Table Of Contents
Using Wizards
Using the WebVPNSM Service Setup Wizard
Setting Up a Virtual Gateway
Selecting a Virtual Gateway
Selecting a Certificate Trustpoint
Specifying the SSL Certificate and Private Key
Configuring a Virtual Context
Configuring Authentication and NAT
Selecting an Authentication List
Creating a AAA Server Group
Editing RADIUS Settings
Configuring Network Settings
Configuring a Group Policy
Configuring Clientless Mode
Configuring Thin-Client Mode
WebVPN Access Setup Wizard Summary
Using the Group Policy Setup Wizard
Configuring a Group Policy
Selecting a Virtual Context
Configuring Clientless Mode
Configuring Thin-Client Mode
Configuring Tunnel Mode
Group Policy Setup Wizard Summary
Using the Certificate Trustpoint Setup Wizard
Generating a CSR
Specifying a Trustpoint and RSA Key Pair
Configuring SSL Certificate Attributes
Configuring the Enrollment Method
Authenticating a CA and Importing an SSL Certificate
Using the Copy-and-Paste Method
Using the TFTP Method
Importing a CA Certificate or CA Certificate Chain
Specifying a CA Certificate Source
Specifying the CA Certificate
Specifying the SSL Certificate
Specifying the Certificate File
Importing a CA Certificate Chain
Renewing an SSL Certificate
Regenerating a CSR
Importing a Renewed SSL Certificate
Certificate Trustpoint Setup Wizard Summary
Viewing Trustpoint Configuration Status
Using the Certificate Import Wizard
Specifying Certificate Format and Source
Specifying Certificate and Private Key
Specifying Certificate and Private Key (X.509 PEM - Local Hard Disk)
Specifying Certificates and Private Key (X.509 PEM - Remote System)
Specifying Certificate and Private Key (X.509 PEM - Copy and Paste)
Certificate Import Wizard Summary
Viewing Certificate Import Status
Using the Certificate Export Wizard
Selecting Certificates and Format (PEM, PKCS#12)
Specifying the Destination
Specifying the Destination (X.509 PEM)
Specifying the Destination (PKCS#12)
Specifying Destination Details
Specifying Destination Details (X.509 PEM)
Specifying Destination Details (PKCS#12)
Certificate Export Wizard Summary
Viewing Certificate Export Status
Using Wizards
CVDM-WebVPNSM 1.1 allows you to set up WebVPN Services Module (WebVPNSM) features with the help of wizards, which simplify complex configuration tasks. To access the Wizards page, click Setup at the top of the window and then click Wizards (see Figure 2-1).
Figure 2-1 Wizards Page
CVDM-WebVPNSM provides the following Setup wizards:
• WebVPN Service Setup wizard—This wizard allows you to configure both clientless and thin-client access to the WebVPNSM. See Using the WebVPNSM Service Setup Wizard.
• Group Policy Setup wizard—This wizard allows you to configure the default group policy for users accessing the WebVPNSM. See Using the Group Policy Setup Wizard.
• Certificate Trustpoint Setup wizard—This wizard allows you to enroll and install an SSL certificate onto the WebVPNSM. See Using the Certificate Trustpoint Setup Wizard.
• Certificate Import wizard—This wizard allows you to import both certificates and private keys to the WebVPNSM from an external public-key infrastructure (PKI). See Using the Certificate Import Wizard.
• Certificate Export wizard—This wizard allows you to export certificates and private keys to an external system or another WebVPNSM. See Using the Certificate Export Wizard.
Using the WebVPNSM Service Setup Wizard
The WebVPNSM Service Setup wizard allows you to set up both clientless and thin-client access to this WebVPN Services Module. This wizard consists of the following tasks:
• Setting Up a Virtual Gateway
• Specifying the SSL Certificate and Private Key
• Configuring a Virtual Context
• Configuring Authentication and NAT
• Configuring Network Settings
• Configuring a Group Policy
• Configuring Clientless Mode
• Configuring Thin-Client Mode
Note the following:
• If you launch CVDM-WebVPNSM as a Level 15 user without first setting the enable password for this module, you will not be able to launch this wizard.
• If you have not already configured the AAA new-model on this module, you will be prompted to do so after you launch this wizard.
Step 1
Click Setup at the top of the window and click Wizards in the left-most pane. The main CVDM-WebVPNSM wizard page appears.
Step 2
Select the Set Up Clientless and/or Thin-Client Access radio button.
Step 3
Click Launch the Selected Task.
Setting Up a Virtual Gateway
GUI Element | Action/Description
Set Up a New Virtual Gateway radio button | Click to configure a new virtual gateway.
Use an Existing Virtual Gateway radio button | Select this radio button to choose an existing virtual gateway.
Name field | If you selected the Set Up a New Virtual Gateway radio button, enter the name of the new virtual gateway.
  If you selected the Use an Existing Virtual Gateway radio button:
  a. Click to launch the Virtual Gateways dialog box. See Selecting a Virtual Gateway for more information.
  b. Select a gateway from the table and then click OK.
IP Address field | Enter the IP address of the virtual gateway to be configured.
Secondary check box | Select to specify that the IP address defined in the previous field is not on a network with a direct connection.
  Note When selected, the fields in the WebVPN Interface pane are not available for configuration.
Port (1-65535) field | Specify the port to be used by the virtual gateway. The default is 443.
Admin Status list | Specify whether the virtual gateway is currently up or down.
WebVPN Interface pane | If the IP address you specified for the virtual gateway is the primary IP address, you must configure the corresponding WebVPN interface.
VLAN ID (2-4094) field | Enter the VLAN for the WebVPN interface the virtual gateway belongs to.
IP Address field | Enter the IP address of the WebVPN interface the virtual gateway belongs to.
Subnet Mask list | Either select a subnet mask from the list or enter an appropriate value.
SSL Certificate pane
Select a Certificate Installed on WebVPNSM radio button | Select this radio button to select from a list of SSL certificates that have been installed on the WebVPNSM.
Certificate Trustpoint Name list | Name of the selected certificate Trustpoint.
  a. Click to launch the Certificate Trustpoint Selector dialog box. See Selecting a Certificate Trustpoint for more information.
  b. Select a Trustpoint from the table and then click OK.
Import an SSL Certificate and Private Key for Virtual Gateway radio button | Select to import the corresponding SSL certificate and private key for the virtual gateway being configured.
Certificate Trustpoint Name field | Name of the certificate Trustpoint to be imported.
  If this field is not already populated, enter the name of the appropriate Trustpoint.
Selecting a Virtual Gateway
Note
Since virtual gateways associated with only one virtual context cannot be shared, they are not displayed in this dialog box.
Column | Description
Gateway Name | Name of a virtual gateway configured on the WebVPNSM.
Used by Any Context | Indicates whether a virtual gateway is currently used by a virtual context.
Selecting a Certificate Trustpoint
Column | Description
Trustpoint Name | Name of a certificate Trustpoint.
Subject Name | Description of a Trustpoint.
CA Name | Name of the CA associated with this Trustpoint.
Specifying the SSL Certificate and Private Key
Step 1
Select either the X.509 PEM or PKCS#12 radio button.
Step 2
Enter the information specified in the appropriate table.
X.509 PEM
GUI Element | Action/Description
CA Name list | Do one of the following:
  • If you are specifying a CA certificate that is available on the WebVPNSM, select the corresponding CA name from the list.
  • If you are specifying a CA certificate that is not already available on the WebVPNSM, select the default value <New>.
CA Certificate File list | Click Browse... and navigate to the appropriate CA certificate file.
Private Key File list | Click Browse... and navigate to the appropriate private key file.
Private Key Passphrase field | Enter the passphrase for the private key.
Allow Private Key Export check box | Select to allow the export of private keys.
SSL Certificate File list | Click Browse... and navigate to the appropriate SSL certificate file.
PKCS#12
GUI Element | Action/Description
Protocol list | Select one of the following file transfer protocols:
  • TFTP
  • FTP
  • RCP
  • SCP
IP Address field | Enter the IP address of the certificate source.
Username field | Enter the username for the remote system.
Password field | Enter the password to be used for the remote system.
PKCS#12 File field | Enter the appropriate PKCS#12 filename, specifying the absolute path and the filename.
  Example: d:/tftpboot/certs/cert.p12
Passphrase field | Enter the passphrase used to decrypt the key.
Create Trustpoints for CA Certificates in Certificate Chain check box | Select to create Trustpoints for certificates higher in the hierarchy.
Configuring a Virtual Context
GUI Element | Action/Description
Name field | Enter the name of the new virtual context.
Admin Status list | Specify whether the virtual context is currently up or down.
Title field | Enter the HTML title string that will be displayed in the browser title and on the title bar. The string is limited to 255 characters. The default string is "WebVPN Service."
Logo File list | Custom logo image that is displayed on the login and portal pages.
  Click and then select one of the following:
  • Select Logo File—Launches the Logo File Selector dialog box. Select a logo and then click OK.
  • Clear Logo File—Clears the logo file that is currently selected.
  Note You can only select from graphics that are present in the flash memory of the device. The following file formats are supported: .gif, .jpeg, and .png.
User-Context Mapping check box | Select to enable user mapping for this virtual context.
Domain radio button | Select to associate a domain with the virtual gateway configured in step 1 of the WebVPN Access Setup wizard. Enter the name of the appropriate domain in the provided field.
Virtual Host radio button | Select to associate a virtual host with the virtual gateway configured in step 1 of the WebVPN Access Setup wizard. Enter the name of the appropriate virtual host in the provided field.
VRF Aware check box | Select to make the virtual context VRF-aware.
  A VPN routing and forwarding (VRF) instance consists of an IP routing table, a derived forwarding table, a set of interfaces that use the forwarding table, and a set of rules and routing protocols that determine the information that goes into the forwarding table. In general, a VRF includes the routing information that defines a customer VPN site that is attached to a Provider Edge router.
Create VRF radio button | Select to create a new VRF instance. Enter the name for this VRF instance in the provided field.
Route Designator field | Enter the corresponding route designator for the new VRF instance.
Select VRF radio button | Select this radio button to select an existing VRF instance.
  1. Click to launch the Select VRFs dialog box.
  2. Click OK.
Configuring Authentication and NAT
GUI Element | Action/Description
User Authentication pane
Use Default Authentication (Local) radio button | Select to specify that the local username database is used for authentication.
  Note the following:
  • If the aaa authentication login default <radius, local, none> command has been entered, then the default method list is used.
  • If a default method list is not configured, then the local method list is used.
Select an Authentication Method List radio button | Select this radio button to select an authentication method list that has already been configured on the WebVPNSM.
Method List Name list | Select the authentication method to be used.
  1. Click to launch the Select Authentication List dialog box. See Selecting an Authentication List for more information.
  2. Select a list from the table and then click OK.
Configure a RADIUS Authentication Method List radio button | Select this radio button to configure a RADIUS authentication method list.
Method List name field | Enter the name of the RADIUS authentication method list you are about to create.
RADIUS Server Group list | Specify the authentication, authorization, and accounting (AAA) server group associated with this method list.
  Click and then select one of the following:
  • Create and Use a New Server Group—Launches the Create AAA Server Group dialog box. See Creating a AAA Server Group for more information.
  • Select an Existing Server Group—Launches the Select Server Group dialog box. Select a group and then click OK.
  • Clear the Server Group—Clears the server group that is currently selected.
  Note If you created a new VRF instance or selected an existing one in the previous wizard step, then only the server groups configured for that VRF instance are displayed. Otherwise, all configured server groups are displayed.
RADIUS Parameters... button | Click to launch the Edit RADIUS Settings dialog box. See Editing RADIUS Settings for more information.
Configure an Authentication Domain check box | Select to enable the use of an authentication domain.
Authentication Domain Name field | Enter the domain name to be appended to a username during authentication.
  This feature allows identical usernames in different virtual contexts to use the same service provider AAA server. These usernames are differentiated by the domain name (which is unique across all virtual contexts) specified in this field. When this feature is configured, all usernames in the AAA server must include this domain name. Otherwise, authentication will fail.
NAT pane | The NAT range you specify should be six consecutive IP addresses. If more than six are set, then the first six IP addresses will be used.
Start IP Address field | Enter the first address in the NAT range used by the WebVPNSM to open a server connection.
Subnet Mask list | Either select a subnet mask from the list or enter the appropriate value.
End IP Address field | Enter the last address in the NAT range used by the WebVPNSM to open a server connection.
Selecting an Authentication List
Column | Description
Name | Name of the authentication list.
Type | Type of authentication list.
Method 1 | The name of the method that the device will attempt to use first for authentication. Authentication services identify users before they are permitted access to the network or network services. Authentication provides the method for identifying users, including username and password, challenge and response, messaging support, and, depending on the security protocol selected, encryption.
  A method is a configured server group used for authenticating users. You can configure up to four methods and specify the order in which you want the device to query them. The device attempts to communicate with the first method. If one of the servers in this method authenticates the user, then authentication is successful. If the servers in this method do not respond, then the router uses the next method in the list (see Method 2 through Method 4).
Method 2 | The name of the method that the device will attempt to use for authentication if the servers referenced in method 1 do not respond.
Method 3 | The name of the method that the device will attempt to use for authentication if the servers referenced in method 1 and method 2 do not respond.
Method 4 | The name of the method that the device will attempt to use for authentication if the servers referenced in method 1, method 2, and method 3 do not respond.
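The fallback rule in the Method 1 through Method 4 rows is easy to get wrong in practice: a later method must be consulted only when the earlier one does not answer, never when it answers with a reject. The following Go program is an added example, not code from Cisco or from CVDM-WebVPNSM, that models a method list and the authentication-domain suffix described on the previous wizard page. The server groups are constructed stand-ins (no RADIUS traffic is sent), and the user@domain form used by WithAuthDomain is an assumption; the page only says the domain is appended to the username.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Outcome is what one AAA method (a server group, or the local database)
// reports for a login attempt.
type Outcome int

const (
	Accept     Outcome = iota // a server answered and accepted the credentials
	Reject                    // a server answered and refused the credentials
	NoResponse                // no server in the group answered before its timeout
)

// Method is one entry of an authentication method list. Query stands in for
// the RADIUS exchange; these are constructed stand-ins, not a RADIUS client.
type Method struct {
	Name  string
	Query func(username, password string) Outcome
}

// ErrNoMethodResponded is returned when every method in the list timed out.
var ErrNoMethodResponded = errors.New("no method in the list responded")

// Authenticate walks the list in the order Method 1 through Method 4 are
// tried: a method that does not respond is skipped and the next one is used;
// a method that answers (accept or reject) is final. A reject is not allowed
// to fall through, otherwise a refused login would get a second chance
// against later, possibly more permissive, methods.
func Authenticate(methods []Method, username, password string) (ok bool, decidedBy string, err error) {
	for _, m := range methods {
		switch m.Query(username, password) {
		case Accept:
			return true, m.Name, nil
		case Reject:
			return false, m.Name, nil
		case NoResponse:
			continue // try the next method in the list
		}
	}
	return false, "", ErrNoMethodResponded
}

// WithAuthDomain appends the virtual context's authentication domain to a
// username before the AAA server is queried. The user@domain form is an
// assumption for this example; the page only says the domain is appended.
func WithAuthDomain(username, domain string) string {
	if domain == "" || strings.HasSuffix(username, "@"+domain) {
		return username
	}
	return username + "@" + domain
}

// NewRadiusGroup builds a constructed server group for the demonstration:
// accounts maps usernames (including the domain suffix) to passwords, and
// up=false models a group whose servers never answer.
func NewRadiusGroup(name string, accounts map[string]string, up bool) Method {
	return Method{Name: name, Query: func(u, p string) Outcome {
		if !up {
			return NoResponse
		}
		if pw, found := accounts[u]; found && pw == p {
			return Accept
		}
		return Reject
	}}
}

func main() {
	// Constructed method list: primary RADIUS group (down), backup RADIUS
	// group, then the local username database as a last resort.
	accounts := map[string]string{"alice@vpn.example": "correct horse"}
	list := []Method{
		NewRadiusGroup("RAD-PRIMARY", accounts, false),
		NewRadiusGroup("RAD-BACKUP", accounts, true),
		NewRadiusGroup("LOCAL", map[string]string{"admin@vpn.example": "local-only"}, true),
	}
	user := WithAuthDomain("alice", "vpn.example")
	for _, pw := range []string{"correct horse", "wrong"} {
		ok, by, err := Authenticate(list, user, pw)
		fmt.Printf("user=%s ok=%v decidedBy=%q err=%v\n", user, ok, by, err)
	}
}
```

Run with `go run` and compare the two lines: the correct password is accepted by RAD-BACKUP after RAD-PRIMARY times out, and the wrong password is rejected by RAD-BACKUP without LOCAL ever being asked. If a deployment's default method list ends in `none`, the same walk shows why a timeout on every RADIUS group is the case to alarm on.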
Creating a AAA Server Group
GUI Element | Action/Description
Server Group Name field | Enter the name of the new AAA server group.
Private Server check box | Select to make the servers in this group local (unavailable outside of the group).
IP Address field | Enter the IP address of the server.
Type field | The type of server. This field cannot be edited. Only the RADIUS option is supported.
Authentication Port field | Enter the server port used for authentication requests. The default is 1645.
Accounting Port field | Enter the server port used for accounting requests. The default is 1646.
Key field | Enter the key used when contacting the server.
Confirm Key field | Re-enter the key used when contacting the server.
Timeout (sec) field | Enter the number of seconds that the router should attempt to contact this server before going on to the next server in the group list. The default is 5 seconds. Valid values range from 1 to 1000 seconds.
Editing RADIUS Settings
GUI Element | Action/Description
Timeout (sec) field | Enter the number of seconds that the router should attempt to contact this server before going on to another server. The default is 5 seconds. Valid values range from 1 to 1000 seconds.
Key field | Enter the key used when contacting the RADIUS server.
Confirm Key field | Re-enter the key used when contacting the RADIUS server.
Configuring Network Settings
Note
If you configured a VRF instance in the virtual context configuration page of this wizard, then the settings you specify here apply to that VRF instance. Otherwise, the settings will apply to the default VRF instance.
GUI Element | Action/Description
DNS pane | A list of the name servers already configured on this WebVPNSM is displayed at the bottom of this pane.
Domain Name field | Enter the default domain name that the Cisco IOS software uses to complete unqualified hostnames.
Name Server IP Address field | Specify one or more hosts (up to six) that can function as a name server to supply name information for the DNS.
  Note the following:
  • If no name servers have already been configured, you must configure at least one in order to proceed.
  • This field is not available if the maximum of six name servers has already been configured.
Static Route check box | Select to configure the static route used to access the network.
IP Address field | Enter the destination network address of a static route.
Next Hop field | Enter the IP address of the next hop device.
Mask list | Subnet mask to which the network address configured for the static route belongs. Either select a value from the list or enter the appropriate value.
Metric (1-255) field | Specify the route metric configured for the static route.
WebVPN Interface pane | If an interface already exists within the NAT range you specified in the previous wizard page, you will not be able to modify the following fields. The fields will display the values configured for that interface.
VLAN ID (2-4094) field | Specify the VLAN associated with this WebVPN interface.
IP Address field | Enter the IP address for this WebVPN interface.
Mask list | Subnet mask to which the IP address belongs. Either select a value from the list or enter the appropriate value.
  Note Make sure to specify the same subnet configured in the NAT pane of the previous wizard page.
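Two constraints on this page and the previous one are worth checking before the wizard delivers its commands: the NAT range must supply six consecutive addresses inside one subnet (only the first six are used), and the WebVPN interface address and mask must describe the same subnet as the NAT pane. The Go program below is an added example, not code from Cisco or from CVDM-WebVPNSM; it validates the Start IP Address, End IP Address and Subnet Mask fields and then the WebVPN interface fields against them, using constructed sample values. The six-address figure and the same-subnet rule are taken from the page; the decision to report an interface address that falls inside the six NAT addresses (the situation the WebVPN Interface pane note describes) is this example's own.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
	"net/netip"
)

// The module uses exactly six consecutive addresses from the NAT range.
const natRangeSize = 6

// NATPlan is the checked result of the Start/End/Subnet Mask fields.
type NATPlan struct {
	Start, End netip.Addr
	Subnet     netip.Prefix // subnet derived from the start address and mask
	Used       []netip.Addr // the six addresses the module will actually use
	Warnings   []string
}

// maskBits converts a dotted-decimal mask to a prefix length, rejecting
// non-contiguous masks such as 255.0.255.0.
func maskBits(mask string) (int, error) {
	ip := net.ParseIP(mask)
	if ip == nil || ip.To4() == nil {
		return 0, fmt.Errorf("invalid IPv4 subnet mask %q", mask)
	}
	ones, bits := net.IPMask(ip.To4()).Size()
	if bits == 0 {
		return 0, fmt.Errorf("non-contiguous subnet mask %q", mask)
	}
	return ones, nil
}

func parseV4(s string) (netip.Addr, error) {
	a, err := netip.ParseAddr(s)
	if err != nil || !a.Is4() {
		return netip.Addr{}, fmt.Errorf("invalid IPv4 address %q", s)
	}
	return a, nil
}

func toU32(a netip.Addr) uint32 {
	b := a.As4()
	return binary.BigEndian.Uint32(b[:])
}

// PlanNAT validates the NAT pane fields: the range must lie in one subnet
// and hold at least six addresses; only the first six are used.
func PlanNAT(start, end, mask string) (NATPlan, error) {
	var p NATPlan
	var err error
	if p.Start, err = parseV4(start); err != nil {
		return p, err
	}
	if p.End, err = parseV4(end); err != nil {
		return p, err
	}
	bits, err := maskBits(mask)
	if err != nil {
		return p, err
	}
	p.Subnet = netip.PrefixFrom(p.Start, bits).Masked()
	if !p.Subnet.Contains(p.End) {
		return p, fmt.Errorf("end address %s is outside subnet %s", p.End, p.Subnet)
	}
	if p.End.Less(p.Start) {
		return p, fmt.Errorf("end address %s precedes start address %s", p.End, p.Start)
	}
	count := int(toU32(p.End)-toU32(p.Start)) + 1
	if count < natRangeSize {
		return p, fmt.Errorf("range holds %d addresses; %d consecutive addresses are required", count, natRangeSize)
	}
	if count > natRangeSize {
		p.Warnings = append(p.Warnings, fmt.Sprintf("range holds %d addresses; only the first %d will be used", count, natRangeSize))
	}
	for a, i := p.Start, 0; i < natRangeSize; a, i = a.Next(), i+1 {
		p.Used = append(p.Used, a)
	}
	return p, nil
}

// CheckWebVPNInterface enforces the note on this wizard page: the WebVPN
// interface address and mask must describe the same subnet as the NAT pane.
// inNATRange reports whether the interface address is one of the six NAT
// addresses, the case in which the wizard shows that interface's values.
func CheckWebVPNInterface(p NATPlan, ifAddr, ifMask string) (inNATRange bool, err error) {
	a, err := parseV4(ifAddr)
	if err != nil {
		return false, err
	}
	bits, err := maskBits(ifMask)
	if err != nil {
		return false, err
	}
	if ifSubnet := netip.PrefixFrom(a, bits).Masked(); ifSubnet != p.Subnet {
		return false, fmt.Errorf("WebVPN interface subnet %s does not match NAT subnet %s", ifSubnet, p.Subnet)
	}
	for _, u := range p.Used {
		if u == a {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample values for the NAT pane and the WebVPN interface.
	p, err := PlanNAT("10.20.30.10", "10.20.30.20", "255.255.255.0")
	fmt.Printf("plan=%+v err=%v\n", p, err)
	in, err := CheckWebVPNInterface(p, "10.20.30.1", "255.255.255.0")
	fmt.Printf("interface in NAT range=%v err=%v\n", in, err)
}
```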
Configuring a Group Policy
GUI Element | Action/Description
Policy Name field | Enter the name for this group policy.
Modes
Clientless (supports web-enabled and SSL-enabled applications) check box | Select to enable clientless mode for this group policy. See Configuring Clientless Mode for more information.
Thin-Client (supports nonweb-enabled and non-SSL-enabled applications) check box | Select to enable thin-client mode for this group policy. See Configuring Thin-Client Mode for more information.
Configuring Clientless Mode
GUI Element | Action/Description
Hide URL bar on portal check box | Select to disable the URL bar on the portal page.
URL List Name field | Enter a name for the new URL list (group of URLs).
Heading field | Enter the heading text for the new URL list.
URL Label field | Enter the text displayed for a particular URL.
Link list | Enter the URL that corresponds to the label.
Add button | Click to add a new URL label to the table of existing labels.
URL Label column | Text displayed for a particular URL.
Link column | URL that corresponds to that label.
Remove button | Click to remove the selected URL label from the table.
NBNS Server List Name list | Specify a NetBIOS name service (NBNS) list for common Internet file system (CIFS) name resolution.
  CVDM-WebVPNSM requires NetBIOS to access or share files on remote systems. When you attempt a file-sharing connection to a Windows computer by using its computer name, the file server that you specify corresponds to a specific NetBIOS name that identifies a resource on the network.
IP Address field | Enter the IP address of the NBNS server.
Is Master check box | Select to designate this server as a master browser. Do not select this option for a WINS server.
Configuring Thin-Client Mode
GUI Element | Action/Description
Port Forward List Name field | Enter a name for the list of forwarded ports. The maximum length of the list name is 63 characters.
Add Port Forward Entry pane
Local Port (1024-65535) field | Specify the local TCP port to be used for listening.
  Note Since ports 1 through 1024 are reserved, do not specify a port that falls within this range.
Remote Port (1-65535) field | Specify the TCP port used to connect to the remote server.
Remote Server field | Enter the hostname or IP address of the remote server.
Description field | Enter a short description of the application to be forwarded.
Add button | Click to add to the port forwarding lists table.
Local Port column | Local TCP port used for listening.
Remote Server column | Hostname or IP address of the remote server.
Remote Port column | TCP port used for connecting to the remote server.
Description column | Short description of a port forwarding list.
Remove button | Click to remove the selected port forwarding entry from the port forwarding list.
WebVPN Access Setup Wizard Summary
The summary page of the wizard shows you the information that you entered.
Click Finish to send the commands to the device. The Deliver Configuration to Switch/Module(s) dialog box appears if you have configured CVDM-WebVPNSM to display the accumulated CLI commands after you have completed a wizard (for information on configuring this option, see Editing Preferences).
Note
For more information on the Deliver Configuration to Switch/Module(s) dialog box, see Delivering CLI Commands to the Device.
Using the Group Policy Setup Wizard
The Group Policy Setup wizard consists of the following tasks:
• Entering the general group policy settings for the selected virtual context. See Configuring a Group Policy for more information.
• Entering the settings for at least one of the three modes supported by CVDM-WebVPNSM:
  – Clientless mode—See Configuring Clientless Mode for more information.
  – Thin-Client mode—See Configuring Thin-Client Mode for more information.
  – Tunnel mode—See Configuring Tunnel Mode for more information.
Step 1
Click Setup at the top of the window and click Wizards in the left-most pane. The main CVDM-WebVPNSM wizard page appears.
Step 2
Select the Set Up a WebVPN User Group Policy radio button.
Step 3
Click Launch the Selected Task.
Configuring a Group Policy
GUI Element | Action/Description
Context list | Click to launch the Available Virtual Contexts dialog box. See Selecting a Virtual Context for more information.
Group Policy Name field | Enter the name for this group policy.
Set Policy as Default for Context check box | Select to make this the default group policy.
Modes pane
Clientless (supports web-enabled and SSL-enabled applications) check box | Select to configure clientless mode for this group policy. See Configuring Clientless Mode for more information.
Thin-Client (supports nonweb-enabled and non-SSL-enabled applications) check box | Select to configure thin-client mode for this group policy. See Configuring Thin-Client Mode for more information.
Tunnel (supports all IP applications) check box | Select to configure tunnel mode for this group policy. See Configuring Tunnel Mode for more information.
Do Not Mandate Tunnel radio button | Select to specify that tunnel mode is not required by this group policy.
  Note When selected, all configured modes are operational.
Mandate Tunnel radio button | Select to specify that tunnel mode is required by this group policy.
  Note When selected, you can also configure clientless and thin-client modes. However, only tunnel mode will be operational.
Selecting a Virtual Context
Column | Description
Context | Name of a virtual context.
Default Group Policy | Default group policy configured for this virtual context, if available.
Gateway Service | Gateway service configured for this virtual context, if available.
Configuring Clientless Mode
GUI Element | Action/Description
Hide URL Bar on Portal check box | Select to disable the URL bar on the portal page.
Setup a New URL List radio pane
URL List Name field | Enter a name for the new URL list (group of URLs).
Heading field | Enter the heading text for the URL list.
URL Label field | Enter the text displayed for a particular URL.
Link list | Enter the URL that corresponds to the label.
  Note If this link will be used for Microsoft Outlook Web Access (OWA), append it with /exchange.
Add button | Click to add a new URL label to the table of existing labels.
URL Label column | Text displayed for a particular URL.
Link column | URL that corresponds to that label.
Remove button | Click to remove the selected URL label from the table.
Use an Existing URL List radio pane
URL List Name list | 1. Click to launch the Select URL List dialog box.
  2. Select a list and then click OK.
  The table is populated with the entries configured for the selected URL list.
Heading field | Heading text for a URL list.
URL Label column | Text displayed for a particular URL.
Link column | URL that corresponds to that label.
NBNS Server List Name list | Specify a NetBIOS name service (NBNS) list for common Internet file system (CIFS) name resolution.
  Click and then select one of the following:
  • Create and Use a New NBNS List—Launches the Enter NBNS Server List Name dialog box. Enter the name for the new list and then click OK.
  • Select an Existing NBNS List—Launches the Select NBNS list dialog box. Select a list and then click OK.
  • Clear the NBNS List—Clears the NBNS server list that is currently selected/entered.
  CVDM-WebVPNSM requires NetBIOS to access or share files on remote systems. When you attempt a file-sharing connection to a Windows computer by using its computer name, the file server that you specify corresponds to a specific NetBIOS name that identifies a resource on the network.
IP Address field | Enter the IP address of the NBNS server.
Is Master check box | Select to designate this server as a master browser. Do not select this option for a WINS server.
Configuring Thin-Client Mode
GUI Element | Action/Description
Set Up a New Port Forward List radio button | Select this radio button to create a new port forwarding list. Enter the following information:
  • Port Forward List Name field—Enter a name for the list of forwarded ports. The maximum length of the list name is 63 characters.
  • Local Port (1024-65535) field—Specify the local TCP port to be used for listening. Since ports 1 through 1024 are reserved, do not specify a port that falls within this range.
  • Remote Port (1-65535) field—Specify the TCP port used to connect to the remote server.
  • Remote Server field—Enter the hostname or IP address of the remote server.
  • Description field—Enter a short description of the application to be forwarded.
  • Add button—Click to add to the port forwarding lists table.
Use an Existing Port Forward List radio button | Select this radio button to select from a list of existing port forwarding lists. The values configured for the selected list are populated.
Local Port column | Local TCP port used for listening.
Remote Server column | Hostname or IP address of the remote server.
Remote Port column | TCP port used for connecting to the remote server.
Description column | Short description of a port forwarding list.
Remove button | Click to remove the selected port forwarding entry from the port forwarding list.
  Note This button is not available when the Use an Existing Port Forward List radio button is selected.
Configuring Tunnel Mode
In tunnel mode, the gateway supplies an SSL-VPN client (SVC) IP address to each of the end users that are logged into the gateway.
GUI Element | Action/Description
Tunnel Client Settings pane
Keep Tunnel Client Installed check box | Select to ensure that the SVC remains installed on the end user client PC after the connection is closed. When the SVC remains installed on the end user PC, the end user does not have to download the SVC again when a new connection is established.
Home Page field | Enter the URL of the web page that is displayed when a user logs in. The maximum length for the URL is 255 characters. This setting is disabled by default.
Named Servers pane
Primary WINS field | Specify the primary WINS server.
Default Domain field | Specify the default domain used by the group.
Primary DNS field | Specify the primary DNS server.
Address Pool pane
Set Up a New Pool radio button | Select to create a new address pool by entering its name in the Address Pool Name field.
Select from an Existing Pool radio button | Select this radio button to select from a list of existing address pools.
Address Pool Name field | Do one of the following:
  • If you selected the Set Up a New Pool radio button, enter the name of the new address pool.
  • If you selected the Select from an Existing Pool radio button:
    1. Click to launch the Select Address Pool dialog box.
    2. Select the appropriate pool and then click OK.
IP Address Range fields | In the fields provided, enter the first and last IP address in this address range.
  Note These fields are not available when the Select from an Existing Pool radio button is selected. The address range configured for the selected address pool is used.
Group Policy Setup Wizard Summary
The summary page of the wizard shows you the information that you entered.
Click Finish to send the commands to the device. The Deliver Configuration to Switch/Module(s) dialog box appears if you have configured CVDM-WebVPNSM to display the accumulated CLI commands after you have completed a wizard (for information on configuring this option, see Editing Preferences).
Note
For more information on the Deliver Configuration to Switch/Module(s) dialog box, see Delivering CLI Commands to the Device.
After the group policy has been configured, the virtual context tree is refreshed and displays the new group policy.
Using the Certificate Trustpoint Setup Wizard
The Certificate Trustpoint Setup wizard allows you to enroll an SSL certificate and install it onto the WebVPNSM. Using the wizard, you can do the following:
• Generate a Certificate Signing Request (CSR)—See Generating a CSR.
• Authenticate a CA certificate and import an SSL certificate—See Authenticating a CA and Importing an SSL Certificate.
• Import a CA Certificate or CA Certificate Chain—See Importing a CA Certificate or CA Certificate Chain.
Note
If the CA issuing your certificate is a subordinate CA, then you must first install all of the CA certificates in the certification path.
Step 1
Click Setup at the top of the window and click Wizards in the left-most pane. The main CVDM-WebVPNSM wizard page appears.
Step 2
Select the Generate Certificate Signing Request (CSR) and Enroll with CA radio button.
Step 3
Click Launch the Selected Task. The main page of the Certificate Trustpoint Setup wizard appears.
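The note above (install every CA certificate in the certification path before enrolling under a subordinate CA) and the Create Trustpoints for CA Certificates in Certificate Chain check box on the PKCS#12 import page describe the same requirement from two sides: the module can only validate an SSL certificate once each issuing CA up to the root is present. The Go program below is an added example, not code from Cisco or from CVDM-WebVPNSM. It builds a constructed three-level PKI (root CA, subordinate CA, SSL certificate) in memory, orders an unordered certificate bundle into its certification path so that the CAs needing Trustpoints are identified, and shows that verification fails while the subordinate CA is missing. It works on parsed certificates rather than on a PKCS#12 file, since Go's standard library has no PKCS#12 parser; the ordering and verification logic is the same for either input.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // constructed serial-number counter for the demo PKI

// NewCert issues a certificate for cn, signed by parent/parentKey, or
// self-signed when parent is nil. Constructed demo PKI only; no real CA.
func NewCert(cn string, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// CertificationPath orders an unordered bundle (the contents of a PKCS#12
// file, or several pasted PEM blocks) as SSL certificate first, then each
// issuing CA up to the root: the entries after index 0 are the CAs that
// need their own Trustpoints. A missing link or bad signature is an error.
func CertificationPath(bundle []*x509.Certificate) ([]*x509.Certificate, error) {
	bySubject := make(map[string]*x509.Certificate, len(bundle))
	var leaf *x509.Certificate
	for _, c := range bundle {
		bySubject[string(c.RawSubject)] = c
		if !c.IsCA {
			if leaf != nil {
				return nil, errors.New("bundle holds more than one end-entity certificate")
			}
			leaf = c
		}
	}
	if leaf == nil {
		return nil, errors.New("bundle holds no end-entity certificate")
	}
	path := []*x509.Certificate{leaf}
	for cur := leaf; string(cur.RawIssuer) != string(cur.RawSubject); {
		issuer, ok := bySubject[string(cur.RawIssuer)]
		if !ok {
			return path, fmt.Errorf("issuer %q of %q is not in the bundle", cur.Issuer.CommonName, cur.Subject.CommonName)
		}
		if err := cur.CheckSignatureFrom(issuer); err != nil {
			return path, fmt.Errorf("%q is not signed by %q: %w", cur.Subject.CommonName, issuer.Subject.CommonName, err)
		}
		path = append(path, issuer)
		cur = issuer
	}
	return path, nil
}

// VerifyWithInstalled checks the SSL certificate against the CA certificates
// already installed on the module: self-signed ones act as roots, the rest
// as intermediates. With the subordinate CA missing, verification fails,
// which is why the whole certification path has to be installed first.
func VerifyWithInstalled(leaf *x509.Certificate, installed []*x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	for _, c := range installed {
		if string(c.RawIssuer) == string(c.RawSubject) {
			opts.Roots.AddCert(c)
		} else {
			opts.Intermediates.AddCert(c)
		}
	}
	_, err := leaf.Verify(opts)
	return err
}

func main() {
	root, rootKey, _ := NewCert("Demo Root CA", true, nil, nil)
	sub, subKey, _ := NewCert("Demo Subordinate CA", true, root, rootKey)
	leaf, _, _ := NewCert("webvpn.example.test", false, sub, subKey)
	path, err := CertificationPath([]*x509.Certificate{sub, leaf, root})
	fmt.Println("path error:", err)
	for i, c := range path {
		fmt.Printf("%d: %s (CA=%v)\n", i, c.Subject.CommonName, c.IsCA)
	}
	fmt.Println("root only installed:", VerifyWithInstalled(leaf, []*x509.Certificate{root}))
	fmt.Println("root and sub installed:", VerifyWithInstalled(leaf, []*x509.Certificate{root, sub}))
}
```

The ordering step is what the check box automates: every certificate after the first in the returned path is a CA that the module needs as a Trustpoint. Installing only the root reproduces the failure the note warns about, and CertificationPath reports exactly which issuer is absent, which is more useful than a bare verification error when a customer-supplied bundle arrives incomplete.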
Generating a CSR
To generate a CSR, you first configure a Certificate Trustpoint. You then specify the attributes and enrollment method for the corresponding SSL certificate.
Do the following:
1. Specify a Trustpoint and RSA key pair—See Specifying a Trustpoint and RSA Key Pair.
2. Configure the SSL certificate's attributes—See Configuring SSL Certificate Attributes.
3. Configure the SSL certificate's enrollment method—See Configuring the Enrollment Method.
Specifying a Trustpoint and RSA Key Pair
The Specify Trustpoint and RSA Key Pair wizard page allows you to set up a CA Trustpoint. You can either use an existing key pair for the Trustpoint or generate a new key pair.
Enter the following information and then click Next.
GUI Element | Action/Description
Trustpoint Name list
    Either enter the name of a new Trustpoint or select an existing one.
    To select an existing Trustpoint:
    1. Click to launch the Certificate Trustpoint Selector dialog box (see Selecting a Certificate Trustpoint for more information).
    2. Select a Trustpoint and then click OK.
Task pane
Generate Certificate Signing Request (CSR) radio button
    Select this option to generate a CSR.
Authenticate CA and Import SSL Certificate Obtained using CSR radio button
    Select this option to import the SSL certificate obtained using the CSR.
Install CA Certificate Chain or CA Certificate radio button
    Select this option to install CA certificates in order to complete a certificate chain (SSL termination) or to authenticate servers/clients.
RSA Key Pair pane
Generate a New Key Pair radio button
    Select to generate a new key pair.
Key Pair Name field
    Enter the name of the key pair.
    We recommend that you use a key pair name that matches the Trustpoint name.
Key Size list
    Specify the size of the key, in bits.
    Valid key sizes are 512, 768, 1024, 1536, and 2048.
Allow Private Key Export check box
    Select to make the new key exportable.
    You must select this option to be able to export the private key later in the wizard.
Use an Existing Key Pair radio button
    Select this radio button to select an existing key pair.
Key Pair Name list
    1. Click to launch the Key Pair Selector dialog box (see Selecting a Key Pair for more information).
    2. Select a key pair and then click OK.
Selecting a Key Pair
Column | Description
Key Pair Name
    Name of the key pair.
Key Size
    Size of the key pair, in bits.
Configuring SSL Certificate Attributes
The SSL Certificate Attributes wizard page allows you to enter the SSL certificate attributes for the certificate Trustpoint. Even though it is not mandatory to fill in any of these fields, you should at minimum fill in the common name (CN) field.
The following fields appear in the SSL certificate attributes dialog box.
GUI Element | Action/Description
Subject Distinguished Name (DN) pane
Common Name (CN) field
    Common name to be used.
    Example: server.domain.com, where server is the name of the SSL server that appears in the URL.
Email Address (EA) field
    E-mail address.
Organization Unit (OU) field
    Organization unit name.
    Example: Marketing
Organization (O) field
    Organization/business name.
    Example: Cisco
Locality or City (L) field
    Name of the city the organization is located in.
    Example: San Jose
State or Province (ST) field
    Name of the state/province the organization is located in.
    Example: California
Country Code (C) field
    Two-letter code of the country the organization is located in.
    Example: US
Include WebVPNSM Serial Number check box
    Select to include the serial number of the WebVPNSM in the certificate.
Unstructured (Optional) pane
Unstructured Name field
    (Optional) Enter the Fully Qualified Domain Name (FQDN) of the virtual gateway that will use this certificate.
    Example: server5.domain.com
Subject IP Address field
    (Optional) Enter the IP address of the virtual gateway that will use this certificate.
Other (Optional) pane
Certificate Purpose list
    Select one of three options:
    • Blank (no purpose selected)
    • SSL Server
    • SSL Client
Configuring the Enrollment Method
The Configure Enrollment Method page of the wizard allows you to specify the enrollment parameters for your certificate authority.
Enter the following information and then click Next.
GUI Element | Action/Description
CA list
    Specify the name of the certificate authority (CA):
    • If you are configuring enrollment parameters for a new CA, choose <NEW>.
    • If you want to enroll with a CA that is already configured, select the CA from the list and modify the parameters as needed.
Copy and Paste radio button
    Select to copy and paste an SSL certificate.
Simple Certificate Enrollment Protocol (SCEP) radio button
    Select to use SCEP as the enrollment method.
CA Server URL field
    Enter the URL of the CA server.
Challenge Password field
    Enter a challenge password.
    This password is necessary in the event that you need to revoke your certificate(s). When you ask the CA administrator to revoke your certificate, you must supply this challenge password as a protection against fraudulent or mistaken revocation requests.
Confirm Password field
    Re-enter the challenge password to confirm it.
Retry Count (0-100) field
    Enter the number of enrollment attempts to make.
Auto Renewal and Enrollment check box
    Select to enable auto-enrollment.
Retry Period (1-60 min) field
    Enter the time interval, in minutes, that elapses before the next enrollment retry takes place.
HTTP Proxy field
    Enter the URL of the HTTP proxy to be used for enrollment.
Port field
    Enter the port to be used for enrollment.
TFTP radio button
    Select to use TFTP for enrollment.
CA Server URL field
    Enter the URL of the CA server.
    Example: tftp://ipaddress/Certificates/filename
    The WebVPN Services Module adds the following extensions to the filename you specify:
    • CA certificate—.ca
    • CSR—.req
    • SSL certificate—.crt
The TFTP and cut-and-paste enrollment methods allow you to generate a certificate request and accept certification authority (CA) certificates as well as router certificates. These tasks are accomplished through a TFTP server or through manual cut-and-paste operations.
You may want to use TFTP or manual cut-and-paste enrollment in the following situations:
• Your certificate authority does not support Simple Certificate Enrollment Protocol (SCEP).
• A network connection between the router and the certificate authority is not possible. (With SCEP, the router running Cisco IOS software obtains its certificates over a network connection between the router and the certificate authority.)
Saving a CSR
After you have completed the steps necessary to generate a CSR, the Certificate Signing Request (CSR) dialog box appears, displaying the text of the request.
Step 1
Click Save to File....
Step 2
Enter a filename for the request.
Step 3
Navigate to the directory where you want to save the request and click OK.
Authenticating a CA and Importing an SSL Certificate
This task is applicable only to manual enrollment methods, such as the copy-and-paste and TFTP methods. For Simple Certificate Enrollment Protocol (SCEP), an automatic enrollment method, the CA certificate is authenticated when the certificate request is generated, and as soon as the CA issues the certificate, the device installs it automatically.
See the following sections for more information:
• Using the Copy-and-Paste Method
• Using the TFTP Method
Using the Copy-and-Paste Method
To import the SSL certificate obtained using the CSR via the copy-and-paste method, you first select the Trustpoint used to generate the CSR. You then specify the corresponding CA certificate for that Trustpoint as well as the appropriate SSL certificate.
Note
The authentication of a CA involves the manual verification of the CA certificate's fingerprint.
Do the following:
1. Specify a Trustpoint and RSA key pair—See Specifying a Trustpoint and RSA Key Pair.
2. Specify the CA certificate configured for that Trustpoint—See Specifying the CA Certificate.
3. Specify the appropriate SSL certificate—See Specifying the SSL Certificate.
Using the TFTP Method
To import the SSL certificate obtained using the CSR via the TFTP method, first select the Trustpoint used to generate that CSR and then specify the appropriate certificates.
1. Specify a Trustpoint and RSA key pair—See Specifying a Trustpoint and RSA Key Pair.
2. Specify the appropriate certificate file—See Specifying the Certificate File.
Note the following:
• You specify the same filename for both the CA and SSL certificates.
• When specifying the filename, do not include an extension. When importing the certificates, the WebVPN Services Module appends the extension .ca to the filename for the CA certificate and the extension .crt to the filename for the SSL certificate.
Importing a CA Certificate or CA Certificate Chain
To install either a CA certificate chain or CA certificate, select the Install CA Certificate Chain or CA Certificate radio button from the Specify Trustpoint and RSA Key Pair wizard page. When installing a chain, you need to set up a Trustpoint for each of the CA certificates in that chain. For each of these Trustpoints, the Trustpoint name you specify will be used as the prefix. Optionally, you can modify each of these Trustpoint names when specifying the CA certificates.
If the issuer of your SSL certificate is a subordinate CA, you need to install all of the CA certificates in the certificate chain, from the root CA through the subordinate CA issuing your SSL certificates. You can also use this option to install the CA certificates or CA certificate chains required for SSL client/server authentication.
Importing a CA Certificate (X.509 PEM Format)
To import a CA certificate in the X.509 PEM format, select the X.509 PEM radio button from the CA Certificate Source wizard page and then specify the certificate source. You can import a certificate from either the local hard drive of a client workstation or a TFTP server. You can also copy-and-paste the appropriate certificate information.
For details, see Specifying a CA Certificate Source.
Importing a CA Certificate (X.509 DER Format)
To import a CA certificate in the X.509 DER format, select the X.509 DER radio button from the CA Certificate Source wizard page and then specify a certificate file from the local hard drive of a client workstation.
For details, see Specifying a CA Certificate Source.
Importing a CA Certificate Chain (X.509 PEM Format)
To import a CA certificate chain composed of certificates in the PEM format, select the X.509 PEM radio button from the CA Certificate Source wizard page and then check the Import CA Certificate Chain check box.
For details, see Importing a CA Certificate Chain.
Importing a CA Certificate Chain (PKCS#7 Format)
To import a CA certificate chain in the PKCS#7 format, select the PKCS#7 radio button from the CA Certificate Source wizard page and then specify either a PKCS#7 file or the URL of a SCEP server.
For details, see Specifying a CA Certificate Source.
Specifying a CA Certificate Source
From this wizard page, you can specify the source of the CA certificate you want to import. The following formats are supported:
• X.509 privacy enhanced mail (PEM)
• X.509 DER
• Public-Key Cryptography Standards #7 (PKCS#7)
You can also import a CA certificate chain using either the X.509 PEM or PKCS#7 format.
Note
To import a certificate using SCEP, select the PKCS#7 format.
Step 1
Depending on the format you selected, do the following:
X.509 PEM
a. Select one of the following options:
   – Local Hard Disk—Select this option to import the CA certificate from the client machine.
   – Copy and Paste—Select this option to import the CA certificate using the copy-and-paste method.
   – TFTP—Select this option to import the CA certificate from a TFTP server.
b. (Optional) Select the Import CA Certificate Chain check box to import the certificate chain.
X.509 DER
Click Browse... and navigate to the appropriate CA certificate file.
PKCS#7
Enter the following information:
GUI Element | Action/Description
Simple Certificate Enrollment Protocol (SCEP) radio button
    Select to obtain the CA certificates from a SCEP server.
CA Server URL field
    Enter the URL of the CA server.
Local Hard Disk radio button
    Select to import a certificate file from the local hard disk.
PKCS#7 File list
    Click Browse... and navigate to the appropriate PKCS#7 file.
PKCS#7 CA Certificates pane
CRL Verification list
    Select the certificate revocation list (CRL) verification level:
    • Strict (default)
    • Optional
    • Best Effort
CA Level column
    Level of the CA in the certificate chain.
CA Name column
    Name of the CA.
Trustpoint Name column
    Name of the Trustpoint to which the CA certificate is imported.
Step 2
Click Next to continue.
Specifying the CA Certificate
In this wizard page, you specify the certificate used by the CA issuing the SSL certificate configured in the next wizard page.
Step 1
Enter the information specified in the following table:
CA Name list
    Do one of the following:
    • If you are specifying a CA certificate that is available on the WebVPNSM, select the corresponding CA name from the list.
    • If you are specifying a CA certificate that is not already available on the WebVPNSM, select the default value <New>.
CA Certificate File list
    Click Browse... and navigate to the appropriate CA certificate file.
CA Certificate pane
    If you did not select a CA certificate file from the client machine, copy and paste the appropriate certificate here.
Step 2
Click Next to continue.
Specifying the SSL Certificate
In this wizard page, you specify which SSL certificate to import into the system.
Step 1
Do one of the following:
• Click Browse... and navigate to the appropriate SSL certificate.
• Cut and paste the text of the appropriate certificate into the SSL Certificate pane.
Step 2
Click Next to continue.
Specifying the Certificate File
GUI Element | Description
Protocol field
    Shows the selected file transfer protocol, TFTP.
Server field
    Enter the IP address of the TFTP server from which you want to import the certificate file.
Filename field
    Enter the filename of the certificate you want to import.
Importing a CA Certificate Chain
You can specify all the certificates in a certificate chain and the wizard will create CA Trustpoints for each of the CA certificates.
A suffix is added to the Trustpoint name based on whether the CA certificate is a root or subordinate CA certificate. You can edit the default Trustpoint name by using the CA Trustpoints tab. As the certificates are added, the status of the certificate and certificate chain is displayed.
• If you have selected Local Hard Disk, see Importing a CA Certificate Chain from a Local Hard Disk.
• If you have selected Copy and Paste, see Importing a CA Certificate Chain Using Copy and Paste.
• If you have selected TFTP, see Importing a CA Certificate Chain from a TFTP Server.
Importing a CA Certificate Chain from a Local Hard Disk
Step 1
Configure the Trustpoint name.
Step 2
Specify the CA certificate source as X.509 PEM.
Step 3
Select the Local Hard Disk option.
Step 4
Select the Import CA Certificate Chain check box and then click Next. The Specify CA Certificates page appears.
Step 5
Specify the CA certificates you want to add to the certificate chain.
See Specifying CA Certificates for Certificate Chain for more information.
Step 6
Click Next to continue.
Importing a CA Certificate Chain Using Copy and Paste
Step 1
Configure the Trustpoint name.
Step 2
Specify the CA certificate source as X.509 PEM.
Step 3
Select the Copy and Paste option.
Step 4
Select the Import CA Certificate Chain check box and then click Next. The Specify CA Certificates page appears.
Step 5
Specify the CA certificates you want to add to the certificate chain.
See Specifying CA Certificates for Certificate Chain for more information.
Step 6
Click Next to continue.
Importing a CA Certificate Chain from a TFTP Server
To import a CA certificate chain from a TFTP server:
Step 1
Configure the Trustpoint name.
Step 2
Specify the CA Certificate source as X.509 PEM.
Step 3
Select the TFTP option.
Step 4
Select the Import CA Certificate Chain check box and then click Next. The Specify CA Certificates page appears.
Step 5
Specify the CA certificates you want to add to the certificate chain.
Enter the information specified in the following table.
GUI Element | Action/Description
CA Certificate Chain pane
CRL Verification list
    Select the certificate revocation list (CRL) verification level:
    • Strict (default)
    • Optional
    • Best Effort
CA Level column
    Indicates the level of the CA in the certificate chain.
CA Certificate File column
    Name of a CA certificate file in this certificate chain.
Trustpoint Name column
    Name of the Trustpoint associated with the certificate.
Add... button
    Click to launch the Add CA Certificate dialog box.
    1. In the CA Trustpoint Name field, enter the Trustpoint name for the certificate you want to add.
    2. In the Server IP Address field, enter the IP address of the TFTP server that holds the certificate.
    3. In the Filename list, either enter the filename of the certificate you want to add or select one from the list.
    4. Click OK.
    Note The certificate filename must be in the following format: filename.ca.
Edit... button
    With a certificate selected, click to launch the Edit CA Certificate dialog box. From here, you can modify the settings configured for that certificate.
Remove button
    Click to remove the selected CA certificate.
Note the following:
• The wizard does not validate the certificates or check the completeness of the certificate chain. Make sure that you specify valid CA certificates and that every certificate in the chain is included.
• When specifying the certificates in the certificate chain, add them in hierarchy order, from the root CA through the subordinate CA.
Renewing an SSL Certificate
If your CA requires you to generate a new key pair in order to renew a certificate, you must generate a CSR and then import the renewed SSL certificate. If your CA allows you to use the key pair configured for the expiring certificate, obtain the renewed SSL certificate and then import it.
Regenerating a CSR
To regenerate a CSR, follow the steps described in the "Generating a CSR" section. Note the following:
• If necessary, you can regenerate the key pair.
• If you regenerate the key pair or assign a different key pair, the existing SSL certificate will be deleted.
Importing a Renewed SSL Certificate
To import a renewed SSL certificate, follow the steps described in the "Authenticating a CA and Importing an SSL Certificate" section.
Note
For reenrollment, CA authentication is skipped.
Certificate Trustpoint Setup Wizard Summary
The summary page of the wizard shows you the information that you entered.
Click Finish to send the commands to the device. The Deliver Configuration to Switch/Module(s) dialog box appears if you have configured CVDM-WebVPNSM to display the accumulated CLI commands after you have completed a wizard (for information on configuring this option, see Editing Preferences).
Note
For more information on the Deliver Configuration to Switch/Module(s) dialog box, see Delivering CLI Commands to the Device.
Viewing Trustpoint Configuration Status
The Trustpoint Configuration Status dialog box provides the status of Trustpoint configuration tasks. If a task fails, you can use the information provided for that task in order to troubleshoot the problem.
To proceed, click OK.
Using the Certificate Import Wizard
This wizard allows you to import certificates and private key to WebVPNSM from an external public-key infrastructure (PKI). You can import certificates in X.509 privacy enhanced mail (PEM) format, X.509 Distinguished Encoding Rules (DER) format, Public-Key Cryptography Standards #7 (PKCS#7) format, or PKCS#12 format. The instructions below guide you through the steps based on the format and source of the certificates.
This wizard consists of the following tasks:
• Specifying Certificate Format and Source
• Specifying Certificate and Private Key
Step 1
Click Setup at the top of the window and click Wizards in the left-most pane. The main CVDM-WebVPNSM wizard page appears.
Step 2
Select the Import Certificates and Private Key to WebVPNSM radio button.
Step 3
Click Launch the Selected Task. The main page of the Certificate Import Wizard appears.
Specifying Certificate Format and Source
The Specify Certificate Format and Source page of the wizard allows you to enter the Trustpoint name, format, and source.
You can select any of the following formats and specify the source of the certificates and private key:
• X.509 PEM
• PKCS#12
• X.509 DER
• PKCS#7
X.509 PEM
Step 1
Select one of the following sources:
• Local Hard Disk—Imports certificates from the client workstation.
• Copy and Paste—Imports certificates and key using the copy-and-paste method.
• Remote System—Imports certificates from a remote system using TFTP, FTP, RCP, or SCP.
Step 2
(Optional) Select Import a Certificate Chain to import the certificate chain associated with the Trustpoint. (This option is available only if you select Local Hard Disk or Copy and Paste.)
Step 3
Click Next.
• If you have selected the Local Hard Disk option and the Import a Certificate Chain check box, the next step is to specify certificates and key pairs. See Specifying Certificate and Private Key for Certificate Chain.
• If you have selected the Copy and Paste option and the Import a Certificate Chain check box, the next step is to specify CA certificates. See Specifying CA Certificates for Certificate Chain.
PKCS#12
Step 1
Enter the information specified in the following table.
GUI Element | Action/Description
Protocol list
    Select one of the following file transfer protocols:
    • TFTP
    • FTP
    • RCP
    • SCP
IP Address field
    Enter the IP address of the certificate source.
Username field
    Enter the username for the remote system.
Password field
    Enter the password to be used for the remote system.
PKCS#12 File field
    Enter the PKCS#12 filename, specifying the absolute path and the filename.
    Example: d:/tftpboot/certs/cert.p12
Passphrase field
    Enter the passphrase used to decrypt the key.
Create Trustpoints for CA Certificates in Certificate Chain check box
    Select to create Trustpoints for the CA certificates higher in the hierarchy.
Step 2
Click Next.
X.509 DER
Step 1
Enter the information specified in the following table.
GUI Element | Action/Description
CA Name list
    Do one of the following:
    • If you are specifying a CA certificate that is available on the WebVPNSM, select the corresponding CA name from the list.
    • If you are specifying a CA certificate that is not already available on the WebVPNSM, select the default value <New>.
CA Certificate File list
    Click Browse... and navigate to the appropriate CA certificate file.
Private Key File list
    Click Browse... and navigate to the appropriate private key file.
Private Key Passphrase field
    Enter the passphrase for the private key.
NET Format (Netscape Server/Microsoft IIS) check box
    When selected, you must specify the Rivest Cipher 4 (RC4) passphrase used to encrypt the private key in the NET format. The same passphrase will be used to encrypt the private key in PEM format.
SGC Key check box
    Select if the private key is either an SGC or Microsoft IIS key encrypted in the NET format.
    This check box is active only for a NET format key.
Allow Private Key Export check box
    Select to allow the export of private keys.
SSL Certificate File list
    Click Browse... and navigate to the appropriate SSL certificate file.
Step 2
Click Next.
PKCS#7
The wizard will use the following suffixes when creating the CA Trustpoints:
• Root CA Certificate: -rootCA
• Subordinate CA Certificate: -subCA<level>
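The wizard does not validate the CA certificates or check that the chain is complete (see the note under Importing a CA Certificate Chain from a TFTP Server), and it names the Trustpoints it creates with the -rootCA and -subCA<level> suffixes listed above. The following Python script, added here as an example and not part of CVDM-WebVPNSM or the Cisco documentation, checks a PEM bundle for root-first ordering and issuer/subject continuity before you import it and prints the Trustpoint names the chain would receive; it assumes the first subordinate CA is level 1, reads only the subject and issuer fields with a minimal DER walker (standard library only), and builds its own constructed sample certificates.

```python
import base64
import re

_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def split_pem_bundle(text):
    """Return the DER bytes of each certificate in a PEM bundle, in file order."""
    return [base64.b64decode("".join(body.split()))
            for body in _PEM_CERT.findall(text)]


def der_children(data):
    """Parse the content of a DER constructed value into a list of (tag, value)."""
    out, i = [], 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        i += 2
        if length & 0x80:                      # long-form length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        out.append((tag, data[i:i + length]))
        i += length
    return out


def subject_issuer(der_cert):
    """Return (subject, issuer) as the raw DER Name encodings of an X.509 cert."""
    cert_fields = der_children(der_children(der_cert)[0][1])
    tbs = der_children(cert_fields[0][1])      # tbsCertificate
    if tbs[0][0] == 0xA0:                      # optional [0] EXPLICIT version
        tbs = tbs[1:]
    # tbs is now: serialNumber, signature, issuer, validity, subject, ...
    return tbs[4][1], tbs[2][1]


def plan_trustpoints(prefix, der_certs):
    """Check root-first ordering and return [(trustpoint_name, subject_der)].

    Raises ValueError on the first gap or ordering problem found.
    Level numbering for -subCA<level> starts at 1 (assumption).
    """
    if not der_certs:
        raise ValueError("no certificates found in the bundle")
    names = [subject_issuer(c) for c in der_certs]
    subject, issuer = names[0]
    if subject != issuer:
        raise ValueError("first certificate is not self-signed; "
                         "the chain must start with the root CA")
    plan = [(f"{prefix}-rootCA", subject)]
    for level in range(1, len(names)):
        subject, issuer = names[level]
        if issuer != names[level - 1][0]:
            raise ValueError(f"certificate {level + 1} was not issued by "
                             f"certificate {level}: chain incomplete or out of order")
        plan.append((f"{prefix}-subCA{level}", subject))
    return plan


# --- Helpers that build constructed, unsigned sample certificates for a demo ---

def _der(tag, content):
    """Minimal DER TLV encoder (used only to construct sample input)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def sample_cert(subject_cn, issuer_cn):
    """Return a PEM certificate with only the fields this checker reads filled in."""
    def name(cn):
        attr = _der(0x30, _der(0x06, bytes.fromhex("550403"))      # id-at-commonName
                    + _der(0x0C, cn.encode()))
        return _der(0x30, _der(0x31, attr))
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"340101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")))
               + name(issuer_cn) + validity + name(subject_cn) + _der(0x30, b""))
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))  # empty signature
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(cert).decode()
            + "-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    bundle = (sample_cert("Example Root CA", "Example Root CA")
              + sample_cert("Example Issuing CA", "Example Root CA"))
    for tp_name, _ in plan_trustpoints("corp", split_pem_bundle(bundle)):
        print(tp_name)                         # corp-rootCA, corp-subCA1
```

Run it against the real bundle you intend to import; a ValueError points at the first certificate whose issuer was not supplied before it, which is exactly the case the wizard would silently accept.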
Step 1
Enter the information specified in the following table.
GUI Element | Action/Description
PKCS#7 Certificate File list
    Click Browse... and navigate to the appropriate PKCS#7 certificate file.
Create Trustpoints for CA Certificates in Certificate Chain check box
    Select this option to create Trustpoints for the CA certificates in the chain. After you select this check box, a new set of fields appears below.
    For details, see the entry in this table for the PKCS#7 CA Certificates pane.
Private Key File (PEM) list
    Click Browse... and navigate to the appropriate private key file.
    Note A passphrase protects a PEM file that contains a private key. The PEM file is encrypted with either Data Encryption Standard (DES) or 3DES.
Private Key Passphrase field
    Enter the passphrase used to decrypt the key.
Allow Private Key Export check box
    Select to allow the export of private keys.
PKCS#7 CA Certificates pane
    This pane appears only if you select the Create Trustpoints for CA Certificates in Certificate Chain check box. It lists the PKCS#7 CA certificates configured on the WebVPNSM.
CRL Verification list
    Select the CRL verification level:
    • Strict (default)
    • Optional
    • Best Effort
CA Level column
    Indicates the CA's level in the certificate chain.
CA Name column
    Name of the certification authority.
Trustpoint Name column
    Name of the Trustpoint associated with the certificate.
Step 2
Click Next.
Specifying Certificate and Private Key
In this part of the wizard, you specify the CA and SSL certificates you want to import as well as the appropriate private key. This section contains the following topics:
• Specifying Certificate and Private Key (X.509 PEM - Local Hard Disk)
• Specifying Certificates and Private Key (X.509 PEM - Remote System)
• Specifying Certificate and Private Key (X.509 PEM - Copy and Paste)
Specifying Certificate and Private Key (X.509 PEM - Local Hard Disk)
With the X.509 PEM and Local Hard Disk options selected, you can either import a certificate chain or a single CA certificate. See the appropriate topic for more information:
• Specifying Certificate and Private Key for Certificate Chain
• Specifying Certificates and Private Key
Specifying Certificate and Private Key for Certificate Chain
If you have selected to import a certificate chain in X.509 PEM format from the local hard disk, you need to specify the CA certificates, SSL (Server/Client) certificate, and private key.
You must specify all CA certificates in the chain from the root CA to the issuer of the SSL certificate.
GUI Element | Action/Description
CA Certificate Chain pane
CRL Verification list
    Select the CRL verification level:
    • Strict (default)
    • Optional
    • Best Effort
Chain tab
    From here, you can either add a certificate to or remove a certificate from the chain.
    To add a certificate:
    1. Click Add... to launch the Add CA Certificate dialog box.
    2. In the CA Trustpoint Name field, enter the Trustpoint name for the certificate you want to add.
    3. In the CA Certificate File list, click Browse... and navigate to the appropriate certificate file.
    The details for this certificate are listed in the Certificate Details pane.
    4. Click OK.
    To remove a certificate, select the appropriate certificate and then click Remove.
CA Trustpoints tab
    From here, you can view information about the CA Trustpoints configured on the WebVPNSM.
    You can specify the name of each Trustpoint and edit it later.
    • CA Level column—Indicates the level of the CA in the certificate chain.
    • CA Name column—Name of the certification authority.
    • Trustpoint Name column—Name of the Trustpoint associated with the certificate.
    • With a CA Trustpoint selected, click Edit to modify the name of that Trustpoint.
SSL Certificate and Private Key pane
SSL Certificate File list
    Click Browse... and navigate to the SSL certificate file.
Private Key File list
    Click Browse... and navigate to the private key file.
Private Key Passphrase field
    Enter the passphrase used to decrypt the private key.
Allow Private Key Export check box
    Select to allow the export of the private key.
Specifying Certificates and Private Key
From this wizard page, you can specify the location of the CA certificate, SSL certificate, and private key you want to import.
Enter the information specified in the following table.
GUI Element | Action/Description
CA Name list
    Do one of the following:
    • If you are specifying a CA certificate that is available on the WebVPNSM, select the corresponding CA name from the list.
    • If you are specifying a CA certificate that is not already available on the WebVPNSM, select the default value <New>.
CA Certificate File list
    Click Browse... and navigate to the appropriate CA certificate file.
Private Key File list
    Click Browse... and navigate to the appropriate private key file.
Private Key Passphrase field
    Enter the passphrase used to decrypt the private key.
Allow Private Key Export check box
    Select to allow the export of the private key.
SSL Certificate File list
    Click Browse... and navigate to the appropriate SSL certificate file.
Note
A passphrase protects a PEM file that contains a private key. The PEM file is encrypted by DES or 3DES. The encryption key is derived from the passphrase. A PEM file containing a certificate is not encrypted and is not protected by the passphrase.
Specifying Certificates and Private Key (X.509 PEM - Remote System)
From this dialog box, you can specify the location of the CA certificate, SSL certificate, and private key you want to import.
Enter the information specified in the following table.
GUI Element | Action/Description
Protocol list
    Select one of the following file transfer protocols:
    • FTP
    • RCP
    • SCP (default value)
    • TFTP
IP Address field
    Enter the IP address of the remote system.
Username field
    Enter the username for the remote system.
Password field
    Enter the password to be used for the remote system.
CA Certificate File field
    Enter the CA certificate filename, using the absolute path.
    Example: /Certs/cert.pem
Private Key File field
    Enter the private key filename, using the absolute path.
    Example: /Certs/cert.pem
Private Key Passphrase field
    Enter the passphrase used to decrypt the private key.
Allow Private Key Export check box
    Select to allow the export of the private key.
SSL Certificate File field
    Enter the SSL certificate filename, using the absolute path.
    Example: /user/local/Certs/cert.pem
Note
A passphrase protects a PEM file that contains a private key. The PEM file is encrypted by DES or 3DES. The encryption key is derived from the passphrase. A PEM file containing a certificate is not encrypted and is not protected by the passphrase.
Specifying Certificate and Private Key (X.509 PEM - Copy and Paste)
With the X.509 PEM and Copy and Paste options selected, you can either import a certificate chain or a single CA certificate. See the appropriate topic for more information:
• Specifying CA Certificates for Certificate Chain
• Specifying a CA Certificate
• Specifying a Private Key
• Specifying an SSL Certificate
Specifying CA Certificates for Certificate Chain
If you have selected to import a certificate chain in X.509 PEM format using the copy-and-paste method, you need to specify the CA certificates from the root CA to the issuer of the SSL certificate.
Step 1
Enter the information specified in the following table.
GUI Element | Action/Description
CA Certificate Chain pane
CRL Verification list
    Select the CRL verification level:
    • Strict (default)
    • Optional
    • Best Effort
Chain tab
    From here, you can either add a certificate to or remove a certificate from the chain.
    To add a certificate:
    1. Click Add... to launch the Add CA Certificate dialog box.
    2. In the CA Trustpoint Name field, enter the Trustpoint name for the certificate you want to add.
    3. In the CA Certificate File list, click Browse... and navigate to the appropriate certificate file.
    The details for this certificate are listed in the Certificate Details pane.
    4. Click OK.
    To remove a certificate, select the appropriate certificate and then click Remove.
CA Trustpoints tab
    From here, you can view information about the CA Trustpoints configured on the WebVPNSM.
    You can specify the name of each Trustpoint and edit it later.
    • CA Level column—Indicates the level of the CA in the certificate chain.
    • CA Name column—Name of the certification authority.
    • Trustpoint Name column—Name of the Trustpoint associated with the certificate.
    • With a CA Trustpoint selected, click Edit to modify the name of that Trustpoint.
Step 2
Click Next to continue.
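Before pasting a chain into the Chain tab, it pays to verify that the certificates actually link from a self-signed root down to the issuer of the SSL certificate, because the wizard takes the order you give it. The Python below is an added example, not code from this guide or from CVDM-WebVPNSM: it pulls the issuer and subject out of each X.509 certificate with a minimal DER reader, orders the CA certificates root first, and confirms that the last one issued the SSL certificate. The three certificates it runs on are constructed stand-ins built by `fake_cert` (correct TBSCertificate layout, dummy key and signature) so that the script runs offline; on real input, replace `PASTED_CHAIN` and `LEAF_PEM` with the files you intend to import.

```python
"""Order CA certificates root -> issuer-of-leaf, the order the chain import expects,
and confirm that the chain really ends at the issuer of the SSL certificate."""
import base64
import re

def der_tlv(buf, pos=0):
    """Read one DER tag/length/value at pos; returns (tag, value, next_pos).
    Handles short-form and long-form (0x81, 0x82, ...) lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """All top-level (tag, value) elements inside a constructed DER value."""
    items, pos = [], 0
    while pos < len(value):
        tag, inner, pos = der_tlv(value, pos)
        items.append((tag, inner))
    return items

def cert_names(cert_der):
    """Return (issuer, subject) as raw DER Name contents. TBSCertificate is
    [0] version OPTIONAL, serialNumber, signature, issuer, validity, subject, spki, ..."""
    _, cert, _ = der_tlv(cert_der)
    fields = der_children(der_children(cert)[0][1])
    if fields[0][0] == 0xA0:  # explicit [0] version present (v2/v3 certificates)
        fields = fields[1:]
    return fields[2][1], fields[4][1]

def order_chain(ca_certs):
    """Arrange CA certificates (DER, any order) root first, ending with the CA that
    issued the SSL certificate. Raises ValueError on a missing root, a gap or a branch."""
    by_subject = {}
    for cert in ca_certs:
        issuer, subject = cert_names(cert)
        by_subject[subject] = (issuer, cert)
    roots = [s for s, (issuer, _) in by_subject.items() if issuer == s]
    if len(roots) != 1:
        raise ValueError(f"expected one self-signed root, found {len(roots)}")
    chain, current = [], roots[0]
    while True:
        chain.append(by_subject[current][1])
        children = [s for s, (issuer, _) in by_subject.items() if issuer == current and s != current]
        if not children:
            break
        if len(children) > 1:
            raise ValueError("chain branches below one CA")
        current = children[0]
    if len(chain) != len(ca_certs):
        raise ValueError("some CA certificates do not link to the root")
    return chain

def from_pem(text):
    """DER bytes of every CERTIFICATE block in PEM text (b64decode drops the line breaks)."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode(b) for b in blocks]

def to_pem(cert_der):
    b64 = base64.b64encode(cert_der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"

def ordered_chain_pem(pasted_chain_pem, leaf_pem):
    """Re-order a pasted CA chain root first, or raise if it does not end at the issuer
    of the SSL certificate."""
    chain = order_chain(from_pem(pasted_chain_pem))
    leaf_issuer = cert_names(from_pem(leaf_pem)[0])[0]
    if leaf_issuer != cert_names(chain[-1])[1]:
        raise ValueError("last CA in the chain did not issue the SSL certificate")
    return "".join(to_pem(c) for c in chain)

# Constructed sample input (assumption: only the layout is real; key and signature are dummies).
def der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    if len(body) < 0x100:
        return bytes([tag, 0x81, len(body)]) + body
    return bytes([tag, 0x82]) + len(body).to_bytes(2, "big") + body

def name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here one commonName (OID 2.5.4.3)."""
    atv = der(0x30, der(0x06, b"\x55\x04\x03") + der(0x13, cn.encode()))
    return der(0x30, der(0x31, atv))

def fake_cert(subject, issuer):
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"340101000000Z"))
    spki = der(0x30, alg + der(0x03, b"\x00"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + name(issuer) + validity + name(subject) + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00"))

ROOT = fake_cert("Example Root CA", "Example Root CA")
ISSUING = fake_cert("Example Issuing CA", "Example Root CA")
LEAF_PEM = to_pem(fake_cert("webvpn.example.com", "Example Issuing CA"))
PASTED_CHAIN = to_pem(ISSUING) + to_pem(ROOT)  # issuer first: the wrong way round

if __name__ == "__main__":
    print(ordered_chain_pem(PASTED_CHAIN, LEAF_PEM))
```

The script checks only that the names link; it does not verify signatures, validity periods or CRLs, so on real certificates still run a full verification (for example with `openssl verify` against the ordered chain) before trusting the result, and let the wizard's CRL Verification setting stay at Strict unless a documented reason says otherwise.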
Specifying a CA Certificate
This page of the wizard allows you to copy and paste the CA certificate in PEM format. You can also select the CA certificate from the CA Name list. When you select a CA, the certificate details are displayed.
Click Next to continue.
Specifying a Private Key
Copy and paste the RSA private key in PEM format and enter the passphrase used to protect the key. You can also enable the export of this private key by selecting the Allow Private Key Export check box.
Click Next to continue.
Specifying an SSL Certificate
Copy and paste the SSL Certificate in PEM format.
Click Next to continue.
Certificate Import Wizard Summary
The summary page of the wizard shows you the information that you entered.
Click Finish to send the commands to the device. The Deliver Configuration to Switch/Module(s) dialog box appears if you have configured CVDM-WebVPNSM to display the accumulated CLI commands after you have completed a wizard (for information on configuring this option, see Editing Preferences).
Note
For more information on the Deliver Configuration to Switch/Module(s) dialog box, see Delivering CLI Commands to the Device.
Viewing Certificate Import Status
The Certificate Import Status dialog box provides the status of certificate import tasks and indicates whether the import was successful. If a task fails, you can use the information provided for that task in order to troubleshoot the problem.
To proceed, click OK.
Using the Certificate Export Wizard
This wizard allows you to export certificates and private keys from the WebVPNSM in either Public-Key Cryptography Standards #12 (PKCS#12) format or Privacy Enhanced Mail (PEM) format. You can export certificates and private keys to an external system (local hard disk or remote server) or to another WebVPNSM. When exporting in PEM format, you can optionally export the CA certificates in the certificate chain as well.
Whichever format you choose, the export contains private keys, so treat the destination and the transport accordingly. Of the remote-server protocols the wizard offers, only SCP encrypts the transfer; FTP, RCP and TFTP send the files (and, for FTP, the server password) in cleartext, and the passphrase you set for the PEM or PKCS#12 file is the only protection the key has once it is on the remote system.
The Certificate Export wizard consists of the following tasks:
•
Selecting Certificates and Format (PEM, PKCS#12)
•
Specifying the Destination
•
Specifying Destination Details
Step 1
Click Setup at the top of the window and click Wizards in the left-most pane. The main CVDM-WebVPNSM wizard page appears.
Step 2
Select the Export Certificates and Private Keys from WebVPNSM radio button.
Step 3
Click Launch the Selected Task. The main page of the Certificate Export Wizard appears.
Selecting Certificates and Format (PEM, PKCS#12)
This page of the wizard helps you to specify the certificates to be exported and the format in which you want them to be exported. The certificates are listed in the Certificates table, which displays the following fields.
Field
|
Description
|
SSL Certificate Subject
|
The subject of the SSL certificate.
|
Certificate Trustpoint
|
The Trustpoint name of the certificate.
|
Step 1
Select Export CA Certificate in the Chain to export the CA Certificates in the certificate chain of the selected certificates.
You can add and remove certificates from the list:
•
Click Add to add certificates to the export list. A popup window appears with the list of Trustpoints. Select the Trustpoint from the list, then click OK.
•
Select a certificate and click Remove to remove a certificate from the export list.
Step 2
Select the Format in which you want to export the certificate. You can export the certificates in either the X.509 PEM format or PKCS#12 format.
Step 3
If you have selected the X.509 PEM format:
a.
Specify the following information.
GUI Element
|
Action
|
Encryption list
|
Select the cipher used to encrypt the exported private key. There are two available options:
• DES (56-bit key; use only if the receiving system cannot read 3DES)
• 3DES (default value)
|
Passphrase field
|
Enter the passphrase.
|
Confirm Passphrase field
|
Re-enter the passphrase to confirm it.
|
b.
Select the Export CA Certificates in certificate chains check box to enable the export of the CA certificates in certificate chains.
c.
Specify where to export the certificate and private key. See Specifying the Destination (X.509 PEM).
If you have selected the PKCS#12 format:
a.
Specify the following information:
Field
|
Action
|
Passphrase
|
Enter the passphrase.
|
Confirm Passphrase
|
Re-enter the passphrase to confirm.
|
b.
Specify where to export the certificate and private key. See Specifying the Destination (PKCS#12).
Specifying the Destination
After you have selected which certificate to export, you then specify where it will be exported to.
This section contains the following topics:
•
Specifying the Destination (X.509 PEM)
•
Specifying the Destination (PKCS#12)
Specifying the Destination (X.509 PEM)
You can select any of the following destinations for the X.509 PEM format:
•
Local Hard Disk—Exports the certificate and private key to this client machine. See Specifying the Destination Details (Local Hard Disk) for more information.
•
Copy and Paste—Exports the certificates and private key using the copy-and-paste method. See Specify Destination Details (Copy and Paste) for more information.
•
Remote System—Exports the certificates and private keys to a remote server using TFTP, FTP, SCP, or RCP. See Specify Destination Details (Remote System) for more information.
•
Redundant WebVPNSM—Exports the certificates and private keys to a redundant WebVPN services module. See Specify Destination Details (Redundant WebVPNSM) for more information.
Note
The Copy and Paste and Remote System options will be disabled if you select more than one certificate.
Specifying the Destination (PKCS#12)
You can select either of the following destinations for the PKCS#12 format:
•
Remote System—Exports the certificates and private keys to a remote server using TFTP, FTP, SCP, or RCP. See Specify Destination Details (Remote System) for more information.
•
Redundant WebVPNSM—Exports the certificates and private keys to a redundant WebVPN services module. See Specify Destination Details (Redundant WebVPNSM) for more information.
Specifying Destination Details
After you have selected a destination for the certificate you want to export, you then enter more detailed information for that destination. See the appropriate section for more information:
•
Specifying Destination Details (X.509 PEM)
•
Specifying Destination Details (PKCS#12)
Specifying Destination Details (X.509 PEM)
With the X.509 PEM format selected, you have four options to choose from:
•
Specifying the Destination Details (Local Hard Disk)
•
Specify Destination Details (Copy and Paste)
•
Specify Destination Details (Remote System)
•
Specify Destination Details (Redundant WebVPNSM)
Specifying the Destination Details (Local Hard Disk)
Step 1
Enter the following information:
GUI Element
|
Action/Description
|
Directory list
|
Click and navigate to the directory on this client machine where the exported files are to be written.
|
Trustpoint Name column
|
Name of a Trustpoint.
|
CA Certificate column
|
Filename for the CA certificate of the Trustpoint.
|
SSL Certificate column
|
Filename for the SSL certificate of the Trustpoint.
|
Private Key column
|
Private key filename associated with a Trustpoint.
|
Edit... button
|
Click to launch the Edit Filenames dialog box. From here, you can make changes to the CA certificate, SSL certificate, or private key associated with the selected Trustpoint.
|
CA Certificates in Certificate Chains pane
This pane is displayed if you selected the Export CA Certificates in Certificate Chains check box in Step 1 of this wizard.
|
Certification Authority (CA) Name column
|
Chain of certificate authority names.
|
CA Certificate File column
|
Chain of CA certificate filenames.
|
Edit... button
|
Click to launch the Edit Filenames dialog box. From here, you can modify the current CA name and CA certificate chain filenames.
|
Step 2
Click Next.
Specify Destination Details (Copy and Paste)
This page is enabled only when exporting a single Trustpoint. Once the export completes, the exported certificates and private key are displayed as PEM text that you can copy and save to a file. Because the key (in its passphrase-encrypted PEM form) passes through the screen and the clipboard, clear the clipboard afterwards and store the saved file with the same care as the key itself.
Specify Destination Details (Remote System)
Specify the details of the remote system where you want the certificates and private keys to be exported. Note that this page is enabled only when exporting a single Trustpoint.
Step 1
Enter the following information:
GUI Element
|
Action/Description
|
Remote File Server pane
|
Protocol list
|
Select one of the following file transfer protocols:
• FTP
• RCP
• SCP (default value)
• TFTP
|
Server IP Address field
|
Enter the IP address of the remote system.
|
Username field
|
Enter the username for the remote system.
|
Password field
|
Enter the password to be used for the remote system.
|
Files pane
|
Directory field
|
Enter the location of the files listed in the following table.
|
Trustpoint Name column
|
Name of a Trustpoint.
|
CA Certificate column
|
Name of the CA certificate file associated with a Trustpoint.
|
SSL Certificate column
|
Name of the SSL certificate file associated with a Trustpoint.
|
Private Key column
|
Name of the private key file associated with a Trustpoint.
|
Edit... button
|
Click to launch the Edit Filenames dialog box. From here, you can make changes to the CA certificate, SSL certificate, or private key associated with the selected Trustpoint.
|
Step 2
Click Next.
Specify Destination Details (Redundant WebVPNSM)
You can export certificates to a redundant WebVPNSM. The wizard proposes a Trustpoint name on the redundant WebVPNSM for each exported certificate; you can edit the names if required.
Note
Do not specify a Trustpoint name that already exists in the redundant WebVPNSM. If the Trustpoint name is already present, the export will fail.
Step 1
Enter the following information:
GUI Element
|
Action/Description
|
Redundant WebVPNSM pane
|
IP Address field
|
Enter the IP address of the redundant WebVPNSM.
|
Username field
|
Enter the appropriate username.
|
Password field
|
Enter the appropriate password.
|
Enable Username field
|
Enter the appropriate enable username.
|
Enable Password field
|
Enter the appropriate enable password.
|
Trustpoints pane
|
SSL Certificate Subject column
|
Lists SSL certificates configured on the WebVPNSM.
|
Redundant WebVPNSM Trustpoint column
|
Trustpoint name under which the certificate will be created on the redundant WebVPNSM.
|
Edit... button
|
Click to launch the Edit Trustpoint Name dialog box. From here, you can make changes to the name of the selected Trustpoint.
|
CA Certificates in Certificate Chains pane
This pane is displayed if you selected the Export CA Certificates in Certificate Chains check box in Step 1 of this wizard.
|
Certification Authority (CA) Name column
|
Lists CA name chains configured on the WebVPNSM.
|
Redundant WebVPNSM CA Trustpoint column
|
Trustpoint name under which the CA certificate will be created on the redundant WebVPNSM.
|
CRL Verification list
|
Select the CRL verification level:
• Strict (default)
• Optional
• Best Effort
|
Step 2
Click Next.
Specifying Destination Details (PKCS#12)
With the PKCS#12 format selected, you have two options to choose from:
•
Specify Destination Details (Remote System)
•
Specify Destination Details (Redundant WebVPNSM)
Specify Destination Details (Remote System)
Specify the details of the remote system where you want the certificates and private keys to be exported.
Step 1
Enter the following information:
GUI Element
|
Action/Description
|
Remote File Server pane
|
Protocol list
|
Select one of the following file transfer protocols:
• FTP
• RCP
• SCP (default value)
• TFTP
|
Server IP Address field
|
Enter the IP address of the remote system.
|
Username field
|
Enter the username for the remote system.
|
Password field
|
Enter the password to be used for the remote system.
|
Files pane
|
Directory field
|
Enter the location of the files listed in the following table.
|
SSL Certificate Subject column
|
Lists the SSL certificate subjects configured on the WebVPNSM.
|
PKCS#12 File column
|
Filename of the PKCS#12 file to be written for the SSL certificate and its private key.
|
Edit... button
|
Click to launch the Edit Filenames dialog box. From here, you can make changes to the PKCS#12 file associated with the selected SSL certificate subject.
|
Step 2
Click Next.
Specify Destination Details (Redundant WebVPNSM)
You can export certificates to a redundant WebVPNSM. The wizard proposes a Trustpoint name on the redundant WebVPNSM for each exported certificate; you can edit the names if required.
In this step, you need to specify a staging area. The certificates are exported to the staging area and then imported to the redundant WebVPNSM from there.
Note
Do not specify a Trustpoint name that already exists in the redundant WebVPNSM. If the Trustpoint name is already present, the export will fail.
Step 1
Enter the following information:
Field
|
Description
|
Redundant WebVPNSM
|
IP Address field
|
Enter the IP address of the redundant WebVPNSM.
|
Username field
|
Enter the appropriate username.
|
Password field
|
Enter the appropriate password.
|
Enable Username field
|
Enter the appropriate enable username.
|
Enable Password field
|
Enter the appropriate enable password.
|
Remote File Server pane
|
Protocol list
|
Select one of the following file transfer protocols:
• FTP
• RCP
• SCP (default value)
• TFTP
|
Server IP Address field
|
Enter the IP address of the remote system.
|
Username field
|
Enter the username for the remote system.
|
Password field
|
Enter the password to be used for the remote system.
|
Files and Trustpoints pane
|
Directory field
|
Enter the location of the files listed in the following table.
|
SSL Certificate Subject column
|
Lists the SSL certificate subjects configured on the WebVPNSM.
|
PKCS#12 File column
|
Filename of the PKCS#12 file to be written to the staging area for the SSL certificate and its private key.
|
Redundant WebVPNSM Trustpoint column
|
Trustpoint name under which the certificate will be created on the redundant WebVPNSM.
|
Edit... button
|
Click to launch the Edit File and Trustpoint Name dialog box. From here, you can make changes to the PKCS#12 file and redundant WebVPNSM Trustpoint associated with the selected SSL certificate subject.
|
Step 2
Click Next.
Certificate Export Wizard Summary
The summary page of the wizard shows you the information that you entered.
Click Finish to send the commands to the device. The Deliver Configuration to Switch/Module(s) dialog box appears if you have configured CVDM-WebVPNSM to display the accumulated CLI commands after you have completed a wizard (for information on configuring this option, see Editing Preferences).
Note
For more information on the Deliver Configuration to Switch/Module(s) dialog box, see Delivering CLI Commands to the Device.
Viewing Certificate Export Status
The Certificate Export Status dialog box provides the status of certificate export tasks and indicates whether the export was successful. If a task fails, you can use the information provided for that task in order to troubleshoot the problem.
To proceed, click OK.