Veritas Access Solutions Guide for Software-Defined Storage (SDS) Management Platform

Last Published:
Product(s): Access (7.4.2)
Platform: Linux
  1. Introduction
    1.  
      About Veritas Access
    2.  
      About the SDS Management Platform
  2. Deploying the SDS Management Platform with Veritas Access
    1.  
      Deploying the SDS Management Platform
  3. Using the SDS Management Platform interface
    1.  
      Using the SDS Management Platform launchpad
    2.  
      Using the Infrastructure application
    3.  
      Using the Long Term Retention Storage (LTR) application
    4.  
      Operation icons on the SDS Management Platform interface
  4. Setting up SSL in the SDS Management Platform
    1.  
      About setting up SSL in the SDS Management Platform
    2.  
      Generating and installing a new certificate
    3.  
      Creating and upgrading a trust store
  5. Performing authentication
    1.  
      Authentication modules
    2.  
      Certificate-based client authentication
  6. System backup and restore
    1.  
      About system backup and restore
    2.  
      Automatic backups
    3.  
      Manual backups
  7. Troubleshooting
    1.  
      Log locations
    2.  
      Diagnostic reports
    3.  
      Java Virtual Machine (JVM) parameters
    4. SDS Management Platform known issues
      1.  
        If multiple bucket creation requests with different inputs for attributes such as size and layout are in progress in parallel, then a bucket can get created with incorrect attributes
      2.  
        When editing a storage resource or backup server, an Advanced button is available that shows options that you should not change
      3.  
        If you add a Veritas Access cluster where the host includes the protocol (such as, https://10.20.30.40), the provider gets added and collects data but running the LTR workflow fails
      4.  
        When you create a bucket, the status of the task appears as DONE, even though the creation is still in progress
      5.  
        Clicking on a non-mapped Veritas Access cluster directs you to an empty wiki page which shows a table and some data
      6.  
        If you restart the operating system, the SDS Management Platform does not start automatically
      7.  
        When you add a storage resource or backup server, the added resource is not automatically visible
      8.  
        After the SDS log is rotated, the log messages from either Veritas Access or the SDS plugin go to the rotated file instead of the new file
      9.  
        Some of the storage resources may appear as faulted and a warning sign appears next to the cluster IP address in the Infrastructure> Storage Resources page
      10.  
        Creation of STU fails if the S3 user is changed
    5.  
      Software limitations

Generating and installing a new certificate

You can generate certificates in many different ways. Veritas recommends using the KeyStore Explorer, a graphical UI for the Java Keytool. You can also use the Java Keytool.

Veritas Access requires three files to work with the external certificates.

  • Key file: The private key file which is used to create the CSR.

    In the example used in this section, the key.pem file refers to the key file.

  • Certificate file: The certificate file which CA authority provides after signing the CSR.

    In the example used in this section, the cert.pem file refers to the certificate file.

  • CA certificate file: The certificate file which identifies the CA authority.

    In the example used in this section, the ca-cert.pem file refers to the CA certificate file.

Using KeyStore Explorer to generate a new certificate

You can generate and install a new certificate in the SDS Management Platform using the KeyStore Explorer.

To generate and install a new certificate with the KeyStore Explorer

  1. Open the KeyStore Explorer.
  2. You are prompted to select the type of the new KeyStore. Select JKS. Click OK.
  3. Generate a new key pair. Right-click > Generate Key Pair.

    It is recommended to use RSA with a size of 2048 bits.

  4. Configure the certificate settings.

    • It is recommended to use SHA256 with RSA (or stronger) as the signature algorithm. Modern browsers do not support MD5 or SHA-1 RC4.

    • Choose a suitable validity period.

    • A serial number is generated automatically.

    • Give a suitable name. Click on the address book icon to add name entities.

  5. Add Subject Alternative Names (SANs).

    As mentioned in RFC 2818, the use of CN to match the host's identity is deprecated and SAN should be used instead. To do this, click on Add Extensions in the certificate settings dialog, add an extension with the plus icon and choose Subject Alternative Name as the extension type. In the dialog, add at least one DNS entry that matches the host name to access the SDS Management Platform.

  6. Enter the alias.

    Veritas recommends using jetty as the alias though this is not strictly required. You can externally configure the actual alias that is used by the web server.

  7. Enter the key pair password.

    Note:

    The password of the keystore and the key need to be the same

  8. Check the certificate details. Double-click on the key pair in the list to see its properties. Also check that the Subject Alternative Names are visible in the extensions.
  9. Generate CSR. Right-click on the certificate -> Generate CSR.
  10. Export the private key file (key.pem) in .pem format from the generated key pair.
  11. Send the CSR to a certificate authority and let it be signed. The CA signs the CSR and provides the certificate (cert.pem) file. It also provides the CA certificate (ca-cert.pem) file.
  12. Copy the three files (cert.pem, ca-cert.pem and key.pem) to the Veritas Access server.
  13. Login to the Access CLISH and run System > gui_servercertficate > Add. The Veritas Access GUI server now runs with the external certificate. Enter the details of the certificates when prompted.
  14. If a trusted CA certificate is used, then the browser does not show the Insecure webpage messages. If the CA certificate is not trusted, add the ca-cert.pem file to your browser.
Using the Java Keytool to generate a new certificate

The Java Keytool is a command-line tool for certificate management that is bundled with the JDK. The SDS Management Platform bundles a JRE in the installation folder.

  1. Generate keys.

    This creates a new key pair in a new or existing Java Keystore, which can be used to create a CSR, and obtain an SSL certificate from a Certificate Authority (CA). The following command generates a 2048-bit RSA key pair, under the specified alias (domain), in the specified keystore file (keystore.jks):

    keytool -genkeypair -alias <domain> -keyalg RSA -keystore keystore

    If the specified keystore does not already exist, it is created after the requested information is supplied. You are prompted for the keystore password (new or existing), followed by a Distinguished Name prompt (for the private key), then the desired private key password.

    If you want your certificate to not only accept the given common name but rather additional names or IPs, you can use the keytool's SAN (Subject Alternative Names) extension.

    keytool -genkeypair -alias <domain> -keyalg RSA -keystore keystore 
-ext SAN=dns:example.com,dns:localhost,ip:127.0.0.1

  2. Generate CSR for existing private key.

    Use this method if you want to generate a CSR that you can send to a CA to request the issue of a CA-signed SSL certificate. It requires that the keystore and alias already exist. You can use the previous command to ensure this. You can use the following command to create a CSR (domain.csr) signed by the private key identified by the alias (domain) in the (keystore.jks) keystore:

    keytool -certreq -alias <domain> -file <domain.csr> -keystore keystore

    After you enter the keystore's password, the CSR is generated.

  3. Extract the private key from the keystore.

    • Convert the keystore (jks) file to PKCS12 format.

      # keytool -importkeystore -srckeystore keystore -destkeystore 
keystore_pksc12 -deststoretype pkcs12

      Where keystore_pksc12 is the converted keystore file.

    • Extract the key.pem file.

      If you use Open SSL, you can use the following command:

      # openssl pkcs12 -in keystore_pksc12 -nodes -nocerts 
-out key.pem

  4. Provide the CSR file to CA and get the certificate and also the root/intermediate CA certificate files.

  5. Copy the three files (cert.pem, ca-cert.pem and key.pem) to the Veritas Access server.

  6. Login to the Access CLISH and run System > gui_servercertficate > Add. The Veritas Access GUI server now runs with the external certificate. Enter the details of the certificates when prompted.

  7. If a trusted CA certificate is used, then the browser does not show the Insecure webpage messages. If the CA certificate is not trusted, add the ca-cert.pem file to your browser.