate validates the storage array's controllers, while the key management server certificate validates the server. You must load both the client certificate file for the controllers and the server certificate file for the key management server.

Before you begin
  • You have a signed client certificate file (see Step 1: Complete and submit CSR for authentication with a key management server), and you have copied that file to the host where you are accessing System Manager. A client certificate validates the storage array's controllers, so the key management server can trust their Key Management Interoperability Protocol (KMIP) requests.

  • You must retrieve a certificate file from the key management server, and then copy that file to the host where you are accessing System Manager. A key management server certificate validates the key management server, so the storage array can trust its IP address. You can use a root, intermediate, or server certificate for the key management server.

    Note

    For more information about the server certificate, consult the documentation for your key management server.

Steps
  1. Select Settings > Certificates.

  2. From the Key Management tab, select Import.

    A dialog box opens for importing the certificate files.

  3. Next to Select client certificate, click the Browse button to select the client certificate file for the storage array's controllers.

    The file name displays in the dialog box.

  4. Next to Select key management server's server certificate, click the Browse button to select the server certificate file for your key management server. You can choose a root, intermediate, or server certificate for the key management server.

    The file name displays in the dialog box.

  5. Click Import.

    The files are uploaded and validated.
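The procedure above ends with System Manager validating the uploaded files, but the two mistakes that most often surface at that point can be caught earlier on the host where the CSR was downloaded and the signed files were copied: a client certificate that chains to a CA other than the one the key management server trusts, and a client certificate issued from a different CSR than the one the controllers produced (its public key will not match the controllers' key). The following script is an added example, not part of the SANtricity documentation and not a NetApp tool. It assumes the openssl command-line tool is installed. The CA, the CSR subject values (`storage-array-01`, `Example Inc.`), and the `kmip.example.test` server certificate it generates are constructed stand-ins for the CA the key management server trusts, the CSR from Step 1, and the server certificate retrieved for Step 2; in practice you would point the check functions at the real downloaded files instead of running `make_fixtures`.

```shell
#!/bin/sh
# Added example (not from the SANtricity documentation): pre-import checks for
# the CSR from Step 1 and the client and server certificates imported in Step 2.
# Requires the openssl CLI. All file names and subject values are constructed.
set -eu

# Build constructed fixtures in directory $1:
#   ca.crt/ca.key   throwaway CA, stand-in for the CA the KMIP server trusts
#   client.csr      CSR carrying the Step 1 subject fields (stand-in for the download)
#   client.crt      client certificate issued by that CA from client.csr
#   other.csr       CSR for the same CN but a different key (mismatch case)
#   kmip.crt        self-signed stand-in for the key management server certificate
make_fixtures() {
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example KMIP CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$d/client.key" -out "$d/client.csr" \
    -subj "/C=US/ST=California/L=Sunnyvale/O=Example Inc./OU=Storage/CN=storage-array-01" \
    >/dev/null 2>&1
  openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/client.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$d/other.key" -out "$d/other.csr" \
    -subj "/CN=storage-array-01" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=kmip.example.test" \
    -keyout "$d/kmip.key" -out "$d/kmip.crt" >/dev/null 2>&1
}

# Step 1 check: the CSR's self-signature verifies and its subject CN is the
# common name entered in System Manager. Usage: check_csr <csr> <expected CN>
check_csr() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
  openssl req -in "$1" -noout -subject | grep -Eq "CN *= *$2(,|\$)"
}

# Step 2 check (client side): the signed client certificate chains to the CA the
# key management server trusts, and its public key is the one from the CSR the
# controllers generated. Usage: check_client_cert <cert> <ca chain pem> <csr>
check_client_cert() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || return 1
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl req -in "$3" -noout -pubkey)" ]
}

# Step 2 check (server side): the key management server certificate parses and
# remains valid for at least $2 more seconds. Usage: check_server_cert <cert> <seconds>
check_server_cert() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Demonstration run on the constructed fixtures.
demo() {
  d=$(mktemp -d)
  make_fixtures "$d"
  check_csr "$d/client.csr" storage-array-01 && echo "CSR: signature and CN OK"
  check_client_cert "$d/client.crt" "$d/ca.crt" "$d/client.csr" && echo "client cert: chain and key OK"
  check_client_cert "$d/client.crt" "$d/ca.crt" "$d/other.csr" \
    || echo "client cert: key does not match other.csr (expected failure)"
  check_server_cert "$d/kmip.crt" 0 && echo "server cert: currently valid"
  rm -rf "$d"
}

demo
```

Run it as `sh check-kmip-certs.sh` (any file name works). A key mismatch reported by `check_client_cert` means the certificate you are about to upload was not issued from the CSR this storage array generated, so the key management server would reject the controllers' KMIP requests even though the import itself might succeed; a `check_server_cert` failure with a generous second argument warns that the server certificate is about to expire and the trust relationship will break at that point.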