
Merge "VMAX manila doc - SSL Support" into stable/rocky

tags/7.2.0
Zuul 2 months ago
parent
commit
c87d4c609b

+ 90
- 2
doc/source/configuration/shared-file-systems/drivers/dell-emc-vmax-driver.rst View File

@@ -213,6 +213,8 @@ The following parameters need to be configured in the
213 213
    vmax_share_data_pools = <Comma separated pool names>
214 214
    share_driver = manila.share.drivers.dell_emc.driver.EMCShareDriver
215 215
    vmax_ethernet_ports = <Comma separated ports list>
216
+   emc_ssl_cert_verify = True
217
+   emc_ssl_cert_path = <path to cert>
216 218
 
217 219
 - `emc_share_backend`
218 220
     The plug-in name. Set it to ``vmax`` for the VMAX driver.
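
Review bot: The placeholder on the added line `emc_ssl_cert_path = <path to cert>` reads as the path to a certificate file, but the SSL Support section added later in this change says the capath and not the cafile is expected, and sets the option to a directory (`emc_ssl_cert_path = /path_to_certs/`). Suggest changing the placeholder to something like `<path to directory containing the cert>` so the sample block and the procedure agree. Both new options are described as optional further down, and `emc_ssl_cert_verify` is said to default to True, so it would also help to say here that the `emc_ssl_cert_verify = True` line is shown for clarity rather than being required.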
@@ -235,18 +237,104 @@ The following parameters need to be configured in the
235 237
 
236 238
     Examples: pool_1, pool_*, *
237 239
 
238
-- `vmax_ethernet_ports`
240
+- `vmax_ethernet_ports (optional)`
239 241
     Comma-separated list specifying the ports (devices) of Data Mover
240 242
     that can be used for share server interface. Do not set this
241 243
     option if all ports on the Data Mover can be used.
242 244
     Wild card character is supported.
243 245
 
244
-    Examples: spa_eth1, spa_*, *
246
+    Examples: fxg-9-0, fxg-_*, *
245 247
 
248
+- `emc_ssl_cert_verify (optional)`
249
+    By default this is True, setting it to False is not recommended
250
+
251
+- `emc_ssl_cert_path (optional)`
252
+    The path to the This must be set if emc_ssl_cert_verify is True which is
253
+    the recommended configuration.  See ``SSL Support`` section for more
254
+    details.
246 255
 
247 256
 Restart of the ``manila-share`` service is needed for the configuration
248 257
 changes to take effect.
249 258
 
259
+SSL Support
260
+-----------
261
+
262
+#. Run the following on eNas Control Station, to display the CA certification
263
+   for the active CS.
264
+
265
+   .. code-block:: console
266
+
267
+      $ /nas/sbin/nas_ca_certificate -display
268
+
269
+   .. warning::
270
+
271
+      This cert will be different for the secondary CS so if there is a failover
272
+      a different certificate must be used.
273
+
274
+#. Copy the contents and create a file with a .pem extention on your manila host.
275
+
276
+   .. code-block:: ini
277
+
278
+      -----BEGIN CERTIFICATE-----
279
+      the cert contents are here
280
+      -----END CERTIFICATE-----
281
+
282
+#. To verify the cert by running the following and examining the output:
283
+
284
+   .. code-block:: console
285
+
286
+      $ openssl x509 -in test.pem -text -noout
287
+
288
+   .. code-block:: ini
289
+
290
+      Certificate:
291
+       Data:
292
+           Version: 3 (0x2)
293
+           Serial Number: xxxxxx
294
+       Signature Algorithm: sha1WithRSAEncryption
295
+           Issuer: O=VNX Certificate Authority, CN=xxx
296
+           Validity
297
+               Not Before: Feb 27 16:02:41 2019 GMT
298
+               Not After : Mar  4 16:02:41 2024 GMT
299
+           Subject: O=VNX Certificate Authority, CN=xxxxxx
300
+           Subject Public Key Info:
301
+               Public Key Algorithm: rsaEncryption
302
+                   Public-Key: (2048 bit)
303
+                   Modulus:
304
+                       xxxxxx
305
+                   Exponent: xxxxxx
306
+           X509v3 extensions:
307
+               X509v3 Subject Key Identifier:
308
+                   xxxxxx
309
+               X509v3 Authority Key Identifier:
310
+                   keyid:xxxxx
311
+                   DirName:/O=VNX Certificate Authority/CN=xxxxxx
312
+                   serial:xxxxx
313
+
314
+               X509v3 Basic Constraints:
315
+                   CA:TRUE
316
+               X509v3 Subject Alternative Name:
317
+                   DNS:xxxxxx, DNS:xxxxxx.localdomain, DNS:xxxxxxx, DNS:xxxxx
318
+       Signature Algorithm: sha1WithRSAEncryption
319
+               xxxxxx
320
+
321
+#. As it is the capath and not the cafile that is expected, copy the file to either
322
+   new directory or an existing directory (where other .pem files exist).
323
+
324
+#. Run the following on the directory
325
+
326
+   .. code-block:: console
327
+
328
+      $ c_rehash $PATH_TO_CERTS
329
+
330
+#. Update manila.conf with the directory where the .pem exists.
331
+
332
+   .. code-block:: ini
333
+
334
+       emc_ssl_cert_path = /path_to_certs/
335
+
336
+#. Restart manila services.
337
+
250 338
 
251 339
 IPv6 support
252 340
 ~~~~~~~~~~~~
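
Review bot: The `emc_ssl_cert_path` description (new lines 252-254) is missing words: "The path to the This must be set if emc_ssl_cert_verify is True" drops the object of its first sentence. Suggest stating what the path points to and that it is a directory, in line with step 4 ("it is the capath and not the cafile that is expected"), then starting "This must be set ..." as its own sentence. The `emc_ssl_cert_verify` entry (249) gives only the default and "not recommended"; one sentence on what is being verified would tell the reader why disabling it matters. The warning at 271-272 says the secondary CS has a different certificate but not what the operator should do about it; since the option takes a rehashed directory, please document whether the secondary CS certificate can be placed in the same directory ahead of a failover. Smaller points: "(optional)" sits inside the backticks in the three option headings (240, 248, 251), so it renders as part of the option name; the PEM block (276) and the openssl output (288) are tagged `.. code-block:: ini` although neither is INI; "extention" (274) should be "extension"; "To verify the cert by running" (282) and "copy the file to either new directory" (321-322) need rewording; and please confirm that the example `fxg-_*` (246) is the intended wildcard form.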
