Cisco MDS 9000 Family Storage Media Encryption Configuration Guide
Creating Self-Sign certificates
Downloads: This chapterpdf (PDF - 138.0KB) The complete bookPDF (PDF - 10.16MB) | Feedback

Provisioning Self-Sign Certificates

Table Of Contents

Provisioning Self-Sign Certificates

Configuring SSL for Cisco SME

Creating CA Certificates

Generating KMC Certificate

Generating and Installing Self-Signed Certificates

Editing SSL Settings in Cisco Fabric Manager Web Client


Provisioning Self-Sign Certificates


The Secure Socket Layer (SSL) protocol secures the network communication and allows data to be encrypted before transmission and provides security. Many application servers and Web servers support the use of keystores for SSL configuration.

This appendix also includes information on how to select the RSA Key Manager.

This appendix includes the following sections:

Configuring SSL for Cisco SME

Generating and Installing Self-Signed Certificates

Editing SSL Settings in Cisco Fabric Manager Web Client

Configuring SSL for Cisco SME

A certificate is an electronic document that you use to identify a server, a company, or some other entity and to associate that identity with a public key.

Certificate authority (CA) are entities that validate identities and issue certificates. The certificate that the CA issues binds a particular public key to the name of the entity that the certificate identifies (such as the name of a server or device). Only the public key that the certificate certifies works with the corresponding private key that is possessed by the entity that the certificate identifies. Certificates help prevent the use of fake public keys for impersonation.

You must install a third-party tool such as the OpenSSL application to generate a certificate request. In Windows, by default, openssl.exe is located at c:\openssl\bin.

Before configuring the SSL, consider the following:

Ensure that the time in all the switches, Fabric Manager server and the system running the OpenSSL commands, are all synchronized.

Provide different identities for the CA certificate and KMC certificate.

Only JRE1.6 JAVA keytool is supported for importing PKCS12 certificates to Java Keystores (JKS) files.

This section describes the following topics:

Creating CA Certificates

Generating KMC Certificate

Creating CA Certificates

Before creating the CA certificates, download OpenSSL for Windows from the following link:

http://gnuwin32.sourceforge.net/packages/openssl.htm

To generate the CA certificates, follow these steps:


Step 1 Create a CA certificate using the OpenSSL application. Issue the following command for the 365 day certificate:

OpenSSL> req -x509 -days 365 -newkey rsa:1024 -out cacert.pem -outform PEM -config openssl.conf

This creates a cacert.pem file in the directory with OpenSSL.exe.


Note Access the openssl.config file from the following location:

C:\Program Files\GnuWin32\share


Step 2 Open the CLI and enter the configuration mode.

switch# config t
 
   
Enter configuration commands, one per line.  End with CNTL/Z.
 
   

Step 3 Create a trust point named my_ca.

switch(config)#crypto ca trustpoint my_ca
 
   

Step 4 Create an RSA keypair for the switch in the trustpoint submode.

switch(config-trustpoint)# rsakeypair my_ca_key
 
   

Step 5 Exit the trustpoint submode.

switch(config-trustpoint)# exit
 
   

Step 6 Authenticate the cacert.pem file for the trustpoint by cutting and pasting the contents of the cacert.pem created in Step 1.

switch(config)# crypto ca authenticate my_ca
 
   
input (cut & paste) CA certificate (chain) in PEM format;
end the input with a line containing only END OF INPUT :
----BEGIN CERTIFICATE----
MIIDnjCCAwegAwIBAgIBADANBgkqhkiG9w0BAQQFADCBlzELMAkGA1UEBhMCVVMx
EzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3NlMRowGAYDVQQK
ExFDaXNjbyBTeXN0ZW1zIEluYzEOMAwGA1UECxMFRGV2ZWwxETAPBgNVBAMTCG1h
bWFzc2V5MSEwHwYJKoZIhvcNAQkBFhJtYW1hc3NleUBjaXNjby5jb20wHhcNMDcx
MTIyMDgzNDM1WhcNMDgxMTIxMDgzNDM1WjCBlzELMAkGA1UEBhMCVVMxEzARBgNV
BAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3NlMRowGAYDVQQKExFDaXNj
byBTeXN0ZW1zIEluYzEOMAwGA1UECxMFRGV2ZWwxETAPBgNVBAMTCG1hbWFzc2V5
MSEwHwYJKoZIhvcNAQkBFhJtYW1hc3NleUBjaXNjby5jb20wgZ8wDQYJKoZIhvcN
AQEBBQADgY0AMIGJAoGBAMbZAv0+Ka/FS3/jwdaqItc8Ow3alpw9gyqEzA3uFLjN
tXSfHRu9OsrP5tliHHlJP+fezeAUuVfmMTPrOIxURcF2c7Yq1Ux5s4Ua3cMGf9BG
YBRbhO8Filt2mGDqY5u0mJY+eViR69MZk8Ouj+gRxQq83fB8MqJG39f1BedRcZLB
AgMBAAGjgfcwgfQwHQYDVR0OBBYEFGXsBg7f7FJcL/741j+M2dgI7rIyMIHEBgNV
HSMEgbwwgbmAFGXsBg7f7FJcL/741j+M2dgI7rIyoYGdpIGaMIGXMQswCQYDVQQG
EwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxGjAY
BgNVBAoTEUNpc2NvIFN5c3RlbXMgSW5jMQ4wDAYDVQQLEwVEZXZlbDERMA8GA1UE
AxMIbWFtYXNzZXkxITAfBgkqhkiG9w0BCQEWEm1hbWFzc2V5QGNpc2NvLmNvbYIB
ADAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBAUAA4GBAFmDucZlBZFJk09IihEm
5wd4oouxHsKPQroyG/CYShv1XXAyEGytxuCAITDzMq2IJiFbZt0kIiyuP9YRQLNR
z47G4IRJGp5J2HnOc2cdF8Mc0DDApdgndUiIX/lv7vuQfyxqX45oSncwQct3y38/
FPEbcRgZgnOgwcrqBzKV0Y3+
----END CERTIFICATE----
END OF INPUT
Fingerprint(s): MD5 Fingerprint=1E:18:10:69:7B:C1:CC:EA:82:08:67:FB:90:7D:58:EB
 
   
Do you accept this certificate? [yes/no]:yes
 
   

Step 7 Generate a certificate request for enrolling with the trustpoint created in Step 3.

switch(config)# crypto ca enroll my_ca
 
   
Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:nbv123
The subject name in the certificate will be: ips-vegas8.cisco.com
Include the switch serial number in the subject name? [yes/no]:no
Include an IP address in the subject name [yes/no]:no
The certificate request will be displayed...
 
   
----BEGIN CERTIFICATE REQUEST----
MIIBJTCB0AIBADAfMR0wGwYDVQQDExRpcHMtdmVnYXM4LmNpc2NvLmNvbTBcMA0G
CSqGSIb3DQEBAQUAA0sAMEgCQQCeAzv5w9d32YpPfYdNYoFjOW0yRVbYEe+mNHi8
b2VPOVZ6UOFdhIS1Im0/Xv1Bpcuy4TRktu7whNyyvvu3niVdAgMBAAGgTDAVBgkq
hkiG9w0BCQcxCBMGbmJ2MTIzMDMGCSqGSIb3DQEJDjEmMCQwIgYDVR0RAQH/BBgw
FoIUaXBzLXZlZ2FzOC5jaXNjby5jb20wDQYJKoZIhvcNAQEEBQADQQBzPcKE3Eje
TjODnPXNkz1WsU3oUdsuxOT/m1OSBZvhBfHICQZZpfS2ILqaQP16LiZCZydHWViN
Q+9LmHUZ4BDG
----END CERTIFICATE REQUEST----
 
   
switch(config)#
 
   

Step 8 Create a file named switch.csr in the OpenSSL.exe directory. Cut and paste the certificate request created in Step 7.

Ensure that you include the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines in the file content.

 
   

Step 9 Generate an identity certificate for this certificate request in the OpenSSL application by entering the following command:

OpenSSL> x509 -req -days 365 -in switch.csr -CA cacert.pem -CAkey privkey.pem -set_serial 01 -out switch.pem

 
   

Step 10 Import the trustpoint certificate at the switch by cutting and pasting the contents of the switch.pem file that was created in Step 9.

switch(config)# crypto ca import my_ca certificate
input (cut & paste) certificate in PEM format:
----BEGIN CERTIFICATE----
MIIB4jCCAUsCAQEwDQYJKoZIhvcNAQEEBQAwgZcxCzAJBgNVBAYTAlVTMRMwEQYD
VQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEaMBgGA1UEChMRQ2lz
Y28gU3lzdGVtcyBJbmMxDjAMBgNVBAsTBURldmVsMREwDwYDVQQDEwhtYW1hc3Nl
eTEhMB8GCSqGSIb3DQEJARYSbWFtYXNzZXlAY2lzY28uY29tMB4XDTA3MTIxNDAy
MzIzOVoXDTA4MTIxMzAyMzIzOVowHzEdMBsGA1UEAxMUaXBzLXZlZ2FzOC5jaXNj
by5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAngM7+cPXd9mKT32HTWKBYzlt
MkVW2BHvpjR4vG9lTzlWelDhXYSEtSJtP179QaXLsuE0ZLbu8ITcsr77t54lXQID
AQABMA0GCSqGSIb3DQEBBAUAA4GBAKR3WAAF/9zMb2u9A42I2cB2G5lucSzndc4P
+O4sYZF5pBt7UpyAs1GKAqivGXVq2FJ2JetX78Fqy7jYCzanWm0tck0/G1dSfr/X
lCFXUuVed9de02yqxARSEx8mX4ifqzYHErHdbi+vDAaMzkUEvHWthOuUZ7fvpoNH
+xhRAuBo
----END CERTIFICATE----
 
   

Step 11 Repeat steps 2 through 9 for all the switches managed by a Fabric Manager server. Ensure that the same trustpoint is used for all the switches in this Fabric Manager server.


Generating KMC Certificate

To generate the KMC server certificate, follow these steps:


Step 1 Generate KMC certificate by entering the following commands in the OpenSSL application:

OpenSSL> genrsa -out sme_kmc_server.key 1024

OpenSSL> req -new -key sme_kmc_server.key -out sme_kmc_server.csr -config openssl.conf

OpenSSL> x509 -req -days 365 -in sme_kmc_server.csr -CA cacert.pem -CAkey privkey.pem -CAcreateserial -out sme_kmc_server.cert

OpenSSL> pkcs12 -export -in sme_kmc_server.cert -inkey sme_kmc_server.key -out sme_kmc_server.p12


Note Access the openssl.config file from the following location:

C:\Program Files\GnuWin32\share


Step 2 Import this PKCS12 keystore to Java Keystores using JAVA keytool (JRE 1.6).

"C:\Program Files\Java\jre1.6.0_02\bin\keytool.exe" -importkeystore -srckeystore sme_kmc_server.p12 -srcstoretype PKCS12 -destkeystore sme_kmc_server.jks -deststoretype JKS


Note Remember the password as it needs to be updated in the properties file.


Step 3 Import the CA certificate to Java Keystores using JAVA keytool (JRE 1.6).

"C:\Program Files\Java\jre1.6.0_02\bin\keytool.exe" -importcert -file cacert.pem -keystore sme_kmc_trust.jks -storetype JKS

Step 4 Place these keystore files in mds9000/conf/cert directory.

Step 5 Modify the KMC SSL settings in the Key Manager Settings in Fabric Manager Web Client.

Step 6 Restart the Fabric Manager server.


Note You can also use sme_kmc_server.p12 as KMC server certificate and cacert.pem as KMC trust certificate instead of using Java keystores created in Step 3 and 4.



Generating and Installing Self-Signed Certificates

To configure SSL when KMC is not integrated with Fabric Manager server, follow these steps:


Step 1 Create the required certificates by using the following commands:

switch:./createSmeCerts.tcl
Usage: ./createSmeCerts.tcl [r] [k] [s] [a] [h]
        r       Generate Root CA certificate
        k       Generate KMC server certificate
        s       Generate Switch certificate and configure switch trust point
        a       Generate all certificates and configure switch
        h       Print this usage screen
Usage: ./createSmeCerts.tcl [r] [k] [s] [a] [h]
        r       Generate Root CA certificate
        k       Generate KMC server certificate
        s       Generate Switch certificate and configure switch trust point
        a       Generate all certificates and configure switch
        h       Print this usage screen
 
   
switch:./createSmeCerts.tcl a
Dir to store certificates [] :.
Openssl path [/usr/bin] :
RootCA CN [RootCA] :SMECA
Trust Pass Phrase [nbv123] :nbv123
Certificate Validity days [365] :1024
Trust point name [sme_ca] :
Generating CA certificate ...
 
   
Generated CA certificate /users/filename1/SSL script/./cacert.pem
 
   
Create switch certificate and configure trustpoint ...
 
   
Switch IP [] :switchname
username [] :admin
password [] :
Created certificate and configured trustpoint for switch: ips-hac4
 
   
Do you want to configure another switch? (y/n) [n] :n
Generating KMC certificate ...
 
   
KMC Common Name [] :KMC
Generated KMC certificate: /users/filename1/SSL script/./sme_KMC_server.p12
 
   
switch:./createSmeCerts.tcl k
Dir where RootCA certificate is stored [] :.
Reading properties from /users/filename1/SSL script/./sme_cert.properties
Generating KMC certificate ...
 
   
KMC Common Name [] :FM
Generated KMC certificate: /users/filename1/SSL script/./sme_FM_server.p12
 
   
switch:ls
cacert.pem                openssl_FM.conf      sme_FM_server.cert   sme_KMC_server.csr
cacert.srl                openssl_KMC.conf     sme_FM_server.csr    sme_KMC_server.key
createSmeCerts.tcl*       privkey.pem          sme_FM_server.key    sme_KMC_server.p12
createSmeCerts.tcl.orig*  README*              sme_FM_server.p12    sw_ips.csr
openssl.conf              sme_cert.properties  sme_KMC_server.cert  sw_ips.pem
switch:
 
   

Step 2 Use JAVA keytool (JRE 1.6) to generate Java keystores.

"C:\Program Files\Java\jre1.6.0_02\bin\keytool.exe" -importkeystore -srckeystore 
sme_KMC_server.p12 -srcstoretype PKCS12 -destkeystore sme_kmc_server.jks -deststoretype 
JKS
 
   
"C:\Program Files\Java\jre1.6.0_02\bin\keytool.exe" -importkeystore -srckeystore 
sme_FM_server.p12 -srcstoretype PKCS12 -destkeystore sme_fm_server.jks -deststoretype JKS
 
   
"C:\Program Files\Java\jre1.6.0_02\bin\keytool.exe" -importcert -file cacert.pem -keystore 
sme_kmc_trust.jks -storetype JKS
 
   
"C:\Program Files\Java\jre1.6.0_02\bin\keytool.exe" -importcert -file cacert.pem -keystore 
fmtrust.jks -storetype JKS
 
   

Step 3 Run the following commands for the Fabric Manager server:

Copy sme_fm_server.jks to <FMINSTALL>/jboss/server/default/conf/fmserver.jks
Copy fmtrust.jks to <FMINSTALL>/jboss/server/default/conf/fmtrust.jks
 
   
Go to <FMInstall>/bin
Run ./Encrypter.sh ssl
 
   
Edit <FMInstall>/conf/server.properties; set useSSL=true
 
   

Step 4 Run the following commands for KMC (whether KMC is standalone or integrated with Fabric Manager server):

Copy sme_kmc_server.jks to <FMINSTALL>/conf/cert/sme_kmc_server.jks
Copy sme_kmc_trust.jks to <FMINSTALL>/conf/cert/sme_kmc_trust.jks
 
   
Copy sme_kmc_server.jks to <FMINSTALL>/jboss/server/default/conf/fmserver.jks 
Copy fmtrust.jks to <FMINSTALL>/jboss/server/default/conf/fmtrust.jks
 
   
Go to <FMInstall>/bin
Run ./Encrypter.sh ssl
 
   
Edit <FMInstall>/conf/server.properties; set useSSL=true
 
   
Go to Key Manager settings tab in SME tab on web client. In KMC SSL settings select
sme_kmc_trust.jks as KMC trust and sme_kmc_server.jks as KMC server certificate
 
   

Editing SSL Settings in Cisco Fabric Manager Web Client

You can edit the SSL settings if you chose the Cisco Key Manager.

To edit the SSL settings in the Cisco SME wizard, follow these steps:


Step 1 Log into the Fabric Manager.

Step 2 Click the SME tab and select the Key Manager Settings. The Key Manager Settings window displays.

Step 3 Click Edit SSL Settings.

Step 4 In the KMC SSL settings area, select the SME KMC Trust certificate from the drop-down menu. This is the switch root certificate.


Note You must copy the acerts to the /mds9000/conf/cert directory. Certificates in the conf/cert directory are listed in the drop-down menus.


Step 5 From the drop-down menu, select the SME KMC Server certificate.

The keystore files that are stored in the KMC directory are listed in the drop-down menu.

Step 6 Enter the server certificate password. Confirm the password.

Step 7 Click Submit SSL Settings to apply the changes, or click Cancel. Save the settings.

To change the SSL settings again, click Edit SSL Settings.



Note After editing the SSL settings, restart the Fabric Manager Server.


If On is selected in the Transport Settings during cluster creation, then SSL is enabled on KMC with the following results:

New clusters are created. If Off is selected, cluster creation fails.

Previously created clusters are updated by enabling SSL with trustpoint on the switches. KMC server connection state remains as none until the cluster is updated.

For more information, refer to Selecting Transport Settings.