Skip to main content

Configuring administrator client certificates

Contributors netapp-lhalbert

You can use client certificates to allow authorized external clients to access the StorageGRID Prometheus database. Client certificates provide a secure way to use external tools to monitor StorageGRID.

If you need to access StorageGRID using an external monitoring tool, you must upload or generate a client certificate using the Grid Manager and copy the certificate information to the external tool.

Adding administrator client certificates

To add a client certificate, you can provide your own certificate or generate one using the Grid Manager.

What you'll need
  • You must have the Root Access permission.

  • You must be signed in to the Grid Manager using a supported browser.

  • You must know the IP address or domain name of the Admin Node.

  • You must have configured the StorageGRID Management Interface Server Certificate and have the corresponding CA bundle

  • If you want to upload your own certificate, the public key and private key for the certificate must be available on your local computer.

Steps
  1. In the Grid Manager, select Configuration > Access Control > Client Certificates.

    The Client Certificates page appears.

    Certificates Page - Admin Clients
  2. Select Add.

    The Upload Certificate page appears.

    Certificate -Admin - Upload
  3. Type a name between 1 and 32 characters for the certificate.

  4. To access Prometheus metrics using your external monitoring tool, select the Allow Prometheus check box.

  5. Upload or generate a certificate:

    1. To upload a certificate, go here.

    2. To generate a certificate, go here.

  6. To upload a certificate:

    1. Select Upload Client Certificate.

    2. Browse for the public key for the certificate.

      After you upload the public key for the certificate, the Certificate metadata and Certificate PEM fields are populated.

      Certificate - Admin - Upload Cert File
    3. Select Copy certificate to clipboard and paste the certificate to your external monitoring tool.

    4. Use an editing tool to copy and paste the private key to your external monitoring tool.

    5. Select Save to save the certificate in the Grid Manager.

  7. To generate a certificate:

    1. Select Generate Client Certificate.

    2. Enter the domain name or IP address of the Admin Node.

    3. Optionally, enter an X.509 subject, also referred to as the Distinguished Name (DN), to identify the administrator who owns the certificate.

    4. Optionally, select the number of days the certificate is valid. The default is 730 days.

    5. Select Generate.

      The Certificate metadata, Certificate PEM, and Certificate private key fields are populated.

      Certificate - Admin - Upload Generated
    6. Select Copy certificate to clipboard and paste the certificate to your external monitoring tool.

    7. Select Copy private key to clipboard and paste the key to your external monitoring tool.

      Important You will not be able to view the private key after you close the dialog box. Copy the key to a safe location.
    8. Select Save to save the certificate in the Grid Manager.

  8. Configure the following settings on your external monitoring tool, such as Grafana.

    A Grafana example is shown in the following screenshot:

    Grafana - Add URL and Auth
    1. Name: Enter a name for the connection.

      StorageGRID does not require this information, but you must provide a name to test the connection.

    2. URL: Enter the domain name or IP address for the Admin Node. Specify HTTPS and port 9091.

      For example: https://admin-node.example.com:9091

    3. Enable TLS Client Authorization and With CA Cert.

    4. Copy and paste the Management Interface Server Certificate or CA bundle toCA Cert under TLS/SSL Auth Details.

    5. ServerName: Enter the domain name of the Admin Node.

      ServerName must match the domain name as it appears in the Management Interface Server Certificate.

    6. Save and test the certificate and private key that you copied from StorageGRID or a local file.

      You can now access the Prometheus metrics from StorageGRID with your external monitoring tool.

      For information about the metrics, see the instructions for monitoring and troubleshooting StorageGRID.

Editing administrator client certificates

You can edit a certificate to change its name, enable or disable Prometheus access, or upload a new certificate when the current one has expired.

What you'll need
  • You must have the Root Access permission.

  • You must be signed in to the Grid Manager using a supported browser.

  • You must know the IP address or domain name of the Admin Node.

  • If you want to upload a new certificate and private key, they must be available on your local computer.

Steps
  1. Select Configuration > Access Control > Client Certificates.

    The Client Certificates page appears. The existing certificates are listed.

    Certificate expiration dates are listed in the table. If a certificate will expire soon or is already expired, a message appears in the table and an alert is triggered.

    Certificate - Admin - List
  2. Select the radio button to the left of the certificate you want to edit.

  3. Select Edit.

    The Edit Certificate dialog box appears.

    Certificate - Admin - Edit
  4. Make the desired changes to the certificate.

  5. Select Save to save the certificate in the Grid Manager.

  6. If you uploaded a new certificate:

    1. Select Copy certificate to clipboard to paste the certificate to your external monitoring tool.

    2. Use an editing tool to copy and paste the new private key to your external monitoring tool.

    3. Save and test the certificate and private key in your external monitoring tool.

  7. If you generated a new certificate:

    1. Select Copy certificate to clipboard to paste the certificate to your external monitoring tool.

    2. Select Copy private key to clipboard to paste the certificate to your external monitoring tool.

      Important You will not be able to view or copy the private key after you close the dialog box. Copy the key to a safe location.
    3. Save and test the certificate and private key in your external monitoring tool.

Removing administrator client certificates

If you no longer need a certificate, you can remove it.

What you'll need
  • You must have the Root Access permission.

  • You must be signed in to the Grid Manager using a supported browser.

Steps
  1. Select Configuration > Access Control > Client Certificates.

    The Client Certificates page appears. The existing certificates are listed.

    Certificate - Admin - List
  2. Select the radio button to the left of the certificate you want to remove.

  3. Select Remove.

    A confirmation dialog box appears.

    Certificate - Confirm Delete
  4. Select OK.

    The certificate is removed.