Managing certificates to secure communications between GUI web server and web browsers

The IBM Storage Scale system supports both self-signed certificates and certificates that are signed by a certificate authority (CA) to secure communications between the GUI server and the web browser.

During system setup, an initial self-signed certificate is created for secure connections between the GUI web servers and web browsers. Based on the security requirements for your system, you can either create a new self-signed certificate or install a certificate that is signed by a certificate authority. Self-signed certificates cause web browser security warnings, train users to click through such warnings, and might not comply with organizational security guidelines.

Trusted certificates are signed by a certificate authority that verifies, before it signs, that the requester controls the host name that is named in the certificate. A CA signature does not by itself make the TLS connection stronger: the key length and the cipher suites that protect the data are independent of who signed the certificate. What the signature provides is a chain of trust that the browser can validate, so the certificate does not cause browser security warnings. Trusted certificates are also stored in the Liberty profile SSL keystore.

Major web browsers trust the well-known public certificate authorities by default, and therefore can confirm that the certificate that they receive from the GUI server is trustworthy. You can either buy a signed certificate from a trusted third-party authority, or generate your own key and certificate request and have it signed by a CA (a public CA, or an internal CA whose root your organization's browsers already trust). You can use both self-signed and trusted certificates. However, using a trusted certificate is the preferred way because the browser trusts this certificate automatically, without manual intervention on every client.

You can use either the Services > GUI page in the GUI or the CLI to install and use the certificates.

Obtain and import certificates by using the GUI

You can use the Services > GUI page in the GUI to complete the following tasks:

  1. Generate a self-signed certificate by using the Install Self-Signed Certificate option.
  2. Generate a certificate request and install it after getting it certified by the CA by using the Create Certificate Request option.
    Note: You can specify Subject Alternative Names (SAN) in the request if the OpenSSL version on the GUI node is 1.1.1 or later. Include the fully qualified host name that users type to reach the GUI as a SAN: current browsers match the host name against the SAN entries rather than the Common Name, so a certificate without a matching SAN still produces a warning.
  3. Install an already issued certificate by using the Import Certificate option.
  4. View the details of the certificate that is applied on the local GUI node by using the View Certificate option.

Obtain and import a signed certificate from a trusted certificate authority by using the CLI

Complete the following steps to obtain and import a signed certificate from a trusted certificate authority:

  1. Generate a private key by issuing the following command:
    openssl genrsa -out <nameOfYourKey>.key 2048
  2. Generate the certificate request as shown in the following example. Use the fully qualified host name under which browsers reach the GUI as the Common Name, and add the same name as a Subject Alternative Name (see the note under the GUI procedure), because browsers validate the host name against the SAN:
    openssl req -new -key <nameOfYourKey>.key -out <nameOfYourKey>.csr
    The system prompts you to enter the following details:
    Country Name (2 letter code) [XX]:
    State or Province Name (full name) []: 
    Locality Name (eg, city) [Default City]: 
    Organization Name (eg, company) [Default Company Ltd]:
    Organizational Unit Name (eg, section) []: 
    Common Name (eg, your name or your server's hostname) []:
    Email Address []: 
    Please enter the following 'extra' attributes to be sent with your certificate request 
    A challenge password []: 
    An optional company name []:
  3. Send the certificate request to the trusted certificate authority, which returns a certificate file. The private key never leaves the GUI node; only the request is sent.
  4. Create a PKCS12 store that contains the certificate and the private key, as shown in the following example. If the CA also returned intermediate CA certificates, include them in the store so that the GUI serves the complete chain; otherwise browsers that do not already hold the intermediate certificate cannot build the chain and still warn:
    openssl pkcs12 -export -in <yourCertificateFile> -inkey <nameOfYourKey>.key -out <nameOfYourPKCS12File>.p12

    The system prompts to set the export password as shown in the following example:

    Enter export Password: <yourPassword>
    Verifying - Enter export Password: <yourPassword>
  5. Generate a Java™ keystore file (.jks) by using the keytool. Issue the following command to generate the file:
    /usr/lpp/mmfs/java/jre/bin/keytool -importkeystore -srckeystore <NameOfYourPKCS12File>.p12 -destkeystore <NameOfYourJKSFile>.jks -srcstoretype pkcs12
    The system prompts you to enter the destination keystore password. You need to use the same password that you used when you created the PKCS12 store.
    Enter destination keystore password: <yourPassword>
    Re-enter new password: <yourPassword>
    Enter source keystore password: <yourPassword>
  6. If you do not want the password to be stored in plain text, encode it in XOR with the Liberty security utility as shown in the following example. Note that XOR encoding is obfuscation, not encryption: anyone who can read the configuration file and run the same utility can recover the password, so it protects against casual disclosure, not against an attacker who has access to the GUI node. Restrict file permissions on the keystore and the configuration accordingly.
    /opt/ibm/wlp/bin/securityUtility encode <yourPassword>
  7. Issue the following command:
    /usr/lpp/mmfs/gui/cli/sethttpskeystore <pathToKeystore>.jks

    This command imports the keystore into the WebSphere® configuration, where it is used for secure connections. You are prompted to enter your keystore password. You can use either the plain-text password or the XOR-encoded password that you created in the previous step.

Note: The command /usr/lpp/mmfs/gui/cli/lshttpskeystore shows whether a custom keystore with a user-defined certificate is active. To return to the default GUI certificate, issue the /usr/lpp/mmfs/gui/cli/rmhttpskeystore command.
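The following script is an added example, not code from the IBM Storage Scale documentation or product: it drives the CLI procedure above (key, CSR with a Subject Alternative Name, signed certificate, PKCS12 with the CA chain, JKS, sethttpskeystore) non-interactively and adds the checks a practitioner wants before handing the keystore to the GUI. The host name, organization, password and scratch directory are assumptions, and a throwaway local CA stands in for the real CA so that the flow runs offline; with a real CA, send the generated .csr to it and save the returned certificate in place of the sign_csr step. The keytool and sethttpskeystore steps are skipped when the script is not run on a GUI node.

```shell
#!/bin/sh
# Added example (not IBM Storage Scale or Liberty code). Assumptions: host name,
# organization, password, scratch directory, and a stand-in CA used in place of
# the real certificate authority so the whole flow can run offline.
set -eu

WORK="${WORK:-$(mktemp -d)}"                            # scratch directory (assumed)
GUI_HOST="${GUI_HOST:-gui1.example.com}"               # assumed FQDN of the GUI node
PASS="${P12_PASSWORD:-changeit}"                       # assumed export/keystore password
KEYTOOL="${KEYTOOL:-/usr/lpp/mmfs/java/jre/bin/keytool}"    # paths from the procedure
SETKS="${SETKS:-/usr/lpp/mmfs/gui/cli/sethttpskeystore}"

# Step 1: private key, exactly as in the procedure.
gen_key() {
  openssl genrsa -out "$WORK/gui.key" 2048 2>/dev/null
}

# Step 2: CSR. -subj replaces the interactive prompts; -addext puts the Subject
# Alternative Name into the request (OpenSSL 1.1.1 or later). Browsers match the
# host name against the SAN, not the Common Name, so a CSR without it yields a
# certificate that still warns.
gen_csr() {
  openssl req -new -key "$WORK/gui.key" -out "$WORK/gui.csr" \
    -subj "/C=US/O=Example Corp/CN=$GUI_HOST" \
    -addext "subjectAltName=DNS:$GUI_HOST,DNS:gui1"
}

# Step 3 stand-in: a throwaway local CA signs the request so the example is
# self-contained. A real CA does this for you.
make_stand_in_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/C=US/O=Example Corp/CN=Example Test CA" 2>/dev/null
}
sign_csr() {
  # openssl x509 -req does not copy CSR extensions by default, so restate the SAN.
  printf 'subjectAltName=DNS:%s,DNS:gui1\nextendedKeyUsage=serverAuth\n' "$GUI_HOST" \
    > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/gui.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/ext.cnf" -out "$WORK/gui.crt" 2>/dev/null
}

# Checks before packaging: the certificate must chain to the CA, carry the SAN,
# and belong to our private key (a CA reply for the wrong CSR fails the last one).
verify_chain() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/gui.crt" >/dev/null; }
cert_san()     { openssl x509 -in "$WORK/gui.crt" -noout -ext subjectAltName; }
key_matches_cert() {
  [ "$(openssl pkey -in "$WORK/gui.key" -pubout)" = \
    "$(openssl x509 -in "$WORK/gui.crt" -noout -pubkey)" ]
}

# Step 4: PKCS12. -certfile bundles the CA chain so the GUI serves it; -passout
# replaces the export-password prompt.
build_p12() {
  openssl pkcs12 -export -in "$WORK/gui.crt" -inkey "$WORK/gui.key" \
    -certfile "$WORK/ca.crt" -name gui -out "$WORK/gui.p12" -passout "pass:$PASS"
}
# Number of certificates in the store: 2 here (GUI certificate plus stand-in CA).
p12_cert_count() {
  openssl pkcs12 -in "$WORK/gui.p12" -passin "pass:$PASS" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Step 5: JKS via keytool, using the same password for the PKCS12 and the JKS as
# the procedure requires. Skipped when keytool is not present.
import_jks() {
  if [ ! -x "$KEYTOOL" ]; then
    echo "keytool not found at $KEYTOOL; skipping JKS conversion" >&2; return 0
  fi
  "$KEYTOOL" -importkeystore -srckeystore "$WORK/gui.p12" -srcstoretype pkcs12 \
    -srcstorepass "$PASS" -destkeystore "$WORK/gui.jks" -deststoretype jks \
    -deststorepass "$PASS" -noprompt
}

# Step 7: hand the keystore to the GUI (the command prompts for the password),
# then show which keystore is active.
install_keystore() {
  if [ ! -x "$SETKS" ]; then
    echo "$SETKS not found; run on a GUI node to install $WORK/gui.jks" >&2; return 0
  fi
  "$SETKS" "$WORK/gui.jks" && /usr/lpp/mmfs/gui/cli/lshttpskeystore
}

main() {
  gen_key; gen_csr; make_stand_in_ca; sign_csr
  verify_chain
  key_matches_cert
  cert_san
  build_p12
  echo "certificates in PKCS12: $(p12_cert_count)"
  import_jks; install_keystore
}
main
```

Run it with GUI_HOST set to the real host name and P12_PASSWORD set to the password you will later give sethttpskeystore. If the GUI node's JRE is old enough that keytool rejects a PKCS12 written by OpenSSL 3 (which uses newer default encryption algorithms for the store), re-run the openssl pkcs12 step with its -legacy option. Delete the scratch directory after the keystore is installed: it holds the private key.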