Isilon:OneFS 如何設定 SyncIQ 原則以使用 SSL 加密
Summary: 在 8.2 及更新版本中,如何建立、驗證及使用 SSL 憑證與 SyncIQ 原則的步驟。
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Instructions
關於 Dell KB 文章 153928:DSA-2020-039:Dell Isilon OneFS 安全性更新,以因應 SyncIQ 漏洞,以及使用 SyncIQ 與 SSL 加密功能的要求。
以下是有關如何在實驗室中配置此功能的步驟。
便條:
- 以下使用的憑證是在實驗室中使用 OpenSSL 公用程式建立。但是,客戶可以根據其特定的安全要求自由使用自己的證書。
- 在我們的示例中,有效期設置為 365 天(一年)。輸入有效期長度、金鑰類型、金鑰大小和哈希演演演算法時,請遵循最新的行業標準和本地安全策略
- 產生的所有憑證,包括認證機構 (CA) 憑證,都必須具有唯一的公用名 (CN) 值。
程序:
- 建立 CA 自我簽署憑證:
Source-1# mkdir /ifs/data/Isilon_Support/synciq_certs Source-1# chmod 700 /ifs/data/Isilon_Support/synciq_certs Source-1# cd /ifs/data/Isilon_Support/synciq_certs Source-1# openssl req -new -newkey rsa:4096 -sha256 -nodes -out ca.csr -keyout ca.key Source-1# openssl x509 -days 365 -trustout -signkey ca.key -req -in ca.csr -out ca.crt Signature ok subject=/C=XX/ST=Some-State/L=city/O=XXXX/OU=section/CN=isilon.lab Getting Private key Source-1# openssl x509 -in ca.crt -outform PEM -out ca.pem Source-1# ls ca* ca.crt ca.csr ca.key ca.pem
- 建立來源憑證「子憑證」,並根據步驟 1 中建立的 CA 簽署。
Source-1# openssl req -new -newkey rsa:4096 -sha256 -nodes -out source.csr -keyout source.key Source-1# openssl x509 -days 365 -req -in source.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out source.crt Signature ok subject=/C=XX/ST=Some-State/L=city/O=XXXX/OU=section/CN=source.isilon.lab Getting CA Private Key Source-1# openssl x509 -in source.crt -outform PEM -out source.pem Source-1# ls source* source.crt source.csr source.key source.pem Source-1# openssl verify -CAfile ca.pem source.pem source.pem: OK
- 建立目標憑證「子憑證」,並根據步驟 1 中建立的 CA 簽署。
Source-1# openssl req -new -newkey rsa:4096 -sha256 -nodes -out target.csr -keyout target.key Source-1# openssl x509 -days 365 -req -in target.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out target.crt Signature ok subject=/C=XX/ST=Some-State/L=city/O=XXXX/OU=section/CN=target.isilon.lab Getting CA Private Key Source-1# openssl x509 -in target.crt -outform PEM -out target.pem Source-1# ls target* target.crt target.csr target.key target.pem Source-1# openssl verify -CAfile ca.pem target.pem target.pem: OK
- 將所需的憑證和金鑰複製到目標叢集。
Target-1# mkdir /ifs/data/Isilon_Support/synciq_certs Source-1# scp target.* xxx.xxx.xxx.xxx:/ifs/data/Isilon_Support/synciq_certs Source-1# scp source.pem xxx.xxx.xxx.xxx:/ifs/data/Isilon_Support/synciq_certs Source-1# scp ca.pem xxx.xxx.xxx.xxx:/ifs/data/Isilon_Support/synciq_certs
在來源叢集上:
- 建立用於測試的 SyncIQ 原則:
Source-1# mkdir /ifs/data/<test-dir-name> Source-1# isi sync policies create --name=Test_SSL --source-root-path=/ifs/data/<test-dir-name> --target-host=xxx.xxx.xxx.xxx --target-path=/ifs/data/<test-dir-name> --action=sync
- 將 CA 憑證匯入 Isilon 憑證存放區。
Source-1# isi certificate authority import --name=CA_Sync --certificate-path=/ifs/data/Isilon_Support/synciq_certs/ca.pem
- 將來源憑證和金鑰匯入 SyncIQ 伺服器 憑證存放區,然後使用匯入憑證的 ID 更新全域 SyncIQ 組態。
Source-1# isi sync certificates server import --certificate-path=/ifs/data/Isilon_Support/synciq_certs/source.pem --certificate-key-path=/ifs/data/Isilon_Support/synciq_certs/source.key Source-1# isi sync certificates server list -v ID: e0a3377a5ed27808bbd8eba759d90335060ac53dc6f4da1f15fcb6c44ac743a8 Name: Description: Subject: C=XX, ST=Some-State, L=city, O=XXXX, OU=section, CN=source.isilon.lab Issuer: C=XX, ST=Some-State, L=city, O=XXXX, OU=section, CN=isilon.lab Status: valid Not Before: 2020-05-03T08:27:42 Not After: 2025-05-03T08:27:42 Fingerprints Type: SHA1 Value: b5:d1:21:30:a6:b5:ed:79:65:7d:e6:e3:6f:10:a8:23:63:81:2b:1c Type: SHA256 Value: e0:a3:37:7a:5e:d2:78:08:bb:d8:eb:a7:59:d9:03:35:06:0a:c5:3d:c6:f4:da:1f:15:fc:b6:c4:4a:c7:43:a8 Source-1# isi sync settings modify --cluster-certificate-id=e0a3377a5ed27808bbd8eba759d90335060ac53dc6f4da1f15fcb6c44ac743a8
- 將目標憑證匯入 SyncIQ 對等 憑證存放區。
Source-1# isi sync certificates peer import --certificate-path=/ifs/data/Isilon_Support/synciq_certs/target.pem Source-1# isi sync certificates peer list -v ID: 3180c616bae639c27b422f0c4608855d6888f20327ca85e9e869733e85bf5b06 Name: Description: Subject: C=XX, ST=Some-State, L=city, O=XXXX, OU=section, CN=target.isilon.lab Issuer: C=XX, ST=Some-State, L=city, O=XXXX, OU=section, CN=isilon.lab Status: valid Not Before: 2020-05-03T08:43:06 Not After: 2025-05-03T08:43:06 Fingerprints Type: SHA1 Value: 8e:12:52:c1:8c:12:1d:f8:ed:cf:da:8e:3d:3c:a3:47:21:79:43:0d Type: SHA256 Value: 31:80:c6:16:ba:e6:39:c2:7b:42:2f:0c:46:08:85:5d:68:88:f2:03:27:ca:85:e9:e8:69:73:3e:85:bf:5b:06
- 修改 SyncIQ 原則,以使用匯入的目標憑證 ID
Source-1# isi sync policies modify --policy=Test_SSL --target-certificate-id=3180c616bae639c27b422f0c4608855d6888f20327ca85e9e869733e85bf5b06
在目標上:
- 將 CA 憑證匯入 Isilon 憑證存放區。
Target-1# isi certificate authority import --name=CA_Sync --certificate-path=/ifs/data/Isilon_Support/synciq_certs/ca.pem
- 將來源憑證匯入 SyncIQ 對等 憑證存放區。
Target-1# isi sync certificates peer import --certificate-path=/ifs/data/Isilon_Support/synciq_certs/source.pem
- 將目標憑證和金鑰匯入 SyncIQ 伺服器憑證存放區,並使用匯入憑證的 ID 更新全域 SyncIQ 組態。
Target-1# isi sync certificates server import --certificate-path=/ifs/data/Isilon_Support/synciq_certs/target.pem --certificate-key-path=/ifs/data/Isilon_Support/synciq_certs/target.key Target-1# isi sync certificates server list -v ID: 3180c616bae639c27b422f0c4608855d6888f20327ca85e9e869733e85bf5b06 Name: Description: Subject: C=XX, ST=Some-State, L=city, O=XXXX, OU=section, CN=target.isilon.lab Issuer: C=XX, ST=Some-State, L=city, O=XXXX, OU=section, CN=isilon.lab Status: valid Not Before: 2020-05-03T08:43:06 Not After: 2025-05-03T08:43:06 Fingerprints Type: SHA1 Value: 8e:12:52:c1:8c:12:1d:f8:ed:cf:da:8e:3d:3c:a3:47:21:79:43:0d Type: SHA256 Value: 31:80:c6:16:ba:e6:39:c2:7b:42:2f:0c:46:08:85:5d:68:88:f2:03:27:ca:85:e9:e8:69:73:3e:85:bf:5b:06 Target-1# isi sync settings modify --cluster-certificate-id=3180c616bae639c27b422f0c4608855d6888f20327ca85e9e869733e85bf5b06
在來源上:
- 執行 SyncIQ 原則,並確認其執行成功。
Source-1# isi sync jobs start Test_SSL 2020-05-03T08:56:05+0000 Source-1 siq_coord[14712]coord: Job specified by name Test_SSL 2020-05-03T08:56:05+0000 Source-1 siq_coord[14712]coord[Test_SSL:1588496165]: Starting job 'Test_SSL' (e5fc89d623dda31b58437c86c59cbdfb) 2020-05-03T08:56:05+0000 Source-1 siq_coord[14712]coord[Test_SSL:1588496165]: Cipher being used for encryption: AES256-GCM-SHA384 ... ... ... 2020-05-03T08:56:10+0000 Source-1 siq_coord[14712]coord[Test_SSL:1588496165]: Finished job 'Test_SSL' (e5fc89d623dda31b58437c86c59cbdfb) to xxx.xxx.xxx.xxx in 0h 0m 5s with status success and 0 checksum errors
注意:
- 每個群集都有一個證書充當伺服器存儲中的群集證書
"# isi sync settings modify --cluster-certificate-id." - 默認情況下,每個策略都使用群集的證書作為源證書。
- 在對等存儲中,更新目標群集的唯一群集證書。
- 設定原則以使用目標的正確憑證
"imported in the peer certificate." - 如果在憑證中使用 extv3,請考慮下列文章,Dell KB 文章186531:加密的 SyncIQ 原則失敗,並顯示「sslv3 alert unsupported certificate」。
Affected Products
PowerScale OneFS, Isilon SyncIQArticle Properties
Article Number: 000021507
Article Type: How To
Last Modified: 11 Dec 2025
Version: 12
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.