When using either the OneFS WebUI or the Platform API, all communication is encrypted using Transport Layer Security (TLS). TLS requires a certificate that serves two principal functions: granting permission to use encrypted communication via Public Key Infrastructure (PKI), and authenticating the identity of the certificate's holder. OneFS defaults to the best supported version of TLS based on the client request.

 

An Isilon cluster initially contains a self-signed certificate for this purpose. The existing self-signed certificate can be used, or it can be replaced with a certificate issued by a third-party certificate authority (CA). If the self-signed certificate is used, when it expires it must be replaced with either a third-party (public or private) CA-issued certificate or another self-signed certificate generated on the cluster. The server.crt and server.key files are kept in the following default locations:


  • TLS certificate: /usr/local/apache2/conf/ssl.crt/server.crt
  • TLS certificate key: /usr/local/apache2/conf/ssl.key/server.key


The following steps can be used to replace the existing TLS certificate with a public or private third-party certificate authority (CA)-issued TLS certificate.


1) Connect to a cluster node via SSH, log in as root, and create a backup directory:


# mkdir /ifs/data/backup/


2) Set the permissions on the backup directory to 700:


# chmod 700 /ifs/data/backup


3) Copy the server.crt and server.key files to the backup directory:


# cp /usr/local/apache2/conf/ssl.crt/server.crt /ifs/data/backup/server.crt.bak

# cp /usr/local/apache2/conf/ssl.key/server.key /ifs/data/backup/server.key.bak


4) Create a temporary directory for the files:


# mkdir /ifs/local


5) Set the temporary directory permissions to 700:


# chmod 700 /ifs/local


6) Change to the temporary directory:


# cd /ifs/local


7) Generate a new Certificate Signing Request (CSR) and a new key by running the following command. The command uses a name of your choosing (shown as <common-name> below) to identify the new .key and .csr files. Eventually, the files will be renamed, copied back to the default location and deleted. Although any name can be selected, the recommendation is to use the Common Name of the new TLS certificate (for example, the server FQDN or server name, such as isilon.example.com). This helps distinguish the new files from the originals.


# openssl req -new -nodes -newkey rsa:1024 -keyout <common-name>.key -out <common-name>.csr


8) When prompted, type the information to be incorporated into the certificate request. After entering this information, the <common-name>.csr and <common-name>.key files appear in the /ifs/local directory.


9) Send the contents of the <common-name>.csr file from the cluster to the Certificate Authority (CA) for signing.


10) When you receive the signed certificate (now a .crt file) from the CA, copy the certificate to /ifs/local/<common-name>.crt (where <common-name> is the name you assigned earlier).


11) To verify the attributes in the TLS certificate, run the following command using the name that you assigned earlier:


# openssl x509 -text -noout -in <common-name>.crt
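The page's step 7 runs openssl interactively and step 11 only says to look at the certificate's attributes. As an added example (not part of the original page or of OneFS), the following script creates the same kind of request non-interactively and then checks what the CA will actually see: the key size, the Common Name, the subjectAltName and the request's own signature. The working directory, the common name isilon.example.com and the DN values are constructed, and OpenSSL 1.1.1 or later is assumed. It deliberately goes beyond the page's command in two ways: it uses a 2048-bit key, because public CAs stopped signing 1024-bit RSA keys under the CA/Browser Forum Baseline Requirements in 2014, and it adds a subjectAltName, which browsers require in addition to the Common Name.

```shell
#!/bin/sh
# Added example (not from the original page or from OneFS): create the CSR of
# step 7 without the interactive prompts and inspect it before sending it to
# the CA. Assumes OpenSSL 1.1.1 or later on PATH; the directory, the common
# name isilon.example.com and the DN values are constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"
NAME=isilon.example.com   # the <common-name> the procedure asks you to pick

# Same request as step 7 with three differences: a 2048-bit key (public CAs
# have not signed 1024-bit RSA keys since the 2014 CA/Browser Forum baseline
# requirements), the DN given on the command line with -subj, and a
# subjectAltName added with -addext, because browsers no longer accept the
# Common Name alone.
make_csr() {
    openssl req -new -nodes -newkey rsa:2048 \
        -keyout "$WORK/$NAME.key" -out "$WORK/$NAME.csr" \
        -subj "/C=US/ST=Washington/L=Seattle/O=Company/OU=System Administration/CN=$NAME" \
        -addext "subjectAltName=DNS:$NAME" 2>/dev/null
}

# Prints the RSA key size (bits) that the CA will see in the request.
csr_key_bits() {
    openssl req -noout -text -in "$1" | sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p'
}

# Prints the Common Name from the request's subject.
csr_cn() {
    openssl req -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Returns 0 if the request carries a DNS subjectAltName for $2.
csr_has_san() {
    openssl req -noout -text -in "$1" | grep -q "DNS:$2"
}

# Returns 0 if the request's self-signature verifies, i.e. the file was not
# altered (for example by a copy-and-paste mishap) between creation and use.
csr_signature_ok() {
    openssl req -noout -verify -in "$1" >/dev/null 2>&1
}

make_csr
echo "CN:   $(csr_cn "$WORK/$NAME.csr")"
echo "bits: $(csr_key_bits "$WORK/$NAME.csr")"
if csr_signature_ok "$WORK/$NAME.csr"; then echo "signature: OK"; else echo "signature: BAD"; fi
```

The inspection functions take a path, so on a cluster they work on the request from the page's own step 7 as well, for example csr_cn /ifs/local/<common-name>.csr before the contents are sent to the CA.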


12) Run the following five commands to install the certificate and key, and restart the isi_webui service. In the commands, replace <common-name> with the name that you assigned earlier.


# isi services -a isi_webui disable

# chmod 640 <common-name>.key

# isi_for_array -s 'cp /ifs/local/<common-name>.key /usr/local/apache2/conf/ssl.key/server.key'

# isi_for_array -s 'cp /ifs/local/<common-name>.crt /usr/local/apache2/conf/ssl.crt/server.crt'

# isi services -a isi_webui enable


13) Verify that the installation succeeded. For instructions, see the Verify a TLS certificate update section of this guide.


14) Delete the temporary files from the /ifs/local directory:


# rm /ifs/local/<common-name>.csr /ifs/local/<common-name>.key /ifs/local/<common-name>.crt


15) Delete the backup files from the /ifs/data/backup directory:


# rm /ifs/data/backup/server.crt.bak /ifs/data/backup/server.key.bak

 

The following steps replace an expired self-signed TLS certificate by generating a new certificate based on the existing server key.


1) Open a secure shell (SSH) connection to any node in the cluster and log in as root.


2) Create a backup directory by running the following command:


# mkdir /ifs/data/backup/


3) Set the permissions on the backup directory to 700:


# chmod 700 /ifs/data/backup


4) Make backup copies of the existing server.crt and server.key files by running the following two commands:


# cp /usr/local/apache2/conf/ssl.crt/server.crt /ifs/data/backup/server.crt.bak

# cp /usr/local/apache2/conf/ssl.key/server.key /ifs/data/backup/server.key.bak


Note: If files with the same names exist in the backup directory, either overwrite the existing files, or, to save the old backups, rename the new files with a timestamp or other identifier.


5) Create a temporary directory to hold the files while you complete this procedure:


# mkdir /ifs/local


6) Set the permissions on the temporary directory to 700:


# chmod 700 /ifs/local


7) Change to the temporary directory:


# cd /ifs/local


8) At the command prompt, run the following two commands to create a certificate that expires in 365 days (one year). Increase or decrease the value for -days to generate a certificate with a different expiration date.


# cp /usr/local/apache2/conf/ssl.key/server.key ./

# openssl req -new -days 365 -nodes -x509 -key server.key -out server.crt


Note: the -x509 option tells openssl req to output a self-signed X.509 certificate instead of a certificate signing request.


9) When prompted, type the information to be incorporated into the certificate request. When you finish entering the information, a renewal certificate is created, based on the existing (stock) server key. The renewal certificate is named server.crt and it appears in the /ifs/local directory.


10) To verify the attributes in the TLS certificate, run the following command:


# openssl x509 -text -noout -in server.crt


11) Run the following five commands to install the certificate and key, and restart the isi_webui service:


# isi services -a isi_webui disable

# chmod 640 server.key

# isi_for_array -s 'cp /ifs/local/server.key /usr/local/apache2/conf/ssl.key/server.key'

# isi_for_array -s 'cp /ifs/local/server.crt /usr/local/apache2/conf/ssl.crt/server.crt'

# isi services -a isi_webui enable


12) Verify that the installation succeeded.
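The verification step in both procedures (step 11 of the CA-issued procedure and steps 10 to 12 here) says only that the certificate's attributes should be checked and that the installation should succeed. The following script, added here and not taken from the page or from OneFS, shows the checks a practitioner would run after the install commands before trusting the WebUI again: that the installed private key and certificate belong together, that the certificate is not about to expire, and that it names the cluster in a subjectAltName. Instead of touching the live /usr/local/apache2 paths it builds its own sample in a temporary directory from a constructed key, using the step 8 command with the DN supplied through -subj and a SAN added; the hostname isilon.example.com is constructed and OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example (not from the original page or from OneFS): post-install
# checks for a renewed TLS certificate. Assumes OpenSSL 1.1.1 or later on
# PATH; the working directory, hostname and DN values are constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"
HOST=isilon.example.com

# Constructed sample standing in for the live /usr/local/apache2 files: a
# renewal certificate made as in step 8 (-x509 self-signs instead of writing
# a CSR), but non-interactively (-subj) and with a subjectAltName, which
# current browsers require in addition to the Common Name.
make_sample() {
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -new -days 365 -nodes -x509 -key "$WORK/server.key" \
        -out "$WORK/server.crt" \
        -subj "/C=US/ST=Washington/L=Seattle/O=Company/CN=$HOST" \
        -addext "subjectAltName=DNS:$HOST" 2>/dev/null
}

# Returns 0 only if the certificate's public key belongs to this private key;
# copying a key and certificate that do not match is the usual way the
# install step leaves the WebUI unreachable.
key_matches_cert() {
    [ "$(openssl x509 -noout -modulus -in "$1")" = \
      "$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)" ]
}

# Returns 0 if the certificate stays valid for at least $2 more days.
valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# Returns 0 if the certificate carries a DNS subjectAltName for $2.
has_san() {
    openssl x509 -noout -text -in "$1" | grep -q "DNS:$2"
}

# Runs all three checks, prints one line per check, returns 0 only if all pass.
verify_install() {
    cert=$1; key=$2; host=$3; rc=0
    if key_matches_cert "$cert" "$key"; then echo "ok:   private key matches certificate"
    else echo "FAIL: private key does not match certificate"; rc=1; fi
    if valid_for_days "$cert" 30; then echo "ok:   valid for more than 30 days"
    else echo "FAIL: certificate expires within 30 days"; rc=1; fi
    if has_san "$cert" "$host"; then echo "ok:   SAN DNS:$host present"
    else echo "FAIL: no subjectAltName for $host"; rc=1; fi
    return $rc
}

make_sample
verify_install "$WORK/server.crt" "$WORK/server.key" "$HOST"
```

Pointed at the installed files, verify_install /usr/local/apache2/conf/ssl.crt/server.crt /usr/local/apache2/conf/ssl.key/server.key <fqdn> gives a pass or fail per check on the node it runs on; because the install step copies the files to every node with isi_for_array, the checks are worth repeating on each node rather than only on the one you are logged in to.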


TLS certificate renewal or replacement requires you to provide data such as a fully qualified domain name and a contact email address. When you renew or replace a TLS certificate, you are asked to provide data in the format that is shown in the following example:


You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Washington
Locality Name (eg, city) []:Seattle
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Company
Organizational Unit Name (eg, section) []:System Administration
Common Name (e.g. server FQDN or YOUR name) []:localhost.example.org
Email Address []:support@example.com


In addition, if you are requesting a third-party CA-issued certificate, you should include additional attributes that are shown in the following example:


Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:Another Name

 

13) Delete the temporary files from the /ifs/local directory:


# rm /ifs/local/server.key /ifs/local/server.crt


14) Delete the backup files from the /ifs/data/backup directory:


# rm /ifs/data/backup/server.crt.bak /ifs/data/backup/server.key.bak