Storage Provider Certificates

Version 1712 and above of the Enterprise File Fabric, by default, apply more stringent requirements on SSL/TLS certificates. This affects storage providers that are accessed over HTTPS. In particular, providers with self-signed certificates and certificates with missing intermediate chains will now return errors. These certificates can either be corrected by the storage administrator or the Enterprise File Fabric can be set to allow these certificates.

Validating Storage Certificates

Log into the Enterprise File Fabric as the “smeconfiguser” and run the following command against all storage providers accessed over HTTPS:

curl https://fqdn.backendstorage.com

If curl returns any error of type (60), the storage provider will no longer work with the defaults in v1712.

Examples:

Broken chain

curl https://storageFQDN
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

Self-Signed Certificate

curl https://storageFQDN
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.

Expired Certificate

curl https://storageFQDN
curl: (60) Peer's Certificate has expired.

Note: The Enterprise File Fabric will not allow use of storage with an expired certificate

Disabling certificate validation

Storage Made Easy always recommends the use of valid certificates from signed public authorities. However, to preserve functionally with storage providers added prior to v1712, the following procedure will disable certificate validation:

For each storage type that fails curl validation an entry will need to be made in config.inc.php. Find below the list of valid storage providers and the accompanying variable to disable provider certificate validation:

Storage Type variable
Amplidata var $ssl_certificates_amplidata = '0';
BlueMix Object Storage var $ssl_certificates_bluemix = '0';
Caringo Swarm var $ssl_certificates_caringoswarm = '0';
Ceph var $ssl_certificates_ceph = '0';
Cleversafe var $ssl_certificates_cleversafe = '0';
Cloudian var $ssl_certificates_cloudian = '0';
Dell EMC Elastic Cloud Storage var $ssl_certificates_dellemc = '0';
EMC Atmos S3 var $ssl_certificates_atmoss3 = '0';
HostingSolutions.it var $ssl_certificates_hostsolit = '0';
HPHelion var $ssl_certificates_hphelion = '0';
IBM Cloud Object Storage var $ssl_certificates_ibmcloud = '0';
Igneous var $ssl_certificates_igneous = '0';
Leonovus var $ssl_certificates_leonovus = '0';
Minio Object Storage var $ssl_certificates_minio = '0';
Mirantis var $ssl_certificates_mirantis = '0';
Open S3 - S3 Compatible Cloud var $ssl_certificates_opens3 = '0';
OpenIO var $ssl_certificates_openio = '0';
OpenStack var $ssl_certificates_openstack = '0';
SoftLayer var $ssl_certificates_softlayer = '0';
Swift v3 var $ssl_certificates_swift = '0';
SwiftStack var $ssl_certificates_swiftstack = '0';

If you wish to disable certificate validation for a storage provider that is not on this list, please contact SME at: support@storagemadeeasy.com

Log into the SME appliance as smeconfiguser e.g.

ssh smeconfiguser@cloudfiles.company.com

Change user to root

su -

Add the required variables to the file: /var/www/smestorage/publichtml/config.inc.php below the line: var $sslversion = 'tls';

vi /var/www/smestorage/public_html/config.inc.php

For example, if the backend storage providers Minio and Ceph have self-signed certificates the following will be added:

var $ssl_version = 'tls';
var $ssl_certificates_minio = '0';
var $ssl_certificates_ceph = '0'; 

Once added, save the config.inc.php file and confirm normal Enterprise File Fabric operation against altered storage providers by logging into web console as an Organization Administrator then upload and download a file.