Configure management interface certificates

Contributors netapp-perveilerk netapp-madkat netapp-lhalbert

You can replace the default management interface certificate with a single custom certificate that allows users to access the Grid Manager and the Tenant Manager without encountering security warnings. You can also revert to the default management interface certificate or generate a new one.

About this task

By default, every Admin Node is issued a certificate signed by the grid CA. These CA signed certificates can be replaced by a single common custom management interface certificate and corresponding private key.

Because a single custom management interface certificate is used for all Admin Nodes, you must specify the certificate as a wildcard or multi-domain certificate if clients need to verify the hostname when connecting to the Grid Manager and Tenant Manager. Define the custom certificate such that it matches all Admin Nodes in the grid.

You need to complete configuration on the server, and depending on the root certificate authority (CA) you are using, users might also need to install the Grid CA certificate in the web browser they will use to access the Grid Manager and the Tenant Manager.

Note To ensure that operations are not disrupted by a failed server certificate, the Expiration of server certificate for Management Interface alert is triggered when this server certificate is about to expire. As required, you can view when the current certificate expires by selecting CONFIGURATION > Security > Certificates and looking at the Expiration date for the management interface certificate on the Global tab.
Note

If you are accessing the Grid Manager or Tenant Manager using a domain name instead of an IP address, the browser shows a certificate error without an option to bypass if either of the following occurs:

Add a custom management interface certificate

To add a custom management interface certificate, you can provide your own certificate or generate one using the Grid Manager.

Steps
  1. Select CONFIGURATION > Security > Certificates.

  2. On the Global tab, select Management interface certificate.

  3. Select Use custom certificate.

  4. Upload or generate the certificate.

    Upload certificate

    Upload the required server certificate files.

    1. Select Upload certificate.

    2. Upload the required server certificate files:

      • Server certificate: The custom server certificate file (PEM encoded).

      • Certificate private key: The custom server certificate private key file (.key).

        Note EC private keys must be 224 bits or larger. RSA private keys must be 2048 bits or larger.
      • CA bundle: A single optional file containing the certificates from each intermediate issuing certificate authority (CA). The file should contain each of the PEM-encoded CA certificate files, concatenated in certificate chain order.

    3. Expand Certificate details to see the metadata for each certificate you uploaded. If you uploaded an optional CA bundle, each certificate displays on its own tab.

      • Select Download certificate to save the certificate file or select Download CA bundle to save the certificate bundle.

        Specify the certificate file name and download location. Save the file with the extension .pem.

        For example: storagegrid_certificate.pem

      • Select Copy certificate PEM or Copy CA bundle PEM to copy the certificate contents for pasting elsewhere.

    4. Select Save.
      The custom management interface certificate is used for all subsequent new connections to the Grid Manager, Tenant Manager, Grid Manager API or Tenant Manager API.

    Generate certificate

    Generate the server certificate files.

    Note The best practice for a production environment is to use a custom management interface certificate signed by an external certificate authority.
    1. Select Generate certificate.

    2. Specify the certificate information:

      • Domain name: One or more fully qualified domain names to include in the certificate. Use an * as a wildcard to represent multiple domain names.

      • IP: One or more IP addresses to include in the certificate.

      • Subject: X.509 subject or distinguished name (DN) of the certificate owner.

      • Days valid: Number of days after creation that the certificate expires.

    3. Select Generate.

    4. Select Certificate details to see the metadata for the generated certificate.

      • Select Download certificate to save the certificate file.

        Specify the certificate file name and download location. Save the file with the extension .pem.

        For example: storagegrid_certificate.pem

      • Select Copy certificate PEM to copy the certificate contents for pasting elsewhere.

    5. Select Save.
      The custom management interface certificate is used for all subsequent new connections to the Grid Manager, Tenant Manager, Grid Manager API or Tenant Manager API.

  5. Refresh the page to ensure the web browser is updated.

    Note After uploading or generating a new certificate, allow up to one day for any related certificate expiration alerts to clear.
  6. After you add a custom management interface certificate, the Management interface certificate page displays detailed certificate information for the certificates that are in use.
    You can download or copy the certificate PEM as required.

Restore the default management interface certificate

You can revert to using the default management interface certificate for Grid Manager and Tenant Manager connections.

Steps
  1. Select CONFIGURATION > Security > Certificates.

  2. On the Global tab, select Management interface certificate.

  3. Select Use default certificate.

    When you restore the default management interface certificate, the custom server certificate files you configured are deleted and cannot be recovered from the system. The default management interface certificate is used for all subsequent new client connections.

  4. Refresh the page to ensure the web browser is updated.

Use a script to generate a new self-signed management interface certificate

If strict hostname validation is required, you can use a script to generate the management interface certificate.

What you’ll need
  • You have specific access permissions.

  • You have the Passwords.txt file.

About this task

The best practice for a production environment is to use a certificate signed by an external certificate authority.

Steps
  1. Obtain the fully qualified domain name (FQDN) of each Admin Node.

  2. Log in to the primary Admin Node:

    1. Enter the following command: ssh admin@primary_Admin_Node_IP

    2. Enter the password listed in the Passwords.txt file.

    3. Enter the following command to switch to root: su -

    4. Enter the password listed in the Passwords.txt file.

      When you are logged in as root, the prompt changes from $ to #.

  3. Configure StorageGRID with a new self-signed certificate.

    $ sudo make-certificate --domains wildcard-admin-node-fqdn --type management

    • For --domains, use wildcards to represent the fully qualified domain names of all Admin Nodes. For example, *.ui.storagegrid.example.com uses the * wildcard to represent admin1.ui.storagegrid.example.com and admin2.ui.storagegrid.example.com.

    • Set --type to management to configure the management interface certificate, which is used by Grid Manager and Tenant Manager.

    • By default, generated certificates are valid for one year (365 days) and must be recreated before they expire. You can use the --days argument to override the default validity period.

      Note A certificate’s validity period begins when make-certificate is run. You must ensure the management client is synchronized to the same time source as StorageGRID; otherwise, the client might reject the certificate.
      $ sudo make-certificate --domains *.ui.storagegrid.example.com --type management --days 720

      The resulting output contains the public certificate needed by your management API client.

  4. Select and copy the certificate.

    Include the BEGIN and the END tags in your selection.

  5. Log out of the command shell. $ exit

  6. Confirm the certificate was configured:

    1. Access the Grid Manager.

    2. Select CONFIGURATION > Security > Certificates

    3. On the Global tab, select Management interface certificate.

  7. Configure your management client to use the public certificate you copied. Include the BEGIN and END tags.

Download or copy the management interface certificate

You can save or copy the management interface certificate contents for use elsewhere.

Steps
  1. Select CONFIGURATION > Security > Certificates.

  2. On the Global tab, select Management interface certificate.

  3. Select the Server or CA bundle tab and then download or copy the certificate.

    Download certificate file or CA bundle

    Download the certificate or CA bundle .pem file. If you are using an optional CA bundle, each certificate in the bundle displays on its own sub-tab.

    1. Select Download certificate or Download CA bundle.

      If you are downloading a CA bundle, all the certificates in the CA bundle secondary tabs download as a single file.

    2. Specify the certificate file name and download location. Save the file with the extension .pem.

      For example: storagegrid_certificate.pem

    Copy certificate or CA bundle PEM

    Copy the certificate text to paste elsewhere. If you are using an optional CA bundle, each certificate in the bundle displays on its own sub-tab.

    1. Select Copy certificate PEM or Copy CA bundle PEM.

      If you are copying a CA bundle, all the certificates in the CA bundle secondary tabs copy together.

    2. Paste the copied certificate into a text editor.

    3. Save the text file with the extension .pem.

      For example: storagegrid_certificate.pem