Managing certificates (Quorum Witness)
You can hover over fields to display tooltips.
To navigate to the Data Protection screen and manage the quorum witness certificates, do the following:
- On the main menu, select Data Protection > Remote Copy Configurations.
- In the list pane, select a Remote Copy configuration, and then click Manage Certificates on the Actions menu.
  The Manage Quorum Witness Certificates dialog opens.
- Edit the required and optional settings.
General
- Configuration: Displays the storage systems in the Remote Copy configuration.
Existing Quorum Witness Certificates
Displays the certificates that are already imported in a tabular format with the following details:
- System: Name of the storage system for which the certificate is issued.
- Type: Type of the certificate. For example, rootca, cert, intca.
- Service: Name of the service for which the certificate is issued.
- Certificate name: Name of the certificate.
- Issuer: Name of the issuer of the certificate.
- Signature type: Signature type of the certificate. For example, self-signed, ca-signed.
- Expires on: Expiration date and time for the certificate.
Certificate Management
- System: Select a storage system which is part of the Remote Copy configuration.
To import the Quorum Witness certificate on the storage system, perform the following steps:
- Generate CSR:
  You can update the form after selecting the option to generate a Certificate Signing Request (CSR). The CSR is generated for the Quorum Witness client on the storage system.
  Click the Generating CSR (Quorum Witness) option.
  Save the CSR to a file and use the information to get a signed certificate from a CA (Certificate Authority).
- Import QW Client Certificate:
  You can browse to select and import the specified certificate files for:
  - QW Client CA trust chain
  - QW Client Certificate
  - QW Server root CA: Navigate to the Import QW Server Certificate panel and import a QW Server root CA certificate for the storage system.
  pem format.
- When you have completed your choices, click Import to accept your choices and close the dialog; otherwise click Cancel.
- Along with importing the QW Client certificates on the storage system, you must import the QW Server Certificates on the QW server to establish a secure connection.
Importing QW Server Certificate
Generate a CSR using a CSR generation tool available on your local system for a QW server. You cannot import a QW server certificate from HPE SSMC.
Before you import:
- Assemble a server certificate bundle (cert.pem) for use by the local Quorum Witness server. The bundle includes the QW server private key, server CA certificate, and the server CA trust chain.
- Save the bundle file as cert.pem.
- Import the bundle file (cert.pem) to /usr/local/etc.
- Import the root CA cert file (cacert.pem) to /usr/local/etc. The cacert.pem file includes the root CA of the QW client.
- Generate CSR.
- Get a signed certificate from the CA for the QW server.
- Import the cert.pem, cacert.pem, and QW client root CA to the /usr/local/etc directory on the QW server. The import file must be in pem format.
NOTE: To start running QW on the server and HPE Storage System after installing the certificates, run the following commands on the QW server:
$ systemctl stop qwserv
$ systemctl start qwserv
Appearance of an error message indicates that the command was unsuccessful.
$ systemctl status qwserv
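A pre-import check for the two files placed in /usr/local/etc, run before restarting qwserv. This is an added example, not part of the HPE documentation; the function name check_qw_bundle is hypothetical, and it assumes the openssl command-line tool is installed and that the server certificate is the first certificate in cert.pem.

```shell
#!/bin/sh
# Added example: sanity-check cert.pem and cacert.pem before import.
# check_qw_bundle is a hypothetical helper, not an HPE-supplied tool.

check_qw_bundle() {
    bundle=$1   # cert.pem: QW server private key, server cert, CA trust chain
    cacert=$2   # cacert.pem: root CA of the QW client

    # 1. Both files must be PEM text (not DER or PKCS#12).
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$bundle" ||
        { echo "FAIL: no PEM private key in $bundle" >&2; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$bundle" ||
        { echo "FAIL: no PEM certificate in $bundle" >&2; return 1; }
    openssl x509 -in "$cacert" -noout 2>/dev/null ||
        { echo "FAIL: $cacert is not a PEM certificate" >&2; return 1; }

    # 2. The private key must belong to the first certificate in the bundle.
    #    Compare the public key derived from each; empty output means a
    #    parse failure (-passin pass: keeps openssl from prompting).
    key_pub=$(openssl pkey -in "$bundle" -pubout -passin pass: 2>/dev/null) || key_pub=
    crt_pub=$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null) || crt_pub=
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ] ||
        { echo "FAIL: private key does not match first certificate" >&2; return 1; }

    # 3. Neither certificate may be expired (-checkend 0 = valid right now).
    openssl x509 -in "$bundle" -noout -checkend 0 >/dev/null ||
        { echo "FAIL: server certificate in $bundle has expired" >&2; return 1; }
    openssl x509 -in "$cacert" -noout -checkend 0 >/dev/null ||
        { echo "FAIL: certificate in $cacert has expired" >&2; return 1; }

    echo "OK: $bundle and $cacert passed pre-import checks"
}

# Stand-alone use: sh check.sh /usr/local/etc/cert.pem /usr/local/etc/cacert.pem
if [ "$#" -eq 2 ]; then
    check_qw_bundle "$1" "$2"
fi
```

A failure here usually shows up later as qwserv failing to start or the storage system failing to connect, so catching it before the restart shortens troubleshooting.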