Storage Provider Certificates
Version 1712 and above of Access Anywhere, by default, apply more stringent requirements on SSL/TLS certificates. This affects storage providers that are accessed over HTTPS. In particular, providers with self-signed certificates and certificates with missing intermediate chains will now return errors. These certificates can either be corrected by the storage administrator or Access Anywhere can be set to allow these certificates.
Validating Storage Certificates
Log into Access Anywhere as the “smeconfiguser” and run the following command against all storage providers accessed over HTTPS:
curl https://fqdn.backendstorage.com
If curl returns any error of type (60), the storage provider will no longer work with the defaults in v1712.
Examples:
Broken chain
curl https://storageFQDN curl: (60) Peer's Certificate issuer is not recognized. More details here: http://curl.haxx.se/docs/sslcerts.html
Self-Signed Certificate
curl https://storageFQDN curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
Expired Certificate
curl https://storageFQDN curl: (60) Peer's Certificate has expired.
Note: Access Anywhere will not allow use of storage with an expired certificate
Disabling certificate validation
We always recommend the use of valid certificates from signed public authorities. However, to preserve functionally with storage providers added prior to v1712, the following procedure will disable certificate validation:
For each storage type that fails curl validation an entry will need to be made in config.inc.php. Find below the list of valid storage providers and the accompanying variable to disable provider certificate validation:
| Storage Type | variable |
|---|---|
| Amplidata | var $ssl_certificates_amplidata = '0'; |
| BlueMix Object Storage | var $ssl_certificates_bluemix = '0'; |
| Caringo Swarm | var $ssl_certificates_caringoswarm = '0'; |
| Ceph | var $ssl_certificates_ceph = '0'; |
| Cleversafe | var $ssl_certificates_cleversafe = '0'; |
| Cloudian | var $ssl_certificates_cloudian = '0'; |
| Dell EMC Elastic Cloud Storage | var $ssl_certificates_dellemc = '0'; |
| EMC Atmos S3 | var $ssl_certificates_atmoss3 = '0'; |
| HostingSolutions.it | var $ssl_certificates_hostsolit = '0'; |
| HPHelion | var $ssl_certificates_hphelion = '0'; |
| IBM Cloud Object Storage | var $ssl_certificates_ibmcloud = '0'; |
| Igneous | var $ssl_certificates_igneous = '0'; |
| Leonovus | var $ssl_certificates_leonovus = '0'; |
| Minio Object Storage | var $ssl_certificates_minio = '0'; |
| Mirantis | var $ssl_certificates_mirantis = '0'; |
| Open S3 - S3 Compatible Cloud | var $ssl_certificates_opens3 = '0'; |
| OpenIO | var $ssl_certificates_openio = '0'; |
| OpenStack | var $ssl_certificates_openstack = '0'; |
| SoftLayer | var $ssl_certificates_softlayer = '0'; |
| Swift v3 | var $ssl_certificates_swift = '0'; |
| SwiftStack | var $ssl_certificates_swiftstack = '0'; |
If you wish to disable certificate validation for a storage provider that is not on this list, please contact NAA At: support@nasuni.com
Log into the NAA Appliance as smeconfiguser e.g.
ssh smeconfiguser@cloudfiles.company.com
Change user to root
su -
Add the required variables to the file: /var/www/smestorage/publichtml/config.inc.php below the line: var $sslversion = 'tls';
vi /var/www/smestorage/public_html/config.inc.php
For example, if the backend storage providers Minio and Ceph have self-signed certificates the following will be added:
var $ssl_version = 'tls'; var $ssl_certificates_minio = '0'; var $ssl_certificates_ceph = '0';
Once added, save the config.inc.php file and confirm normal Access Anywhere operation against altered storage providers by logging into web console as an Organization Administrator then upload and download a file.