Note: To support onePK devices, all connections to Cisco XNC that use onePK or OpenFlow agents require Transport Layer Security (TLS).
Enabling the TLS connections between Cisco XNC and the OpenFlow or onePK switches requires TLS KeyStore and TrustStore files. The TLS KeyStore and TLS TrustStore files are password protected.
Cisco Nexus 3000, 3100, and 3500 Series switches require additional credentials, including Private Key, Certificate, and Certificate Authority (CA).
The TLS KeyStore file contains the private key and certificate information used by Cisco XNC.
The TLS TrustStore file contains the Certification Authority (CA) certificates used to sign the certificates on the connecting switches.
If TLS connections are required in your Cisco XNC implementation, all of the connections in the network must be TLS encrypted, and you must run Cisco XNC with TLS enabled (see Starting the Application with TLS Enabled). After Cisco XNC is started with TLS, you must run the TLS KeyStore password configuration command (see Providing the TLS KeyStore and TrustStore Passwords) to provide the passwords for Cisco XNC to unlock the KeyStore files.
OpenFlow and Cisco onePK switches require cryptographic configuration to enable TLS.
Caution: Self-signed certificates are appropriate only for testing in small deployments. For additional security, as well as more granular controls over individual certificate use and revocation, you should use certificates generated by your organization's Certificate Authority. In addition, you should never use the keys and certificates generated by this procedure in a production environment.
Ensure that OpenSSL is installed on the Linux host where these steps will be performed.
Create the TLS certificate file.
Complete the steps in Preparing to Generate the TLS Credentials.
Generate and import the certificate files on your Cisco Nexus 3000, 3100, or 3500 Series switches.
Create the TLS certificate.
Enable TLS for Cisco onePK and OpenFlow switches.
| Step | Command or Action | Purpose |
|---|---|---|
| Step 1 | switch(config)# onep | Enters onePK configuration mode on the switch. |
| Step 2 | switch(config-onep)# transport type tls | Enables TLS for onePK switches. |
| Step 3 | switch# exit | Exits onePK configuration mode. |
| Step 4 | switch# show onep status | (Optional) Displays the onePK configuration. |
| Step 5 | switch(config)# openflow | Enters OpenFlow agent configuration mode on the switch. |
| Step 6 | switch(config-ofa)# switch 1 | Enters OpenFlow agent configuration mode for switch 1. |
| Step 7 | switch(config-ofa)# tls trust-point local myCA remote myCA | Enables TLS certificate authority on the switch. |
| Step 8 | switch(config-ofa-switch)# pipeline {201/203} | Configures the pipeline. |
| Step 9 | switch(config-ofa-switch)# controller ipv4 {A.B.C.D} port 6653 vrf management security tls | Enables TLS for OpenFlow switches. A.B.C.D is the IP address of the controller. |
Create the TLS KeyStore file.
Note: The TLS KeyStore file should be placed in the configuration directory of Cisco XNC.
Complete the steps in Configuring the Cryptographic Keys on the Switch.
| Step | Command or Action | Purpose |
|---|---|---|
| Step 1 | Copy cert.key to xnc-privatekey.pem. | Copies the cert.key file that was generated in the "Creating the TLS Private Key, Certificate, and Certificate Authority" section. This file contains the Cisco XNC private key. |
| Step 2 | Copy cert.pem to xnc-cert.pem. | Makes a copy of the cert.pem file that was generated in the "Creating the TLS Private Key, Certificate, and Certificate Authority" section. This file contains the Cisco XNC certificate. |
| Step 3 | Create the xnc.pem file, which contains the private key and certificate, by entering the cat xnc-privatekey.pem xnc-cert.pem > xnc.pem command. | |
| Step 4 | Convert the PEM file xnc.pem to the file xnc.p12 by entering the openssl pkcs12 -export -out xnc.p12 -in xnc.pem command. | |
| Step 5 | Enter a password at the prompt. | The xnc.pem file is converted to a password-protected .p12 file. |
| Step 6 | Convert xnc.p12 to a Java KeyStore (tlsKeyStore) file by entering the keytool -importkeystore -srckeystore xnc.p12 -srcstoretype pkcs12 -destkeystore tlsKeyStore -deststoretype jks command. | Converts the xnc.p12 file to a password-protected tlsKeyStore file. |
| Step 7 | Enter a password at the prompt. | |
Note: The TLS TrustStore file should be placed in the application configuration directory.
| Step | Command or Action | Purpose |
|---|---|---|
| Step 1 | Copy the mypersonalca/certs/ca.pem file to sw-cacert.pem. | |
| Step 2 | Convert the sw-cacert.pem file to a Java TrustStore (tlsTrustStore) file by entering the keytool -import -alias swca1 -file sw-cacert.pem -keystore tlsTrustStore command. | |
| Step 3 | Enter a password at the prompt. | The sw-cacert.pem file is converted into a password-protected Java TrustStore (tlsTrustStore) file. |
| Step 4 | If the switches in your network use more than one CA certificate, repeat Step 1 through Step 3 for each CA certificate required. | |
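The KeyStore procedure and the TrustStore procedure above, as an added example that is not part of the Cisco documentation: a POSIX shell script that runs the same openssl and keytool steps non-interactively, taking the store passwords from the environment variables XNC_KS_PASS and XNC_TS_PASS (names assumed here) instead of the prompts, and checking that the combined xnc.pem really holds both a private key and a certificate before the PKCS#12 export.

```shell
#!/bin/sh
# Added example, not from the Cisco documentation: the KeyStore and TrustStore
# procedures run non-interactively. Store passwords come from the environment
# variables XNC_KS_PASS and XNC_TS_PASS (assumed names) instead of the prompts.
set -eu

# Step 3 of the KeyStore procedure concatenates key and certificate; confirm
# the bundle really holds both before exporting it to PKCS#12.
check_pem_bundle() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" || return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || return 1
    return 0
}

# KeyStore Steps 1 to 7: PEM key + cert -> PKCS#12 -> Java KeyStore (jks).
build_xnc_keystore() {
    key=$1; cert=$2; out=${3:-./configuration/tlsKeyStore}
    cp "$key" xnc-privatekey.pem
    cp "$cert" xnc-cert.pem
    cat xnc-privatekey.pem xnc-cert.pem > xnc.pem
    check_pem_bundle xnc.pem
    # -passout env:VAR reads the export password from the environment
    openssl pkcs12 -export -in xnc.pem -out xnc.p12 -passout env:XNC_KS_PASS
    keytool -importkeystore -srckeystore xnc.p12 -srcstoretype pkcs12 \
        -srcstorepass "$XNC_KS_PASS" -destkeystore "$out" \
        -deststoretype jks -deststorepass "$XNC_KS_PASS" -noprompt
}

# TrustStore Steps 1 to 4: import every CA certificate under its own alias
# (swca1, swca2, ...), as the documentation does when several CAs are used.
build_xnc_truststore() {
    out=$1; shift
    i=1
    for ca in "$@"; do
        keytool -import -alias "swca$i" -file "$ca" -keystore "$out" \
            -storepass "$XNC_TS_PASS" -noprompt
        i=$((i + 1))
    done
}

# Invoke as: XNC_KS_PASS=... XNC_TS_PASS=... sh <this script> run
if [ "${1:-}" = "run" ]; then
    build_xnc_keystore cert.key cert.pem
    build_xnc_truststore ./configuration/tlsTrustStore mypersonalca/certs/ca.pem
    # Verify both stores open with the passwords that XNC will later be given
    keytool -list -keystore ./configuration/tlsKeyStore -storepass "$XNC_KS_PASS"
    keytool -list -keystore ./configuration/tlsTrustStore -storepass "$XNC_TS_PASS"
fi
```

The script writes xnc-privatekey.pem, xnc-cert.pem, xnc.pem and xnc.p12 into the current directory, exactly as the manual steps do, so run it from the Cisco XNC installation directory.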
Generate and import certificate files on the switches.
Enable TLS on the OpenFlow or onePK switches.
Create and deploy TLS KeyStore and TLS TrustStore files for the Cisco XNC application.
Make sure that the TLS KeyStore (tlsKeyStore) and TLS TrustStore (tlsTrustStore) files are located in the ./configuration directory.
| Step | Command or Action | Purpose |
|---|---|---|
| Step 1 | From the console, start Cisco XNC by entering the ./runxnc.sh -tls -tlskeystore ./configuration/tlsKeyStore -tlstruststore ./configuration/tlsTrustStore command. | |
| Step 2 | Cisco XNC is started with TLS enabled. | |
The TLS KeyStore and TrustStore passwords are sent to the Cisco Extensible Network Controller (XNC) so that it can read the password-protected TLS KeyStore and TrustStore files.
| Step | Command or Action | Purpose |
|---|---|---|
| Step 1 | Open a command window where you installed Cisco XNC. | |
| Step 2 | Navigate to the xnc/bin directory. | |
| Step 3 | Provide the TLS KeyStore and TLS TrustStore passwords by entering the ./xnc config-keystore-passwords [--user {user} --password {password} --url {url} --verbose --prompt --keystore-password {keystore_password} --truststore-password {truststore_password}] command. | Enter the following information: |