Custom SSL TLS Security

From OSNEXUS Online Documentation Site
Latest revision as of 07:59, 15 June 2022

Enhanced default security starting with QuantaStor 3.15 and custom TLS ciphers

A number of security vulnerabilities have been found in the SSL protocols, and it is advised that support for SSLv2 and SSLv3 be dropped in favor of the more secure TLS protocols. QuantaStor has always preferred the TLS protocols for all Grid, RestAPI and Web Manager communication; however, legacy support for the older SSL-based protocols was still included.

Starting with the QuantaStor 3.15 release, communication is limited to TLSv1.0 or newer for all QuantaStor Grid communication, the QuantaStor RestAPI service and the QuantaStor Web Manager. SSLv2/v3 and the less secure ciphers are disabled by default. Note that TLSv1.0 and TLSv1.1 have themselves since been deprecated (RFC 8996, March 2021), so treat TLSv1.0 as a floor rather than a target and verify which versions your appliance actually accepts.

The file that defines the cipher list is at the location below on a QuantaStor appliance running 3.15 or newer and can be edited to apply your own cipher list. The default list still offers 3DES (the *+3DES entries); 3DES CBC suites are affected by the SWEET32 attack (CVE-2016-2183), so remove them unless a legacy client requires them.

crypto cipher definition file:

/var/opt/osnexus/quantastor/ssl/qsciphers

Default crypto cipher list:

ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

With 3.15 you can also enable TLSv1.2 for modern web clients such as Google Chrome or Mozilla Firefox. TLSv1.2 requires a newer Java release for the web server; on existing deployments, run the command below to switch to the Java release that supports TLSv1.2.

qs-util java7upgrade
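As an added example (not OSNEXUS code), the Python script below parses an OpenSSL cipher string of the form used in qsciphers, reports which weak algorithms it still offers (the default above offers 3DES) and which it already kills, produces a hardened string, expands a string against the local OpenSSL, and probes a host once per TLS version so you can confirm what the appliance accepts after the Java upgrade. The default cipher list is copied from this page; the weak-algorithm set, the hardened output and any host name you pass are assumptions of the example, not QuantaStor defaults.

```python
"""Audit an OpenSSL-style cipher string such as the QuantaStor default in
/var/opt/osnexus/quantastor/ssl/qsciphers, and probe which TLS versions a
server accepts.

Added example, not OSNEXUS code.  QS_DEFAULT_CIPHERS is copied from the page;
WEAK_TOKENS and the hardened output are this example's own assumptions.
"""
import socket
import ssl
from typing import Dict, List, Optional

# Default cipher list as quoted on the page.
QS_DEFAULT_CIPHERS = (
    "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
    "ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
)

# Keywords a practitioner would not want offered (assumption, not a QuantaStor list).
WEAK_TOKENS = {"3DES", "DES", "RC4", "RC2", "IDEA", "SEED", "MD5",
               "EXPORT", "EXP", "aNULL", "eNULL", "NULL"}


def parse_cipher_string(spec: str) -> List[Dict]:
    """Split an OpenSSL cipher string into components.

    op     : '' select, '!' kill (cannot be re-added), '-' remove, '+' move to end
    tokens : keywords AND-ed with '+', e.g. ECDH+AESGCM -> ['ECDH', 'AESGCM']
    """
    out = []
    for raw in spec.split(":"):
        raw = raw.strip()
        if not raw:
            continue
        op = ""
        if raw[0] in "!-+":
            op, raw = raw[0], raw[1:]
        out.append({"op": op, "tokens": raw.split("+")})
    return out


def audit_cipher_string(spec: str) -> Dict[str, List[str]]:
    """Report weak algorithms the string still offers, and those it already kills."""
    offered, forbidden = [], []
    for comp in parse_cipher_string(spec):
        weak = [t for t in comp["tokens"] if t in WEAK_TOKENS]
        if not weak:
            continue
        if comp["op"] == "!":
            forbidden.extend(weak)
        elif comp["op"] in ("", "+"):
            offered.append("+".join(comp["tokens"]))
    return {"offered_weak": offered, "forbidden": forbidden}


def harden_cipher_string(spec: str,
                         kills=("RC4", "3DES", "eNULL", "EXPORT")) -> str:
    """Drop positive components that select a weak algorithm (e.g. ECDH+3DES) and
    append '!' rules so nothing later in the string can re-enable them."""
    kept = []
    for comp in parse_cipher_string(spec):
        if comp["op"] in ("", "+") and any(t in WEAK_TOKENS for t in comp["tokens"]):
            continue
        kept.append(comp["op"] + "+".join(comp["tokens"]))
    for k in kills:
        if "!" + k not in kept:
            kept.append("!" + k)
    return ":".join(kept)


def expand_with_openssl(spec: str) -> List[str]:
    """Names of the suites the local OpenSSL selects for spec (TLS 1.2 and below;
    TLS 1.3 suites are configured separately and ignore this string).  The result
    depends on the OpenSSL build: most builds since 1.1.0 compile out 3DES."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers()]


def probe_tls_versions(host: str, port: int = 443,
                       timeout: float = 5.0) -> Dict[str, Optional[bool]]:
    """One handshake per TLS version: True if the server accepted it, False if it
    refused, None if the local OpenSSL cannot even offer that version.
    Certificate validation is disabled on purpose: this probes protocol support,
    not trust.  Network call; not exercised by the offline checks."""
    results: Dict[str, Optional[bool]] = {}
    for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
              ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = v
            ctx.maximum_version = v
        except (ValueError, ssl.SSLError):
            results[v.name] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[v.name] = tls.version() is not None
        except (ssl.SSLError, OSError):
            results[v.name] = False
    return results
```

Run audit_cipher_string(QS_DEFAULT_CIPHERS) to see the three *+3DES components flagged, and harden_cipher_string(QS_DEFAULT_CIPHERS) for a replacement you could paste into qsciphers; probe_tls_versions("appliance.example.internal") (hypothetical host) tells you whether TLSv1.2 is actually negotiable after qs-util java7upgrade and whether TLSv1.0/1.1 are still accepted.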

Generating or installing Custom SSL Certificates

You can install custom SSL certificates, or generate your own, for use with QuantaStor Grid communication, the QuantaStor RestAPI service and the QuantaStor Web Manager. Both are done with the qs-sslcert utility, whose usage is shown below.

qs-sslcert

qs-sslcert is a helper utility for installing, resetting and generating strong SSL certificates for QuantaStor grid management.

Usage:

     qs-sslcert printcerts             : Shows information about what certificates are in use.

     qs-sslcert generatecerts          : Creates all storage grid certificates (CA, Client, Server, REST) and generates a tar based installer.
                                       : NOTE, please run this command inside of a directory where you would like to create your certificate chain tar

     qs-sslcert installcerts           : Installs all storage grid certificates (CA, Client, Server, REST) included in the extracted tar.

     qs-sslcert resetcerts             : Resets the certificates back to the default certificates included with QuantaStor.

  Advanced Commands (Support Use Only)

     qs-sslcert createca               : Generates a self-signed Certificate Authority(CA) from which other certs can be generated.
     qs-sslcert createclient           : Generates a QuantaStor Client certificate using the CA.
     qs-sslcert createserver           : Generates a QuantaStor Server and REST interface certificates using the CA.
     qs-sslcert certcreatetar          : Creates a tar archive of the generated self-signed certificates. You must copy this via scp to all systems in the storage grid and manually run the install.sh script within the tar file.
     qs-sslcert certtarrm              : Removes the generated Certificate Authority(CA) and associated certificates
     qs-sslcert setpempassword         : Sets the PEM Password to be used for Certificate and Private Key generation
     qs-sslcert certtarmkdir           : Creates the directory qscerts and changes into that working directory
     qs-sslcert convertcustom          : Converts custom .pem files into QuantaStor style Certificates
     qs-sslcert resetlegacycerts       : Resets the certificates back to the old legacy certs from QS v3 (not recommended).

Self Generating 2048-bit Certificates

The qs-sslcert utility can generate an entire CA trust chain of 2048-bit certificates signed with SHA-256 using the command below, following the on-screen prompts to specify the certificate properties. If you are unsure what properties to provide, defaults are offered that you can accept by pressing return/enter. It is recommended that you provide a password to protect your private keys unless you are running on a trusted private network.

qs-sslcert generatecerts

This command will generate a .tgz archive with the certificates that you can then deploy on your other QuantaStor grid nodes.

If you would prefer to have some certificates identified by region (one set for QuantaStor systems in London and a different set for units in Dallas, for instance), you can run the commands below multiple times after first running 'qs-sslcert createca' or 'qs-sslcert generatecerts' to establish your Certificate Authority chain. The last command generates a .tgz archive of certificates with those specific properties:

qs-sslcert createclient
qs-sslcert createserver   
qs-sslcert certcreatetar 

Certificates from your own CA

If you would prefer to use certificates issued by your own Certificate Authority, you can build a QuantaStor certificate deployment package from them using the commands below. If you need several sets of certificates for different regions or specific server FQDNs, place each set of custom certificates and run the commands once per set. The first command creates the directory into which your custom certificates go (the usage text above lists this command as certtarmkdir; use the name your release prints in its help), the second converts those certificates into the forms supported by QuantaStor, and the last generates a .tgz archive of the final certificates.

qs-sslcert createdir 
qs-sslcert convertcustom
qs-sslcert certcreatetar 

Certificates must be provided in PEM format, normally with the certificate and its private key concatenated in the same file (except for the CA certificate, which must not include your CA's private key). The required file names and their contents are listed below. If your certificates are not available in PEM format or do not appear to work correctly with the script provided, please contact OSNEXUS support for additional assistance.

custom_qscacert.pem   - should contain your Certificate Authority's root certificate
custom_qsserver.pem   - should contain the private key and CA signed certificate intended for the QuantaStor Management and RestAPI services.
custom_qsclient.pem   - should contain the private key and CA signed certificate intended for the QuantaStor client certificate used for
                        node-to-node grid communication. (does not need to be unique)
custom_webmanager.pem - (optional) should contain the private key and CA signed certificate intended for the QuantaStor WebManagement interface.
                        You can provide this file if you wish to have the FQDN that you use to login to the WebUI match the Certificate and
                        remove the need to force a security override in your browser. If you do not provide this certificate it is instead
                        generated based on the custom_qsserver.pem certificate.
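Before running qs-sslcert convertcustom it is worth checking that the files follow the layout just described, in particular that custom_qscacert.pem carries no private key. The Python script below is an added example (not OSNEXUS code) that checks only the PEM block layout of each file and, where openssl is installed, can run 'openssl verify' on a server or client bundle against the CA file; it does not check that the web manager certificate's subject or SAN matches your FQDN. The file rules are this example's reading of the list above, and the sample PEM contents are constructed placeholders carrying only the BEGIN/END armour lines.

```python
"""Pre-flight check of the custom_*.pem files that 'qs-sslcert convertcustom' expects.

Added example, not OSNEXUS code.  It checks only the PEM block layout described on
the page (which files carry a private key, which must not) and optionally runs
'openssl verify' against the CA file.  It does not parse certificates itself.
"""
import re
import shutil
import subprocess
from typing import Dict, List, Optional

# File rules as read from the page: the CA file is certificate-only, the others
# bundle one private key with the signed certificate, webmanager is optional.
EXPECTED_FILES = {
    "custom_qscacert.pem":   {"key": False, "required": True},
    "custom_qsserver.pem":   {"key": True,  "required": True},
    "custom_qsclient.pem":   {"key": True,  "required": True},
    "custom_webmanager.pem": {"key": True,  "required": False},
}

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def pem_labels(text: str) -> List[str]:
    """PEM block labels (CERTIFICATE, RSA PRIVATE KEY, ...) in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_bundle(name: str, text: str) -> List[str]:
    """Problems found in one custom_*.pem file; an empty list means it looks right."""
    rule = EXPECTED_FILES[name]
    labels = pem_labels(text)
    n_certs = labels.count("CERTIFICATE")
    keys = [l for l in labels if l in KEY_LABELS]
    unknown = [l for l in labels if l != "CERTIFICATE" and l not in KEY_LABELS]
    problems = []
    if n_certs == 0:
        problems.append("no CERTIFICATE block")
    if rule["key"] and len(keys) != 1:
        problems.append(f"expected exactly one private key, found {len(keys)}")
    if not rule["key"] and keys:
        problems.append("CA file must not contain a private key")
    if unknown:
        problems.append(f"unexpected PEM blocks: {unknown}")
    return problems


def check_directory(files: Dict[str, str]) -> Dict[str, List[str]]:
    """files maps file name -> contents (e.g. read from the qscerts directory).
    Returns problems per file; optional files that are absent are not listed."""
    report: Dict[str, List[str]] = {}
    for name, rule in EXPECTED_FILES.items():
        if name in files:
            report[name] = check_bundle(name, files[name])
        elif rule["required"]:
            report[name] = ["missing required file"]
    return report


def openssl_verify(ca_path: str, cert_path: str) -> Optional[bool]:
    """Chain check with the system openssl: True/False, or None if openssl is absent.
    openssl reads the certificate out of a key+cert bundle, so this can be run on
    custom_qsserver.pem and custom_qsclient.pem against custom_qscacert.pem."""
    if shutil.which("openssl") is None:
        return None
    r = subprocess.run(["openssl", "verify", "-CAfile", ca_path, cert_path],
                       capture_output=True, text=True)
    return r.returncode == 0


# Constructed placeholders (no real key material): only the armour lines matter here.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n-----END RSA PRIVATE KEY-----\n"

GOOD_DIR = {
    "custom_qscacert.pem": FAKE_CERT,
    "custom_qsserver.pem": FAKE_KEY + FAKE_CERT,
    "custom_qsclient.pem": FAKE_KEY + FAKE_CERT,
}
BAD_DIR = {
    "custom_qscacert.pem": FAKE_KEY + FAKE_CERT,   # CA private key leaked into the bundle
    "custom_qsserver.pem": FAKE_CERT,              # private key missing
    # custom_qsclient.pem absent although required
}
```

To use it on a real qscerts directory, read each file into a dict keyed by file name and pass it to check_directory(); an empty list for every file means the layout matches what convertcustom expects, after which openssl_verify() confirms the server and client certificates actually chain to the CA you supplied.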