Using StorageGRID security certificates

Security certificates are small data files used to create secure, trusted connections between StorageGRID components and between StorageGRID components and external systems.

StorageGRID uses two types of security certificates:

  • Server certificates, which a server presents to prove its identity to the clients that connect to it.
  • Client certificates, which a client presents to prove its identity to the server it connects to.

When a client connects to the server using HTTPS, the server responds with its server certificate, which contains the server's public key, and proves that it holds the matching private key by signing part of the handshake with it. The client checks that the certificate was issued by a certificate authority (CA) it trusts (or matches a copy of the certificate it already holds), that the name in the certificate matches the name it connected to, and that the certificate is within its validity period; it then uses the public key in the certificate to verify the server's signature. Only if every check passes does the client complete the handshake and derive the session keys that protect the rest of the exchange.

StorageGRID functions as the server for some connections (such as the load balancer endpoint) or as the client for other connections (such as the CloudMirror replication service).

An external certificate authority (CA) can issue custom certificates that comply fully with your organization's information security policies. StorageGRID also includes a built-in CA that generates internal CA certificates during system installation; by default, these internal CA certificates secure internal StorageGRID traffic. The internal CA certificates are acceptable for a non-production environment, but the best practice for a production environment is to use custom certificates signed by an external CA. Unsecured connections with no certificate are also supported but are not recommended.

Note: StorageGRID also includes operating system CA certificates that are identical on every grid, so they do not identify your grid uniquely. In production environments, make sure that you specify a custom certificate signed by an external certificate authority in place of the operating system CA certificate.

Server and client certificates are used in several places in StorageGRID, as listed below. You should have all the certificates needed for your specific StorageGRID configuration ready before you configure the system.

Each entry gives the certificate name, its type (server, client, or both), what it secures, where in the interface it is configured (Navigation), and the topic that describes the configuration (Details).

Administrator client certificate
  Type: Client
  Description: Installed on each client, allowing StorageGRID to authenticate external client access.
    • Allows authorized external clients to access the StorageGRID Prometheus database.
    • Allows secure monitoring of StorageGRID using external tools.
  Navigation: Configuration > Access Control > Client Certificates
  Details: Configuring administrator client certificates

Identity federation certificate
  Type: Server
  Description: Authenticates the connection between StorageGRID and an external Active Directory, OpenLDAP, or Oracle Directory Server. Used for identity federation, which allows admin groups and users to be managed by an external system.
  Navigation: Configuration > Access Control > Identity Federation
  Details: Configuring identity federation

Single sign-on (SSO) certificate
  Type: Server
  Description: Authenticates the connection between Active Directory Federation Services (AD FS) and StorageGRID that is used for single sign-on (SSO) requests.
  Navigation: Configuration > Access Control > Single Sign-on
  Details: Configuring single sign-on

Key management server (KMS) certificate
  Type: Server and client
  Description: Authenticates the connection between StorageGRID and an external key management server (KMS), which provides encryption keys to StorageGRID appliance nodes.
  Navigation: Configuration > System Settings > Key Management Server
  Details: Adding a key management server (KMS)

Email alert notification certificate
  Type: Server and client
  Description: Authenticates the connection between an SMTP email server and StorageGRID that is used for alert notifications.
    • If communication with the SMTP server requires Transport Layer Security (TLS), you must specify the email server CA certificate.
    • Specify a client certificate only if the SMTP email server requires client certificates for authentication.
  Navigation: Alerts > Email Setup
  Details: Monitoring and troubleshooting StorageGRID

Load balancer endpoint certificate
  Type: Server
  Description: Authenticates the connection between S3 or Swift clients and the StorageGRID Load Balancer service on Gateway Nodes or Admin Nodes. You upload or generate a load balancer certificate when you configure a load balancer endpoint. Client applications use the load balancer certificate when connecting to StorageGRID to save and retrieve object data.
  Note: The load balancer certificate is the most used certificate during normal StorageGRID operation.
  Navigation: Configuration > Network Settings > Load Balancer Endpoints

Management Interface Server Certificate
  Type: Server
  Description: Authenticates the connection between client web browsers and the StorageGRID management interface, allowing users to access the Grid Manager and Tenant Manager without security warnings. This certificate also authenticates Grid Management API and Tenant Management API connections. You can use the internal CA certificate or upload a custom certificate.
  Navigation: Configuration > Network Settings > Server Certificates

Cloud Storage Pool endpoint certificate
  Type: Server
  Description: Authenticates the connection from the StorageGRID Cloud Storage Pool to an external storage location (such as S3 Glacier or Microsoft Azure Blob storage). A different certificate is required for each cloud provider type.
  Navigation: ILM > Storage Pools
  Details: Managing objects with information lifecycle management

Platform services endpoint certificate
  Type: Server
  Description: Authenticates the connection from the StorageGRID platform service to an S3 storage resource.
  Navigation: Tenant Manager > STORAGE (S3) > Platform services endpoints
  Details: Using tenant accounts

Object Storage API Service Endpoint Server Certificate
  Type: Server
  Description: Authenticates secure S3 or Swift client connections to the Local Distribution Router (LDR) service on a Storage Node or to the deprecated Connection Load Balancer (CLB) service on a Gateway Node.
  Navigation: Configuration > Network Settings > Server Certificates
  Details: Configuring a custom server certificate for connections to the Storage Node or the CLB service

Example 1: Load Balancer service

In this example, StorageGRID acts as the server.

  1. You configure a load balancer endpoint and upload or generate a server certificate in StorageGRID.
  2. You configure an S3 or Swift client to connect to the load balancer endpoint and give the client a copy of the same certificate (or of the CA certificate that signed it) so that the client can trust the endpoint.
  3. When the client wants to save or retrieve data, it connects to the load balancer endpoint using HTTPS.
  4. StorageGRID responds with the server certificate, which contains a public key, and with a signature over the handshake made with the corresponding private key.
  5. The client checks that the certificate matches the copy it trusts (or chains to the CA it trusts), that the endpoint name it connected to matches the certificate, and that the certificate is still valid; it then uses the public key in the certificate to verify the signature. If every check passes, the client completes the handshake and a session is established.
  6. The client sends object data to StorageGRID over the encrypted session.

Example 2: External key management server (KMS)

In this example, StorageGRID acts as the client.

  1. Using external Key Management Server software, you configure StorageGRID as a KMS client and obtain a CA-signed server certificate (used to validate the KMS), a public client certificate, and the private key for the client certificate.
  2. Using the Grid Manager, you configure a KMS server and upload the server and client certificates and the client private key.
  3. When a StorageGRID node needs an encryption key, it opens a TLS connection to the KMS server, verifies the server's certificate against the server certificate you uploaded, and presents its client certificate together with a signature made with the client private key.
  4. The KMS server validates the client certificate chain and the signature and decides that it can trust StorageGRID.
  5. The KMS server responds using the validated connection.
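Both examples above, played out end to end as an added Go example (this is not StorageGRID code and is not part of the original page). It builds the certificate set a practitioner would otherwise prepare with a CA: an external corporate CA that issues the load balancer endpoint certificate, and a KMS vendor CA that issues the KMS server certificate and the client certificate StorageGRID presents. It then runs real TLS handshakes over loopback: Example 1 with a client that trusts the right CA and dials the name in the certificate, the same client with the wrong trust store (the situation the internal CA and operating system CA notes above warn about), and a client that dials a name that is not in the certificate; Example 2 with the KMS requiring a client certificate, with and without StorageGRID presenting one. All names (Example Corp Issuing CA, s3.grid.example.com, kms.example.com, storagegrid-kms-client) and the map keys are assumptions chosen here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// issue returns a P-256 certificate and key: a self-signed CA when parent is nil, otherwise a
// leaf signed by parent and restricted to the extended key usage eku.
func issue(cn string, dns []string, eku x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		DNSNames: dns, // the SAN a client compares with the endpoint name it connected to
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key // self-sign unless a parent CA is given
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{eku}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// pool is a trust store holding one CA; leaf pairs a certificate with its private key.
func pool(ca *x509.Certificate) *x509.CertPool { p := x509.NewCertPool(); p.AddCert(ca); return p }
func leaf(c *x509.Certificate, k *ecdsa.PrivateKey) tls.Certificate {
	return tls.Certificate{Certificate: [][]byte{c.Raw}, PrivateKey: k}
}

// handshake runs one TLS handshake over loopback TCP and returns the first error seen on either
// side, nil when both accepted. Under TLS 1.3 the client finishes before the server has checked
// the client certificate, so the client reads once to pick up a rejection alert.
func handshake(srv, cli *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil { return err }
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil { done <- err; return }
		s := tls.Server(conn, srv)
		err = s.Handshake()
		s.Close() // on success this sends close_notify, which the client reads as io.EOF
		done <- err
	}()
	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil { return err }
	c := tls.Client(conn, cli)
	clientErr := c.Handshake()
	if clientErr == nil {
		c.SetReadDeadline(time.Now().Add(2 * time.Second))
		if _, err := c.Read(make([]byte, 1)); err != nil && !errors.Is(err, io.EOF) { clientErr = err }
	}
	c.Close()
	if serverErr := <-done; clientErr == nil { return serverErr }
	return clientErr
}

// Run plays out the two examples above; each map value is nil when the handshake succeeded.
func Run() map[string]error {
	// Example 1: an external (corporate) CA issues the load balancer endpoint certificate (assumed names).
	corpCA, corpKey := issue("Example Corp Issuing CA", nil, 0, nil, nil)
	lbCert, lbKey := issue("s3.grid.example.com", []string{"s3.grid.example.com"}, x509.ExtKeyUsageServerAuth, corpCA, corpKey)
	// Example 2: the KMS software's CA issues the KMS server certificate and StorageGRID's client certificate.
	kmsCA, kmsCAKey := issue("KMS CA", nil, 0, nil, nil)
	kmsCert, kmsKey := issue("kms.example.com", []string{"kms.example.com"}, x509.ExtKeyUsageServerAuth, kmsCA, kmsCAKey)
	gridCert, gridKey := issue("storagegrid-kms-client", nil, x509.ExtKeyUsageClientAuth, kmsCA, kmsCAKey)
	lb := &tls.Config{Certificates: []tls.Certificate{leaf(lbCert, lbKey)}}
	kms := &tls.Config{Certificates: []tls.Certificate{leaf(kmsCert, kmsKey)},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool(kmsCA)} // the KMS demands a client certificate
	return map[string]error{
		"lb trusted CA, right name": handshake(lb, &tls.Config{RootCAs: pool(corpCA), ServerName: "s3.grid.example.com"}),
		"lb wrong trust store":      handshake(lb, &tls.Config{RootCAs: pool(kmsCA), ServerName: "s3.grid.example.com"}),
		"lb name not in SAN":        handshake(lb, &tls.Config{RootCAs: pool(corpCA), ServerName: "s3.other.example.com"}),
		"kms with client cert":      handshake(kms, &tls.Config{RootCAs: pool(kmsCA), ServerName: "kms.example.com", Certificates: []tls.Certificate{leaf(gridCert, gridKey)}}),
		"kms without client cert":   handshake(kms, &tls.Config{RootCAs: pool(kmsCA), ServerName: "kms.example.com"}),
	}
}

func main() { fmt.Println(Run()) }
```

Running it prints a map in which the nil entries are the handshakes that completed. The two rejected load balancer cases fail on the client side (certificate signed by an unknown authority, and a certificate that is not valid for the name dialed), while the missing-client-certificate case is rejected by the KMS side after the client has already sent its Finished message; handshake reports whichever side refused. The trust store and the endpoint name in step 2 of Example 1 are exactly what to confirm before loading a custom certificate onto an S3 or Swift client.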