SSL certificates

Reference for viewing, importing, or deleting SSL certificates to support connection to a Storage Authentication Service server from an IBM® TS7700 Cluster. Installing SSL certificates also supports direct connections to LDAP servers (from R3.0 or later). Starting from R3.3, TS7700 also allows the user to replace the MI HTTPS SSL certificate with a custom one.

Note: The following topic has been added to the TS7700 Service Information Center for reference only. LDAP setup and administration is a customer task. Contact the customer to obtain an LDAP user ID and password.
Note: If HTTPS is used, the TLS version must be the same on both the TS7700 and the Cloud Server to avoid problems with the SSL Certificate Retrieve.

If a Primary or Alternate Server URL defined by a Storage Authentication Service policy uses the https protocol, a certificate for that address must be defined on this page. The same applies to Direct LDAP policies if the primary or alternate server uses LDAPS. If the policy uses LDAP, a certificate is not required.

The Certificates table displays identifying information for SSL certificates on the cluster. The information that the table shows includes:
Alias
A unique name to identify the certificate on the machine.
Issued To
The distinguished name of the entity that is requesting the certificate.
Fingerprint
A number that specifies the Secure Hash Algorithm (SHA hash) of the certificate. This number can be used to verify the hash for the certificate at another location, such as the client side of a connection.
Expiration
The expiration date of the signer certificate for validation purposes.
Issued By
The issuer of the certificate.
Type
Indicates whether the certificate is Trusted (a trusted certificate that is installed from a remote server) or https (the single certificate that is used for HTTPS connections to the MI).

To import a new SSL certificate, refer to Adding SSL certificates for the Cloud. To delete an existing SSL certificate, select the radio button next to the certificate you want to delete, select Delete from the Select Action menu, and click Go. A confirmation dialog page opens. Confirm your decision to delete the SSL certificate. Click Yes to delete the certificate and close the dialog. Click No to abandon the delete operation and close the dialog. The delete operation applies only to Trusted type certificates.

Warning: The issuer in an X.509 certificate must have a non-empty distinguished name (DN). If the issuer's DN is empty, the certificate is considered not valid, as described in RFC 5280 (Section 4.1.2.4. Issuer).

To replace an SSL certificate, refer to Replacing HTTPS/SDT certificates.

Supported certificate types:
  • .der - A .der file contains binary data. You can use a .der file for a single certificate.
  • .pem - A privacy-enhanced mail .pem format file begins and ends with the following lines:

    -----BEGIN CERTIFICATE-----

    -----END CERTIFICATE-----

    You can use a .pem file for a single certificate.
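A pre-import check that can be run on a workstation, given here as an added example and not as IBM code: it accepts either supported format, computes a fingerprint to compare with the Fingerprint column, and flags the empty issuer DN that the warning above describes. The function names, the SHA-256 default, and the sample bytes (a constructed skeleton holding only the fields up to the issuer, not a real certificate) are assumptions.

```python
import base64, hashlib, re

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def load_der(data):
    """Accept .der bytes or a single-certificate .pem; return DER bytes."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(m.group(1)) if m else data

def fingerprint(der, algo="sha256"):
    """Colon-separated hash of the DER encoding (algorithm is an assumption)."""
    h = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def issuer_is_empty(der):
    """True if the issuer Name holds no RDNs (not valid per RFC 5280 4.1.2.4)."""
    _, pos, _ = read_tlv(der, 0)             # Certificate
    _, pos, _ = read_tlv(der, pos)           # tbsCertificate
    tag, _, end = read_tlv(der, pos)         # [0] version or serialNumber
    if tag == 0xA0:                          # version present: step to serialNumber
        _, _, end = read_tlv(der, end)
    _, _, end = read_tlv(der, end)           # signature AlgorithmIdentifier
    tag, start, end = read_tlv(der, end)     # issuer
    if tag != 0x30:
        raise ValueError("issuer is not a SEQUENCE")
    return start == end

def tlv(tag, body):                          # short-form encoder, samples only
    return bytes([tag, len(body)]) + body

def skeleton(issuer_body):                   # constructed input, not a real cert
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") +
           tlv(0x30, b"") + tlv(0x30, issuer_body))
    return tlv(0x30, tlv(0x30, tbs))

CN = tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, b"Example CA")))
SAMPLE_OK, SAMPLE_EMPTY = skeleton(CN), skeleton(b"")
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_OK) +
              b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for der in (load_der(SAMPLE_PEM), SAMPLE_EMPTY):
        print(fingerprint(der), "issuer empty:", issuer_is_empty(der))
```

For a real file, pass its bytes to `load_der` and compare the result of `fingerprint` with the value shown in the table, using the hash algorithm that the table displays.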

Requirements:

  • If you are replacing the lwiks certificate to set up for external encryption and want to request a new certificate from your CA, be sure to specify that it must work for both TLS Web Server Authentication and TLS Web Client Authentication.