Use CA-signed certificates for authentication with a key management server
For secure communications between a key management server and the storage array controllers, you must configure the appropriate sets of certificates.
You must be logged in with a user profile that includes Security admin permissions. Otherwise, certificate functions do not appear.
Authenticating between the controllers and a key management server is a two-step procedure.
Step 1: Complete and submit CSR for authentication with a key management server
You must first generate a certificate signing request (CSR) file, and then use the CSR to request a signed client certificate from a certificate authority (CA) that is trusted by the key management server. You can also create and download a client certificate from the key management server using the downloaded CSR file. A client certificate validates the storage array's controllers, so the key management server can trust their Key Management Interoperability Protocol (KMIP) requests.
CSR files generated externally through private and public key pairs can be imported through the Create External Security Key dialog. For more information on importing an externally generated CSR file, see Step 2: Import certificates for the key management server. |
-
Select
. -
From the Key Management tab, select Complete CSR.
-
Enter the following information:
-
Common name — A name that identifies the client. It is common practice to match what is in the common name with the KMS server’s requirements for client certificate naming conventions. The common name typically helps the KMS identify the client’s certificate when it is presented during a handshake.
-
Organization — The full, legal name of your company or organization. Include suffixes, such as Inc. or Corp.
-
Organizational unit (optional) — The division of your organization that is handling the certificate.
-
City/Locality — The city or locality where your organization is located.
-
State/Region (optional) — The state or region where your organization is located.
-
Country ISO code — The two-digit ISO (International Organization for Standardization) code, such as US, where your organization is located.
-
-
Click Download.
A CSR file is saved to your local system.
-
Request a signed client certificate from the CA that is trusted by the key management server.
It is common for the key management server to have a facility that generates signed certificates directly, as it functions as its own CA. -
When you have a client certificate, go to Step 2: Import certificates for the key management server.
Step 2: Import certificates for the key management server
As the next step, you import certificates for authentication between the storage array and the key management server. There are two types of certificates: the client certificate validates the storage array's controllers, while the key management server certificate validates the server. You must load both the client certificate file for the controllers and the server certificate file for the key management server.
-
You have a signed client certificate file (see Step 1: Complete and submit CSR for authentication with a key management server), and you have copied that file to the host where you are accessing System Manager. A client certificate validates the storage array's controllers, so the key management server can trust their Key Management Interoperability Protocol (KMIP) requests.
-
You must retrieve a certificate file from the key management server, and then copy that file to the host where you are accessing System Manager. A key management server certificate validates the key management server, so the storage array can trust its IP address. You can use a root, intermediate, or server certificate for the key management server.
For more information about the server certificate, consult the documentation for your key management server.
-
Select
. -
From the Key Management tab, select Import.
A dialog box opens for importing the certificate files.
-
Next to Select client certificate, click the Browse button to select the client certificate file for the storage array's controllers.
The file name displays in the dialog box.
-
If you generated a certificate file externally using a private and public key pair, click the Browse button next to Select private key file to select the certificate file for the storage array's controllers.
The file name displays in the dialog box.
-
Next to Select key management server's server certificate, click the Browse button to select the server certificate file for your key management server. You can choose a root, intermediate, or server certificate for the key management server.
The file name displays in the dialog box.
-
Click Import.
The files are uploaded and validated.