Table of Contents

Storage Provider Certificates

Version 1712 and above of Access Anywhere, by default, apply more stringent requirements on SSL/TLS certificates. This affects storage providers that are accessed over HTTPS. In particular, providers with self-signed certificates and certificates with missing intermediate chains will now return errors. These certificates can either be corrected by the storage administrator or Access Anywhere can be set to allow these certificates.

Validating Storage Certificates

Log into Access Anywhere as the “smeconfiguser” and run the following command against all storage providers accessed over HTTPS:

curl https://fqdn.backendstorage.com

If curl returns any error of type (60), the storage provider will no longer work with the defaults in v1712.

Examples:

Broken chain

curl https://storageFQDN
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

Self-Signed Certificate

curl https://storageFQDN
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.

Expired Certificate

curl https://storageFQDN
curl: (60) Peer's Certificate has expired.

Note: Access Anywhere will not allow use of storage with an expired certificate

Disabling certificate validation

We always recommend the use of valid certificates from signed public authorities. However, to preserve functionally with storage providers added prior to v1712, the following procedure will disable certificate validation:

For each storage type that fails curl validation an entry will need to be made in config.inc.php. Find below the list of valid storage providers and the accompanying variable to disable provider certificate validation:

Storage Type variable
Amplidata var $ssl_certificates_amplidata = '0';
BlueMix Object Storage var $ssl_certificates_bluemix = '0';
Caringo Swarm var $ssl_certificates_caringoswarm = '0';
Ceph var $ssl_certificates_ceph = '0';
Cleversafe var $ssl_certificates_cleversafe = '0';
Cloudian var $ssl_certificates_cloudian = '0';
Dell EMC Elastic Cloud Storage var $ssl_certificates_dellemc = '0';
EMC Atmos S3 var $ssl_certificates_atmoss3 = '0';
HostingSolutions.it var $ssl_certificates_hostsolit = '0';
HPHelion var $ssl_certificates_hphelion = '0';
IBM Cloud Object Storage var $ssl_certificates_ibmcloud = '0';
Igneous var $ssl_certificates_igneous = '0';
Leonovus var $ssl_certificates_leonovus = '0';
Minio Object Storage var $ssl_certificates_minio = '0';
Mirantis var $ssl_certificates_mirantis = '0';
Open S3 - S3 Compatible Cloud var $ssl_certificates_opens3 = '0';
OpenIO var $ssl_certificates_openio = '0';
OpenStack var $ssl_certificates_openstack = '0';
SoftLayer var $ssl_certificates_softlayer = '0';
Swift v3 var $ssl_certificates_swift = '0';
SwiftStack var $ssl_certificates_swiftstack = '0';

If you wish to disable certificate validation for a storage provider that is not on this list, please contact NAA At: support@nasuni.com

Log into the NAA Appliance as smeconfiguser e.g.

ssh smeconfiguser@cloudfiles.company.com

Change user to root

su -

Add the required variables to the file: /var/www/smestorage/publichtml/config.inc.php below the line: var $sslversion = 'tls';

vi /var/www/smestorage/public_html/config.inc.php

For example, if the backend storage providers Minio and Ceph have self-signed certificates the following will be added:

var $ssl_version = 'tls';
var $ssl_certificates_minio = '0';
var $ssl_certificates_ceph = '0'; 

Once added, save the config.inc.php file and confirm normal Access Anywhere operation against altered storage providers by logging into web console as an Organization Administrator then upload and download a file.