
February 22nd, 2016 17:00

Configuring an SSL certificate for ECS Community Edition

We have a (more or less) running ECS server; how can I configure it to support a signed SSL certificate?

I have a configured domain name to point to the server and a wildcard SSL certificate.

Presumably I configure the web server process (nginx?) running in the docker container.

22 Posts

February 24th, 2016 06:00

There is a python cli in /opt/storageos/bin/cli with a command called 'keystore' that has two subcommands that can be used: 'show' and 'update'.

To update the object cert:

python ecscli.py keystore update -h -p -cookiefile -certificatevaluefile -privatekeyvaluefile -selfsign

The -ipaddresses arg is optional, for specifying a rollout order, and is generally not needed.

Use the --help arg for info on usage.

In order to use any of the ecscli.py commands, you first need to have generated a cookiefile that contains an auth token.

python ecscli.py authenticate -hostname   -port 4443 -cookiedir -username

where the is some mgmt user, possibly 'root', 'admin' or some previously created mgmt user.

This cli package is installed on all ECS nodes and is also available as a tar file for download from our community site, which can be run from a client machine. Here is the latest ECS 2.2 download link: https://community.emc.com/docs/DOC-52139

This package requires the python "requests" module to be installed (pip install requests).

281 Posts

February 23rd, 2016 07:00

Are you looking to install an SSL certificate for the management API/GUI or for the data path (S3, Swift, Atmos)? You can use the CLI to configure certificates. coneryj can help you out.

5 Posts

February 23rd, 2016 16:00

Ideally we want a specified domain and certificates for both the management API/GUI and the data path, in our case S3.

I was able to install a certificate and set the server name for the nginx webserver; however, the configuration for the data path (storageos) is not clear.

I'll have a look at the API; I see there is an item in the REST API, /object-cert.

5 Posts

February 23rd, 2016 21:00

I looked at the startup script for storageos and storageos-datastore and saw they were accessing a java keystore at /opt/storageos/conf/keystore

I imported my certificate into it; is there anything else I need to do?

I do not think the dataservice is picking up and using the certificate, still returning the "localhost" cert.

5 Posts

February 24th, 2016 21:00

Thanks for your response.

I was able to use the API as you suggest, and both the update and show calls appeared to work; the example below is listing the certificate.

However, when I connect using CloudBerry to an S3 endpoint I still get the "DataService" self-signed certificate.

This is after connecting both before and after restarting the docker container.

The modification date for the file /opt/storageos/conf/keystore doesn't appear to change (which doesn't worry me if that is not where they are stored); but the encoded certificate as shown below does change.

[root@ecscloud cli]# python ./build/lib/ecscli/ecscli.py keystore show -hostname ecscloud.viostream.com -port 4443 -cookiefile /tmp/cookie/rootcookie29384

/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html

  InsecureRequestWarning)

{
  "chain": "-----BEGIN CERTIFICATE-----\nMIIDATCCAemgAwIBAgIIYVjVFqUMgQAwDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UE\r\nAxMLRGF0YVNlcnZpY2Uw...
...
\ntRQHQm7z85WmOlkl0TjPQj/VNmGZ6uFo/YxTZoE+62iVm1zLP9WKFfXON1XkC4Nl\r\n4LilLfE=\r\n-----END CERTIFICATE-----"
}

I ran these updates on a newly installed and configured ecs cloud instance.

5 Posts

February 24th, 2016 22:00

After some more testing and configuration, it is working!

I deleted and recreated the CloudBerry saved account; after trying again with a new one, it gets the updated certificate and is good.

For completeness I also configured the SSL certificates for the nginx web server for 443 and 4443.

281 Posts

February 25th, 2016 08:00

Glad it works! Sorry, we should have mentioned that it can take up to 2 hours for the new certificate to propagate to all nodes (that's the cache TTL for the cert).

22 Posts

February 25th, 2016 11:00

Fantastic! I'm glad you found this helpful and it was able to resolve your issue.

3 Posts

May 19th, 2016 09:00

Our CA provides certificates in DER-encoded form as well as Base64-encoded form. Which one of these is supported by ECS?

Also, we get a certificate and then a certificate chain (a *.p7b file). For the -certificatevaluefile, should one use the certificate file or the certificate chain file?

3 Posts

May 19th, 2016 09:00

While installing the SSL for 443, I did not add the "selfsign false" at the end. The command did go through successfully and a "keystore show" command does list the certificate.

However, when I now try to access it over a browser, it still defaults to the self-signed cert installed earlier. Is there a way to delete the self-signed cert and force ECS to use the SSL cert provided by the CA? coneryj

22 Posts

May 19th, 2016 12:00

1)

The certificate should be in .pem base64 format.

The RSA key file should start with:

-----BEGIN RSA PRIVATE KEY-----

instead of:

-----BEGIN PRIVATE KEY-----

or you can verify with:

openssl x509 -in -text

2)

You should append the chain file to your certificate file. This combined file is what is being referred to as the "certificate chain file".

3) You can use either curl directly or the ecscli command line tool to install them:

Via curl you'd need to use XML format (as "cat" wouldn't handle the carriage returns properly in .json format):

curl -svk -H "X-SDS-AUTH-TOKEN: $TOKEN" -H "Content-type: application/xml" -H "X-EMC-REST-CLIENT: TRUE"  -X PUT -d " `cat privateFile.key` `cat certChainFile.pem` " https://X.X.X.X:4443/object-cert/keystore

python ecscli.py keystore update -h -p -cookiefile -certificatevaluefile -privatekeyvaluefile -selfsign
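The checks coneryj lists in this post (PEM rather than DER, the "BEGIN RSA PRIVATE KEY" header, the chain appended to the certificate) are easy to get wrong by hand, and the earlier posts show the other failure mode: the upload succeeds but the endpoint keeps serving the old "DataService" self-signed certificate until the cached copy on each node expires. The script below is an added example written for this thread; it is not part of ECS, ecscli or coneryj's instructions. It only uses the Python standard library, the certificate bodies it ships with are constructed placeholders (minimal DER SEQUENCEs, not real certificates), and `served_fingerprint` assumes you can reach the endpoint over the network, so it is not run by the offline demo.

```python
"""Pre-flight checks for the certificate material discussed in this thread.

Added example, not part of ECS or the ecscli tool. It covers:
  * PEM (Base64 with BEGIN/END armor) versus DER detection, and DER -> PEM conversion
  * whether the private key carries the '-----BEGIN RSA PRIVATE KEY-----' (PKCS#1) header
  * building the combined "certificate chain file" (server cert first, CA chain appended, CRLF removed)
  * SHA-256 fingerprints, so the uploaded certificate can be told apart from the self-signed one
    an endpoint may still present before the per-node cache expires
"""
import base64
import hashlib
import re
import ssl

# One PEM block: label (CERTIFICATE, RSA PRIVATE KEY, ...) and its Base64 body; tolerates CRLF line endings.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.+?)\r?\n-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, base64_body), ...] for every PEM block found in text, in file order."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def encoding_of(data):
    """Classify raw file bytes: 'PEM' if armored, 'DER' if it starts with an ASN.1 SEQUENCE tag (0x30), else 'unknown'."""
    if b"-----BEGIN " in data:
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    return "unknown"


def der_to_pem(der, label="CERTIFICATE"):
    """Wrap DER bytes in PEM armor with 64-character Base64 lines, the form the thread says ECS expects."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def key_format(key_text):
    """'PKCS1' for the RSA PRIVATE KEY header the thread asks for, 'PKCS8' for PRIVATE KEY, else 'unknown'."""
    labels = [label for label, _ in pem_blocks(key_text)]
    if "RSA PRIVATE KEY" in labels:
        return "PKCS1"
    if "PRIVATE KEY" in labels:
        return "PKCS8"
    return "unknown"


def build_chain_file(cert_pem, chain_pem):
    """Concatenate the server certificate and the CA chain, leaf first, keeping only CERTIFICATE
    blocks and LF line endings, so the result can be passed as -certificatevaluefile."""
    bodies = []
    for text in (cert_pem, chain_pem):
        bodies.extend(body for label, body in pem_blocks(text) if label == "CERTIFICATE")
    return "".join(
        "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body.replace("\r", "")
        for body in bodies
    )


def fingerprint_der(der):
    """Colon-separated upper-case SHA-256 fingerprint of DER bytes, as browsers display it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_pem(pem_text):
    """Fingerprint of the first CERTIFICATE block in PEM text (the leaf, when built by build_chain_file)."""
    body = next(body for label, body in pem_blocks(pem_text) if label == "CERTIFICATE")
    return fingerprint_der(base64.b64decode("".join(body.split())))


def served_fingerprint(host, port):
    """Fetch the certificate an endpoint actually presents (e.g. the S3 data path) and fingerprint it.
    A mismatch with fingerprint_pem(chain file) means that node is still serving the old certificate.
    Needs network access; not exercised by the offline demo below."""
    return fingerprint_pem(ssl.get_server_certificate((host, port)))


# Constructed sample data, NOT real certificates or keys: minimal DER SEQUENCEs stand in for certificate bodies.
LEAF_DER = b"\x30\x03\x02\x01\x01"
INTERMEDIATE_DER = b"\x30\x03\x02\x01\x02"
LEAF_PEM = der_to_pem(LEAF_DER)
CHAIN_PEM = der_to_pem(INTERMEDIATE_DER)
PKCS1_KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"
PKCS8_KEY_PEM = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    combined = build_chain_file(LEAF_PEM, CHAIN_PEM)
    print("certificate file encoding:", encoding_of(LEAF_PEM.encode("ascii")))
    print("key header:", key_format(PKCS1_KEY_PEM), "(the thread asks for PKCS1)")
    print("blocks in combined chain file:", len(pem_blocks(combined)))
    print("leaf fingerprint to compare with the endpoint:", fingerprint_pem(combined))
```

Run it against your own files by reading them into the same functions; once the keystore update is done, compare `fingerprint_pem()` of the combined chain file with `served_fingerprint(host, 9021)` or whichever data-path port you use, and repeat per node rather than once through a load balancer, since the earlier posts note the new certificate can take up to two hours to reach every node. A key that only carries the "BEGIN PRIVATE KEY" header can be rewritten to the PKCS#1 form with `openssl rsa -in key.pem -out key-rsa.pem` (on OpenSSL 3.x add `-traditional`).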

22 Posts

May 20th, 2016 11:00

Keep in mind that it can take up to 2 hours for the cert to be distributed. This can be more of an issue when using a load balancer.

If the problem persists you may need to restart the nginx service on the node where you uploaded the cert.
