Configuring TLS/SSL Certificates

Introduction

StorReduce uses Transport Layer Security, also known as TLS or SSL, to secure (encrypt and authenticate) communications between client software and the StorReduce server, and also between the StorReduce server and the back-end Object Store. Communications between the StorReduce server and a web browser displaying the StorReduce Dashboard are also secured with TLS.

The TLS connections are in turn secured using X.509 Certificates, commonly known as SSL Certificates. The SSL certificates are used to authenticate the identity of the communicating systems. For more information please see Wikipedia.

By default the StorReduce server presents a randomly generated SSL certificate, known as a self-signed certificate, to every client. The self-signed certificate provides encryption, but not authentication. It has to be this way because there is no secure way for StorReduce to provide its users with a certificate that the users can trust without communicating with an outside service, and an outside service would raise a different set of security issues. Use of the self-signed certificate can lead to security warnings or a failure to communicate if the client software is unable to trust the certificate. These issues can occur both when:

  1. a client is trying to communicate with the StorReduce server, and

  2. the StorReduce server is trying to communicate with a private object store that presents an untrusted certificate.

In this document we will explain how to configure the StorReduce server to avoid both these issues.

1. How to Add an SSL Certificate to StorReduce

This procedure is necessary to allow clients to authenticate the StorReduce server. If you need to authenticate the object store to StorReduce see section 2 below.

1.1. Get a Certificate

You will need to obtain a certificate for the StorReduce server from a Certificate Authority or CA. Your company may have an internal CA or you might obtain certificates from an external company like Symantec or Thawte.

The certificate should contain a Common Name field which contains the Domain (DNS) name of your StorReduce server.

Important: If you intend to use Virtual Host Style Bucket Addressing then you will need a wildcard certificate with a Common Name field like *.my-dns-name.com and a second certificate with a Common Name field containing the base DNS name (e.g., my-dns-name.com). In most cases you will not need Virtual Host Style Bucket Addressing as most client software supports Path Style Bucket Addressing.

1.2. Convert the Certificate into PEM format

There are a number of different file formats for certificates. StorReduce uses the PEM format; PEM files usually have a .pem extension. If your certificate is in a different format then you will need to convert it into the PEM format. Instructions for converting between formats are beyond the scope of this document, but they can easily be found on the Internet (e.g., http://stackoverflow.com/questions/4691699/how-to-convert-crt-to-pem ).

When this step is complete you should have a .pem file containing your certificate (e.g., my-cert.pem).

1.3. Convert any Intermediate Certificates into PEM format

Sometimes a certificate will come with a set of extra certificates known as a certificate bundle or intermediate bundle. These will need to be converted into PEM format too (see above).

When this step is complete you should have a .pem file containing the intermediate certificates (e.g., my-intermediates.pem).

1.4. Concatenate the Intermediate Certificates and the Certificate Files

Concatenate the intermediate certificate PEM file and the certificate PEM file to form a certificate chain file. If you are familiar with the Unix command line you can use cat, for example:

cat my-intermediates.pem my-cert.pem > my-chain.pem

You could also use a text editor to perform this step.

Important: Put the intermediates before the certificate in the concatenated file.

1.5. Convert the Private Key into PEM Format

See section 1.2 above.

When this step is complete you should have a .pem file containing the private key (e.g., my-private-key.pem).
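
A pre-flight check for the files produced in sections 1.2 to 1.5, run before they are pasted into the dashboard. This is an added example, not StorReduce code: the function names are invented here, the file names follow the page's examples, it assumes the openssl command-line tool is installed, and make_demo_files builds throwaway self-signed certificates as constructed sample input.

```bash
# Pre-flight check for my-chain.pem and my-private-key.pem (added example).
# Function names are this example's own; requires the openssl command-line tool.

# Split a PEM bundle into <dir>/cert-1.pem, cert-2.pem, ... and print the count.
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }' "$1"
}

# Return 0 only if the LAST certificate in the chain file (the page's order:
# intermediates first, server certificate last) carries the key file's public key.
check_chain_and_key() {
    local chain="$1" key="$2" tmp count leaf cert_pub key_pub rc=1
    tmp=$(mktemp -d) || return 2
    count=$(split_chain "$chain" "$tmp")
    leaf="$tmp/cert-$count.pem"
    if grep -q 'PRIVATE KEY-----' "$chain"; then
        echo "FAIL: $chain contains a private key; keep keys out of the certificate field"
    elif [ "$count" -lt 1 ]; then
        echo "FAIL: no certificates found in $chain"
    elif ! key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null); then
        echo "FAIL: cannot read $key (missing, malformed or passphrase-protected)"
    elif ! cert_pub=$(openssl x509 -in "$leaf" -noout -pubkey 2>/dev/null); then
        echo "FAIL: last certificate in $chain does not parse"
    elif [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: last certificate in $chain does not match $key (check the order)"
    else
        echo "OK: $count certificate(s); server certificate:"
        openssl x509 -in "$leaf" -noout -subject -enddate
        rc=0
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Constructed sample input: two throwaway self-signed certificates stand in for
# an intermediate and the server certificate (hypothetical names).
make_demo_files() {
    local dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Intermediate" \
        -keyout "$dir/unused-key.pem" -out "$dir/my-intermediates.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=storreduce.example.com" \
        -keyout "$dir/my-private-key.pem" -out "$dir/my-cert.pem" 2>/dev/null &&
    cat "$dir/my-intermediates.pem" "$dir/my-cert.pem" > "$dir/my-chain.pem"
}
```

Run it as check_chain_and_key my-chain.pem my-private-key.pem; the printed subject can be compared against the DNS name of the StorReduce server from section 1.1.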

1.6. Paste the PEM encoded Certificate into the Settings screen

Open the StorReduce dashboard and browse to the Settings tab, then click the SSL\TLS Certificates button on the left-hand side.

Open the PEM chain file (e.g., my-chain.pem) in a text editor, then copy and paste the entire contents of the file into the S3 API SSL/TLS Certificate field:

SSL/TLS Certificate Settings

Open the PEM private key file (e.g., my-private-key.pem) in a text editor, then copy and paste the entire contents of the file into the S3 API SSL/TLS Private Key field:

SSL/TLS Private Settings

1.7. Optional: Use the same certificate for the Admin Interface or Dashboard

Repeat the steps in section 1.6, but paste the contents of the chain file into Admin API SSL/TLS Certificate and the contents of the private key file into Admin API SSL/TLS Private Key.

1.8. Restart the StorReduce Server

Click the Save Settings ... button at the bottom of the Settings page.

2. How to Add an SSL Root Certificate to StorReduce

2.1. Obtain the Root CA Certificate for the Object Store

Get the Root CA certificate that was used to sign the object store’s certificate. The person who set up the object store should have this.

2.2. Convert the Root CA Certificate into PEM format

The Root CA certificate might be in a file format other than PEM. If it is, convert it to PEM format (see section 1.2 above).

2.3. Paste the Root CA Certificate into the StorReduce Settings page

Open the StorReduce dashboard, browse to the Settings tab and scroll down to the Root CA Certificates section. Check the Custom Root CA certificate check box.

Open the Root CA Certificate PEM file in a text editor, then copy and paste the entire contents of the file into the text field under the Custom Root CA certificate check box:

Root CA Certificates

2.4. Restart the StorReduce server

Click the Save Settings ... button at the bottom of the Settings page.

Summary

In this document we have explained how to configure the SSL Certificate Settings in the StorReduce server. If you have any questions please contact StorReduce Support at help@storreduce.com.