Setting Up CNS Agent Devices for Secure Communication
You must set up Cisco Networking Services (CNS) agent devices (routers) so that they can communicate securely with the Cisco Configuration Engine server. On the Cisco Configuration Engine server, you must enable Encryption and Authentication settings (see Encryption Settings, page 2-5, and Authentication Settings, page 2-6). This chapter provides the configuration tasks that you must perform to enable secure communication between the CNS agent devices and the Cisco Configuration Engine server.
This chapter contains the following sections:
• Understanding CNS Configuration Engine Security
• Identification
• Authentication
• Encryption
Understanding CNS Configuration Engine Security
Security in communication between the Cisco Configuration Engine server and the enabled CNS agent devices (routers) involves three basic functions:
• Identification—Unique CNS agent ID. At a minimum, the CNS agent IDs are required for a device to communicate with the Cisco Configuration Engine server.
• Authentication—Unique CNS password. The Authentication feature consists of a CNS password that the CNS agents present to the Cisco Configuration Engine server as part of any communication handshake.
• Encryption—Secure Sockets Layer (SSL) protocol. The Encryption feature consists of the industry standard Secure Sockets Layer (SSL) protocol, which protects communications between the CNS agent devices and the Cisco Configuration Engine server.
While device identification is mandatory, authentication and encryption are optional features. Of the two optional features, you can enable either or both of them at any time. Encryption does not require authentication, and authentication does not require encryption.
Each security feature is configured and handled separately by both the Cisco Configuration Engine server and the CNS agent devices.
The following sections provide more information:
• Identification
• Authentication
• Encryption
Identification
This is a mandatory setting. Each CNS agent device (router) must have a unique ID assigned to it before it can start communication with the Cisco Configuration Engine server. You can configure several CNS agents on a single router. Each agent must have a unique ID assigned to it.
To configure CNS agent IDs on a CNS agent device, enter the following command, beginning in global configuration mode:
cns id string <unique string>
cns id string <unique string for event agent> event
cns id string <unique string for image agent> image
Example
Router(config)# cns id string my-asset-tag1
Router(config)# cns id string my-asset-tag1 event
Router(config)# cns id string my-asset-tag1 image
On the Cisco Configuration Engine server, when setting up a new device object through the user interface, the administrator must specify these CNS agent IDs. The Cisco Configuration Engine server will not accept any agent connection unless the CNS agent device and the IDs are already configured on the server.
Authentication
The Authentication feature consists of a CNS password that the CNS agent device presents to the Cisco Configuration Engine server as part of any communication handshake.
To configure the CNS password on the CNS agent device, enter the following command, beginning in global configuration mode:
Example
Router(config)# cns password fgfg123
Note
The cns password command has been intentionally hidden for additional security. You can use the cns password command to set or reset the initial password, but you cannot view the password value after it has been set.
During setup of the Cisco Configuration Engine server, the administrator must assign this CNS password as a global one-time-use password. Then, before the CNS agent device attempts to connect to the Cisco Configuration Engine server, the administrator must enter this one-time-use password in the CNS agent device configuration.
In the Cisco Configuration Engine server Setup program, authentication is enabled when you answer y at the "Enable authentication" prompt (see Authentication Settings, page 2-6). This configures the Cisco Configuration Engine server to expect the password from the CNS agent device. After authentication is enabled, the administrator must use the Cisco Configuration Engine user interface to reconfigure the actual password. For procedure, see the "Security Manager" section in the Cisco Configuration Engine Administration Guide.
Encryption
Cisco Configuration Engine uses Secure Sockets Layer (SSL) as the encryption mechanism for HTTP sessions between the CNS agent devices and the Cisco Configuration Engine server. You enable encryption on the Cisco Configuration Engine server in the Setup program (see Encryption Settings, page 2-5). To enable encryption on CNS agent devices, follow these steps:
Step 1
Set the Cisco IOS trust point on the CNS agent device.
Example
Router(config)# crypto ca trustpoint cisco.com
Router(ca-trustpoint)# enrollment mode ra
Router(ca-trustpoint)# enrollment url http://gilligan:80/
Router(ca-trustpoint)# usage ssl-client
Router(ca-trustpoint)# revocation-check none
Router(ca-trustpoint)# exit
Router(config)# crypto ca authenticate cisco.com
Certificate has the following attributes:
Fingerprint: 1D74D54A 464207FD 81831A4D 67B5619B
% Do you accept this certificate? [yes/no]: yes
Trust point CA certificate accepted.
Step 2
Enable encryption on the CNS agent devices. Do any or all of the following as needed:
•
To enable encryption on the CNS event agent, enter the following command, beginning in global configuration mode:
cns event configserver.cisco.com encrypt 11012 keepalive 60 3
Example
Router(config)# cns event configserver.cisco.com encrypt 11012 keepalive 60 3
•
To enable encryption on the CNS configuration agent for partial configuration, enter the following command, beginning in global configuration mode:
cns config partial configserver.cisco.com encrypt 443
Example
Router(config)# cns config partial configserver.cisco.com encrypt 443
•
To enable the encryption on the CNS configuration agent for initial configuration, enter the following command, beginning in global configuration mode:
cns config initial configserver.cisco.com encrypt 443 event syntax-check no-persist inventory
Example
Router(config)# cns config initial configserver.cisco.com encrypt 443 event syntax-check no-persist inventory
•
To enable encryption on the CNS exec agent, enter the following command, beginning in global configuration mode:
cns exec encrypt 443
Example
Router(config)# cns exec encrypt 443
•
To enable encryption on the CNS configuration agent for config retrieve, enter the following command, beginning in EXEC mode:
cns config retrieve configserver.cisco.com encrypt 443 event syntax-check no-persist
Example
Router# cns config retrieve configserver.cisco.com encrypt 443 event syntax-check no-persist
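As an added illustration that is not part of the Cisco guide, the following Python script audits the text of an IOS running-config for the three security functions described under "Understanding CNS Configuration Engine Security" and for the encryption steps above. It reports a missing cns id (identification), a missing cns password (authentication), any CNS agent configured without the encrypt keyword, an encrypt setting with no trustpoint marked usage ssl-client, and it flags revocation-check none, which means a revoked server certificate is not detected. The sample configuration is constructed for this example; the trustpoint name cisco.com is assumed from the crypto ca authenticate line in Step 1, and the cns config retrieve command is omitted because it is an EXEC command and does not appear in a running-config.

```python
"""Audit an IOS running-config for CNS identification, authentication and encryption."""
import re
from dataclasses import dataclass, field

# Constructed sample running-config (not captured from a real device).
# It mirrors the commands shown in this chapter; the trustpoint name
# 'cisco.com' is an assumption taken from 'crypto ca authenticate cisco.com'.
SAMPLE_CONFIG = """\
hostname Router
crypto ca trustpoint cisco.com
 enrollment mode ra
 enrollment url http://gilligan:80/
 usage ssl-client
 revocation-check none
cns id string my-asset-tag1
cns id string my-asset-tag1 event
cns id string my-asset-tag1 image
cns password fgfg123
cns event configserver.cisco.com encrypt 11012 keepalive 60 3
cns config partial configserver.cisco.com encrypt 443
cns exec encrypt 443
"""


@dataclass
class CnsAudit:
    ids: dict = field(default_factory=dict)          # agent ('default'/'event'/'image') -> ID string
    password_set: bool = False                        # 'cns password' present (value is never inspected)
    agents: dict = field(default_factory=dict)        # agent command -> True if 'encrypt' was given
    trustpoints: dict = field(default_factory=dict)   # trustpoint name -> list of subcommands


def parse_config(text: str) -> CnsAudit:
    """Walk the config line by line, tracking ca-trustpoint sub-mode by indentation."""
    audit = CnsAudit()
    current_tp = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indented = raw.startswith(" ")
        line = raw.strip()
        if not indented:
            current_tp = None               # any top-level command leaves trustpoint sub-mode
        m = re.match(r"crypto (?:ca|pki) trustpoint (\S+)$", line)
        if m:
            current_tp = m.group(1)
            audit.trustpoints[current_tp] = []
            continue
        if indented and current_tp is not None:
            audit.trustpoints[current_tp].append(line)
            continue
        m = re.match(r"cns id string (\S+)(?: (event|image))?$", line)
        if m:
            audit.ids[m.group(2) or "default"] = m.group(1)
            continue
        if line.startswith("cns password "):
            audit.password_set = True
            continue
        m = re.match(r"cns (event|exec|config (?:partial|initial)) (.*)$", line)
        if m:
            audit.agents[m.group(1)] = "encrypt" in m.group(2).split()
    return audit


def evaluate(audit: CnsAudit) -> list:
    """Return (severity, message) findings; an empty list means all three functions are on."""
    findings = []
    if not audit.ids:
        findings.append(("HIGH", "identification: no 'cns id' configured; the server rejects unidentified agents"))
    if not audit.password_set:
        findings.append(("MEDIUM", "authentication: no 'cns password' configured"))
    for agent, encrypted in sorted(audit.agents.items()):
        if not encrypted:
            findings.append(("MEDIUM", f"encryption: 'cns {agent}' is configured without 'encrypt'"))
    ssl_tps = [n for n, subs in audit.trustpoints.items() if "usage ssl-client" in subs]
    if any(audit.agents.values()) and not ssl_tps:
        findings.append(("HIGH", "encryption: 'encrypt' is set but no trustpoint has 'usage ssl-client'"))
    for name, subs in audit.trustpoints.items():
        if "revocation-check none" in subs:
            findings.append(("INFO", f"trustpoint {name}: 'revocation-check none' means a revoked server certificate is still accepted"))
    return findings


def audit_config(text: str) -> list:
    return evaluate(parse_config(text))


if __name__ == "__main__":
    for severity, message in audit_config(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run it against `show running-config` output saved to a file; the sample above yields only the INFO finding about revocation checking, while removing the cns password line or the encrypt keyword from an agent command produces the corresponding MEDIUM findings.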