Dell Force10 S50-01-GE-48T-V User's Manual

S Series Secure Management

This application note describes how to enable the SSH and SSL secure management features on the S Series platforms.

Version 1.5, June 1, 2006

Table of Contents

    Introduction
    Enabling SSH
    Enabling SSL/HTTPS

Introduction

Enabling secure management via Secure SHell (SSH) or Secure Sockets Layer (SSL/HTTPS) on the S Series is a four-step process. SSH and SSL both provide an encrypted transport session between the management station and switch.

1. Generate the SSH keys or SSL certificates offline.
2. Copy the SSH keys or SSL certificates to the switch using TFTP.
3. Enable the secure management server (SSH or HTTPS) on the switch.
4. Disable the insecure version of the management server (Telnet or HTTP).

If you received this document as part of a zip file, the file should contain two directories, ssh and ssl; the directories are also on the S Series CD-ROM. If you did not get the entire zip file, please contact your Force10 account team.

- The ssh directory has example RSA1, RSA2 and DSA keys and a shell script called generate-keys.sh that can be used to generate your own SSH keys.
- The ssl directory has example certificates and a shell script called generate-pem.sh that can be used to generate your own SSL certificates.

The scripts provided use OpenSSH (http://www.openssh.org) and OpenSSL (http://www.openssl.org) for key and certificate generation. Other free and commercial tools exist that can provide the same functionality, and you can use them if you like.

For additional options and commands related to the Telnet/SSH and HTTP/HTTPS features, please consult the SFTOS manuals.

Enabling SSH

1. Generate the SSH keys using the script in the ssh directory, or copy the example keys (which end in .key) to your TFTP server.

2. Copy the keys to NVRAM with TFTP as follows from this example, using the IP address of your TFTP server. For SSHv1, copy the RSA1 key. For SSHv2, copy the RSA1, RSA2 and DSA keys as shown below.

    SFTOS #copy tftp://192.168.0.10/rsa1.key nvram:sshkey-rsa1

    Mode........................................... TFTP
    Set TFTP Server IP............................. 192.168.0.10
    TFTP Path......................................
    TFTP Filename.................................. rsa1.key
    Data Type...................................... SSH RSA1 key

    Management access will be blocked for the duration of the transfer
    Are you sure you want to start? (y/n) y

    TFTP SSH key receive complete... updating key file...
    Key file transfer operation completed successfully

    SFTOS #copy tftp://192.168.0.10/rsa2.key nvram:sshkey-rsa2

    Mode........................................... TFTP
    Set TFTP Server IP............................. 192.168.0.10
    TFTP Path......................................
    TFTP Filename.................................. rsa2.key
    Data Type...................................... SSH RSA2 key

    Management access will be blocked for the duration of the transfer
    Are you sure you want to start? (y/n) y

    TFTP SSH key receive complete... updating key file...
    Key file transfer operation completed successfully

    SFTOS #copy tftp://192.168.0.10/dsa.key nvram:sshkey-dsa

    Mode........................................... TFTP
    Set TFTP Server IP............................. 192.168.0.10
    TFTP Path......................................
    TFTP Filename.................................. dsa.key
    Data Type...................................... SSH DSA key

    Management access will be blocked for the duration of the transfer
    Are you sure you want to start? (y/n) y

    TFTP SSH key receive complete... updating key file...
    Key file transfer operation completed successfully

3. Enable the SSH server with this command:

    SFTOS Version < 2.2.1:    SFTOS #ip ssh server enable
    SFTOS Version > 2.3.1:    SFTOS (Config)#ip ssh server enable

To verify that the server has started, use this command to show the SSH server status, and check the log file for the following messages.

    SFTOS #show ip ssh

    SSH Configuration

    Administrative Mode............................ Enabled
    Protocol Levels................................ Versions 1 and 2
    SSH Sessions Currently Active.................. 0
    Max SSH Sessions Allowed....................... 5
    SSH Timeout.................................... 5

    SFTOS #show logging buffered

    JAN 01 00:31:54 192.168.0.34-1 UNKN[222273672]: sshd_control.c(444) 15 %% SSHD: sshdListenTask started
    JAN 01 00:31:54 192.168.0.34-1 UNKN[209305936]: sshd_main.c(596) 16 %% SSHD: successfully opened file ssh_host_dsa_key
    JAN 01 00:31:54 192.168.0.34-1 UNKN[209305936]: sshd_main.c(609) 17 %% SSHD: successfully loaded DSA key
    JAN 01 00:31:54 192.168.0.34-1 UNKN[209305936]: sshd_main.c(631) 18 %% SSHD: successfully opened file ssh_host_rsa_key
    JAN 01 00:31:54 192.168.0.34-1 UNKN[209305936]: sshd_main.c(643) 19 %% SSHD: successfully loaded RSA2 key
    JAN 01 00:31:56 192.168.0.34-1 UNKN[209305936]: sshd_main.c(353) 20 %% SSHD: Done generating server key

Using an SSH client, connect to the switch and log in to verify that the SSH server is working.

4. Once you have verified that you can connect to the switch with an SSH client, the Telnet server can be disabled with this command for additional security, if it was enabled. The Telnet server is disabled by default.

    SFTOS Version < 2.2.1:    SFTOS #no ip telnet server enable
    SFTOS Version > 2.3.1:    SFTOS (Config)#no ip telnet server enable

Enabling SSL/HTTPS

1. Generate the SSL certificates using the script in the ssl directory, or copy the example certificates (which end in .pem) to your TFTP server.

2. Copy the certificates to NVRAM with TFTP as follows from this example, using the IP address of your TFTP server.

    SFTOS #copy tftp://192.168.0.10/dh512.pem nvram:sslpem-dhweak

    Mode........................................... TFTP
    Set TFTP Server IP............................. 192.168.0.10
    TFTP Path......................................
    TFTP Filename.................................. dh512.pem
    Data Type...................................... SSL DH weak

    Management access will be blocked for the duration of the transfer
    Are you sure you want to start? (y/n) y

    TFTP SSL certificate receive complete... updating certificate file...
    Certificate file transfer operation completed successfully

    SFTOS #copy tftp://192.168.0.10/dh1024.pem nvram:sslpem-dhstrong

    Mode........................................... TFTP
    Set TFTP Server IP............................. 192.168.0.10
    TFTP Path......................................
    TFTP Filename.................................. dh1024.pem
    Data Type...................................... SSL DH strong

    Management access will be blocked for the duration of the transfer
    Are you sure you want to start? (y/n) y

    TFTP SSL certificate receive complete... updating certificate file...
    Certificate file transfer operation completed successfully

    SFTOS #copy tftp://192.168.0.10/server.pem nvram:sslpem-server

    Mode........................................... TFTP
    Set TFTP Server IP............................. 192.168.0.10
    TFTP Path......................................
    TFTP Filename.................................. server.pem
    Data Type...................................... SSL Server cert

    Management access will be blocked for the duration of the transfer
    Are you sure you want to start? (y/n) y

    TFTP SSL certificate receive complete... updating certificate file...
    Certificate file transfer operation completed successfully

    SFTOS #copy tftp://192.168.0.10/rootcert.pem nvram:sslpem-root

    Mode........................................... TFTP
    Set TFTP Server IP............................. 192.168.0.10
    TFTP Path......................................
    TFTP Filename.................................. rootcert.pem
    Data Type...................................... SSL Root cert

    Management access will be blocked for the duration of the transfer
    Are you sure you want to start? (y/n) y

    TFTP SSL certificate receive complete... updating certificate file...
    Certificate file transfer operation completed successfully

3. Enable the HTTPS server with this command:

    SFTOS Version < 2.2.1:    SFTOS #ip http secure-server
    SFTOS Version > 2.3.1:    SFTOS (Config)#ip http secure-server enable

To verify that the server has started, use this command to show the HTTPS server status, and check the log file for the following messages.

    SFTOS #show ip http

    Java Mode: Disabled
    HTTP Mode (Unsecure): Disabled
    HTTP Mode (Secure): Enabled
    Secure Port: 443
    Secure Protocol Level(s): TLS1 SSL3

    SFTOS #show logging buffered

    JAN 01 01:16:19 192.168.0.34-1 UNKN[209189968]: sslt_util.c(321) 39 %% SSLT: Successfully loaded all required SSL PEM files

Using a web browser, connect to the switch using an https:// URL and log in to verify that the SSL server is working. The padlock icon on your browser should indicate an encrypted connection.

If you used the example certificates, your browser will display a warning that it cannot verify the authenticity of the certificate. This is because the example certificates have not been certified by a Certification Authority. When certificates are acquired from a Certification Authority and loaded on the switch, this warning will not occur.

4. Once you have verified that you can connect to the switch with a web browser, the HTTP server can be disabled with this command for additional security, if it was enabled previously. The HTTP server is disabled by default.

    SFTOS Version < 2.2.1:    SFTOS #no ip http server
    SFTOS Version > 2.3.1:    SFTOS (Config)#no ip http server enable

Force10 Networks, Inc.
1440 McCarthy Boulevard, Milpitas, CA 95035
www.force10networks.com
Phone: 408-571-3500
Fax: 408-571-3550
Email: info@force10networks.com
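
An added example, not part of the Force10 note or its scripts: a Python check that reads captured `show ip ssh`, `show ip http` and `show logging buffered` output and reports whether the end state of the four steps was reached. The function names and the sample text are constructed here, and the two legacy-protocol flags are an assumption of this example that goes beyond what the note asks for.

```python
import re

# Constructed sample, shaped like the `show ip ssh`, `show ip http` and
# `show logging buffered` listings in the note (values taken from the note).
SAMPLE = """\
SSH Configuration
Administrative Mode............................ Enabled
Protocol Levels................................ Versions 1 and 2
Java Mode: Disabled
HTTP Mode (Unsecure): Disabled
HTTP Mode (Secure): Enabled
Secure Protocol Level(s): TLS1 SSL3
JAN 01 00:31:54 192.168.0.34-1 UNKN[209305936]: sshd_main.c(643) 19 %% SSHD: successfully loaded RSA2 key
JAN 01 01:16:19 192.168.0.34-1 UNKN[209189968]: sslt_util.c(321) 39 %% SSLT: Successfully loaded all required SSL PEM files
"""

# Matches "Label.... value" (dot leaders) or "Label: value".
FIELD = re.compile(r"^([A-Za-z][^.:\n]*?)\s*(?:\.{2,}|:)\s*(.*)$")

def parse(text):
    """Split captured CLI text into status fields and log message bodies."""
    fields, logs = {}, []
    for line in text.splitlines():
        if "%%" in line:                      # buffered-log entry
            logs.append(line.split("%%", 1)[1].strip())
        elif (m := FIELD.match(line)):
            fields[m[1].strip().lower()] = m[2].strip()
    return fields, logs

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    f, logs = parse(text)
    findings = []
    if f.get("administrative mode") != "Enabled":
        findings.append("SSH server not shown as enabled")
    if f.get("http mode (secure)") != "Enabled":
        findings.append("HTTPS server not shown as enabled")
    if f.get("http mode (unsecure)") != "Disabled":
        findings.append("HTTP server not shown as disabled")
    if not any(m.startswith("SSHD:") and "loaded" in m for m in logs):
        findings.append("no SSHD key-load message in log")
    if not any("loaded all required SSL PEM files" in m for m in logs):
        findings.append("no SSLT PEM-load message in log")
    # Stricter than the note (assumption of this example): flag legacy protocols.
    if re.search(r"\b1\b", f.get("protocol levels", "")):
        findings.append("SSH protocol version 1 still accepted")
    if "SSL3" in f.get("secure protocol level(s)", ""):
        findings.append("SSL3 still offered")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```
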
