You can use the following communication services to interface third-party applications with Cisco UCS:
Configuring HTTPS
HTTPS uses components of the Public Key Infrastructure (PKI) to establish secure communications between two devices, such as a client's browser and Cisco UCS Manager.
Each PKI device holds a pair of asymmetric Rivest-Shamir-Adleman (RSA) encryption keys, one kept private and one made public, stored in an internal key ring. A message encrypted with either key can be decrypted with the other key. To send an encrypted message, the sender encrypts the message with the receiver's public key, and the receiver decrypts the message using its own private key. A sender can also prove its ownership of a public key by encrypting (also called 'signing') a known message with its own private key. If a receiver can successfully decrypt the message using the public key in question, the sender's possession of the corresponding private key is proven. Encryption keys can vary in length, with typical lengths from 512 bits to 2048 bits. In general, a longer key is more secure than a shorter key. Cisco UCS Manager provides a default key ring with an initial 1024-bit key pair, and allows you to create additional key rings.
To prepare for secure communications, two devices first exchange their digital certificates. A certificate is a file containing a device's public key along with signed information about the device's identity. To merely support encrypted communications, a device can generate its own key pair and its own self-signed certificate. When a remote user connects to a device that presents a self-signed certificate, the user has no easy method to verify the identity of the device, and the user's browser will initially display an authentication warning. By default, Cisco UCS Manager contains a built-in self-signed certificate containing the public key from the default key ring.
To provide stronger authentication for Cisco UCS Manager, you can obtain and install a third-party certificate from a trusted source, or trusted point, that affirms the identity of your device. The third-party certificate is signed by the issuing trusted point, which can be a root certificate authority (CA) or an intermediate CA or trust anchor that is part of a trust chain that leads to a root CA. To obtain a new certificate, you must generate a certificate request through Cisco UCS Manager and submit the request to a trusted point.
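The trust model described above, as an added example that is not Cisco code: a browser-side check that tells a self-signed certificate from one issued by a trusted point, plus the signing-based proof of key possession. It assumes textbook RSA without padding over Mersenne primes, for illustration only; all names (`ucs-a.example`, `Example-CA`, the helper functions) are hypothetical.

```python
import hashlib

E = 65537  # public exponent shared by both demo key pairs

def make_key_pair(p, q):
    """Textbook RSA from two primes: returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, private):
    n, d = private
    return pow(digest(data, n), d, n)

def verify(data, signature, public):
    n, e = public
    return pow(signature, e, n) == digest(data, n)

def proves_possession(private, public, challenge=b"known message"):
    """Sign a known message; it verifies only under the matching public key."""
    return verify(challenge, sign(challenge, private), public)

def tbs(subject, issuer, public):
    """The identity information that the issuer signs."""
    return f"{subject}|{issuer}|{public[0]}|{public[1]}".encode()

def issue(subject, subject_public, issuer, issuer_private):
    """A certificate: the subject's public key plus signed identity data."""
    return {"subject": subject, "issuer": issuer, "public": subject_public,
            "sig": sign(tbs(subject, issuer, subject_public), issuer_private)}

def check(cert, trusted_points):
    """Classify a presented certificate against the client's trusted points."""
    body = tbs(cert["subject"], cert["issuer"], cert["public"])
    anchor = trusted_points.get(cert["issuer"])
    if anchor is not None and verify(body, cert["sig"], anchor):
        return "trusted"
    if cert["issuer"] == cert["subject"] and verify(body, cert["sig"], cert["public"]):
        return "self-signed"  # consistent with its own key; identity unverified
    return "invalid"

# Constructed sample data (hypothetical names, insecure demo primes).
DEV_PUB, DEV_PRIV = make_key_pair(2**89 - 1, 2**107 - 1)  # device key ring
CA_PUB, CA_PRIV = make_key_pair(2**61 - 1, 2**127 - 1)    # trusted point
STORE = {"Example-CA": CA_PUB}
default_cert = issue("ucs-a.example", DEV_PUB, "ucs-a.example", DEV_PRIV)
ca_cert = issue("ucs-a.example", DEV_PUB, "Example-CA", CA_PRIV)
forged = dict(ca_cert, subject="other.example")  # identity altered after signing
```

The self-signed result is what triggers the browser's authentication warning: the signature is valid, but nothing the client already trusts vouches for the subject name.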
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | On the Admin tab, expand . |
Step 3 | Right-click Root and choose Create Key Ring. |
Step 4 | In the Create Key Ring dialog box, do the following: |
Create a certificate request for this key ring.
Create a trusted point and set the certificate chain for the certificate of trust received from the trust anchor.
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | On the Admin tab, expand . |
Step 3 | Right-click Root and choose Create Trusted Point. |
Step 4 | In the Create Trusted Point dialog box, complete the following fields: |
Step 5 | Click OK. |
When you receive the certificate from the trust anchor or certificate authority, import it into the key ring.
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | On the Admin tab, expand . |
Step 3 | Click the key ring into which you want to import the certificate. |
Step 4 | In the Work pane, click the General tab. |
Step 5 | In the Certificate area, complete the following fields: |
Step 6 | Click Save Changes. |
Configure your HTTPS service with the key ring.
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | In the Admin tab, expand . |
Step 3 | Select the Communication Services tab. |
Step 4 | In the HTTPS area, click the enabled radio button. The HTTPS area expands to display the available configuration options. |
Step 5 | (Optional) In the Port field, change the default port that Cisco UCS Manager GUI will use for HTTPS. The default port is 443. |
Step 6 | (Optional) In the Key Ring field, enter the name of the key ring you created for HTTPS. |
Step 7 | Click Save Changes. |
Step 8 | Click OK. |
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | On the Admin tab, expand . |
Step 3 | Right-click the key ring you want to delete and select Delete. |
Step 4 | If Cisco UCS Manager GUI displays a confirmation dialog box, click Yes. |
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | On the Admin tab, expand . |
Step 3 | Right-click the trusted point you want to delete and select Delete. |
Step 4 | If Cisco UCS Manager GUI displays a confirmation dialog box, click Yes. |
Step 5 | Click OK. |
Configuring SNMP
SNMP messages from a Cisco UCS instance display the fabric interconnect name rather than the system name.
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | In the Admin tab, expand . |
Step 3 | Select the Communication Services tab. |
Step 4 | In the SNMP area, click the enabled radio button. The SNMP area expands to display the available configuration options. You cannot change the port on which Cisco UCS Manager communicates with the SNMP host. |
Step 5 | In the Community field, enter the default community name that Cisco UCS Manager GUI should include with any trap messages it sends to the SNMP server. The default community is public. |
Step 6 | Click Save Changes. |
Create SNMP trap hosts and users.
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | In the Admin tab, expand . |
Step 3 | Select the Communication Services tab. |
Step 4 | In the SNMP Traps area, click +. |
Step 5 | In the Create SNMP Trap dialog box, complete the following fields: |
Step 6 | Click OK. |
Step 7 | Click Save Changes. |
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | In the Admin tab, expand . |
Step 3 | Select the Communication Services tab. |
Step 4 | In the SNMP Trap Hosts area, click the row in the table that corresponds to the user you want to delete. |
Step 5 | Click the Delete icon to the right of the table. |
Step 6 | If Cisco UCS Manager GUI displays a confirmation dialog box, click Yes. |
Step 7 | Click Save Changes. |
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | In the Admin tab, expand . |
Step 3 | Select the Communication Services tab. |
Step 4 | In the SNMP Users area, click +. |
Step 5 | In the Create SNMP User dialog box, complete the following fields: |
Step 6 | Click OK. |
Step 7 | Click Save Changes. |
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | In the Admin tab, expand . |
Step 3 | Select the Communication Services tab. |
Step 4 | In the SNMP Users area, click the row in the table that corresponds to the user you want to delete. |
Step 5 | Click the Delete icon to the right of the table. |
Step 6 | If Cisco UCS Manager GUI displays a confirmation dialog box, click Yes. |
Step 7 | Click Save Changes. |
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | In the Admin tab, expand . |
Step 3 | Click the Communication Services tab. |
Step 4 | In the Telnet area, click the enabled radio button. |
Step 5 | Click Save Changes. |
Note | We recommend that you disable all communication services that are not required to interface with other network applications. |
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | In the Admin tab, expand . |
Step 3 | On the Communication Services tab, click the disable radio button for each service that you want to disable. |
Step 4 | Click Save Changes. |