From ba0842c77a7d862aeaee8a02d7f791ac0ddeb110 Mon Sep 17 00:00:00 2001 From: Helen Walsh Date: Fri, 8 Mar 2019 14:03:20 +0000 Subject: [PATCH] VMAX manila doc - SSL Support Documenting the steps for setting up the Secure Socket Layer for trusted communication between the manila host and the eNas Control Station. Change-Id: Ia2efb004125acea08d8bf72d99958c9a4f512dfd (cherry picked from commit c8a0d1715f4d9205c108c672fc82b4dc19e7246a) --- .../drivers/dell-emc-vmax-driver.rst | 92 ++++++++++++++++++- 1 file changed, 90 insertions(+), 2 deletions(-) diff --git a/doc/source/configuration/shared-file-systems/drivers/dell-emc-vmax-driver.rst b/doc/source/configuration/shared-file-systems/drivers/dell-emc-vmax-driver.rst index 0e044845d5..9b90bc385a 100644 --- a/doc/source/configuration/shared-file-systems/drivers/dell-emc-vmax-driver.rst +++ b/doc/source/configuration/shared-file-systems/drivers/dell-emc-vmax-driver.rst @@ -213,6 +213,8 @@ The following parameters need to be configured in the vmax_share_data_pools = share_driver = manila.share.drivers.dell_emc.driver.EMCShareDriver vmax_ethernet_ports = + emc_ssl_cert_verify = True + emc_ssl_cert_path = - `emc_share_backend` The plug-in name. Set it to ``vmax`` for the VMAX driver. 
@@ -235,18 +237,104 @@ The following parameters need to be configured in the Examples: pool_1, pool_*, * -- `vmax_ethernet_ports` +- `vmax_ethernet_ports (optional)` Comma-separated list specifying the ports (devices) of Data Mover that can be used for share server interface. Do not set this option if all ports on the Data Mover can be used. Wild card character is supported. - Examples: spa_eth1, spa_*, * + Examples: fxg-9-0, fxg-_*, * +- `emc_ssl_cert_verify (optional)` + By default this is True, setting it to False is not recommended + +- `emc_ssl_cert_path (optional)` + The path to the This must be set if emc_ssl_cert_verify is True which is + the recommended configuration. See ``SSL Support`` section for more + details. Restart of the ``manila-share`` service is needed for the configuration changes to take effect. +SSL Support +----------- + +#. Run the following on eNas Control Station, to display the CA certification + for the active CS. + + .. code-block:: console + + $ /nas/sbin/nas_ca_certificate -display + + .. warning:: + + This cert will be different for the secondary CS so if there is a failover + a different certificate must be used. + +#. Copy the contents and create a file with a .pem extention on your manila host. + + .. code-block:: ini + + -----BEGIN CERTIFICATE----- + the cert contents are here + -----END CERTIFICATE----- + +#. To verify the cert by running the following and examining the output: + + .. code-block:: console + + $ openssl x509 -in test.pem -text -noout + + .. 
code-block:: ini + + Certificate: + Data: + Version: 3 (0x2) + Serial Number: xxxxxx + Signature Algorithm: sha1WithRSAEncryption + Issuer: O=VNX Certificate Authority, CN=xxx + Validity + Not Before: Feb 27 16:02:41 2019 GMT + Not After : Mar 4 16:02:41 2024 GMT + Subject: O=VNX Certificate Authority, CN=xxxxxx + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + xxxxxx + Exponent: xxxxxx + X509v3 extensions: + X509v3 Subject Key Identifier: + xxxxxx + X509v3 Authority Key Identifier: + keyid:xxxxx + DirName:/O=VNX Certificate Authority/CN=xxxxxx + serial:xxxxx + + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Alternative Name: + DNS:xxxxxx, DNS:xxxxxx.localdomain, DNS:xxxxxxx, DNS:xxxxx + Signature Algorithm: sha1WithRSAEncryption + xxxxxx + +#. As it is the capath and not the cafile that is expected, copy the file to either + new directory or an existing directory (where other .pem files exist). + +#. Run the following on the directory + + .. code-block:: console + + $ c_rehash $PATH_TO_CERTS + +#. Update manila.conf with the directory where the .pem exists. + + .. code-block:: ini + + emc_ssl_cert_path = /path_to_certs/ + +#. Restart manila services. + IPv6 support ~~~~~~~~~~~~
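Review bot: In the first hunk (the sample manila.conf block at @@ -213), the added `emc_ssl_cert_path =` line gives no hint that the value must be a directory prepared with c_rehash rather than a single certificate file, which is what the SSL Support steps added later depend on. Suggest making the sample consistent with step 6, for example `emc_ssl_cert_path = /path_to_certs/`, or adding a one-line pointer to the SSL Support section. Because the sample shows `emc_ssl_cert_verify = True`, it would also help to state what the driver does when verification is on and the path is missing or wrong.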
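Review bot: In the second hunk, the `emc_ssl_cert_path (optional)` entry is broken mid-sentence ("The path to the This must be set if emc_ssl_cert_verify is True") and contradicts its own label: it is marked optional, yet the text says it must be set when verification is on, and the entry above says verification is on by default. Suggest stating what the path points to (step 4 says it is the capath, not the cafile) and describing it as required unless `emc_ssl_cert_verify` is False. The `emc_ssl_cert_verify` entry should say what is verified and what is lost by disabling it, rather than only "not recommended". Smaller points in the SSL Support steps: "extention" should be "extension"; "To verify the cert by running" should read "Verify the cert by running"; "to either new directory" is missing "a"; step 3 reads `test.pem`, a file name step 2 never introduces; the certificate body and the openssl output are tagged `code-block:: ini` though neither is ini; and the warning about the secondary CS should tell the operator what to do ahead of a failover, for example whether both certificates can be placed in the same directory. The new `fxg-_*` example for `vmax_ethernet_ports` also looks like a typo for a wildcard pattern; please confirm.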