Custom SSL TLS Security
Enhanced Default security starting with QuantaStor 3.15 and custom TLS Ciphers
Many security vulnerabilities have been found in the SSL protocol family, and it is advised that support for SSLv2 and SSLv3 be removed in favor of the TLS protocols. QuantaStor has long preferred TLS for all Grid, API and Web Manager communication, but legacy support for the older SSL protocols remained enabled.
Starting with the QuantaStor 3.15 release, communication is limited to TLSv1.0 or greater for all QuantaStor Grid communication, the QuantaStor REST API service and the QuantaStor Web Manager. SSLv2/v3 and the weaker cipher suites are disabled by default.
The file that defines the cipher list is at the location below on a QuantaStor appliance running 3.15 or newer, and can be edited if you choose to use your own cipher list. The format is an OpenSSL cipher string: colon-separated entries, with "!" entries excluding suites.
Crypto cipher definition file: /var/opt/osnexus/quantastor/ssl/qsciphers
Default crypto cipher list: ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
Note that the default list still permits 3DES (the *+3DES entries; a 64-bit block cipher that is now considered weak) and static RSA key exchange (the RSA+* entries, which provide no forward secrecy). If all of your clients support the ECDH and DH suites, you can drop those entries from your custom list.
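As an added example (not OSNEXUS code), the following Python audits a qsciphers-style cipher string, flags the 3DES and static-RSA entries present in the default list above, and rewrites the string without them. The ssl module is used only to show which suites the local OpenSSL build actually selects for a given string. The default string and file path are taken from this page; the audit rules (what is flagged as weak) are this example's own assumptions.

```python
"""Audit and harden a QuantaStor-style OpenSSL cipher string.

Added example, not OSNEXUS code. The DEFAULT_QSCIPHERS value is the
default list quoted on the page; the checks below are this example's
own choices about what a reviewer would flag.
"""
import ssl

DEFAULT_QSCIPHERS = (
    "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
    "ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
)


def parse_spec(spec):
    """Split a colon-separated cipher string into (enable, exclude) lists."""
    tokens = [t.strip() for t in spec.split(":") if t.strip()]
    enable = [t for t in tokens if not t.startswith("!")]
    exclude = [t[1:] for t in tokens if t.startswith("!")]
    return enable, exclude


def audit_spec(spec):
    """Return human-readable findings for a cipher string (empty list = clean)."""
    enable, exclude = parse_spec(spec)
    findings = []
    weak_3des = [t for t in enable if "3DES" in t.upper()]
    if weak_3des and "3DES" not in exclude:
        findings.append("3DES (64-bit block cipher) enabled by: " + ", ".join(weak_3des))
    # Entries whose key-exchange part is plain RSA give no forward secrecy.
    static_rsa = [t for t in enable if t.upper().startswith("RSA+")]
    if static_rsa:
        findings.append("static RSA key exchange (no forward secrecy): " + ", ".join(static_rsa))
    for must in ("aNULL", "MD5"):
        if must not in exclude:
            findings.append("missing !%s exclusion" % must)
    return findings


def harden_spec(spec, require_pfs=False):
    """Rewrite spec with the 3DES entries removed and !3DES appended.

    With require_pfs=True the RSA+* entries are dropped as well and !kRSA
    (OpenSSL's keyword for RSA key exchange) is appended.
    """
    enable, exclude = parse_spec(spec)
    keep = []
    for t in enable:
        if "3DES" in t.upper():
            continue
        if require_pfs and t.upper().startswith("RSA+"):
            continue
        keep.append(t)
    if "3DES" not in exclude:
        exclude.append("3DES")
    if require_pfs and "kRSA" not in exclude:
        exclude.append("kRSA")
    return ":".join(keep + ["!" + e for e in exclude])


def expand_spec(spec):
    """Ask the local OpenSSL which suites the string actually enables.

    Returns the suite names, or None if OpenSSL rejects the string. The
    answer depends on the OpenSSL build Python is linked against, so run
    this on the appliance itself to see what its services will offer.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return None
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    for finding in audit_spec(DEFAULT_QSCIPHERS):
        print("FINDING:", finding)
    hardened = harden_spec(DEFAULT_QSCIPHERS, require_pfs=True)
    print("hardened:", hardened)
    print("suites enabled on this host:", expand_spec(hardened))
```

After writing a hardened string to the qsciphers file, confirm the result from a client with a TLS scanner rather than trusting the string alone: which suites are offered depends on the OpenSSL version the appliance services are linked against, and an empty effective list will break the Web Manager and grid communication.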
With 3.15, you can also enable the TLSv1.2 protocol for modern web clients such as Google Chrome or Mozilla Firefox. TLSv1.2 requires an upgrade of the Java version used by the web server; the command that enables the Java release supporting TLSv1.2 on existing deployments is given below. TLSv1.0 and TLSv1.1 have since been deprecated (RFC 8996), so where your clients allow it, prefer TLSv1.2 or later.
Generating or installing Custom SSL Certificates
Starting with the QuantaStor 3.15 release, the qs-sslcertgen utility is included to make it easy to install custom SSL certificates, or to generate your own, for use with QuantaStor Grid communication, the QuantaStor REST API service and the QuantaStor Web Manager. Its usage text:
qs-sslcertgen
qs-sslcertgen is a helper utility to generate strong SSL certificates for a QuantaStor Storage Appliance
Please run this command inside of a directory where you would like to create your certificate chain
Usage:
General Commands
  qs-sslcertgen createall      : Creates all Certificates CA, Grid Client and Server (qs-service, restsrv and tomcat) and tarball
  qs-sslcertgen createca       : Creates a Certificate Authority (CA)
  qs-sslcertgen createclient   : Creates a Grid Client Certificate
  qs-sslcertgen createserver   : Creates a Server (qs-service, restsrv and tomcat) Certificate
  qs-sslcertgen certcreatetar  : Creates a tar archive of the Generated Certificates to allow for deployment on other QuantaStor Appliances
Advanced Commands
  qs-sslcertgen cleanupca      : Cleans up Certificate Authority (CA) and Certificates
  qs-sslcertgen setpempassword : Sets the PEM Password to be used for Certificate and Private Key generation
  qs-sslcertgen createdir      : Creates the directory qscerts and changes into that working directory
  qs-sslcertgen convertcustom  : Converts custom .pem files into QuantaStor style Certificates
Self Generating 2048-bit Certificates
The qs-sslcertgen utility can generate an entire CA trust chain with 2048-bit keys and SHA-256 signed certificates using the qs-sslcertgen createall command, following the on-screen prompts to specify the certificate properties. If you are unsure what properties to provide, defaults are offered that you can accept by pressing return/enter. It is recommended that you provide a password to protect your private keys unless you are running on a trusted private network.
This command generates a .tgz archive of the certificates that you can then deploy on your other QuantaStor grid nodes.
If you would prefer to have certificates identified by region (for example one set for QuantaStor systems in London and a different set for units in Dallas), run the commands below multiple times after first running 'qs-sslcertgen createca' or 'qs-sslcertgen createall' to establish your Certificate Authority chain. The last command generates a .tgz archive of the certificates with those specific properties:
qs-sslcertgen createclient
qs-sslcertgen createserver
qs-sslcertgen certcreatetar
Certificates from your own CA
If you would prefer to use your own certificates issued by your own Certificate Authority, you can create a certificate deployment package for QuantaStor from them using the commands below. If you need different certificates for different regions or for specific server FQDNs, place the corresponding custom certificates and run the commands once for each set. The first command creates the directory in which to place your custom certificates, the second converts those certificates into the formats supported by QuantaStor, and the last generates a .tgz archive of the final certificates.
qs-sslcertgen createdir
qs-sslcertgen convertcustom
qs-sslcertgen certcreatetar
Please note that the certificates must be provided in .pem format, typically with the certificate and the private key in the same file (except for the CA certificate, which must not include your CA's private key). The expected file names and their contents are listed below. If your certificates are not available in PEM format or do not work correctly with the script, please contact OSNEXUS support for additional assistance.
custom_qscacert.pem - your Certificate Authority's root certificate (certificate only, no private key).
custom_qsserver.pem - the private key and CA-signed certificate for the QuantaStor management (qs-service) and REST API services.
custom_qsclient.pem - the private key and CA-signed certificate used as the client certificate for node-to-node grid communication (does not need to be unique per node).
custom_webmanager.pem - (optional) the private key and CA-signed certificate for the QuantaStor Web Manager interface. Provide this file if you want the FQDN you use to log in to the web UI to match the certificate, which removes the need for a security override in your browser. If you do not provide it, the Web Manager certificate is derived from custom_qsserver.pem.
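As an added example (not OSNEXUS code), the following Python assembles the custom_*.pem files from separate key and certificate PEM files and checks that each file has the layout described above before qs-sslcertgen convertcustom is run: the CA file must contain a certificate and no private key, and the server, client and optional Web Manager files must each contain both. The file names and content rules come from this page; the PEM bodies in the demo are constructed placeholders, not real keys or certificates, and the key-then-certificate ordering in combine() is an assumption (the page lists them in that order but does not say the order matters).

```python
"""Assemble and sanity-check the custom_*.pem files for qs-sslcertgen convertcustom.

Added example, not OSNEXUS code. File names and content rules follow the
page; the sample PEM bodies are constructed placeholders.
"""
import os
import re

# One PEM block: label, base64 body, matching END marker.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)

# Per the page: which kinds of block each file must contain and must not contain.
# "CERT" is any *CERTIFICATE* block, "KEY" any *PRIVATE KEY* block.
LAYOUT = {
    "custom_qscacert.pem":   {"require": {"CERT"}, "forbid": {"KEY"}},
    "custom_qsserver.pem":   {"require": {"CERT", "KEY"}, "forbid": set()},
    "custom_qsclient.pem":   {"require": {"CERT", "KEY"}, "forbid": set()},
    "custom_webmanager.pem": {"require": {"CERT", "KEY"}, "forbid": set()},  # optional
}
REQUIRED_FILES = ("custom_qscacert.pem", "custom_qsserver.pem", "custom_qsclient.pem")


def classify(label):
    """Map a PEM label such as 'RSA PRIVATE KEY' or 'CERTIFICATE' to a kind."""
    if "PRIVATE KEY" in label:
        return "KEY"
    if "CERTIFICATE" in label:
        return "CERT"
    return "OTHER"


def pem_kinds(text):
    """Return the kinds of PEM blocks found in text, in file order."""
    return [classify(m.group(1)) for m in PEM_BLOCK.finditer(text)]


def combine(key_pem, cert_pem):
    """Build a key+certificate file: key first, then certificate (assumed order)."""
    return key_pem.rstrip("\n") + "\n" + cert_pem.rstrip("\n") + "\n"


def check_file(name, text):
    """Return a list of problems with one file; an empty list means it is OK."""
    if name not in LAYOUT:
        return ["unexpected file name"]
    kinds = set(pem_kinds(text))
    rules = LAYOUT[name]
    problems = ["missing %s block" % k for k in sorted(rules["require"] - kinds)]
    problems += ["must not contain a %s block" % k for k in sorted(rules["forbid"] & kinds)]
    if "OTHER" in kinds:
        problems.append("contains a block that is neither certificate nor private key")
    return problems


def check_bundle(files):
    """Check a {name: text} mapping; returns {name: [problems]} for bad files only."""
    report = {}
    for name in REQUIRED_FILES:
        if name not in files:
            report[name] = ["file missing"]
    for name, text in files.items():
        problems = check_file(name, text)
        if problems:
            report[name] = problems
    return report


def write_bundle(directory, files):
    """Write a checked bundle into directory (e.g. the qscerts dir from createdir).

    Files holding a private key are written mode 0600.
    """
    if check_bundle(files):
        raise ValueError("bundle has problems: %r" % check_bundle(files))
    os.makedirs(directory, exist_ok=True)
    for name, text in files.items():
        path = os.path.join(directory, name)
        with open(path, "w") as fh:
            fh.write(text)
        if "KEY" in pem_kinds(text):
            os.chmod(path, 0o600)


# Constructed placeholders standing in for real PEM material.
FAKE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQgUExBQ0VIT0xERVI=\n-----END RSA PRIVATE KEY-----\n"
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    bundle = {
        "custom_qscacert.pem": FAKE_CERT,
        "custom_qsserver.pem": combine(FAKE_KEY, FAKE_CERT),
        "custom_qsclient.pem": combine(FAKE_KEY, FAKE_CERT),
    }
    print("bundle problems:", check_bundle(bundle) or "none")
    # A CA file that accidentally carries the CA private key is the mistake to catch:
    print("bad CA file:", check_file("custom_qscacert.pem", combine(FAKE_KEY, FAKE_CERT)))
```

Run this in the qscerts directory before convertcustom so that a CA file that accidentally includes the CA private key, or a server file missing its key, is caught before the archive is built and copied to other nodes.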