You can use the following communication services to interface third-party applications with Cisco UCS:
Communication Service
Description
CIM XML
This service is disabled by default and is only available in read-only mode. The default port is 5988.
This common information model is one of the standards defined by the Distributed Management Task Force.
HTTP
This service is enabled on port 80 by default.
You must enable either HTTP or HTTPS to run Cisco UCS Manager GUI. If you select HTTP, all data is exchanged in clear text mode.
For security purposes, we recommend that you enable HTTPS and disable HTTP.
By default, Cisco UCS redirects any attempt to communicate via HTTP to the HTTPS equivalent. We recommend that you do not change this behavior.
Note
If you are upgrading to Cisco UCS, version 1.4(1), this does not happen by default. If you want to redirect any attempt to communicate via HTTP to an HTTPS equivalent, you should enable Redirect HTTP to HTTPS in Cisco UCS Manager.
HTTPS
This service is enabled on port 443 by default.
With HTTPS, all data is exchanged in encrypted mode through a secure server.
For security purposes, we recommend that you only use HTTPS and
either disable or redirect HTTP communications.
SMASH CLP
This service is enabled for read-only access and supports a limited subset of the protocols, such as the show command. You cannot disable it.
This shell service is one of the standards defined by the Distributed Management Task Force.
SNMP
This service is disabled by default. If enabled, the default port is 161. You must configure the community and at least one SNMP trap.
Enable this service only if your system includes integration with an SNMP server.
SSH
This service is enabled on port 22. You cannot disable it, nor can you change the default port.
This service provides access to the Cisco UCS Manager CLI.
Telnet
This service is disabled by default.
This service provides access to the Cisco UCS Manager CLI.
Configuring CIM XML
Procedure
Command or Action
Purpose
Step 1
UCS-A# scope system
Enters system mode.
Step 2
UCS-A /system # scope services
Enters system services mode.
Step 3
UCS-A /system/services # enable cimxml
Enables the CIM XLM service.
Step 4
UCS-A /system/services # set cimxml portport-num
Specifies the port to be used for the CIM XML connection.
Step 5
UCS-A /system/services # commit-buffer
Commits the transaction to the system configuration.
The following example enables CIM XML, sets the port number to 5988, and commits the transaction:
UCS-A# scope system
UCS-A /system # scope services
UCS-A /system/services # enable cimxml
UCS-A /system/services* # set cimxml port 5988
UCS-A /system/services* # commit-buffer
UCS-A /system/services #
Configuring HTTP
Procedure
Command or Action
Purpose
Step 1
UCS-A# scope system
Enters system mode.
Step 2
UCS-A /system # scope services
Enters system services mode.
Step 3
UCS-A /system/services # enable http
Enables the HTTP service.
Step 4
UCS-A /system/services # set http portport-num
Specifies the port to be used for the HTTP connection.
Step 5
UCS-A /system/services # commit-buffer
Commits the transaction to the system configuration.
The following example enables HTTP, sets the port number to 80, and commits the transaction:
UCS-A# scope system
UCS-A /system # scope services
UCS-A /system/services # enable http
UCS-A /system/services* # set http port 80
Warning: When committed, this closes all the web sessions.
UCS-A /system/services* # commit-buffer
UCS-A /system/services #
Unconfiguring HTTP
Procedure
Command or Action
Purpose
Step 1
UCS-A# scope system
Enters system mode.
Step 2
UCS-A /system # scope services
Enters system services mode.
Step 3
UCS-A /system/services # disable http
Disables the HTTP service.
Step 4
UCS-A /system/services # commit-buffer
Commits the transaction to the system configuration.
The following example disables HTTP and commits the transaction:
HTTPS uses components of the Public Key Infrastructure (PKI) to establish secure communications between two devices, such as a client's browser and Cisco UCS Manager.
Encryption Keys and Key Rings
Each PKI device holds a pair of asymmetric Rivest-Shamir-Adleman (RSA) encryption keys, one kept private and one made public, stored in an internal key ring. A message encrypted with either key can be decrypted with the other key. To send an encrypted message, the sender encrypts the message with the receiver's public key, and the receiver decrypts the message using its own private key. A sender can also prove its ownership of a public key by encrypting (also called 'signing') a known message with its own private key. If a receiver can successfully decrypt the message using the public key in question, the sender's possession of the corresponding private key is proven. Encryption keys can vary in length, with typical lengths from 512 bits to 2048 bits. In general, a longer key is more secure than a shorter key. Cisco UCS Manager provides a default key ring with an initial 1024-bit key pair, and allows you to create additional key rings.
Certificates
To prepare for secure communications, two devices first exchange their digital certificates. A certificate is a file containing a device's public key along with signed information about the device's identity. To merely support encrypted communications, a device can generate its own key pair and its own self-signed certificate. When a remote user connects to a device that presents a self-signed certificate, the user has no easy method to verify the identity of the device, and the user's browser will initially display an authentication warning. By default, Cisco UCS Manager contains a built-in self-signed certificate containing the public key from the default key ring.
Trusted Points
To provide stronger authentication for Cisco UCS Manager, you can obtain and install a third-party certificate from a trusted source, or trusted point, that affirms the identity of your device. The third-party certificate is signed by the issuing trusted point, which can be a root certificate authority (CA) or an intermediate CA or trust anchor that is part of a trust chain that leads to a root CA. To obtain a new certificate, you must generate a certificate request through Cisco UCS Manager and submit the request to a trusted point.
Creating a Key Ring
Cisco UCS Manager supports a maximum of 8 key rings, including the default key ring.
Creates a certificate request using the IP address or name of the fabric interconnect. You are prompted to enter a password for the certificate request.
Step 4
UCS-A /security/keyring #
commit-buffer
Commits the transaction.
Step 5
UCS-A /security/keyring #
showcertreq
Displays the certificate request, which you can copy and send to a trust anchor or certificate authority.
The following example creates and displays a certificate request for a key ring:
Copy the text of the certificate request, including the BEGIN and END lines, and save it in a file.
Send the file with the certificate request to a trust anchor or certificate authority to obtain a certificate for the key ring.
Create a trusted point and set the certificate chain for the
certificate of trust received from the trust anchor.
Specifies certificate information for this trusted point.
If you do not specify certificate information in the command, you are prompted to enter a certificate or a list of trustpoints defining a certification path to the root certificate authority (CA). On the next line following your input, type ENDOFBUF to finish.
Step 4
UCS-A /security/trustpoint #
commit-buffer
Commits the transaction.
The following example creates a trusted point and provides a certificate for the trusted point:
Obtain a key ring certificate from the trust anchor or certificate
authority and import it into the key ring.
Importing a Certificate into a Key Ring
Before You Begin
Configure a trusted point that contains the certificate chain for the key ring certificate.
Obtain a key ring certificate from a trust anchor or certificate authority.
Procedure
Command or Action
Purpose
Step 1
UCS-A#
scopesecurity
Enters security mode.
Step 2
UCS-A /security #
scopekeyringkeyring-name
Enters configuration mode for the key ring that will receive the certificate.
Step 3
UCS-A /security/keyring #
settrustpointname
Specifies the trusted point for the trust anchor or certificate authority from which the key ring certificate was obtained.
Step 4
UCS-A /security/keyring #
setcert
Launches a dialog for entering and uploading the key ring certificate.
At the prompt, paste the certificate text that you received from the trust anchor or certificate authority. On the next line following the certificate, type ENDOFBUF to complete the certificate input.
Step 5
UCS-A /security/keyring #
commit-buffer
Commits the transaction.
The following example specifies the trust point and imports a certificate into a key ring:
UCS-A# scope security
UCS-A /security # scope keyring kr220
UCS-A /security/keyring # set trustpoint tPoint10
UCS-A /security/keyring* # set cert
Enter lines one at a time. Enter ENDOFBUF to finish. Press ^C to abort.
Keyring certificate:
> -----BEGIN CERTIFICATE-----
> MIIB/zCCAWgCAQAwgZkxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UE
> BxMMU2FuIEpvc2UsIENBMRUwEwYDVQQKEwxFeGFtcGxlIEluYy4xEzARBgNVBAsT
> ClRlc3QgR3JvdXAxGTAXBgNVBAMTEHRlc3QuZXhhbXBsZS5jb20xHzAdBgkqhkiG
> 9w0BCQEWEHVzZXJAZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
> AoGBAMZw4nTepNIDhVzb0j7Z2Je4xAG56zmSHRMQeOGHemdh66u2/XAoLx7YCcYU
> ZgAMivyCsKgb/6CjQtsofvtrmC/eAehuK3/SINv7wd6Vv2pBt6ZpXgD4VBNKONDl
> GMbkPayVlQjbG4MD2dx2+H8EH3LMtdZrgKvPxPTE+bF5wZVNAgMBAAGgJTAjBgkq
> hkiG9w0BCQcxFhMUQSBjaGFsbGVuZ2UgcGFzc3dvcmQwDQYJKoZIhvcNAQEFBQAD
> gYEAG61CaJoJaVMhzCl903O6Mg51zq1zXcz75+VFj2I6rH9asckCld3mkOVx5gJU
> Ptt5CVQpNgNLdvbDPSsXretysOhqHmp9+CLv8FDuy1CDYfuaLtvlWvfhevskV0j6
> mK3Ku+YiORnv6DhxrOoqau8r/hyI/L43l7IPN1HhOi3oha4=
> -----END CERTIFICATE-----
> ENDOFBUF
UCS-A /security/keyring* # commit-buffer
UCS-A /security/keyring #
What to Do Next
Configure your HTTPS service with the key ring.
Configuring HTTPS
Caution
After you complete the HTTPS configuration, including changing the port and key ring to be used by HTTPS, all current HTTP and HTTPS sessions are closed without warning as soon as you save or commit the transaction.
Procedure
Command or Action
Purpose
Step 1
UCS-A# scope system
Enters system mode.
Step 2
UCS-A /system # scope services
Enters system services mode.
Step 3
UCS-A /system/services # enable https
Enables the HTTPS service.
Step 4
UCS-A /system/services # set https portport-num
Specifies the port to be used for the HTTPS connection.
Step 5
UCS-A /system/services # set https keyringkeyring-name
Specifies the name of the key ring you created for HTTPS.
Step 6
UCS-A /system/services # commit-buffer
Commits the transaction to the system configuration.
The following example enables HTTPS, sets the port number to 443, sets the key ring name to kring7984, and commits the transaction:
UCS-A# scope system
UCS-A /system # scope services
UCS-A /system/services # enable https
UCS-A /system/services* # set https port 443
Warning: When committed, this closes all the web sessions.
UCS-A /system/services* # set https keyring kring7984
UCS-A /system/services* # commit-buffer
UCS-A /system/services #
Commits the transaction to the system configuration.
The following example enables HTTP to HTTPS redirection and commits the transaction:
UCS-A# scope system
UCS-A /system # scope services
UCS-A /system/services # enable http-redirect
Warning: When committed, this closes all the web sessions.
UCS-A /system/services* # commit-buffer
UCS-A /system/services #
Configuring SNMP
Information about SNMP
The Simple Network Management Protocol (SNMP) is an application-layer
protocol that provides a message format for communication between SNMP managers
and agents. SNMP provides a standardized framework and a common language used
for the monitoring and management of devices in a network.
An SNMP manager—The system used to control and
monitor the activities of network devices using SNMP.
An SNMP agent—The software component within Cisco UCS, the
managed device, that maintains the data for Cisco UCS and reports the data,
as needed, to the SNMP manager. Cisco UCS includes the agent and a collection of MIBs. To enable the SNMP agent and create the relationship between the manager and agent, enable and configure SNMP in Cisco UCS Manager.
A managed information base (MIB)—The collection
of managed objects on the SNMP agent. Cisco UCS release 1.4(1) and higher support a larger number of MIBs than earlier releases.
Cisco UCS supports SNMPv1, SNMPv2c and SNMPv3. Both SNMPv1 and SNMPv2c use a
community-based form of security.
SNMP is defined in the following:
A key feature of SNMP is the ability to generate notifications from an
SNMP agent. These notifications do not require that requests be sent from the
SNMP manager. Notifications can indicate improper user authentication,
restarts, the closing of a connection, loss of connection to a neighbor router,
or other significant events.
Cisco UCS Manager generates SNMP
notifications as either traps or informs. Traps are less reliable than informs
because the SNMP manager does not send any acknowledgment when it receives a
trap, and Cisco UCS Manager cannot determine if the trap was received. An SNMP manager
that receives an inform request acknowledges the message with an SNMP response
protocol data unit (PDU). If the
Cisco UCS Manager does not receive the PDU, it can send the inform request again.
SNMP Security Levels and Privileges
SNMPv1, SNMPv2c, and SNMPv3 each represent a different security model. The
security model combines with the selected security level to determine the security
mechanism applied when the SNMP message is processed.
The security level determines the privileges required to view the message associated with an SNMP trap. The privilege level determines whether the message needs to be protected
from disclosure or authenticated. The supported security level depends upon which security model is implemented. SNMP security levels support one or more of the following privileges:
noAuthNoPriv—No authentication
or encryption
authNoPriv—Authentication but no encryption
authPriv—Authentication and
encryption
SNMPv3 provides for both security models and security levels. A
security model is an authentication strategy that is set up for a user and the
role in which the user resides. A security level is the permitted level of
security within a security model. A combination of a security model and a
security level determines which security mechanism is employed when handling an
SNMP packet.
Supported Combinations of SNMP Security Models and Levels
The following table identifies what the combinations of security
models and levels mean.
Table 1 SNMP Security Models and Levels
Model
Level
Authentication
Encryption
What Happens
v1
noAuthNoPriv
Community string
No
Uses a community string match for authentication.
v2c
noAuthNoPriv
Community string
No
Uses a community string match for authentication.
v3
noAuthNoPriv
Username
No
Uses a username match for authentication.
v3
authNoPriv
HMAC-MD5 or HMAC-SHA
No
Provides authentication based on the Hash-Based Message
Authentication Code (HMAC) Message Digest 5 (MD5) algorithm or the HMAC Secure
Hash Algorithm (SHA).
v3
authPriv
HMAC-MD5 or HMAC-SHA
DES
Provides authentication based on the HMAC-MD5 or HMAC-SHA
algorithms. Provides Data Encryption Standard (DES) 56-bit encryption in
addition to authentication based on the Cipher Block Chaining (CBC) DES
(DES-56) standard.
SNMPv3 Security Features
SNMPv3 provides secure access to devices by a combination of
authenticating and encrypting frames over the network. SNMPv3 authorizes management operations only by configured users and
encrypts SNMP messages.
The SNMPv3 User-Based Security Model (USM) refers to SNMP message-level security and offers the following services:
Message integrity—Ensures that messages have not been altered or
destroyed in an unauthorized manner and that data sequences have not been
altered to an extent greater than can occur non-maliciously.
Message origin authentication—Ensures that the claimed identity of
the user on whose behalf received data was originated is confirmed.
Message confidentiality and encryption—Ensures that information is not made
available or disclosed to unauthorized individuals, entities, or processes.
SNMP Support in Cisco UCS
Cisco UCS provides the following support for SNMP:
Support for MIBs
Cisco UCS supports read-only access to MIBs.
For information about the specific MIBs available for Cisco UCS and where you can obtain them, see the MIB Quick Reference for Cisco UCS.
Authentication Protocols for SNMPv3 Users
Cisco UCS supports the following authentication
protocols for SNMPv3 users:
HMAC-MD5-96 (MD5)
HMAC-SHA-96 (SHA)
AES Privacy Protocol for SNMPv3 Users
Cisco UCS uses Advanced
Encryption Standard (AES) as one of the privacy protocols for SNMPv3 message
encryption and conforms with RFC 3826.
The
privacy password, or priv option, offers a choice of DES or 128-bit AES
encryption for SNMP security encryption. If you enable AES-128 configuration and include a privacy password for an SNMPv3 user, Cisco UCS Manager uses the privacy password
to generate a 128-bit AES key. The AES privacy password can have a minimum of
eight characters. If the passphrases are specified in clear text, you can
specify a maximum of 64 characters.
Enabling SNMP and Configuring SNMP Properties
SNMP messages from a Cisco UCS instance display the fabric interconnect name rather than the system
name.
Procedure
Command or Action
Purpose
Step 1
UCS-A#
scope monitoring
Enters monitoring mode.
Step 2
UCS-A /monitoring #
enable snmp
Enables SNMP.
Step 3
UCS-A /monitoring #
set snmp communitycommunity-name
Specifies SNMP community. The community name can
be any alphanumeric string up to 32 characters.
Step 4
UCS-A /monitoring #
set snmp syscontactsystem-contact-name
Specifies the system contact person responsible for the SNMP. The system contact name can
be any alphanumeric string up to 255 characters, such as an email address or name and telephone number.
Step 5
UCS-A /monitoring #
set snmp syslocationsystem-location-name
Specifies the location of the host on which the SNMP agent (server) runs. The system location name can
be any alphanumeric string up to 512 characters.
Step 6
UCS-A /monitoring #
commit-buffer
Commits the transaction to the system configuration.
The following example enables SNMP, configures an SNMP community named SnmpCommSystem2, configures a system contact named contactperson, configures a contact location named systemlocation, and commits the transaction:
UCS-A# scope monitoring
UCS-A /monitoring # enable snmp
UCS-A /monitoring* # set snmp community SnmpCommSystem2
UCS-A /monitoring* # set snmp syscontact contactperson1
UCS-A /monitoring* # set snmp syslocation systemlocation
UCS-A /monitoring* # commit-buffer
UCS-A /monitoring #
If you select v3 for the version, the privilege associated with the trap.
This can be:
auth—Authentication but no encryption
noauth—No authentication or encryption
priv—Authentication and encryption
Step 9
UCS-A /monitoring/snmp-trap #
commit-buffer
Commits the transaction to the system configuration.
The following example enables SNMP, creates an SNMP trap, specifies that the trap will use the
SnmpCommSystem2 community on port 2, sets the version to v3, sets the notification type to traps, sets the v3 privilege to priv, and commits the transaction:
UCS-A# scope monitoring
UCS-A /monitoring # enable snmp
UCS-A /monitoring* # create snmp-trap 192.168.100.112
UCS-A /monitoring/snmp-trap* # set community SnmpCommSystem2
UCS-A /monitoring/snmp-trap* # set port 2
UCS-A /monitoring/snmp-trap* # set version v3
UCS-A /monitoring/snmp-trap* # set notificationtype traps
UCS-A /monitoring/snmp-trap* # set v3 privilege priv
UCS-A /monitoring/snmp-trap* # commit-buffer
UCS-A /monitoring/snmp-trap #
An SNMP username cannot be the same as a local username. Choose an SNMP username that does not match a local username.
Step 4
UCS-A /monitoring/snmp-user #
set aes-128 {no |
yes}
Enables or disables the use of AES-128 encryption.
Step 5
UCS-A /monitoring/snmp-user #
set auth {md5 |
sha}
Specifies the use of MD5 or DHA authentication.
Step 6
UCS-A /monitoring/snmp-user #
set password
Specifies the user password.
After you enter the set password command, you are prompted to enter and confirm the password.
Step 7
UCS-A /monitoring/snmp-user #
set priv-password
Specifies the user privacy password.
After you enter the set priv-password command, you are prompted to enter and confirm the privacy password.
Step 8
UCS-A /monitoring/snmp-user #
commit-buffer
Commits the transaction to the system configuration.
The following example enables SNMP, creates an SNMPv3 user named snmp-user14, disables AES-128 encryption, specifies the use of MD5 authentication, sets the password and privacy password, and commits the transaction:
UCS-A# scope monitoring
UCS-A /monitoring # enable snmp
UCS-A /monitoring* # create snmp-user snmp-user14
UCS-A /monitoring/snmp-user* # set aes-128 no
UCS-A /monitoring/snmp-user* # set auth md5
UCS-A /monitoring/snmp-user* # set password
Enter a password:
Confirm the password:
UCS-A /monitoring/snmp-user* # set priv-password
Enter a password:
Confirm the password:
UCS-A /monitoring/snmp-user* # commit-buffer
UCS-A /monitoring/snmp-user #
Deleting an SNMPv3 User
Procedure
Command or Action
Purpose
Step 1
UCS-A#
scope monitoring
Enters monitoring mode.
Step 2
UCS-A /monitoring #
delete snmp-useruser-name
Deletes the specified SNMPv3 user.
Step 3
UCS-A /monitoring #
commit-buffer
Commits the transaction to the system configuration.
The following example deletes the SNMPv3 user named snmp-user14 and commits the transaction: