The Web user interface (UI) is served over HTTPS, that is, the Hypertext Transfer Protocol (HTTP) over Transport Layer Security (TLS), and is configured with a self-signed TLS certificate. When a user requests the Web UI login page, the browser displays a security warning that the certificate authority (CA) cannot be recognized and prompts the user to add a security exception. After the security exception is added in the browser, the user can proceed to the system's login screen.

In some cases, the IT department may configure workstations to prevent security exceptions from being added. This can prohibit access to the Web UI from these workstations.

Note

A CA is a trusted entity that issues electronic documents that verify a digital entity's identity on the Internet. The electronic documents, which are called digital certificates, are an essential part of secure communication and play an important part in the public key infrastructure (PKI).

A TLS certificate signed by a recognized CA does not require a security exception because web browsers come with a list of recognized trusted certificate authorities. If a valid CA-signed certificate is configured and imported into the Web UI (as described in the following paragraphs), then the user is not prompted to add a security exception before logging in.

To obtain and install a CA-signed certificate, a user with root access must first create a certificate signing request (CSR). The CSR contains information identifying the user (such as location, company name, and common name). The CSR can be generated on the DSC - SP2000 Platform on one of the management nodes, either through the Web UI or using a command-line tool.

Note

When the CSR is generated, the DSC - SP2000 Platform also generates a private key associated with the CSR and stores it on the management node.

After the CSR is created, download it using the Web UI or perform a remote copy (if the CSR was generated from the command line), and then send it to a CA.

The CA takes the CSR, verifies the information contained in the request, and then issues the certificates in the X.509 format. The user is usually issued a certificate bundle, which contains a server certificate and an intermediate (or chain) certificate.   

Note

X.509 is a standard from the International Telecommunication Union for Public Key Infrastructure (PKI).

The final step is to install the certificates on the DSC - SP2000 Platform using the Web UI or the command-line tool. Once the CA-signed certificates are imported, the Web UI restarts and, from then on, can be accessed in a secure manner.

Note

The certificates are issued against a Domain Name System (DNS) name and are obtained by demonstrating control over that specific DNS name. After installation of the CA-signed certificates, the Web UI should only be accessed using that DNS name.

Note

It is the user's responsibility to ensure that the DNS name entered for the CSR and the CA-signed certificates resolves properly.
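
The following is an added example, not part of the platform's own tooling: a pre-install check with the standard openssl CLI that a bundle returned by the CA matches the private key created with the CSR, chains through the intermediate to a trusted root, and covers the DNS name used to reach the Web UI. The function names, file names, the name `ui.example.test`, and the throwaway test PKI are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example: all names, paths and the DNS name below are constructed.

# check_bundle CERT KEY INTERMEDIATE ROOT DNSNAME -> 0 only if every check passes
check_bundle() {
    cert=$1 key=$2 inter=$3 root=$4 name=$5 rc=0
    # 1. Certificate must carry the public key of the key created with the CSR.
    pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || pub=
    if [ -z "$pub" ] || [ "$pub" != "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]; then
        echo "FAIL: certificate does not match private key"; rc=1
    fi
    # 2. Server certificate -> intermediate -> root must verify.
    if ! openssl verify -CAfile "$root" -untrusted "$inter" "$cert" 2>/dev/null |
            grep -q ': OK$'; then
        echo "FAIL: chain does not verify"; rc=1
    fi
    # 3. Certificate must be valid for the DNS name users will browse to.
    if ! openssl x509 -in "$cert" -noout -checkhost "$name" 2>/dev/null |
            grep -q 'does match'; then
        echo "FAIL: certificate is not valid for $name"; rc=1
    fi
    return $rc
}

# csr BASENAME SUBJECT: new private key plus CSR (constructed test data only).
csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# make_demo_pki DIR DNSNAME: constructed root, intermediate and server cert.
make_demo_pki() {
    d=$1 n=$2
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    printf 'subjectAltName=DNS:%s\n' "$n" > "$d/srv.ext"
    csr "$d/root" "/CN=Constructed Root"
    csr "$d/inter" "/CN=Constructed Intermediate"
    csr "$d/srv" "/O=Example Co/CN=$n"
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
    openssl x509 -req -in "$d/srv.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -days 2 -extfile "$d/srv.ext" -out "$d/srv.pem" 2>/dev/null
}

# Demo run on the constructed PKI.
tmp=$(mktemp -d) && make_demo_pki "$tmp" ui.example.test &&
    check_bundle "$tmp/srv.pem" "$tmp/srv.key" "$tmp/inter.pem" "$tmp/root.pem" \
        ui.example.test && echo "bundle OK for ui.example.test"
```

With a real bundle, pass the CA's server and intermediate certificates, the CA's root certificate, and a copy of the private key that was generated with the CSR.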

The procedures in this section describe the steps for how to create and download the CSR files for a certificate authority to approve, and then how to install the CA-signed certificates.

Caution

If you create a backup of the system after the CA-signed certificates are created, the backup will not contain the CA configuration. The CA configuration can be backed up and restored using dedicated procedures; refer to Backing up or Restoring CA-signed Certificates.

If you can access the Web UI, use the procedures provided in Configuring CA-signed Certificates Using Web UI.

If for any reason you cannot access the Web UI, use the procedures provided in Configuring CA-signed Certificates using CLI.