As mentioned in previous articles in this series, applying a hardening profile is one of multiple tasks that are required in order to configure a STIG-compliant PowerScale cluster. These include:
| Component | Tasks |
| --- | --- |
| Audit | Configure remote syslog servers for auditing. |
| Authentication | Configure secure auth provider, SecurityAdmin account, and default restricted shell. |
| CELOG | Create event channel for security officers and system admin to monitor /root and /var partition usage, audit service, security verification, and account creation. |
| MFA & SSO | Enable and configure multi-factor authentication and single sign-on. |
| NTP | Configure secure NTP servers with SHA256 keys. |
| SMB | Configure SMB global settings and defaults. Enable SMB encryption on shares. |
| SNMP | Enable SNMP and configure SNMPv3 settings. |
| SyncIQ | Configure SyncIQ to use CA certificates so both the source and target clusters (primary and secondary DSCs) have both Server Authentication and Client Authentication set in their Extended Key Usages fields. |
In this final article in the series, we’ll cover the security configuration details for SyncIQ replication using the OneFS CLI.
SyncIQ supports over-the-wire, end-to-end encryption for data replication, protecting and securing in-flight data between clusters. A global setting enforces encryption on all incoming and outgoing SyncIQ policies.
- First, on the source cluster, which is also the primary DSC (Digital Signature Certificate), add the CA (Certificate Authority) certificate(s) to the certificate store.
# isi certificate authority import [ca certificate path]
Where:
| Item | Description |
| --- | --- |
| [ca certificate path] | The path to the CA certificate file. |
Note that SyncIQ certificates for both the source and target clusters (aka primary and secondary DSC respectively) must have both ‘Server Authentication’ and ‘Client Authentication’ set in their ‘Extended Key Usages’ fields.
Repeat as necessary, and include root and intermediate CA certificates for both the source and target, plus the OCSP (Online Certificate Status Protocol) issuer:
- source cluster
- target cluster
- OCSP issuer
To prevent unauthorized access to the private key/certificate, ensure the certificate and private key files are deleted/removed once all necessary import steps have been successfully completed.
- Next, on the source cluster (primary DSC), add the source cluster certificate to the SyncIQ server certificate store. This can be accomplished with the following CLI syntax:
# isi sync certificates server import [source certificate path] [source certificate key path]
Where:
| Item | Description |
| --- | --- |
| [source certificate path] | The path to the source certificate file (in PEM or DER format). |
| [source certificate key path] | The path to the source certificate private key file. |
Once again, to prevent unauthorized access to the private key/certificate, remove the certificate and private key files once import has been completed successfully.
- On the source cluster (primary DSC), set the cluster certificate to the certificate imported above.
First, retrieve the certificate ID:
# isi certificate server list -v
Next, configure the cluster certificate ID:
# isi sync settings modify --cluster-certificate-id [certificate id]
Where:
| Item | Description |
| --- | --- |
| [certificate id] | The ID of the cluster certificate. |
- On the source cluster (primary DSC), add the target cluster’s (secondary DSC) certificate as a peer certificate.
# isi sync certificates peer import [target certificate path]
Where:
| Item | Description |
| --- | --- |
| [target certificate path] | The path to the target cluster/secondary DSC certificate file. |
To prevent unauthorized access to the private key/certificate, remove certificate and private key files once done with all necessary import steps.
- On the source cluster (primary DSC), configure the global Online Certificate Status Protocol (OCSP) issuer ID and address settings.
# isi sync settings modify --ocsp-issuer-certificate-id=[ocsp issuer certificate id] --ocsp-address=[OCSP server URI]
Where:
| Item | Description |
| --- | --- |
| [ocsp issuer certificate id] | The ID of the certificate as registered in the PowerScale certificate manager. |
| [OCSP server URI] | The URI of the OCSP responder. |
To find the OCSP issuer certificate ID:
# isi certificate authority list -v
This assumes that the OCSP issuer certificate file has already been successfully imported into the PowerScale certificate manager.
- On the target cluster (secondary DSC), add the CA certificate(s) to the certificate store.
# isi certificate authority import [ca certificate path]
Where:
| Item | Description |
| --- | --- |
| [ca certificate path] | The path to the CA certificate file. |
Repeat as necessary, including the root and intermediate CA certificates for:
- source cluster
- target cluster
- OCSP issuer
To prevent unauthorized access to the private key/certificate, remove certificate and private key files once done with all necessary import steps.
- On the target cluster (secondary DSC), add the target cluster certificate to the SyncIQ server certificate store.
# isi sync certificates server import [target certificate path] [target certificate key path]
Where:
| Item | Description |
| --- | --- |
| [target certificate path] | The path to the target certificate file (in PEM or DER format). |
| [target certificate key path] | The path to the target certificate private key file. |
To prevent unauthorized access to the private key/certificate, remove the certificate and private key files once done with all necessary import steps.
- On the target cluster (secondary DSC), set the cluster certificate to the certificate imported above.
First, retrieve the certificate ID:
# isi certificate server list -v
Next, configure the cluster certificate ID:
# isi sync settings modify --cluster-certificate-id [certificate id]
Where:
| Item | Description |
| --- | --- |
| [certificate id] | The ID of the cluster certificate. |
- On the target cluster (secondary DSC), add the source cluster’s (primary DSC) certificate as a peer certificate.
# isi sync certificates peer import [source certificate path]
Where:
| Item | Description |
| --- | --- |
| [source certificate path] | The path to the source cluster/primary DSC certificate file. |
To prevent unauthorized access to the private key/certificate, remove certificate and private key files once done with all necessary import steps.
- On the target cluster (secondary DSC), configure the global Online Certificate Status Protocol (OCSP) settings.
# isi sync settings modify --ocsp-issuer-certificate-id=[ocsp issuer certificate id] --ocsp-address=[OCSP server URI]
Where:
| Item | Description |
| --- | --- |
| [ocsp issuer certificate id] | The ID of the certificate as registered in the PowerScale certificate manager. |
| [OCSP server URI] | The URI of the OCSP responder. |
To find the OCSP issuer certificate ID:
# isi certificate authority list -v
This assumes that the OCSP issuer certificate file has already been imported into the PowerScale certificate manager.
- Finally, for any pre-existing policies, configure the following OCSP settings on the source cluster (primary DSC).
# isi sync policies modify [policy name] --ocsp-issuer-certificate-id=[ocsp issuer certificate id] --ocsp-address=[OCSP server URI]
Where:
| Item | Description |
| --- | --- |
| [policy name] | The name of the existing SyncIQ policy to update. |
| [ocsp issuer certificate id] | The ID of the certificate as registered in the PowerScale certificate manager. |
| [OCSP server URI] | The URI of the OCSP responder. |
To find the OCSP issuer certificate ID:
# isi certificate authority list -v
At this point, the SyncIQ certificate configuration work should be complete.
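Two values in the procedure above are easy to get wrong before anything is imported: whether a cluster certificate really carries both Server Authentication and Client Authentication in its Extended Key Usage field (the requirement stated in the first step), and what to pass as the OCSP responder URI. The following POSIX shell script is an added example, not OneFS or Dell tooling; it uses only the openssl CLI and is meant to be run on a workstation against the PEM or DER certificate files before they are copied to the cluster. The hostnames and file names it constructs for its self-test are made up.

```shell
#!/bin/sh
# Added example (not OneFS or Dell tooling): pre-import checks for SyncIQ certificates.
# check_synciq_eku verifies that a certificate carries BOTH "TLS Web Server
# Authentication" and "TLS Web Client Authentication" in its Extended Key Usage
# extension; ocsp_uri_of reads the OCSP responder URI from the certificate's
# Authority Information Access extension, which is the value handed to
# --ocsp-address. Needs only the openssl CLI (1.1.1 or later for make_test_cert).
# All hostnames and paths below are constructed sample values.

# x509_cmd FILE ARGS...: run "openssl x509" on a PEM file, falling back to DER,
# since the isi import commands accept either encoding.
x509_cmd() {
    f=$1; shift
    openssl x509 -in "$f" -inform PEM -noout "$@" 2>/dev/null \
        || openssl x509 -in "$f" -inform DER -noout "$@" 2>/dev/null
}

# eku_of FILE: print the Extended Key Usage line (empty if the extension is
# absent or the file does not parse). -text output is stable across OpenSSL
# 1.0 through 3.x; the EKU names sit on the line after the extension header.
eku_of() {
    x509_cmd "$1" -text | awk '/X509v3 Extended Key Usage/ { getline; print; exit }'
}

# check_synciq_eku FILE: exit 0 only when both required EKUs are present.
check_synciq_eku() {
    eku=$(eku_of "$1")
    case "$eku" in
        *"TLS Web Server Authentication"*"TLS Web Client Authentication"*) return 0 ;;
        *"TLS Web Client Authentication"*"TLS Web Server Authentication"*) return 0 ;;
        *) return 1 ;;
    esac
}

# ocsp_uri_of FILE: print the OCSP responder URI(s) from the AIA extension.
ocsp_uri_of() {
    x509_cmd "$1" -ocsp_uri
}

# make_test_cert DIR NAME EKU: construct a throwaway self-signed certificate and
# key so the checks can be exercised offline (constructed sample data, not a DSC).
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2.example.test" \
        -addext "extendedKeyUsage=$3" \
        -addext "authorityInfoAccess=OCSP;URI:http://ocsp.example.test/" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# Usage by hand (hypothetical path):
#   check_synciq_eku /tmp/cluster.pem && echo "EKU ok" || echo "EKU incomplete"
#   ocsp_uri_of /tmp/cluster.pem
```

A certificate that fails check_synciq_eku should be reissued before running isi sync certificates server import; the import itself does not tell you which key usage is missing. The URI printed by ocsp_uri_of is the one to supply as [OCSP server URI], and it should match what the issuing CA publishes for the OCSP issuer certificate already imported into the certificate manager.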