ServerIron ADX Global Server Load Balancing Guide (53-1002437-01), Chapter 1: Secure GSLB, page 60
ServerIron(config)#wr mem
.Write startup-config in progress.
..Write startup-config done.
ServerIron(config)#Saving SSH host keys process is ongoing. Please wait
.................................................................................
......Writing SSH host keys is done!
SLB-Ctrl-ServerIronADX(config)#^Z
SLB-Ctrl-ServerIronADX#reload
A write mem followed by a reload is required. Next, enter the crypto key generate rsa command on
the site ServerIron ADX and reload.
Notice the public key is cleartext whereas the private key is not.
NOTE
The crypto RSA component calls the same key functions as SSH. Similar to the SSH implementation,
the public and private keys for each ServerIron ADX are stored in its E2PROM. The private key cannot
be seen or displayed using any CLI commands or any other user interface. Not even an administrator
can gain access to the private key.
Exchanging public keys
Each ServerIron ADX must exchange public keys with each peer ServerIron ADX it needs to
communicate with. This exchange allows the peers to authenticate before the GSLB
communication starts.
The public keys themselves travel over the network, so the ServerIron ADX relies on an out-of-band
channel to confirm the fingerprint of each public key; this is what ensures that the key a device
received actually belongs to its peer and not to someone on the path between them. To exchange
public keys, the network administrator telephones the peer site administrator, reads out the
fingerprint of the public key, and both verbally verify that the fingerprints match. SHA-1 is the
algorithm used to generate the fingerprint; compare the whole fingerprint, not just its first few
bytes.
The public key exchange sequence is illustrated below with an example. In the example, Bob (at the
site ServerIron ADX) and David (at the controller ServerIron ADX) are two network administrators
who want to exchange public keys. For security reasons, we recommend that both administrators be
logged in locally on the console ports (not through Telnet) during this procedure.
1. (Optional) Both Bob and David issue the gslb auth-encrypt-communication peer-pub-key-expire
<timeout> command before exchanging keys with crypto key-exchange passive. If the keys
were exchanged first, a one-time setting would not take effect until the next exchange. Refer to
“Selecting a peer public key management option” on page 62 for more options. If you do not
set peer-pub-key-expire, the default value is 180 seconds.
SLB-Site-ServerIronADX(config)# gslb auth-encrypt-communication
peer-pub-key-expire one-time
2. Bob enables a key exchange connection with the following command.
SLB-Site-ServerIronADX(config)#crypto key-exchange passive
Enter Control-c to abort if connection does not complete.
Wait for connection from peer(enter 'y' or 'n'): y
Waiting ....
The command syntax is crypto key-exchange passive [<decimal>]. The <decimal> parameter
specifies the TCP port used for the key exchange communication. If you use <decimal>, the
value configured on both the sending side and receiving side must match.
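The exchange and the telephone fingerprint check described above, modelled in Python as an added example. This is not ServerIron ADX code and does not reproduce the device's wire format: the length-prefixed key framing, the loopback port, the stand-in key bytes and the function names are all assumptions. The passive side stands in for crypto key-exchange passive [<decimal>], the connecting side for its peer, and the second run shows why the verbal SHA-1 comparison matters: an on-path attacker substitutes the controller's key in transit, and the site administrator's check against the fingerprint David reads out fails.

```python
"""Model of the GSLB peer public-key exchange plus the out-of-band fingerprint check.
Added example; not ServerIron ADX code, and the framing/port/key bytes are assumptions."""
import hashlib
import hmac
import socket
import struct
import threading


def fingerprint(pub_key: bytes) -> str:
    """SHA-1 fingerprint of a public-key blob, rendered as colon-separated hex."""
    digest = hashlib.sha1(pub_key).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def verify_out_of_band(received_pub: bytes, spoken_fingerprint: str) -> bool:
    """The phone call: compare the fingerprint of the key that arrived in-band with the
    fingerprint the peer administrator reads from their own console. Tolerates colons,
    spaces and case, but requires the whole fingerprint to match."""
    local = fingerprint(received_pub).replace(":", "")
    spoken = "".join(c for c in spoken_fingerprint.lower() if c in "0123456789abcdef")
    return hmac.compare_digest(local, spoken)


def _send_blob(sock: socket.socket, blob: bytes) -> None:
    sock.sendall(struct.pack("!I", len(blob)) + blob)


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection before sending its key")
        buf.extend(chunk)
    return bytes(buf)


def _recv_blob(sock: socket.socket, limit: int = 8192) -> bytes:
    (n,) = struct.unpack("!I", _recv_exact(sock, 4))
    if not 0 < n <= limit:
        raise ValueError("implausible key length %d" % n)
    return _recv_exact(sock, n)


def passive_side(my_pub: bytes, port: int, ready: threading.Event, result: dict,
                 timeout: float = 5.0) -> None:
    """Models 'crypto key-exchange passive [port]': listen, wait for the peer to connect,
    receive its key, then send ours. The bound port is reported back through result."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    with srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", port))   # assumed: loopback stands in for the GSLB path
        srv.listen(1)
        srv.settimeout(timeout)
        result["port"] = srv.getsockname()[1]
        ready.set()
        conn, _ = srv.accept()
        with conn:
            result["peer_pub"] = _recv_blob(conn)
            _send_blob(conn, my_pub)


def active_side(my_pub: bytes, port: int, timeout: float = 5.0) -> bytes:
    """Models the connecting peer: send our key, receive the passive side's key."""
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as conn:
        _send_blob(conn, my_pub)
        return _recv_blob(conn)


def run_exchange(bob_pub: bytes, david_pub: bytes, port: int = 0,
                 on_path_substitute: bytes = None) -> dict:
    """Run one exchange between Bob (site, passive) and David (controller, active).
    If on_path_substitute is given, it replaces David's key in transit, modelling an
    attacker on the path; Bob's key is left untouched in this direction."""
    ready, site = threading.Event(), {}
    t = threading.Thread(target=passive_side, args=(bob_pub, port, ready, site))
    t.start()
    ready.wait(5.0)
    in_transit = david_pub if on_path_substitute is None else on_path_substitute
    david_got = active_side(in_transit, site["port"])
    t.join(5.0)
    bob_got = site["peer_pub"]
    return {
        # Bob checks the key he received against the fingerprint David reads out.
        "bob_verifies_david": verify_out_of_band(bob_got, fingerprint(david_pub)),
        # David checks the key he received against the fingerprint Bob reads out.
        "david_verifies_bob": verify_out_of_band(david_got, fingerprint(bob_pub)),
    }


# Constructed stand-ins for the RSA public keys each box would generate with
# 'crypto key generate rsa'; only their bytes matter for the fingerprint.
BOB_PUB = b"constructed-site-serveriron-public-key-0001"
DAVID_PUB = b"constructed-controller-serveriron-public-key-0002"
ATTACKER_PUB = b"constructed-on-path-attacker-public-key-0003"

if __name__ == "__main__":
    print("honest exchange   :", run_exchange(BOB_PUB, DAVID_PUB))
    print("key swapped in path:", run_exchange(BOB_PUB, DAVID_PUB, on_path_substitute=ATTACKER_PUB))
```

Passing a fixed port to run_exchange models the optional <decimal> parameter: both sides must use the same value or the connection never completes. Note that the TCP exchange alone accepts whatever key arrives; only the fingerprint comparison in verify_out_of_band rejects the substituted key, which is why the guide insists on the telephone step. The peer-pub-key-expire timer and one-time setting are not modelled here.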