Configure client certificates
Client certificates allow authorized external clients to access the StorageGRID Prometheus database, providing a secure way for external tools to monitor StorageGRID.
If you need to access StorageGRID using an external monitoring tool, you must upload or generate a client certificate using the Grid Manager and copy the certificate information to the external tool.
To ensure that operations aren't disrupted by a failed server certificate, the Expiration of client certificates configured on the Certificates page alert is triggered when this server certificate is about to expire. As required, you can view when the current certificate expires by selecting CONFIGURATION > Security > Certificates and looking at the Expiration date for the client certificate on the Client tab. |
If you are using a key management server (KMS) to protect the data on specially configured appliance nodes, see the specific information about uploading a KMS client certificate. |
-
You have Root access permission.
-
You are signed in to the Grid Manager using a supported web browser.
-
To configure a client certificate:
-
You have the IP address or domain name of the Admin Node.
-
If you have configured the StorageGRID management interface certificate, you have the CA, client certificate, and private key used to configure the management interface certificate.
-
To upload your own certificate, the private key for the certificate is available on your local computer.
-
The private key must have been saved or recorded at the time it was created. If you don't have the original private key, you must create a new one.
-
-
To edit a client certificate:
-
You have the IP address or domain name of the Admin Node.
-
To upload your own certificate or a new certificate, the private key, client certificate, and CA (if used) are available on your local computer.
-
Add client certificates
To add the client certificate, use one of these procedures:
Management interface certificate already configured
Use this procedure to add a client certificate if a management interface certificate is already configured using a customer-supplied CA, client certificate, and private key.
-
In the Grid Manager, select CONFIGURATION > Security > Certificates and then select the Client tab.
-
Select Add.
-
Enter a certificate name.
-
To access Prometheus metrics using your external monitoring tool, select Allow prometheus.
-
Select Continue.
-
For the Attach certificates step, upload the management interface certificate.
-
Select Upload certificate.
-
Select Browse and select the management interface certificate file (
.pem
).-
Select Client certificate details to display the certificate metadata and certificate PEM.
-
Select Copy certificate PEM to copy the certificate contents for pasting elsewhere.
-
-
Select Create to save the certificate in the Grid Manager.
The new certificate appears on the Client tab.
-
-
Configure an external monitoring tool, such as Grafana.
CA issued client certificate
Use this procedure to add an administrator client certificate if a management interface certificate was not configured and you plan to add a client certificate for Prometheus that uses a CA issued client certificate and private key.
-
Perform the steps to configure a management interface certificate.
-
In the Grid Manager, select CONFIGURATION > Security > Certificates and then select the Client tab.
-
Select Add.
-
Enter a certificate name.
-
To access Prometheus metrics using your external monitoring tool, select Allow prometheus.
-
Select Continue.
-
For the Attach certificates step, upload the client certificate, private key, and CA bundle files:
-
Select Upload certificate.
-
Select Browse and select the client certificate, private key, and CA bundle files (
.pem
).-
Select Client certificate details to display the certificate metadata and certificate PEM.
-
Select Copy certificate PEM to copy the certificate contents for pasting elsewhere.
-
-
Select Create to save the certificate in the Grid Manager.
The new certificates appear on the Client tab.
-
-
Configure an external monitoring tool, such as Grafana.
Generated certificate from Grid Manager
Use this procedure to add an administrator client certificate if a management interface certificate was not configured and you plan to add a client certificate for Prometheus that uses the generate certificate function in Grid Manager.
-
In the Grid Manager, select CONFIGURATION > Security > Certificates and then select the Client tab.
-
Select Add.
-
Enter a certificate name.
-
To access Prometheus metrics using your external monitoring tool, select Allow prometheus.
-
Select Continue.
-
For the Attach certificates step, select Generate certificate.
-
Specify the certificate information:
-
Subject (optional): X.509 subject or distinguished name (DN) of the certificate owner.
-
Days valid: The number of days the generated certificate is valid, starting at the time it is generated.
-
Add key usage extensions: If selected (default and recommended), key usage and extended key usage extensions are added to the generated certificate.
These extensions define the purpose of the key contained in the certificate.
Leave this checkbox selected unless you experience connection problems with older clients when certificates include these extensions.
-
-
Select Generate.
-
Select Client certificate details to display the certificate metadata and certificate PEM.
You will not be able to view the certificate private key after you close the dialog. Copy or download the key to a safe location. -
Select Copy certificate PEM to copy the certificate contents for pasting elsewhere.
-
Select Download certificate to save the certificate file.
Specify the certificate file name and download location. Save the file with the extension
.pem
.For example:
storagegrid_certificate.pem
-
Select Copy private key to copy the certificate private key for pasting elsewhere.
-
Select Download private key to save the private key as a file.
Specify the private key file name and download location.
-
-
Select Create to save the certificate in the Grid Manager.
The new certificate appears on the Client tab.
-
In the Grid Manager, select CONFIGURATION > Security > Certificates and then select the Global tab.
-
Select Management Interface certificate.
-
Select Use custom certificate.
-
Upload the certificate.pem and private_key.pem files from the client certificate details step. There is no need to upload CA bundle.
-
Select Upload certificate and then select Continue.
-
Upload each certificate file (
.pem
). -
Select Save to save the certificate in the Grid Manager.
The new certificate appears on the Management Interface certificate page.
-
-
Configure an external monitoring tool, such as Grafana.
Configure an external monitoring tool
-
Configure the following settings on your external monitoring tool, such as Grafana.
-
Name: Enter a name for the connection.
StorageGRID does not require this information, but you must provide a name to test the connection.
-
URL: Enter the domain name or IP address for the Admin Node. Specify HTTPS and port 9091.
For example:
https://admin-node.example.com:9091
-
Enable TLS Client Auth and With CA Cert.
-
Under TLS/SSL Auth Details, copy and paste:
-
The management interface CA certificate to CA Cert
-
The client certificate to Client Cert
-
The private key to Client Key
-
-
ServerName: Enter the domain name of the Admin Node.
ServerName must match the domain name as it appears in the management interface certificate.
-
-
Save and test the certificate and private key that you copied from StorageGRID or a local file.
You can now access the Prometheus metrics from StorageGRID with your external monitoring tool.
For information about the metrics, see the instructions for monitoring StorageGRID.
Edit client certificates
You can edit an administrator client certificate to change its name, enable or disable Prometheus access, or upload a new certificate when the current one has expired.
-
Select CONFIGURATION > Security > Certificates and then select the Client tab.
Certificate expiration dates and Prometheus access permissions are listed in the table. If a certificate will expire soon or is already expired, a message appears in the table and an alert is triggered.
-
Select the certificate you want to edit.
-
Select Edit and then select Edit name and permission
-
Enter a certificate name.
-
To access Prometheus metrics using your external monitoring tool, select Allow prometheus.
-
Select Continue to save the certificate in the Grid Manager.
The updated certificate displays on the Client tab.
Attach new client certificate
You can upload a new certificate when the current one has expired.
-
Select CONFIGURATION > Security > Certificates and then select the Client tab.
Certificate expiration dates and Prometheus access permissions are listed in the table. If a certificate will expire soon or is already expired, a message appears in the table and an alert is triggered.
-
Select the certificate you want to edit.
-
Select Edit and then select an edit option.
Upload certificateCopy the certificate text to paste elsewhere.
-
Select Upload certificate and then select Continue.
-
Upload the client certificate name (
.pem
).Select Client certificate details to display the certificate metadata and certificate PEM.
-
Select Download certificate to save the certificate file.
Specify the certificate file name and download location. Save the file with the extension
.pem
.For example:
storagegrid_certificate.pem
-
Select Copy certificate PEM to copy the certificate contents for pasting elsewhere.
-
-
Select Create to save the certificate in the Grid Manager.
The updated certificate displays on the Client tab.
Generate certificateGenerate the certificate text to paste elsewhere.
-
Select Generate certificate.
-
Specify the certificate information:
-
Subject (optional): X.509 subject or distinguished name (DN) of the certificate owner.
-
Days valid: The number of days the generated certificate is valid, starting at the time it is generated.
-
Add key usage extensions: If selected (default and recommended), key usage and extended key usage extensions are added to the generated certificate.
These extensions define the purpose of the key contained in the certificate.
Leave this checkbox selected unless you experience connection problems with older clients when certificates include these extensions.
-
-
Select Generate.
-
Select Client certificate details to display the certificate metadata and certificate PEM.
You will not be able to view the certificate private key after you close the dialog. Copy or download the key to a safe location. -
Select Copy certificate PEM to copy the certificate contents for pasting elsewhere.
-
Select Download certificate to save the certificate file.
Specify the certificate file name and download location. Save the file with the extension
.pem
.For example:
storagegrid_certificate.pem
-
Select Copy private key to copy the certificate private key for pasting elsewhere.
-
Select Download private key to save the private key as a file.
Specify the private key file name and download location.
-
-
Select Create to save the certificate in the Grid Manager.
The new certificate appears on the Client tab.
-
Download or copy client certificates
You can download or copy a client certificate for use elsewhere.
-
Select CONFIGURATION > Security > Certificates and then select the Client tab.
-
Select the certificate you want to copy or download.
-
Download or copy the certificate.
Download certificate fileDownload the certificate
.pem
file.-
Select Download certificate.
-
Specify the certificate file name and download location. Save the file with the extension
.pem
.For example:
storagegrid_certificate.pem
Copy certificateCopy the certificate text to paste elsewhere.
-
Select Copy certificate PEM.
-
Paste the copied certificate into a text editor.
-
Save the text file with the extension
.pem
.For example:
storagegrid_certificate.pem
-
Remove client certificates
If you no longer need an administrator client certificate, you can remove it.
-
Select CONFIGURATION > Security > Certificates and then select the Client tab.
-
Select the certificate you want to remove.
-
Select Delete and then confirm.
To remove up to 10 certificates, select each certificate to remove on the Client tab and then select Actions > Delete. |
After a certificate is removed, clients that used the certificate must specify a new client certificate to access the StorageGRID Prometheus database.