Provisioning Certificates
The Secure Socket Layer (SSL) protocol secures network communication by encrypting data before transmission. Many application servers and web servers support the use of keystores for SSL configuration. Using SSL between the switches and the KMC requires provisioning a Public Key Infrastructure (PKI): a CA certificate, a CA-signed KMC certificate, and the keystores that hold them.
This chapter includes the following topics:
- Information About Public Key Infrastructure Certificates
- Prerequisites for SSL
- Configuring SSL Using CLI
- Feature History for SSL
Information About Public Key Infrastructure Certificates
A certificate is an electronic document that you use to identify a server, a company, or some other entity and to associate that identity with a public key.
Certificate authorities (CAs) are entities that validate identities and issue certificates. The certificate that the CA issues binds a particular public key to the name of the entity that the certificate identifies (such as the name of a server or device). Only the public key that the certificate certifies works with the corresponding private key that is possessed by the entity that the certificate identifies. Certificates help prevent the use of fake public keys for impersonation.
Prerequisites for SSL
Before configuring SSL, consider the following:
- You must install a third-party tool such as the freely available OpenSSL application to generate keys, certificates, and certificate signing requests. Download OpenSSL for Windows from the following link: http://gnuwin32.sourceforge.net/packages/openssl.ht After installing in Windows, openssl.exe is located by default at c:\openssl\bin.
- Ensure that the time on all the switches, the DCNM-SAN server, and the system running the OpenSSL commands is synchronized.
- Provide different identities for the CA certificate and the KMC certificate.
- Only the JRE 1.6 Java keytool is supported for importing PKCS12 certificates into Java Keystore (JKS) files.
Configuring SSL Using CLI
This section describes the following SSL configuration topics:
- Creating the CA Certificate
- Configuring Trustpoints
- Removing Trustpoints
- Generating KMC Certificate
Creating the CA Certificate
Your organization might already have a CA certificate. If you are requesting the CA from a security administrator, indicate that you need the CA certificate in PEM format, and you will need them to sign certificates as part of configuring SME. If you do not have or want to use an existing CA, you can create a new one by using an OpenSSL command.
This command creates the Certificate Authority (CA). It produces a certificate (identity plus public key) and a private key. The private key must always be protected. In a typical enterprise organization, the CA private key already exists and is held by the security administrator.
Create a CA certificate using the OpenSSL application. Enter the following command for the 365-day certificate:
OpenSSL> req -x509 -days 365 -newkey rsa:2048 -out cacert.pem -outform PEM
This command creates two files: a cacert.pem file and a privkey.pem file in the directory with OpenSSL.exe. The cacert.pem file is the certificate. The privkey.pem file must be stored in a safe location.
Configuring Trustpoints
This sequence of steps must be done for all of the switches managed by a DCNM-SAN server. Ensure that the same trustpoint name is used for all the switches.
To configure trustpoints, follow these steps:
Removing Trustpoints
This sequence of steps must be done for all of the switches to remove the crypto CA signed trustpoints.
To remove the trustpoints, follow these steps:
Step | Action | Example
---|---|---
Step 1 | Enter configuration mode. | switch# configure terminal Enter configuration commands, one per line. End with CNTL/Z.
Step 2 | Enter trustpoint mode. | switch(config)# crypto ca trustpoint my_ca
Step 3 | Remove the certificate corresponding to the trustpoint. | switch(config-trustpoint)# delete certificate force
Step 4 | Remove the RSA keypair for the switch in the trustpoint submode. | switch(config-trustpoint)# no rsakeypair my_ca_key
Step 5 | Remove the CA certificate corresponding to the trustpoint. | switch(config-trustpoint)# delete ca-certificate
Step 6 | Exit the trustpoint submode. | switch(config-trustpoint)# exit
Step 7 | Remove the configured trustpoint. | switch(config)# no crypto ca trustpoint my_ca
Generating KMC Certificate
To generate the KMC certificate, enter the following commands in the OpenSSL application and then the Java keytool:
Step | Action | Command
---|---|---
Step 1 | Create the KMC server's private key. | OpenSSL> genrsa -out sme_kmc_server.key 2048
Step 2 | Create a certificate signing request using the private key from Step 1. | OpenSSL> req -new -key sme_kmc_server.key -out sme_kmc_server.csr -config openssl.conf
Step 3 | Using the CA certificate and the CA private key, create a signed certificate for the KMC server. | OpenSSL> x509 -req -days 365 -in sme_kmc_server.csr -CA cacert.pem -CAkey privkey.pem -CAcreateserial -out sme_kmc_server.cert
Step 4 | Export the signed KMC certificate and its private key to PKCS12 format. | OpenSSL> pkcs12 -export -in sme_kmc_server.cert -inkey sme_kmc_server.key -out sme_kmc_server.p12
Step 5 | Import this PKCS12 keystore into a Java Keystore using the Java keytool (JRE 1.6). | "<JAVA_HOME>\bin\keytool" -importkeystore -srckeystore sme_kmc_server.p12 -srcstoretype PKCS12 -destkeystore sme_kmc_server.jks -deststoretype JKS
Step 6 | Import the CA certificate into a Java truststore using the Java keytool (JRE 1.6). | "<JAVA_HOME>\bin\keytool" -importcert -file cacert.pem -keystore sme_kmc_trust.jks -storetype JKS
Step 7 | Place these keystore files in the <install path>dcm\fm\conf\cert directory. |
Step 8 | Modify the KMC SSL settings in the Key Manager Settings in the DCNM-SAN Web Client. |
Step 9 | Restart the DCNM-SAN server. |
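The following script is an added example, not part of the Cisco guide: it runs the "Creating the CA Certificate" command and steps 1 through 4 of "Generating KMC Certificate" non-interactively with the OpenSSL CLI, then performs the checks a practitioner should make before importing anything into the Java keystores (the certificate chains to the CA, the issuer matches the CA subject, and the PKCS12 bundle opens). The subject names and the PKCS12 password are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): CA creation, KMC key/CSR/signing,
# PKCS12 export, and verification of the result with the OpenSSL CLI.
# Subject names and P12_PASS are constructed placeholders.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
P12_PASS="changeit"   # constructed placeholder, not a recommended value

# CA: self-signed, 365 days, as in "Creating the CA Certificate".
# -nodes, -subj and -keyout replace the interactive prompts; privkey.pem is the file to protect.
make_ca() {
    openssl req -x509 -days 365 -newkey rsa:2048 -nodes -subj "/CN=SME Example CA" \
        -keyout "$WORKDIR/privkey.pem" -out "$WORKDIR/cacert.pem" -outform PEM 2>/dev/null
}

# KMC: key, CSR, CA-signed certificate, PKCS12 export (steps 1-4).
# The KMC subject deliberately differs from the CA subject, a prerequisite in this chapter.
make_kmc() (
    cd "$WORKDIR"
    openssl genrsa -out sme_kmc_server.key 2048 2>/dev/null
    openssl req -new -key sme_kmc_server.key -subj "/CN=sme-kmc.example.test" \
        -out sme_kmc_server.csr
    openssl x509 -req -days 365 -in sme_kmc_server.csr -CA cacert.pem -CAkey privkey.pem \
        -CAcreateserial -out sme_kmc_server.cert 2>/dev/null
    openssl pkcs12 -export -in sme_kmc_server.cert -inkey sme_kmc_server.key \
        -out sme_kmc_server.p12 -passout "pass:$P12_PASS"
)

# Check 1: the KMC certificate chains to cacert.pem, which is what the switch
# trustpoint relies on. This also fails if clock skew put notBefore in the future.
verify_chain() {
    openssl verify -CAfile "$WORKDIR/cacert.pem" "$WORKDIR/sme_kmc_server.cert" >/dev/null 2>&1
}
# Check 2: the PKCS12 bundle opens with the export password (keytool needs this).
verify_p12() {
    openssl pkcs12 -in "$WORKDIR/sme_kmc_server.p12" -passin "pass:$P12_PASS" -noout 2>/dev/null
}
# Check 3: the KMC certificate's issuer is exactly the CA subject.
issuer_matches_ca() {
    ca_subj="$(openssl x509 -in "$WORKDIR/cacert.pem" -noout -subject)"
    kmc_iss="$(openssl x509 -in "$WORKDIR/sme_kmc_server.cert" -noout -issuer)"
    [ "${ca_subj#subject=}" = "${kmc_iss#issuer=}" ]
}

make_ca
make_kmc
```

With OpenSSL 3.x the PKCS12 export defaults to PBES2/AES encryption, which older keytool versions such as the JRE 1.6 one named in step 5 may not read; if the step 5 import fails, repeat the pkcs12 -export with the -legacy option.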
Feature History for SSL
The following table lists the release history for this feature.
Feature Name | Releases | Feature Information
---|---|---
Software change | 5.2(1) | In Release 5.2(1), Fabric Manager is changed to DCNM for SAN (DCNM-SAN).
 | 4.1(1c) | In Release 4.1(1b) and later, the MDS SAN-OS software is changed to MDS NX-OS software. The earlier releases are unchanged and all references are retained.
Generating and installing self-signed certificates | 4.1(1c) | In Release 4.1(1c) and later, the SSL configuration for a KMC that is separated from the Fabric Manager Server.
Introduction to Secure Socket Layer (SSL) | 3.3(1c) | Describes how to configure SSL for SME and edit SSL settings in the SME wizard.