Differences

This shows you the differences between two versions of the page.

cloudappliance:smeinplaceupgrade [2018_04_12 11:46]
127.0.0.1 external edit
cloudappliance:smeinplaceupgrade [2018_08_23 18:15]
steven
Line 13: Line 13:
   * Public internet access for download patches   * Public internet access for download patches
   * A complete backup / snapshot has been done of both the system and the database   * A complete backup / snapshot has been done of both the system and the database
-  * Verify API based storage providers have a valid certificate+  * Verify API based storage providers have a valid certificates (especially when upgrading from 10.x or 1705). See [[cloudproviders:​certificates]] for more information.
  
 In addition, you must ensure you have full administrator access to the systems. ​ The following user accounts and passwords will be required: In addition, you must ensure you have full administrator access to the systems. ​ The following user accounts and passwords will be required:
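Review bot: The changed bullet reads "have a valid certificates", which mixes singular and plural; suggest "have valid certificates". The parenthetical "(especially when upgrading from 10.x or 1705)" gives no reason. One short clause would help, for example that 1712 by default no longer supports self-signed certificates or certificates with missing intermediate chains, as the section removed further down explained. This bullet is now the only mention of the check on the upgrade page, so confirm that [[cloudproviders:certificates]] exists and carries the curl validation steps before this revision goes live.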
Line 27: Line 27:
  
 Start by backing up the appliance. This upgrade will be an upgrade of both software and the database, please do not proceed without a good backup. SME does not support a database rollback, so if something does not go to plan, a system restore will be required. Start by backing up the appliance. This upgrade will be an upgrade of both software and the database, please do not proceed without a good backup. SME does not support a database rollback, so if something does not go to plan, a system restore will be required.
- 
- 
-== Checking storage certificates == 
-Version 1712 of the Enterprise File Fabric increases the security requirements for storage providers that are accessed over HTTPS. As a result, self-signed certificates and certificates with missing intermediate chains are not supported by default. ​ These certificates can either be corrected by the storage administrator or the Enterprise File Fabric can be set to allow these certificates. 
- 
-== Validating storage certificates == 
-Log into the Enterprise File Fabric as the "​smeconfiguser"​ and run the following command against all storage providers accessed over HTTPS: 
- 
-<​code>​ 
-curl https://​fqdn.backendstorage.com 
-</​code>​ 
- 
-If curl returns any error of type (60), the storage provider will no longer work with the defaults in v1712. ​ 
- 
-Examples: 
- 
-//Broken chain// 
-<​code>​ 
-curl https://​storageFQDN 
-curl: (60) Peer's Certificate issuer is not recognized. 
-More details here: http://​curl.haxx.se/​docs/​sslcerts.html 
-</​code>​ 
- 
-//​Self-Signed Certificate//​ 
-<​code>​ 
-curl https://​storageFQDN 
-curl: (60) Peer's certificate issuer has been marked as not trusted by the user. 
-</​code>​ 
- 
-//Expired Certificate//​ 
-<​code>​ 
-curl https://​storageFQDN 
-curl: (60) Peer's Certificate has expired. 
-</​code>​ 
- 
-Note:  The Enterprise File Fabric will not allow use of storage with an expired certificate 
- 
-=== Disabling certificate validation === 
-Storage Made Easy always recommends the use of valid certificates from signed public authorities. ​ However, to preserve functionally with storage providers added prior to v1712, the following procedure will disable certificate validation: 
- 
-For each storage type that fails curl validation an entry will need to be made in config.inc.php. ​ Find below the list of valid storage providers and the accompanying variable to disable provider certificate validation: 
- 
-^ Storage Type       ^ variable ​ ^ 
-| Amplidata |var $ssl\_certificates\_amplidata = '​0';​ | 
-| BlueMix Object Storage | var $ssl\_certificates\_bluemix = '​0'; ​ |  
-| Caringo Swarm   | var $ssl\_certificates\_caringoswarm = '​0';​ | 
-| Ceph       | var $ssl\_certificates\_ceph = '​0';​ | 
-| Cleversafe ​     | var $ssl\_certificates\_cleversafe = '​0';​ |      
-| Cloudian ​    | var $ssl\_certificates\_cloudian = '​0';​ |  
-| Dell EMC Elastic Cloud Storage | var $ssl\_certificates\_dellemc = '​0';​ | 
-| EMC Atmos S3 |var $ssl\_certificates\_atmoss3 = '​0';​ |  
-| HostingSolutions.it | var $ssl\_certificates\_hostsolit = '​0';​ |  
-| HPHelion | var $ssl\_certificates\_hphelion = '​0';​ | 
-| IBM Cloud Object Storage| var $ssl\_certificates\_ibmcloud = '​0';​ |  
-| Igneous | var $ssl\_certificates\_igneous = '​0';​ |  
-| Leonovus | var $ssl\_certificates\_leonovus = '​0';​ | 
-| Minio Object Storage | var $ssl\_certificates\_minio = '​0';​|  ​ 
-| Mirantis | var $ssl\_certificates\_mirantis = '​0';​ |  ​ 
-| Open S3 - S3 Compatible Cloud | var $ssl\_certificates\_opens3 = '​0';​| 
-| OpenIO | var $ssl\_certificates\_openio = '​0';​ | 
-| OpenStack | var $ssl\_certificates\_openstack = '​0';​ |  
-| SoftLayer | var $ssl\_certificates\_softlayer = '​0';​| ​ 
-| Swift v3 | var $ssl\_certificates\_swift = '​0';​ |  
-| SwiftStack | var $ssl\_certificates\_swiftstack = '​0';​ | 
- 
-If you wish to disable certificate validation for a storage provider that is not on this list, please contact SME at: support@storagemadeeasy.com 
- 
-Log into the SME appliance as smeconfiguser e.g. 
-<​code>​ 
-ssh smeconfiguser@cloudfiles.company.com 
-</​code>​ 
- 
- 
-Change user to root 
-<​code>​ 
-su - 
-</​code>​ 
- 
-Add the required variables to the file: /​var/​www/​smestorage/​public_html/​config.inc.php below the line:  var $ssl_version = '​tls';​ 
-<​code>​ 
-vi /​var/​www/​smestorage/​public_html/​config.inc.php 
-</​code>​ 
- 
-For example, if the backend storage providers Minio and Ceph have self-signed certificates the following will be added: 
- 
-    var $ssl_version = '​tls';​ 
-    var $ssl_certificates_minio = '​0';​ 
-    var $ssl_certificates_ceph = '​0'; ​ 
- 
-Once added, save the config.inc.php file and confirm normal Enterprise File Fabric operation against altered storage providers by logging into web console as an Organization Administrator then upload and download a file. 
  
 === Upgrade === === Upgrade ===
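Review bot: Removing the whole "Checking storage certificates" block leaves no certificate check between the backup step and "=== Upgrade ===". An operator who skips the link in the prerequisites will meet a curl (60) failure only after upgrading, and the context line above states that a database rollback is not supported. Suggest keeping a one-line pointer to the certificates page at this position. Also confirm the destination page retains the note that storage with an expired certificate is never allowed. It should present the per-provider "var $ssl_certificates_... = '0';" setting as a fallback after the storage administrator has tried to correct the certificate, since that setting disables certificate validation for the provider. If the table is moved unchanged, note that its escaped names ("$ssl\_certificates\_minio") do not match the unescaped form in the Minio/Ceph example and are not valid if pasted into config.inc.php.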