06-21-2012 03:23 PM
I'm wondering if anyone has some great advice on implementing PKI certificates. This is completely new to me and I guess I'm supposed to have it done by Monday! We need to become compliant with the government STIGS and this is one of those items we do not currently comply with. I do not see "chap" mentioned at all in the requirements, so even though I see them mentioned together in guides, I think I'm only worried about PKI at this point. I have looked in the admin guide and the command reference guide and though there is a little bit of information, it is beyond my abilities to know what I'm supposed to do with it. If you have experience or a good reference guide, I would really appreciate it. I not only need to know HOW to do it, but if it has any impact in my environment. We do have a PKI server, but that's about as much as I know.
I have a few fabrics (2 prod, 2 dev, 2 single switches). They are made up of
48000 - FOS 6.4.2a
4900 - FOS 6.4.2a
4100 - FOS 6.4.2a
5470 - FOS 6.4.2b
4020 - FOS 6.2.2d
One single switch is 5300 - FOS 6.4.2a, the other is a 4100.
I'm attaching the output from pkishow and authutil --show from one of my 48000s. I believe it must be default since I have not ever changed anything on any of these. I must need a tutorial on posting because I can't paste into the text box I'm typing in.
Again, any assistance or ideas is greatly appreciated!
06-21-2012 10:02 PM
In case the STIGs only require secure admin access to your switches, then it should be easy and will not interrupt your traffic.
The admin guide gives really a good step by step guide to enable SSL.
First you have to create the switch's public and private keys.
Take care with the values which you enter here. Ask your security admin; he will give you all the required information. This was in my case a difficult task to get it right so that your clients will not get any alerts. This information depends on your infrastructure. I assume that you will have to create some certificates until you get a client connection alert free.
Export the CSR and send it to your PKI provider. They will send you a certificate file back. You have to load it into the switch. As well, you should get the entire certification chain and load it into the switch too.
The last steps are to enable https with the configure command and to disallow telnet. You can block it with the IP filter policy.
I hope this helps,
06-22-2012 10:41 AM
Thank you, Andreas, for the help. I was able to figure out how to install the PKI cert and I can get to the URL with https now... however, I can also still use http. So far I have not been able to locate the command to turn off http access. Anyone know how to turn off http? Somehow I doubt I fully comply if I can bypass security...
The other thing I noticed was that https did not enable like the admin guide said it would simply by using the secCertUtil import command. I had to use secCertUtil import -config swcert -enable https. I don't see a disable http command anywhere though! Just a note in case anyone else has an issue with it.
06-23-2012 09:30 AM
You cannot disable the HTTP and telnet services in newer FOS codes. The new way is to enable IPFILTER to reject incoming traffic on ports 23 and 80. This will prevent your switch from answering on unsecured protocols.
Please have a look in the admin guide and search for IP Filter policy.
If this was helpful or answered your questions, please mark the thread. If not, please let me know.
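As an added example (not from this thread or from Brocade), here is a small audit script a security admin can run against a saved copy of the switch's `ipfilter --show` listing to confirm that the active policy no longer permits telnet (tcp/23) or http (tcp/80) from any source. The two listings embedded below are constructed samples in the shape of FOS output, not real switch dumps; column positions are an assumption, so adjust the awk fields if your release prints them differently.

```shell
#!/bin/sh
# Added example: audit an "ipfilter --show" listing for plaintext management
# ports (tcp/23 telnet, tcp/80 http) still permitted in the ACTIVE policy.
# FOS evaluates rules in order (first match wins), so a deny that precedes a
# permit for the same port counts as blocked. Column layout is assumed.

# Constructed sample: a default-style IPv4 policy, telnet and http still open.
SAMPLE_DEFAULT='Name: default_ipv4, Type: ipv4, State: active
Rule    Source IP       Protocol   Dest Port   Action
    1   any             tcp        22          permit
    2   any             tcp        23          permit
    3   any             tcp        80          permit
    4   any             tcp        443         permit
    5   any             udp        161         permit
    6   any             tcp        600 - 1023  permit'

# Constructed sample: cloned policy with explicit deny rules ahead of permits.
# (Create such a policy on the switch roughly as: clone the default, add
#  "-dp 23 -proto tcp -act deny" and "-dp 80 -proto tcp -act deny" rules at
#  the top, then activate it -- check the exact ipfilter syntax for your FOS
#  release in the command reference, and never deny tcp/22 by mistake.)
SAMPLE_HARDENED='Name: stig_ipv4, Type: ipv4, State: active
Rule    Source IP       Protocol   Dest Port   Action
    1   any             tcp        23          deny
    2   any             tcp        80          deny
    3   any             tcp        22          permit
    4   any             tcp        443         permit
    5   any             tcp        600 - 1023  permit'

# audit_ipfilter "<listing text>": prints each rule that leaves tcp/23 or
# tcp/80 open in the active policy; returns 1 if any were found, else 0.
# Caveat: a port RANGE that happens to contain 23 or 80 is not detected.
audit_ipfilter() {
    printf '%s\n' "$1" | awk '
        /^Name:/ { active = ($0 ~ /State: active/); next }
        !active || $1 !~ /^[0-9]+$/ { next }
        $3 == "tcp" && ($4 == "23" || $4 == "80") {
            port = $4
            if (!(port in decided)) {          # first matching rule decides
                decided[port] = $5
                if ($5 == "permit") {
                    printf "open: tcp/%s via rule %s\n", port, $1
                    bad = 1
                }
            }
        }
        END { exit bad ? 1 : 0 }'
}

# Usage on a real capture: audit_ipfilter "$(cat saved_ipfilter_show.txt)"
```

Run it against the default-style sample and it reports rules 2 and 3 as still open; against the hardened sample it prints nothing and exits 0.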
07-10-2012 01:53 PM
I figure I should follow up on my post...
The security part of the admin guide was pretty helpful, though it was incorrect where it said importing the certificate automatically turned on HTTPS. I had to import it with the enable https option.
I ended up putting in a ticket on this before the last response and got a little more info. They do not give us an easy way to turn off http, other than to disable the port through the IPFILTER (that is how I have turned off telnet). However, there is a configure command that you can run as root to turn off http and the http is-alive check. Since I know my root password, I did that. (root> /fabos/libexec/webdconfigure) DO NOT enable the other logging, however. That is for debug purposes only and caused my webtools to constantly break. I verified with support that it is not a good idea.
Just wanted to post in case anyone else wanted to know. BUT, "always be careful when logged in as root!"
Thanks for the helpful input, Andreas!