New Contributor
Posts: 4
Registered: 12-01-2009

ServerIronGT SCP SSL certs problem

We have a ServerIronGT C-Series running Version 10.2.00dTD4.


We have to update an SSL cert and the manual says to use SCP. However, SCP does not respond past authentication. SSH is enabled; that is how we connect to it. I have issued the IP SSH SCP enable command, but no luck. I can tftp the cert to and from the device, but I need to upload the password for the keypair.

Can somebody advise on the best way to update a keypair and cert file on this device?  And/or how to enable SCP?

Thanks.

Super Contributor
Posts: 1,087
Registered: 12-13-2009

Re: ServerIronGT SCP SSL certs problem

Not sure here. The following might help or might not.

The command for enabling SCP you gave was correct, so not sure why that is not working. Have you tried a different SCP client?

Also check to make sure nobody has turned off RSA auth; look for the following in your config.

ServerIron(config)#ip ssh rsa-authentication no

Loading a Public Key File

To cause a public key file to be loaded onto the device, enter commands such as the following:

ServerIron(config)#ip ssh pub-key-file slot1 pkeys.txt

ServerIron(config)#ip ssh pub-key-file tftp 192.168.1.234 pkeys.txt

ServerIron(config)#ip ssh pub-key-file reload

ServerIron(config)#ip ssh pub-key-file flash-memory

ServerIron(config)#write memory

Syntax:

ip ssh pub-key-file slot1 | slot2 <filename>

Syntax:

ip ssh pub-key-file tftp <tftp-server-ip-addr> <filename>

Syntax:

ip ssh pub-key-file reload

Syntax:

ip ssh pub-key-file flash-memory

The slot1 | slot2 <filename> parameter causes a public key file called <filename> to be loaded from the Management IV module’s PCMCIA flash card each time the device is booted.

The tftp <tftp-server-ip-addr> <filename> parameter causes a public key file called <filename> to be loaded from a TFTP server each time the Foundry device is booted.

The reload keyword reloads the public keys from the file on the TFTP server or PCMCIA flash card.

The flash-memory keyword makes the public keys in the active configuration part of the startup-config file.

Super Contributor
Posts: 1,087
Registered: 12-13-2009

Re: ServerIronGT SCP SSL certs problem

Also found this from the Security guide for the ADX (version 12.2)

In order for certificates to be imported into the ServerIron ADX, they must be in a specific format.

The .PFX file must be converted to .PEM or .P12.

Sorry, I do not have a copy of the GTE security guide (any version) to check.

New Contributor
Posts: 4
Registered: 12-01-2009

Re: ServerIronGT SCP SSL certs problem

Is there a command to apply the password for the keypair file?

In the SCP command -

scp <source-file> <username>@<SI_IP_Addr>:<filetype>:<filename>:<password>:<format>

You send the password with the keypair file.


If not for the password issue, I could just tftp the files to the ServerIron.
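A pre-flight wrapper for the two points raised in the replies above: converting the .PFX to PEM before import, and passing the keypair passphrase as one field of the colon-delimited SCP target. This is an added shell example written for this thread, not Foundry/Brocade code and not something any poster ran. The target layout is the syntax quoted above; the rule that the passphrase must not contain ':' is my assumption about how the device splits that string, and the "sslkeypair"/"pem" values are the only filetype and format the thread shows.

```shell
#!/bin/sh
# Pre-flight helpers for pushing an SSL keypair to a ServerIron over SCP.
# Added example for this thread (not vendor code). Target layout follows the
# syntax quoted in the thread:
#   scp <source-file> <username>@<SI_IP_Addr>:<filetype>:<filename>:<password>:<format>
# Assumption: the device splits that string on ':', so the passphrase itself
# must not contain one (the manual does not say; treat this as a guess).

# Convert a .PFX bundle into a passphrase-protected PEM key and a PEM cert,
# as the ADX security guide quoted above requires. Needs openssl on the
# workstation; prompts for the PFX import password and a new PEM pass phrase.
pfx_to_pem() {
  pfx=$1; outkey=$2; outcert=$3
  openssl pkcs12 -in "$pfx" -nocerts -out "$outkey" &&
    openssl pkcs12 -in "$pfx" -clcerts -nokeys -out "$outcert"
}

# Report what kind of PEM private key a file holds: "encrypted" (either the
# legacy Proc-Type header or a PKCS#8 ENCRYPTED block), "plain", or "not-pem".
pem_key_kind() {
  f=$1
  if grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f" 2>/dev/null ||
     grep -q '^Proc-Type: 4,ENCRYPTED' "$f" 2>/dev/null; then
    echo encrypted
  elif grep -q '^-----BEGIN .*PRIVATE KEY-----' "$f" 2>/dev/null; then
    echo plain
  else
    echo not-pem; return 1
  fi
}

# Build the remote side of the scp command from its parts, refusing a
# passphrase that would break the colon-delimited layout (assumption, see top).
si_scp_target() {
  user=$1; host=$2; filetype=$3; name=$4; passphrase=$5; format=$6
  case $passphrase in
    *:*) echo "passphrase must not contain ':'" >&2; return 1 ;;
  esac
  printf '%s@%s:%s:%s:%s:%s\n' "$user" "$host" "$filetype" "$name" "$passphrase" "$format"
}

# Check the key file, then push it as filetype "sslkeypair" in "pem" format
# (the only combination shown in the thread).
si_upload_keypair() {
  key=$1; user=$2; host=$3; name=$4; passphrase=$5
  kind=$(pem_key_kind "$key") || { echo "$key: not a PEM private key" >&2; return 1; }
  [ "$kind" = encrypted ] || echo "warning: $key is not passphrase-protected" >&2
  target=$(si_scp_target "$user" "$host" sslkeypair "$name" "$passphrase" pem) || return 1
  scp "$key" "$target"
}

# Dispatcher so the file can be run directly; does nothing when sourced.
case ${1-} in
  check)  pem_key_kind "$2" ;;
  target) shift; si_scp_target "$@" ;;
  upload) shift; si_upload_keypair "$@" ;;
esac
```

Source the file and call si_upload_keypair, or run it as `sh si_ssl.sh upload key.pem someuser <SI_IP> mail2 <passphrase>`. One caveat that applies equally to the manual's own syntax: the passphrase travels as a command-line argument, so it is visible to other local users in the process list and lands in the shell history.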

Occasional Contributor
Posts: 11
Registered: 06-29-2009

Re: ServerIronGT SCP SSL certs problem

Hi Rs,

Have you eventually solved your problem?

Salvo

Frequent Contributor
Posts: 177
Registered: 02-14-2011

Re: ServerIronGT SCP SSL certs problem

Hi rsnaic,

We just wanted to check in and see if your problem has been solved. Hopefully the community members were able to assist you!

Thank you!

Cheers,

Grace Chang

Global Community Moderator

N/A
Posts: 1
Registered: 08-29-2012

Re: ServerIronGT SCP SSL certs problem

Hi Grace

We experience a similar problem. I am trying to upload a new cert (the old one will expire in just a few hours...) and end up with nothing happening, or rather the connection getting closed by the SI:

cal@aare ~/tmp/ssl $ scp wildcard.mail.hostpoint.ch.key.pw someuser@217.26.XX.XX:sslkeypair:mail2:PASSPHRASE:pem

someuser@217.26.XX.XX's password:

Connection to 217.26.XX.XX closed by remote host.

lost connection

The ServerIron just logs an ssh logout every time I try to scp:

Aug 29 20:49:40 217.26.XX.XX lb2, Security: SSH logout by someuser from src IP 77.109.XX.XX, src MAC 503d.e5af.cbc0 from USER EXEC mode

ssh -vvv ... outputs as follows:

debug1: Next authentication method: password

someuser@217.26.XX.XX's password:

debug3: packet_send2: adding 64 (len 60 padlen 4 extra_pad 64)

debug2: we sent a password packet, wait for reply

debug1: Authentication succeeded (password).

Authenticated to 217.26.XX.XX (:22).

debug2: fd 4 setting O_NONBLOCK

debug2: fd 5 setting O_NONBLOCK

debug1: Final hpn_buffer_size = 2097152

debug1: HPN Disabled: 0, HPN Buffer Size: 2097152

debug1: channel 0: new

debug1: Enabled Dynamic Window Scaling

debug3: ssh_session2_open: channel_new: 0

debug2: channel 0: send open

debug1: Entering interactive session.

debug2: callback start

debug2: client_session2_setup: id 0

debug2: fd 3 setting TCP_NODELAY

debug1: Sending command: scp -v -t -- sslkeypair:mail2:PASSPHRASE:pem

debug2: channel 0: request exec confirm 1

debug2: callback done

debug2: channel 0: open confirm rwindow 512 rmax 1338

debug2: tcpwinsz: 87380 for connection: 3

debug2: tcpwinsz: 87380 for connection: 3

debug2: channel_input_status_confirm: type 99 id 0

debug2: exec request accepted on channel 0

debug2: tcpwinsz: 87380 for connection: 3

debug1: client_input_channel_req: channel 0 rtype exit-status reply 0

debug2: channel 0: rcvd eof

debug2: channel 0: output open -> drain

debug2: channel 0: obuf empty

debug2: channel 0: close_write

debug2: channel 0: output drain -> closed

debug2: channel 0: rcvd close

debug2: channel 0: close_read

debug2: channel 0: input open -> closed

debug3: channel 0: will not send data after close

debug2: tcpwinsz: 87380 for connection: 3

debug2: channel 0: almost dead

debug2: channel 0: gc: notify user

debug2: channel 0: gc: user detached

debug2: channel 0: send close

debug2: channel 0: is dead

debug2: channel 0: garbage collecting

debug1: channel 0: free: client-session, nchannels 1

debug3: channel 0: status: The following connections are open:

  #0 client-session (t4 r0 i3/0 o3/0 fd -1/-1 cc -1)

debug1: fd 0 clearing O_NONBLOCK

debug1: fd 1 clearing O_NONBLOCK

Connection to 217.26.XX.XX closed by remote host.

Transferred: sent 2888, received 1544 bytes, in 0.0 seconds

Bytes per second: sent 284251.3, received 151968.2

debug1: Exit status 0

lost connection

I'm running:

cal@aare ~/tmp/ssl $ ssh -V

OpenSSH_5.9p1-hpn13v11, OpenSSL 1.0.0j 10 May 2012

and

SSH@lb1(config)#show version

  SW: Version 10.2.01zTD4 Copyright (c) 1996-2007 Foundry Networks, Inc.

      Compiled on Feb 13 2012 at 16:43:43 labeled as WXR10201z

  HW: ServerIronGT C-Series Router, SYSIF version 21, Serial #: Non-exist

==========================================================================

SL 1: WSM6-SSL Management Module, SYSIF 2, M6, ACTIVE

      Serial #:   CH42070474

    0 MB SHM, 1 Application Processors

16384 KB BRAM, SMC version 5, BM version 21

  SW: (1)10.2.01zTF3

==========================================================================

SL 2: J-BxGC16 JetCore Gig Copper Module, SYSIF 2

      Serial #:   CH42070402

4096 KB BRAM, JetCore ASIC IGC version 49, BIA version 8a

32768 KB PRAM and 2M-Bit*1 CAM for IGC  4, version 0449

32768 KB PRAM and 2M-Bit*1 CAM for IGC  5, version 0449

32768 KB PRAM and 2M-Bit*1 CAM for IGC  6, version 0449

32768 KB PRAM and 2M-Bit*1 CAM for IGC  7, version 0449

==========================================================================

Active management module:

  1.0 GHz Power PC processor 750GX (version 7002/0102) 66 MHz bus

  512 KB boot flash memory

16384 KB code flash memory

  512 KB SRAM

  512 MB DRAM                                                    

The system uptime is 36 days 21 hours 15 minutes 16 seconds

The system started at 22:42:49 GMT+01 Mon Jul 23 2012

The system : started=cold start  

I saw lots of other postings concerning this problem but no working solution to get it working and upload a new certificate.

Any help/hint/pointer would be much appreciated while I try to find the reason and solution myself.

cheers, Michael
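The transcript above shows password authentication succeeding, the exec request for `scp -v -t -- sslkeypair:mail2:PASSPHRASE:pem` being accepted, and then an immediate exit-status and close with no "Sending file modes" line, so the device accepted the command and hung up before the scp protocol exchange began. The following triage script makes that reading mechanical for anyone hitting the same thing. It is an added shell example for this thread, not vendor code; the stage names are mine, and the sample transcript in the test is a constructed subset of the lines posted above.

```shell
#!/bin/sh
# Triage an 'scp -v' / 'ssh -vvv' transcript of a failed upload to a ServerIron.
# Added example for this thread, not vendor code; stage names are mine.
# It answers one question: did the remote end drop the session before or
# after accepting the scp command, and did the scp handshake ever start?

# Print one of: auth-not-completed, exec-rejected,
# remote-closed-before-transfer, transfer-started.
ssh_scp_stage() {
  log=$1
  if ! grep -q 'Authentication succeeded' "$log"; then
    echo auth-not-completed
  elif ! grep -q 'exec request accepted' "$log"; then
    echo exec-rejected
  elif ! grep -q 'Sending file modes' "$log"; then
    # OpenSSH scp -v prints "Sending file modes:" only after the remote side
    # acknowledges the transfer; if it never appears, the remote hung up first,
    # which is exactly the pattern in the transcript above.
    echo remote-closed-before-transfer
  else
    echo transfer-started
  fi
}

# Extract the remote target the client actually sent: the last word of the
# "Sending command: scp ..." line (works with or without the "--" separator).
ssh_scp_target() {
  awk '/Sending command: scp/ { t = $NF } END { if (t != "") print t }' "$1"
}

# Count the colon-separated fields in a target such as
# sslkeypair:mail2:PASSPHRASE:pem; the syntax in the thread expects 4.
target_field_count() {
  printf '%s\n' "$1" | awk -F: '{ print NF }'
}

# Run directly as: sh ssh_triage.sh <transcript>; does nothing when sourced.
if [ -n "${1-}" ]; then
  echo "stage:  $(ssh_scp_stage "$1")"
  t=$(ssh_scp_target "$1")
  echo "target: $t ($(target_field_count "$t") fields)"
fi
```

A target with more or fewer than four fields (for example a passphrase containing ':') points at the client-side command; a clean four-field target with remote-closed-before-transfer points at the device's handling of the upload, which is where the thread's transcript lands.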
