Web Services Management Agent with TLS
The Web Services Management Agent (WSMA) defines a set of web services through which a network device can be managed, configuration data information can be retrieved, and new configuration data can be uploaded and manipulated. WSMA uses XML-based data encoding that is transported by the Simple Object Access Protocol (SOAP) for the configuration data and protocol messages.
You can use WSMA over Transport Layer Security (TLS) to access the entire Cisco CLI. Multiple WSMA clients can connect to the WSMA server running on Cisco software.
You can also use WSMA over TLS to initiate secure connections from Cisco software to applications over trusted and untrusted networks.
- Finding Feature Information
- Prerequisites for WSMA with TLS
- Restrictions for WSMA with TLS
- Information About WSMA with TLS
- How to Configure WSMA with TLS
- Configuration Examples for WSMA with TLS
- Additional References
- Feature Information for Web Services Management Agent with TLS
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for WSMA with TLS
Restrictions for WSMA with TLS
Information About WSMA with TLS
WSMA with TLS
The Web Services Management Agent (WSMA) agent needs to be configured to use a service profile that is using Transport Layer Security (TLS) as a transport to run the WSMA with TLS feature. The TLS protocol uses endpoint authentication and encryption to provide secure connections over any network. Encryption protects against eavesdropping, and digital certificates (signed by a trusted CA) protect against tampering and message forgery by authenticating the endpoints.
The WSMA listener and initiator profiles use the TLS server and client adapters to create and accept TLS connections. The TLS server uses a default port (13000) to listen for incoming connections; similarly, the TLS client uses the same default port to initiate connections. You can change the default port setting by changing the profile configuration.
Trusted Certificates
The WSMA over TLS feature requires a CA server to be available on the network. The CA’s public key is made known to the client, and the public key must correspond to the private key used to sign the server’s certificate. The Cisco device and the remote WSMA application use the CA server to validate the certificates sent between them.
WSMA Profiles with TLS
Web Services Management Agent (WSMA) needs input from external management applications to cause actions on the device. A physical transport protocol must be configured and associated to a WSMA to allow the WSMA to communicate with external management applications. The transport protocol and an encapsulation together form a WSMA profile. Any WSMA agent must be associated with a specific WSMA profile to perform valid operations. WSMA profiles demultiplex requests to the appropriate WSMA..
WSMA profiles work as a transport termination point, and allow transport and XML encapsulation parameters to be configured:
Service Listener with TLS
The service listener is a type of Web Services Management Agent (WSMA) profile that listens for incoming connections and accepts devices from allowed addresses or accepted user IDs. The accepted addresses are configured by defining an access list.
Accepted user IDs are configured by defining the transport method that the service listener listens for. The Transport Layer Security (TLS) transport method enforces the specific user ID that is accepted.
Note |
WSMA listener profiles cannot access Cisco devices that are located behind a firewall. |
WSMA over TLS Authentication and Authorization
Web Services Management Agent (WSMA) security is integrated with authentication, authorization, and accounting (AAA) configuration of Cisco software. The AAA associations configured on the transport layer are used by WSMA.
WSMA is designed for point-to-point operation and works over an encrypted transport. The security on the transport layer identifies and authenticates the users.
Unlike Secure Shell (SSH) or Secure HTTP (HTTPS) connections, TLS connections do not require that a user log in to a Cisco device. TLS certificates provide host-level authentication but do not always provide user-level authentication. Therefore, the Web Services Security Header (WSSE) header (if configured) is used to authenticate and authorize different users from a specified host.
For TLS listener profiles, all WSMA requests are authenticated using the Simple Object Access Protocol (SOAP) WSSE header. After the request is authenticated, the user is authorized to perform operations based on the configured privilege level. The user can be configured on the Cisco device or an the AAA server. The identity of the remote host is validated using the TLS client-side certificate.
For TLS initiator profiles, the identity of the remote endpoint is verified using the certificate authority (CA) server as part of the TLS connection setup. After a connection is established, all incoming WSMA requests are authenticated using the WSSE header. After the request is authenticated, the user is authorized to perform operations based on the configured privilege level. The user can be configured on the Cisco device or on the AAA server.
If the WSSE SOAP header is disabled for a TLS listener or initiator profile, user-level authentication is not possible, and the following process is used to decide the authorization level to assign to the profile:
How to Configure WSMA with TLS
Configuring Certificate Validation on the TLS Client for WSMA Initiator Mode
To use the Transport Layer Security (TLS) protocol to connect to the remote host, the Cisco device (acting as the TLS client) must validate the signed certificate of the Web Services Management Agent (WSMA) application host (acting as the TLS server). To allow the device to validate the certificate and trust all certificates signed by the certificate authority (CA), you must configure a trustpoint for the CA on the device and instruct the device to download a self-signed certificate from the CA that authenticates the CA to the device.
1. enable
2. configure terminal
3. crypto pki trustpoint name
4. enrollment url url
5. exit
6. crypto pki authenticate name
7. end
8. show running-config
DETAILED STEPS
Enabling a WSMA Service Initiator over TLS
If you configure service initiator over Transport Layer Security (TLS), you must first configure the certificate authority (CA) settings on the Cisco device.
1. enable
2. configure terminal
3. wsma profile initiator profile-name
4. encap {soap11 | soap12}
5. [backup] transport tls remote-host [initiator-port-number] [localcert trustpoint-name] [remotecert trustpoint-name] [source source-interface]}
6. keepalive interval [retries number]
7. idle-timeout minutes
8. max-message message-size
9. backup hold minutes
10. backup excluded seconds
11. reconnect seconds
12. stealth
13. wsse
14. end
DETAILED STEPS
Configuring Certificates on the TLS Server for WSMA Listener Mode
To configure certificate authority (CA) certificates for Web Services Management Agent (WSMA) listener mode using the Transport Layer Security (TLS) protocol on the Cisco device, you must configure a trustpoint for the CA on the device and instruct the device to download a self-signed certificate from the CA that authenticates the CA to the device. You must then instruct the device to request it’s own certificate signed by the CA.
To enable certificates for WSMA listener mode, perform the following task:
1. enable
2. configure terminal
3. crypto pki trustpoint name
4. enrollment {url url | terminal}
5. exit
6. crypto pki authenticate name
7. crypto pki enroll name
8. crypto pki import name certificate
9. end
10. show running-config
DETAILED STEPS
Enabling a WSMA Service Listener over TLS
If you configure service listener over Transport Layer Security (TLS), you must first configure the certificate authority (CA) settings on the device.
1. enable
2. configure terminal
3. wsma profile listener profile-name
4. encap {soap11 | soap12}
5. transport tls [listener-port-number] [localcert trustpoint-name] [disable-remotecert-validation | remotecert trustpoint-name]
6. idle-timeout minutes
7. max-message message-size
8. keepalive interval [retries number]
9. acl acl-number
10. stealth
11. wsse
12. end
DETAILED STEPS
Configuration Examples for WSMA with TLS
Example: Configuring Certificates on the TLS Server for WSMA Listener Mode
configure terminal crypto pki trustpoint my_CA enrollment terminal exit crypto pki authenticate my_CA . . . crypto pki import my_CA certificate . . . end
Example: Enabling a WSMA Service Initiator over TLS
configure terminal wsma profile initiator profile1 encap soap12 keepalive 100 retries 10 idle-timeout 120 max-message 290 backup hold 233 backup excluded 30 reconnect 434 stealth wsse
Example: Enabling Certificate Validation on the TLS Client for WSMA Initiator Mode
configure terminal crypto pki trustpoint my_CA enrollment url http://myCAurl:80 exit crypto pki authenticate my_CA
Example: Enabling a WSMA Service Listener over TLS
configure terminal wsma profile listener profile1 encap soap12 transport tls 65534 idle-timeout 345 max-message 290 keepalive 100 retries 10 stealth wsse
Additional References
Related Documents
Related Topic |
Document Title |
---|---|
Cisco IOS commands |
|
WSMA commands |
|
IP access lists |
Security Configuration Guide: Access Control Lists in the Securing the Data Plan Configuration Guide Library |
Public Key Infrastructure |
Public Key Infrastructure Configuration Guide in the Secure Connectivity Configuration Guide Library |
Secure Shell and Secure Shell Version 2 |
Secure Shell Configuration Guide in the Securing User Services Configuration Guide Library |
Security and IP access lists commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples |
Cisco IOS Security Command Reference |
RFCs
RFC |
Title |
---|---|
RFC 2132 |
DHCP Options and BOOTP Vendor Extensions |
RFC 2246 |
The TLS Protocol Version 1.0 |
RFC 4251 |
The Secure Shell (SSH) Protocol Architecture |
RFC 4252 |
The Secure Shell (SSH) Authentication Protocol |
Technical Assistance
Description |
Link |
---|---|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for Web Services Management Agent with TLS
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Feature Name |
Releases |
Feature Information |
---|---|---|
Web Services Management Agent with TLS |
12.2(50)SY 15.1(1)SY 15.1(1)T |
This feature enables support for the TLS encryption protocol for WSMA initiator and listener profiles. The following commands were introduced or modified by this feature: backup excluded, backup hold, debug wsma profile, encap, idle-timeout, keepalive, max-message, reconnect, stealth, transport, wsma profile initiator, wsma profile listener, wsse. |