Custom SSL TLS Security
Enhanced Default security starting with QuantaStor 3.15 and custom TLS Ciphers
Many security vulnerabilities have been discovered in SSL in recent years, and it is advised that support for SSLv2 and SSLv3 be deprecated in favor of the more secure TLS protocols. In the past, QuantaStor has preferred the TLS protocols for all Grid, API and Web Manager communication, but legacy support for the older SSL-based protocols was still included.
Starting with the QuantaStor 3.15 release, communication will be limited to TLSv1.0 or newer for all QuantaStor Grid communication, the QuantaStor RestAPI service and the QuantaStor Web Manager. SSLv2/v3 and the less secure crypto ciphers will be disabled by default.
The file that defines the crypto cipher list is at the location below on a QuantaStor appliance running 3.15 or newer, and it can be edited if you choose to implement your own custom list of ciphers.
crypto cipher definition file: /var/opt/osnexus/quantastor/ssl/qsciphers
Default crypto cipher list: ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
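Before writing a custom list into qsciphers it is worth seeing which concrete cipher suites the OpenSSL string actually expands to. The following script is an added example (not OSNEXUS code): it parses the string, checks that the usual exclusions are present, expands it against the OpenSSL that the local Python links to, and flags suites a defender would normally drop, including the 3DES entries present in the default list above.

```python
"""Audit an OpenSSL cipher string of the kind kept in qsciphers (added example,
not OSNEXUS code).  Expands the string with the local OpenSSL via Python's ssl
module so the concrete suites it enables are visible, and flags weak ones."""
import ssl

QSCIPHERS_PATH = "/var/opt/osnexus/quantastor/ssl/qsciphers"   # path from the page
DEFAULT_QSCIPHERS = ("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:"
                     "DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:"
                     "!aNULL:!MD5:!DSS")
# Exclusions a custom list should carry: the page's three plus null encryption,
# export grade and RC4, which OpenSSL will honour if a positive entry matches them.
REQUIRED_EXCLUSIONS = {"aNULL", "eNULL", "EXPORT", "MD5", "RC4", "DSS"}

def parse_cipher_string(spec):
    """Split a colon-separated cipher string into (included, excluded) entries."""
    included, excluded = [], set()
    for entry in spec.split(":"):
        if entry.startswith("!"):
            excluded.add(entry[1:])
        elif entry:
            included.append(entry)
    return included, excluded

def missing_exclusions(spec):
    """Required exclusions the string does not carry, sorted."""
    return sorted(REQUIRED_EXCLUSIONS - parse_cipher_string(spec)[1])

def expand_ciphers(spec):
    """Resolve spec against the OpenSSL Python links to and return suite names.
    The answer depends on that OpenSSL build, so run it on the appliance itself."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)                  # ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]

def weak_suites(names):
    """Enabled suites worth dropping: 3DES (64-bit block, SWEET32), RC4, MD5,
    export grade and NULL encryption.  3DES is in the page's default list."""
    tags = ("DES", "RC4", "MD5", "EXP", "NULL")
    return [n for n in names if any(tag in n for tag in tags)]

if __name__ == "__main__":
    try:
        spec = open(QSCIPHERS_PATH).read().strip()
    except OSError:                        # not on an appliance: use default
        spec = DEFAULT_QSCIPHERS
    print("missing exclusions:", missing_exclusions(spec))
    enabled = expand_ciphers(spec)
    print(len(enabled), "suites enabled; weak:", weak_suites(enabled))
```

Newer OpenSSL builds drop 3DES from the default build entirely, so an empty "weak" list on your workstation does not prove the appliance's OpenSSL behaves the same way.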
With 3.15, you can also enable TLSv1.2 support for modern web clients such as Google Chrome or Mozilla Firefox. TLSv1.2 requires an upgrade of the Java version used by the web server; the command that enables the Java release supporting TLSv1.2 on existing deployments is shown below.
Generating or installing Custom SSL Certificates
You can install custom SSL certificates, or generate your own, for use with the QuantaStor Grid communication, the QuantaStor RestAPI service and the QuantaStor Web Manager.
qs-sslcert

qs-sslcert is a helper utility for installing, reseting and generating strong SSL certificates for QuantaStor grid management.

Usage:
  qs-sslcert printcerts       : Shows information about what certificates are in use.
  qs-sslcert generatecerts    : Creates all storage grid certificates (CA, Client, Server, REST) and generates a tar based installer.
                              : NOTE, please run this command inside of a directory where you would like to create your certificate chain tar
  qs-sslcert installcerts     : Installs all storage grid certificates (CA, Client, Server, REST) included in the extracted tar.
  qs-sslcert resetcerts       : Resets the certificates back to the default certificates included with QuantaStor.

Advanced Commands (Support Use Only)
  qs-sslcert createca         : Generates a self-signed Certificate Authority(CA) from which other certs can be generated.
  qs-sslcert createclient     : Generates a QuantaStor Client certificate using the CA.
  qs-sslcert createserver     : Generates a QuantaStor Server and REST interface certificates using the CA.
  qs-sslcert certcreatetar    : Creates a tar archive of the generated self-signed certificates. You must copy this via scp to all systems in the storage grid and manually run the install.sh script within the tar file.
  qs-sslcert certtarrm        : Removes the generated Certificate Authority(CA) and associated certificates
  qs-sslcert setpempassword   : Sets the PEM Password to be used for Certificate and Private Key generation
  qs-sslcert certtarmkdir     : Creates the directory qscerts and changes into that working directory
  qs-sslcert convertcustom    : Converts custom .pem files into QuantaStor style Certificates
  qs-sslcert resetlegacycerts : Resets the certificates back to the old legacy certs from QS v3 (not recommended).
Self Generating 2048-bit Certificates
The qs-sslcert utility can generate an entire CA trust chain with 2048-bit SSL certificates and SHA256 protected private keys using the command below; follow the on-screen prompts to specify the certificate properties. If you are unsure what properties to provide, defaults are offered that you can accept by pressing the Return/Enter key. It is recommended that you set a password to protect your private keys unless you are running on a trusted private network.
This command will generate a .tgz archive with the certificates that you can then deploy on your other QuantaStor grid nodes.
If you would prefer to have some certificates identified by region (for example, one set of certificates for QuantaStor systems in London and a different set for units in Dallas), you can run the commands below multiple times after first running 'qs-sslcertgen createca' or 'qs-sslcertgen createall' to establish your Certificate Authority chain. The last command will generate a .tgz archive of certificates that have those specific properties:
qs-sslcert createclient
qs-sslcert createserver
qs-sslcert certcreatetar
Certificates from your own CA
If you would prefer to use your own custom certificates issued by your own Certificate Authority, you can create a certificate deployment package for QuantaStor from those certificates using the commands below. If you need separate certificates for different regions or for specific server FQDNs, place the custom certificates for each and run the commands once per set. The first command provides the location to place your custom certificates into, the second converts those certificates into the forms supported by QuantaStor, and the last generates a .tgz archive of the final certificates.
qs-sslcert createdir
qs-sslcert convertcustom
qs-sslcert certcreatetar
Please note that the certificates need to be provided in .pem format, typically with the certificate and key in the same file (except for the CA certificate, which must not include your CA's private key). The required file names and their contents are listed below. If your custom certificates are not available in .pem format or do not work correctly with the script we have provided, please contact OSNEXUS support for additional assistance.
custom_qscacert.pem - should contain your Certificate Authority's root certificate
custom_qsserver.pem - should contain the private key and CA-signed certificate intended for the QuantaStor Management and RestAPI services.
custom_qsclient.pem - should contain the private key and CA-signed certificate intended for the QuantaStor client certificate used for node-to-node grid communication (does not need to be unique).
custom_webmanager.pem - (optional) should contain the private key and CA-signed certificate intended for the QuantaStor WebManagement interface. Provide this file if you want the FQDN you use to log in to the WebUI to match the certificate, removing the need for a security override in your browser. If you do not provide this certificate, it is generated from the custom_qsserver.pem certificate instead.
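A quick structural check of the custom_*.pem files before running convertcustom catches the two mistakes this layout invites: a CA file that carries its private key, and a server or client file that is missing one. The script below is an added example, not part of QuantaStor or qs-sslcert; it inspects PEM block labels only, and the sample bundle it runs on is constructed placeholder data, not real key material.

```python
"""Pre-check custom_*.pem files before qs-sslcert convertcustom (added example,
not OSNEXUS code).  Only PEM labels and base64 bodies are inspected, enough to
catch a CA file that carries its private key or a server/client file without one."""
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
# Per file, from the page: (needs certificate, needs private key, file is optional)
EXPECTED = {
    "custom_qscacert.pem": (True, False, False),
    "custom_qsserver.pem": (True, True, False),
    "custom_qsclient.pem": (True, True, False),
    "custom_webmanager.pem": (True, True, True),
}

def pem_labels(text):
    """Labels of the PEM blocks in text; ValueError if a body is not base64."""
    labels = []
    for label, body in PEM_BLOCK.findall(text):
        base64.b64decode("".join(body.split()), validate=True)
        labels.append(label)
    return labels

def check_bundle(files):
    """files maps file name -> PEM text; returns problems (empty list = pass)."""
    problems = []
    for name, (needs_cert, needs_key, optional) in EXPECTED.items():
        if name not in files:
            if not optional:
                problems.append(f"{name}: missing")
            continue
        labels = pem_labels(files[name])
        has_key = bool(KEY_LABELS & set(labels))
        if needs_cert and "CERTIFICATE" not in labels:
            problems.append(f"{name}: no CERTIFICATE block")
        if needs_key and not has_key:
            problems.append(f"{name}: no private key block")
        if not needs_key and has_key:
            problems.append(f"{name}: must not contain the CA private key")
    return problems

# Constructed sample input (not real key material): the CA file wrongly carries a
# key and the client file lacks one, so both should be reported.
FAKE = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
def block(label):
    return f"-----BEGIN {label}-----\n{FAKE}\n-----END {label}-----\n"
SAMPLE_BUNDLE = {
    "custom_qscacert.pem": block("CERTIFICATE") + block("RSA PRIVATE KEY"),
    "custom_qsserver.pem": block("PRIVATE KEY") + block("CERTIFICATE"),
    "custom_qsclient.pem": block("CERTIFICATE"),
}
```

To use it on a real bundle, read each file in the qscerts directory into a dict keyed by file name and pass it to check_bundle; it does not verify signatures or that a key matches its certificate, which convertcustom and your CA tooling still have to confirm.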