1 Secure GSLB

ServerIron(config)#wr mem
.Write startup-config in progress.
..Write startup-config done.
ServerIron(config)#Saving SSH host keys process is ongoing. Please wait
.................................................................................
......Writing SSH host keys is done!
SLB-Ctrl-ServerIronADX(config)#^Z
SLB-Ctrl-ServerIronADX#reload

A write mem followed by a reload is required after generating the key. Next, enter the crypto key generate rsa command on the site ServerIron ADX, then write mem and reload it as well.

Notice that the public key is displayed in cleartext, whereas the private key is never displayed.

NOTE

The crypto RSA component calls the same key functions as SSH. Similar to the SSH implementation, the public and private keys for each ServerIron ADX are stored in its E2PROM. The private key cannot be seen or displayed using any CLI commands or any other user interface. Not even an administrator can gain access to the private key.

Exchanging public keys

Each ServerIron ADX must exchange public keys with each peer ServerIron ADX it needs to communicate with. This exchange allows the peers to authenticate before the GSLB communication starts.

The public key itself travels in-band over the key-exchange connection. The ServerIron ADX relies on an out-of-band channel for the fingerprint of that key: the network administrator telephones the peer site administrator, reads out the fingerprint of the public key, and both verbally confirm that the fingerprints match. This confirms that the key received actually belongs to the peer and was not substituted in transit. SHA-1 is the algorithm used to generate the fingerprint. Compare the complete fingerprint, not just its first few groups, since a partial comparison weakens the check.

The public key exchange sequence is illustrated below with an example. In the example, Bob (the site ServerIron ADX) and David (the controller ServerIron ADX) are two network administrators who want to exchange public keys. For security reasons, we recommend that both administrators be locally logged into the console ports (not telnetted in) during this procedure.

1. (Optional) Both Bob and David issue the gslb auth-encrypt-communication peer-pub-key-expire <timeout> command before exchanging keys with crypto key-exchange. If the keys are exchanged first, a one-time setting does not take effect until the next exchange. Refer to “Selecting a peer public key management option” on page 62 for more options. If you do not set a peer-pub-key-expire value, the default is 180 seconds.

SLB-Site-ServerIronADX(config)# gslb auth-encrypt-communication peer-pub-key-expire one-time

2. Bob opens a passive key-exchange connection with the following command, so that the site ServerIron ADX waits for the peer to connect.

SLB-Site-ServerIronADX(config)#crypto key-exchange passive
Enter Control-c to abort if connection does not complete.
Wait for connection from peer(enter 'y' or 'n'): y
Waiting ....

The command syntax is crypto key-exchange passive [<decimal>]. The <decimal> parameter specifies the TCP port used for the key exchange communication. If you use <decimal>, the value configured on both the sending side and receiving side must match.
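The following is an added example, not code from the Brocade guide or from the ServerIron ADX itself, that models the exchange described above in Python: the passive side waits, the active side connects, each receives the peer's public key in-band, and each administrator then checks the SHA-1 fingerprint of what arrived against the value the peer read out over the phone. It also models the peer-pub-key-expire policy (a timeout in seconds, default 180, or one-time). The key blobs, the colon-separated fingerprint layout, the in-memory channel and the tamper hook are all constructed for illustration; the real ADX wire format and display format are not documented on this page.

```python
import hashlib
import hmac
import time
from typing import Callable, Optional

# Constructed sample key blobs standing in for the RSA public keys the site and
# controller ServerIron ADX would send in-band. They are not real keys.
SITE_PUBKEY = b"CONSTRUCTED-SITE-RSA-PUBKEY:" + bytes(range(0, 64))
CTRL_PUBKEY = b"CONSTRUCTED-CTRL-RSA-PUBKEY:" + bytes(range(64, 128))
ROGUE_PUBKEY = b"CONSTRUCTED-ROGUE-RSA-PUBKEY:" + bytes(range(128, 192))


def fingerprint(pubkey: bytes) -> str:
    """SHA-1 fingerprint of a public key blob, rendered as colon-separated hex.
    The colon layout is an assumed display format, not the ADX's own."""
    digest = hashlib.sha1(pubkey).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 40, 2))


def fingerprint_matches(received_key: bytes, spoken: str) -> bool:
    """Compare the fingerprint of the key that arrived in-band against the
    value the peer administrator read out over the phone. All 40 hex digits
    must be read back; a partial fingerprint is rejected, not accepted."""
    spoken_hex = spoken.strip().lower().replace(":", "").replace(" ", "")
    if len(spoken_hex) != 40:
        return False
    local_hex = fingerprint(received_key).replace(":", "")
    return hmac.compare_digest(local_hex, spoken_hex)


class PeerKeyStore:
    """A peer's public key under the peer-pub-key-expire policy: either a
    timeout in seconds (default 180) or 'one-time', after which the key must
    be exchanged again."""

    def __init__(self, expire: str = "180", clock: Callable[[], float] = time.time):
        self.clock = clock
        self.one_time = expire == "one-time"
        self.timeout = None if self.one_time else int(expire)
        self.key: Optional[bytes] = None
        self.installed_at = 0.0
        self.used = False

    def install(self, key: bytes) -> None:
        self.key, self.installed_at, self.used = key, self.clock(), False

    def get(self) -> Optional[bytes]:
        """Return the peer key if still valid, else None (re-exchange needed)."""
        if self.key is None:
            return None
        if self.one_time:
            if self.used:
                return None
            self.used = True
            return self.key
        if self.clock() - self.installed_at > self.timeout:
            self.key = None
            return None
        return self.key


def key_exchange(passive_key: bytes, active_key: bytes,
                 tamper: Optional[Callable[[bytes], bytes]] = None):
    """Model of crypto key-exchange: the passive side waits, the active side
    connects, and each sends its public key in-band. 'tamper' stands for an
    on-path attacker rewriting what is delivered; None means an honest path."""
    deliver = tamper or (lambda k: k)
    received_by_passive = deliver(active_key)
    received_by_active = deliver(passive_key)
    return received_by_passive, received_by_active


def run_exchange(expire: str = "180", tamper=None, clock=time.time):
    """Full procedure: exchange keys, verify fingerprints out-of-band, and
    install only a key whose fingerprint matched. Returns per-side results."""
    site_store = PeerKeyStore(expire, clock)   # Bob's site ADX stores David's key
    ctrl_store = PeerKeyStore(expire, clock)   # David's controller ADX stores Bob's key
    got_at_site, got_at_ctrl = key_exchange(SITE_PUBKEY, CTRL_PUBKEY, tamper)
    # Each administrator reads the fingerprint of their OWN key aloud; the peer
    # compares it with the fingerprint of what actually arrived.
    site_ok = fingerprint_matches(got_at_site, fingerprint(CTRL_PUBKEY))
    ctrl_ok = fingerprint_matches(got_at_ctrl, fingerprint(SITE_PUBKEY))
    if site_ok:
        site_store.install(got_at_site)
    if ctrl_ok:
        ctrl_store.install(got_at_ctrl)
    return {"site_verified": site_ok, "ctrl_verified": ctrl_ok,
            "site_store": site_store, "ctrl_store": ctrl_store}


if __name__ == "__main__":
    honest = run_exchange()
    print("honest exchange verified:", honest["site_verified"], honest["ctrl_verified"])
    swapped = run_exchange(tamper=lambda _k: ROGUE_PUBKEY)
    print("substituted key detected:", not swapped["site_verified"])
```

The point of the model is the order of operations: a key that arrived in-band is installed only after its full fingerprint has been confirmed over the phone, so an on-path substitution (the tamper hook) is caught before any GSLB communication uses the key, and an installed key stops being usable once the expire policy says so, forcing a fresh exchange.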

60

ServerIron ADX Global Server Load Balancing Guide


53-1002437-01

Brocade Communications Systems 12.4.00 manual Exchanging public keys