Isilon: How to configure a SyncIQ policy to use SSL encryption on OneFS
Summary: Steps for creating, validating and using SSL certificates with SyncIQ policies on OneFS 8.2 and later.
Instructions
This article relates to Dell Knowledge Base article 153928: DSA-2020-039: Dell Isilon OneFS security update for a SyncIQ vulnerability and the requirements for using SyncIQ with SSL encryption.
The following are the steps for configuring it in a lab.
Note:
- The certificates used below were created in a lab with the OpenSSL utility. Customers are free to use their own certificates according to their specific security requirements.
- In our example the validity period is set to 365 days (one year). Follow current industry standards and local security policy when choosing the validity length, key type, key size and hash algorithm.
- Every certificate generated, including the certificate authority (CA) certificate, must have a unique common name (CN) value.
Steps:
- Create the CA self-signed certificate:
    Source-1# mkdir /ifs/data/Isilon_Support/synciq_certs
    Source-1# chmod 700 /ifs/data/Isilon_Support/synciq_certs
    Source-1# cd /ifs/data/Isilon_Support/synciq_certs
    Source-1# openssl req -new -newkey rsa:4096 -sha256 -nodes -out ca.csr -keyout ca.key
    Source-1# openssl x509 -days 365 -trustout -signkey ca.key -req -in ca.csr -out ca.crt
    Signature ok
    subject=/C=XX/ST=Some-State/L=city/O=XXXX/OU=section/CN=isilon.lab
    Getting Private key
    Source-1# openssl x509 -in ca.crt -outform PEM -out ca.pem
    Source-1# ls ca*
    ca.crt ca.csr ca.key ca.pem
- Create the source certificate (a child certificate) and sign it with the CA created in step 1.
    Source-1# openssl req -new -newkey rsa:4096 -sha256 -nodes -out source.csr -keyout source.key
    Source-1# openssl x509 -days 365 -req -in source.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out source.crt
    Signature ok
    subject=/C=XX/ST=Some-State/L=city/O=XXXX/OU=section/CN=source.isilon.lab
    Getting CA Private Key
    Source-1# openssl x509 -in source.crt -outform PEM -out source.pem
    Source-1# ls source*
    source.crt source.csr source.key source.pem
    Source-1# openssl verify -CAfile ca.pem source.pem
    source.pem: OK
- Create the target certificate (a child certificate) and sign it with the CA created in step 1.
    Source-1# openssl req -new -newkey rsa:4096 -sha256 -nodes -out target.csr -keyout target.key
    Source-1# openssl x509 -days 365 -req -in target.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out target.crt
    Signature ok
    subject=/C=XX/ST=Some-State/L=city/O=XXXX/OU=section/CN=target.isilon.lab
    Getting CA Private Key
    Source-1# openssl x509 -in target.crt -outform PEM -out target.pem
    Source-1# ls target*
    target.crt target.csr target.key target.pem
    Source-1# openssl verify -CAfile ca.pem target.pem
    target.pem: OK
- Copy the required certificates and keys to the target cluster.
    Target-1# mkdir /ifs/data/Isilon_Support/synciq_certs
    Source-1# scp target.* xxx.xxx.xxx.xxx:/ifs/data/Isilon_Support/synciq_certs
    Source-1# scp source.pem xxx.xxx.xxx.xxx:/ifs/data/Isilon_Support/synciq_certs
    Source-1# scp ca.pem xxx.xxx.xxx.xxx:/ifs/data/Isilon_Support/synciq_certs
On the source cluster:
- Create a SyncIQ policy for testing:
    Source-1# mkdir /ifs/data/<test-dir-name>
    Source-1# isi sync policies create --name=Test_SSL --source-root-path=/ifs/data/<test-dir-name> --target-host=xxx.xxx.xxx.xxx --target-path=/ifs/data/<test-dir-name> --action=sync
- Import the CA certificate into the Isilon certificate store.
    Source-1# isi certificate authority import --name=CA_Sync --certificate-path=/ifs/data/Isilon_Support/synciq_certs/ca.pem
- Import the source certificate and key into the SyncIQ server certificate store, then update the global SyncIQ settings with the ID of the imported certificate.
    Source-1# isi sync certificates server import --certificate-path=/ifs/data/Isilon_Support/synciq_certs/source.pem --certificate-key-path=/ifs/data/Isilon_Support/synciq_certs/source.key
    Source-1# isi sync certificates server list -v
    ID: e0a3377a5ed27808bbd8eba759d90335060ac53dc6f4da1f15fcb6c44ac743a8
    Name:
    Description:
    Subject: C=XX, ST=Some-State, L=city, O=XXXX, OU=section, CN=source.isilon.lab
    Issuer: C=XX, ST=Some-State, L=city, O=XXXX, OU=section, CN=isilon.lab
    Status: valid
    Not Before: 2020-05-03T08:27:42
    Not After: 2025-05-03T08:27:42
    Fingerprints
        Type: SHA1
        Value: b5:d1:21:30:a6:b5:ed:79:65:7d:e6:e3:6f:10:a8:23:63:81:2b:1c
        Type: SHA256
        Value: e0:a3:37:7a:5e:d2:78:08:bb:d8:eb:a7:59:d9:03:35:06:0a:c5:3d:c6:f4:da:1f:15:fc:b6:c4:4a:c7:43:a8
    Source-1# isi sync settings modify --cluster-certificate-id=e0a3377a5ed27808bbd8eba759d90335060ac53dc6f4da1f15fcb6c44ac743a8
- Import the target certificate into the SyncIQ peer certificate store.
    Source-1# isi sync certificates peer import --certificate-path=/ifs/data/Isilon_Support/synciq_certs/target.pem
    Source-1# isi sync certificates peer list -v
    ID: 3180c616bae639c27b422f0c4608855d6888f20327ca85e9e869733e85bf5b06
    Name:
    Description:
    Subject: C=XX, ST=Some-State, L=city, O=XXXX, OU=section, CN=target.isilon.lab
    Issuer: C=XX, ST=Some-State, L=city, O=XXXX, OU=section, CN=isilon.lab
    Status: valid
    Not Before: 2020-05-03T08:43:06
    Not After: 2025-05-03T08:43:06
    Fingerprints
        Type: SHA1
        Value: 8e:12:52:c1:8c:12:1d:f8:ed:cf:da:8e:3d:3c:a3:47:21:79:43:0d
        Type: SHA256
        Value: 31:80:c6:16:ba:e6:39:c2:7b:42:2f:0c:46:08:85:5d:68:88:f2:03:27:ca:85:e9:e8:69:73:3e:85:bf:5b:06
- Modify the SyncIQ policy to use the ID of the imported target certificate.
    Source-1# isi sync policies modify --policy=Test_SSL --target-certificate-id=3180c616bae639c27b422f0c4608855d6888f20327ca85e9e869733e85bf5b06
On the target cluster:
- Import the CA certificate into the Isilon certificate store.
    Target-1# isi certificate authority import --name=CA_Sync --certificate-path=/ifs/data/Isilon_Support/synciq_certs/ca.pem
- Import the source certificate into the SyncIQ peer certificate store.
    Target-1# isi sync certificates peer import --certificate-path=/ifs/data/Isilon_Support/synciq_certs/source.pem
- Import the target certificate and key into the SyncIQ server certificate store, then update the global SyncIQ settings with the ID of the imported certificate.
    Target-1# isi sync certificates server import --certificate-path=/ifs/data/Isilon_Support/synciq_certs/target.pem --certificate-key-path=/ifs/data/Isilon_Support/synciq_certs/target.key
    Target-1# isi sync certificates server list -v
    ID: 3180c616bae639c27b422f0c4608855d6888f20327ca85e9e869733e85bf5b06
    Name:
    Description:
    Subject: C=XX, ST=Some-State, L=city, O=XXXX, OU=section, CN=target.isilon.lab
    Issuer: C=XX, ST=Some-State, L=city, O=XXXX, OU=section, CN=isilon.lab
    Status: valid
    Not Before: 2020-05-03T08:43:06
    Not After: 2025-05-03T08:43:06
    Fingerprints
        Type: SHA1
        Value: 8e:12:52:c1:8c:12:1d:f8:ed:cf:da:8e:3d:3c:a3:47:21:79:43:0d
        Type: SHA256
        Value: 31:80:c6:16:ba:e6:39:c2:7b:42:2f:0c:46:08:85:5d:68:88:f2:03:27:ca:85:e9:e8:69:73:3e:85:bf:5b:06
    Target-1# isi sync settings modify --cluster-certificate-id=3180c616bae639c27b422f0c4608855d6888f20327ca85e9e869733e85bf5b06
On the source cluster:
- Run the SyncIQ policy and confirm that it completes successfully. The coordinator log line "Cipher being used for encryption" confirms that the session is encrypted.
    Source-1# isi sync jobs start Test_SSL
    2020-05-03T08:56:05+0000 Source-1 siq_coord[14712]coord: Job specified by name Test_SSL
    2020-05-03T08:56:05+0000 Source-1 siq_coord[14712]coord[Test_SSL:1588496165]: Starting job 'Test_SSL' (e5fc89d623dda31b58437c86c59cbdfb)
    2020-05-03T08:56:05+0000 Source-1 siq_coord[14712]coord[Test_SSL:1588496165]: Cipher being used for encryption: AES256-GCM-SHA384
    ... ... ...
    2020-05-03T08:56:10+0000 Source-1 siq_coord[14712]coord[Test_SSL:1588496165]: Finished job 'Test_SSL' (e5fc89d623dda31b58437c86c59cbdfb) to xxx.xxx.xxx.xxx in 0h 0m 5s with status success and 0 checksum errors
Reminders:
- Each cluster has one certificate that acts as the cluster certificate in the server store ("# isi sync settings modify --cluster-certificate-id").
- By default, every policy uses the cluster's certificate as its source certificate.
- In the peer store, update the single cluster certificate of the target cluster.
- Configure the policy to use the correct certificate of the target, the one imported into the peer certificate store.
- If extv3 is used in the certificates, see Dell Knowledge Base article 186531: Encrypted SyncIQ policy fails with "sslv3 alert unsupported certificate".
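The certificate-creation steps above and the certificate IDs that the "isi sync certificates ... list -v" output reports, as one added shell example that is not part of the Dell article: it builds the lab CA plus the source and target leaf certificates with OpenSSL, verifies that each leaf chains to the CA, checks the unique-CN requirement from the note, and derives the ID that OneFS shows after import. In the article's own output the ID (e0a3377a5e...) is the SHA-256 fingerprint (e0:a3:37:7a:5e:...) with the colons removed, so the script computes it the same way, which lets you compare the value you pass to --cluster-certificate-id or --target-certificate-id against the file you imported. Assumptions, all constructed for this example: a scratch directory chosen with mktemp, the CN values used in the article, 365-day validity and RSA keys; the CA is given basicConstraints CA:TRUE and keyCertSign so that "openssl verify" (OpenSSL 3.x in particular) accepts it as a trust anchor, and the two leaves get distinct serial numbers because a CA must not issue two certificates with the same serial, as the article's "-set_serial 01" for both leaves would. No extensions are requested for the leaves, as in the article.

```shell
#!/bin/sh
# Added example, not part of the Dell KB article: lab CA + source/target leaves,
# chain verification, unique-CN check, and the OneFS-style certificate ID.
# Assumptions (constructed): scratch directory, article CN values, 365-day validity.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORKDIR="${WORKDIR:-$(mktemp -d)}"
DAYS="${DAYS:-365}"
KEYBITS="${KEYBITS:-4096}"
SUBJ_PREFIX="/C=XX/ST=Some-State/L=city/O=XXXX/OU=section"

# make_ca: self-signed CA with basicConstraints/keyUsage so verifiers treat it as a CA.
make_ca() {
    mkdir -p "$WORKDIR" && chmod 700 "$WORKDIR"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
        > "$WORKDIR/ca.ext"
    # -subj skips the interactive prompts; -nodes leaves the key unencrypted (lab use only)
    openssl req -new -newkey "rsa:$KEYBITS" -sha256 -nodes \
        -subj "$SUBJ_PREFIX/CN=isilon.lab" \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.csr" 2>/dev/null
    openssl x509 -req -days "$DAYS" -sha256 -signkey "$WORKDIR/ca.key" \
        -in "$WORKDIR/ca.csr" -extfile "$WORKDIR/ca.ext" -out "$WORKDIR/ca.pem"
}

# make_leaf <name> <cn> <serial>: leaf signed by the CA; every leaf gets its own serial.
make_leaf() {
    name=$1; cn=$2; serial=$3
    openssl req -new -newkey "rsa:$KEYBITS" -sha256 -nodes \
        -subj "$SUBJ_PREFIX/CN=$cn" \
        -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.csr" 2>/dev/null
    openssl x509 -req -days "$DAYS" -sha256 -in "$WORKDIR/$name.csr" \
        -CA "$WORKDIR/ca.pem" -CAkey "$WORKDIR/ca.key" -set_serial "$serial" \
        -out "$WORKDIR/$name.pem"
}

# verify_leaf <name>: succeeds only if the leaf chains to the lab CA
# (the article's "openssl verify -CAfile ca.pem" check).
verify_leaf() {
    openssl verify -CAfile "$WORKDIR/ca.pem" "$WORKDIR/$1.pem" >/dev/null 2>&1
}

# cert_cn / cert_serial <name>: the subject CN and the serial number, value only.
cert_cn() {
    openssl x509 -in "$WORKDIR/$1.pem" -noout -subject | sed 's/.*CN *= *//'
}
cert_serial() {
    openssl x509 -in "$WORKDIR/$1.pem" -noout -serial | sed 's/^serial=//'
}

# cert_id <name>: SHA-256 fingerprint, lowercase, colons removed. This matches the ID
# shown in the article's "isi sync certificates server list -v" output, so it can be
# compared with the value passed to --cluster-certificate-id / --target-certificate-id.
cert_id() {
    openssl x509 -in "$WORKDIR/$1.pem" -noout -fingerprint -sha256 \
        | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# unique_cns: the article requires every certificate, CA included, to carry a distinct CN.
unique_cns() {
    n=$(for c in ca source target; do cert_cn "$c"; done | sort -u | wc -l | tr -d ' ')
    [ "$n" -eq 3 ]
}

build_all() {
    make_ca
    make_leaf source source.isilon.lab 01
    make_leaf target target.isilon.lab 02
    verify_leaf source && verify_leaf target && unique_cns
}

build_all
echo "certificates built and verified in $WORKDIR"
echo "source certificate ID: $(cert_id source)"
echo "target certificate ID: $(cert_id target)"
```

Run it as-is for a lab set, or with KEYBITS=2048 for a faster throwaway run; the printed IDs are what you would expect to see in the ID field after importing source.pem and target.pem with "isi sync certificates server import" and "isi sync certificates peer import".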
Affected Products
PowerScale OneFS, Isilon SyncIQ
Article Properties
Article Number: 000021507
Article Type: How To
Last Modified: 13 Nov 2025
Version: 11