Configuring Secure Client Communications
This section describes how to configure Cisco Data Center Network Manager for LAN (DCNM-LAN) for secure client-server communications.
Information About Secure Client Communications
Encrypted Client-Server Communications
By default, communication between the Cisco DCNM-LAN client and server is unencrypted; however, you can enable secure client-server communications, which uses Transport Layer Security (TLS), a protocol based on the Secure Sockets Layer (SSL) 3.0 protocol. In particular, communications between the Cisco DCNM-LAN client and the EJB port on the Cisco DCNM-LAN server are encrypted when you enable secure client communications.
Enabling secure client communications does not affect how users download, install, and log into the Cisco DCNM-LAN client.
Firewall Support for Client-Server Communications
Cisco DCNM-LAN supports client-server connections across gateway devices such as a firewall; however, you must configure any gateway devices to allow the connections that the client must open to the Cisco DCNM-LAN server. The ports on the Cisco DCNM-LAN server that gateway devices must permit traffic to reach are listed in Table 1-1.
By default, the secondary server bind port is assigned a random port number when the Cisco DCNM-LAN server starts. To support client-server communications across a gateway device, you must configure the Cisco DCNM-LAN server to use a specific port for the secondary server bind service.
Configuring Secure Client Communications
Enabling Encrypted Client-Server Communications
You can enable TLS to encrypt client-server communications.
If your Cisco DCNM-LAN deployment is a clustered-server deployment, you must perform this procedure on each server in the cluster.
DETAILED STEPS
Step 1 Stop the Cisco DCNM-LAN server. If you are enabling secure client communications on a server cluster, use the stop-dcnm-cluster script. For single-server deployments, do one of the following:
- Microsoft Windows—Choose Start > All Programs > Cisco DCNM Server > Stop DCNM Server.
- RHEL—Use the Stop_DCNM_Server script.
For more information about stopping Cisco DCNM-LAN, see the Cisco DCNM Fundamentals Guide, Release 5.x.
Step 2 In a text editor, open the jboss-service.xml file that is at the following location:
INSTALL_DIR\dcm\jboss-4.2.2.GA\server\dcnm\deploy\ejb3.deployer\META-INF\jboss-service.xml
where INSTALL_DIR is the Cisco DCNM installation directory. On Microsoft Windows, the default installation directory is C:\Program Files\Cisco Systems. On RHEL systems, the default installation directory is /usr/local/cisco.
Step 3 Find the following section in the file. Verify that the section you find matches the following lines exactly.
<!--mbean code="org.jboss.remoting.transport.Connector" name="jboss.remoting:type=Connector,transport=SslEjb3Connector,handler=ejb3">
<depends>jboss.aop:service=AspectDeployer</depends>
<attribute name="InvokerLocator">sslsocket://${jboss.bind.address}:${cisco.dcnm.remoting.sslejbport:3843}</attribute>
<attribute name="Configuration">
<handler subsystem="AOP">org.jboss.aspects.remoting.AOPRemotingInvocationHandler</handler>
The section is commented out using the standard XML comment markers, <!-- and -->.
Step 4 Uncomment the section as follows:
a. From the first line of the section, remove the following three characters from before mbean:
!--
The changed line should read as follows:
<mbean code="org.jboss.remoting.transport.Connector" name="jboss.remoting:type=Connector,transport=SslEjb3Connector,handler=ejb3">
b. From the last line of the section, remove the following two characters after mbean:
--
The changed line should read as follows:
</mbean>
Step 5 Save and close the jboss-service.xml file.
Step 6 In a text editor, open the jboss-service.xml file that is at the following location:
INSTALL_DIR\dcm\jboss-4.2.2.GA\server\dcnm\conf\jboss-service.xml
Note This is a different jboss-service.xml file than you opened in Step 2.
Step 7 Find the following section in the file.
cisco.dcnm.remoting.transport=socket
cisco.dcnm.remoting.port=3873
cisco.dcnm.remoting.ejbport=3873
cisco.dcnm.remoting.sslejbport=3843
cisco.dcnm.remoting.client.invokerDestructionDelay=0
The port numbers in the cisco.dcnm.remoting.port, cisco.dcnm.remoting.ejbport, and cisco.dcnm.remoting.sslejbport lines may vary from this example, depending on whether the default port numbers were changed during Cisco DCNM-LAN server installation.
Step 8 Change the cisco.dcnm.remoting.transport value to sslsocket. The changed line should read as follows:
cisco.dcnm.remoting.transport=sslsocket
Step 9 Change the cisco.dcnm.remoting.port value to match the value specified for cisco.dcnm.remoting.sslejbport. For example, if the Cisco DCNM-LAN server is configured to use the default SSL port, the cisco.dcnm.remoting.sslejbport value is 3843 and the changed line would read as follows:
cisco.dcnm.remoting.port=3843
Step 10 Change the cisco.dcnm.remoting.client.invokerDestructionDelay value to 30000. The changed line should read as follows:
cisco.dcnm.remoting.client.invokerDestructionDelay=30000
Step 11 Save and close the jboss-service.xml file.
Step 12 Do one of the following:
- If your Cisco DCNM-LAN deployment is a clustered-server deployment, repeat this procedure on each server in the cluster and then start the servers, beginning with the master server. Allow at least one minute between starting each server.
- If your deployment is a single-server deployment, start the Cisco DCNM-LAN server.
For more information about starting a single Cisco DCNM-LAN or a cluster of Cisco DCNM-LAN servers, see the Cisco DCNM Fundamentals Guide, Release 5.x.
Disabling Encrypted Client-Server Communications
You can disable secure client communications.
If your Cisco DCNM-LAN deployment is a clustered-server deployment, you must perform the following steps on each server in the cluster.
DETAILED STEPS
Step 1 Stop the Cisco DCNM-LAN server. If you are disabling secure client communications on a server cluster, use the stop-dcnm-cluster script. For single-server deployments, do one of the following:
- Microsoft Windows—Choose Start > All Programs > Cisco DCNM Server > Stop DCNM Server.
- RHEL—Use the Stop_DCNM_Server script.
For more information about stopping Cisco DCNM-LAN, see the Cisco DCNM Fundamentals Guide, Release 5.x.
Step 2 In a text editor, open the jboss-service.xml file that is at the following location:
INSTALL_DIR\dcm\jboss-4.2.2.GA\server\dcnm\deploy\ejb3.deployer\META-INF\jboss-service.xml
where INSTALL_DIR is the Cisco DCNM installation directory. On Microsoft Windows, the default installation directory is C:\Program Files\Cisco Systems. On RHEL systems, the default installation directory is /usr/local/cisco.
Step 3 Find the following section in the file. Verify that the section you find matches the following lines exactly.
<mbean code="org.jboss.remoting.transport.Connector" name="jboss.remoting:type=Connector,transport=SslEjb3Connector,handler=ejb3">
<depends>jboss.aop:service=AspectDeployer</depends>
<attribute name="InvokerLocator">sslsocket://${jboss.bind.address}:${cisco.dcnm.remoting.sslejbport:3843}</attribute>
<attribute name="Configuration">
<handler subsystem="AOP">org.jboss.aspects.remoting.AOPRemotingInvocationHandler</handler>
Because secure client communications are currently enabled, the section is not commented out.
Step 4 Use the standard XML comment markers to comment out the section, as follows:
a. To the first line of the section, add the following three characters before mbean:
!--
The changed line should read as follows:
<!--mbean code="org.jboss.remoting.transport.Connector" name="jboss.remoting:type=Connector,transport=SslEjb3Connector,handler=ejb3">
b. To the last line of the section, add the following two characters after mbean:
--
The changed line should read as follows:
</mbean-->
Step 5 Save and close the jboss-service.xml file.
Step 6 In a text editor, open the jboss-service.xml file that is at the following location:
INSTALL_DIR\dcm\jboss-4.2.2.GA\server\dcnm\conf\jboss-service.xml
Note This is a different jboss-service.xml file than you opened in Step 2.
Step 7 Find the following section in the file.
cisco.dcnm.remoting.transport=sslsocket
cisco.dcnm.remoting.port=3843
cisco.dcnm.remoting.ejbport=3873
cisco.dcnm.remoting.sslejbport=3843
cisco.dcnm.remoting.client.invokerDestructionDelay=30000
The port numbers in the cisco.dcnm.remoting.port, cisco.dcnm.remoting.ejbport, and cisco.dcnm.remoting.sslejbport lines may vary from this example, depending on whether the default port numbers were changed during Cisco DCNM-LAN server installation.
Step 8 Change the cisco.dcnm.remoting.transport value to socket. The changed line should read as follows:
cisco.dcnm.remoting.transport=socket
Step 9 Change the cisco.dcnm.remoting.port value to match the value specified for cisco.dcnm.remoting.ejbport. For example, if the Cisco DCNM-LAN server is configured to use the default EJB port, the cisco.dcnm.remoting.ejbport value is 3873 and the changed line would read as follows:
cisco.dcnm.remoting.port=3873
Step 10 Change the cisco.dcnm.remoting.client.invokerDestructionDelay value to 0. The changed line should read as follows:
cisco.dcnm.remoting.client.invokerDestructionDelay=0
Step 11 Save and close the jboss-service.xml file.
Step 12 Do one of the following:
- If your Cisco DCNM-LAN deployment is a clustered-server deployment, repeat this procedure on each server in the cluster and then start the servers, beginning with the master server. Allow at least one minute between starting each server.
- If your deployment is a single-server deployment, start the Cisco DCNM-LAN server.
For more information about starting a single Cisco DCNM-LAN or a cluster of Cisco DCNM-LAN servers, see the Cisco DCNM Fundamentals Guide, Release 5.x.
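The enabling and disabling procedures above each edit two files that have to agree: the SslEjb3Connector mbean in the deploy-directory jboss-service.xml and the cisco.dcnm.remoting.* properties in the conf-directory jboss-service.xml. The following added check (example code, not Cisco's) parses both and reports any mismatch, which is what a half-applied change looks like after a restart. The file contents embedded in it are constructed samples built from the lines shown in the procedures, trimmed to what the check inspects; the property names and mbean name are the ones the procedures use.

```python
"""Consistency check for the two DCNM-LAN jboss-service.xml edits.

Added example; this is not Cisco's code. It parses the five
cisco.dcnm.remoting.* property lines from conf/jboss-service.xml and the
SslEjb3Connector mbean from deploy/ejb3.deployer/META-INF/jboss-service.xml
and reports where the two files disagree. The file contents below are
constructed samples taken from the procedure.
"""
import re

# One property per line, e.g. cisco.dcnm.remoting.transport=sslsocket
PROPERTY_RE = re.compile(r"^\s*(cisco\.dcnm\.remoting\.[\w.]+)\s*=\s*(\S+)\s*$", re.M)

# Opening tag of the SslEjb3Connector mbean; group 1 captures the "!--" that
# is present only while the mbean is commented out.
SSL_MBEAN_RE = re.compile(
    r'<(!--)?mbean\s+code="org\.jboss\.remoting\.transport\.Connector"\s+'
    r'name="jboss\.remoting:type=Connector,transport=SslEjb3Connector,handler=ejb3"'
)

# Constructed sample: conf/jboss-service.xml properties before the change (Step 7).
CONF_DEFAULT = """\
cisco.dcnm.remoting.transport=socket
cisco.dcnm.remoting.port=3873
cisco.dcnm.remoting.ejbport=3873
cisco.dcnm.remoting.sslejbport=3843
cisco.dcnm.remoting.client.invokerDestructionDelay=0
"""

# Constructed sample: the same properties after Steps 8 to 10 of the enabling procedure.
CONF_ENABLED = """\
cisco.dcnm.remoting.transport=sslsocket
cisco.dcnm.remoting.port=3843
cisco.dcnm.remoting.ejbport=3873
cisco.dcnm.remoting.sslejbport=3843
cisco.dcnm.remoting.client.invokerDestructionDelay=30000
"""

# Constructed sample: the SslEjb3Connector mbean, commented out (as shipped) and
# uncommented (after Step 4). Only the lines the check inspects are included.
DEPLOY_DEFAULT = """\
<!--mbean code="org.jboss.remoting.transport.Connector" name="jboss.remoting:type=Connector,transport=SslEjb3Connector,handler=ejb3">
  <depends>jboss.aop:service=AspectDeployer</depends>
</mbean-->
"""
DEPLOY_ENABLED = DEPLOY_DEFAULT.replace("<!--mbean", "<mbean").replace("</mbean-->", "</mbean>")


def parse_properties(text):
    """Return the cisco.dcnm.remoting.* properties as a name -> value dict."""
    return dict(PROPERTY_RE.findall(text))


def ssl_connector_enabled(deploy_xml):
    """True if the SslEjb3Connector mbean is live, False if it is commented out."""
    match = SSL_MBEAN_RE.search(deploy_xml)
    if match is None:
        raise ValueError("SslEjb3Connector mbean not found in deploy jboss-service.xml")
    return match.group(1) is None


def check_transport(props, deploy_xml):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    transport = props.get("cisco.dcnm.remoting.transport")
    port = props.get("cisco.dcnm.remoting.port")
    ejbport = props.get("cisco.dcnm.remoting.ejbport")
    sslejbport = props.get("cisco.dcnm.remoting.sslejbport")
    delay = props.get("cisco.dcnm.remoting.client.invokerDestructionDelay")
    connector_live = ssl_connector_enabled(deploy_xml)

    if transport == "sslsocket":
        if not connector_live:
            findings.append("transport is sslsocket but the SslEjb3Connector mbean is still commented out")
        if port != sslejbport:
            findings.append(f"cisco.dcnm.remoting.port={port} does not match sslejbport={sslejbport}")
        if delay != "30000":
            findings.append(f"invokerDestructionDelay={delay}, expected 30000 for sslsocket")
    elif transport == "socket":
        if connector_live:
            findings.append("transport is socket but the SslEjb3Connector mbean is uncommented")
        if port != ejbport:
            findings.append(f"cisco.dcnm.remoting.port={port} does not match ejbport={ejbport}")
        if delay != "0":
            findings.append(f"invokerDestructionDelay={delay}, expected 0 for socket")
    else:
        findings.append(f"unexpected cisco.dcnm.remoting.transport value: {transport!r}")
    return findings


if __name__ == "__main__":
    for label, conf, deploy in [("enabled", CONF_ENABLED, DEPLOY_ENABLED),
                                ("default", CONF_DEFAULT, DEPLOY_DEFAULT),
                                ("half-applied", CONF_ENABLED, DEPLOY_DEFAULT)]:
        print(label, check_transport(parse_properties(conf), deploy) or "OK")
```

To use it against a real server, read the two files from the paths given in Steps 2 and 6 and pass their contents to parse_properties and check_transport; running it on every server in a clustered deployment before the staggered restart in Step 12 catches a server that was skipped.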
Specifying a Secondary Server Bind Port
You can configure a Cisco DCNM-LAN server to use a specific secondary server bind port.
If your Cisco DCNM-LAN deployment is a clustered-server deployment, you must perform this procedure on each server in the cluster.
DETAILED STEPS
Step 1 Stop the Cisco DCNM-LAN server. If you are specifying a secondary server bind port on a server cluster, use the stop-dcnm-cluster script. For single-server deployments, do one of the following:
- Microsoft Windows—Choose Start > All Programs > Cisco DCNM Server > Stop DCNM Server.
- RHEL—Use the Stop_DCNM_Server script.
For more information about stopping Cisco DCNM-LAN, see the Cisco DCNM Fundamentals Guide, Release 5.x.
Step 2 In a text editor, open the remoting-bisocket-service.xml file that is at the following location:
INSTALL_DIR\dcm\jboss-4.2.2.GA\server\dcnm\deploy\jboss-messaging.sar\remoting-bisocket-service.xml
where INSTALL_DIR is the Cisco DCNM installation directory. On Microsoft Windows, the default installation directory is C:\Program Files\Cisco Systems. On RHEL systems, the default installation directory is /usr/local/cisco.
Step 3 Find the following section in the file. Verify that the section you find includes the secondaryBindPort line.
<!-- Use these parameters to specify values for binding and connecting control connections
to work with your firewall/NAT configuration
<attribute name="secondaryBindPort">xyz</attribute>
<attribute name="secondaryConnectPort">abc</attribute>
By default, the section is commented out using the standard XML comment markers, <!-- and -->.
If you have previously specified a secondary server bind port, the section is not commented out.
Step 4 If the section is commented out, uncomment the secondaryBindPort line, as follows:
a. At the end of the second line of the section, add the following three characters after configuration:
-->
The changed line should read as follows:
to work with your firewall/NAT configuration-->
b. At the beginning of the fourth line of the section, add the following four characters:
<!--
The changed line should read as follows:
<!--<attribute name="secondaryConnectPort">abc</attribute>
After you uncomment the section, it should read as follows:
<!-- Use these parameters to specify values for binding and connecting control connections to work with your firewall/NAT configuration-->
<attribute name="secondaryBindPort">xyz</attribute>
<!--<attribute name="secondaryConnectPort">abc</attribute>
Step 5 In the secondaryBindPort line, specify a port number between the opening and closing attribute elements. For example, if you want to specify port 47900, the secondaryBindPort line should read as follows:
<attribute name="secondaryBindPort">47900</attribute>
Step 6 Save and close the remoting-bisocket-service.xml file.
Step 7 Do one of the following:
- If your Cisco DCNM-LAN deployment is a clustered-server deployment, repeat this procedure on each server in the cluster and then start the servers, beginning with the master server. Allow at least one minute between starting each server.
- If your deployment is a single-server deployment, start the Cisco DCNM-LAN server.
For more information about starting a single Cisco DCNM-LAN or a cluster of Cisco DCNM-LAN servers, see the Cisco DCNM Fundamentals Guide, Release 5.x.
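The outcome of this procedure rests on which of the two attribute lines is inside an XML comment and which is not. The following added check (example code, not Cisco's) uses that distinction directly: Python's ElementTree discards comments while parsing, so an attribute that is still commented out simply does not show up. The sections embedded in it are constructed samples built from the fragment shown in Steps 3 and 4; the closing --> after the secondaryConnectPort line is assumed, since the procedure shows the section only up to that line.

```python
"""Check the secondaryBindPort setting in remoting-bisocket-service.xml.

Added example; this is not Cisco's code. The section samples below are
constructed from the procedure; the trailing --> closing the
secondaryConnectPort comment is an assumption.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the section as shipped (Step 3), fully commented out.
SECTION_DEFAULT = """\
<!-- Use these parameters to specify values for binding and connecting control connections
     to work with your firewall/NAT configuration
<attribute name="secondaryBindPort">xyz</attribute>
<attribute name="secondaryConnectPort">abc</attribute>
-->
"""

# Constructed sample: after Step 4, with the xyz placeholder still in place.
SECTION_PLACEHOLDER = """\
<!-- Use these parameters to specify values for binding and connecting control connections
     to work with your firewall/NAT configuration-->
<attribute name="secondaryBindPort">xyz</attribute>
<!--<attribute name="secondaryConnectPort">abc</attribute>
-->
"""

# Constructed sample: after Step 5, using the port from the procedure's example.
SECTION_CONFIGURED = SECTION_PLACEHOLDER.replace(">xyz<", ">47900<")


def live_attributes(section_xml):
    """Map attribute name -> text for attributes that are not inside a comment.

    The fragment is wrapped in a root element so it parses as a document;
    ElementTree drops comments, so commented-out attributes are absent.
    """
    root = ET.fromstring("<root>" + section_xml + "</root>")
    return {a.get("name"): (a.text or "").strip() for a in root.iter("attribute")}


def check_secondary_bind_port(section_xml):
    """Return findings; an empty list means a fixed, valid secondary bind port is set."""
    live = live_attributes(section_xml)
    findings = []
    bind = live.get("secondaryBindPort")
    if bind is None:
        findings.append("secondaryBindPort is commented out, so the server picks a random "
                        "port at startup and a gateway device cannot be configured for it")
    elif not bind.isdigit() or not 1 <= int(bind) <= 65535:
        findings.append(f"secondaryBindPort value {bind!r} is not a TCP port number; "
                        "replace the placeholder")
    if "secondaryConnectPort" in live:
        findings.append("secondaryConnectPort is uncommented; the procedure leaves it commented out")
    return findings


if __name__ == "__main__":
    for label, section in [("default", SECTION_DEFAULT),
                           ("placeholder", SECTION_PLACEHOLDER),
                           ("configured", SECTION_CONFIGURED)]:
        print(label, check_secondary_bind_port(section) or "OK")
```

The value the check accepts for secondaryBindPort is the port that must be opened on the gateway device alongside the EJB port the client uses; confirming it is fixed and numeric before the restart in Step 7 avoids a restart into the random-port default described earlier in this section.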