All communication between the XIV GUI, XCLI, Multi-System Manager and XIV systems utilize Secure Sockets Layering (SSL) via x509 certificates.
Beginning with XIV Storage System Software version 11.2 and XIV Storage Management Software version 4.1, you have the flexibility to install and use your own x509 certificates in addition to the built-in certificate.
You can choose to use a certificate that is signed by either a trusted Certificate Authority (CA) vendor or your organization’s own private CA server.
There are four steps required to use your own certificate:
- Generate a Certificate Signing Request (CSR) file from the XIV Storage System.
- Obtain a signed certificate using the CSR file, either from a CA vendor, or with your own CA server.
- Install the signed certificate on the XIV Storage System.
- Instruct the XIV GUI to trust the new signed certificate.
Step 1To generate the CSR from the XIV GUI, select Manage Certificates from the System Settings to get the Certiificate Management Panel and click the Generate CSR icon
In the Generate CSR panel , enter a unique value for the name of the Certificate in the Name field.
In the Subject field, enter a value for the subject of the certificate. The subject field represents the values that uniquely identify this system, and are commonly called, collectively, the distinguished name (DN).
The acceptable format for the subject field is a string of attribute=value pairs, each preceded by a slash. Spaces are not permitted. In our example, we use the value /CN=xivhost/O=itso/L=Tucson/ST=AZ/C=US
Click Generate to Generate the CSR file and then save it .Choose the appropriate location and save the CSR file. You will provide this file to your CA in order to produce a signed certificate.
Use the CSR file you just created to obtain a signed x509 certificate, either from a trusted CA vendor, or from your organization’s own CA server.
Once you have obtained the signed certificate, return to the Certificate Management panel and click on the Import Certificate icon
Click the Browse button to open a file browser window and select the signed certificate file.
Click the corresponding check boxes to select the Services your would like to use this certificate for. The options are:
- All: Use this certificate to secure all communications.
- XCLI: Use this certificate to secure XCLI communication only.
- IPSec: Use this certificate to secure IPsec traffic (for more information on IPSec, see.
- CMI: Use this certificate to secure CIM Agent communications only.
If the certificate type is PCKS12 (.p12 file extension), enter values for the Name and Password for the certificate.
Click Import to complete the import of the signed certificate into the XIV Storage System.
Once you have imported your own certificate into the XIV Storage System, that system will present this certificate to the management tools (GUI, XCLI, etc.) that you use to connect to that system. Since this is a new certificate, the GUI will report a certificate error when connecting to that system. To resolve this error, you must configure the GUI to trust the new certificate.
To do so, right click on the system and choose Manage Certificate The GUI will display the details of the new certificate. Click the Trust Always button to trust this certificate for all future connections.
Note: The XIVTop tool uses the same certificate store as the XIV GUI. Trusting a certificated in the GUI mean that the XIVTop tool will also trust that certificate