Custom SSL TLS Security

From OSNEXUS Wiki

Enhanced Default security starting with QuantaStor 3.15 and custom TLS Ciphers

Many recent security vulnerabilities have been discovered in SSL, and it is advised that support for SSLv2 and SSLv3 be deprecated in favor of the more secure TLS protocols. In the past, QuantaStor used the preferred TLS protocols for all Grid, API and Web Manager communication; however, legacy support for the older SSL-based protocols was still included.

Starting with the QuantaStor 3.15 release, communication is limited to TLSv1.0 or greater for all QuantaStor Grid communication, the QuantaStor RestAPI service and the QuantaStor Web Manager. SSLv2/v3 and the less secure crypto ciphers are disabled by default.

The file that defines the crypto cipher list is at the location below on a QuantaStor appliance running 3.15 or newer; it can be modified if you choose to implement your own custom list of ciphers.

crypto cipher definition file:

/var/opt/osnexus/quantastor/ssl/qsciphers

Default crypto cipher list:

ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
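To check a modified qsciphers string before deploying it, here is an added example (not part of this page or of QuantaStor) that parses the OpenSSL cipher-string grammar and asks the local OpenSSL, via Python's ssl module, which suites the page's default list actually selects, flagging anything the list is meant to exclude. The WEAK_MARKERS policy and the check_policy function are my own assumptions, not a QuantaStor interface.

```python
import ssl

# Default qsciphers string quoted on this page (QuantaStor 3.15).
QS_DEFAULT_CIPHERS = (
    "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
    "ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
)

# Suite-name fragments a hardened list should never select (assumed policy).
WEAK_MARKERS = ("NULL", "MD5", "DSS", "RC4", "EXP-", "DES-CBC-")  # DES-CBC- is single DES

def parse_cipher_string(spec):
    """Split an OpenSSL cipher string into (operation, [required tags]) entries.

    OpenSSL grammar: '!' deletes permanently, '-' deletes (re-addable later),
    a leading '+' moves matching suites to the end, '@' is a directive such as
    @STRENGTH, and no prefix adds.  A '+' inside a token (ECDH+AESGCM) means
    the suite must match every tag.
    """
    ops = {"!": "kill", "-": "remove", "+": "move_to_end", "@": "directive"}
    entries = []
    for token in filter(None, spec.split(":")):
        op = ops.get(token[0], "add")
        body = token[1:] if op != "add" else token
        entries.append((op, body.split("+")))
    return entries

def expand_ciphers(spec):
    """Return the suite names the local OpenSSL selects for this string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)          # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]

def check_policy(spec):
    """Report exclusions the string lacks and weak suites it still selects."""
    killed = {tags[0] for op, tags in parse_cipher_string(spec) if op == "kill"}
    selected = expand_ciphers(spec)
    return {
        "missing_exclusions": sorted({"aNULL", "MD5"} - killed),
        "weak_suites_selected": [n for n in selected
                                 if any(m in n for m in WEAK_MARKERS)],
        "suite_count": len(selected),
    }

if __name__ == "__main__":
    for suite in expand_ciphers(QS_DEFAULT_CIPHERS):
        print(suite)
    print(check_policy(QS_DEFAULT_CIPHERS))
```

The expanded list depends on the OpenSSL build the script runs against, so run it on the appliance itself to see what that node will negotiate.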

With 3.15, you can now enable support for the TLSv1.2 protocol with modern web clients such as Google Chrome or Mozilla Firefox. TLSv1.2 requires an upgrade of the Java version used by the web server; the command that enables the Java release supporting TLSv1.2 on existing deployments is below.

qs-util java7upgrade

Generating or installing Custom SSL Certificates

Starting with the QuantaStor 3.15 release, we have included the qs-sslcertgen utility that makes it easy to install custom SSL certificates or generate your own security certificates for use with the QuantaStor Grid communication, the QuantaStor RestAPI service and the QuantaStor Web Manager.

qs-sslcertgen

qs-sslcertgen is a helper utility to generate strong SSL certificates for a QuantaStor Storage Appliance
Please run this command inside of a directory where you would like to create your certificate chain

Usage:

  General Commands

     qs-sslcertgen createall                     :Creates all Certificates CA, Grid Client and Server(qs-service, restsrv and tomcat) and tarball
     qs-sslcertgen createca                      :Creates a Certificate Authority(CA)
     qs-sslcertgen createclient                  :Creates a Grid Client Certificate
     qs-sslcertgen createserver                  :Creates a Server(qs-service, restsrv and tomcat) Certificate
     qs-sslcertgen certcreatetar                 :Creates a tar archive of the Generated Certificates to allow for deployment on other QuantaStor Appliances

  Advanced Commands
     qs-sslcertgen cleanupca                     :Cleans up Certificate Authority(CA) and Certificates
     qs-sslcertgen setpempassword                :Sets the PEM Password to be used for Certificate and Private Key generation
     qs-sslcertgen createdir               	 :Creates the directory qscerts and changes into that working directory
     qs-sslcertgen convertcustom                 :Converts custom .pem files into QuantaStor style Certificates

Self Generating 2048-bit Certificates

The qs-sslcertgen utility can generate an entire CA trust chain with 2048-bit SSL certificates and SHA256-protected private keys using the command below, following the on-screen prompts to specify the certificate properties. If you are unsure what properties to provide, defaults are offered that you can accept by pressing the return/enter key. It is recommended that you provide a password to secure your private keys unless you are running on a trusted private network.

qs-sslcertgen createall

This command will generate a .tgz archive with the certificates that you can then deploy on your other QuantaStor grid nodes.

If you would prefer to have some certificates identified by region (for example, one set of certificates for QuantaStor systems in London and a different set for units in Dallas), you can run the commands below multiple times after first running 'qs-sslcertgen createca' or 'qs-sslcertgen createall' to establish your Certificate Authority chain. The last command will generate a .tgz archive of certificates that have those specific properties:

qs-sslcertgen createclient
qs-sslcertgen createserver   
qs-sslcertgen certcreatetar 


Certificates from your own CA

If you would prefer to use your own custom certificates generated from your own Certificate Authority, you can create a certificate deployment package for QuantaStor from your custom certificates using the commands below. If you wish to have many certificates for different regions or specific server FQDNs, place the custom certificates and run the commands for each set. The first command provides the location to place your custom certificates into, the second command converts those certificates into the forms supported by QuantaStor, and the last command generates a .tgz archive of the final certificates.

qs-sslcertgen createdir 
qs-sslcertgen convertcustom
qs-sslcertgen certcreatetar 

Please note that the certificates need to be provided in .pem format, typically with the certificate and key in the same file (except for the CA certificate, which should not include the private key of your CA). Detailed below are what these files should be called and what their specific contents should be. If you have custom certificates that are not available in .pem format or do not appear to work correctly with the script we have provided, please contact OSNEXUS support for additional assistance.

custom_qscacert.pem   - should contain your Certificate Authority's root certificate
custom_qsserver.pem   - should contain the private key and CA signed certificate intended for the QuantaStor Management and RestAPI services.
custom_qsclient.pem   - should contain the private key and CA signed certificate intended for the QuantaStor client certificate used for
                        node-to-node grid communication. (does not need to be unique)
custom_webmanager.pem - (optional) should contain the private key and CA signed certificate intended for the QuantaStor WebManagement interface.
                        You can provide this file if you wish to have the FQDN that you use to login to the WebUI match the Certificate and
                        remove the need to force a security override in your browser. If you do not provide this certificate it is instead
                        generated based on the custom_qsserver.pem certificate.
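As an added pre-flight check before running 'qs-sslcertgen convertcustom' (example code, not part of QuantaStor or this page), the script below splits each custom_*.pem file into its PEM blocks and verifies it has the composition listed above: the CA file holds certificates only, while the server, client and optional web manager files each hold exactly one private key plus the signed certificate. The sample PEM contents are constructed placeholders and the function names are my own.

```python
import re

# Composition this page describes for each custom_*.pem file:
# minimum CERTIFICATE blocks, exact number of private-key blocks, optional or not.
EXPECTED = {
    "custom_qscacert.pem":   {"certs": 1, "keys": 0, "optional": False},
    "custom_qsserver.pem":   {"certs": 1, "keys": 1, "optional": False},
    "custom_qsclient.pem":   {"certs": 1, "keys": 1, "optional": False},
    "custom_webmanager.pem": {"certs": 1, "keys": 1, "optional": True},
}

# Matches one well-formed PEM block and captures its label (e.g. "RSA PRIVATE KEY").
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def pem_labels(text):
    """Return the label of every PEM block in the text, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def check_custom_certs(files):
    """files maps filename -> contents.  Returns filename -> list of problems
    (an empty list means the file is acceptable for convertcustom)."""
    report = {}
    for name, rule in EXPECTED.items():
        problems = []
        if name not in files:
            if not rule["optional"]:
                problems.append("file missing")
        else:
            labels = pem_labels(files[name])
            certs = labels.count("CERTIFICATE")
            keys = sum(1 for lbl in labels if lbl.endswith("PRIVATE KEY"))
            if certs < rule["certs"]:
                problems.append(f"expected a CERTIFICATE block, found {certs}")
            if keys != rule["keys"]:
                problems.append(f"expected {rule['keys']} private key block(s), found {keys}")
        report[name] = problems
    return report

def _fake_pem(label, body):
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed sample input (placeholder bodies, not real key material).
SAMPLE_FILES = {
    "custom_qscacert.pem": _fake_pem("CERTIFICATE", "MIIB...ca-root-placeholder..."),
    "custom_qsserver.pem": _fake_pem("RSA PRIVATE KEY", "MIIE...server-key-placeholder...")
                           + _fake_pem("CERTIFICATE", "MIIC...server-cert-placeholder..."),
    # Client file deliberately lacks its private key so the check has something to report.
    "custom_qsclient.pem": _fake_pem("CERTIFICATE", "MIIC...client-cert-placeholder..."),
}

if __name__ == "__main__":
    for filename, problems in check_custom_certs(SAMPLE_FILES).items():
        print(filename, "OK" if not problems else "; ".join(problems))
```

Point it at the files in the qscerts directory created by 'qs-sslcertgen createdir' by reading each file into the dictionary it takes.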