Skip to main content
A newer release of this product is available.

Hardening guidelines for TLS and SSH

Contributors netapp-madkat netapp-perveilerk netapp-lhalbert

You should replace the default certificates created during installation and select the appropriate security policy for TLS and SSH connections.

Hardening guidelines for certificates

You should replace the default certificates created during installation with your own custom certificates.

For many organizations, the self-signed digital certificate for StorageGRID web access is not compliant with their information security policies. On production systems, you should install a CA-signed digital certificate for use in authenticating StorageGRID.

Specifically, you should use custom server certificates instead of these default certificates:

  • Management interface certificate: Used to secure access to the Grid Manager, the Tenant Manager, the Grid Management API, and the Tenant Management API.

  • S3 and Swift API certificate: Used to secure access to Storage Nodes and Gateway Nodes, which S3 and Swift client applications use to upload and download object data.

See Manage security certificates for details and instructions.

Note StorageGRID manages the certificates used for load balancer endpoints separately. To configure load balancer certificates, see Configure load balancer endpoints.

When using custom server certificates, follow these guidelines:

  • Certificates should have a subjectAltName that matches DNS entries for StorageGRID. For details, see section 4.2.1.6, “Subject Alternative Name,” in RFC 5280: PKIX Certificate and CRL Profile.

  • When possible, avoid the use of wildcard certificates. An exception to this guideline is the certificate for an S3 virtual hosted style endpoint, which requires the use of a wildcard if bucket names aren't known in advance.

  • When you must use wildcards in certificates, you should take additional steps to reduce the risks. Use a wildcard pattern such as *.s3.example.com, and don't use the s3.example.com suffix for other applications. This pattern also works with path-style S3 access, such as dc1-s1.s3.example.com/mybucket.

  • Set the certificate expiration times to be short (for example, 2 months), and use the Grid Management API to automate certificate rotation. This especially important for wildcard certificates.

In addition, clients should use strict hostname checking when communicating with StorageGRID.

Hardening guidelines for TLS and SSH policy

You can select a security policy to determine which protocols and ciphers are used to establish secure TLS connections with client applications and secure SSH connections to internal StorageGRID services.

The security policy controls how TLS and SSH encrypt data in motion. As a best practice, you should disable encryption options that aren't required for application compatibility. Use the default Modern policy, unless your system needs to be Common Criteria-compliant or you need to use other ciphers.

See Manage the TLS and SSH policy for details and instructions.