
HP StoreAll Storage User Manual


IMPORTANT:

HP recommends that you use certificates signed by a signing authority like VeriSign only when you have configured load balancing for an Object Store. Self-signed certificates can be used for the Object Store proxy endpoint and Keystone IP by following the steps provided in this section. Configuring an authority-signed certificate directly on an Object Store does not work, because there are multiple proxy IPs and Keystone IPs for the certificate's common name.

1. Create a digital certificate.

Create an SSL certificate with more than one common name. To do this, you must modify
openssl.cnf:

Sample command

vim /etc/pki/tls/openssl.cnf

Sample output

organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
-commonName = Common Name (eg, your name or your server\'s hostname)
-commonName_max = 64

+1.commonName = Common Name 1
+1.commonName_default = 10.21.12.*
+1.commonName_max = 64
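
Review bot: The removed commonName and commonName_max lines leave 1.commonName as the only common-name field, yet the prompt transcript further down still asks for "Common Name (eg, your name or your server's hostname)" before "Common Name 1". If both prompts are intended, keep the original entry, numbered as 0.commonName and 0.commonName_max, next to the added 1.commonName lines. The wildcard default 10.21.12.* also deserves a comment stating which proxy and Keystone addresses it is meant to cover.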

Or, generate a self-signed certificate with keystone and proxy IPs as common names:

Sample command

openssl req -new -x509 -nodes -out cert.crt -keyout cert.key

Sample output

Generating a 1024 bit RSA private key
...............................................................++++++
.....................++++++
writing new private key to 'cert.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:10.13.15.86T
Common Name 1 [10.21.12.*]:
Email Address []:
[root@dev-sys1 SSL1]#

2. Create a .pem file using the certificate and the key.

cat cert.crt cert.key > cert.pem

3. Copy the content of the .pem file.

Sample command

cat cert.pem

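A non-interactive version of steps 1 and 2 that refuses to build cert.pem unless the key belongs to the certificate, as an added example that is not from the HP manual. It assumes the openssl CLI is installed, reuses the sample addresses from the prompts above, and requests a 2048-bit key instead of the 1024-bit key in the sample output; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the HP manual. Function names are hypothetical;
# the addresses are the sample values from the prompts above.

# make_cert DIR CN0 CN1: step 1 without prompts, both names as common names.
# Assumption: a 2048-bit key replaces the 1024-bit key in the sample output.
make_cert() {
    ( umask 077   # cert.key must be readable by its owner only
      openssl req -new -x509 -nodes -newkey rsa:2048 \
          -subj "/CN=$2/CN=$3" \
          -out "$1/cert.crt" -keyout "$1/cert.key" 2>/dev/null )
}

# key_matches_cert CRT KEY: true only if KEY is the private key for CRT
# (the public key derived from each must be identical).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# build_pem DIR: step 2, refusing to bundle a key that does not match.
build_pem() {
    key_matches_cert "$1/cert.crt" "$1/cert.key" || return 1
    ( umask 077   # cert.pem contains the private key
      cat "$1/cert.crt" "$1/cert.key" > "$1/cert.pem" )
}

# cn_count FILE: number of commonName entries in the certificate subject.
cn_count() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline | grep -c commonName
}

# key_bits FILE: size of the certificate's public key in bits.
key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Demo in a scratch directory.
tmp=$(mktemp -d) && make_cert "$tmp" 10.13.15.86 '10.21.12.*' &&
    build_pem "$tmp" &&
    echo "CNs=$(cn_count "$tmp/cert.pem") bits=$(key_bits "$tmp/cert.pem")"
rm -rf "$tmp"
```

Clients that match only subjectAltName entries and ignore the subject common name will not accept a certificate built this way for an IP address.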

166 Using Object Store