SANtricity 11.6
A newer release of this product is available.

Use CA-signed certificates for authentication with a key management server

Contributors netapp-jolieg

For secure communications between a key management server and the storage array controllers, you must configure the appropriate sets of certificates.

Before you begin
  • You must be logged in with a user profile that includes Security admin permissions. Otherwise, certificate functions do not appear.

About this task

Authenticating between the controllers and a key management server is a two-step procedure.

Step 1: Complete and submit CSR for authentication with a key management server

You must first generate a certificate signing request (CSR) file, and then use the CSR to request a signed client certificate from a certificate authority (CA) that is trusted by the key management server. You can also create and download a client certificate from the key management server using the downloaded CSR file.

Before you begin
  • You must be logged in with a user profile that includes Security admin permissions. Otherwise, certificate functions do not appear.

About this task

This task describes how to generate the CSR file, which you will then use to request a signed client certificate from a CA that is trusted by the key management server. A client certificate validates the storage array's controllers, so the key management server can trust their Key Management Interoperability Protocol (KMIP) requests. During this task, you must provide information about your organization.

Steps
  1. Select Settings > Certificates.

  2. From the Key Management tab, select Complete CSR.

  3. Enter the following information:

    • Common name — A name that identifies this CSR, such as the storage array name, which will be displayed in the certificate files.

    • Organization — The full, legal name of your company or organization. Include suffixes, such as Inc. or Corp.

    • Organizational unit (optional) — The division of your organization that is handling the certificate.

    • City/Locality — The city or locality where your organization is located.

    • State/Region (optional) — The state or region where your organization is located.

    • Country ISO code — The two-digit ISO (International Organization for Standardization) code, such as US, for the country where your organization is located.

  4. Click Download.

    A CSR file is saved to your local system.

  5. Request a signed client certificate from a CA that is trusted by the key management server.

  6. When you have a client certificate, go to Step 2: Import certificates for the key management server.

Step 2: Import certificates for the key management server

As the next step, you import certificates for authentication between the storage array and the key management server. There are two types of certificates: the client certificate validates the storage array's controllers, while the key management server certificate validates the server.

Before you begin
  • You must be logged in with a user profile that includes Security admin permissions. Otherwise, certificate functions do not appear.

  • You have a signed client certificate file (see Step 1: Complete and submit CSR for authentication with a key management server), and you have copied that file to the host where you are accessing System Manager. A client certificate validates the storage array's controllers, so the key management server can trust their Key Management Interoperability Protocol (KMIP) requests.

  • You must retrieve the server certificate file from the key management server, and then copy that file to the host where you are accessing System Manager. A key management server certificate validates the key management server, so the storage array can trust its IP address.

    Note

    For more information about the server certificate, consult the documentation for your key management server.

About this task

This task describes how to upload certificate files for authentication between the storage array controllers and the key management server. You must load both the client certificate file for the controllers and the server certificate file for the key management server.

Steps
  1. Select Settings > Certificates.

  2. From the Key Management tab, select Import.

    A dialog box opens for importing the certificate files.

  3. Next to Select client certificate, click the Browse button to select the client certificate file for the storage array's controllers.

    The file name displays in the dialog box.

  4. Next to Select key management server's server certificate, click the Browse button to select the server certificate file for your key management server.

    The file name displays in the dialog box.

  5. Click Import.

    The files are uploaded and validated.
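
Before the import in Step 2, you can confirm on the host that the client certificate returned by the CA was issued for the CSR downloaded in Step 1 and is not about to expire. The following is an added example, not NetApp code: the function and file names are hypothetical, the files are assumed to be PEM encoded, and the openssl command-line tool is assumed to be installed on the host.

```shell
#!/bin/sh
# Added example: host-side checks before importing the client certificate.
# File names are placeholders; the CSR and certificates are assumed to be PEM.

# Print the public key carried by a CSR ($1 = req) or certificate ($1 = x509).
pubkey_of() {
    openssl "$1" -in "$2" -noout -pubkey 2>/dev/null
}

# Succeeds only if the certificate was issued for the key in the CSR, i.e. the
# controllers hold the matching private key. Unreadable input is a failure.
cert_matches_csr() {  # $1 = CSR file, $2 = client certificate file
    csr_key=$(pubkey_of req "$1") || return 2
    crt_key=$(pubkey_of x509 "$2") || return 2
    [ -n "$csr_key" ] && [ "$csr_key" = "$crt_key" ]
}

# Succeeds if the certificate is still valid $2 seconds from now (default 0).
cert_valid_for() {  # $1 = certificate file, $2 = seconds
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Constructed sample data: a throwaway CA, a stand-in for the downloaded CSR,
# the certificate issued for it, and a certificate issued for a different CSR.
make_sample() {  # $1 = empty working directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null || return 1
    for n in array other; do
        openssl req -newkey rsa:2048 -nodes -subj "/O=Example Corp/CN=$n" \
            -keyout "$1/$n.key" -out "$1/$n.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$1/$n.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
            -CAcreateserial -days 30 -out "$1/$n.pem" 2>/dev/null || return 1
    done
}

demo() {
    dir=$(mktemp -d) && make_sample "$dir" || return 1
    cert_matches_csr "$dir/array.csr" "$dir/array.pem" && echo "match: import"
    cert_matches_csr "$dir/array.csr" "$dir/other.pem" || echo "mismatch: ask the CA to reissue"
    cert_valid_for "$dir/array.pem" 86400 && echo "valid for at least a day"
    rm -rf "$dir"
}
demo
```

With real files, call `cert_matches_csr` with the CSR saved in Step 1 and the certificate file received from the CA; a mismatch means the certificate was issued for a different request.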