Problem
InfoScale Operations Manager uses Self-Signed Certificates for TLS communication over port 5634.
Error Message
# openssl s_client -connect <client IP>:5634
Verification error: self-signed certificate
Cause
The product uses self-signed certificates by default.
Solution
To address this issue, import a certificate signed by a Certificate Authority (CA) using the following steps:
1) Generate a private key:
# mkdir -p {certs,keys,csr}
# openssl genrsa -out keys/xprtld.key 2048
2) Create a Certificate Signing Request (CSR) using either of the following methods:
a) # openssl req -new -sha256 -key keys/xprtld.key -out csr/xprtld.csr -subj '/CN=sfm_agent/C=US/ST=Mass/L=Boston/O=vx/OU=sfm_domain@<SFMDomain>'
Note: <SFMDomain> can be located in /etc/default/sfm_resolv.conf
b) Read the cs_config_name value from /etc/default/sfm_resolv.conf and use it as the sfm_domain:
# grep config /etc/default/sfm_resolv.conf
cs_config_name = viom.arctera.net;
Command to create the CSR using the cs_config_name value:
# openssl req -new -sha256 -key keys/xprtld.key -out csr/xprtld.csr -subj '/CN=sfm_agent/C=US/ST=Mass/L=Boston/O=vx/OU=sfm_domain@viom.arctera.net'
3) Sign the certificate using either of the following methods:
a) Send the CSR to a commercial Certificate Authority. It returns the signed certificate together with the CA chain needed for the import.
b) Create your own Certificate Authority (CA) if you are not using a commercial signing authority:
Root CA Private Key:
# openssl genrsa -aes256 -out keys/ca.key 4096
Self-Signed Root CA Certificate:
# openssl req -x509 -new -nodes -key keys/ca.key -sha256 -days 3650 -out certs/ca.crt -subj '/CN=LODLab RootCA/C=US/ST=Mass/L=Boston/O=Support' -addext 'basicConstraints = critical, CA:true' -addext "keyUsage = critical, digitalSignature, cRLSign, keyCertSign"
Intermediate CA Private Key:
# openssl genrsa -aes256 -out keys/ca-intermediate.key 4096
Intermediate Certificate Signing Request (CSR):
# openssl req -new -sha256 -key keys/ca-intermediate.key -out csr/ca-intermediate.csr -subj '/CN=LODLab Intermediate CA/C=US/ST=Mass/L=Boston/O=Support' -addext 'basicConstraints = critical, CA:true, pathlen:0' -addext 'subjectKeyIdentifier = hash' -addext 'keyUsage = critical, digitalSignature, cRLSign, keyCertSign'
Sign the Intermediate CA certificate using the Root CA:
# openssl x509 -req -days 3650 -sha256 -in csr/ca-intermediate.csr -CA certs/ca.crt -CAkey keys/ca.key -out certs/ca-intermediate.crt -set_serial 1004 -extfile <(printf "basicConstraints=critical,CA:true,pathlen:0\nkeyUsage=critical,digitalSignature,cRLSign,keyCertSign")
Note: the <( ... ) process substitution used for -extfile requires bash; in other shells write the two extension lines to a file and pass that file to -extfile.
Sign the SFM agent CSR using the Intermediate CA:
# openssl x509 -req -days 3650 -sha256 -in csr/xprtld.csr -CA certs/ca-intermediate.crt -CAkey keys/ca-intermediate.key -out certs/xprtld.crt -set_serial 1004
4) Verify that the following certificates and keys are available before importing:
| Private Key | keys/xprtld.key |
| Certificate | certs/xprtld.crt |
| Intermediate CA | certs/ca-intermediate.crt |
| Root CA | certs/ca.crt |
5) Import the certificates on the Management Server:
# /opt/VRTSsfmh/bin/perl /opt/VRTSsfmh/util/import_sfm_agent_certificate.pl --import_sfm_agent_cert --sfm_agent_certificate=certs/xprtld.crt --sfm_agent_privatekey=keys/xprtld.key --subCA_certificate=certs/ca-intermediate.crt --rootCA_certificate=certs/ca.crt