Obtaining a CA from your Atmos-Powered Cloud Storage Service Provider
ARX Cloud Extender (CE) requires a proper SSL CA (Certificate Authority) from your EMC Atmos-powered cloud storage provider to ensure authenticity of the connection. For the most part, the SSL CA’s have a long life and the instructions here shouldn’t be required frequently.
This Tech Tip explains the following:
- How to recognize this problem
- Steps for obtaining and installing an SSL CA from your service provider
- Steps for installing the SSL CA on your ARX CE system
When migrate or demigrate operations are attempted by ARX CE from your cloud Atmos-powered storage provider, a network connection is made to the service providers endpoint. This is an SSL connection and it requires the service provider to have a valid SSL CA.
If ARX CE does not have the correct CA, data cannot be migrated or demigrated from your cloud storage provider to your ARX CE system because ARX CE will refuse to complete the connection setup until the certificate is in order.
How to Recognize the Problem
For migrate operations (copying data from your ARX CE system to your cloud storage service provider), you will see immediate failures from the ARX CE control panel, an excerpt is below:
Click on the job’s log file, in this case, the “RUN migrate-att log” link and look at the errors. The one circled in red is the indication the SSL CA is out of date:
Note: Other errors may be indicative of a different problem.
The “console.log” file will also show this error. “console.log” can be found in your ARX CE agent directory, which is typically “C:\Program Files\F5 ARX CE agent”
Obtaining a new SSL CA can be done with Internet Explorer using the following steps. The screen shots below are from IE 8. We’ll also use AT&T’s Synaptic StaaS for our example, which is Atmos-powered.
- Browse to the URI for their service: https://storage.synaptic.att.com/rest (Note: your service provider can give you this URI if you do not have it).
- The following screen shows up (partial screen shot). On this screen, click on the padlock icon circled in red, then click on :”View Certificates”:
- The following (or similar) screen is presented. On this screen, click on the “Certification Path” tab, which is circled in red:
- On the “Certification Path” screen, a certificate path is shown. Click on the top-level certificate, the one shown below highlighted in blue and circled in red, then click the “View Certificate” button:
- When the new Certificate screen is shown, click on the “Details” tab, which is circled in red, then click “Copy to File…”, which will bring up the certificate export wizard and/or screen.
- The export file format is important, it must be Base-64 encoded X.509 (.CER), as shown below in red:
- On the next page, enter the file name, then click next. If you are running this procedure directly on your ARX CE agent system, you can save the file directly into the Atmos certificates folder, which is by default “C:\Program Files\F5 ARX CE agent\plugins\atmosca” (if you chose a different install directory, the relative path is “plugins\atmosca”. If you are doing this procedure on a non ARX CE agent host, simply save it to a local directory, then manually copy the certificate to the appropriate ARX CE agent systems.
- Be sure the former certificate file for your service provider is removed (or overwritten with the new certificate).
- Restart the F5 ARX CE Agent service:
- Retry your migrate policy task and verify the errors are no longer present.
Firefox and Google Chrome have similar methods for viewing and extracting SSL certificates.
When migrate jobs fail due to the ERR_SSLTRUSTSTORE_VERIFYCONNECTION_FAILED error in your ARX task log, the SSL CA is not in order. This Tech Tip illustrates how to obtain an update certificate, store it on your ARX CE agent host, and restart the service to enable use of the new certificate.
http://askf5.f5.com – F5’s repository of product information, manuals, and much more. You can find the ARX CE Administrator’s Guide here, which also explains this procedure.
http://en.wikipedia.org/wiki/Transport_Layer_Security - TLS/SSL overview, including the function of the SSL certificate.
http://en.wikipedia.org/wiki/Certificate_authority - explanation and information on Certificate Authorities.
JC Ferguson has been working in the storage domain for over 9 years and was instrumental in the invention and delivery of the ARX storage virtualization switch at Acopia Networks. F5 acquired Acopia Networks in 2007, and since then JC has continued his role as ARX product architect and project leader. Recently, JC focused on cloud storage and was instrumental in bringing the ARX CE product to market in February 2011.