Establishing Management Security

This chapter describes how to enable management security. Enabling management security is a two-step process. The first step involves generating and loading appropriate authentication keys (SSH) and security certificates (SSL). Optionally a reputable third party such as RSA Security, Inc. or Entrust, Inc. can validate these certificates and keys but for evaluation purposes validation is unnecessary. The second step involves enabling either SSL or SSH and optionally disabling the insecure versions of telnet and web management. Once enabled, subsequent management connections may be made in a secure manner.

Certificate Generation

To generate self-signed credentials, the open source applications ssh-keygen and openssl can be used to create the seven files used to form the security certificates and authentication keys. Both of these applications are well documented by the open source community. Detailed descriptions will not be repeated here as the user can check the man pages for detailed help. Two scripts are included at the end of thischapter along with some helper files. This set of files can be freely modified and used to generate the appropriate self-signed credentials. Generation of these credentials has been verified using both cygwin and Linux.

Once the component files are created, the credentials must be loaded onto the Sun Netra CP3240 switch. This is accomplished using the "copy" command from a tftp server. From privileged EXEC mode, issue the following command:

copy tftp://192.168.77.122/rsa1.key nvram:sshkey-rsa1

where the IP address of the tftp server should be substituted as appropriate. This copy command is repeated for all the authentication components:

The SSL and SSH credentials may be uploaded separately as needed but as it is likely that if security is required for one access method it would be required for all access methods, it is recommended that the certificates and authentication key be created simultaneously.

Configuring Secure Shell

Once the authentication credentials are loaded and the certificates and authentication keys are formed, management security may be configured on the FASTPATH device. From privileged EXEC mode, issue the command:

This will allow secure shell sessions to be instantiated on the Sun Netra CP3240 switch. The message log should be checked for errors if a secure connection cannot be established. Entries such as the following indicate the nature of the problem.

0 days 02:30:30 File: ssh_sys_fastpath.c : Line: 584 : tid 40052584, context 0x0x157dba0, deleting 40052584, retval = 1

0 days 02:30:30 File: ssh_sys_fastpath.c : Line: 401 : SSHD: exiting global context 0x0x157dba0

0 days 02:30:30 File: sshd_main.c : Line: 550 : SSHD: host key is corrupt (did not decode).

In this case, the authentication credentials were invalid and should be regenerated. Messages indicating successful start of the ssh service look like the following example.

0 days 00:17:07 Unit: 1 : File: sshd_main.c : Line: 349 : SSHD: Done generating server key
0 days 00:17:06 Unit: 1 : File: sshd_main.c : Line: 639 : SSHD: successfully loaded RSA2 key
0 days 00:17:06 Unit: 1 : File: sshd_main.c : Line: 627 : SSHD: successfully opened file ssh_host_rsa_key
0 days 00:17:06 Unit: 1 : File: sshd_main.c : Line: 605 : SSHD: successfully loaded DSA key
0 days 00:17:06 Unit: 1 : File: sshd_main.c : Line: 592 : SSHD: successfully opened file ssh_host_dsa_key
0 days 00:17:06 Unit: 1 : File: sshd_control.c : Line: 400 : SSHD: sshdListenTask started

lineconfig
no transport input telnet

Configuring Secure Socket Layer

Optionally or in concert with SSH, SSL may be enabled. Once again the message log is the best source of feedback for problem determination. To enable SSL, issue the privileged EXEC mode command:

ip http secure-server

Success may be determined by attempting secure web access using https. Once again, consult the message log for failure information. Valid certificates are indicated by a message log entry that looks like the following:

0 days 01:25:29 Unit: 1 : File: sslt_util.c : Line: 303 : SSLT: Successfully loaded all required SSL PEM files

Certificate information may be accessed using browser-specific methods. With Internet Explorer, the lock icon along the bottom message line can be checked for certificate details. Additionally, when connecting to a Sun Netra CP3240 switch that uses self-generated credentials, Explorer will warn the user about the authenticity of the certificate. When secure certificates are acquired from a third party this warning will no longer occur. Insecure web sessions may be prevented by disabling the http server using the privileged EXEC mode command:

no ip http server

As with secure shell, the best guide for information on FASTPATH commands controlling http and https access is the Sun Netra CP3240 Switch Software Reference Manual (820-3253).

Using Certificate Generation Scripts

The following four scripts and helper files can be used to generate self-signed certificates and authentication keys.

SSH sshKeygen.sh

CODE EXAMPLE 4-1 SSH sshKeygen.sh Example
#!/bin/sh ##################################################################### # # Generate key files for rsa and dsa # ##################################################################### # RSA V1 /usr/bin/ssh-keygen -q -t rsa1 -f rsa1.key -C '' -N '' # RSA V2 /usr/bin/ssh-keygen -q -t rsa -f rsa2.key -C '' -N '' # DSA for V2 /usr/bin/ssh-keygen -q -t dsa -f dsa.key -C '' -N ''

CODE EXAMPLE 4-1 SSH sshKeygen.sh Example


#!/bin/sh
#####################################################################
#
# Generate key files for rsa and dsa
#
#####################################################################
# RSA V1
/usr/bin/ssh-keygen -q -t rsa1 -f rsa1.key -C '' -N ''
# RSA V2
/usr/bin/ssh-keygen -q -t rsa -f rsa2.key -C '' -N ''
# DSA for V2
/usr/bin/ssh-keygen -q -t dsa -f dsa.key -C '' -N ''

SSL pemCreate.sh

CODE EXAMPLE 4-2 SSL pemCreate.sh Example
#!/bin/sh # Ensure that OpenSSL is installed and set the location correctly OPENSSL=/usr/bin/openssl # Set the password to something unique PASSWORD=FASTPATH # Set the number of days the certs will be valid for VALID_NUM_DAYS=3650 ##################################################################### # # Generate the Self Signed Trusted Root Certification Authority (CA) and # Private Key # ##################################################################### ${OPENSSL} req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem -config root.cnf -passout pass:${PASSWORD} ${OPENSSL} x509 -req -days ${VALID_NUM_DAYS} -in rootreq.pem -sha1 -extfile root.cnf -extensions certificate_extensions -signkey rootkey.pem -out rootcert.pem -passin pass:${PASSWORD} cat rootcert.pem rootkey.pem > root.pem rm rootkey.pem rootreq.pem ##################################################################### # # Generate the Trusted Server Certificate signed by the Root CA # ##################################################################### ${OPENSSL} req -newkey rsa:1024 -sha1 -keyout serverkey.pem -nodes -out serverreq.pem -config server.cnf -reqexts req_extensions -passout pass:${PASSWORD} ${OPENSSL} x509 -req -days ${VALID_NUM_DAYS} -in serverreq.pem -sha1 -extfile server.cnf -extensions certificate_extensions -CA root.pem -CAkey root.pem -CAcreateserial -out servercert.pem -passin pass:${PASSWORD} cat servercert.pem serverkey.pem rootcert.pem > server.pem rm root.pem root.srl serverkey.pem servercert.pem serverreq.pem ##################################################################### # # Generate the Diffie-Hellman weak and strong parameters # ##################################################################### ${OPENSSL} dhparam -check -text -5 512 -out dh512.pem ${OPENSSL} dhparam -check -text -5 1024 -out dh1024.pem

CODE EXAMPLE 4-2 SSL pemCreate.sh Example

#!/bin/sh
# Ensure that OpenSSL is installed and set the location correctly
OPENSSL=/usr/bin/openssl
# Set the password to something unique
PASSWORD=FASTPATH
# Set the number of days the certs will be valid for
VALID_NUM_DAYS=3650
#####################################################################
#
# Generate the Self Signed Trusted Root Certification Authority (CA) and
# Private Key
#
#####################################################################
 
${OPENSSL} req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem -config root.cnf -passout pass:${PASSWORD}
${OPENSSL} x509 -req -days ${VALID_NUM_DAYS} -in rootreq.pem -sha1 -extfile root.cnf -extensions certificate_extensions -signkey rootkey.pem -out rootcert.pem -passin pass:${PASSWORD}
cat rootcert.pem rootkey.pem > root.pem
rm rootkey.pem rootreq.pem
 
#####################################################################
#
# Generate the Trusted Server Certificate signed by the Root CA
#
#####################################################################
${OPENSSL} req -newkey rsa:1024 -sha1 -keyout serverkey.pem -nodes -out serverreq.pem -config server.cnf -reqexts req_extensions -passout pass:${PASSWORD}
${OPENSSL} x509 -req -days ${VALID_NUM_DAYS} -in serverreq.pem -sha1 -extfile server.cnf -extensions certificate_extensions -CA root.pem -CAkey root.pem -CAcreateserial -out servercert.pem -passin pass:${PASSWORD}
cat servercert.pem serverkey.pem rootcert.pem > server.pem
rm root.pem root.srl serverkey.pem servercert.pem serverreq.pem
 
#####################################################################
#
# Generate the Diffie-Hellman weak and strong parameters
#
#####################################################################
${OPENSSL} dhparam -check -text -5 512 -out dh512.pem
${OPENSSL} dhparam -check -text -5 1024 -out dh1024.pem

SSL root.cnf

CODE EXAMPLE 4-3 SSL root.cnf Example
# default settings for example. [ ca ] default_ca = ca [ ca ] dir = /opt/ca certificate = $dir/cacert.pem database = $dir/index.txt new_certs_dir = $dir/certs private_key = $dir/private/cakey.pem serial = $dir/serial default_crl_days = 7 default_days = 365 default_md = sha1 policy = ca_policy x509_extensions = certificate_extensions [ ca_policy ] commonName = supplied stateOrProvinceName = supplied countryName = supplied emailAddress = supplied organizationName = supplied organizationalUnitName = supplied [ req ] default_bits = 2048 default_keyfile = privkey.pem default_md = sha1 prompt = no distinguished_name = req_distinguished_name x509_extensions = req_extensions # the following sections are specific to the request being built [ certificate_extensions ] basicConstraints = CA:true subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer:always [ req_distinguished_name ] countryName = US stateOrProvinceName = Mississippi localityName = Ridgeland organizationName = Diversified Technology, Inc. organizationalUnitName = Support commonName = Root CA emailAddress = tech@ms.com [ req_extensions ] basicConstraints = CA:true

CODE EXAMPLE 4-3 SSL root.cnf Example

# default settings for example.
[ ca ]
default_ca = ca
[ ca ]
dir = /opt/ca
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
private_key = $dir/private/cakey.pem
serial = $dir/serial
default_crl_days = 7
default_days = 365
default_md = sha1
policy = ca_policy
x509_extensions = certificate_extensions
[ ca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = supplied
organizationName = supplied
organizationalUnitName = supplied
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
default_md = sha1
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = req_extensions
# the following sections are specific to the request being built
[ certificate_extensions ]
basicConstraints = CA:true
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = Mississippi
localityName = Ridgeland
organizationName = Diversified Technology, Inc.
organizationalUnitName = Support
commonName = Root CA
emailAddress = tech@ms.com
[ req_extensions ]
basicConstraints = CA:true

SSH server.cnf

CODE EXAMPLE 4-4 SSH server.cnf Example
# default settings for example. [ ca ] default_ca = ca [ ca ] dir = /opt/eca certificate = $dir/cacert.pem database = $dir/index.txt new_certs_dir = $dir/certs private_key = $dir/private/cakey.pem serial = $dir/serial default_crl_days = 7 default_days = 365 default_md = sha1 policy = ca_policy x509_extensions = certificate_extensions [ ca_policy ] countryName = supplied stateOrProvinceName = supplied localityName = supplied organizationName = supplied organizationalUnitName = supplied commonName = supplied emailAddress = supplied [ req ] default_bits = 2048 default_keyfile = privkey.pem default_md = sha1 prompt = no distinguished_name = req_distinguished_name x509_extensions = req_extensions # the following sections are specific to the request being built [ certificate_extensions ] basicConstraints = CA:false subjectAltName = DNS:localhost [ req_distinguished_name ] countryName = US stateOrProvinceName = Mississippi localityName = ridgeland organizationName = Diversified Technology, Inc. organizationalUnitName = Support commonName = localhost emailAddress = tech@ms.com [ req_extensions ] basicConstraints = CA:true subjectAltName = DNS:localhost

CODE EXAMPLE 4-4 SSH server.cnf Example

# default settings for example.
[ ca ]
default_ca = ca
[ ca ]
dir = /opt/eca
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
private_key = $dir/private/cakey.pem
serial = $dir/serial
default_crl_days = 7
default_days = 365
default_md = sha1
policy = ca_policy
x509_extensions = certificate_extensions
[ ca_policy ]
countryName = supplied
stateOrProvinceName = supplied
localityName = supplied
organizationName = supplied
organizationalUnitName = supplied
commonName = supplied
emailAddress = supplied
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
default_md = sha1
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = req_extensions
# the following sections are specific to the request being built
[ certificate_extensions ]
basicConstraints = CA:false
subjectAltName = DNS:localhost
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = Mississippi
localityName = ridgeland
organizationName = Diversified Technology, Inc.
organizationalUnitName = Support
commonName = localhost
emailAddress = tech@ms.com
[ req_extensions ]
basicConstraints = CA:true
subjectAltName = DNS:localhost

Certificate Generation

Configuring Secure Shell

Configuring Secure Socket Layer

Using Certificate Generation Scripts

`SSH sshKeygen.sh`

`SSL pemCreate.sh`

`SSL root.cn`f

`SSH server.cnf`