Pre-Integration
This section describes the procedures that must be performed before integration.
Creating Certificates
You can create and use certificates using either of the following methods:
Using KSCTL Utility: Use this method if you want to create and use certificates generated on the CipherTrust Manager using the KSCTL utility.
Using openssl: Use this method if you want to create and use certificates generated with openssl.
Creating Certificates Using KSCTL Utility
Note
KSCTL is used to create the CA and CSRs on the CipherTrust Manager. To learn how to install and configure KSCTL, refer to the CipherTrust Manager Documentation.
Creating the CA Certificate
The rootCA is available by default on the CipherTrust Manager. If you want to create a Local CA other than rootCA, use the following command:
ksctl ca locals create --cn "Test CA" --csr-outfile csrfile
To self-sign the CA for a specific duration, use the id returned by the above command:
ksctl ca locals self-sign --id <id of CA> -x <duration>
For Example:
ksctl ca locals self-sign --id 3593c53b-fbeb-4edb-b84d-c85526ae2f83 -x 365
Creating Client Certificate
To create the client certificate, use the following steps:
Create CSR and its private key.
ksctl ca csr --cn "client" --csr-outfile client.csr --key-outfile client.key
This command generates a CSR along with its private key.
Note
In this document, common name CN=client is used, which will be further used as a user name on the CipherTrust Manager.
Sign the CSR with CA.
ksctl ca locals certs issue --ca-id <id of CA> --csr-infile client.csr -x <duration> -o client
For Example:
ksctl ca locals certs issue --ca-id c84d66e1-2101-4a46-ad44-3656354b5097 --csr-infile client.csr -x 700 -o client
--ca-id is the id of the CA, which can be obtained from the CA details on the CipherTrust Manager.
Note
--csr-infile is the name of the CSR file created in the previous step.
Creating Server Certificate
Note
This section is applicable if you want to generate certificates on the CipherTrust Manager and sign them using an external CA.
To create a server certificate, create the CSR and its private key using the following command:
ksctl ca csr --cn "server" --csr-outfile server.csr --key-outfile server.key
This command generates a CSR along with its private key.
You can sign the CSR created above using an external CA. The resulting certificate is then uploaded to the CipherTrust Manager. Refer to Adding User and Configuring Interface for details.
Creating Certificates Using openssl
You can use openssl to create an external CA and CSRs outside the CipherTrust Manager.
Before creating the CA and CSRs, ensure that openssl is configured properly.
To create the external CA, client, and server certificates, you will need:
bash (version 4.4.20 or above)
openssl (version 1.1.1 or above)
The openssl.conf file is at the following location: /etc/pki/tls for RHEL, /etc/ssl for Ubuntu.
Open the openssl.conf file, go to the [ v3_ca ] section and add basicConstraints = critical, CA:true.
Creating the CA Certificate
To create an External CA and upload it on the CipherTrust Manager, follow the below steps:
Create an RSA key using the following openssl command:
openssl genrsa -out rootCAKey.pem 2048
This command generates the rootCAKey.pem file.
Create a CA certificate using the generated RSA key.
openssl req -x509 -sha256 -new -nodes -key rootCAKey.pem -days 3650 -out rootCACert.pem
The above command uses rootCAKey.pem, generated in the previous step, to create the CA certificate rootCACert.pem.
Upload the CA to the CipherTrust Manager using the following steps:
Go to CA > External.
On the CA page, click Add External CA.
Paste the contents of rootCACert.pem and click Save.
Creating Client Certificate
To create a client certificate, perform the following steps:
Create a key to be used in the client certificate.
openssl genrsa -out client.key 2048
This command generates the RSA key client.key.
Create a client CSR using the key generated above.
openssl req -key client.key -new -sha256 -out client.csr -subj /O=my-org/OU=my-org/OU=client/CN=client
This command uses the client.key generated in the previous step to generate the client CSR client.csr.
Note
In this document, common name CN=client is used, which will be further used as a user name on the CipherTrust Manager.
Sign the CSR using the CA certificate and CA key generated above.
openssl x509 -req -days 360 -in client.csr -CA rootCACert.pem -CAkey rootCAKey.pem -CAcreateserial -out client.cert -sha256
Creating Server Certificate
To create a server certificate, perform the following steps:
Create a server key using the following command.
openssl genrsa -out server.key 2048
Create a CSR for the server using the above generated key.
openssl req -key server.key -new -sha256 -out server.csr -subj /O=my-org/OU=my-org/OU=server/CN=server
Create a server certificate using the following openssl command.
openssl x509 -req -days 7300 -in server.csr -CA rootCACert.pem -CAkey rootCAKey.pem -CAcreateserial -out server.cert -sha256
Creating a Client Keystore (PKCS#12 file)
Create a PKCS#12 file by packaging the client key, client certificate, and CA file using the following openssl command.
openssl pkcs12 -export -in client.cert -inkey client.key -certfile rootCACert.pem -out client.p12 -name client
Note
If you are creating certificates using ksctl, you need to download the client certificate, client key, and Local CA (rootCA) from the CipherTrust Manager and use them while creating the PKCS#12 file.
You will be prompted to set a password for the keystore file. Specify the client keystore password; the client.p12 file is then created. This password and the keystore path will be used later in the Remote Key Management configuration file RKM.conf of Spectrum Scale. For simplicity, this document assumes that the client keystore password specified for this integration is abcd.
In the above command, the name client (-name client) is applied to the collection of files contained within the PKCS#12 package.
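The openssl procedure above (CA, client and server certificates, and the client PKCS#12 keystore) as one runnable script, added here as an example and not taken from the original page. It assumes openssl 1.1.1 or later on PATH and uses its own small config file instead of editing the openssl.conf under /etc/ssl or /etc/pki/tls; the keystore password abcd and the file names are the document's example values, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original page: the openssl procedure above run end to end
# with its own config file, so the CA gets basicConstraints = critical, CA:true without
# editing the system openssl.conf. Assumes openssl 1.1.1+ on PATH; "abcd" is the document's
# example keystore password, given non-interactively here instead of at the prompt.
set -eu
WORK="${1:-$(mktemp -d)}"; cd "$WORK"
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
O = my-org
CN = Test Root CA
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = critical, CA:false
EOF
# CA key and self-signed CA certificate (rootCAKey.pem / rootCACert.pem, as on the page)
make_ca() {
  openssl genrsa -out rootCAKey.pem 2048 2>/dev/null
  openssl req -x509 -sha256 -new -nodes -key rootCAKey.pem -days 3650 \
    -config ca.cnf -out rootCACert.pem 2>/dev/null
}
# issue_leaf NAME ROLE DAYS: key, CSR and CA-signed certificate, then chain verification
issue_leaf() {
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -key "$1.key" -new -sha256 -config ca.cnf -out "$1.csr" \
    -subj "/O=my-org/OU=my-org/OU=$2/CN=$1"
  openssl x509 -req -days "$3" -in "$1.csr" -CA rootCACert.pem -CAkey rootCAKey.pem \
    -CAcreateserial -extfile ca.cnf -extensions v3_leaf -sha256 -out "$1.cert" 2>/dev/null
  openssl verify -CAfile rootCACert.pem "$1.cert" >/dev/null
}
# keystore_has_label P12 PASSWORD LABEL: 0 if the keystore opens and carries the label
keystore_has_label() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -info 2>/dev/null |
    grep -q "friendlyName: $3"
}
make_ca
issue_leaf client client 360
issue_leaf server server 7300
openssl pkcs12 -export -in client.cert -inkey client.key -certfile rootCACert.pem \
  -out client.p12 -name client -passout pass:abcd
keystore_has_label client.p12 abcd client
echo "CA, client and server certificates and client.p12 written to $WORK"
```

The chain verification after each leaf and the keystore check at the end are the two things worth keeping around: they catch a CA without CA:true and a label or password that will not match the RKM.conf stanza later.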
Configuring the RKM.conf File
Create a directory /var/mmfs/etc/RKMcerts on all nodes of the Spectrum Scale cluster and copy the client keystore client.p12 created in the previous step to this directory.
Create the Remote Key Management (RKM) configuration file (/var/mmfs/etc/RKM.conf) and add a stanza that contains the information necessary to communicate with the CipherTrust Manager. The stanza should be in the following format:
client {
    type = KMIP
    kmipServerUri = tls://10.164.x.xxx:5696
    keyStore = /var/mmfs/etc/RKMcerts/client.p12
    passphrase = abcd
    clientCertLabel = client
}
Stanza contains the following fields:
client: Name of the RKM stanza. It can be set as desired, "client" here is just an example name for the stanza.
type: Must be KMIP.
kmipServerUri: IP addresses or the DNS names of the CipherTrust Managers and their SSL ports.
In the above example, 10.164.x.xxx is the CipherTrust Manager IP and 5696 is the SSL port.
Note
For high availability (HA), multiple kmipServerUri entries can be added.
If a CipherTrust Manager fails or becomes inaccessible, the request is sent to the other CipherTrust Managers configured using kmipServerUri.
Refer to High Availability for details.
keyStore: The name and path of the client.p12 file (for example: /var/mmfs/etc/RKMcerts/client.p12).
passphrase: The password of the client keystore and client certificate. This is the same password which you specified while creating the client.p12 file.
clientCertLabel: The label of the client certificate in the client keystore. This is the same label which you specified while creating the client.p12 file.
Copy the /var/mmfs/etc/RKM.conf file and the client keystore /var/mmfs/etc/RKMcerts/client.p12 to all nodes in the cluster.
Caution
Ensure the user has READ and WRITE permissions (mode '0600') for the files /var/mmfs/etc/RKM.conf and /var/mmfs/etc/RKMcerts/client.p12.
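A pre-flight check for the RKM.conf stanza and keystore described above, added as an example that is not part of the original page: it verifies the field rules listed above, the 0600 permission from the Caution, and that the passphrase and clientCertLabel actually open the keystore named by keyStore. The check_rkm_conf function and the throwaway demo keystore are this example's own assumptions; the stanza values are the ones shown above.

```shell
#!/bin/sh
# Added example, not from the original page: pre-flight check of RKM.conf on a Spectrum
# Scale node. Every stanza is checked against the field rules above; the keystore it names
# must exist, be mode 0600, open with the passphrase and carry clientCertLabel.
# Assumes the stanza layout shown above, plus openssl and stat on PATH.
set -uf
# check_rkm_conf FILE: prints PASS/FAIL per stanza; returns 1 if any stanza fails
check_rkm_conf() {
  # Flatten each "name { k = v ... }" block to one line "name k=v k=v", however it was wrapped
  tr '\n' ' ' < "$1" | tr '}' '\n' | sed 's/[[:space:]]*=[[:space:]]*/=/g; s/[{]/ /' |
  { fail=0
    while read -r name body; do
      [ -n "$name" ] || continue
      type=''; uri=''; ks=''; pw=''; label=''; err=''
      for kv in $body; do
        case "$kv" in
          type=*)            type=${kv#*=} ;;
          kmipServerUri=*)   uri=${kv#*=} ;;
          keyStore=*)        ks=${kv#*=} ;;
          passphrase=*)      pw=${kv#*=} ;;
          clientCertLabel=*) label=${kv#*=} ;;
        esac
      done
      [ "$type" = KMIP ] || err="$err type must be KMIP;"
      case "$uri" in tls://*:[0-9]*) ;; *) err="$err kmipServerUri must be tls://host:port;" ;; esac
      if [ ! -f "$ks" ]; then err="$err keystore $ks missing;"
      else
        mode=$(stat -c %a "$ks" 2>/dev/null || stat -f %Lp "$ks")   # GNU stat, then BSD stat
        [ "$mode" = 600 ] || err="$err keystore mode $mode, want 0600;"
        openssl pkcs12 -in "$ks" -passin "pass:$pw" -nokeys -info 2>/dev/null |
          grep -q "friendlyName: $label" || err="$err passphrase or clientCertLabel wrong;"
      fi
      if [ -z "$err" ]; then echo "PASS $name"; else echo "FAIL $name:$err"; fail=1; fi
    done
    [ "$fail" -eq 0 ]; }
}
# Constructed demo input: a throwaway client keystore, one good stanza and one bad stanza
D=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=client \
  -keyout "$D/client.key" -out "$D/client.cert" 2>/dev/null
openssl pkcs12 -export -in "$D/client.cert" -inkey "$D/client.key" -name client \
  -passout pass:abcd -out "$D/client.p12"
chmod 0600 "$D/client.p12"
printf 'client { type = KMIP kmipServerUri = tls://10.164.x.xxx:5696 keyStore = %s passphrase = abcd clientCertLabel = client }\n' "$D/client.p12" > "$D/good.conf"
printf 'client {\n type = KMIP\n kmipServerUri = 10.164.x.xxx:5696\n keyStore = %s\n passphrase = wrong\n clientCertLabel = client\n}\n' "$D/client.p12" > "$D/bad.conf"
check_rkm_conf "$D/good.conf"          # PASS client
check_rkm_conf "$D/bad.conf" || true   # FAIL client: kmipServerUri ...; passphrase ...
```

Run it against /var/mmfs/etc/RKM.conf on each node after copying the files; a stanza that passes here has the same passphrase, label and keystore the Spectrum Scale side will use.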