Managing certificates (Quorum Witness)

You can hover over fields to display tooltips.

To navigate to the Data Protection screen and manage the quorum witness certificates, do the following:

Procedure
  1. On the main menu, select Data Protection > Remote Copy Configurations.
  2. In the list pane, select a Remote Copy configuration, and then click Manage Certificates on the Actions menu.

    The Manage Quorum Witness Certificates dialog opens.

  3. Edit the required and optional settings.

    General

    Configuration:

    Displays the storage systems in the Remote Copy configuration.

    Existing Quorum Witness Certificates

    Displays the certificates that are already imported in a tabular format with the following details:
    System:

    Name of the storage system for which the certificate is issued.

    Type:

    Type of the certificate. For example, rootca, cert, intca.

    Service:

    Name of the service for which the certificate is issued.

    Certificate name:

    Name of the certificate.

    Issuer:

    Name of the issuer of the certificate.

    Signature type:

    Signature type of the certificate. For example, self-signed, ca-signed.

    Expires on:

    Expiration date and time for the certificate.

    Certificate Management

    System:

    Select a storage system that is part of the Remote Copy configuration.

    To import the Quorum Witness certificate on the storage system, perform the following steps:

    Generate CSR:
    You can update the form after selecting the option to generate a Certificate Signing Request (CSR). The CSR is generated for the Quorum Witness client on the storage system.
    1. Click the Generating CSR (Quorum Witness) option.

    2. Save the CSR to a file and use the information to get a signed certificate from a CA (Certificate Authority).

    Learn more: Installing CA security certificates, Installing self-signed security certificates.
    Import QW Client Certificate
    You can browse to select and import the specified certificate files for:
    • QW Client CA trust chain

    • QW Client Certificate

    • QW Server root CA: Navigate to Import QW Server Certificate panel and import a QW Server root CA certificate for the storage system.

    The import file must be in PEM format.
  4. When you have completed your choices, click Import to accept your choices and close the dialog; otherwise click Cancel.
  5. Along with importing the QW Client certificates on the storage system, you must import the QW Server Certificates on the QW server to establish a secure connection.

    Importing QW Server Certificate

    Generate a CSR using a CSR generation tool available in your local system for a QW server. You cannot import a QW server certificate from HPE SSMC.

    Before you import:

    • Assemble a server certificate bundle (cert.pem) for use by the local Quorum Witness server. The bundle includes the QW server private key, the server CA certificate, and the server CA trust chain.

    • Save the bundle file as cert.pem.

    • Import the bundle file (cert.pem) to /usr/local/etc.

    • Import the root CA cert file (cacert.pem) to /usr/local/etc. The cacert.pem includes the root CA of the QW client.

    1. Generate CSR.

    2. Get a signed certificate from CA for the QW server.

    3. Import the cert.pem, cacert.pem, and QW client root CA to the /usr/local/etc directory on the QW server. The import file must be in PEM format.

      NOTE:
      To start running QW on the server and HPE Storage System after installing the certificates, run the following commands on the QW server:
      $ systemctl stop qwserv
      $ systemctl start qwserv
      $ systemctl status qwserv
      An error message indicates that the command was unsuccessful.
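
A check that can be run on the QW server before cert.pem and cacert.pem are copied to /usr/local/etc and qwserv is restarted. This is an added example, not part of the HPE documentation. The function name, the 30-day minimum lifetime, and the assumption that the server certificate is the first certificate in cert.pem are illustrative.

```shell
#!/bin/sh
# Added example: pre-import check for the QW server files described above.
# Assumptions (not from the page): openssl is installed, the server
# certificate is the first CERTIFICATE block in cert.pem, and 30 days is an
# arbitrary minimum remaining lifetime.

err() { echo "check_qw_bundle: $*" >&2; }

# check_qw_bundle CERT_PEM CACERT_PEM [MIN_DAYS]
# Returns 0 when all checks pass, 1 on a failed check, 2 on a usage problem.
check_qw_bundle() {
    bundle=$1; cacert=$2; min_days=${3:-30}
    command -v openssl >/dev/null 2>&1 || { err "openssl not found"; return 2; }
    [ -r "$bundle" ] && [ -r "$cacert" ] || { err "cannot read input files"; return 2; }

    # cert.pem carries the server private key; cacert.pem must not carry one.
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$bundle" \
        || { err "no private key in $bundle"; return 1; }
    if grep -q -e 'PRIVATE KEY-----' "$cacert"; then
        err "$cacert contains a private key"; return 1
    fi

    # Both files must hold a parseable PEM certificate.
    for f in "$bundle" "$cacert"; do
        openssl x509 -in "$f" -noout 2>/dev/null \
            || { err "no PEM certificate in $f"; return 1; }
    done

    # The private key must belong to the server certificate.
    # An encrypted key fails here instead of prompting for a passphrase.
    cert_pub=$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$bundle" -passin pass: -pubout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { err "private key does not match certificate"; return 1; }

    # Neither certificate may expire within MIN_DAYS.
    for f in "$bundle" "$cacert"; do
        openssl x509 -in "$f" -noout -checkend $((min_days * 86400)) >/dev/null \
            || { err "certificate in $f expires within $min_days days"; return 1; }
    done
    return 0
}
```

Call it as `check_qw_bundle cert.pem cacert.pem` and copy the files only when it returns 0. It does not validate the trust chain itself.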