VCJohnR
1 Copper

configuring a SSL Certificate for ECS Community edition

We have a (more or less) running ECS server; how can I configure it to support a signed SSL certificate?

I have a configured domain name to point to the server and a wildcard SSL certificate.

Presumably I configure the web server process (nginx?) running in the docker container.

0 Kudos
1 Solution

Accepted Solutions
coneryj
1 Copper

Re: configuring a SSL Certificate for ECS Community edition

There is a python cli in /opt/storageos/bin/cli with a command called 'keystore' that has two subcommands that can be used: 'show' and 'update'.

to update the object cert:

python ecscli.py keystore update -h <host> -p <port ie 4443> -cookiefile <cookiefilename> -certificatevaluefile <filenamewithfullpath> -privatekeyvaluefile <filenamewithfullpath> -selfsign <true or false>

The -ipaddresses arg is optional, for specifying a rollout order, and is generally not needed.

Use the --help arg for info on usage.

In order to use any of the ecscli.py commands, you first need to have generated a cookiefile that contains an auth token:

python ecscli.py authenticate -hostname <hostname> -port 4443 -cookiedir <someDirectory> -username <user>

where the <user> is some mgmt user, possibly 'root', 'admin' or some previously created mgmt user.

This cli package is installed on all ECS nodes and is also available as a tar file for download from our community site, which can be run from a client machine. Here is the latest ECS 2.2 download link: https://community.emc.com/docs/DOC-52139

This package requires the python "requests" module to be installed (pip install requests).

0 Kudos
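The two steps in the accepted answer (authenticate, then push the key and certificate chain) as a standalone script using plain `requests` calls. This is an added example, not code from the thread or from the ecscli package. It first checks locally that the private key actually matches the leaf certificate and that the chain is ordered leaf-first, which is the usual reason an upload "succeeds" but the wrong cert is served. The `/login` path and the `X-SDS-AUTH-TOKEN` header are what the ECS management API uses; the JSON field names for `PUT /object-cert/keystore` (`key_and_certificate`, `private_key`, `certificate_chain`, `system_selfsigned`) are an assumption from memory of the ECS REST API reference and should be checked against the API docs for your ECS version. The `ECS_CA_BUNDLE` environment variable is this script's own convention.

```python
import os
import re
import ssl
import sys
import tempfile

# Matches one PEM certificate block (header through footer, no trailing newline).
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
# Matches a PKCS#8, RSA or EC private key block.
PEM_KEY = re.compile(
    r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----.*?-----END (?:RSA |EC )?PRIVATE KEY-----", re.S)


def split_pem_certs(text):
    """Return every PEM certificate block in `text`, in file order, with LF line endings."""
    return [block.replace("\r\n", "\n") for block in PEM_CERT.findall(text)]


def build_chain(leaf_pem, *intermediate_pems):
    """Assemble the chain the server will present: the leaf first, then intermediates in order.

    The leaf file must hold exactly one certificate; an intermediate/CA bundle may hold several."""
    blocks = split_pem_certs(leaf_pem)
    if len(blocks) != 1:
        raise ValueError("leaf file must contain exactly one certificate, found %d" % len(blocks))
    for pem in intermediate_pems:
        blocks.extend(split_pem_certs(pem))
    return "\n".join(blocks) + "\n"


def key_matches_chain(chain_pem, key_pem):
    """True if OpenSSL accepts the key for the leaf certificate; False on mismatch or malformed PEM.

    Loading the pair into a server-side SSL context is the same check a TLS server performs
    at startup, so a pair that fails here could never be served correctly."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    with tempfile.NamedTemporaryFile("w") as cert_f, tempfile.NamedTemporaryFile("w") as key_f:
        cert_f.write(chain_pem)
        cert_f.flush()
        key_f.write(key_pem)
        key_f.flush()
        try:
            ctx.load_cert_chain(cert_f.name, key_f.name)
        except ssl.SSLError:
            return False
    return True


def build_payload(chain_pem, key_pem, self_signed=False):
    """Body for PUT /object-cert/keystore. Field names are an assumption (see lead-in)."""
    if not PEM_KEY.search(key_pem):
        raise ValueError("private key file is not a PEM private key")
    return {
        "key_and_certificate": {
            "private_key": key_pem.replace("\r\n", "\n"),
            "certificate_chain": chain_pem,
        },
        # -selfsign true in ecscli asks ECS to generate its own cert instead; here we upload ours.
        "system_selfsigned": self_signed,
    }


def login(session, host, port, user, password):
    """GET /login with HTTP basic auth; ECS returns the session token in X-SDS-AUTH-TOKEN."""
    r = session.get("https://%s:%s/login" % (host, port), auth=(user, password))
    r.raise_for_status()
    return r.headers["X-SDS-AUTH-TOKEN"]


def update_object_cert(session, host, port, token, payload):
    """PUT the new key and chain to the object keystore; returns the HTTP status code."""
    r = session.put("https://%s:%s/object-cert/keystore" % (host, port), json=payload,
                    headers={"X-SDS-AUTH-TOKEN": token, "Accept": "application/json"})
    r.raise_for_status()
    return r.status_code


def main(argv):
    import requests  # third-party, as the thread notes: pip install requests
    if len(argv) < 7:
        sys.exit("usage: %s HOST PORT USER PASSWORD LEAF.pem KEY.pem [INTERMEDIATE.pem ...]" % argv[0])
    host, port, user, password, leaf_file, key_file = argv[1:7]
    with open(leaf_file) as f:
        leaf = f.read()
    inters = []
    for name in argv[7:]:
        with open(name) as f:
            inters.append(f.read())
    with open(key_file) as f:
        key = f.read()
    chain = build_chain(leaf, *inters)
    if not key_matches_chain(chain, key):
        sys.exit("private key does not match the leaf certificate (or a file is not valid PEM)")
    session = requests.Session()
    # Verify the management endpoint against your CA bundle rather than verify=False,
    # which is what produces the InsecureRequestWarning seen later in the thread.
    session.verify = os.environ.get("ECS_CA_BUNDLE", True)
    token = login(session, host, port, user, password)
    status = update_object_cert(session, host, port, token, build_payload(chain, key))
    print("keystore update returned HTTP", status)


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python push_cert.py ecs-host 4443 root 'password' leaf.pem leaf.key intermediate.pem`; the local key/chain check runs before any network call, so a mismatched key or a DER file fed in by mistake is reported without touching the cluster.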
12 Replies
JasonCwik
3 Argentium

Re: configuring a SSL Certificate for ECS Community edition

Are you looking to install an SSL certificate for the management API/GUI or for the data path (S3, Swift, Atmos)?  You can use the CLI to configure certificates. coneryj can help you out.

VCJohnR
1 Copper

Re: configuring a SSL Certificate for ECS Community edition

Ideally we want a specified domain and certificates for both the management API/GUI and the data path - in our case S3.

I was able to install a certificate and set the server name for the nginx webserver; however, the configuration for the data path - storageos - is not clear.

I'll have a look at the API - I see there is an item in the REST API, /object-cert.

0 Kudos
VCJohnR
1 Copper

Re: configuring a SSL Certificate for ECS Community edition

I looked at the startup script for storageos and storageos-datastore and saw they were accessing a java keystore at /opt/storageos/conf/keystore.

I imported my certificate into it; is there anything else I need to do?

I do not think the dataservice is picking up and using the certificate; it is still returning the "localhost" cert.

0 Kudos
VCJohnR
1 Copper

Re: Re: configuring a SSL Certificate for ECS Community edition

Thanks for your response.

I was able to use the API as you suggested, and both the update and show calls appeared to work; the example below lists the certificate.

However, when I connect using CloudBerry to an S3 endpoint I still get the "DataService" self-signed certificate.

This is after connecting both before and after restarting the docker container.

The modification date for the file /opt/storageos/conf/keystore doesn't appear to change (which doesn't worry me if that is not where they are stored), but the encoded certificate as shown below does change.

[root@ecscloud cli]# python ./build/lib/ecscli/ecscli.py keystore show -hostname ecscloud.viostream.com -port 4443 -cookiefile /tmp/cookie/rootcookie29384
/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
{
  "chain": "-----BEGIN CERTIFICATE-----\nMIIDATCCAemgAwIBAgIIYVjVFqUMgQAwDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UE\r\nAxMLRGF0YVNlcnZpY2Uw...
...
\ntRQHQm7z85WmOlkl0TjPQj/VNmGZ6uFo/YxTZoE+62iVm1zLP9WKFfXON1XkC4Nl\r\n4LilLfE=\r\n-----END CERTIFICATE-----"
}

I ran these updates on a newly installed and configured ecs cloud instance.

0 Kudos
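A client such as CloudBerry may cache the certificate it first saw, so "still getting the DataService cert" does not tell you whether the node itself has switched. The check below is an added example, not part of the thread: it opens a TLS handshake to an endpoint, takes the leaf certificate the server presents, and compares its SHA-256 fingerprint with the certificate you uploaded (either the PEM file, or the `chain` value pasted straight out of `keystore show`, JSON escapes included). Ports 443 and 4443 are the nginx ports mentioned in the thread; 9021 as the S3 HTTPS data port is an assumption, adjust it to your deployment.

```python
import hashlib
import re
import socket
import ssl

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# Assumed S3 HTTPS data port; the thread does not state it.
S3_HTTPS_PORT = 9021


def fingerprint_der(der_bytes):
    """SHA-256 fingerprint of a DER certificate, colon-separated the way openssl prints it."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_pem(pem_text):
    """Fingerprint of the first (leaf) certificate in a PEM string.

    Accepts a plain PEM file or the JSON-escaped `chain` value from `keystore show`,
    which carries literal \\r\\n and \\n sequences instead of real line breaks."""
    text = pem_text.replace("\\r\\n", "\n").replace("\\n", "\n").replace("\r\n", "\n")
    match = PEM_CERT.search(text)
    if not match:
        raise ValueError("no PEM certificate found")
    return fingerprint_der(ssl.PEM_cert_to_DER_cert(match.group(0)))


def served_cert_der(host, port, timeout=5.0):
    """Open a TLS connection and return the leaf certificate the server presents (DER).

    Verification is turned off on purpose: a self-signed "DataService" cert would fail
    validation, and the point is to see it, not to trust it. Nothing is sent after the
    handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def cert_is_live(host, port, expected_pem):
    """True once the endpoint serves the certificate you uploaded."""
    return fingerprint_der(served_cert_der(host, port)) == fingerprint_pem(expected_pem)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: %s HOST CERT.pem" % sys.argv[0])
    host, cert_file = sys.argv[1:]
    with open(cert_file) as f:
        expected = fingerprint_pem(f.read())
    print("expected      ", expected)
    for port in (443, 4443, S3_HTTPS_PORT):
        try:
            served = fingerprint_der(served_cert_der(host, port))
        except (OSError, ssl.SSLError) as exc:
            print("%s:%d  unreachable (%s)" % (host, port, exc))
            continue
        print("%s:%d  %s  %s" % (host, port, "OK " if served == expected else "OLD", served))
```

Run it against each node (not just the name the load balancer resolves to) and repeat until every port reports OK; a mix of OK and OLD across nodes means the rollout is still in progress rather than the upload having failed.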
VCJohnR
1 Copper

Re: Re: configuring a SSL Certificate for ECS Community edition

Doing some more testing and configuration, it is working!

I deleted and recreated the CloudBerry saved account; after trying again with a new one, it gets the updated certificate and is good.

For completeness I also configured the SSL certificates for the nginx web server for 443 and 4443.

0 Kudos
JasonCwik
3 Argentium

Re: Re: configuring a SSL Certificate for ECS Community edition

Glad it works!  Sorry, we should have mentioned that it can take up to 2 hours for the new certificate to propagate to all nodes (that's the cache TTL for the cert).

coneryj
1 Copper

Re: Re: configuring a SSL Certificate for ECS Community edition

Fantastic! I'm glad you found this helpful and it was able to resolve your issue.

0 Kudos
Tiws1
1 Copper

Re: configuring a SSL Certificate for ECS Community edition

Our CA provides certificates in DER-encoded form as well as Base64-encoded form. Which one of these is supported by ECS?

Also, we get a certificate and then a certificate chain (a *.p7b file). For the -certificatevaluefile, should one use the certificate file or the certificate chain file?

0 Kudos