Occasional Contributor
Posts: 7
Registered: ‎08-13-2009

ServerIron SSL migration

Hi

I'm trying to migrate SSL certs from a ServerIron 450 to a ServerIron 4G-SSL-PREM. I've managed to copy the files from the ServerIron 450, and verified they work using openssl to test them (and I have the right passphrase for the key). It's when I upload them to the 4G and try to set up an SSL profile that I get problems.

From a clean config (the only things configured are IP, username and scp access), I upload the files to the 4G:

scp mykey.key 192.168.145.1:sslkeypair:mykey.key:PLAINTEXTPASSPHRASEFORKEY:pem

scp mycert.pem 192.168.145.1:sslcert:mycert.pem:pem

These seem to work as I get this output

mycert.pem                                 100% 1209     1.2KB/s   00:00   

Connection to 192.168.145.1 closed by remote host.



I run these commands at the configuration prompt:

ssl profile test

keypair-file mykey.key

certificate-file mycert.pem

but I get an error back after the certificate-file command:

Error : A key pair needs to be configured first before configuring the certificate



If I run a 'show run' after the keypair-file command, I don't see "keypair-file mykey.key" listed in the output. So is it this command failing silently on me? And is the only way to input the pass phrase via the scp upload command? Is there a command to list the certs and keys in the system as well?

Regards,

Damien.

Super Contributor
Posts: 316
Registered: ‎05-01-2009

Re: ServerIron SSL migration

I prefer the WebGUI for copying certificates and keys (possible starting with release 11.0); it is much simpler and you have less trouble doing it via the WebGUI.

I guess something went wrong during the copy process. Check the certs and keys available at the ServerIron 4G via:

> ena

# rconsole 1 1

1/1# show ssl key *

OUTPUT containing all keys

1/1# show ssl cert *

OUTPUT containing all certs

1/1# rconsole-exit

#

You posted this one to the wrong community section initially - be careful because this delays our responses.

Have you tried to get the key and cert back from the 4G again to see if they are there? It is possible to try to download them just to check whether they are there or not.

Ensure that the passphrase is correct - this should be possible using OpenSSL.



Super Contributor
Posts: 316
Registered: ‎05-01-2009

Re: ServerIron SSL migration

A good document to look at besides the release notes of 9.5.02 and the security guide in later releases:

http://www.brocade.com/forms/getFile?p=documents/white_papers/wp-si-ssl-implementation-cert-mgmt.pdf

My 2 Cents...

Occasional Contributor
Posts: 7
Registered: ‎08-13-2009

Re: ServerIron SSL migration

Listing the ssl keys shows no keys to be on the 4G.

I've checked the pass phrase for the key with 'openssl rsa -inform PEM -in mykey.key -noout -check -text' and I get a 'RSA key ok'

The key's header is

-----BEGIN RSA PRIVATE KEY-----

Proc-Type: 4,ENCRYPTED

DEK-Info: DES-CBC,<hash>



First time I tried to upload the key from a rebooted and clean config, I got an error in the serveriron console of "Error : Could not read private key from imported file ssl_keys.pem", and the key is still not there.

show ssl debug gives:

Library                        Description :      count

DigEnv                        bad decrypt :          1

    PEM                        bad decrypt :          1



which is odd, as the pass phrase works.

As a test, I generated a key on the 4G, exported it, deleted it, and reimported it with success. Which then leads me to think: is there any difference between the 450 and 4G-SSL-PREM for SSL implementation, to the point I can't transfer the keys across? Following the SSL PDF hasn't helped (and I can't get to the 9.5 release docs yet).

Super Contributor
Posts: 316
Registered: ‎05-01-2009

Re: ServerIron SSL migration

This sounds for sure like a problem for a ticket, but I know you do not have any support right now. The SSL stuff on the 4G is the same as the stuff on the WSM6-SSL modules (which are inside the 350/450 and 850). I hope you have used the same code on the 450, because there is still a possibility that this is a bug. I do remember a ticket in the past about a problem with the key upload when the passphrase had uppercase characters in it.

Could you try to change the passphrase using openssl and use something lower case which is simple like passphras3 or so?

Occasional Contributor
Posts: 7
Registered: ‎08-13-2009

Re: ServerIron SSL migration

Thanks a lot oadam, yes this is a bug in the 4G firmware 9.5: upper case in the pass phrase does not allow the file to be uploaded. I re-encrypted the key with a lower case (and numbers) pass phrase, and the key was successfully uploaded. I successfully made an SSL profile, terminated the SSL on the 4G, made a test web site, and the certificate shows up in the browser, and I get the website through SSL. So the config that was on the 450 works fine on the 4G for the SSL.
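
The workaround this thread arrives at, re-encrypting the key under a lowercase-and-digits passphrase and checking it against the certificate before upload, written out as shell functions. This is an added example, not part of any post; the function names, the `OLD_PASS`/`NEW_PASS` variables and the `-des3` cipher choice are assumptions.

```shell
#!/bin/sh
# Added example. OLD_PASS / NEW_PASS are read from the environment and handed
# to openssl via "env:", so passphrases stay out of the process list.
LC_ALL=C; export LC_ALL   # make [a-z] mean ASCII lowercase only

# True only for a non-empty passphrase of lowercase letters and digits,
# the form the thread found the 4G 9.5 firmware to accept.
passphrase_is_upload_safe() {
    case "$1" in
        ''|*[!a-z0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# reencrypt_key IN OUT: rewrite IN (encrypted under OLD_PASS) to OUT under NEW_PASS.
# -traditional keeps the "BEGIN RSA PRIVATE KEY" PEM form shown in the thread;
# -des3 is an assumed cipher choice, the thread does not name one.
reencrypt_key() {
    passphrase_is_upload_safe "$NEW_PASS" || {
        echo "new passphrase must be lowercase letters/digits only" >&2
        return 1
    }
    ( umask 077
      OLD_PASS="$OLD_PASS" NEW_PASS="$NEW_PASS" openssl pkey -in "$1" \
          -passin env:OLD_PASS -traditional -des3 -out "$2" -passout env:NEW_PASS )
}

# True if FILE decrypts with NEW_PASS and passes openssl's key consistency check.
key_opens() {
    NEW_PASS="$NEW_PASS" openssl pkey -in "$1" -passin env:NEW_PASS \
        -noout -check >/dev/null 2>&1
}

# True if FILE carries the encrypted traditional PEM header quoted in the thread.
has_encrypted_rsa_header() {
    grep -q -- '-----BEGIN RSA PRIVATE KEY-----' "$1" &&
        grep -q '^Proc-Type: 4,ENCRYPTED' "$1"
}

# cert_matches_key CERT KEY: the certificate and key must share one public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(NEW_PASS="$NEW_PASS" openssl pkey -in "$2" -passin env:NEW_PASS \
        -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}
```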

Super Contributor
Posts: 316
Registered: ‎05-01-2009

Re: ServerIron SSL migration

You are welcome... it is good to know that it is working now.
