VCJohnR
1 Copper

Configuring an SSL certificate for ECS Community edition

We have a (more or less) running ECS server; how can I configure it to support a signed SSL certificate?

I have a configured domain name to point to the server and a wildcard SSL certificate.

Presumably I configure the web server process (nginx?) running in the docker container.

JasonCwik
3 Argentium

Re: Configuring an SSL certificate for ECS Community edition

Are you looking to install an SSL certificate for the management API/GUI or for the data path (S3, Swift, Atmos)?  You can use the CLI to configure certificates. coneryj can help you out.

VCJohnR
1 Copper

Re: Configuring an SSL certificate for ECS Community edition

Ideally we want a specified domain and certificates for both the management API/GUI and the data path, in our case S3.

I was able to install a certificate and set the server name for the nginx web server; however, the configuration for the data path (storageos) is not clear.

I'll have a look at the API; I see there is an item in the REST API, /object-cert.

VCJohnR
1 Copper

Re: Configuring an SSL certificate for ECS Community edition

I looked at the startup script for storageos and storageos-datastore and saw they were accessing a java keystore at /opt/storageos/conf/keystore

I imported my certificate into it; is there anything else I need to do?

I do not think the data service is picking up and using the certificate; it is still returning the "localhost" cert.

coneryj
1 Copper

Re: Configuring an SSL certificate for ECS Community edition

There is a python CLI in /opt/storageos/bin/cli with a command called 'keystore' that has two subcommands that can be used: 'show' and 'update'.

To update the object cert:

python ecscli.py keystore update -h <host> -p <port ie 4443> -cookiefile <cookiefilename> -certificatevaluefile <filenamewithfullpath> -privatekeyvaluefile <filenamewithfullpath> -selfsign <true or false>

The -ipaddresses arg is optional, for specifying a rollout order, and is generally not needed.

Use the --help arg for info on usage.

In order to use any of the ecscli.py commands, you first need to have generated a cookiefile that contains an auth token:

python ecscli.py authenticate -hostname <hostname>  -port 4443 -cookiedir <someDirectory> -username <user>

where the <user> is some mgmt user, possibly 'root', 'admin' or some previously created mgmt user.

This CLI package is installed on all ECS nodes and is also available as a tar file for download from our community site, which can be run from a client machine. Here is the latest ECS 2.2 download link: https://community.emc.com/docs/DOC-52139

This package requires the python "requests" module to be installed (pip install requests).

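The two commands in the post above (authenticate, then keystore update) form one procedure. As an added example, not part of the thread and not the ECS CLI's own code, here they are as a script with the checks a practitioner would want around them: the chain and key files are sanity-checked before anything is sent to the cluster, and afterwards the certificate the S3 endpoint actually presents is compared with the one that was uploaded. The management hostname, management user, S3 host and port, and the file names are placeholders of this example; the CLI path is the one the post gives.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from ECS: the two ecscli.py steps above
# (authenticate, then keystore update) as one script, followed by a check of which
# certificate the S3 endpoint actually presents. Hostnames, user, ports and file
# names are placeholders for this example; the CLI path is the one the thread gives.
set -eu

ECSCLI="${ECSCLI:-/opt/storageos/bin/cli/ecscli.py}"
MGMT_HOST="${MGMT_HOST:-ecs.example.com}"      # assumed management hostname
MGMT_PORT="${MGMT_PORT:-4443}"                 # management API port from the thread
MGMT_USER="${MGMT_USER:-root}"                 # a management user, as the thread suggests
S3_HOST="${S3_HOST:-$MGMT_HOST}"               # assumed: the same name also fronts S3
S3_PORT="${S3_PORT:-9021}"                     # assumed S3-over-TLS port; confirm for your install
COOKIEDIR="${COOKIEDIR:-/tmp/ecs-cookie}"
CHAIN="${CHAIN:-$PWD/chain.pem}"               # PEM: server certificate first, then intermediates
KEY="${KEY:-$PWD/server.key}"                  # PEM private key matching the server certificate

# PEM files start with a "-----BEGIN" header; DER files do not.
is_pem() { head -c 10 "$1" | grep -q -e '-----BEGIN'; }

# Number of certificate blocks in a PEM file (prints 0 rather than failing when none).
pem_cert_count() { grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true; }

# This example expects an unencrypted PEM key: a passphrase-protected key carries
# "ENCRYPTED" in its header and could not be loaded non-interactively.
key_is_plain_pem() { is_pem "$1" && ! grep -q ENCRYPTED "$1"; }

# Sanity-check both inputs before touching the cluster; non-zero exit with a reason.
inputs_ok() {  # chain key
  is_pem "$1" || { echo "$1: not PEM" >&2; return 1; }
  [ "$(pem_cert_count "$1")" -ge 1 ] || { echo "$1: no certificate blocks" >&2; return 1; }
  key_is_plain_pem "$2" || { echo "$2: not an unencrypted PEM key" >&2; return 1; }
}

# SHA-256 fingerprint of the certificate a TLS endpoint presents.
served_fingerprint() {  # host port
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256
}

# SHA-256 fingerprint of the first (server) certificate in a PEM chain file.
file_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

rotate_object_cert() {
  inputs_ok "$CHAIN" "$KEY"
  mkdir -p "$COOKIEDIR"
  # Step 1: cookie file holding a management auth token (prompts for the password).
  # As the urllib3 InsecureRequestWarning in the thread's output shows, the CLI does
  # not verify the management API's own TLS certificate.
  python "$ECSCLI" authenticate -hostname "$MGMT_HOST" -port "$MGMT_PORT" \
    -cookiedir "$COOKIEDIR" -username "$MGMT_USER"
  cookie="$COOKIEDIR/$(ls -t "$COOKIEDIR" | head -n 1)"   # newest file, e.g. rootcookie<pid>
  # Step 2: load chain and key into the object keystore; -selfsign false for a CA-signed cert.
  # The thread writes the host/port options as -h/-p for update and -hostname/-port for
  # show; the latter is the form shown working, so it is used here.
  python "$ECSCLI" keystore update -hostname "$MGMT_HOST" -port "$MGMT_PORT" \
    -cookiefile "$cookie" -certificatevaluefile "$CHAIN" -privatekeyvaluefile "$KEY" \
    -selfsign false
  # Step 3: compare the served certificate with the uploaded one. Per the thread the new
  # certificate can take up to 2 hours to reach all nodes, and a client such as CloudBerry
  # may hold on to the old self-signed "DataService" certificate until its saved account
  # is recreated, so a mismatch right after the update is not yet a failure.
  want=$(file_fingerprint "$CHAIN")
  got=$(served_fingerprint "$S3_HOST" "$S3_PORT")
  if [ "$want" = "$got" ]; then
    echo "S3 endpoint presents the new certificate: $got"
  else
    echo "S3 endpoint still presents $got, expected $want; retry within the 2h cache TTL" >&2
    return 2
  fi
}

if [ "${1:-}" = "run" ]; then rotate_object_cert; fi
```

Run it as `./rotate-object-cert.sh run`; with no argument it only defines the functions. The final comparison talks to the data-path port with openssl s_client rather than trusting what the management API reports, because, as the later replies in this thread show, the old certificate can linger both on the server side (the cache TTL) and in the S3 client's saved profile.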
VCJohnR
1 Copper

Re: Re: Configuring an SSL certificate for ECS Community edition

Thanks for your response.

I was able to use the API as you suggest, and both the update and show calls appeared to work; the example below lists the certificate.

However when I connect using Cloudberry to a S3 endpoint I still get the "DataService" self signed certificate.

This is after connecting both before and after restarting the docker container.

The modification date for the file /opt/storageos/conf/keystore doesn't appear to change (which doesn't worry me if that is not where they are stored); but the encoded certificate as shown below does change.

[root@ecscloud cli]# python ./build/lib/ecscli/ecscli.py keystore show -hostname ecscloud.viostream.com -port 4443 -cookiefile /tmp/cookie/rootcookie29384
/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
{
  "chain": "-----BEGIN CERTIFICATE-----\nMIIDATCCAemgAwIBAgIIYVjVFqUMgQAwDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UE\r\nAxMLRGF0YVNlcnZpY2Uw...
...
\ntRQHQm7z85WmOlkl0TjPQj/VNmGZ6uFo/YxTZoE+62iVm1zLP9WKFfXON1XkC4Nl\r\n4LilLfE=\r\n-----END CERTIFICATE-----"
}

I ran these updates on a newly installed and configured ecs cloud instance.

VCJohnR
1 Copper

Re: Re: Configuring an SSL certificate for ECS Community edition

Doing some more testing and configuration, it is working!

I deleted and recreated the Cloudberry saved account; after trying again with a new one, it gets the updated certificate and is good.

For completeness I also configured the SSL certificates for the nginx web server for 443 and 4443.

JasonCwik
3 Argentium

Re: Re: Configuring an SSL certificate for ECS Community edition

Glad it works!  Sorry, we should have mentioned that it can take up to 2 hours for the new certificate to propagate to all nodes (that's the cache TTL for the cert).

coneryj
1 Copper

Re: Re: Configuring an SSL certificate for ECS Community edition

Fantastic! I'm glad you found this helpful and it was able to resolve your issue.

Tiws1
1 Copper

Re: Configuring an SSL certificate for ECS Community edition

Our CA provides the certificate in DER-encoded form as well as Base64-encoded form. Which one of these is supported by ECS?

Also, we get a certificate and then a certificate chain (a *.p7b file). For the -certificatevaluefile, should one use the certificate file or the certificate chain file?

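The question above is left unanswered in the thread; what the thread does show is that keystore show returns the chain as PEM text (-----BEGIN CERTIFICATE----- blocks, with CRLF line ends inside). As an added example, not from the thread and not from ECS, the script below normalizes what a CA typically hands out (a DER or Base64/PEM server certificate plus a PKCS#7 .p7b bundle) into a single PEM chain file with the server certificate first, dropping the duplicate copy of the server certificate that bundles often carry, so that both a plain certificate file and an ordered chain file are at hand whichever one turns out to be wanted. File names are placeholders of this example.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from ECS. Turns a CA's deliverables
# (DER or Base64/PEM certificate, DER or PEM PKCS#7 .p7b bundle) into one PEM chain
# file, server certificate first. File names are placeholders for this example.
set -eu

# "pem" when the file starts with a PEM header, else "der" (DER X.509 and DER PKCS#7
# both begin with a 0x30 SEQUENCE byte, never with "-----BEGIN").
detect_encoding() {
  if head -c 10 "$1" | grep -q -e '-----BEGIN'; then echo pem; else echo der; fi
}

pem_cert_count() { grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true; }

# Base64 body of every certificate in a file, concatenated, with CR/LF and spaces
# removed, so two copies of one certificate compare equal whatever their line ends.
cert_body() {
  awk '{ sub(/\r$/, "") } /-----BEGIN CERTIFICATE-----/ { f = 1; next }
       /-----END CERTIFICATE-----/ { f = 0 } f' "$1" | tr -d ' \n'
}

# One certificate (DER or PEM) -> PEM.
cert_to_pem() {  # in out
  openssl x509 -inform "$(detect_encoding "$1" | tr a-z A-Z)" -in "$1" -out "$2"
}

# PKCS#7 bundle (DER or PEM .p7b) -> the certificates it carries, as PEM. openssl also
# prints subject=/issuer= lines before each block; split_pem discards them.
p7b_to_pem() {  # in out
  openssl pkcs7 -inform "$(detect_encoding "$1" | tr a-z A-Z)" -in "$1" -print_certs -out "$2"
}

# Split a PEM file into dir/cert-01.pem, cert-02.pem, ... keeping only the certificate
# blocks themselves (subject/issuer lines and trailing CRs are dropped).
split_pem() {  # file dir
  awk -v d="$2" '{ sub(/\r$/, "") }
       /-----BEGIN CERTIFICATE-----/ { n++; f = 1 }
       f { print > (sprintf("%s/cert-%02d.pem", d, n)) }
       /-----END CERTIFICATE-----/ { f = 0 }' "$1"
}

# chain = leaf, then every bundle certificate that is not the leaf itself (CAs often
# repeat the leaf in the .p7b). A root CA in the bundle is kept: redundant but harmless.
assemble_chain() {  # leaf.pem bundle.pem out.pem
  adir=$(mktemp -d)
  split_pem "$2" "$adir"
  leaf=$(cert_body "$1")
  cat "$1" > "$3"
  if [ -n "$(tail -c 1 "$1")" ]; then echo >> "$3"; fi   # leaf file lacked a final newline
  for c in "$adir"/cert-*.pem; do
    [ -e "$c" ] || continue                               # bundle held no certificates
    if [ "$(cert_body "$c")" != "$leaf" ]; then cat "$c" >> "$3"; fi
  done
  rm -rf "$adir"
}

# Driver: leaf.crt (DER or PEM) + bundle.p7b (DER or PEM) -> chain.pem.
normalize() {  # leaf.crt bundle.p7b chain.pem
  ndir=$(mktemp -d)
  cert_to_pem "$1" "$ndir/leaf.pem"
  p7b_to_pem "$2" "$ndir/bundle.pem"
  assemble_chain "$ndir/leaf.pem" "$ndir/bundle.pem" "$3"
  rm -rf "$ndir"
  echo "$3: $(pem_cert_count "$3") certificate(s), server certificate first"
}

if [ "$#" -eq 3 ]; then normalize "$@"; fi
```

Usage: `./normalize-chain.sh server.crt chain.p7b chain.pem`. The server certificate alone is then `$ndir/leaf.pem` equivalent, i.e. the first block of chain.pem (`openssl x509 -in chain.pem` prints just that one), so whichever file the -certificatevaluefile option turns out to want is available without going back to the CA.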