Managing certificates to secure communications between GUI web server and web browsers

The IBM Spectrum Scale™ system supports self-signed and trusted certificates that are provided by a certificate authority (CA) to secure communications between the system and web browser.

During system setup, an initial self-signed certificate is created to use for secure connections between the GUI web servers and web browsers. Based on the security requirements for your system, you can create either a new self-signed certificate or install a signed certificate that is created by a certificate authority. Self-signed certificates can generate web browser security warnings and might not comply with organizational security guidelines. The self-signed certificates are stored in the Liberty profile SSL keystore, which is located in the resources/security directory on the server. You can find this directory in the following path: /opt/ibm/wlp/usr/servers/gpfsgui/resources/security.

The trusted certificates are created by a third-party certificate authority. These certificate authorities ensure that certificates have the required security level for an organization based on purchase agreements. Trusted certificates usually have higher security controls for encryption of data and do not cause browser security warnings. Trusted certificates are also stored in the Liberty profile SSL keystore.

Major web browsers trust CA-certified certificates by default and therefore they can confirm that the certificate presented by the GUI server can be trusted. You can either buy a signed certificate from a trusted third-party authority or create your own certificate and get it certified. You can use both self-signed and trusted certificates. However, using a trusted certificate is the preferred way because the browser trusts this certificate automatically without any manual intervention.

Obtaining and importing a signed certificate from a trusted certificate authority

You need to perform the following steps to obtain and import a signed certificate from a trusted certificate authority:

  1. Generate a private key by issuing the following command:
    openssl genrsa -out <nameOfYourKey>.key 2048
  2. Generate the certificate request as shown in the following example:
    openssl req -new -key <nameOfYourKey>.key -out <nameOfYourKey>.csr
    The system prompts you to enter the following details:
    Country Name (2 letter code) [XX]:
    State or Province Name (full name) []: 
    Locality Name (eg, city) [Default City]: 
    Organization Name (eg, company) [Default Company Ltd]:
    Organizational Unit Name (eg, section) []: 
    Common Name (eg, your name or your server's hostname) []:
    Email Address []: 
    Please enter the following 'extra' attributes to be sent with your certificate request 
    A challenge password []: 
    An optional company name []:
  3. Send the certificate request to a trusted certificate authority to get a certificate file.
  4. Create a PKCS12 store containing the certificate as shown in the following example:
    openssl pkcs12 -export -in <yourCertificateFile> -inkey <nameOfYourKey>.key -out <nameOfYourPKCS12File>.p12

    The system prompts you to set the export password as shown in the following example:

    Enter export Password: <yourPassword>
    Verifying - Enter export Password: <yourPassword>
  5. Generate a Java™ keystore file (.jks) by using the keytool. The keytool is stored in the following directory: /opt/ibm/wlp/java/jre/bin. Ensure that you set the paths to the Java keystore file properly in the system. Issue the following command to generate a Java keystore file:
    <PathToKeytool>/keytool -importkeystore -srckeystore <NameOfYourPKCS12File>.p12 -destkeystore <NameOfYourJKSFile>.jks -srcstoretype pkcs12
    The system prompts you to enter the destination keystore password. You need to use the same password that you used while creating the PKCS12 store.
    Enter destination keystore password: <yourPassword>
    Re-enter new password: <yourPassword>
    Enter source keystore password: <yourPassword>
  6. Copy the new Java keystore file to the directory named security, which is stored in the GUI server. This directory is located at the following location in the GUI server: /opt/ibm/wlp/usr/servers/gpfsgui/resources/security. It is the default place where keystore files are stored.
    cp <NameOfYourJKSFile>.jks <pathToSecurityDir>
  7. You need to define the password to access the Java keystore file in the server.xml file, which is stored in the GUI server. If you want to encode your password so that it does not get stored in plain text, use the security utility, which is stored in the following directory: /opt/ibm/wlp/bin. The supported encodings are XOR and AES.
    <PathToSecurityUtility>/securityUtility encode --encoding=<xor or aes> <yourPassword>
  8. Edit the keystore entry of the server.xml file for the GUI server to enable the new key. The server.xml file is located at the following location: /opt/ibm/wlp/usr/servers/gpfsgui. The following entry is on one line:
    <keyStore id="defaultKeyStore" password="<yourPassword> or <yourEncodedPassword>" location="<nameOfYourJKSFile>.jks" />
  9. Restart the IBM Spectrum Scale management GUI by issuing the following commands:
    For RHEL7 or SLES12: systemctl restart gpfsgui
    For RHEL6: service gpfsgui restart
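Before the CA-issued certificate is packaged into the PKCS12 store in step 4, it is worth confirming that it matches the private key from step 1, names the GUI host that browsers will connect to, and is not about to expire; otherwise the keystore imports cleanly in step 5 but the browser warnings return after the restart in step 9. The following script is an added example, not part of the IBM documentation: it assumes only openssl is installed, the file names, host name and the P12_PASS variable are placeholders, and the self-signed certificate it constructs for the demo stands in for the CA-issued one.

```shell
#!/bin/sh
# Added example, not from the IBM documentation: pre-flight checks to run on a
# CA-issued certificate before packaging it into the PKCS12 store (step 4).
# Assumes only openssl; file names, host name and P12_PASS are placeholders.
set -eu

# Succeed only if the public key in the certificate matches the private key.
cert_matches_key() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# Succeed only if the certificate names the GUI host in subjectAltName or CN.
cert_covers_host() {
    openssl x509 -noout -text -in "$1" | grep -A1 'Subject Alternative Name' |
        grep -qE "DNS:$2(,|[[:space:]]|\$)" && return 0
    openssl x509 -noout -subject -in "$1" | grep -qE "CN *= *$2(,|/|\$)"
}

# Succeed only if the certificate stays valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null
}

# Run all checks, then build the PKCS12 store for step 4; the export password
# is read from the P12_PASS environment variable, not from the command line.
preflight() {
    cert=$1 key=$2 host=$3
    cert_matches_key "$cert" "$key" || { echo "cert/key mismatch" >&2; return 1; }
    cert_covers_host "$cert" "$host" || { echo "cert does not name $host" >&2; return 1; }
    cert_valid_for_days "$cert" 30 || { echo "cert expires within 30 days" >&2; return 1; }
    openssl pkcs12 -export -in "$cert" -inkey "$key" -out "${cert%.crt}.p12" -passout env:P12_PASS
}

# Constructed stand-in for a CA-issued certificate: a self-signed cert with a SAN.
make_sample() {
    openssl genrsa -out "$1/gui.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$1/gui.key" -out "$1/gui.crt" \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" 2>/dev/null
}

if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d); make_sample "$dir" gui.example.com
    P12_PASS=demo-only; export P12_PASS
    preflight "$dir/gui.crt" "$dir/gui.key" gui.example.com && echo "wrote $dir/gui.p12"
fi
```

Run it with `--demo` to see the checks pass on the constructed certificate; with a real CA-issued certificate, point `preflight` at that file and at the key from step 1 and continue with step 5 only when it succeeds.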