Managing Certificates and Server Security

Managing the Server Certificate

You can generate a certificate signing request (CSR) to obtain a new certificate, and you can upload the new certificate to the Cisco IMC to replace the current server certificate. The server certificate may be signed either by a public Certificate Authority (CA), such as Verisign, or by your own certificate authority. The generated certificate key length is 2048 bits.


Note


Before performing any of the following tasks in this chapter, ensure that the Cisco IMC time is set to the current time.


Procedure


Step 1

Generate the CSR from the Cisco IMC.

Step 2

Submit the CSR file to a certificate authority that will issue and sign your certificate. If your organization generates its own self-signed certificates, you can use the CSR file to generate a self-signed certificate.

Step 3

Upload the new certificate to the Cisco IMC.

Note

 

The uploaded certificate must be created from a CSR generated by the Cisco IMC. Do not upload a certificate that was not created by this method.


Generating a Certificate Signing Request


Note


Do not use special characters (for example, the ampersand (&)) in the Common Name and Organization Unit fields.


Before you begin

  • You must log in as an admin to perform this procedure.

  • Ensure that the Cisco IMC time is set to the current time.

Procedure


Step 1

From the Apps drop-down list, select Administration.

Step 2

In the Navigation pane, click Security Management menu.

Step 3

From the Security Management menu, select Certificate Management.

Step 4

From the Actions drop-down list, select Generate Certificate Signing Request.

The Generate Certificate Signing Request dialog box appears.

Step 5

In the Generate Certificate Signing Request dialog box, update the following properties:

Table 1. Generate Certificate Signing Request
Name Description

Common Name

The fully qualified name of the Cisco IMC.

By default, the CN of the server appears in the CXXX-YYYYYY format, where XXX is the model number and YYYYYY is the serial number of the server.

When you upgrade to the latest version, the CN is retained as is.

Subject Alternate Name

You can provide additional input parameters for the Subject Alternate Name. This allows various values to be associated with the subject field of the certificate.

The various types include:

  • Email

  • DNS name

  • IP address

  • Uniform Resource Identifier (URI)

Note

 

This field is optional. You can configure any number of SAN instances of each type, but the total number of instances must not exceed 10.

Organization Name field

The organization requesting the certificate.

Organization Unit field

The organizational unit.

Locality field

The city or town in which the company requesting the certificate is headquartered.

State Name field

The state or province in which the company requesting the certificate is headquartered.

Country Code drop-down list

The country in which the company resides.

Email field

The email contact at the company.

Signature Algorithm

Allows you to select the signature algorithm for generating the certificate signing request. This can be one of the following:

  • SHA256

  • SHA384

  • SHA512

  • ECDSA

  • RSA

The default signature algorithm for generating the certificate signing request is SHA384.

Note

 

The signature algorithms ECDSA and RSA are available in Cisco UCS C-series M7 servers only.

Key Length drop-down list

Note

  • This option is available in Cisco UCS C-series M7 servers only.

  • This option is available for all Signature Algorithm values except ECDSA.

You may select from one of the following:

  • 1024

  • 2048

  • 4096

Key Curve drop-down list

Note

 
  • This option is available in Cisco UCS C-series M7 servers only.

  • This option is available only for ECDSA Signature Algorithm.

You may select from one of the following:

  • P256

  • P384

  • P512

Challenge Password toggle button

A challenge password to be embedded in the Certificate Signing Request (CSR), which the issuing Certificate Authority (CA) uses to authenticate the certificate.

If the Challenge Password option is selected, the Challenge Password String field is displayed for the user to enter a valid password string.

Note

 

The user can choose not to select the Challenge Password, in which case the Challenge Password String field is not displayed; the user can still generate the CSR successfully.

Challenge Password String field

This field is displayed only when the Challenge Password option is selected. Enter a string.

String Mask drop-down list

Sets a mask for the string types permitted in the Certificate Signing Request (CSR); certain string types are masked out of certain fields. The options are as follows:

  • Default: Uses PrintableString, T61String, BMPString.

  • pkix: Uses PrintableString, BMPString.

  • utf8only: Uses only UTF8Strings.

  • nombstr: Uses PrintableString, T61String (no BMPStrings or UTF8Strings).

Self Signed Certificate toggle button

Generates a Self Signed Certificate.

Warning

 
After successful certificate generation, the Cisco IMC Web GUI restarts. Communication with the management controller may be lost momentarily and you will need to re-login.

Note

 

If enabled, the CSR is generated, signed and uploaded automatically.

Generate CSR button

Click to generate the certificate signing request.

Reset Values button

Reset all values in the dialog box.

Note

 

If Self Signed Certificate is enabled, ignore steps 5 and 6.

Step 6

Click Generate CSR.

The Opening csr.txt dialog box appears.

Step 7

Perform any one of the following steps to manage the CSR file, csr.txt:

  1. Click Open With to view csr.txt.

  2. Click Save File and then click OK to save csr.txt to your local machine.


What to do next

  • Submit the CSR file to a certificate authority that will issue and sign your certificate. If your organization generates its own self-signed certificates, you can use the CSR file to generate a self-signed certificate.

  • Ensure that the certificate is of type Server.

Certificate a Self Signing Request


Note


Do not use special characters (for example, the ampersand (&)) in the Common Name and Organization Unit fields.


Before you begin

  • You must log in as an admin to perform this procedure.

  • Ensure that the Cisco IMC time is set to the current time.

Procedure


Step 1

From the Apps drop-down list, select Administration.

Step 2

In the Navigation pane, click Security Management menu.

Step 3

From the Security Management menu, select Certificate Management.

Step 4

In the Actions area, click Generate New Certificate Signing Request.

The Generate Certificate Signing Request dialog box appears.

Step 5

From the Actions drop-down list, select Generate Certificate Signing Request.

The Generate Certificate Signing Request dialog box appears.

Step 6

In the Generate Certificate Signing Request dialog box, update the following properties:

Note

 

Ensure that Self Signed Certificate toggle button is enabled.

Table 2. Generate Certificate Signing Request
Name Description

Common Name

The fully qualified name of the Cisco IMC.

By default, the CN of the server appears in the CXXX-YYYYYY format, where XXX is the model number and YYYYYY is the serial number of the server.

When you upgrade to the latest version, the CN is retained as is.

Subject Alternate Name

You can provide additional input parameters for the Subject Alternate Name. This allows various values to be associated with the subject field of the certificate.

The various types include:

  • Email

  • DNS name

  • IP address

  • Uniform Resource Identifier (URI)

Note

 

This field is optional. You can configure any number of SAN instances of each type, but the total number of instances must not exceed 10.

Organization Name field

The organization requesting the certificate.

Organization Unit field

The organizational unit.

Locality field

The city or town in which the company requesting the certificate is headquartered.

State Name field

The state or province in which the company requesting the certificate is headquartered.

Country Code drop-down list

The country in which the company resides.

Email field

The email contact at the company.

Signature Algorithm

Allows you to select the signature algorithm for generating the certificate signing request. This can be one of the following:

  • SHA256

  • SHA384

  • SHA512

  • ECDSA

  • RSA

The default signature algorithm for generating the certificate signing request is SHA384.

Note

 

The signature algorithms ECDSA and RSA are available in Cisco UCS C-series M7 servers only.

Key Length drop-down list

Note

  • This option is available in Cisco UCS C-series M7 servers only.

  • This option is available for all Signature Algorithm values except ECDSA.

You may select from one of the following:

  • 1024

  • 2048

  • 4096

Key Curve drop-down list

Note

 
  • This option is available in Cisco UCS C-series M7 servers only.

  • This option is available only for ECDSA Signature Algorithm.

You may select from one of the following:

  • P256

  • P384

  • P512

Challenge Password toggle button

A challenge password to be embedded in the Certificate Signing Request (CSR), which the issuing Certificate Authority (CA) uses to authenticate the certificate.

If the Challenge Password option is selected, the Challenge Password String field is displayed for the user to enter a valid password string.

Note

 

The user can choose not to select the Challenge Password, in which case the Challenge Password String field is not displayed; the user can still generate the CSR successfully.

Challenge Password String field

This field is displayed only when the Challenge Password option is selected. Enter a string.

String Mask drop-down list

Sets a mask for the string types permitted in the Certificate Signing Request (CSR); certain string types are masked out of certain fields. The options are as follows:

  • Default: Uses PrintableString, T61String, BMPString.

  • pkix: Uses PrintableString, BMPString.

  • utf8only: Uses only UTF8Strings.

  • nombstr: Uses PrintableString, T61String (no BMPStrings or UTF8Strings).

Self Signed Certificate toggle button

Generates a Self Signed Certificate.

Warning

 
After successful certificate generation, the Cisco IMC Web GUI restarts. Communication with the management controller may be lost momentarily and you will need to re-login.

Note

 

If enabled, the CSR is generated, signed and uploaded automatically.

Generate CSR button

Click to generate the certificate signing request.

Reset Values button

Reset all values in the dialog box.

Step 7

Click Generate CSR.

The Opening csr.txt dialog box appears.

Step 8

Perform any one of the following steps to manage the CSR file, csr.txt:

  1. Click Open With to view csr.txt.

  2. Click Save File and then click OK to save csr.txt to your local machine.


What to do next

  • Submit the CSR file to a certificate authority that will issue and sign your certificate. If your organization generates its own self-signed certificates, you can use the CSR file to generate a self-signed certificate.

  • Ensure that the certificate is of type Server.

Creating a Self-Signed Certificate using Linux

As an alternative to using a public Certificate Authority (CA) to generate and sign a server certificate, you can operate your own CA and sign your own certificates. This section shows commands for creating a CA and generating a server certificate using the OpenSSL certificate server running on Linux. For detailed information about OpenSSL, see http://www.openssl.org.


Note


These commands are to be entered on a Linux server with the OpenSSL package, not in the Cisco IMC.


Before you begin

  • Obtain and install a certificate server software package on a server within your organization.

  • Ensure that the Cisco IMC time is set to the current time.

Procedure

  Command or Action Purpose

Step 1

openssl genrsa -out CA_keyfilename keysize

Example:

# openssl genrsa -out ca.key 2048

This command generates an RSA private key that will be used by the CA.

Note

 
To allow the CA to access the key without user input, do not use the -des3 option for this command.

The specified file name contains an RSA key of the specified key size.

Step 2

openssl req -new -x509 -days numdays -key CA_keyfilename -out CA_certfilename

Example:

# openssl req -new -x509 -days 365 -key ca.key -out ca.crt

This command generates a new self-signed certificate for the CA using the specified key. The certificate is valid for the specified period. The command prompts the user for additional certificate information.

The certificate server is an active CA.

Step 3

echo "nsCertType = server" > openssl.conf

Example:

# echo "nsCertType = server" > openssl.conf

This command adds a line to the OpenSSL configuration file to designate the certificate as a server-only certificate. This designation is a defense against a man-in-the-middle attack, in which an authorized client attempts to impersonate the server.

The OpenSSL configuration file openssl.conf contains the statement "nsCertType = server".

Step 4

openssl x509 -req -days numdays -in CSR_filename -CA CA_certfilename -set_serial 04 -CAkey CA_keyfilename -out server_certfilename -extfile openssl.conf

Example:

# openssl x509 -req -days 365 -in csr.txt -CA ca.crt -set_serial 04 \
    -CAkey ca.key -out myserver05.crt -extfile openssl.conf

This command directs the CA to use your CSR file to generate a server certificate.

Your server certificate is contained in the output file.

Step 5

openssl x509 -noout -text -purpose -in <cert file>

Example:

# openssl x509 -noout -text -purpose -in server.crt

Verifies that the generated certificate is of type Server.

Note

 

If the values of the fields Server SSL and Netscape SSL server are not yes, ensure that openssl.conf is configured to generate certificates of type server.

Step 6

(Optional) If the generated certificate does not have the correct validity dates, ensure the Cisco IMC time is set to the current time, and regenerate the certificate by repeating steps 1 through 5.

A certificate with the correct validity dates is created.

Example

This example shows how to create a CA and to generate a server certificate signed by the new CA. These commands are entered on a Linux server running OpenSSL.

# /usr/bin/openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
.............++++++
.....++++++
e is 65537 (0x10001)
# /usr/bin/openssl req -new -x509 -days 365 -key ca.key -out ca.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:California
Locality Name (eg, city) [Newbury]:San Jose
Organization Name (eg, company) [My Company Ltd]:Example Incorporated
Organizational Unit Name (eg, section) []:Unit A
Common Name (eg, your name or your server's hostname) []:example.com
Email Address []:admin@example.com
# echo "nsCertType = server" > openssl.conf
# /usr/bin/openssl x509 -req -days 365 -in csr.txt -CA ca.crt -set_serial 01 -CAkey ca.key -out server.crt -extfile openssl.conf
Signature ok
subject=/C=US/ST=California/L=San Jose/O=Example Inc./OU=Unit A/CN=example.com/emailAddress=john@example.com
Getting CA Private Key
#

What to do next

Upload the new certificate to the Cisco IMC.
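The following script is an added example and not part of the Cisco guide: it runs the CA and server-certificate steps above end to end in a temporary directory, then applies the checks a practitioner wants before uploading the result. Because the Cisco IMC keeps its private key and only hands out csr.txt, the CSR here is a locally generated stand-in; the imc.key file, the C220-ABC12345 common name, the example.com host names, the 192.0.2.10 address and the demo.cnf section names are all constructed. The config file also shows the OpenSSL keys behind two CSR dialog fields: string_mask takes exactly the String Mask values (default, pkix, utf8only, nombstr), and subjectAltName is what the Subject Alternate Name list becomes. Two caveats the guide's commands do not mention: openssl x509 -req does not carry the CSR's extensions into the certificate, so the SAN must be restated in the -extfile or the signed certificate has none; and -CAcreateserial replaces the fixed -set_serial 04 so that two certificates issued by one CA never share a serial number. Assumes OpenSSL 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): CA creation, CSR signing and the
# "is it a server certificate" check, run end to end in a temporary directory.
# Assumes OpenSSL 1.1.1 or later on PATH. All names below are constructed.
set -eu

make_server_cert() {
  work=$(mktemp -d)
  cd "$work"

  # One config file for the whole run. string_mask takes the same values as the
  # String Mask drop-down in the CSR dialog (default, pkix, utf8only, nombstr);
  # the [san] section is what the Subject Alternate Name field becomes in OpenSSL.
  cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
string_mask = utf8only
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[san]
subjectAltName = DNS:imc-c220.example.com,IP:192.0.2.10
EOF

  # Step 1: CA private key. No -des3, so the CA can use it without a passphrase prompt.
  openssl genrsa -out ca.key 2048 2>/dev/null

  # Step 2: self-signed CA certificate; -subj replaces the interactive DN prompts.
  openssl req -new -x509 -days 365 -key ca.key -out ca.crt \
    -config demo.cnf -extensions v3_ca \
    -subj "/C=US/ST=California/L=San Jose/O=Example Inc./CN=Example Demo CA"

  # Stand-in for csr.txt. The real CSR comes from the Cisco IMC, which keeps its
  # private key; imc.key exists here only so there is something to sign. The CN
  # follows the CXXX-YYYYYY form the GUI uses by default (constructed values).
  openssl req -new -newkey rsa:2048 -nodes -keyout imc.key -out csr.txt \
    -config demo.cnf -reqexts san \
    -subj "/C=US/ST=California/L=San Jose/O=Example Inc./OU=Unit A/CN=C220-ABC12345"

  # Step 3: extension file for signing. nsCertType = server is the guide's
  # server-only marker; subjectAltName is restated because "openssl x509 -req"
  # does not carry CSR extensions into the certificate, so without this line
  # the signed certificate would have no SAN at all.
  cat > openssl.conf <<'EOF'
nsCertType = server
extendedKeyUsage = serverAuth
subjectAltName = DNS:imc-c220.example.com,IP:192.0.2.10
EOF

  # Step 4: sign. -CAcreateserial lets the CA track serials in ca.srl instead of
  # the fixed "04" in the guide, so no two certificates from this CA share one.
  openssl x509 -req -days 365 -in csr.txt -CA ca.crt -CAkey ca.key \
    -CAcreateserial -out server.crt -extfile openssl.conf 2>/dev/null

  echo "$work"
}

# Step 5 as a function: true only if OpenSSL reports the SSL server purpose.
cert_is_server_type() {
  openssl x509 -noout -purpose -in "$1" | grep -q '^SSL server : Yes'
}

# The check Step 6 implies: valid right now, and chains to the CA that signed it.
cert_valid_and_chained() {
  openssl x509 -noout -checkend 0 -in "$2" >/dev/null &&
    openssl verify -CAfile "$1" "$2" >/dev/null
}

# Count the SAN entries that made it into the certificate (expect 2 here).
cert_san_count() {
  openssl x509 -noout -ext subjectAltName -in "$1" | tr ',' '\n' | grep -c -E 'DNS:|IP Address:'
}

main_demo() {
  dir=$(make_server_cert)
  cert_is_server_type "$dir/server.crt" && echo "server purpose: ok"
  cert_valid_and_chained "$dir/ca.crt" "$dir/server.crt" && echo "chain and dates: ok"
  echo "SAN entries: $(cert_san_count "$dir/server.crt")"
}

main_demo
```

To adapt this to a real server, replace the stand-in CSR step with the csr.txt downloaded from the Cisco IMC and put the SAN entries you typed into the CSR dialog into openssl.conf; the purpose, chain and date checks then apply unchanged to the certificate you are about to upload.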

Creating a Self-Signed Certificate Using Windows

Before you begin

  • You must log in as an admin to perform this procedure.

  • Ensure that the Cisco IMC time is set to the current time.

Procedure


Step 1

Open IIS Manager and navigate to the level you want to manage.

Step 2

In the Features area, double-click Server Certificate.

Step 3

In the Action pane, click Create Self-Signed Certificate.

Step 4

On the Create Self-Signed Certificate window, enter a name for the certificate in the Specify a friendly name for the certificate field.

Step 5

Click Ok.

Step 6

(Optional) If the generated certificate does not have the correct validity dates, ensure the Cisco IMC time is set to the current time, and regenerate the certificate by repeating steps 1 through 5.

A certificate with the correct validity dates is created.

Uploading a Server Certificate

You can either browse to and select the certificate file to upload to the server, or copy the entire content of the signed certificate, paste it in the Paste certificate content text field, and upload it.

Before you begin

  • You must log in as an admin to perform this procedure.

  • The certificate file to be uploaded must reside on a locally accessible file system.

  • Ensure that the generated certificate is of type server.

  • The following certificate formats are supported:

    • .crt

    • .cer

    • .pem


Note


You must first generate a CSR using the Cisco IMC Certificate Management menu, and you must use that CSR to obtain the certificate for uploading. Do not upload a certificate that was not obtained by this method.


Procedure


Step 1

From the Apps drop-down list, select Administration.

Step 2

In the Navigation pane, click Security Management menu.

Step 3

From the Security Management menu, select Certificate Management.

Step 4

From the Actions drop-down list, select Upload Server Certificate.

The Upload Server Certificate dialog box appears.

Step 5

In the Upload Server Certificate dialog box, update the following properties:

Name Description

Local/Paste toggle button

Allows you to select the certificate file from the local machine or paste the certificate.

Browse button

Opens a dialog box that allows you to navigate to the appropriate certificate file.

Applicable only when Local option is selected.

Paste Certificate content radio button

Opens a text box that allows you to copy the entire content of the signed certificate and paste it in the Paste certificate content text field.

Note

 

Ensure the certificate is signed before uploading.

Applicable only when Paste option is selected.

Upload button

Click Upload to upload the certificate.


Managing the External Certificate

You can also upload a wildcard or an external certificate and an external private key, in addition to a server certificate. Unlike a server certificate, you can upload and use the same external certificate and key pair on multiple Cisco IMC servers.

  1. Upload the external certificate and external private key to Cisco IMC.

  2. Activate the uploaded certificate.

    On activation, the new certificate and private key pair replaces the existing certificate and key pair in Cisco IMC.

Uploading an External Certificate

Before you begin

  • You must be logged in as an admin to perform this procedure.

  • The certificate file to be uploaded must reside on a locally accessible file system.

  • The following certificate formats are supported:

    • .crt

    • .cer

    • .pem

Procedure


Step 1

From the Apps drop-down list, select Administration.

Step 2

In the Navigation pane, click Security Management menu.

Step 3

From the Security Management menu, select Certificate Management.

Step 4

From the Actions drop-down list, select Upload External Certificate.

The Upload External Certificate dialog box appears.

Step 5

In the Upload External Certificate dialog box, select the appropriate method to upload the certificate and enter the relevant details:

Table 3. Remote
Name Description

Remote button

Select this option when you want to upload the external certificate from a remote location.

Server IP/Hostname

Server details from where you want to upload the external certificate.

Upload Protocol button

Select one of the following protocols.

  • TFTP

  • FTP

  • SCP

  • SFTP

  • HTTP

Note

 

If you select FTP, SCP or SFTP, you will be prompted to enter your username and password.

Path and Filename field

File path where the external certificate file resides on the server along with the filename.

Username field

User name for your remote server.

Password field

Password for your remote server.

Upload button

Allows you to upload the external certificate.

Table 4. Local
Name Description

Local button

Select this option when you want to upload the external certificate from your local machine.

Click Browse and navigate to the external certificate that you want to upload.

Upload button

Allows you to upload the external certificate.

Table 5. Paste
Name Description

Paste button

Opens a text box that allows you to copy the entire content of the external certificate and paste it in the Paste External Certificate Content text field.

Upload button

Allows you to upload the external certificate.


What to do next

Upload the external private key and then activate the uploaded external certificate.

Important


After you upload the external certificate and the external private key, the Activate External Certificate action is enabled. From the Actions drop-down list, select Activate External Certificate to activate the uploaded external certificate.

Activating the uploaded certificate replaces the existing certificate and key pair, and disconnects any existing HTTPS and SSH sessions.
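An added pre-flight check, not part of the Cisco guide, for the external certificate and private key before you upload and activate them. Activation replaces the current pair and drops every HTTPS and SSH session, so a certificate that does not belong to the key you uploaded could leave the management interface unreachable over HTTPS until you recover it. The script builds a constructed wildcard pair with OpenSSL purely to have input to check (the *.imc.example.com subject, the ext.crt, ext.key and other.key file names, and the seven-day expiry margin are all made up for the example), then confirms that both files are PEM, that the certificate's public key matches the one derived from the private key, and that the certificate is not about to expire. Assumes OpenSSL 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): checks to run on an external
# certificate and private key before uploading and activating them.
# Assumes OpenSSL 1.1.1 or later on PATH. All file names and subjects are constructed.
set -eu

# Constructed input only: a wildcard certificate and its key, plus an unrelated key
# so that the mismatch case can be exercised too.
make_demo_pair() {
  work=$(mktemp -d)
  printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$work/min.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$work/min.cnf" \
    -keyout "$work/ext.key" -out "$work/ext.crt" \
    -subj "/O=Example Inc./CN=*.imc.example.com" 2>/dev/null
  openssl genrsa -out "$work/other.key" 2048 2>/dev/null
  echo "$work"
}

# The upload accepts .crt/.cer/.pem, i.e. PEM text: reject DER or PKCS#12 early.
is_pem_cert() { openssl x509 -noout -in "$1" 2>/dev/null; }

# An encrypted key would stop here with a passphrase prompt; "-passin pass:" supplies
# an empty passphrase so the check fails fast instead of hanging on the prompt.
is_pem_key() { openssl pkey -noout -passin pass: -in "$1" 2>/dev/null; }

# Pair check: the SubjectPublicKeyInfo inside the certificate must equal the public
# half derived from the private key. Comparing whole public keys (rather than an RSA
# modulus) works for RSA and ECDSA keys alike.
cert_matches_key() {
  c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1
  [ "$c" = "$k" ]
}

# Not expired now and not expiring within 7 days (604800 s): an arbitrary margin
# chosen for the example, since activating an almost-expired certificate buys nothing.
cert_dates_ok() { openssl x509 -noout -checkend 604800 -in "$1" >/dev/null; }

# All four checks; a non-zero exit means "do not upload this pair".
preflight() {
  is_pem_cert "$1" && is_pem_key "$2" && cert_matches_key "$1" "$2" && cert_dates_ok "$1"
}

main_demo() {
  d=$(make_demo_pair)
  preflight "$d/ext.crt" "$d/ext.key" && echo "ext.crt / ext.key: ok to upload"
  if cert_matches_key "$d/ext.crt" "$d/other.key"; then
    echo "unexpected: other.key matched"
  else
    echo "ext.crt / other.key: mismatch detected"
  fi
}

main_demo
```

Run preflight against the certificate and key you intend to paste or browse to in the Upload External Certificate and Upload External Private Key dialogs; only activate when it exits 0.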


Uploading an External Private Key

Before you begin

  • You must be logged in as an admin to perform this procedure.

  • Ensure that you have uploaded an external certificate.

Procedure


Step 1

From the Apps drop-down list, select Administration.

Step 2

In the Navigation pane, click Security Management menu.

Step 3

From the Security Management menu, select Certificate Management.

Step 4

From the Actions drop-down list, select Upload External Private Key.

The Upload External Private Key dialog box appears.

Step 5

In the Upload External Private Key dialog box, select the appropriate method to upload the private key and enter the relevant details:

Table 6. Remote
Name Description

Remote button

Select this option when you want to upload the external private key from a remote location.

Server IP/Hostname field

Server details from where you want to upload the external private key.

Upload Protocol button

Select one of the following protocols.

  • SFTP

  • SCP

Username field

User name for your remote server.

Password field

Password for your remote server.

Upload button

Allows you to upload the external private key.

Table 7. Local
Name Description

Local button

Select this option when you want to upload the external private key from your local machine.

Click Browse and navigate to the external private key file that you want to upload.

Upload button

Allows you to upload the external private key.

Table 8. Paste
Name Description

Paste button

Opens a text box that allows you to copy the entire content of the external private key and paste it in the Paste External Private Key Content text field.

Upload button

Allows you to upload the external private key.


What to do next

Upload the external private key and then activate the uploaded external certificate.

Important


After you upload the external certificate and the external private key, the Activate External Certificate action is enabled. From the Actions drop-down list, select Activate External Certificate to activate the uploaded external certificate.

Activating the uploaded certificate replaces the existing certificate and key pair, and disconnects any existing HTTPS and SSH sessions.


Activating the External Certificate

Before you begin

  • You must be logged in as an admin to perform this procedure.

  • Ensure that you have uploaded the external certificate and external private key.

Procedure


Step 1

From the Apps drop-down list, select Administration.

Step 2

In the Navigation pane, click Security Management menu.

Step 3

From the Security Management menu, select Certificate Management.

Step 4

From the Actions drop-down list, select Activate External Certificate.

Note

 

Activating the external certificate overwrites any existing certificate and key pair, and disconnects any existing HTTPS and SSH sessions.


SPDM Security - MCTP SPDM

SPDM Security

Cisco UCS C-Series Servers might contain mutable components that could provide vectors for attack against a device itself or for use of a device to attack another device within the system. To defend against these attacks, the SPDM (Security Protocol and Data Model) specification defines messages, data objects, and sequences for performing message exchanges between devices over a variety of transport and physical media. It orchestrates message exchanges between management controllers and end-point devices over the Management Component Transport Protocol (MCTP).

Message exchanges include authentication of the hardware identities accessing the controller. SPDM enables access to low-level security capabilities and operations by specifying a managed level for device authentication and certificate management.

Endpoint certificates and authorities (Root CA) certificates are listed on all user interfaces on the server. You can also upload the content of one or more external device certificates into Cisco IMC. Using an SPDM policy allows you to change or delete the external Root CA certificate or settings as desired. You can also delete or replace the root CA certificate when it is no longer needed.

An SPDM security policy allows you to specify one of the three security level settings listed below:

  • Full Security:

    This is the highest MCTP security setting. When you select this setting, a fault is generated when any endpoint authentication failure is detected. A fault is also generated if any endpoint does not support endpoint authentication.

  • Partial Security:

    When you select this setting, a fault is generated when any endpoint authentication failure is detected. No fault is generated when an endpoint does not support endpoint authentication. This is the default setting.

  • No Security:

    When you select this setting, no fault is generated for any failure (endpoint measurement).

Configuring and Viewing the MCTP SPDM Fault Alert Settings

Procedure


Step 1

From the Apps drop-down list, select Administration.

Step 2

In the Navigation pane, click Security Management menu.

Step 3

From the Security Management menu, select MCTP SPDM.

Step 4

Under the Properties area, review or update the following properties:

Table 9. Properties Area
Name Description

Fault Alert Setting drop-down list

Select the fault alert setting from the drop-down list.

This can be one of the following:

  • Full - If you select this option, then a fault is generated when there is any endpoint authentication failure.

    If you select this option, then a fault is generated when the endpoints do not support endpoint authentication.

  • Partial - The default option. If you select this option, then a fault is generated when there is any endpoint authentication failure.

    If you select this option, no fault is generated when the endpoints do not support endpoint authentication.

  • Disabled - If you select this option, no fault is generated for endpoint authentication failure.

Certificate Upload Progress

Displays the certificate upload progress.

Certificate Upload Status

Displays the certificate upload status.

SPDM Status

Displays the overall SPDM authentication status.


What to do next

When a fault is generated for a device attestation failure, you can view the fault details in the Faults and Logs tab under System Apps.

Viewing SPDM Authentication Status

Procedure

  Command or Action Purpose

Step 1

From the Apps drop-down list, select Administration.

Step 2

In the Navigation pane, click Security Management menu.

Step 3

From the Security Management menu, select MCTP SPDM.

Step 4

Under the Properties area, review the following properties:

Table 10. Properties Area
Name Description

Fault Alert Setting drop-down list

Select the fault alert setting from the drop-down list.

This can be one of the following:

  • Full - If you select this option, then a fault is generated when there is any endpoint authentication failure.

    If you select this option, then a fault is generated when the endpoints do not support endpoint authentication.

  • Partial - The default option. If you select this option, then a fault is generated when there is any endpoint authentication failure.

    If you select this option, no fault is generated when the endpoints do not support endpoint authentication.

  • Disabled - If you select this option, no fault is generated for endpoint authentication failure.

Certificate Upload Progress

Displays the certificate upload progress.

Certificate Upload Status

Displays the certificate upload status.

SPDM Status

Displays the overall SPDM authentication status.

Adding Authorities Certificate

Procedure


Step 1

From the Apps drop-down list, select Administration.

Step 2

In the Navigation pane, click Security Management menu.

Step 3

From the Security Management menu, select MCTP SPDM.

Step 4

Under the Certificates area, click + Add Certificate.

Add Authorities Certificate dialog box is displayed.

Step 5

In the Add Authorities Certificate dialog box, use one of the following methods to add the certificate:

Table 11. Remote
Name Description

Remote button

Select this option when you want to add authorities certificate from a remote location.

Server IP/Hostname

Server details from where you want to add authorities certificate.

Upload Protocol button

Select one of the following protocols.

  • TFTP

  • FTP

  • SCP

  • SFTP

  • HTTP

Note

 

If you select FTP, SCP or SFTP, you will be prompted to enter your username and password.

Path and Filename field

File path where the root CA certificate file resides on the server along with the filename.

Username field

User name for your remote server.

Password field

Password for your remote server.

Upload Authorities Certificate button

Allows you to add authorities certificate.

Table 12. Local
Name Description

Local button

Select this option when you want to add authorities certificate from your local machine.

Click Browse and navigate to the authorities certificate that you want to add.

Upload Authorities Certificate button

Allows you to add authorities certificate.

Table 13. Paste
Name Description

Paste field

Opens a text box that allows you to copy the entire content of the root CA certificate and paste it in the Paste Authorities Certificate text field.

Upload Authorities Certificate button

Allows you to add authorities certificate.

You can view the upload progress and status in the Certificate Upload Progress and Certificate Upload Status fields of the MCTP SPDM tab.

After the upload completes successfully, the authorities certificate is listed with its details in the Authorities tab.


Viewing the List of Certificates and Certificate Details

Procedure

  Command or Action Purpose

Step 1

From the Apps drop-down list, select Administration.

Step 2

In the Navigation pane, click Security Management menu.

Step 3

From the Security Management menu, select MCTP SPDM.

Step 4

Under the Certificates area, click Endpoints tab.

Step 5

You can view the following properties:

Table 14. Endpoints
Name Description

Common Name column

Displays the endpoint's Root CA certificate common name.

Endpoint ID column

Displays the PCIe Slot ID.

Status column

Displays the endpoint's final SPDM handshake status.

View Certificate Details icon

Allows you to view the endpoint certificate details.

Step 6

Under the Certificates area, click the Authorities tab.

Step 7

You can view the following properties:

Table 15. Authorities
Name Description

Add Certificate + button

Allows you to add authorities certificates.

Delete button

Allows you to delete the authorities certificate.

Select the check box on any row in the table and click the Delete button.

Note

A lock icon is displayed next to the certificates that are shipped from the factory. You cannot delete the certificates with the lock icon.

Common Name column

Displays the authorities certificate common name.

Issued By column

Displays the details of who issued the authorities certificate.

Expires column

Displays the expiry date of the authorities certificate.

View Certificate Details icon

Allows you to view the authorities certificate details.


Step 8

To view the details of a specific certificate, click the View icon.

The following details of the authorities certificate are displayed in View Certificate dialog box:

Name Description

Name

Displays the authorities certificate common name.

Issued By

Displays the details of who issued the authorities certificate.

Serial Number field

Displays the serial number of the certificate.

Valid from

Displays the start of the validity period of the certificate.

Valid To

Displays the end of the validity period of the certificate.

Table 16. Subject Area
Name Description

Common Name

Displays the authorities certificate common name.

City

Displays the city in the certificate subject.

State field

Displays the state in the certificate subject.

Country Code

Displays the country code in the certificate subject.

Organization Unit

Displays the organization unit in the certificate subject.

Organization

Displays the organization name in the certificate subject.

Table 17. Issuer Area
Name Description

Common Name

Displays the issuer common name of the certificate.

City

Displays the issuer city of the certificate.

State

Displays the issuer state of the certificate.

Country Code

Displays the issuer country code of the certificate.

Organization Unit

Displays the issuer organization unit of the certificate.

Organization

Displays the issuer organization name.

Deleting Certificates

Procedure

  Command or Action Purpose

Step 1

From the Apps drop-down list, select Administration.

Step 2

In the Navigation pane, click the Security Management menu.

Step 3

From the Security Management menu, select MCTP SPDM.

Step 4

Under the Certificates area, click the Authorities tab.

Step 5

In the Authorities tab, select the check box on any row in the table.

Note

A lock icon is displayed next to the certificates that are shipped from the factory. You cannot delete the certificates with the lock icon.

Step 6

Click Delete to delete the selected certificate.

The following message is displayed in a pop-up window:

The certificate has deleted successfully. CIMC will re-authenticate all devices.

Step 7

Click OK.

Key Management Interoperability Protocol

Key Management Interoperability Protocol (KMIP) is a communication protocol that defines message formats for handling keys or classified data on a key management server. KMIP is an open standard and is supported by several vendors. Because the standard defines message formats shared by interoperable implementations, a KMIP client works with any KMIP server.

Self-Encrypting Drives (SEDs) contain hardware that encrypts incoming data and decrypts outgoing data in real time. A drive or media encryption key controls this function. However, the drives must be locked to maintain security. A security key identifier and a security key (key encryption key) achieve this. The key identifier provides a unique ID for the drive.

Different keys have different usage requirements. Currently, the responsibility for managing and tracking local keys lies primarily with the user, which can lead to human error: the user must remember the different keys and their functions, which can be a challenge. KMIP addresses this concern by managing the keys effectively without human involvement.

Viewing Secure Key Management Settings

Procedure


Step 1

From the Apps drop-down list, select Administration.

Step 2

In the Navigation pane, click the Security Management menu.

Step 3

From the Security Management menu, select Secure Key Management.

Step 4

You can review the following properties:

Table 18. Secure Key Management
Name Description

Enable Secure Key Management toggle button

Allows you to enable or disable the secure key management feature.

Step 5

In the KMIP Servers area, review the following fields:

Table 19. KMIP Servers
Name Description

KMIP Login Details button

Displays the KMIP Login Details dialog box.

+ Add Server button

Allows you to add a row with server details. Click it and enter the server properties in the new row.

ID field

ID for the KMIP server configuration.

IP Address field

IP address of the KMIP server.

Port field

Communication port to the KMIP server.

Timeout field

Time period that Cisco IMC waits for a response from the KMIP server.

Delete button

Allows you to delete the KMIP server configuration. Select a row from the table and click Delete.

Note

The Delete button is visible only when you select a row.

Test Connection button

Tests whether the connection to the selected KMIP server succeeds.

Note

The Test Connection button is visible only when you select a row.

Step 6

In the Certificate and Key Status area, review the following fields:

Table 20. Certificate and Key Status
Name Description

Name column

Displays the name of the certificate/key.

Status column

Indicates the availability of the certificate/key.

Download column

Displays the download status of the certificate/key.

Export column

Displays the export status of the certificate/key.


Creating a Client Private Key and Client Certificate for KMIP Configuration

As an alternative to using a public Certificate Authority (CA) to generate and sign a server certificate, you can operate your own CA and sign your own certificates. This section shows commands for creating a CA and generating a server certificate using the OpenSSL certificate server running on Linux. For detailed information about OpenSSL, see http://www.openssl.org/.


Note


These commands are to be entered on a Linux server with the OpenSSL package, not in the Cisco IMC.


Before you begin

  • Obtain and install a certificate server software package on a server within your organization.

  • Ensure that the Cisco IMC time is set to the current time.

SUMMARY STEPS

  1. openssl genrsa -out Client_Privatekeyfilename keysize
  2. openssl req -new -x509 -days numdays -key Client_Privatekeyfilename -out Client_certfilename
  3. Obtain the KMIP root CA certificate from the KMIP server.

DETAILED STEPS

  Command or Action Purpose

Step 1

openssl genrsa -out Client_Privatekeyfilename keysize

Example:

# openssl genrsa -out client_private.pem 2048

This command generates a client private key that will be used to generate the client certificate.

The specified file name contains an RSA key of the specified key size.

Step 2

openssl req -new -x509 -days numdays -key Client_Privatekeyfilename -out Client_certfilename

Example:

# openssl req -new -x509 -key client_private.pem -out client.pem -days 365

This command generates a new self-signed client certificate using the client private key obtained from the previous step. The certificate is valid for the specified period. The command prompts the user for additional certificate information.

A new self-signed client certificate is created.

Step 3

Obtain the KMIP root CA certificate from the KMIP server.

Refer to the KMIP vendor documentation for details on obtaining the root CA certificate.
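An added example, not from the Cisco guide, that runs Steps 1 and 2 above without prompts and then performs the checks worth doing before the pair is uploaded to the Cisco IMC: the key is at least 2048 bits, the certificate's public key belongs to the private key, the certificate verifies as self-signed, and it will not expire within a chosen window. It assumes the openssl CLI is on PATH; the file names and the subject DN are constructed example values.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): Steps 1 and 2 of the procedure run
# without prompts, then the checks worth doing before the pair is uploaded to the
# Cisco IMC. Assumes the openssl CLI is on PATH; file names and the subject DN
# passed to these functions are constructed example values.

# kmip_client_keypair KEYFILE CERTFILE DAYS SUBJECT [KEYSIZE]
# Generates the RSA client private key and the self-signed client certificate.
# -subj supplies the DN so "openssl req" does not prompt for it.
kmip_client_keypair() {
    key=$1; cert=$2; days=$3; subj=$4; bits=${5:-2048}
    openssl genrsa -out "$key" "$bits" 2>/dev/null || return 1
    chmod 600 "$key"   # the private key is a credential: owner-only access
    openssl req -new -x509 -key "$key" -out "$cert" -days "$days" -subj "$subj" \
        2>/dev/null || return 1
}

# kmip_client_check KEYFILE CERTFILE MIN_DAYS
# Returns 0 only when: the key is at least 2048 bits, the certificate's public key
# belongs to this private key, the certificate verifies as self-signed, and it
# remains valid for at least MIN_DAYS more days. Every failed check is reported.
kmip_client_check() {
    key=$1; cert=$2; min_days=$3; rc=0
    bits=$(openssl rsa -in "$key" -noout -text 2>/dev/null |
           sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p')
    if [ -z "$bits" ] || [ "$bits" -lt 2048 ]; then
        echo "FAIL: private key is ${bits:-unreadable} bits; 2048 or more required"; rc=1
    fi
    key_pub=$(openssl rsa -in "$key" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$key_pub" != "$cert_pub" ]; then
        echo "FAIL: public key in $cert does not match $key"; rc=1
    fi
    if ! openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify as a self-signed certificate"; rc=1
    fi
    # -checkend takes seconds. Once the client certificate expires, the Cisco IMC
    # can no longer authenticate to the KMIP server, so check the window early.
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "FAIL: $cert expires within $min_days days"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $cert matches $key"
        openssl x509 -in "$cert" -noout -subject -startdate -enddate
    fi
    return "$rc"
}

# Demo with constructed values in a scratch directory.
demo_dir=$(mktemp -d)
kmip_client_keypair "$demo_dir/client_private.pem" "$demo_dir/client.pem" 365 \
    "/CN=cimc-kmip-client/O=Example Org" &&
    kmip_client_check "$demo_dir/client_private.pem" "$demo_dir/client.pem" 30
```

The notBefore printed by the check is what the Cisco IMC compares against its own clock, which is why the "Before you begin" list asks for the Cisco IMC time to be current.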

What to do next

Upload the new certificate to the Cisco IMC.

Root CA Certificate

Downloading a Root CA Certificate

Procedure


Step 1

From the Apps drop-down list, select Administration.

Step 2

In the Navigation pane, click the Security Management menu.

Step 3

From the Security Management menu, select Secure Key Management.

Step 4

From the Actions drop-down list, select Download Root CA Certificate.

Step 5

In the Download Root CA Certificate dialog box, use one of the following methods to download the Root CA certificate:

Table 21. Remote
Name Description

Remote button

Select this option when you want to download the root CA certificate from a remote location.

Server IP/Hostname

Server details from where you want to download the root CA certificate.

Upload Protocol button

Select one of the following protocols.

  • TFTP

  • FTP

  • SCP

  • SFTP

  • HTTP

Note

If you select FTP, SCP or SFTP, you will be prompted to enter your username and password.

Path and Filename field

File path where the root CA certificate file resides on the server along with the filename.

Username field

User name for your remote server.

Password field

Password for your remote server.

Download Root CA Certificate button

Allows you to download the root CA certificate.

Table 22. Local
Name Description

Local button

Select this option when you want to download the root CA certificate from your local machine.

Click Browse and navigate to the root CA certificate that you want to download.

Download Root CA Certificate button

Allows you to download the root CA certificate.

Table 23. Paste
Name Description

Paste field

Opens a text box that allows you to copy the entire content of the root CA certificate and paste it in the Paste root CA Certificate Content text field.

Download Root CA Certificate button

Allows you to download the root CA certificate.


Exporting a Root CA Certificate

Procedure


Step 1

From the Apps drop-down list, select Administration.

Step 2

In the Navigation pane, click the Security Management menu.

Step 3

From the Security Management menu, select Secure Key Management.

Step 4

From the Actions drop-down list, select Export Root CA Certificate.

Step 5

In the Export Root CA Certificate dialog box, use one of the following methods to export the Root CA certificate:

Table 24. Remote
Name Description

Remote button

Select this option when you want to export the root CA certificate to a remote location.

Server IP/Hostname

Server to which you want to export the root CA certificate.

Upload Protocol button

Select one of the following protocols.

  • TFTP

  • FTP

  • SCP

  • SFTP

  • HTTP

Note

If you select FTP, SCP or SFTP, you will be prompted to enter your username and password.

Path and Filename field

File path where the root CA certificate file resides on the server along with the filename.

Username field

User name for your remote server.

Password field

Password for your remote server.

Export Root CA Certificate button

Allows you to export the root CA certificate.

Table 25. Local
Name Description

Local button

Select this option when you want to export the root CA certificate from your local machine.

Click Browse and navigate to the root CA certificate that you want to export.

Export Root CA Certificate button

Allows you to export the root CA certificate.


Deleting a Root CA Certificate

Procedure


Step 1

From the Apps drop-down list, select Administration.

Step 2

In the Navigation pane, click the Security Management menu.

Step 3

From the Security Management menu, select Secure Key Management.

Step 4

From the Actions drop-down list, select Delete Root CA Certificate.

Step 5

Click OK to confirm.


Downloading a Client Certificate

Procedure


Step 1

From the Apps drop-down list, select Administration.

Step 2

In the Navigation pane, click the Security Management menu.

Step 3

From the Security Management menu, select Secure Key Management.

Step 4

From the Actions drop-down list, select Download Client Certificate.

Step 5

In the Download Client Certificate dialog box, use one of the following methods to download the client certificate:

Table 26. Remote
Name Description

Remote button

Select this option when you want to download the client certificate from a remote location.

Server IP/Hostname

Server details from where you want to download the client certificate.

Upload Protocol button

Select one of the following protocols.

  • TFTP

  • FTP

  • SCP

  • SFTP

  • HTTP

Note

If you select FTP, SCP or SFTP, you will be prompted to enter your username and password.

Path and Filename field

File path where the client certificate file resides on the server along with the filename.

Username field

User name for your remote server.

Password field

Password for your remote server.

Download Client Certificate button

Allows you to download the client certificate.

Table 27. Local
Name Description

Local button

Select this option when you want to download the client certificate from your local machine.

Click Browse and navigate to the client certificate that you want to download.

Download Client Certificate button

Allows you to download the client certificate.

Table 28. Paste
Name Description

Paste field

Opens a text box that allows you to copy the entire content of the client certificate and paste it in the Paste Client Certificate Content text field.

Download Client Certificate button

Allows you to download the client certificate.


Client Certificate

Exporting a Client Certificate

Procedure


Step 1

From the Apps drop-down list, select Administration.

Step 2

In the Navigation pane, click the Security Management menu.

Step 3

From the Security Management menu, select Secure Key Management.

Step 4

From the Actions drop-down list, select Export Client Certificate.

Step 5

In the Export Client Certificate dialog box, use one of the following methods to export the client certificate:

Table 29. Remote
Name Description

Remote button

Select this option when you want to export the client certificate to a remote location.

Server IP/Hostname

Server to which you want to export the client certificate.

Upload Protocol button

Select one of the following protocols.

  • TFTP

  • FTP

  • SCP

  • SFTP

  • HTTP

Note

If you select FTP, SCP or SFTP, you will be prompted to enter your username and password.

Path and Filename field

File path where the client certificate file resides on the server along with the filename.

Username field

User name for your remote server.

Password field

Password for your remote server.

Export Client Certificate button

Allows you to export the client certificate.

Table 30. Local
Name Description

Local button

Select this option when you want to export the client certificate from your local machine.

Click Browse and navigate to the client certificate that you want to export.

Export Client Certificate button

Allows you to export the client certificate.


Deleting a Client Certificate

Procedure


Step 1

From the Apps drop-down list, select Administration.

Step 2

In the Navigation pane, click the Security Management menu.

Step 3

From the Security Management menu, select Secure Key Management.

Step 4

From the Actions drop-down list, select Delete Client Certificate.

Step 5

Click OK to confirm.


Downloading a Client Private Key

Procedure


Step 1

In the Navigation pane, click the Admin menu.

Step 2

In the Admin menu, click Security Management.

Step 3

In the Security Management pane, click Secure Key Management.

Step 4

In the Actions area of the Secure Key Management tab, click Download Client Private Key.

Step 5

In the Download Client Private Key dialog box, complete these fields:

Name Description

Download From Remote Location radio button

Selecting this option allows you to choose the private key from a remote location and download it. Enter the following details:
    • TFTP Server

    • FTP Server

    • SFTP Server

    • SCP Server

    • HTTP Server

    Note

    If you chose SCP or SFTP as the remote server type while performing this action, a pop-up window is displayed with the message Server (RSA) key fingerprint is <server_finger_print _ID> Do you wish to continue?. Click Yes or No depending on the authenticity of the server fingerprint.

    The fingerprint is based on the host's public key and helps you to identify or verify the host you are connecting to.

  • Server IP/Hostname field — The IP address or hostname of the server on which the client private key should be stored. Depending on the setting in the Download Certificate From drop-down list, the name of the field may vary.

  • Path and Filename field — The path and filename to use when downloading the file from the remote server.

  • Username field — The username the system should use to log in to the remote server. This field does not apply if the protocol is TFTP or HTTP.

  • Password field — The password for the remote server username. This field does not apply if the protocol is TFTP or HTTP.

Download Through Browser Client radio button

Selecting this option allows you to navigate to the private key stored on a drive that is local to the computer running the Cisco IMC GUI.

When you select this option, Cisco IMC GUI displays a Browse button that lets you navigate to the file you want to import.

Paste Content radio button

Selecting this option allows you to copy the entire content of the signed private key and paste it in the Paste Private Key Content text field.


Client Private Key

Downloading a Client Private Key

Procedure


Step 1

From the Apps drop-down list, select Administration.

Step 2

In the Navigation pane, click the Security Management menu.

Step 3

From the Security Management menu, select Secure Key Management.

Step 4

From the Actions drop-down list, select Download Client Private Key.

Step 5

In the Download Client Private Key dialog box, update the following properties:

Table 31. Remote
Name Description

Remote button

Select this option when you want to download the client private key from a remote location.

Server IP/Hostname

Server details from where you want to download the client private key.

Upload Protocol button

Select one of the following protocols.

  • TFTP

  • FTP

  • SCP

  • SFTP

  • HTTP

Note

If you select FTP, SCP or SFTP, you will be prompted to enter your username and password.

Path and Filename field

File path where the client private key file resides on the server along with the filename.

Username field

User name for your remote server.

Password field

Password for your remote server.

Download Client Private Key button

Allows you to download the client private key.

Table 32. Local
Name Description

Local button

Select this option when you want to download the client private key from your local machine.

Click Browse and navigate to the client private key that you want to download.

Download Client Private Key button

Allows you to download the client private key.

Table 33. Paste
Name Description

Paste field

Opens a text box that allows you to copy the entire content of the client private key and paste it in the Download Client Private Key text field.

Download Client Private Key button

Allows you to download the client private key.


Deleting a Client Private Key

Procedure


Step 1

From the Apps drop-down list, select Administration.

Step 2

In the Navigation pane, click the Security Management menu.

Step 3

From the Security Management menu, select Secure Key Management.

Step 4

From the Actions drop-down list, select Delete Client Private Key.

Step 5

Click OK to confirm.


Testing the KMIP Server Connection

Procedure


Step 1

From the Apps drop-down list, select Administration.

Step 2

In the Navigation pane, click the Security Management menu.

Step 3

From the Security Management menu, select Secure Key Management.

Step 4

In the KMIP Servers area, select a row by checking the check box and click Test Connection.

Step 5

If the connection is successful, a success message is displayed.


Restoring the KMIP Server to Default Settings

Procedure


Step 1

From the Apps drop-down list, select Administration.

Step 2

In the Navigation pane, click the Security Management menu.

Step 3

From the Security Management menu, select Secure Key Management.

Step 4

In the KMIP Servers area, select a row by checking the check box and click Delete.

Step 5

At the prompt, click OK.

This restores the KMIP server to its default settings.


Deleting KMIP Login Details

Procedure


Step 1

From the Apps drop-down list, select Administration.

Step 2

In the Navigation pane, click the Security Management menu.

Step 3

From the Security Management menu, select Secure Key Management.

Step 4

From the Actions drop-down list, select Delete KMIP Login.

Step 5

Click OK to confirm.


FIPS 140-2 Compliance in Cisco IMC

The Federal Information Processing Standard (FIPS) Publication 140-2 (FIPS PUB 140-2) is a U.S. government computer security standard used to approve cryptographic modules. Prior to the 3.1(3) release, the Rack Cisco IMC was not FIPS compliant per the NIST guideline: it did not use FIPS 140-2 approved cryptographic algorithms and modules. With this release, all CIMC services use the Cisco FIPS Object Module (FOM), which provides a FIPS 140-2 compliant cryptographic module.

The Cisco FIPS Object Module is a software library that provides cryptographic services to a vast array of Cisco's networking and collaboration products. The module provides FIPS 140 validated cryptographic algorithms and KDF functionality for services such as IPSec (IKE), SRTP, SSH, TLS, and SNMP.

Enabling Security Configuration

Before you begin

You must log in with admin privileges to perform this task.

Procedure


Step 1

From the Apps drop-down list, select Administration.

Step 2

In the Navigation pane, click the Security Management menu.

Step 3

From the Security Management menu, select Security Configuration.

Step 4

In the Federal Information Processing Standard Configuration (FIPS) and Common Criteria (CC) Configuration pane, toggle the Enable FIPS button.

Note

Switching FIPS or CC mode restarts the SSH, KVM, SNMP, web server, XML API, and Redfish services. You are prompted to continue; click OK to proceed or Cancel to abort.

Enabling Security Configuration (FIPS)

Before you begin

You must be logged in as an admin to perform this procedure.


Note


If Configured TLS Version is set to Custom, then you cannot enable FIPS.


Procedure


Step 1

From the Apps drop-down list, select Administration.

Step 2

In the Navigation pane, click the Security Management menu.

Step 3

From the Security Management menu, select Security Configuration.

Step 4

In the Federal Information Processing Standard Configuration (FIPS) and Common Criteria (CC) Configuration pane, toggle the Enable CC button.

Step 5

Click Save.

Note

When you enable FIPS, the SNMP configuration is affected as follows:
  • The community string configuration for SNMPv2, and SNMPv3 users configured with the noAuthNoPriv or authNoPriv security level, are disabled.

  • Traps configured for SNMPv2, or for SNMPv3 users with the noAuthNoPriv security level, are disabled.

  • The MD5 authentication type and the DES privacy type are disabled.

  • Only FIPS-compliant ciphers are allowed for SSH, web server, and KVM connections.