SNS: Considerations for SSL/TLS with Windows Clients
Summary
Our SNS product ships with a self-signed TLS certificate to support TLS termination for UI and SCSP/S3 client access. Since the primary use case is accessing SNS storage using S3, it may prove necessary to address TLS validation workarounds for S3 clients encountered in the field. This can be handled in one of two ways:
Setting a config option in the Windows S3 client to bypass SSL/TLS validation
Import of the shipped SNS self-signed TLS certificate into the certificate chain of the Windows system
This document will cover both approaches, using the Windows S3 client “S3 Browser” (S3 Browser - Amazon S3 Client for Windows. User Interface for Amazon S3. S3 Bucket Explorer.) as an example.
For more information related to the use of S3 Browser with Swarm, please reference Using S3 Browser with the Content Gateway for additional details.
S3 Browser SSL/TLS Validation Bypass
The option to perform bypass of SSL/TLS checks in S3 Browser can be found in the “Tools → Options → Advanced” dialogue as shown below:
To bypass validation and allow TLS interaction with the SNS S3 storage endpoint, check the box labeled “Bypass SSL/TLS validation (program restart required)” and, as the name suggests, “Save Changes” and then restart S3 Browser. Once this is done, the configured SNS S3 endpoint should function properly.
Caution
Setting validation bypass with S3 Browser will cause it to perform bypass checks for all S3 endpoints configured to use. Since this is a global options setting, use it with caution!
Import of the SNS Self-Signed Certificate into the Windows Certificate Chain
If the above approach is undesirable, you can also extract and import the self-signed certificate associated with the SNS system you wish to connect with. SSH access to the SNS system with ‘root’ privilege will be required to do this. The steps to perform are:
Log into the SNS system with an SSH client as an appropriate user.
In our case, the account name is ‘datacore’ so we SSH into the SNS as a user ‘datacore’ using password authentication:datacore@192.168.1.156's password: ┌──────────────────────────────────────────────────────────────────────┐ │ • MobaXterm Personal Edition v24.1 • │ │ (SSH client, X server and network tools) │ │ │ │ ⮞ SSH session to datacore@192.168.1.156 │ │ • Direct SSH : ✓ │ │ • SSH compression : ✓ │ │ • SSH-browser : ✓ │ │ • X11-forwarding : ✓ (remote display is forwarded through SSH) │ │ │ │ ⮞ For more info, ctrl+click on help or visit our website. │ └──────────────────────────────────────────────────────────────────────┘ Welcome to Perifery Kubernetes Swarm Appliance System information as of Wed May 8 08:17:36 PM UTC 2024 System load: 0.94 Usage of /: 5.2% of 99.95GB Memory usage: 68% Swap usage: 0% Temperature: 63.0 C Processes: 393 Users logged in: 0 IPv4 address for enp0s31f6: 192.168.1.156 IPv6 address for enp0s31f6: 2605:a601:a0c8:b700::212 IPv6 address for enp0s31f6: 2605:a601:a0c8:b700:1a66:daff:fe45:8d62 Swarm Appliance information as of Wed May 8 20:17:36 UTC 2024 Swarm Appliance status: NotReady When ready, Swarm Appliance UI: http://optiplex01.local:9010/ui Last login: Wed May 8 20:08:03 2024 from 192.168.1.198 datacore@optiplex01:~$
Info
Logging will depend on how the SNS system was configured when the base OS was installed and “sudo enabled” account was created.
Escalate your privilege to ‘root’ using ‘
sudo -i
':datacore@optiplex01:~$ sudo -i [sudo] password for datacore: root@optiplex01:~#
Extract the self-signed SSL/TLS certificate associated with the SNS system using the following command:
root@optiplex01:~# kubectl get secret ssa-stack-issuer-secret -n swarm -o json | jq -r '.data."ca.crt"' | base64 -d > sns.pem root@optiplex01:~# cat sns.pem -----BEGIN CERTIFICATE----- MIIBeDCCAR2gAwIBAgIRAMYYfAZYgRfEY+X9HeTsEF8wCgYIKoZIzj0EAwIwGzEZ MBcGA1UEAxMQc3NhLXN0YWNrLWlzc3VlcjAeFw0yNDA1MDgxNjU0MzFaFw0yNDA4 MDYxNjU0MzFaMBsxGTAXBgNVBAMTEHNzYS1zdGFjay1pc3N1ZXIwWTATBgcqhkjO PQIBBggqhkjOPQMBBwNCAARpYRqbTYhGRKOlIdwJzaOeYCTqszsRRQq9wBNMTdB1 qxUICmGED/mfEbj029QrRE6oPuc+3g7jKtKy7I/aufoqo0IwQDAOBgNVHQ8BAf8E BAMCAqQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUPmGOXrxKld1/6AfHSaql +bGUfi4wCgYIKoZIzj0EAwIDSQAwRgIhAKhu+BwAyoUlvqRtO2sPO8KGVa3iHBUz hyb+VwIKklb6AiEAyOqWwLSXBBi3ENmtAnecGEhC90incs+CqHqpJQJFrYo= -----END CERTIFICATE----- root@optiplex01:~# openssl x509 -in sns.pem -text Certificate: Data: Version: 3 (0x2) Serial Number: c6:18:7c:06:58:81:17:c4:63:e5:fd:1d:e4:ec:10:5f Signature Algorithm: ecdsa-with-SHA256 Issuer: CN = ssa-stack-issuer Validity Not Before: May 8 16:54:31 2024 GMT Not After : Aug 6 16:54:31 2024 GMT Subject: CN = ssa-stack-issuer Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:69:61:1a:9b:4d:88:46:44:a3:a5:21:dc:09:cd: a3:9e:60:24:ea:b3:3b:11:45:0a:bd:c0:13:4c:4d: d0:75:ab:15:08:0a:61:84:0f:f9:9f:11:b8:f4:db: d4:2b:44:4e:a8:3e:e7:3e:de:0e:e3:2a:d2:b2:ec: 8f:da:b9:fa:2a ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment, Certificate Sign X509v3 Basic Constraints: critical CA:TRUE X509v3 Subject Key Identifier: 3E:61:8E:5E:BC:4A:95:DD:7F:E8:07:C7:49:AA:A5:F9:B1:94:7E:2E Signature Algorithm: ecdsa-with-SHA256 Signature Value: 30:46:02:21:00:a8:6e:f8:1c:00:ca:85:25:be:a4:6d:3b:6b: 0f:3b:c2:86:55:ad:e2:1c:15:33:87:26:fe:57:02:0a:92:56: fa:02:21:00:c8:ea:96:c0:b4:97:04:18:b7:10:d9:ad:02:77: 9c:18:48:42:f7:48:a7:72:cf:82:a8:7a:a9:25:02:45:ad:8a -----BEGIN CERTIFICATE----- MIIBeDCCAR2gAwIBAgIRAMYYfAZYgRfEY+X9HeTsEF8wCgYIKoZIzj0EAwIwGzEZ MBcGA1UEAxMQc3NhLXN0YWNrLWlzc3VlcjAeFw0yNDA1MDgxNjU0MzFaFw0yNDA4 MDYxNjU0MzFaMBsxGTAXBgNVBAMTEHNzYS1zdGFjay1pc3N1ZXIwWTATBgcqhkjO PQIBBggqhkjOPQMBBwNCAARpYRqbTYhGRKOlIdwJzaOeYCTqszsRRQq9wBNMTdB1 qxUICmGED/mfEbj029QrRE6oPuc+3g7jKtKy7I/aufoqo0IwQDAOBgNVHQ8BAf8E BAMCAqQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUPmGOXrxKld1/6AfHSaql +bGUfi4wCgYIKoZIzj0EAwIDSQAwRgIhAKhu+BwAyoUlvqRtO2sPO8KGVa3iHBUz hyb+VwIKklb6AiEAyOqWwLSXBBi3ENmtAnecGEhC90incs+CqHqpJQJFrYo= -----END CERTIFICATE----- root@optiplex01:~# openssl x509 -in sns.pem -fingerprint -noout SHA1 Fingerprint=3C:C1:32:61:96:69:4D:AC:B6:FF:09:A6:E0:F6:82:B7:36:5E:53:27 root@optiplex01:~#
Info
The last command that gets the PEM fingerprint will be required later when performing the import.
Download/copy the file ‘
sns.pem
' to the Windows system, which will be hosting the S3 client.Once that’s in place, open either ‘
cmd.exe
' or 'powershell.exe
' with "Administrator" privilege.Change the directory to where the file ‘
sns.pem
' was downloaded and then execute the following command:This command shows the successful import message if all goes well.
To confirm that the cert is now in place in the Root store on the Windows system, verify using PowerShell with “Administrator” privilege:
Verify that the fingerprint for the cert that was just imported should look something like this in the output:
Now that the cert from the SNS has been imported, any Windows S3 client configured to conform to SSL/TLS validation while performing SSL/TLS handshake (such as default for S3 Browser, etc.) will successfully connect to the SNS system.
© DataCore Software Corporation. · https://www.datacore.com · All rights reserved.