ECS: Strumento per i certificati SSL di dati e gestione
Riepilogo: Lo strumento dei certificati ECS consente di caricare i certificati SSL nelle interfacce di gestione e dati ECS.
Questo articolo si applica a
Questo articolo non si applica a
Questo articolo non è legato a un prodotto specifico.
Non tutte le versioni del prodotto sono identificate in questo articolo.
Istruzioni
Dal rilascio di ObjectScale, lo strumento è stato riscritto a causa delle diverse versioni di Python tra ECS e ObjectScale. L'ultima versione è la ecs_certificate_tool-1.7.
- Per l'utilizzo di ECS: ecs_certificate_tool.py
- Per l'utilizzo di ObjectScale: obs_certificate_tool.py
Index:
- Installazione
- Configuration
- Visualizzazione dei certificati correnti
- Creazione di una richiesta di firma del certificato
- Creazione di un certificato autofirmato
- Uploadding il tuo certificato
Installazione
- Scarica la versione più recente dello strumento allegata a questo articolo della knowledgebase
- Caricare lo strumento in
/home/adminsu uno dei nodi ECS. - Passare alla scheda
/home/admined estrarre il pacchetto.
$ cd /home/admin $ unzip ecs_certificate_tool-1.7.zip
- Passare alla directory dello strumento certificati.
$ cd ecs_certificate_tool-1.7
- Configurare le credenziali dell'interfaccia utente root per lo strumento da utilizzare.
Comando:
$ python ecs_certificate_tool.py configure_credentials
Esempio:
admin@:~/ecs_certificate_tool-1.7> python ecs_certificate_tool.py configure_credentials ecs_certificate_tool v1.7 =======> Configuring Credentials Please enter the password for the root management user: Authenticating using configured credentials..PASS Successfully configured credentials!
- Utilizzare lo strumento per i certificati per generare la configurazione SAN (Subject Alternative Name). È necessario aggiungere manualmente il
b>fqdneip-addressdel tuo sistema di bilanciamento del carico, se ne stai utilizzando uno.
Comando:
python ecs_certificate_tool.py generate_san
Esempio:
$ python ecs_certificate_tool.py generate_san ecs_certificate_tool v1.7 log_file: /home/admin/ecs_certificate_tool-1.7/certificate_tool.log ====================================================================== Generating SAN (subject alternative name) config. ====================================================================== ---------------------------------------------------------------------- Setting DATA_SUBJECT_ALTERNATIVE_NAME config ---------------------------------------------------------------------- Set DNS_NAMES to : ['layton-ex3000.example.com', 'ogden-ex3000.example.com', 'orem-ex3000.example.com', 'provo-ex3000.example.com', 'sandy-ex3000.example.com'] Set IP_ADDRESSES to : ['192.0.2.104', '192.0.2.105', '192.0.2.106', '192.0.2.107', '192.0.2.108'] ---------------------------------------------------------------------- Setting MANAGEMENT_SUBJECT_ALTERNATIVE_NAME config ---------------------------------------------------------------------- Set DNS_NAMES to : ['layton-ex3000.example.com', 'ogden-ex3000.example.com', 'orem-ex3000.example.com', 'provo-ex3000.example.com', 'sandy-ex3000.example.com'] Set IP_ADDRESSES to : ['192.0.2.104', '192.0.2.105', '192.0.2.106', '192.0.2.107', '192.0.2.108'] Wrote changes to: /home/admin/ecs_certificate_tool-1.7/config.ini DONE
Configuration
- La variabile
config.iniFile è la posizione in cui vengono impostati tutti i valori per il certificato. - Se non si desidera utilizzare un valore, lasciarlo vuoto come nell'esempio riportato di seguito:
# optional unit name ORGANIZATIONAL_UNIT_NAME =
- Di seguito è riportato un esempio dell'aspetto del config.ini predefinito:
[GENERAL] COMMON_NAME = *.ecs.example.com # Two letter country name COUNTRY_NAME = US LOCALITY_NAME = Salt Lake City STATE_OR_PROVINCE_NAME = Utah STREET_ADDRESS = 123 Example Street ORGANIZATION_NAME = Example Inc. # optional unit name ORGANIZATIONAL_UNIT_NAME = # optional email address EMAIL_ADDRESS = example@example.com [UI_CREDENTIALS] USERNAME = root PASSWORD = ChangeMe [SELF_SIGNED] # 1825 days = 5 years VALID_DAYS = 1825 [DATA_SUBJECT_ALTERNATIVE_NAME] DNS_NAMES = node1.ecs.example.com node2.ecs.example.com node3.ecs.example.com IP_ADDRESSES = 192.0.2.1 192.0.2.2 192.0.2.3 192.0.2.4 [MANAGEMENT_SUBJECT_ALTERNATIVE_NAME] DNS_NAMES = node1.ecs.example.com node2.ecs.example.com node3.ecs.example.com IP_ADDRESSES = 198.51.100.1 198.51.100.2 198.51.100.3 198.51.100.4 [ADVANCED] # Probably dont use these unless you really know what your doing SERIAL_NUMBER = SURNAME = GIVEN_NAME = TITLE = GENERATION_QUALIFIER = X500_UNIQUE_IDENTIFIER = DN_QUALIFIER = PSEUDONYM = USER_ID = DOMAIN_COMPONENT = JURISDICTION_COUNTRY_NAME = JURISDICTION_LOCALITY_NAME = BUSINESS_CATEGORY = POSTAL_ADDRESS = POSTAL_CODE = INN = OGRN = SNILS = UNSTRUCTURED_NAME =
Visualizzazione dei certificati correnti
- Eseguire
ecs_certificate_tool view_certsoperazione.
Comando:
$ python ecs_certificate_tool.py view_certs
Esempio:
ecs_certificate_tool v7.0
log_file: /home/admin/ecs_certificate_tool-1.0/certificate_tool.log
Authenticating using configured credentials..PASS
----------------------------------------------------------------------
View certificates
----------------------------------------------------------------------
======================================================================
Data Certificate:
======================================================================
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
3b:0f:a3:e2:fa:0a:90:14:86:6c:a3:3a:26:5c:0b:8d:6e:18:7d:eb
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=*.ecs.example.com, C=US, L=Salt Lake City, ST=Utah/street=123 Example Street, O=Example Inc./emailAddress=example@example.com
Validity
Not Before: Oct 17 18:35:06 2020 GMT
Not After : Oct 16 18:35:06 2025 GMT
Subject: CN=*.ecs.example.com, C=US, L=Salt Lake City, ST=Utah/street=123 Example Street, O=Example Inc./emailAddress=example@example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ad:13:ea:31:bb:13:30:fc:ad:75:1a:84:16:53:
76:9d:0d:96:60:69:04:70:ad:00:76:c5:e4:f0:39:
3d:e3:9b:2e:2a:06:0b:ae:29:16:22:69:73:1d:2b:
27:73:68:7a:42:62:84:37:9b:7e:7f:60:48:aa:80:
14:96:07:52:ac:d5:dd:1f:af:59:3b:88:5e:15:43:
f1:9e:29:91:0a:6d:19:8e:41:4b:3c:9f:0c:64:16:
5c:c6:61:a6:c7:28:a9:9e:14:81:10:7e:4a:4f:25:
93:20:d9:5b:fe:b3:ac:56:28:f0:89:2c:e3:97:18:
df:1d:e3:1b:6d:c5:08:fb:d6:97:81:82:b1:6b:33:
45:1d:de:7a:30:5c:6d:4a:70:96:06:f8:05:48:a7:
89:ad:ce:db:99:f2:61:88:92:75:e5:cf:d2:b1:2c:
28:60:6f:5e:ba:6c:02:f4:12:90:be:eb:6d:48:ae:
b2:3a:6e:76:a6:02:b1:9e:f7:95:2c:65:8a:80:1a:
64:52:ec:f5:0c:2b:c8:87:a7:e5:4d:f7:34:60:a5:
49:03:30:27:10:8d:ad:4e:92:52:8b:d9:6b:ad:2d:
15:60:a5:26:fc:1b:1d:69:9f:5c:a3:0f:d9:cb:b9:
1d:68:30:6c:c8:ca:e1:71:4b:88:bd:98:d7:10:ae:
89:c5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:node1.ecs.example.com, DNS:node2.ecs.example.com, DNS:node3.ecs.example.com, IP Address:192.0.2.1, IP Address:192.0.2.2, IP Address:192.0.2.3, IP Address:192.0.2.4
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Extended Key Usage: critical
TLS Web Server Authentication
X509v3 Authority Key Identifier:
0.
Signature Algorithm: sha256WithRSAEncryption
33:85:7e:3b:fd:fd:3a:35:97:17:11:2d:4d:e1:7e:03:35:82:
8a:47:30:ed:b2:f9:1b:b4:22:a2:60:00:b5:9c:aa:6c:0d:e7:
ea:c7:0a:e6:05:24:7d:bd:50:ab:23:9b:16:6a:e7:be:e9:21:
26:61:0e:e5:e1:62:7e:d8:01:3a:3e:19:14:89:c2:ef:62:a0:
17:5c:80:2b:24:6b:96:73:fa:b0:8f:4d:09:0e:69:4f:72:f0:
4d:b1:13:8d:90:4e:18:4b:82:be:fd:48:b0:c2:9d:9c:43:d9:
d9:73:e6:15:88:79:1f:3e:13:ec:c9:6f:5f:2a:08:7c:a7:5d:
b4:e1:50:0f:3c:49:e3:e4:9f:8f:dd:e0:b5:b5:2d:d8:2d:29:
94:2d:4b:66:20:36:f0:ae:3a:ae:a4:c5:91:3c:f4:2a:d6:f5:
24:ec:7b:3a:96:d6:75:91:f9:b3:1c:8a:93:87:1b:d7:f2:f7:
72:4d:0c:02:b9:2e:ab:f6:76:ca:c5:74:39:e0:a0:54:2b:85:
4d:dd:e6:c7:fc:d0:e7:bc:3e:9e:98:19:e5:ed:ad:5f:4b:ea:
20:17:c5:23:eb:09:ad:8e:13:57:75:78:f9:68:bb:18:34:fc:
3a:26:94:90:5e:ed:a6:09:bb:14:5c:bd:2e:d3:5b:c4:43:08:
66:95:e7:ee
======================================================================
Management Certificate:
======================================================================
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
3b:0f:a3:e2:fa:0a:90:14:86:6c:a3:3a:26:5c:0b:8d:6e:18:7d:eb
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=*.ecs.example.com, C=US, L=Salt Lake City, ST=Utah/street=123 Example Street, O=Example Inc./emailAddress=example@example.com
Validity
Not Before: Oct 17 18:35:06 2020 GMT
Not After : Oct 16 18:35:06 2025 GMT
Subject: CN=*.ecs.example.com, C=US, L=Salt Lake City, ST=Utah/street=123 Example Street, O=Example Inc./emailAddress=example@example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ad:13:ea:31:bb:13:30:fc:ad:75:1a:84:16:53:
76:9d:0d:96:60:69:04:70:ad:00:76:c5:e4:f0:39:
3d:e3:9b:2e:2a:06:0b:ae:29:16:22:69:73:1d:2b:
27:73:68:7a:42:62:84:37:9b:7e:7f:60:48:aa:80:
14:96:07:52:ac:d5:dd:1f:af:59:3b:88:5e:15:43:
f1:9e:29:91:0a:6d:19:8e:41:4b:3c:9f:0c:64:16:
5c:c6:61:a6:c7:28:a9:9e:14:81:10:7e:4a:4f:25:
93:20:d9:5b:fe:b3:ac:56:28:f0:89:2c:e3:97:18:
df:1d:e3:1b:6d:c5:08:fb:d6:97:81:82:b1:6b:33:
45:1d:de:7a:30:5c:6d:4a:70:96:06:f8:05:48:a7:
89:ad:ce:db:99:f2:61:88:92:75:e5:cf:d2:b1:2c:
28:60:6f:5e:ba:6c:02:f4:12:90:be:eb:6d:48:ae:
b2:3a:6e:76:a6:02:b1:9e:f7:95:2c:65:8a:80:1a:
64:52:ec:f5:0c:2b:c8:87:a7:e5:4d:f7:34:60:a5:
49:03:30:27:10:8d:ad:4e:92:52:8b:d9:6b:ad:2d:
15:60:a5:26:fc:1b:1d:69:9f:5c:a3:0f:d9:cb:b9:
1d:68:30:6c:c8:ca:e1:71:4b:88:bd:98:d7:10:ae:
89:c5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:node1.ecs.example.com, DNS:node2.ecs.example.com, DNS:node3.ecs.example.com, IP Address:192.0.2.1, IP Address:192.0.2.2, IP Address:192.0.2.3, IP Address:192.0.2.4
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Extended Key Usage: critical
TLS Web Server Authentication
X509v3 Authority Key Identifier:
0.
Signature Algorithm: sha256WithRSAEncryption
33:85:7e:3b:fd:fd:3a:35:97:17:11:2d:4d:e1:7e:03:35:82:
8a:47:30:ed:b2:f9:1b:b4:22:a2:60:00:b5:9c:aa:6c:0d:e7:
ea:c7:0a:e6:05:24:7d:bd:50:ab:23:9b:16:6a:e7:be:e9:21:
26:61:0e:e5:e1:62:7e:d8:01:3a:3e:19:14:89:c2:ef:62:a0:
17:5c:80:2b:24:6b:96:73:fa:b0:8f:4d:09:0e:69:4f:72:f0:
4d:b1:13:8d:90:4e:18:4b:82:be:fd:48:b0:c2:9d:9c:43:d9:
d9:73:e6:15:88:79:1f:3e:13:ec:c9:6f:5f:2a:08:7c:a7:5d:
b4:e1:50:0f:3c:49:e3:e4:9f:8f:dd:e0:b5:b5:2d:d8:2d:29:
94:2d:4b:66:20:36:f0:ae:3a:ae:a4:c5:91:3c:f4:2a:d6:f5:
24:ec:7b:3a:96:d6:75:91:f9:b3:1c:8a:93:87:1b:d7:f2:f7:
72:4d:0c:02:b9:2e:ab:f6:76:ca:c5:74:39:e0:a0:54:2b:85:
4d:dd:e6:c7:fc:d0:e7:bc:3e:9e:98:19:e5:ed:ad:5f:4b:ea:
20:17:c5:23:eb:09:ad:8e:13:57:75:78:f9:68:bb:18:34:fc:
3a:26:94:90:5e:ed:a6:09:bb:14:5c:bd:2e:d3:5b:c4:43:08:
66:95:e7:ee
DONE
Selezionare dall'elenco seguente il tipo di certificato che si desidera creare:
Creazione di una richiesta di firma del certificato
Uso:
ecs_certificate_tool v1.3
usage: ecs_certificate_tool.py create_csr [-h] [-k {1024,2048,4096}] (-d | -m)
optional arguments:
-h, --help show this help message and exit
-k {1024,2048,4096}, --key_size {1024,2048,4096}
Private key size for RSA private key generation
(default=2048)
-d, --data Create certificate signing request for data interface
(ports 9020, 9021, 3218) (S3, CAS, NFS, etc)
-m, --management Create certificate signing request for management
interface (WEB UI)
Creazione di un CSR per l'interfaccia dati:
admin@provo-ex3000:~/ecs_certificate_tool-1.0> python ./ecs_certificate_tool.py create_csr -d ecs_certificate_tool v1.0 log_file: /home/admin/ecs_certificate_tool-1.0/certificate_tool.log ---------------------------------------------------------------------- Validating REST API Credentials ---------------------------------------------------------------------- Authenticating using configured credentials..PASS ---------------------------------------------------------------------- Validating GENERAL configuration ---------------------------------------------------------------------- Validating COMMON_NAME = *.ecs.example.com..PASS Validating COUNTRY_NAME = US..PASS Validating LOCALITY_NAME = Salt Lake City..PASS Validating STATE_OR_PROVINCE_NAME = Utah..PASS Validating STREET_ADDRESS = 123 Example Street..PASS Validating ORGANIZATION_NAME = Example Inc...PASS Validating EMAIL_ADDRESS = example@example.com..PASS ---------------------------------------------------------------------- Validating DNS_NAMES configuration ---------------------------------------------------------------------- Validating DNSName: node1.ecs.example.com..PASS Validating DNSName: node2.ecs.example.com..PASS Validating DNSName: node3.ecs.example.com..PASS ---------------------------------------------------------------------- Validating IP_ADDRESSES configuration ---------------------------------------------------------------------- Validating IPv4Address: 192.0.2.1..PASS Validating IPv4Address: 192.0.2.2..PASS Validating IPv4Address: 192.0.2.3..PASS Validating IPv4Address: 192.0.2.4..PASS Validating SELF_SIGNED..PASS All configurations items validated successfully! Creating RSA private key..DONE Wrote private key to /home/admin/ecs_certificate_tool-1.0/FNM00181300310-data_private.key ---------------------------------------------------------------------- Certificate Signing Request ---------------------------------------------------------------------- Creating Certificate Signing Request..DONE Wrote certificate signing request to /home/admin/ecs_certificate_tool-1.0/FNM00181300310-data.csr
Creazione di un CSR per l'interfaccia di gestione:
admin@provo-ex3000:~/ecs_certificate_tool-1.0> python ./ecs_certificate_tool.py create_csr -m ecs_certificate_tool v1.0 log_file: /home/admin/ecs_certificate_tool-1.0/certificate_tool.log ---------------------------------------------------------------------- Validating REST API Credentials ---------------------------------------------------------------------- Authenticating using configured credentials..PASS ---------------------------------------------------------------------- Validating GENERAL configuration ---------------------------------------------------------------------- Validating COMMON_NAME = *.ecs.example.com..PASS Validating COUNTRY_NAME = US..PASS Validating LOCALITY_NAME = Salt Lake City..PASS Validating STATE_OR_PROVINCE_NAME = Utah..PASS Validating STREET_ADDRESS = 123 Example Street..PASS Validating ORGANIZATION_NAME = Example Inc...PASS Validating EMAIL_ADDRESS = example@example.com..PASS ---------------------------------------------------------------------- Validating DNS_NAMES configuration ---------------------------------------------------------------------- Validating DNSName: node1.ecs.example.com..PASS Validating DNSName: node2.ecs.example.com..PASS Validating DNSName: node3.ecs.example.com..PASS ---------------------------------------------------------------------- Validating IP_ADDRESSES configuration ---------------------------------------------------------------------- Validating IPv4Address: 198.51.100.1..PASS Validating IPv4Address: 198.51.100.2..PASS Validating IPv4Address: 198.51.100.3..PASS Validating IPv4Address: 198.51.100.4..PASS Validating SELF_SIGNED..PASS All configurations items validated successfully! Creating RSA private key..DONE Wrote private key to /home/admin/ecs_certificate_tool-1.0/FNM00181300310-management_private.key ---------------------------------------------------------------------- Certificate Signing Request ---------------------------------------------------------------------- Creating Certificate Signing Request..DONE Wrote certificate signing request to /home/admin/ecs_certificate_tool-1.0/FNM00181300310-management.csr
Creazione di un certificato autofirmato
Uso:
ecs_certificate_tool v1.3
usage: ecs_certificate_tool.py create_ssc [-h] [-k {1024,2048,4096}] (-d | -m)
optional arguments:
-h, --help show this help message and exit
-k {1024,2048,4096}, --key_size {1024,2048,4096}
Private key size for RSA private key generation
(default=2048)
-d, --data Create self-signed certificate for data interface
(ports 9020, 9021, 3218) (S3, CAS, NFS, etc)
-m, --management Create self-signed certificate for management
interface (WEB UI)
Creazione di un certificato autofirmato per l'interfaccia dati:
admin@provo-ex3000:~/ecs_certificate_tool-1.0> python ./ecs_certificate_tool.py create_ssc -d ecs_certificate_tool v1.0 log_file: /home/admin/ecs_certificate_tool-1.0/certificate_tool.log ---------------------------------------------------------------------- Validating REST API Credentials ---------------------------------------------------------------------- Authenticating using configured credentials..PASS ---------------------------------------------------------------------- Validating GENERAL configuration ---------------------------------------------------------------------- Validating COMMON_NAME = *.ecs.example.com..PASS Validating COUNTRY_NAME = US..PASS Validating LOCALITY_NAME = Salt Lake City..PASS Validating STATE_OR_PROVINCE_NAME = Utah..PASS Validating STREET_ADDRESS = 123 Example Street..PASS Validating ORGANIZATION_NAME = Example Inc...PASS Validating EMAIL_ADDRESS = example@example.com..PASS ---------------------------------------------------------------------- Validating DNS_NAMES configuration ---------------------------------------------------------------------- Validating DNSName: node1.ecs.example.com..PASS Validating DNSName: node2.ecs.example.com..PASS Validating DNSName: node3.ecs.example.com..PASS ---------------------------------------------------------------------- Validating IP_ADDRESSES configuration ---------------------------------------------------------------------- Validating IPv4Address: 192.0.2.1..PASS Validating IPv4Address: 192.0.2.2..PASS Validating IPv4Address: 192.0.2.3..PASS Validating IPv4Address: 192.0.2.4..PASS Validating SELF_SIGNED..PASS All configurations items validated successfully! Creating RSA private key..DONE Wrote private key to /home/admin/ecs_certificate_tool-1.0/FNM00181300310-data_private.key ---------------------------------------------------------------------- Self-signed certificate ---------------------------------------------------------------------- Creating self-signed certificate..DONE Wrote Certificate to: /home/admin/ecs_certificate_tool-1.0/FNM00181300310-data.crt admin@provo-ex3000:~/ecs_certificate_tool-1.0>
Creazione di un certificato autofirmato per l'interfaccia di gestione:
admin@provo-ex3000:~/ecs_certificate_tool-1.0> python ./ecs_certificate_tool.py create_ssc -m ecs_certificate_tool v1.0 log_file: /home/admin/ecs_certificate_tool-1.0/certificate_tool.log ---------------------------------------------------------------------- Validating REST API Credentials ---------------------------------------------------------------------- Authenticating using configured credentials..PASS ---------------------------------------------------------------------- Validating GENERAL configuration ---------------------------------------------------------------------- Validating COMMON_NAME = *.ecs.example.com..PASS Validating COUNTRY_NAME = US..PASS Validating LOCALITY_NAME = Salt Lake City..PASS Validating STATE_OR_PROVINCE_NAME = Utah..PASS Validating STREET_ADDRESS = 123 Example Street..PASS Validating ORGANIZATION_NAME = Example Inc...PASS Validating EMAIL_ADDRESS = example@example.com..PASS ---------------------------------------------------------------------- Validating DNS_NAMES configuration ---------------------------------------------------------------------- Validating DNSName: node1.ecs.example.com..PASS Validating DNSName: node2.ecs.example.com..PASS Validating DNSName: node3.ecs.example.com..PASS ---------------------------------------------------------------------- Validating IP_ADDRESSES configuration ---------------------------------------------------------------------- Validating IPv4Address: 198.51.100.1..PASS Validating IPv4Address: 198.51.100.2..PASS Validating IPv4Address: 198.51.100.3..PASS Validating IPv4Address: 198.51.100.4..PASS Validating SELF_SIGNED..PASS All configurations items validated successfully! Creating RSA private key..DONE Wrote private key to /home/admin/ecs_certificate_tool-1.0/FNM00181300310-management_private.key ---------------------------------------------------------------------- Self-signed certificate ---------------------------------------------------------------------- Creating self-signed certificate..DONE Wrote Certificate to: /home/admin/ecs_certificate_tool-1.0/FNM00181300310-management.crt
Caricamento del certificato
Se si utilizza un certificato autofirmato generato da questo strumento, la chiave privata e il certificato si trovano già nella directory corrente.
Se si dispone di un certificato firmato da una CA, caricarlo in ECS e inserirlo nella directory dello strumento per i certificati.
Nota: se necessario, caricare la catena di certificati completa (root/intermedia) per l'ambiente in uso. Vedere #ECS: Strumento per i certificati SSL di dati e gestione , se necessario.
Certificato dati
Comando:
$ python ecs_certificate_tool.py upload_certificate -c <path to certificate> -p <path to private key> --data
Esempio:
admin@provo-ex3000:~/ecs_certificate_tool-1.0> python ecs_certificate_tool.py upload_certificate -c ./FNM00181300310-data.crt -p FNM00181300310-data_private.key --data ecs_certificate_tool v1.0 log_file: /home/admin/ecs_certificate_tool-1.0/certificate_tool.log ---------------------------------------------------------------------- Upload Certificate ---------------------------------------------------------------------- Authenticating using configured credentials..PASS Reading certificate from: ./FNM00181300310-data.crt..DONE Reading private key from: FNM00181300310-data_private.key..DONE Verifying the private key matches the certificate..DONE Uploading the certificate to ECS..DONE admin@provo-ex3000:~/ecs_certificate_tool-1.0>
Dopo aver caricato il certificato, sono disponibili due opzioni:
- Attendere 2 ore per:
dataheadsvcper propagare il nuovo certificato nel cluster. - Riavvio manuale
dataheadsvcsul nodo da cui è stato eseguito lo strumento, tenere presente che ciò può avere un breve impatto.
Comando per riavviare dataheadsvc:
# sudo kill -9 `pidof dataheadsvc`
Certificato di gestione
Comando:
$ python ./ecs_certificate_tool.py upload_certificate -c <path to certificate> -p <path to private key> --management
Esempio:
admin@provo-ex3000:~/ecs_certificate_tool-1.0> python ./ecs_certificate_tool.py upload_certificate -c ./FNM00181300310-management.crt -p FNM00181300310-management_private.key -m ecs_certificate_tool v1.0 log_file: /home/admin/ecs_certificate_tool-1.0/certificate_tool.log ---------------------------------------------------------------------- Upload Certificate ---------------------------------------------------------------------- Authenticating using configured credentials..PASS Reading certificate from: ./FNM00181300310-management.crt..DONE Reading private key from: FNM00181300310-management_private.key..DONE Verifying the private key matches the certificate..DONE Uploading the certificate to ECS..DONE
Dopo aver caricato il nuovo certificato di gestione, è necessario eseguire i riavvii in sequenza di objcontrolsvc/nginx in tutto il cluster. Ciò potrebbe avere un impatto minimo sull'accesso all'interfaccia utente.
- Generare un file MACHINES a livello di cluster:
$ sudo getclusterinfo -a /root/MACHINES.VDC && sudo viprscp -f /root/MACHINES.VDC /root/MACHINES.VDC /root/;sudo viprscp -f /root/MACHINES.VDC /root/MACHINES.VDC /home/admin/;sudo viprexec -i -f /home/admin/MACHINES.VDC "pingall; md5sum /root/MACHINES.VDC /home/admin/MACHINES.VDC"
- Riavvia
objcontrolsvcIn tutto il cluster:
$ viprexec -f ~/MACHINES.VDC -i 'pidof objcontrolsvc; kill -9 `pidof objcontrolsvc`; sleep 60; pidof objcontrolsvc'
- Riavvia
nginxIn tutto il cluster:
$ viprexec -f ~/MACHINES.VDC -i -c "/etc/init.d/nginx restart;sleep 60;/etc/init.d/nginx status"
Certificati di esempio
Catena completa (root/intermediate/ecs)
-----BEGIN CERTIFICATE----- <content of your ECS certificate> -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- <content of intermediate certificate> -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- <content of root certificate> -----END CERTIFICATE-----
Informazioni aggiuntive
Note di rilascio:
12/12/2020 1.0 - Fix outputting when password not configured in config.ini during view_certs operation
02/12/2021 1.1 - Support different hostnames for data/management interfaces #3
- Rewrote view_certs so it works if no certs have been uploaded yet. #2
- backup original certifiate before uploading new one. #1
04/07/2021 1.2 - nuke certs #10
- fix urllib3 warnings
- fix logging
- output additional info when viewing certs #9
07/06/2021 1.3 - Support 1024/2048/4096 private key sizes #14
09/24/2021 1.4 - #18 - Fix bug in get_issuer
- #19 - Remove sudo requirement and force admin user
- #23 - Handle Credentials with ?{}|&~![()^"
05/11/2025 1.7 - ObjectScale is running SLES 15 SP4, which has no Python 2 support any longer. So the tool got separated into two scripts:
For ECS use ecs_certificate_tool.py
For ObjectScale use: obs_certificate_tool.py
- Modified the key-length to minimum as 3072 and default as 4096 for ObjectScale version (for ECS its 2048). (OBSDEF-52084]: Update self generated certificate key length (#16329) )
Azioni:
admin@provo-ex3000:~/ecs_certificate_tool-0.9> sudo python ./ecs_certificate_tool.py -h
ecs_certificate_tool v0.9
log_file: /home/admin/ecs_certificate_tool-0.9/certificate_tool.log
usage: ecs_certificate_tool.py [-h]
{view_certs,generate_san,create_csr,create_ssc,upload_certificate}
...
positional arguments:
{view_certs,generate_san,create_csr,create_ssc,upload_certificate}
sub-command help
view_certs Shows the current certificates on the data and
management interfaces
generate_san Generates the subject alternative name IP addresses
and domain names from fabric and adds them to the ini
config file
create_csr Create certificate signing request
create_ssc Create self-signed certificate
upload_certificate Upload certificate to the data interface
optional arguments:
-h, --help show this help message and exit
Creare una richiesta di firma del certificato:
admin@provo-ex3000:~/ecs_certificate_tool-0.9> sudo python ./ecs_certificate_tool.py create_csr -h
ecs_certificate_tool v1.3
usage: ecs_certificate_tool.py create_csr [-h] [-k {1024,2048,4096}] (-d | -m)
optional arguments:
-h, --help show this help message and exit
-k {1024,2048,4096}, --key_size {1024,2048,4096}
Private key size for RSA private key generation
(default=2048)
-d, --data Create certificate signing request for data interface
(ports 9020, 9021, 3218) (S3, CAS, NFS, etc)
-m, --management Create certificate signing request for management
interface (WEB UI)
Creare un certificato autofirmato:
admin@provo-ex3000:~/ecs_certificate_tool-0.9> sudo python ./ecs_certificate_tool.py create_ssc -h
ecs_certificate_tool v1.3
usage: ecs_certificate_tool.py create_ssc [-h] [-k {1024,2048,4096}] (-d | -m)
optional arguments:
-h, --help show this help message and exit
-k {1024,2048,4096}, --key_size {1024,2048,4096}
Private key size for RSA private key generation
(default=2048)
-d, --data Create self-signed certificate for data interface
(ports 9020, 9021, 3218) (S3, CAS, NFS, etc)
-m, --management Create self-signed certificate for management
interface (WEB UI)
Caricare un certificato:
admin@provo-ex3000:~/ecs_certificate_tool-0.9> sudo python ./ecs_certificate_tool.py upload_certificate -h
ecs_certificate_tool v0.9
log_file: /home/admin/ecs_certificate_tool-0.9/certificate_tool.log
usage: ecs_certificate_tool.py upload_certificate [-h] -c CERTIFICATE -p
PRIVATE_KEY (-d | -m)
optional arguments:
-h, --help show this help message and exit
-c CERTIFICATE, --certificate CERTIFICATE
Filepath to the data certificate
-p PRIVATE_KEY, --private_key PRIVATE_KEY
Filepath to private key with no password
-d, --data Upload certificate to the data interface
-m, --management Upload certificate to the management interface
I certificati devono essere formattati come segue:
——BEGIN CERTIFICATE—— host certificate ——END CERTIFICATE—— ——BEGIN CERTIFICATE—— intermediate certificate ——END CERTIFICATE—— ——BEGIN CERTIFICATE—— root certificate ——END CERTIFICATE——
Prodotti interessati
ECS, ECS Appliance, ECS Appliance Gen 1, ECS Appliance Gen 2, ECS Appliance Gen 3, ECS Appliance Hardware Gen1 U-Series, ECS Appliance Hardware Gen1 C-Series, ECS Appliance Hardware Gen2 C-Series, ECS Appliance Hardware Gen2 D-Series
, ECS Appliance Hardware Gen2 U-Series
...
Prodotti
ECS Appliance Hardware Gen3 EX300, ECS Appliance Hardware Gen3 EX3000, ECS Appliance Hardware Gen3 EX500, ECS Appliance Hardware Gen3 EXF900, ECS Appliance Hardware Series, ECS Appliance Software with Encryption
, ECS Appliance Software without Encryption
...
Proprietà dell'articolo
Numero articolo: 000181006
Tipo di articolo: How To
Ultima modifica: 11 ago 2025
Versione: 21
Trova risposta alle tue domande dagli altri utenti Dell
Support Services
Verifica che il dispositivo sia coperto dai Servizi di supporto.