Custom SSL TLS Security

From OSNEXUS Online Documentation Site
Revision as of 06:59, 15 June 2022 by Qadmin (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Enhanced Default security starting with QuantaStor 3.15 and custom TLS Ciphers

Many recent security vulnerabilities have been discovered in SSL, it is advised that support for the SSLv2 and SSLv3 be deprecated in favor of the more secure TLS protocols. In the past, QuantaStor has used the preferred TLS protocols for all Grid, API and Web Manager communication. However, there was still legacy support included for the older SSL based protocols.

Starting with the QuantaStor 3.15 release, communication will be limited to the TLSv1.0 or greater protocols for all QuantaStor Grid communication, the QuantaStor RestAPI service and the QuantaStor Web Manager. SSLv2/v3 and the less secure crypto ciphers will be disabled by default.

The file that defines the crypto ciphers list is available at the below location on a QuantaStor appliance running 3.15 or newer and can be modified if you so choose to implement your own custom list of ciphers.

crypto cipher definition file:


Default crypto cipher list:


With 3.15, you can now enable support for the TLSv1.2 protocol with modern Web Clients such as Google Chrome or Mozilla Firefox. TLSv1.2 requires an upgrade in the Java version used by the web server, the command to enable the java release that supports TLSv1.2 for existing deployments is below.

qs-util java7upgrade

Generating or installing Custom SSL Certificates

We have the ability to install custom SSL certificates or generate your own security certificates for use with the QuantaStor Grid communication, the QuantaStor RestAPI service and the QuantaStor Web Manager.


qs-sslcert is a helper utility for installing, reseting and generating strong SSL certificates for QuantaStor grid management.


     qs-sslcert printcerts             : Shows information about what certificates are in use.

     qs-sslcert generatecerts          : Creates all storage grid certificates (CA, Client, Server, REST) and generates a tar based installer.
                                       : NOTE, please run this command inside of a directory where you would like to create your certificate chain tar

     qs-sslcert installcerts           : Installs all storage grid certificates (CA, Client, Server, REST) included in the extracted tar.

     qs-sslcert resetcerts             : Resets the certificates back to the default certificates included with QuantaStor.

  Advanced Commands (Support Use Only)

     qs-sslcert createca               : Generates a self-signed Certificate Authority(CA) from which other certs can be generated.
     qs-sslcert createclient           : Generates a QuantaStor Client certificate using the CA.
     qs-sslcert createserver           : Generates a QuantaStor Server and REST interface certificates using the CA.
     qs-sslcert certcreatetar          : Creates a tar archive of the generated self-signed certificates. You must copy this via scp to all systems in the storage grid and manually run the script within the tar file.
     qs-sslcert certtarrm              : Removes the generated Certificate Authority(CA) and associated certificates
     qs-sslcert setpempassword         : Sets the PEM Password to be used for Certificate and Private Key generation
     qs-sslcert certtarmkdir           : Creates the directory qscerts and changes into that working directory
     qs-sslcert convertcustom          : Converts custom .pem files into QuantaStor style Certificates
     qs-sslcert resetlegacycerts       : Resets the certificates back to the old legacy certs from QS v3 (not recommended).

Self Generating 2048-bit Certificates

The qs-sslcert utility can generate an entire CA trust chain with 2048-bit SSL certificates and SHA256 protected private keys using the below command and following the onscreen prompts to specify the Certificate properties. If you are unsure what properties to provide, we provide defaults that you can accept by hitting the return/enter key. It is recommended that you provide a password to secure your private keys unless you are running on a trusted private network.

qs-sslcert generatecerts

This command will generate a .tgz archive with the certificates that you can then deploy on your other QuantaStor grid nodes.

If you would prefer to have some certificates be identified by region (for A set of QuantaStor systems in London and a different set of certificates for units in Dallas for instance), you can run the below commands multiple times after first running a 'qs-sslcertgen createca' or 'qs-sslcertgen createall' to estabilish your Certificate authority chain. The last command will generate a .tgz archive of certificates that have those specific properties:

qs-sslcert createclient
qs-sslcert createserver   
qs-sslcert certcreatetar 

Certificates from your own CA

If you would prefer to use your own custom certificates generated from your own Certificate Authority, you can create a certificate deployment package for QuantaStor from your customer certificates using the below commands. If you wish to have many certificates for different regions or specific server FQDN's, you would place your custom certificates and run the commands for each. The first command will provide the location to place your customer certificates into, the second command will convert those certificates into the forms support by QuantaStor. The last command will generate a .tgz archive of the final certificates.

qs-sslcert createdir 
qs-sslcert convertcustom
qs-sslcert certcreatetar 

Please note that the Certificates need to be provided in .pem format typically with the certificate and keyfile in the same file (except for the CA Certificate, which should not include the Private key for your CA). Detailed below are what these files should be called and what their specific contents should be. If you have custom certificates that are not available in pem format or do not appear to work correctly with the script we have provided, please contact OSNEXUS support for additional assistance.

custom_qscacert.pem   - should contain your Certificate Authorities root certificate
custom_qsserver.pem   - should contain the private key and CA signed certificate intended for the QuantaStor Management and RestAPI services.
custom_qsclient.pem   - should contain the private key and CA signed certificate intended for the QuantaStor client certificate used for
                        node-to-node grid communication. (does not need to be unique)
custom_webmanager.pem - (optional) should contain the private key and CA signed certificate intended for the QuantaStor WebManagement interface.
                        You can provide this file if you wish to have the FQDN that you use to login to the WebUI match the Certificate and
                        remove the need to force a security override in your browser. If you do not provide this certificate it is instead
                        generated based on the custom_qsserver.pem certificate.