So you have a bunch of OES2 SP1 Linux nodes running in a cluster. You have followed the documentation in the NetStorage for Linux Administration Guide to setup, install and configure NetStorage to run in your cluster. All is working well, except your users get that nasty warning in their browser, every time they connect, because your NetStorage is using the default untrusted self-signed server certificates.
Wouldn’t life be just great if we could get NetStorage to use a third-party minted one from a reputable trusted Certificate Authority.
Well, you can, here’s how.
This document, won’t go into the gory details of how you go getting your minted certificate from a trusted Certificate Authority, there are many places these can be obtained from, and there is usually help from these sites, on what you need to do. Once you have your certificate, you can commence configuring NetStorage to use it.
If we simply configure apache to use our trusted certificate, instead of the default server certificates, it will break the iManager components necessary to configure NetStorage. This is because the default server certificates are used by iManager to configure xtier services required by NetStorage. So what we need to do is configure apache so that it uses the default server certificates for iManager, and our trusted certificate for NetStorage independently.
By default, apache2 listens on all ip addressees ie. 0.0.0.0 for both port 80 and 443. As we want to use a different certificate, namely our externally signed one, we need to first configure apache to listen on a specific IP address only, namely the host ip address of the server.
This is easily achieved by editing the /etc/apache2/listen.conf as follows:
# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two # Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443" # #Listen 18.104.22.168:80 #Listen 80 #Listen 443 Listen hostname.company.com:80 <IfDefine SSL> <IfDefine !NOSSL> <IfModule mod_ssl.c> Listen hostname.company.com:443 </IfModule> </IfDefine> </IfDefine>
restart apache2 for these changes to take effect.
# /etc/init.d/apache2 restart
Now we need to configure apache to listen on our clustered virtual IP address that will be used for NetStorage.
First lets create a new virtual host definition from the system default.
# cd /etc/apache2/vhosts.d # cp vhost-ssl.conf netstorage-ssl.conf
Now edit the file we just copied, netstorage-ssl.conf, to use our external certs and prepare it for our netstorage cluster resource.
Because we want this section to only apply for our virtual server we need to have apache listen on the virtual server IP address. To do that we add two “Listen” lines one for port 80 and one for port 443 as shown.
We also need to change the <VirtualHost _default_:443> to also include our netstorage virtual IP address.
# # Listen netstorage.cluster.company.com:80 Listen netstorage.cluster.company.com:443 <IfDefine SSL> <IfDefine !NOSSL> ## ## SSL Virtual Host Context ## <VirtualHost netstorage.cluster.company.com:443> # General setup for the virtual host
To use our external server certs change the following lines in the VirtualHost section . Here I am assuming that your signed certificate that you received from your trusted Certificate Authority is called ‘netstorage-cert.pem’, and your private key file is called ‘netstorage-key.pem’ Copy both these files to your /etc/ssl/servercerts directory and edit the VirtualHost section of your netstorage-ssl.conf file as follows.
SSLCertificateFile /etc/ssl/servercerts/netstorage-cert.pem #SSLCertificateFile /etc/ssl/servercerts/servercert.pem SSLCertificateKeyFile /etc/ssl/servercerts/netstorage-key.pem #SSLCertificateKeyFile /etc/ssl/servercerts/serverkey.pem
That concludes all the modifications to netstorage-ssl.conf file that we need to make.
If we restart apache2 now, it will most likely fail to start. This is because our virtual IP address for NetStorage is not currently active on this node and we are telling apache2 to bind to an IP address that does not exist. To get around this, we will temporarily rename the netstroage-ssl.conf file to something else, that will allow apache2 to run on the node while it is not serving NetStorage.
Lets rename this file to netstorage-ssl.conf.cluster for now.
The advantage of this, allows you to use other apache services on this cluster node, like iManager, to make configuration changes to NetStorage, if required. It also allows you to test this server’s instance of NetStorage by accessing it from the server hostname url.
Now, when you restart apache2, it should load happily, as the netstorage-ssl.conf.cluster file is not parsed by apache when it loads.
Now we move onto configuring our Cluster load and unload scripts.
From the Novell Documentation the suggested load script for NetStorage is inherently simple, as all it really contains is a single line to add the secondary ip address. (Remember, that we don’t need or use shared storage with NetStorage in a Novell Cluster, rather we install and configure NetStorage on each node and move the clustered ip address instead, from one node to another node).
So what we want to do when we start our Cluster resource for NetStorage is,
- we add our secondary IP address,
- rename our apache config file for netstorage
- restart apache.
So our load and unload scripts will look like this.
exit_on_error add secondary ipaddress 192.168.0.120 exit_on_error mv /etc/apache2/vhosts.d/netstorage-ssl.conf.cluster /etc/apache2/vhosts.d/netstorage-ssl.conf exit_on_error /etc/init.d/apache2 restart
ignore_error mv /etc/apache2/vhosts.d/netstorage-ssl.conf /etc/apache2/vhosts.d/netstorage-ssl.conf.cluster ignore_error /etc/init.d/apache2 restart ignore_error del secondary ipaddress 192.168.0.120
With that all done, there is one last important step that needs to be completed. Now the users will get our external certificate when they connect to NetStorage. While at this stage you will be able to login and browse directories etc. You will find that you wont be able to download anything, or get properties of files and folders. What you will see is Java complaining bitterly that it doesn’t trust your external certificate.
So what we need to do now, is import the external third-party certificate into the novell-tomcat5 Certificate Store..
You need to get your certificate in base64 format if it isn’t already. If you are like me, and import your external certificates into eDirectory, then this is easily exported. For help in doing this, I suggest reading the follow Novell Technical Information Documents. TID 3305590, TID 10098796, and TID 10090460.
Once you have your certificate in base64, eg. certificate.b64 file you can update novell-tomcat5 certificate store by using the following keytool command (remember to make a backup of your cacerts file first)
# keytool -import -alias netstorage -file certificate.b64 -keystore /var/opt/novell/tomcat5/conf/cacerts
Now simply restart novell-tomcat5, and your done configuring this cluster node.
Simply, repeat the process on every other node you have in your NetStorage cluster.