Skip to main content
A newer release of this product is available.

Using StorageGRID security certificates

Contributors netapp-lhalbert

Security certificates are small data files used to create secure, trusted connections between StorageGRID components and between StorageGRID components and external systems.

StorageGRID uses two types of security certificates:

  • Server certificates are required when you use HTTPS connections. Server certificates are used to establish secure connections between clients and servers, authenticating the identity of a server to its clients and providing a secure communication path for data. The server and the client each have a copy of the certificate.

  • Client certificates authenticate a client or user identity to the server, providing more secure authentication than passwords alone. Client certificates do not encrypt data.

When a client connects to the server using HTTPS, the server responds with the server certificate, which contains a public key. The client verifies this certificate by comparing the server signature to the signature on its copy of the certificate. If the signatures match, the client starts a session with the server using the same public key.

StorageGRID functions as the server for some connections (such as the load balancer endpoint) or as the client for other connections (such as the CloudMirror replication service).

An external certificate authority (CA) can issue custom certificates that are fully compliant with your organization's information security policies. StorageGRID also includes a built-in certificate authority (CA) that generates internal CA certificates during system installation. These internal CA certificates are used, by default, to secure internal StorageGRID traffic. Although you can use the internal CA certificates for a non-production environment, the best practice for a production environment is to use custom certificates signed by an external certificate authority. Unsecured connections with no certificate are also supported but are not recommended.

  • Custom CA certificates do not remove the internal certificates; however, the custom certificates should be the ones specified for verifying server connections.

  • All custom certificates must meet the system hardening guidelines for server certificates.

  • StorageGRID supports bundling of certificates from a CA into a single file (known as a CA certificate bundle).

Note StorageGRID also includes operating system CA certificates that are the same on all grids. In production environments, make sure that you specify a custom certificate signed by an external certificate authority in place of the operating system CA certificate.

Variants of the server and client certificate types are implemented in several ways. You should have all the certificates needed for your specific StorageGRID configuration ready before you configure the system.

Certificate Certificate type Description Navigation location Details

Administrator client certificate

Client

Installed on each client, allowing StorageGRID to authenticate external client access.

  • Allows authorized external clients to access the StorageGRID Prometheus database.

  • Allows secure monitoring of StorageGRID using external tools.

Configuration > Access Control > Client Certificates

Identity federation certificate

Server

Authenticates the connection between StorageGRID and an external Active Directory, OpenLDAP, or Oracle Directory Server.Used for identity federation, which allows admin groups and users to be managed by an external system.

Configuration > Access Control > Identity Federation

Single sign-on (SSO) certificate

Server

Authenticates the connection between Active Directory Federation Services (AD FS) and StorageGRID that is used for single sign-on (SSO) requests.

Configuration > Access Control > Single Sign-on

Key management server (KMS) certificate

Server and client

Authenticates the connection between StorageGRID and an external key management server (KMS), which provides encryption keys to StorageGRID appliance nodes.

Configuration > System Settings > Key Management Server

Email alert notification certificate

Server and client

Authenticates the connection between an SMTP email server and StorageGRID that is used for alert notifications.

  • If communications with the SMTP server requires Transport Layer Security (TLS), you must specify the email server CA certificate.

  • Specify a client certificate only if the SMTP email server requires client certificates for authentication.

Alerts > Email Setup

Load balancer endpoint certificate

Server

Authenticates the connection between S3 or Swift clients and the StorageGRID Load Balancer service on Gateway Nodes or Admin Nodes. You upload or generate a load balancer certificate when you configure a load balancer endpoint.Client applications use the load balancer certificate when connecting to StorageGRID to save and retrieve object data.

Note: The load balancer certificate is the most used certificate during normal StorageGRID operation.

Configuration > Network Settings > Load Balancer Endpoints

Management Interface Server Certificate

Server

Authenticates the connection between client web browsers and the StorageGRID management interface, allowing users to access the Grid Manager and Tenant Manager without security warnings.

This certificate also authenticates Grid Management API and Tenant Management API connections.

You can use the internal CA certificate or upload a custom certificate.

Configuration > Network Settings > Server Certificates

Cloud Storage Pool endpoint certificate

Server

Authenticates the connection from the StorageGRID Cloud Storage Pool to an external storage location (such as S3 Glacier or Microsoft Azure Blob storage). A different certificate is required for each cloud provider type.

ILM > Storage Pools

Platform services endpoint certificate

Server

Authenticates the connection from the StorageGRID platform service to an S3 storage resource.

Tenant Manager > STORAGE (S3) > Platform services endpoints

Object Storage API Service Endpoint Server Certificate

Server

Authenticates secure S3 or Swift client connections to the Local Distribution Router (LDR) service on a Storage Node or to the deprecated Connection Load Balancer (CLB) service on a Gateway Node.

Configuration > Network Settings > Load Balancer Endpoints

Example 1: Load Balancer service

In this example, StorageGRID acts as the server.

  1. You configure a load balancer endpoint and upload or generate a server certificate in StorageGRID.

  2. You configure an S3 or Swift client connection to the load balancer endpoint and upload the same certificate to the client.

  3. When the client wants to save or retrieve data, it connects to the load balancer endpoint using HTTPS.

  4. StorageGRID responds with the server certificate, which contains a public key, and with a signature based on the private key.

  5. The client verifies this certificate by comparing the server signature to the signature on its copy of the certificate. If the signatures match, the client starts a session using the same public key.

  6. The client sends object data to StorageGRID.

Example 2: External key management server (KMS)

In this example, StorageGRID acts as the client.

  1. Using external Key Management Server software, you configure StorageGRID as a KMS client and obtain a CA-signed server certificate, a public client certificate, and the private key for the client certificate.

  2. Using the Grid Manager, you configure a KMS server and upload the server and client certificates and the client private key.

  3. When a StorageGRID node needs an encryption key, it makes a request to the KMS server that includes data from the certificate and a signature based on the private key.

  4. The KMS server validates the certificate signature and decides that it can trust StorageGRID.

  5. The KMS server responds using the validated connection.