ECS: 데이터 및 관리 SSL 인증서 도구

요약: ECS 인증서 툴을 사용하면 SSL 인증서를 ECS 데이터 및 관리 인터페이스에 업로드할 수 있습니다.

이 문서는 다음에 적용됩니다. 이 문서는 다음에 적용되지 않습니다. 이 문서는 특정 제품과 관련이 없습니다. 모든 제품 버전이 이 문서에 나와 있는 것은 아닙니다.
기타 리소스 확인

지침

ObjectScale 릴리스 이후 ECS와 ObjectScale 간의 Python 버전이 다르기 때문에 툴이 다시 작성되었습니다.   두 도구 모두 기사 다운로드에 첨부되어 있습니다.

 

  • 버전 4.2 이하에는 ecs_certificate_tool를 사용합니다.
  • 버전 4.3 이상obs_certificate_tool 사용합니다.

 

참고: DNS는 ECS/OBS 인증서 툴의 요구 사항입니다.
ECS 인증서 툴을 사용하기 전에 데이터 인터페이스에 대해 DNS 항목이 생성되었는지 확인합니다. 이러한 항목이 없으면 인증서 생성 스크립트가 데이터 인터페이스에 대한 DNS 확인에 의존하므로 실패합니다.

 

Index:

설치

  1. 이 기술 자료 문서에 첨부된 툴의 올바른 버전을 다운로드합니다.
  2. 툴을 다음 위치로 업로드 /home/admin ECS 노드 중 하나에서
  3. 로 변경합니다. /home/admin 디렉토리에 저장하고 패키지를 추출합니다.
$ cd /home/admin
$ unzip <ecs/obs>_certificate_tool-1.9.zip
  1. 인증서 툴 디렉토리로 변경합니다.
$ cd <ecs/obs>_certificate_tool-1.9
  1. 사용할 툴의 루트 UI 자격 증명을 구성합니다.
명령:
$ python <ecs/obs>_certificate_tool.py configure_credentials
예: 
admin@:~/ecs_certificate_tool-1.7> python ecs_certificate_tool.py configure_credentials
ecs_certificate_tool v1.7

=======> Configuring Credentials

Please enter the password for the root management user:
Authenticating using configured credentials..PASS

Successfully configured credentials!
  1. 인증서 툴을 사용하여 SAN(Subject Alternative Name) 구성을 생성합니다. 수동으로 추가해야 합니다. b>fqdnip-address 로드 밸런서를 사용하는 경우.
명령: 
python <ecs/obs>_certificate_tool.py generate_san
예: 
$ python ecs_certificate_tool.py generate_san
ecs_certificate_tool v1.7
log_file: /home/admin/ecs_certificate_tool-1.7/certificate_tool.log

======================================================================
Generating SAN (subject alternative name) config.
======================================================================

----------------------------------------------------------------------
Setting DATA_SUBJECT_ALTERNATIVE_NAME config
----------------------------------------------------------------------
Set DNS_NAMES to :
['layton-ex3000.example.com',
 'ogden-ex3000.example.com',
 'orem-ex3000.example.com',
 'provo-ex3000.example.com',
 'sandy-ex3000.example.com']

Set IP_ADDRESSES to :
['192.0.2.104',
 '192.0.2.105',
 '192.0.2.106',
 '192.0.2.107',
 '192.0.2.108']

----------------------------------------------------------------------
Setting MANAGEMENT_SUBJECT_ALTERNATIVE_NAME config
----------------------------------------------------------------------
Set DNS_NAMES to :
['layton-ex3000.example.com',
 'ogden-ex3000.example.com',
 'orem-ex3000.example.com',
 'provo-ex3000.example.com',
 'sandy-ex3000.example.com']

Set IP_ADDRESSES to :
['192.0.2.104',
 '192.0.2.105',
 '192.0.2.106',
 '192.0.2.107',
 '192.0.2.108']

Wrote changes to: /home/admin/ecs_certificate_tool-1.7/config.ini
DONE

구성

  • config.ini 파일은 인증서의 모든 값을 설정하는 곳입니다.
  • 값을 사용하지 않으려면 아래 예와 같이 비워 둡니다.
# optional unit name
ORGANIZATIONAL_UNIT_NAME =
  • 다음은 기본값의 예입니다. config.ini 다음과 같이 보입니다.
[GENERAL]
COMMON_NAME = *.ecs.example.com
# Two letter country name
COUNTRY_NAME = US
LOCALITY_NAME = Salt Lake City
STATE_OR_PROVINCE_NAME = Utah
STREET_ADDRESS = 123 Example Street
ORGANIZATION_NAME = Example Inc.
# optional unit name
ORGANIZATIONAL_UNIT_NAME =
# optional email address
EMAIL_ADDRESS = example@example.com

[UI_CREDENTIALS]
USERNAME = root
PASSWORD = ChangeMe

[SELF_SIGNED]
# 1825 days = 5 years
VALID_DAYS = 1825

[DATA_SUBJECT_ALTERNATIVE_NAME]
DNS_NAMES = node1.ecs.example.com node2.ecs.example.com node3.ecs.example.com
IP_ADDRESSES = 192.0.2.1 192.0.2.2 192.0.2.3 192.0.2.4

[MANAGEMENT_SUBJECT_ALTERNATIVE_NAME]
DNS_NAMES = node1.ecs.example.com node2.ecs.example.com node3.ecs.example.com
IP_ADDRESSES = 198.51.100.1 198.51.100.2 198.51.100.3 198.51.100.4

[ADVANCED]
# Probably dont use these unless you really know what your doing
SERIAL_NUMBER =
SURNAME =
GIVEN_NAME =
TITLE =
GENERATION_QUALIFIER =
X500_UNIQUE_IDENTIFIER =
DN_QUALIFIER =
PSEUDONYM =
USER_ID =
DOMAIN_COMPONENT =
JURISDICTION_COUNTRY_NAME =
JURISDICTION_LOCALITY_NAME =
BUSINESS_CATEGORY =
POSTAL_ADDRESS =
POSTAL_CODE =
INN =
OGRN =
SNILS =
UNSTRUCTURED_NAME =

현재 인증서 보기

  1. Windows 업그레이드를 실행하라는 프롬프트에 아래 내용이 표시될 때까지 ecs_certificate_tool view_certs 작업.
명령: 
$ python <ecs/obs>_certificate_tool.py view_certs
예: 
ecs_certificate_tool v7.0
log_file: /home/admin/ecs_certificate_tool-1.0/certificate_tool.log

Authenticating using configured credentials..PASS

----------------------------------------------------------------------
View certificates
----------------------------------------------------------------------

======================================================================
Data Certificate:
======================================================================

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3b:0f:a3:e2:fa:0a:90:14:86:6c:a3:3a:26:5c:0b:8d:6e:18:7d:eb
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=*.ecs.example.com, C=US, L=Salt Lake City, ST=Utah/street=123 Example Street, O=Example Inc./emailAddress=example@example.com
        Validity
            Not Before: Oct 17 18:35:06 2020 GMT
            Not After : Oct 16 18:35:06 2025 GMT
        Subject: CN=*.ecs.example.com, C=US, L=Salt Lake City, ST=Utah/street=123 Example Street, O=Example Inc./emailAddress=example@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ad:13:ea:31:bb:13:30:fc:ad:75:1a:84:16:53:
                    76:9d:0d:96:60:69:04:70:ad:00:76:c5:e4:f0:39:
                    3d:e3:9b:2e:2a:06:0b:ae:29:16:22:69:73:1d:2b:
                    27:73:68:7a:42:62:84:37:9b:7e:7f:60:48:aa:80:
                    14:96:07:52:ac:d5:dd:1f:af:59:3b:88:5e:15:43:
                    f1:9e:29:91:0a:6d:19:8e:41:4b:3c:9f:0c:64:16:
                    5c:c6:61:a6:c7:28:a9:9e:14:81:10:7e:4a:4f:25:
                    93:20:d9:5b:fe:b3:ac:56:28:f0:89:2c:e3:97:18:
                    df:1d:e3:1b:6d:c5:08:fb:d6:97:81:82:b1:6b:33:
                    45:1d:de:7a:30:5c:6d:4a:70:96:06:f8:05:48:a7:
                    89:ad:ce:db:99:f2:61:88:92:75:e5:cf:d2:b1:2c:
                    28:60:6f:5e:ba:6c:02:f4:12:90:be:eb:6d:48:ae:
                    b2:3a:6e:76:a6:02:b1:9e:f7:95:2c:65:8a:80:1a:
                    64:52:ec:f5:0c:2b:c8:87:a7:e5:4d:f7:34:60:a5:
                    49:03:30:27:10:8d:ad:4e:92:52:8b:d9:6b:ad:2d:
                    15:60:a5:26:fc:1b:1d:69:9f:5c:a3:0f:d9:cb:b9:
                    1d:68:30:6c:c8:ca:e1:71:4b:88:bd:98:d7:10:ae:
                    89:c5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:node1.ecs.example.com, DNS:node2.ecs.example.com, DNS:node3.ecs.example.com, IP Address:192.0.2.1, IP Address:192.0.2.2, IP Address:192.0.2.3, IP Address:192.0.2.4
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication
            X509v3 Authority Key Identifier:
                0.
    Signature Algorithm: sha256WithRSAEncryption
         33:85:7e:3b:fd:fd:3a:35:97:17:11:2d:4d:e1:7e:03:35:82:
         8a:47:30:ed:b2:f9:1b:b4:22:a2:60:00:b5:9c:aa:6c:0d:e7:
         ea:c7:0a:e6:05:24:7d:bd:50:ab:23:9b:16:6a:e7:be:e9:21:
         26:61:0e:e5:e1:62:7e:d8:01:3a:3e:19:14:89:c2:ef:62:a0:
         17:5c:80:2b:24:6b:96:73:fa:b0:8f:4d:09:0e:69:4f:72:f0:
         4d:b1:13:8d:90:4e:18:4b:82:be:fd:48:b0:c2:9d:9c:43:d9:
         d9:73:e6:15:88:79:1f:3e:13:ec:c9:6f:5f:2a:08:7c:a7:5d:
         b4:e1:50:0f:3c:49:e3:e4:9f:8f:dd:e0:b5:b5:2d:d8:2d:29:
         94:2d:4b:66:20:36:f0:ae:3a:ae:a4:c5:91:3c:f4:2a:d6:f5:
         24:ec:7b:3a:96:d6:75:91:f9:b3:1c:8a:93:87:1b:d7:f2:f7:
         72:4d:0c:02:b9:2e:ab:f6:76:ca:c5:74:39:e0:a0:54:2b:85:
         4d:dd:e6:c7:fc:d0:e7:bc:3e:9e:98:19:e5:ed:ad:5f:4b:ea:
         20:17:c5:23:eb:09:ad:8e:13:57:75:78:f9:68:bb:18:34:fc:
         3a:26:94:90:5e:ed:a6:09:bb:14:5c:bd:2e:d3:5b:c4:43:08:
         66:95:e7:ee


======================================================================
Management Certificate:
======================================================================

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3b:0f:a3:e2:fa:0a:90:14:86:6c:a3:3a:26:5c:0b:8d:6e:18:7d:eb
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=*.ecs.example.com, C=US, L=Salt Lake City, ST=Utah/street=123 Example Street, O=Example Inc./emailAddress=example@example.com
        Validity
            Not Before: Oct 17 18:35:06 2020 GMT
            Not After : Oct 16 18:35:06 2025 GMT
        Subject: CN=*.ecs.example.com, C=US, L=Salt Lake City, ST=Utah/street=123 Example Street, O=Example Inc./emailAddress=example@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ad:13:ea:31:bb:13:30:fc:ad:75:1a:84:16:53:
                    76:9d:0d:96:60:69:04:70:ad:00:76:c5:e4:f0:39:
                    3d:e3:9b:2e:2a:06:0b:ae:29:16:22:69:73:1d:2b:
                    27:73:68:7a:42:62:84:37:9b:7e:7f:60:48:aa:80:
                    14:96:07:52:ac:d5:dd:1f:af:59:3b:88:5e:15:43:
                    f1:9e:29:91:0a:6d:19:8e:41:4b:3c:9f:0c:64:16:
                    5c:c6:61:a6:c7:28:a9:9e:14:81:10:7e:4a:4f:25:
                    93:20:d9:5b:fe:b3:ac:56:28:f0:89:2c:e3:97:18:
                    df:1d:e3:1b:6d:c5:08:fb:d6:97:81:82:b1:6b:33:
                    45:1d:de:7a:30:5c:6d:4a:70:96:06:f8:05:48:a7:
                    89:ad:ce:db:99:f2:61:88:92:75:e5:cf:d2:b1:2c:
                    28:60:6f:5e:ba:6c:02:f4:12:90:be:eb:6d:48:ae:
                    b2:3a:6e:76:a6:02:b1:9e:f7:95:2c:65:8a:80:1a:
                    64:52:ec:f5:0c:2b:c8:87:a7:e5:4d:f7:34:60:a5:
                    49:03:30:27:10:8d:ad:4e:92:52:8b:d9:6b:ad:2d:
                    15:60:a5:26:fc:1b:1d:69:9f:5c:a3:0f:d9:cb:b9:
                    1d:68:30:6c:c8:ca:e1:71:4b:88:bd:98:d7:10:ae:
                    89:c5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:node1.ecs.example.com, DNS:node2.ecs.example.com, DNS:node3.ecs.example.com, IP Address:192.0.2.1, IP Address:192.0.2.2, IP Address:192.0.2.3, IP Address:192.0.2.4
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication
            X509v3 Authority Key Identifier:
                0.
    Signature Algorithm: sha256WithRSAEncryption
         33:85:7e:3b:fd:fd:3a:35:97:17:11:2d:4d:e1:7e:03:35:82:
         8a:47:30:ed:b2:f9:1b:b4:22:a2:60:00:b5:9c:aa:6c:0d:e7:
         ea:c7:0a:e6:05:24:7d:bd:50:ab:23:9b:16:6a:e7:be:e9:21:
         26:61:0e:e5:e1:62:7e:d8:01:3a:3e:19:14:89:c2:ef:62:a0:
         17:5c:80:2b:24:6b:96:73:fa:b0:8f:4d:09:0e:69:4f:72:f0:
         4d:b1:13:8d:90:4e:18:4b:82:be:fd:48:b0:c2:9d:9c:43:d9:
         d9:73:e6:15:88:79:1f:3e:13:ec:c9:6f:5f:2a:08:7c:a7:5d:
         b4:e1:50:0f:3c:49:e3:e4:9f:8f:dd:e0:b5:b5:2d:d8:2d:29:
         94:2d:4b:66:20:36:f0:ae:3a:ae:a4:c5:91:3c:f4:2a:d6:f5:
         24:ec:7b:3a:96:d6:75:91:f9:b3:1c:8a:93:87:1b:d7:f2:f7:
         72:4d:0c:02:b9:2e:ab:f6:76:ca:c5:74:39:e0:a0:54:2b:85:
         4d:dd:e6:c7:fc:d0:e7:bc:3e:9e:98:19:e5:ed:ad:5f:4b:ea:
         20:17:c5:23:eb:09:ad:8e:13:57:75:78:f9:68:bb:18:34:fc:
         3a:26:94:90:5e:ed:a6:09:bb:14:5c:bd:2e:d3:5b:c4:43:08:
         66:95:e7:ee
DONE

 

아래 목록에서 생성하려는 인증서 유형을 선택합니다.

인증서 서명 요청 생성

사용법:

ecs_certificate_tool v1.3
usage: ecs_certificate_tool.py create_csr [-h] [-k {1024,2048,4096}] (-d | -m)

optional arguments:
  -h, --help            show this help message and exit
  -k {1024,2048,4096}, --key_size {1024,2048,4096}
                        Private key size for RSA private key generation
                        (default=2048)
  -d, --data            Create certificate signing request for data interface
                        (ports 9020, 9021, 3218) (S3, CAS, NFS, etc)
  -m, --management      Create certificate signing request for management
                        interface (WEB UI)

데이터 인터페이스에 대한 CSR 생성:

admin@provo-ex3000:~/ecs_certificate_tool-1.0> python ./ecs_certificate_tool.py create_csr -d
ecs_certificate_tool v1.0
log_file: /home/admin/ecs_certificate_tool-1.0/certificate_tool.log

----------------------------------------------------------------------
Validating REST API Credentials
----------------------------------------------------------------------

Authenticating using configured credentials..PASS


----------------------------------------------------------------------
Validating GENERAL configuration
----------------------------------------------------------------------

Validating COMMON_NAME = *.ecs.example.com..PASS
Validating COUNTRY_NAME = US..PASS
Validating LOCALITY_NAME = Salt Lake City..PASS
Validating STATE_OR_PROVINCE_NAME = Utah..PASS
Validating STREET_ADDRESS = 123 Example Street..PASS
Validating ORGANIZATION_NAME = Example Inc...PASS
Validating EMAIL_ADDRESS = example@example.com..PASS
----------------------------------------------------------------------
Validating DNS_NAMES configuration
----------------------------------------------------------------------

Validating DNSName: node1.ecs.example.com..PASS
Validating DNSName: node2.ecs.example.com..PASS
Validating DNSName: node3.ecs.example.com..PASS

----------------------------------------------------------------------
Validating IP_ADDRESSES configuration
----------------------------------------------------------------------

Validating IPv4Address: 192.0.2.1..PASS
Validating IPv4Address: 192.0.2.2..PASS
Validating IPv4Address: 192.0.2.3..PASS
Validating IPv4Address: 192.0.2.4..PASS

Validating SELF_SIGNED..PASS

All configurations items validated successfully!

Creating RSA private key..DONE
Wrote private key to /home/admin/ecs_certificate_tool-1.0/FNM00181300310-data_private.key
----------------------------------------------------------------------
Certificate Signing Request
----------------------------------------------------------------------

Creating Certificate Signing Request..DONE
Wrote certificate signing request to /home/admin/ecs_certificate_tool-1.0/FNM00181300310-data.csr

관리 인터페이스에 대한 CSR 생성:

admin@provo-ex3000:~/ecs_certificate_tool-1.0> python ./ecs_certificate_tool.py create_csr -m
ecs_certificate_tool v1.0
log_file: /home/admin/ecs_certificate_tool-1.0/certificate_tool.log

----------------------------------------------------------------------
Validating REST API Credentials
----------------------------------------------------------------------

Authenticating using configured credentials..PASS


----------------------------------------------------------------------
Validating GENERAL configuration
----------------------------------------------------------------------

Validating COMMON_NAME = *.ecs.example.com..PASS
Validating COUNTRY_NAME = US..PASS
Validating LOCALITY_NAME = Salt Lake City..PASS
Validating STATE_OR_PROVINCE_NAME = Utah..PASS
Validating STREET_ADDRESS = 123 Example Street..PASS
Validating ORGANIZATION_NAME = Example Inc...PASS
Validating EMAIL_ADDRESS = example@example.com..PASS
----------------------------------------------------------------------
Validating DNS_NAMES configuration
----------------------------------------------------------------------

Validating DNSName: node1.ecs.example.com..PASS
Validating DNSName: node2.ecs.example.com..PASS
Validating DNSName: node3.ecs.example.com..PASS

----------------------------------------------------------------------
Validating IP_ADDRESSES configuration
----------------------------------------------------------------------

Validating IPv4Address: 198.51.100.1..PASS
Validating IPv4Address: 198.51.100.2..PASS
Validating IPv4Address: 198.51.100.3..PASS
Validating IPv4Address: 198.51.100.4..PASS

Validating SELF_SIGNED..PASS

All configurations items validated successfully!

Creating RSA private key..DONE
Wrote private key to /home/admin/ecs_certificate_tool-1.0/FNM00181300310-management_private.key
----------------------------------------------------------------------
Certificate Signing Request
----------------------------------------------------------------------

Creating Certificate Signing Request..DONE
Wrote certificate signing request to /home/admin/ecs_certificate_tool-1.0/FNM00181300310-management.csr

자체 서명 인증서 생성

사용법:

ecs_certificate_tool v1.3
usage: ecs_certificate_tool.py create_ssc [-h] [-k {1024,2048,4096}] (-d | -m)

optional arguments:
  -h, --help            show this help message and exit
  -k {1024,2048,4096}, --key_size {1024,2048,4096}
                        Private key size for RSA private key generation
                        (default=2048)
  -d, --data            Create self-signed certificate for data interface
                        (ports 9020, 9021, 3218) (S3, CAS, NFS, etc)
  -m, --management      Create self-signed certificate for management
                        interface (WEB UI)

데이터 인터페이스에 대한 자체 서명 인증서 생성:

admin@provo-ex3000:~/ecs_certificate_tool-1.0> python ./ecs_certificate_tool.py create_ssc -d
ecs_certificate_tool v1.0
log_file: /home/admin/ecs_certificate_tool-1.0/certificate_tool.log

----------------------------------------------------------------------
Validating REST API Credentials
----------------------------------------------------------------------

Authenticating using configured credentials..PASS


----------------------------------------------------------------------
Validating GENERAL configuration
----------------------------------------------------------------------

Validating COMMON_NAME = *.ecs.example.com..PASS
Validating COUNTRY_NAME = US..PASS
Validating LOCALITY_NAME = Salt Lake City..PASS
Validating STATE_OR_PROVINCE_NAME = Utah..PASS
Validating STREET_ADDRESS = 123 Example Street..PASS
Validating ORGANIZATION_NAME = Example Inc...PASS
Validating EMAIL_ADDRESS = example@example.com..PASS
----------------------------------------------------------------------
Validating DNS_NAMES configuration
----------------------------------------------------------------------

Validating DNSName: node1.ecs.example.com..PASS
Validating DNSName: node2.ecs.example.com..PASS
Validating DNSName: node3.ecs.example.com..PASS

----------------------------------------------------------------------
Validating IP_ADDRESSES configuration
----------------------------------------------------------------------

Validating IPv4Address: 192.0.2.1..PASS
Validating IPv4Address: 192.0.2.2..PASS
Validating IPv4Address: 192.0.2.3..PASS
Validating IPv4Address: 192.0.2.4..PASS

Validating SELF_SIGNED..PASS

All configurations items validated successfully!

Creating RSA private key..DONE
Wrote private key to /home/admin/ecs_certificate_tool-1.0/FNM00181300310-data_private.key
----------------------------------------------------------------------
Self-signed certificate
----------------------------------------------------------------------

Creating self-signed certificate..DONE
Wrote Certificate to: /home/admin/ecs_certificate_tool-1.0/FNM00181300310-data.crt
admin@provo-ex3000:~/ecs_certificate_tool-1.0>

관리 인터페이스에 대한 자체 서명 인증서 생성:

admin@provo-ex3000:~/ecs_certificate_tool-1.0> python ./ecs_certificate_tool.py create_ssc -m
ecs_certificate_tool v1.0
log_file: /home/admin/ecs_certificate_tool-1.0/certificate_tool.log

----------------------------------------------------------------------
Validating REST API Credentials
----------------------------------------------------------------------

Authenticating using configured credentials..PASS


----------------------------------------------------------------------
Validating GENERAL configuration
----------------------------------------------------------------------

Validating COMMON_NAME = *.ecs.example.com..PASS
Validating COUNTRY_NAME = US..PASS
Validating LOCALITY_NAME = Salt Lake City..PASS
Validating STATE_OR_PROVINCE_NAME = Utah..PASS
Validating STREET_ADDRESS = 123 Example Street..PASS
Validating ORGANIZATION_NAME = Example Inc...PASS
Validating EMAIL_ADDRESS = example@example.com..PASS
----------------------------------------------------------------------
Validating DNS_NAMES configuration
----------------------------------------------------------------------

Validating DNSName: node1.ecs.example.com..PASS
Validating DNSName: node2.ecs.example.com..PASS
Validating DNSName: node3.ecs.example.com..PASS

----------------------------------------------------------------------
Validating IP_ADDRESSES configuration
----------------------------------------------------------------------

Validating IPv4Address: 198.51.100.1..PASS
Validating IPv4Address: 198.51.100.2..PASS
Validating IPv4Address: 198.51.100.3..PASS
Validating IPv4Address: 198.51.100.4..PASS

Validating SELF_SIGNED..PASS

All configurations items validated successfully!

Creating RSA private key..DONE
Wrote private key to /home/admin/ecs_certificate_tool-1.0/FNM00181300310-management_private.key
----------------------------------------------------------------------
Self-signed certificate
----------------------------------------------------------------------

Creating self-signed certificate..DONE
Wrote Certificate to: /home/admin/ecs_certificate_tool-1.0/FNM00181300310-management.crt

인증서 업로드

이 도구에서 생성한 자체 서명된 인증서를 사용하는 경우 개인 키와 인증서는 이미 현재 디렉터리에 있습니다.

CA에서 서명한 인증서가 있는 경우 이를 ECS에 업로드하고 인증서 툴 디렉토리에 넣습니다.
 

참고: 사용자 환경에 필요한 경우 전체 인증서 체인(루트/중간)을 업로드해야 합니다. #ECS: 필요한 경우 데이터 및 관리 SSL 인증서 도구


데이터 인증서

명령:

$ python ecs_certificate_tool.py upload_certificate -c <path to certificate> -p <path to private key> --data

예:

admin@provo-ex3000:~/ecs_certificate_tool-1.0> python ecs_certificate_tool.py upload_certificate -c ./FNM00181300310-data.crt -p FNM00181300310-data_private.key --data
ecs_certificate_tool v1.0
log_file: /home/admin/ecs_certificate_tool-1.0/certificate_tool.log

----------------------------------------------------------------------
Upload Certificate
----------------------------------------------------------------------

Authenticating using configured credentials..PASS

Reading certificate from: ./FNM00181300310-data.crt..DONE
Reading private key from: FNM00181300310-data_private.key..DONE
Verifying the private key matches the certificate..DONE
Uploading the certificate to ECS..DONE

admin@provo-ex3000:~/ecs_certificate_tool-1.0>

인증서를 업로드한 후 다음 두 가지 옵션이 있습니다.

  1. 2시간 동안 기다립니다. dataheadsvc 클러스터 전체에 새 인증서를 전파합니다.
  2. 수동으로 재시작 dataheadsvc 하지만 이는 일시적인 영향을 미칠 수 있습니다.

재시작 명령 dataheadsvc파일로 교체합니다.

# sudo kill -9 `pidof dataheadsvc`


관리 인증서

명령:

$ python ./ecs_certificate_tool.py upload_certificate -c <path to certificate> -p <path to private key> --management

예:

admin@provo-ex3000:~/ecs_certificate_tool-1.0> python ./ecs_certificate_tool.py upload_certificate -c ./FNM00181300310-management.crt -p FNM00181300310-management_private.key -m
ecs_certificate_tool v1.0
log_file: /home/admin/ecs_certificate_tool-1.0/certificate_tool.log

----------------------------------------------------------------------
Upload Certificate
----------------------------------------------------------------------

Authenticating using configured credentials..PASS

Reading certificate from: ./FNM00181300310-management.crt..DONE
Reading private key from: FNM00181300310-management_private.key..DONE
Verifying the private key matches the certificate..DONE
Uploading the certificate to ECS..DONE


새 관리 인증서를 업로드한 후 objcontrolsvc/nginx 클러스터 전체에 걸쳐 있습니다. 이는 UI 액세스에 최소한의 영향만 미칠 수 있습니다.

  1. 클러스터 전체 MACHINES 파일을 생성합니다.
$ sudo getclusterinfo -a /root/MACHINES.VDC && sudo viprscp -f /root/MACHINES.VDC /root/MACHINES.VDC /root/;sudo viprscp -f /root/MACHINES.VDC /root/MACHINES.VDC /home/admin/;sudo viprexec -i -f /home/admin/MACHINES.VDC "pingall; md5sum /root/MACHINES.VDC /home/admin/MACHINES.VDC"
  1. 다시 시작 objcontrolsvc 클러스터 전체:
$ viprexec -f ~/MACHINES.VDC -i 'pidof objcontrolsvc; kill -9 `pidof objcontrolsvc`; sleep 60; pidof objcontrolsvc'
  1. 다시 시작 nginx 클러스터 전체:
$ viprexec -f ~/MACHINES.VDC -i -c "/etc/init.d/nginx restart;sleep 60;/etc/init.d/nginx status"

 

지역 인증서

명령:

# python obs_certificate_tool.py create_csr -g --vdc_id <VDC_ID>

예:

admin@node1:~/obs_certificate_tool-1.9> python obs_certificate_tool.py create_csr -g --vdc_id 94e608f4-b5b8-4cb1-bc3e-e49bac831b9f
obs_certificate_tool v1.9

----------------------------------------------------------------------
Validating GENERAL configuration
----------------------------------------------------------------------

Validating COMMON_NAME = *.ecs.example.com..PASS
Validating COUNTRY_NAME = US..PASS
Validating LOCALITY_NAME = Salt Lake City..PASS
Validating STATE_OR_PROVINCE_NAME = Utah..PASS
Validating STREET_ADDRESS = 123 Example Street..PASS
Validating ORGANIZATION_NAME = Example Inc...PASS
Validating EMAIL_ADDRESS = example@example.com..PASS
----------------------------------------------------------------------
Validating DNS_NAMES configuration
----------------------------------------------------------------------

Validating DNSName: node1.ecs.example.com..PASS
Validating DNSName: node2.ecs.example.com..PASS
Validating DNSName: node3.ecs.example.com..PASS

----------------------------------------------------------------------
Validating IP_ADDRESSES configuration
----------------------------------------------------------------------

Validating IPv4Address: 192.0.2.1..PASS
Validating IPv4Address: 192.0.2.2..PASS
Validating IPv4Address: 192.0.2.3..PASS
Validating IPv4Address: 192.0.2.4..PASS

Validating SELF_SIGNED..PASS

All configurations items validated successfully!

Creating RSA private key..DONE
Wrote private key to /home/admin/obs_certificate_tool-1.9/generated_files/HHL6704-geo_private.key
----------------------------------------------------------------------
Certificate Signing Request
----------------------------------------------------------------------

Creating Certificate Signing Request..Added VDC ID URN to SAN: urn:storageos:VirtualDataCenterData:94e608f4-b5b8-4cb1-bc3e-e49bac831b9f
DONE
Wrote certificate signing request to /home/admin/obs_certificate_tool-1.9/generated_files/HHL6704-geo.csr

Geo 인증서를 확인합니다.

# openssl req -in generated_files/HHL6704-geo.csr -noout -text

확인:

  • SAN에는 모든 DNS 이름, IP 및 VDC ID URN이 포함됩니다. 
  • 주요 사용법: Digital Signature, Key Encipherment (부인 금지 없음)
  • 확장 키 사용: TLS Web Server Authentication, TLS Web Client Authentication
  • 주체 키 식별자 있음
  • 개인 키는 다음으로 시작합니다. -----BEGIN PRIVATE KEY----- 

인증서 예시

전체 체인 (root/intermediate/ecs)

-----BEGIN CERTIFICATE-----
<content of your ECS certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<content of intermediate certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<content of root certificate>
-----END CERTIFICATE-----

추가 정보

릴리스 노트:

12/12/2020     1.0 - Fix outputting when password not configured in config.ini during view_certs operation

02/12/2021     1.1 - Support different hostnames for data/management interfaces #3
                   - Rewrote view_certs so it works if no certs have been uploaded yet. #2
                   - backup original certifiate before uploading new one. #1

04/07/2021     1.2 - nuke certs #10
                   - fix urllib3 warnings
                   - fix logging
                   - output additional info when viewing certs #9
07/06/2021     1.3 - Support 1024/2048/4096 private key sizes #14

09/24/2021     1.4 - #18 - Fix bug in get_issuer
                   - #19 - Remove sudo requirement and force admin user
                   - #23 - Handle Credentials with ?{}|&~![()^"

10/08/2021     1.5 - #25 - admin userid 1001

               1.6 - Set log file permissions to 0755 and chown os.geteuid/os.getegid
                   - fix userid check
05/11/2025    1.7 - added ObjectScale compatible tool , changed the minimum key length for ObjectScale and added Readme

08/12/2025    1.8 - added support for ObjectScale 4.2 - python 3.12 compatible

11/25/2025    1.9 - added support for geo certificate generation with VDC ID in SAN

 

조치:

admin@provo-ex3000:~/ecs_certificate_tool-0.9> sudo python ./ecs_certificate_tool.py -h
ecs_certificate_tool v0.9
log_file: /home/admin/ecs_certificate_tool-0.9/certificate_tool.log
 
usage: ecs_certificate_tool.py [-h]
                               {view_certs,generate_san,create_csr,create_ssc,upload_certificate}
                               ...
 
positional arguments:
  {view_certs,generate_san,create_csr,create_ssc,upload_certificate}
                        sub-command help
    view_certs          Shows the current certificates on the data and
                        management interfaces
    generate_san        Generates the subject alternative name IP addresses
                        and domain names from fabric and adds them to the ini
                        config file
    create_csr          Create certificate signing request
    create_ssc          Create self-signed certificate
    upload_certificate  Upload certificate to the data interface
 
optional arguments:
  -h, --help            show this help message and exit

인증서 서명 요청 생성:

admin@provo-ex3000:~/ecs_certificate_tool-0.9> sudo python ./ecs_certificate_tool.py create_csr -h
ecs_certificate_tool v1.3
usage: ecs_certificate_tool.py create_csr [-h] [-k {1024,2048,4096}] (-d | -m)

optional arguments:
  -h, --help            show this help message and exit
  -k {1024,2048,4096}, --key_size {1024,2048,4096}
                        Private key size for RSA private key generation
                        (default=2048)
  -d, --data            Create certificate signing request for data interface
                        (ports 9020, 9021, 3218) (S3, CAS, NFS, etc)
  -m, --management      Create certificate signing request for management
                        interface (WEB UI)

자체 서명된 인증서를 생성합니다.

admin@provo-ex3000:~/ecs_certificate_tool-0.9> sudo python ./ecs_certificate_tool.py create_ssc -h
ecs_certificate_tool v1.3
usage: ecs_certificate_tool.py create_ssc [-h] [-k {1024,2048,4096}] (-d | -m)

optional arguments:
  -h, --help            show this help message and exit
  -k {1024,2048,4096}, --key_size {1024,2048,4096}
                        Private key size for RSA private key generation
                        (default=2048)
  -d, --data            Create self-signed certificate for data interface
                        (ports 9020, 9021, 3218) (S3, CAS, NFS, etc)
  -m, --management      Create self-signed certificate for management
                        interface (WEB UI)

인증서 업로드:

admin@provo-ex3000:~/ecs_certificate_tool-0.9> sudo python ./ecs_certificate_tool.py upload_certificate -h
ecs_certificate_tool v0.9
log_file: /home/admin/ecs_certificate_tool-0.9/certificate_tool.log
 
usage: ecs_certificate_tool.py upload_certificate [-h] -c CERTIFICATE -p
                                                  PRIVATE_KEY (-d | -m)
 
optional arguments:
  -h, --help            show this help message and exit
  -c CERTIFICATE, --certificate CERTIFICATE
                        Filepath to the data certificate
  -p PRIVATE_KEY, --private_key PRIVATE_KEY
                        Filepath to private key with no password
  -d, --data            Upload certificate to the data interface
  -m, --management      Upload certificate to the management interface

인증서는 형식은 다음과 같아야 합니다.

——BEGIN CERTIFICATE——
host certificate
——END CERTIFICATE——
——BEGIN CERTIFICATE——
intermediate certificate
——END CERTIFICATE——
——BEGIN CERTIFICATE——
root certificate
——END CERTIFICATE——

해당 제품

ECS, ECS Appliance, ECS Appliance Gen 1, ECS Appliance Gen 2, ECS Appliance Gen 3, ECS Appliance Hardware Gen1 U-Series, ECS Appliance Hardware Gen1 C-Series, ECS Appliance Hardware Gen2 C-Series, ECS Appliance Hardware Gen2 D-Series , ECS Appliance Hardware Gen2 U-Series ...

제품

ECS Appliance Hardware Gen3 EX300, ECS Appliance Hardware Gen3 EX3000, ECS Appliance Hardware Gen3 EX500, ECS Appliance Hardware Gen3 EXF900, ECS Appliance Hardware Series, ECS Appliance Software with Encryption , ECS Appliance Software without Encryption ...
문서 속성
문서 번호: 000181006
문서 유형: How To
마지막 수정 시간: 22 6월 2026
버전:  27
다른 Dell 사용자에게 질문에 대한 답변 찾기
지원 서비스
디바이스에 지원 서비스가 적용되는지 확인하십시오.