Configuring Communication Services
This chapter includes the following sections:
- Communication Services
- Configuring CIM-XML
- Configuring HTTP
- Configuring HTTPS
- Configuring SNMP
- Enabling Telnet
- Disabling Communication Services
Communication Services
You can use the following communication services to interface third-party applications with Cisco UCS:
Configuring CIM-XML
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | On the Admin tab, expand . |
Step 3 | Select the Communication Services tab. |
Step 4 | In the CIM-XML area, click the enabled radio button. The CIM-XML area expands to display the available configuration options. |
Step 5 | (Optional) In the Port field, change the default port that Cisco UCS Manager GUI uses for CIM-XML. The default port is 5988. |
Step 6 | Click Save Changes. |
Configuring HTTP
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | On the Admin tab, expand . |
Step 3 | Click the Communication Services tab. |
Step 4 | In the HTTP area, click the enabled radio button. The HTTP area expands to display the available configuration options. |
Step 5 | (Optional) In the Port field, change the default port that Cisco UCS Manager GUI uses for HTTP. The default port is 80. |
Step 6 | (Optional) In the Redirect HTTP to HTTPS field, click the enabled radio button. You must also configure and enable HTTPS to enable redirection of HTTP logins to the HTTPS login. Once enabled, you cannot disable the redirection until you have disabled HTTPS. |
Step 7 | Click Save Changes. |
Configuring HTTPS
Certificates, Key Rings, and Trusted Points
HTTPS uses components of the Public Key Infrastructure (PKI) to establish secure communications between two devices, such as a client's browser and Cisco UCS Manager.
Encryption Keys and Key Rings
Each PKI device holds a pair of asymmetric Rivest-Shamir-Adleman (RSA) encryption keys, one kept private and one made public, stored in an internal key ring. A message encrypted with either key can be decrypted with the other key. To send an encrypted message, the sender encrypts the message with the receiver's public key, and the receiver decrypts the message using its own private key. A sender can also prove its ownership of a public key by encrypting (also called 'signing') a known message with its own private key. If a receiver can successfully decrypt the message using the public key in question, the sender's possession of the corresponding private key is proven. Encryption keys can vary in length, with typical lengths from 512 bits to 2048 bits. In general, a longer key is more secure than a shorter key. Cisco UCS Manager provides a default key ring with an initial 1024-bit key pair, and allows you to create additional key rings.
The default key ring certificate must be manually regenerated if the cluster name changes or the certificate expires.
This operation is only available in the UCS Manager CLI.
Certificates
To prepare for secure communications, two devices first exchange their digital certificates. A certificate is a file containing a device's public key along with signed information about the device's identity. To merely support encrypted communications, a device can generate its own key pair and its own self-signed certificate. When a remote user connects to a device that presents a self-signed certificate, the user has no easy method to verify the identity of the device, and the user's browser will initially display an authentication warning. By default, Cisco UCS Manager contains a built-in self-signed certificate containing the public key from the default key ring.
Trusted Points
To provide stronger authentication for Cisco UCS Manager, you can obtain and install a third-party certificate from a trusted source, or trusted point, that affirms the identity of your device. The third-party certificate is signed by the issuing trusted point, which can be a root certificate authority (CA) or an intermediate CA or trust anchor that is part of a trust chain that leads to a root CA. To obtain a new certificate, you must generate a certificate request through Cisco UCS Manager and submit the request to a trusted point.
The certificate must be in Base64-encoded X.509 (CER) format.
Creating a Key Ring
Cisco UCS Manager supports a maximum of 8 key rings, including the default key ring.
What to Do Next
Create a certificate request for this key ring.
Creating a Certificate Request for a Key Ring
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | On the Admin tab, expand . |
Step 3 | Click the key ring for which you want to create a certificate request. |
Step 4 | In the Work pane, click the General tab. |
Step 5 | In the General tab, click Create Certificate Request. |
Step 6 | In the Create Certificate Request dialog box, complete the following fields: |
Step 7 | Click OK. |
Step 8 | Copy the text of the certificate request out of the Request field and save it in a file. |
Step 9 | Send the file with the certificate request to the trust anchor or certificate authority. |
What to Do Next
Create a trusted point and set the certificate chain for the certificate of trust received from the trust anchor.
Creating a Trusted Point
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | On the Admin tab, expand . |
Step 3 | Right-click Key Management and choose Create Trusted Point. |
Step 4 | In the Create Trusted Point dialog box, complete the following fields: |
Step 5 | Click OK. |
What to Do Next
When you receive the certificate from the trust anchor or certificate authority, import it into the key ring.
Importing a Certificate into a Key Ring
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | On the Admin tab, expand . |
Step 3 | Click the key ring into which you want to import the certificate. |
Step 4 | In the Work pane, click the General tab. |
Step 5 | In the Certificate area, complete the following fields: |
Step 6 | Click Save Changes. |
What to Do Next
Configure your HTTPS service with the key ring.
Configuring HTTPS
Caution | After you complete the HTTPS configuration, including changing the port and key ring to be used by HTTPS, all current HTTP and HTTPS sessions are closed without warning as soon as you save or commit the transaction. |
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | On the Admin tab, expand . |
Step 3 | Select the Communication Services tab. |
Step 4 | In the HTTPS area, click the enabled radio button. The HTTPS area expands to display the available configuration options. |
Step 5 | Complete the following fields: |
Step 6 | Click Save Changes. |
Deleting a Key Ring
Deleting a Trusted Point
Ensure that the trusted point is not used by a key ring.
Configuring SNMP
Information about SNMP
The Simple Network Management Protocol (SNMP) is an application-layer protocol that provides a message format for communication between SNMP managers and agents. SNMP provides a standardized framework and a common language used for the monitoring and management of devices in a network.
- SNMP Functional Overview
- SNMP Notifications
- SNMP Security Levels and Privileges
- Supported Combinations of SNMP Security Models and Levels
- SNMPv3 Security Features
SNMP Functional Overview
The SNMP framework consists of three parts:
- An SNMP manager—The system used to control and monitor the activities of network devices using SNMP.
- An SNMP agent—The software component within Cisco UCS, the managed device, that maintains the data for Cisco UCS and reports the data, as needed, to the SNMP manager. Cisco UCS includes the agent and a collection of MIBs. To enable the SNMP agent and create the relationship between the manager and agent, enable and configure SNMP in Cisco UCS Manager.
- A managed information base (MIB)—The collection of managed objects on the SNMP agent. Cisco UCS release 1.4(1) and higher support a larger number of MIBs than earlier releases.
Cisco UCS supports SNMPv1, SNMPv2c and SNMPv3. Both SNMPv1 and SNMPv2c use a community-based form of security. SNMP is defined in the following:
- RFC 3410 (http://tools.ietf.org/html/rfc3410)
- RFC 3411 (http://tools.ietf.org/html/rfc3411)
- RFC 3412 (http://tools.ietf.org/html/rfc3412)
- RFC 3413 (http://tools.ietf.org/html/rfc3413)
- RFC 3414 (http://tools.ietf.org/html/rfc3414)
- RFC 3415 (http://tools.ietf.org/html/rfc3415)
- RFC 3416 (http://tools.ietf.org/html/rfc3416)
- RFC 3417 (http://tools.ietf.org/html/rfc3417)
- RFC 3418 (http://tools.ietf.org/html/rfc3418)
- RFC 3584 (http://tools.ietf.org/html/rfc3584)
SNMP Notifications
A key feature of SNMP is the ability to generate notifications from an SNMP agent. These notifications do not require that requests be sent from the SNMP manager. Notifications can indicate improper user authentication, restarts, the closing of a connection, loss of connection to a neighbor router, or other significant events.
Cisco UCS Manager generates SNMP notifications as either traps or informs. Traps are less reliable than informs because the SNMP manager does not send any acknowledgment when it receives a trap, and Cisco UCS Manager cannot determine if the trap was received. An SNMP manager that receives an inform request acknowledges the message with an SNMP response protocol data unit (PDU). If the Cisco UCS Manager does not receive the PDU, it can send the inform request again.
SNMP Security Levels and Privileges
SNMPv1, SNMPv2c, and SNMPv3 each represent a different security model. The security model combines with the selected security level to determine the security mechanism applied when the SNMP message is processed.
The security level determines the privileges required to view the message associated with an SNMP trap. The privilege level determines whether the message needs to be protected from disclosure or authenticated. The supported security level depends upon which security model is implemented. SNMP security levels support one or more of the following privileges:
- noAuthNoPriv—No authentication or encryption
- authNoPriv—Authentication but no encryption
- authPriv—Authentication and encryption
SNMPv3 provides for both security models and security levels. A security model is an authentication strategy that is set up for a user and the role in which the user resides. A security level is the permitted level of security within a security model. A combination of a security model and a security level determines which security mechanism is employed when handling an SNMP packet.
Supported Combinations of SNMP Security Models and Levels
The following table identifies what the combinations of security models and levels mean.
| Model | Level | Authentication | Encryption | What Happens |
|---|---|---|---|---|
| v1 | noAuthNoPriv | Community string | No | Uses a community string match for authentication. |
| v2c | noAuthNoPriv | Community string | No | Uses a community string match for authentication. |
| v3 | noAuthNoPriv | Username | No | Uses a username match for authentication. |
| v3 | authNoPriv | HMAC-MD5 or HMAC-SHA | No | Provides authentication based on the Hash-Based Message Authentication Code (HMAC) Message Digest 5 (MD5) algorithm or the HMAC Secure Hash Algorithm (SHA). |
| v3 | authPriv | HMAC-MD5 or HMAC-SHA | DES | Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms. Provides Data Encryption Standard (DES) 56-bit encryption in addition to authentication based on the Cipher Block Chaining (CBC) DES (DES-56) standard. |
SNMPv3 Security Features
SNMPv3 provides secure access to devices by a combination of authenticating and encrypting frames over the network. SNMPv3 authorizes management operations only by configured users and encrypts SNMP messages. The SNMPv3 User-Based Security Model (USM) refers to SNMP message-level security and offers the following services:
- Message integrity—Ensures that messages have not been altered or destroyed in an unauthorized manner and that data sequences have not been altered to an extent greater than can occur non-maliciously.
- Message origin authentication—Ensures that the claimed identity of the user on whose behalf received data was originated is confirmed.
- Message confidentiality and encryption—Ensures that information is not made available or disclosed to unauthorized individuals, entities, or processes.
SNMP Support in Cisco UCS
Cisco UCS provides the following support for SNMP:
Support for MIBs
Cisco UCS supports read-only access to MIBs.
For information about the specific MIBs available for Cisco UCS and where you can obtain them, see the MIB Quick Reference for Cisco UCS.
Authentication Protocols for SNMPv3 Users
Cisco UCS supports the following authentication protocols for SNMPv3 users:
AES Privacy Protocol for SNMPv3 Users
Cisco UCS uses Advanced Encryption Standard (AES) as one of the privacy protocols for SNMPv3 message encryption and conforms with RFC 3826.
The privacy password, or priv option, offers a choice of DES or 128-bit AES encryption for SNMP security encryption. If you enable AES-128 configuration and include a privacy password for an SNMPv3 user, Cisco UCS Manager uses the privacy password to generate a 128-bit AES key. The AES privacy password can have a minimum of eight characters. If the passphrases are specified in clear text, you can specify a maximum of 64 characters.
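As an added example that is not part of the Cisco guide, the following Python implements the RFC 3414 password-to-key algorithm behind the USM integrity and origin-authentication services described above and the AES privacy key derivation this section mentions: the password is expanded and hashed, then localized with the agent's engine ID, and per RFC 3826 the AES-128 key is the first 128 bits of that localized key. The engine ID and password in the self-check are the RFC 3414 appendix A.3 test vector; the second engine ID and the message bytes are constructed for illustration.

```python
import hashlib
import hmac

# RFC 3414 appendix A.2: the password is repeated to fill 1,048,576 octets before hashing.
PASSWORD_EXPANSION_OCTETS = 1_048_576
MIN_PASSWORD_CHARS = 8  # minimum length this guide states for the UCS privacy password


def password_to_key(password: str, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """Return the localized key Kul for one user on one authoritative SNMP engine.

    Step 1 hashes the expanded password into the engine-independent key Ku; step 2
    binds Ku to the agent's engine ID, so the same password yields a different key on
    every agent. hash_name is "md5" for HMAC-MD5 users and "sha1" for HMAC-SHA users.
    """
    if len(password) < MIN_PASSWORD_CHARS:
        raise ValueError("SNMPv3 password must be at least 8 characters")
    pw = password.encode("ascii")
    expanded = (pw * (PASSWORD_EXPANSION_OCTETS // len(pw) + 1))[:PASSWORD_EXPANSION_OCTETS]
    ku = hashlib.new(hash_name, expanded).digest()
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def aes128_priv_key(localized_key: bytes) -> bytes:
    """RFC 3826 section 3.1.2.1: the AES-128 privacy key is the first 128 bits of Kul."""
    return localized_key[:16]


def usm_auth_params(localized_key: bytes, wholemsg: bytes, hash_name: str = "sha1") -> bytes:
    """msgAuthenticationParameters: HMAC over the serialized message, truncated to 96 bits.

    The caller passes the message with its 12-octet msgAuthenticationParameters field
    already zero-filled, as the USM requires.
    """
    return hmac.new(localized_key, wholemsg, hash_name).digest()[:12]


def verify_auth_params(localized_key: bytes, wholemsg: bytes, received: bytes,
                       hash_name: str = "sha1") -> bool:
    """Constant-time check of a received tag (message integrity plus origin authentication)."""
    return hmac.compare_digest(usm_auth_params(localized_key, wholemsg, hash_name), received)


if __name__ == "__main__":
    # RFC 3414 appendix A.3 vector: password "maplesyrup", 12-octet engine ID ending in 02.
    engine_a = bytes.fromhex("000000000000000000000002")
    engine_b = bytes.fromhex("000000000000000000000003")  # constructed second agent
    kul = password_to_key("maplesyrup", engine_a, "sha1")
    print("Kul (SHA):", kul.hex())  # 6695febc9288e36282235fc7151f128497b38f3f
    print("AES-128 key:", aes128_priv_key(kul).hex())
    print("key differs per engine:", kul != password_to_key("maplesyrup", engine_b, "sha1"))
```

Both the authentication key and the AES key are derived from nothing but the passphrase and the engine ID, which is why the eight-character minimum, and choosing AES over DES, matter for the strength of every SNMPv3 session.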
Enabling SNMP and Configuring SNMP Properties
SNMP messages from a Cisco UCS domain display the fabric interconnect name rather than the system name.
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | On the Admin tab, expand . |
Step 3 | Select the Communication Services tab. |
Step 4 | In the SNMP area, complete the following fields: |
Step 5 | Click Save Changes. |
What to Do Next
Create SNMP traps and users.
Creating an SNMP Trap
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | On the Admin tab, expand . |
Step 3 | Select the Communication Services tab. |
Step 4 | In the SNMP Traps area, click +. |
Step 5 | In the Create SNMP Trap dialog box, complete the following fields: |
Step 6 | Click OK. |
Step 7 | Click Save Changes. |
Deleting an SNMP Trap
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | On the Admin tab, expand . |
Step 3 | Select the Communication Services tab. |
Step 4 | In the SNMP Traps area, click the row in the table that corresponds to the trap you want to delete. |
Step 5 | Click the Delete icon to the right of the table. |
Step 6 | If the Cisco UCS Manager GUI displays a confirmation dialog box, click Yes. |
Step 7 | Click Save Changes. |
Creating an SNMPv3 User
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | On the Admin tab, expand . |
Step 3 | Select the Communication Services tab. |
Step 4 | In the SNMP Users area, click +. |
Step 5 | In the Create SNMP User dialog box, complete the following fields: |
Step 6 | Click OK. |
Step 7 | Click Save Changes. |
Deleting an SNMPv3 User
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | On the Admin tab, expand . |
Step 3 | Select the Communication Services tab. |
Step 4 | In the SNMP Users area, click the row in the table that corresponds to the user you want to delete. |
Step 5 | Click the Delete icon to the right of the table. |
Step 6 | If the Cisco UCS Manager GUI displays a confirmation dialog box, click Yes. |
Step 7 | Click Save Changes. |
Enabling Telnet
Disabling Communication Services
Note | We recommend that you disable all communication services that are not required to interface with other network applications. |