Skip to main content

Manage security certificates

Contributors netapp-lhalbert netapp-pcarriga

Security certificates are small data files used to create secure, trusted connections between StorageGRID components and between StorageGRID components and external systems.

StorageGRID uses two types of security certificates:

  • Server certificates are required when you use HTTPS connections. Server certificates are used to establish secure connections between clients and servers, authenticating the identity of a server to its clients and providing a secure communication path for data. The server and the client each have a copy of the certificate.

  • Client certificates authenticate a client or user identity to the server, providing more secure authentication than passwords alone. Client certificates don't encrypt data.

When a client connects to the server using HTTPS, the server responds with the server certificate, which contains a public key. The client verifies this certificate by comparing the server signature to the signature on its copy of the certificate. If the signatures match, the client starts a session with the server using the same public key.

StorageGRID functions as the server for some connections (such as the load balancer endpoint) or as the client for other connections (such as the CloudMirror replication service).

Default Grid CA certificate

StorageGRID includes a built-in certificate authority (CA) that generates an internal Grid CA certificate during system installation. The Grid CA certificate is used, by default, to secure internal StorageGRID traffic. An external certificate authority (CA) can issue custom certificates that are fully compliant with your organization's information security policies. Although you can use the Grid CA certificate for a non-production environment, the best practice for a production environment is to use custom certificates signed by an external certificate authority. Unsecured connections with no certificate are also supported but aren't recommended.

  • Custom CA certificates don't remove the internal certificates; however, the custom certificates should be the ones specified for verifying server connections.

  • All custom certificates must meet the system hardening guidelines for server certificates.

  • StorageGRID supports bundling of certificates from a CA into a single file (known as a CA certificate bundle).

Note StorageGRID also includes operating system CA certificates that are the same on all grids. In production environments, make sure that you specify a custom certificate signed by an external certificate authority in place of the operating system CA certificate.

Variants of the server and client certificate types are implemented in several ways. You should have all the certificates needed for your specific StorageGRID configuration ready before you configure the system.

Access security certificates

You can access information about all StorageGRID certificates in a single location, along with links to the configuration workflow for each certificate.

Steps
  1. From Grid Manager, select CONFIGURATION > Security > Certificates.

    Certificates page
  2. Select a tab on the Certificates page for information about each certificate category and to access the certificate settings. You can access a tab if you have the appropriate permission.

Security certificate details

Each type of security certificate is described below, with links to the implementation instructions.

Management interface certificate

Certificate type Description Navigation location Details

Server

Authenticates the connection between client web browsers and the StorageGRID management interface, allowing users to access the Grid Manager and Tenant Manager without security warnings.

This certificate also authenticates Grid Management API and Tenant Management API connections.

You can use the default certificate created during installation or upload a custom certificate.

CONFIGURATION > Security > Certificates, select the Global tab, and then select Management interface certificate

S3 API certificate

Certificate type Description Navigation location Details

Server

Authenticates secure S3 client connections to a Storage Node and to load balancer endpoints (optional).

CONFIGURATION > Security > Certificates, select the Global tab, and then select S3 API certificate

Grid CA certificate

Administrator client certificate

Certificate type Description Navigation location Details

Client

Installed on each client, allowing StorageGRID to authenticate external client access.

  • Allows authorized external clients to access the StorageGRID Prometheus database.

  • Allows secure monitoring of StorageGRID using external tools.

CONFIGURATION > Security > Certificates and then select the Client tab

Load balancer endpoint certificate

Certificate type Description Navigation location Details

Server

Authenticates the connection between S3 clients and the StorageGRID Load Balancer service on Gateway Nodes and Admin Nodes. You can upload or generate a load balancer certificate when you configure a load balancer endpoint. Client applications use the load balancer certificate when connecting to StorageGRID to save and retrieve object data.

You can also use a custom version of the global S3 API certificate certificate to authenticate connections to the Load Balancer service. If the global certificate is used to authenticate load balancer connections, you don't need to upload or generate a separate certificate for each load balancer endpoint.

Note: The certificate used for load balancer authentication is the most used certificate during normal StorageGRID operation.

CONFIGURATION > Network > Load balancer endpoints

Cloud Storage Pool endpoint certificate

Certificate type Description Navigation location Details

Server

Authenticates the connection from a StorageGRID Cloud Storage Pool to an external storage location, such as S3 Glacier or Microsoft Azure Blob storage. A different certificate is required for each cloud provider type.

ILM > Storage pools

Email alert notification certificate

Certificate type Description Navigation location Details

Server and client

Authenticates the connection between an SMTP email server and StorageGRID that is used for alert notifications.

  • If communications with the SMTP server requires Transport Layer Security (TLS), you must specify the email server CA certificate.

  • Specify a client certificate only if the SMTP email server requires client certificates for authentication.

ALERTS > Email setup

External syslog server certificate

Certificate type Description Navigation location Details

Server

Authenticates the TLS or RELP/TLS connection between an external syslog server that logs events in StorageGRID.

Note: An external syslog server certificate is not required for TCP, RELP/TCP, and UDP connections to an external syslog server.

CONFIGURATION > Monitoring > Audit and syslog server

Grid federation connection certificate

Certificate type Description Navigation location Details

Server and client

Authenticate and encrypt information sent between the current StorageGRID system and another grid in a grid federation connection.

CONFIGURATION > System > Grid federation

Identity federation certificate

Certificate type Description Navigation location Details

Server

Authenticates the connection between StorageGRID and an external identity provider, such as Active Directory, OpenLDAP, or Oracle Directory Server. Used for identity federation, which allows admin groups and users to be managed by an external system.

CONFIGURATION > Access Control > Identity federation

Key management server (KMS) certificate

Certificate type Description Navigation location Details

Server and client

Authenticates the connection between StorageGRID and an external key management server (KMS), which provides encryption keys to StorageGRID appliance nodes.

CONFIGURATION > Security > Key management server

Platform services endpoint certificate

Certificate type Description Navigation location Details

Server

Authenticates the connection from the StorageGRID platform service to an S3 storage resource.

Tenant Manager > STORAGE (S3) > Platform services endpoints

Single sign-on (SSO) certificate

Certificate type Description Navigation location Details

Server

Authenticates the connection between identity federation services, such as Active Directory Federation Services (AD FS), and StorageGRID that are used for single sign-on (SSO) requests.

CONFIGURATION > Access control > Single sign-on

Certificate examples

Example 1: Load Balancer service

In this example, StorageGRID acts as the server.

  1. You configure a load balancer endpoint and upload or generate a server certificate in StorageGRID.

  2. You configure an S3 client connection to the load balancer endpoint and upload the same certificate to the client.

  3. When the client wants to save or retrieve data, it connects to the load balancer endpoint using HTTPS.

  4. StorageGRID responds with the server certificate, which contains a public key, and with a signature based on the private key.

  5. The client verifies this certificate by comparing the server signature to the signature on its copy of the certificate. If the signatures match, the client starts a session using the same public key.

  6. The client sends object data to StorageGRID.

Example 2: External key management server (KMS)

In this example, StorageGRID acts as the client.

  1. Using external Key Management Server software, you configure StorageGRID as a KMS client and obtain a CA-signed server certificate, a public client certificate, and the private key for the client certificate.

  2. Using the Grid Manager, you configure a KMS server and upload the server and client certificates and the client private key.

  3. When a StorageGRID node needs an encryption key, it makes a request to the KMS server that includes data from the certificate and a signature based on the private key.

  4. The KMS server validates the certificate signature and decides that it can trust StorageGRID.

  5. The KMS server responds using the validated connection.