Cisco Configuration Engine Installation & Configuration Guide, 3.0
Setting Up CNS Agent Devices for Secure Communication
Setting Up CNS Agent Devices for Secure Communication


You must set up Cisco Networking Services (CNS) agent devices (routers) so that they can communicate securely with the Cisco Configuration Engine server. On the Cisco Configuration Engine server, you must enable Encryption and Authentication settings (see Encryption Settings, page 2-5, and Authentication Settings, page 2-6). This chapter provides the configuration tasks that you must perform to enable secure communication between the CNS agent devices and the Cisco Configuration Engine server.

This chapter contains the following sections:

Understanding CNS Configuration Engine Security

Identification

Authentication

Encryption

Understanding CNS Configuration Engine Security

Security in communication between the Cisco Configuration Engine server and the enabled CNS agent devices (routers) involves three basic functions:

Identification—Unique CNS agent ID. At a minimum, the CNS agent IDs are required for a device to communicate with the Cisco Configuration Engine server.

Authentication—Unique CNS password. The Authentication feature consists of a CNS password that the CNS agents present to the Cisco Configuration Engine server as part of any communication handshake.

Encryption—Secure Sockets Layer (SSL) protocol. The Encryption feature consists of the industry standard Secure Sockets Layer (SSL) protocol, which protects communications between the CNS agent devices and the Cisco Configuration Engine server.

While device identification is mandatory, authentication and encryption are optional features. You can enable either or both of the optional features at any time. Encryption does not require authentication, and authentication does not require encryption.

Each security feature is configured and handled separately by both the Cisco Configuration Engine server and the CNS agent devices.

The following sections provide more information:

Identification

Authentication

Encryption

Identification

This is a mandatory setting. Each CNS agent device (router) must have a unique ID assigned to it before it can start communication with the Cisco Configuration Engine server. You can configure several CNS agents on a single router. Each agent must have a unique ID assigned to it.

To configure CNS agent IDs on a CNS agent device, enter the following command, beginning in global configuration mode:

cns id string <unique string>
cns id string <unique string for event agent> event
cns id string <unique string for image agent> image

Example

Router(config)# cns id string my-asset-tag1
Router(config)# cns id string my-asset-tag1 event 
Router(config)# cns id string my-asset-tag1 image 
Router(config)# end 
Router# 

On the Cisco Configuration Engine server, when setting up a new device object through the user interface, the administrator must specify these CNS agent IDs. The Cisco Configuration Engine server will not accept any agent connection unless the CNS agent device and the IDs are already configured on the server.

Authentication

The Authentication feature consists of a CNS password that the CNS agent device presents to the Cisco Configuration Engine server as part of any communication handshake.

To configure the CNS password on the CNS agent device, enter the following command, beginning in global configuration mode:

cns password <password>

Example

Router(config)# cns password fgfg123
Router(config)# end 
Router# 


Note The cns password command has been intentionally hidden for additional security. You can use the cns password command to set or reset the initial password, but you cannot view the password value after it has been set.


During setup of the Cisco Configuration Engine server, the administrator must assign this CNS password as a global one-time-use password. Then, before the CNS agent device attempts to connect to the Cisco Configuration Engine server, the administrator must enter this one-time-use password in the CNS agent device configuration.

In the Cisco Configuration Engine server Setup program, authentication is enabled when you answer y at the "Enable authentication" prompt (see Authentication Settings, page 2-6). This configures the Cisco Configuration Engine server to expect the password from the CNS agent device. After authentication is enabled, the administrator must use the Cisco Configuration Engine user interface to reconfigure the actual password. For the procedure, see the "Security Manager" section in the Cisco Configuration Engine Administration Guide.

Encryption

Cisco Configuration Engine uses Secure Sockets Layer (SSL) as the encryption mechanism for HTTP sessions between the CNS agent devices and the Cisco Configuration Engine server. You enable encryption on the Cisco Configuration Engine server in the Setup program (see Encryption Settings, page 2-5). To enable encryption on CNS agent devices, follow these steps:


Step 1 Set the Cisco IOS trust point on the CNS agent device. When the crypto ca authenticate command displays the CA certificate fingerprint, compare it with the fingerprint obtained from the CA administrator before answering yes; accepting an unverified fingerprint defeats the purpose of the trust point.

Example

Router# config terminal
Router(config)# crypto ca trustpoint cisco.com
Router(ca-trustpoint)# enrollment mode ra
Router(ca-trustpoint)# enrollment url http://gilligan:80/
Router(ca-trustpoint)# usage ssl-client
Router(ca-trustpoint)# revocation-check none
Router(ca-trustpoint)# exit
Router(config)# crypto ca authenticate cisco.com
Certificate has the following attributes:
Fingerprint: 1D74D54A 464207FD 81831A4D 67B5619B
% Do you accept this certificate? [yes/no]: yes
Trust point CA certificate accepted.
Router(config)# end
Router#
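The fingerprint prompt in the example above is the only point at which the router's trust in the CA is established, so the administrator needs the expected fingerprint from an independent source before answering. The following Python helper is an added example, not part of the Cisco guide or the Configuration Engine product: it computes the fingerprint of a DER-encoded CA certificate in the grouped upper-case format IOS prints, and compares a fingerprint as shown on the router with the expected one regardless of case or separator. It assumes that the 32-hex-digit value in the example is the MD5 digest of the DER certificate (inferred from its length; later IOS releases also print SHA1, which the helper computes as well). The certificate bytes in the block are a constructed stand-in, not a real certificate.

```python
import hashlib
import re


def format_fingerprint(digest):
    """Render a digest the way the IOS 'crypto ca authenticate' prompt shows it:
    upper-case hex in groups of eight characters separated by spaces."""
    hexstr = digest.hex().upper()
    return " ".join(hexstr[i:i + 8] for i in range(0, len(hexstr), 8))


def ios_fingerprints(der_bytes):
    """Return MD5 and SHA1 fingerprints of a DER-encoded certificate.

    Assumption: the 32-hex-digit fingerprint in the chapter's example is the MD5
    digest of the DER bytes; SHA1 is included for releases that print both."""
    return {
        "md5": format_fingerprint(hashlib.md5(der_bytes).digest()),
        "sha1": format_fingerprint(hashlib.sha1(der_bytes).digest()),
    }


def fingerprint_matches(shown, expected):
    """Compare the fingerprint displayed on the router with the expected value.

    Case and separators (spaces or colons) are ignored; anything that is not a
    full MD5 (32 hex digits) or SHA1 (40 hex digits) fingerprint is rejected."""
    def norm(s):
        return re.sub(r"[^0-9a-f]", "", s.lower())
    return len(norm(expected)) in (32, 40) and norm(shown) == norm(expected)


# Constructed stand-in for a CA certificate's DER bytes (not a real certificate).
SAMPLE_DER = bytes(range(256)) * 4

if __name__ == "__main__":
    # In practice: der = open("ca.cer", "rb").read() for the CA's certificate file.
    for algo, fp in ios_fingerprints(SAMPLE_DER).items():
        print(f"{algo.upper()} fingerprint: {fp}")
```

Run it against the CA certificate file you obtained out of band, then compare its output with the "Fingerprint:" line the router prints before accepting the certificate.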

Step 2 Enable encryption on the CNS agent devices. Do any or all of the following as needed:

To enable encryption on the CNS event agent, enter the following command, beginning in global configuration mode:

cns event configserver.cisco.com encrypt 11012 keepalive 60 3

Example

Router(config)# cns event configserver.cisco.com encrypt 11012 keepalive 60 3
Router(config)# end 
Router#

To enable encryption on the CNS configuration agent for partial configuration, enter the following command, beginning in global configuration mode:

cns config partial configserver.cisco.com encrypt 443

Example

Router(config)# cns config partial configserver.cisco.com encrypt 443 
Router(config)# end 
Router#

To enable the encryption on the CNS configuration agent for initial configuration, enter the following command, beginning in global configuration mode:

cns config initial configserver.cisco.com encrypt 443 event syntax-check no-persist inventory

Example

Router(config)# cns config initial configserver.cisco.com encrypt 443 event syntax-check no-persist inventory
Router(config)# end 
Router#

To enable encryption on the CNS exec agent, enter the following command, beginning in global configuration mode:

cns exec encrypt 443

Example

Router(config)# cns exec encrypt 443 
Router(config)# end 
Router#

To enable encryption on the CNS configuration agent for config retrieve, enter the following command, beginning in EXEC mode:

cns config retrieve configserver.cisco.com encrypt 443 event syntax-check no-persist

Example

Router> enable 
Router# cns config retrieve configserver.cisco.com encrypt 443 event syntax-check no-persist
Router#
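Because the Identification, Authentication and Encryption settings in this chapter are each applied by separate commands, and the encrypt keyword must be given per agent, it is easy to prepare a configuration in which one CNS agent is encrypted and another still talks in cleartext. The following Python script is an added example, not part of the Cisco guide or the Configuration Engine product: it parses a prepared CNS agent configuration (the commands you intend to apply, rather than show running-config output, because the note in the Authentication section says the password is hidden once set) and reports, for each of the three security functions, what is missing. The sample configuration embedded in the block is constructed for the example and deliberately mixes secured and unsecured agents; the finding texts and the function names are this example's own.

```python
import re

# Constructed sample (not from a real device): a prepared CNS agent configuration
# that deliberately mixes secured and unsecured agent settings.
SAMPLE_CONFIG = """\
hostname branch-rtr
!
crypto ca trustpoint cisco.com
 enrollment mode ra
 enrollment url http://gilligan:80/
 usage ssl-client
 revocation-check none
!
cns id string my-asset-tag1
cns id string my-asset-tag1 event
cns password fgfg123
cns event configserver.cisco.com encrypt 11012 keepalive 60 3
cns config partial configserver.cisco.com 80
cns exec 80
"""

# Agents that take the 'encrypt' keyword in global configuration mode.
AGENT_RE = re.compile(r"^cns (event|config (?:partial|initial)|exec)\b(.*)$")


def parse_cns_config(text):
    """Collect CNS IDs, password presence, per-agent encrypt flags and trust points."""
    state = {"ids": {}, "password": False, "agents": {}, "trustpoints": {}}
    current_tp = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" ") and current_tp is not None:
            # Indented line inside a 'crypto ca trustpoint' block.
            state["trustpoints"][current_tp].add(line.strip())
            continue
        current_tp = None
        m = re.match(r"^crypto (?:ca|pki) trustpoint (\S+)$", line)
        if m:
            current_tp = m.group(1)
            state["trustpoints"].setdefault(current_tp, set())
            continue
        m = re.match(r"^cns id string (\S+)(?: (event|image))?$", line)
        if m:
            state["ids"][m.group(2) or "default"] = m.group(1)
            continue
        if line.startswith("cns password "):
            state["password"] = True
            continue
        m = AGENT_RE.match(line)
        if m:
            agent, rest = m.group(1), m.group(2).split()
            state["agents"][agent] = {"encrypt": "encrypt" in rest, "line": line}
    return state


def audit_cns_config(text):
    """Map the chapter's three security functions onto findings for a prepared config."""
    s = parse_cns_config(text)
    findings = []
    # Identification is mandatory: without a CNS ID the server rejects the connection.
    if not s["ids"]:
        findings.append("identification: no 'cns id string' configured (mandatory)")
    # Authentication is optional, so its absence is reported but not treated as an error.
    if not s["password"]:
        findings.append("authentication: no 'cns password' configured (optional)")
    # Encryption needs a trust point usable for SSL client authentication of the server.
    ssl_tps = [n for n, subs in s["trustpoints"].items() if "usage ssl-client" in subs]
    for name, subs in s["trustpoints"].items():
        if "revocation-check none" in subs:
            findings.append(f"trustpoint {name}: revocation checking disabled")
    for agent, info in sorted(s["agents"].items()):
        if not info["encrypt"]:
            findings.append(f"encryption: '{agent}' agent configured without 'encrypt'")
        elif not ssl_tps:
            findings.append(
                f"encryption: '{agent}' agent uses encrypt but no trustpoint has 'usage ssl-client'"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_cns_config(SAMPLE_CONFIG):
        print(finding)
```

On the sample, the event agent passes, while the config partial and exec agents are flagged as cleartext and the trust point is flagged for revocation-check none, which mirrors the chapter's own example and is worth a conscious decision rather than a default.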