Managing server certificates

During the installation, a self-signed Secure Sockets Layer (SSL) certificate is generated to create a secure communication channel for servers and clients. If you already have a trusted certificate that you want to use, you can replace the self-signed certificate with an existing trusted certificate or generate a new certificate.

About this task

A self-signed certificate file, vp.crt, and a certificate key file, vp.key, are stored in the following directory:

/opt/ibm/ibm_spectrum_connect/settings/ssl_cert.

Because the self-signed certificate is not automatically recognized by the web browser that you use to log in to Spectrum Connect, you might encounter a connection security warning before you can access the Spectrum Connect login page (see Logging in).
Figure 1. Connection security warning in the Mozilla Firefox web browser
This image shows a connection security warning in the Mozilla Firefox web browser.

To avoid such warning messages, you need to upload a server certificate that is signed by a public certificate authority (CA), such as VeriSign, or by a CA whose root certificate was imported to your web browser. In addition, you can generate an SSL certificate.

Procedure

  1. Click Server certificate in the Settings menu.
    The Server Certificate dialog box is displayed.
    Figure 2. Generate option on Server Certificate dialog box
    This image shows the Generate option on the Server Certificate dialog box.
  2. Enter the common name, hostname/IP address of the Spectrum Connect server and certificate validity period, and then click Generate.
    Note:
    • The Spectrum Connect hostname is automatically copied from the FQDN field of the Settings menu. The value is entered during high-availability group definition, as explained in Defining a high-availability group.
    • The common name of the Spectrum Connect server must match the hostname/IP address in the URL that is used when registering Spectrum Connect as a storage provider on a vCenter server. See Registering Spectrum Connect as a storage provider on vCenter server.
    • To support a VMCA subordinate CA, the ssl_verify_depth parameter in the /etc/nginx/conf.d/sc_nginx.conf file is set to 2 by default. This is sufficient for a single customer root CA and a VMCA as a subordinate CA. If you require more than one CA in the trust chain, increase the value accordingly, and restart the Nginx service. See the example below.
      ssl_verify_client optional;
      ssl_verify_depth 3;
      ssl_client_certificate ssl_cert/trusted_clents.pem;
    Spectrum Connect generates the SSL certificate and key files, restarts the Nginx process and refreshes the web browser.
  3. Log out and log in to Spectrum Connect to complete the certificate generation.
  4. To upload a certificate file and a certificate key file, select Upload files on the Server Certificate dialog box.
    Figure 3. Upload files option on Server Certificate dialog box
    This image shows the Upload files option on the Server Certificate dialog box.
  5. Click Browse and attach your certificate file, vp.crt, and your certificate key file, vp.key, and then click Upload.
    Spectrum Connect overwrites the existing SSL certificate and key files, restarts the Nginx process and refreshes the web browser.
  6. Log out and log in to Spectrum Connect to complete the procedure.
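
The following shell functions, an added example that is not part of the product documentation, check a certificate and key pair before it is uploaded in step 5: that the key belongs to the certificate, that the certificate covers the hostname/IP address used in the registration URL, and that it is not about to expire. The function names, the 30-day threshold and the hostname in the usage comment are assumptions, and the OpenSSL command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example: checks for a certificate/key pair before upload.
# Assumes the OpenSSL command-line tool is installed.

# True when the private key in $2 belongs to the certificate in $1.
# "-passin pass:" makes an encrypted key fail instead of prompting.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
    # Both commands print the same PEM public key when the pair matches.
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True when the certificate in $1 is valid for the hostname or IP in $2.
cert_covers_name() {
    case $2 in
        *:*)       opt=-checkip ;;    # contains a colon: IPv6 address
        *[!0-9.]*) opt=-checkhost ;;  # any other non-digit character: hostname
        *)         opt=-checkip ;;    # digits and dots only: IPv4 address
    esac
    # The exit status of these options is not relied on; the message is parsed.
    openssl x509 -in "$1" -noout "$opt" "$2" 2>/dev/null | grep -q 'does match'
}

# True when the certificate in $1 stays valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Run all checks; print one line per failure, return non-zero on any.
# Arguments: certificate file, key file, name used in the registration URL.
check_pair() {
    rc=0
    key_matches_cert "$1" "$2"  || { echo "key does not match certificate"; rc=1; }
    cert_covers_name "$1" "$3"  || { echo "certificate does not cover $3"; rc=1; }
    cert_valid_for_days "$1" 30 || { echo "certificate expires within 30 days"; rc=1; }
    return "$rc"
}

# Usage (file names from this page; the hostname is a placeholder):
#   check_pair vp.crt vp.key spectrum-connect.example.com
```

Because the upload overwrites the existing files and restarts the Nginx process, running these checks first catches a mismatched pair before it replaces the working one.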