Manuals / Intel / TV and Video / TV Mount

Intel A31032-001 manual Creating a Client CA Certificate using OpenSSL§

Models: A31032-001

1 196

Download 196 pages 18.6 Kb

Page 42

C H A P T E R 3 Intel® NetStructure™ 7110/7115 e-Commerce Accelerator User Guide

NOTE: To acquire a copy of OpenSSL§ for your environment, access the OpenSSL§ Web site at www.openssl.org

NOTE: In this example, ca_cert.pem is your trusted CA and signing certificate

Creating a Client CA Certificate using OpenSSL§

There are software packages available that handle the details of client certificate generation, however, you can implement them manually. The following example illustrates the appropriate steps using OpenSSL§:

1.Generate the key pair for the client CA: openssl genrsa -out ca_key.pem 1024

2.Generate the client CA certificate:

openssl req -new -x509 -config intel.cnf -key ca_key.pem -days 365 -out ca_cert.pem

3.Using the import client_ca command, import ca_cert.pem For each client:

1.Generate a key pair:

openssl genrsa -out key.pem 1024

2.Generate a certificate signing request:

openssl req -new -config intel.cnf -days 365 -key key.pem -out csr.pem

3.Sign the client certificate signing request with the client CA certificate:

openssl x509 -req -CAcreateserial -CAkey

ca_key.pem -CA ca_cert.pem -days 365 -in csr.pem -out cert.pem

4.Convert from PEM to PKCS12 format in signed certificate form:

openssl pkcs12 -export -in cert.pem -inkey key.pem -name "<Client ID>" -out cert.p12

5.Import the output file from step 4, cert.p12, the signed certificate, into the client browser.

3-20

Image 42

Intel A31032-001 manual Creating a Client CA Certificate using OpenSSL§, Generate the client CA certificate

Contents

Intel NetStructure 7110/7115 e-Commerce Accelerator VersionCopyright TrademarksTable of Contents Theory of Operation Scenarios Remote Management Alarms and Monitoring Troubleshooting Appendix a Front Panel List of Figures Xii Introduction About this User GuideNew in This Release Remote ManagementWho Should Use this Book Before You BeginHow to Use this Book Glossary defines terms appearing in this User Guide Page Installation and Initial Configuration Installing the 7110/7115 Free- Standing or in a Rack Rack InstallationFree-Standing Installation Network ConnectionsNetwork and Server LEDs Admin Terminal ConnectionStatus Check Inline LEDHyperTerminal§ Paste Operations Troubleshooting Continuing ConfigurationServer and Network LEDs Theory of Operation SecuritySingle Server Acceleration 7110/7115 in Single Server Configuration Multiple ServersWorking with Internet Traffic Management ITM Devices Positioning 7110/7115 between ITM Device and Client NetworkPositioning 7110/7115 between ITM Device and Server Scalability and CascadingSpilling and Throttling Keys and Certificates AvailabilityCutting and Pasting with HyperTerminal§ Create a Certificate Signing Request ProcedureCreate a key Type the create key command at the prompt Intel 7115 create signCertificate REQUEST----- lines Intel 7115 export sign mywebserverAsciix Enter Typically, the CSR will look something like this EnterSave the configuration when the server has been mapped Exporting a Key/Certificate from a ServerApache Interface to Open SSL§ modssl Apache SSL§ Stronghold§ Importing into the 7110/7115Intel 7115 import key mywebserver Save the configuration when the server has been mapped Create a key as follows Enter the create cert command with the keyIDCreating a new Key/Certificate on the 7110/7115 Intel 7115 create cert mywebserverGlobal Site Certificates OverviewGlobal Site Certificate Paste Procedure ExampleIntel 7115 import cert keyID A P T E R Redirection Clients and Unsupported Ciphers Intel 7115 set redirectIntel 7115 show redirect Client AuthenticationTo disable a redirect URL for a mapping Intel 7115 set redirect 2 none Intel 7115 show redirectNext, import the client CA certificate for Map ID Intel 7115 import clientcaCreating a Client CA Certificate using OpenSSL§ Generate the client CA certificateGenerate a certificate signing request SSL Processing MappingAutomapping Deleting automapping entries Automapping with user-specified key and certificateAutomapping with multiple port combinations Manual mappingUse the show block command to verify Combining automapping and manual mappingSubnet IP, Specific Port All IPs, Specific PortUse show block to verify Use the show block command to confirm the block Delete a BlockIntel 7115 delete block Failure Conditions, Fail-safe, and Fail-through Scenarios Syntax Procedure for Scenario Manual ConfigurationScenario 1-Single Server Intel 7115delete map 1 Intel 7115list maps This scenario shows how to configure two or more servers Scenario 2-Multiple ServersID KeyID Scenario 3-Multiple 7110/ 7115s, Cascaded AssumptionsIntel 7115 export config Multiple Cascaded 7110/7115sSave the configuration Intel 7115 import configAfter verification y or refusal n, the prompt reappears To reverse this process Intel 7115set egressmac noneCommand Reference Online HelpCommand Line Prompt Command Line InterfaceUser Authentication Abbreviation to UniquenessA P T E R Command Line Interface Input Editing Commands Command HistoryMoving the Insertion Point Cut and Paste Command Summary Command Command Options Import Nic Password RebootInline List Command Command Options Set Command Command Options Show Status SetsnmpShowsnmp TtycharCommand Reference Help CommandsStatus Command Delete key SSL CommandsCommand Description Create key Import keyCommand Description Export key Show keyList keys Import cert Command Description Create certDelete cert Export certDisplays all certificates Command Description Show certDisplay the expanded certificate including PEM format Set ciphersCommand Description Set redirect Show redirectShow clientca Command Description Import clientca Delete clientcaCreate sign Command Description Delete sign Export signShow sign keyID Display the default certificate creation information Command Description Set defcertIssuer e-mail address. You can change all, some or none FieldSet clienttmo Command Description Set kstrengthShow kstrength Show clienttmoClient request is rejected Command Description Set servertmoDisplays the currently specified server timeout value Show servertmoDelete block Port Mapping CommandsCommand Definition Create block Show blockCommand Definition Create permit Delete permitShow permit Show map Command Definition Create mapDelete map mapID List mapsOperational Commands Command Description BypassInline Command Description Set spill Show spillRemote Management Commands Command Description Set ipMaxremotesessions Command Description Set telnet Show telnetSet telnetport Show ssh Command Description Show telnetportSet ssh Set sshportCommand Description Setsnmp snmp Showsnmp snmpSetsnmp snmpinfo CommandDescription SnmpcommunityDelete Snmp community strings Command Description Setsnmp trapauthen TrapcommunityList trapcommunity Delete trapcommunity Delete Snmp trap community strings Intel 7115 delete trapcommunityShow alarms Alarms and Monitoring CommandsCommand Description Set alarms Set rscwindowCommand Description Show rscwindow Set utlwindowSet utlhighwater Show utlhighwater Command Description Set utllowwaterShow utlwindow Show utllowwaterCommandDescription Show ovlwindow Intel 7115 show ovlwindowConfiguration Commands Command Description Show configDisplay current volatile configuration settings Intel 7115 show config default Default configuration Config default Command Description Config compareConfig reset Config saveImport config Command Description Export configConfiguration specifics are displayed Import a configuration file paste, xmodem, uudecodeCommand Description Import upgrade Import patchList system Command Description Factorydefault Returns to factory configuration settingsShow info Administration CommandsCommand Description Password Set dateShow ether Command Description Set egressmacSet ether Set idletoSet prompt Command Description Set moreNic Set serialCommand Description Logging CommandsCommand Description Show serial ExitAll deletes all logs Command Description Delete logDelete saved log/trace files from /flash/logs List logsRemote Management OverviewRemote Management CLI Commands LimitationsA P T E R Overview Remote Telnet Sessions Local Serial ConsoleTo display the Telnet port Remote Console, TelnetChanging the Telnet Port Unix-prompttelnetRemote SSh Sessions To verify Telnet disableEnable remote SSh sessions Disabling TelnetRemote Console, SSh Unix-promptssh -1 adminPasswordpassword Changing the SSh PortDisabling SSh To verify SSh disableIntel 7115 set ssh disable To display the SSh portStandards Compliance Intel MIB TreeManagement Information Base-II MIB-II Intel Enterprise MIBs Where to find MIB FilesSupported MIBs Ceo-header.myEnterprise Private MIB Summary Following is a summary of the 7110/7115 private MIBPage Snmp ThrottlesPerSec Number of throttles per second Snmp Trap Summary Standard Snmp TrapsPrivate Traps in ssl-appliance-mib.my Intel 7115 setsnmp snmp enable Intel 7115 showsnmp snmp Intel 7115 setsnmp snmp disable Intel 7115 showsnmp snmpEnabling Snmp Specifying Snmp Information Intel 7115 showsnmp snmpinfoCommunity String Intel 7115 delete snmpcommunityUse CLI commands, setsnmp trapcommunity, list Trap Community StringAccess Control Page Alarms Monitoring CLI commands for alarm configuration are Set alarms All, esc, rsc, utl, ovl, nls None Show alarmsAlarm Modifiers and Messages Alarm TypesESC Encryption Status Change Alarm For exampleRSC Refused SSL Connections RSC Alarm CLI CommandsTo set Overload Alarm time window Extended DataThis alarm monitors three utilization threshold values UTL Utilization Threshold AlarmTo display Overload Alarm time window Intel 7115 set rscwindow Intel 7115 show rscwindowTo set Utilization Threshold Alarm high-water value UTL Alarm CLI commandsTo set Utilization Threshold Alarm time window To set Utilization Threshold Alarm low-water valueIntel 7115 set ovlwindow seconds Range OVL Overload AlarmOVL Alarm CLI Commands Intel 7115 set ovlwindow Intel 7115 show ovlwindowAlarm Logging NLS Network Link Status AlarmIntel 7115 status Respend Inline Ip 10.1.11.34 netmask Example, status alarms command Intel 7115 status alarmsMonitoring Reports Report ConfigurationMonitoring Monitor report formatMonitoring Reports CLI Commands Intel 7115 set monitoringfieldsIntel 7115 set monitoring enable Intel 7115 show monitoring Intel 7115 show monitoringfieldsPage Software Updates Using Windows§ HyperTerminal§ Press y for yes at the Continue with upgrade? promptIntel 7115 import upgrade Command import patch Connect the serial cable to the 7110/7115 auxiliary consoleTo send the uuencoded file use the ~ command Intel 7115import upgradeIntel 7115import patch Page Troubleshooting Intel 7115 set clienttmo Error message Intermediate See Global Site CertificatesThen use the nic command to force Error message ServerSettings Different mediaFront Panel LEDsFront Panel LEDs Buttons and SwitchesPress to physically force bypass mode bypass 7110/7115 ProcessingSee Appendix B, Failure OverloadConnectors Enable 7110/7115 processing Failure/Bypass ModesFail-through Switch Security Level Bypass ButtonP E N D I X B Fail-through Switch Security Level Page Supported Ciphers Cipher StrengthSSL Version Level RC4-64 SSLv2 RC2 SSLv2RC2128 RC464Page Regulatory Information Taiwan Class a EMI StatementVcci Statement FCC Part 15 Compliance StatementCanada Compliance Statement Industry Canada CE Compliance StatementCispr 22 Statement Vcci Class a Japan AustraliaAvertissement Warnung Advertencias Wichtige Sicherheitshinweise Wichtige Sicherheitshinweise Page Terms and Conditions and Software License END User Terms and Conditions of Sale and Software LicensePage P E N D I X E Page Year warranty Process of being installed Export Law Regulations Page Glossary Glossary-2 Glossary-3 Glossary-4 North America only Support ServicesWorldwide Access to Technical Support Japan onlySupport-2 Intel NetStructure 7110/7115 e-Commerce Accelerator User Support-4 Index D E Index-3 Index-4