summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorZuul <zuul@review.openstack.org>2019-03-15 18:45:49 +0000
committerGerrit Code Review <review@openstack.org>2019-03-15 18:45:49 +0000
commitc87d4c609b60829981d25966ea5420d4ecd3db39 (patch)
treedbcb5e5db3dee3d04c4b7acffa09d5f5c13926f9
parent6beeb83fc648390b2b6172b44b4001b3c192084f (diff)
parentba0842c77a7d862aeaee8a02d7f791ac0ddeb110 (diff)
Merge "VMAX manila doc - SSL Support" into stable/rocky
-rw-r--r--doc/source/configuration/shared-file-systems/drivers/dell-emc-vmax-driver.rst92
1 files changed, 90 insertions, 2 deletions
diff --git a/doc/source/configuration/shared-file-systems/drivers/dell-emc-vmax-driver.rst b/doc/source/configuration/shared-file-systems/drivers/dell-emc-vmax-driver.rst
index 0e04484..9b90bc3 100644
--- a/doc/source/configuration/shared-file-systems/drivers/dell-emc-vmax-driver.rst
+++ b/doc/source/configuration/shared-file-systems/drivers/dell-emc-vmax-driver.rst
@@ -213,6 +213,8 @@ The following parameters need to be configured in the
213 vmax_share_data_pools = <Comma separated pool names> 213 vmax_share_data_pools = <Comma separated pool names>
214 share_driver = manila.share.drivers.dell_emc.driver.EMCShareDriver 214 share_driver = manila.share.drivers.dell_emc.driver.EMCShareDriver
215 vmax_ethernet_ports = <Comma separated ports list> 215 vmax_ethernet_ports = <Comma separated ports list>
216 emc_ssl_cert_verify = True
217 emc_ssl_cert_path = <path to cert>
216 218
217- `emc_share_backend` 219- `emc_share_backend`
218 The plug-in name. Set it to ``vmax`` for the VMAX driver. 220 The plug-in name. Set it to ``vmax`` for the VMAX driver.
@@ -235,18 +237,104 @@ The following parameters need to be configured in the
235 237
236 Examples: pool_1, pool_*, * 238 Examples: pool_1, pool_*, *
237 239
238- `vmax_ethernet_ports` 240- `vmax_ethernet_ports (optional)`
239 Comma-separated list specifying the ports (devices) of Data Mover 241 Comma-separated list specifying the ports (devices) of Data Mover
240 that can be used for share server interface. Do not set this 242 that can be used for share server interface. Do not set this
241 option if all ports on the Data Mover can be used. 243 option if all ports on the Data Mover can be used.
242 Wild card character is supported. 244 Wild card character is supported.
243 245
244 Examples: spa_eth1, spa_*, * 246 Examples: fxg-9-0, fxg-_*, *
245 247
248- `emc_ssl_cert_verify (optional)`
249 By default this is True, setting it to False is not recommended
250
251- `emc_ssl_cert_path (optional)`
252 The path to the This must be set if emc_ssl_cert_verify is True which is
253 the recommended configuration. See ``SSL Support`` section for more
254 details.
246 255
247Restart of the ``manila-share`` service is needed for the configuration 256Restart of the ``manila-share`` service is needed for the configuration
248changes to take effect. 257changes to take effect.
249 258
259SSL Support
260-----------
261
262#. Run the following on eNas Control Station, to display the CA certification
263 for the active CS.
264
265 .. code-block:: console
266
267 $ /nas/sbin/nas_ca_certificate -display
268
269 .. warning::
270
271 This cert will be different for the secondary CS so if there is a failover
272 a different certificate must be used.
273
274#. Copy the contents and create a file with a .pem extention on your manila host.
275
276 .. code-block:: ini
277
278 -----BEGIN CERTIFICATE-----
279 the cert contents are here
280 -----END CERTIFICATE-----
281
282#. To verify the cert by running the following and examining the output:
283
284 .. code-block:: console
285
286 $ openssl x509 -in test.pem -text -noout
287
288 .. code-block:: ini
289
290 Certificate:
291 Data:
292 Version: 3 (0x2)
293 Serial Number: xxxxxx
294 Signature Algorithm: sha1WithRSAEncryption
295 Issuer: O=VNX Certificate Authority, CN=xxx
296 Validity
297 Not Before: Feb 27 16:02:41 2019 GMT
298 Not After : Mar 4 16:02:41 2024 GMT
299 Subject: O=VNX Certificate Authority, CN=xxxxxx
300 Subject Public Key Info:
301 Public Key Algorithm: rsaEncryption
302 Public-Key: (2048 bit)
303 Modulus:
304 xxxxxx
305 Exponent: xxxxxx
306 X509v3 extensions:
307 X509v3 Subject Key Identifier:
308 xxxxxx
309 X509v3 Authority Key Identifier:
310 keyid:xxxxx
311 DirName:/O=VNX Certificate Authority/CN=xxxxxx
312 serial:xxxxx
313
314 X509v3 Basic Constraints:
315 CA:TRUE
316 X509v3 Subject Alternative Name:
317 DNS:xxxxxx, DNS:xxxxxx.localdomain, DNS:xxxxxxx, DNS:xxxxx
318 Signature Algorithm: sha1WithRSAEncryption
319 xxxxxx
320
321#. As it is the capath and not the cafile that is expected, copy the file to either
322 new directory or an existing directory (where other .pem files exist).
323
324#. Run the following on the directory
325
326 .. code-block:: console
327
328 $ c_rehash $PATH_TO_CERTS
329
330#. Update manila.conf with the directory where the .pem exists.
331
332 .. code-block:: ini
333
334 emc_ssl_cert_path = /path_to_certs/
335
336#. Restart manila services.
337
250 338
251IPv6 support 339IPv6 support
252~~~~~~~~~~~~ 340~~~~~~~~~~~~