Manuals / Nortel Networks / Computer Equipment / Network Router

Nortel Networks NN46120-104 manual Certiﬁcates and Client Authentication

Models: NN46120-104

1 300

Download 300 pages 2.66 Kb

Page 93

.

93

Certiﬁcates and Client Authentication

This chapter describes common tasks involving certificates and client authentication. The chapter also provides detailed step-by-step instructions for generating certificate signing requests, adding certificates to the Nortel VPN Gateway (NVG), generating and revoking client certificates, as well as configuring the VPN Gateway to require client certificates.

The VPN Gateway supports importing certificates in the PEM, NET, DER, PKSCS7, and PKCS12 formats. The certificates must conform to the X.509 standard. You can create a new certificate, or use an existing certificate. The VPN Gateway supports using up to 1500 certificates. The basic steps to create a new certificate using the command line interface of the VPN Gateway are:

•Generate a Certificate Signing Request (CSR) and send it to a Certificate Authority (CA, such as Entrust or VeriSign) for certification.

•Add the signed certificate to the VPN Gateway.

Note: Even though the VPN Gateway supports keys and certificates created by using Apache-SSL, OpenSSL, or Stronghold SSL, the preferred method from a security point of view is to create keys and generate certificate signing requests from within the VPN Gateway by using the command line interface. This way, the encrypted private key never leaves the VPN Gateway, and is invisible to the user.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Copyright © 2007-2008 Nortel Networks

Image 93

Nortel Networks NN46120-104 manual Certiﬁcates and Client Authentication

Contents

User Guide Licensing ExportContents Upgrading the NVG Software Snmp Agent 183 Copyright 2007-2008 Nortel Networks Preface Who Should Use This Book VPN Gateway 6.0 Application Guide for SSL Acceleration Related documentationProduct Names How This Book Is Organized Users GuideAppendices Adding User Preferences Attribute to Active Directory Typographic Conventions AaBbCc123Host# telnet IP Address Getting help from the Nortel Web site How to Get HelpVPN Introducing the VPN GatewaySSL Acceleration VPN Hardware Platforms Feature List Software FeaturesWeb Portal Transparent Mode Access User AuthenticationUser Authorization Client Security Secure Service PartitioningAccounting and Auditing NetworkingBranch Office Tunnels Portal GuardSSL Acceleration Scalability and Redundancy Certificate and Key ManagementPublic Key Infrastructure Supported Handshake Protocols Supported Key and Certificate FormatsHash Algorithms Cipher SuitesSecure Portable Office SPO Client Virtual DesktopIntroducing the VPN Gateway Introducing the ASA 310-FIPS HSM Overview FIPS140-1 Level 3 Security Extended Mode vs. Fips ModeConcept of iKey Authentication Types of iKeysWrap Keys for ASA 310-FIPS Clusters CODE-USER Available Operations and iKeys RequiredHSM-SO HSM-US Additional HSM Information Introducing the ASA 310-FIPS Initial Setup New and Join ClustersConﬁguration is Replicated among Master NVGs Clustering Over Multiple SubnetsIP Address Types Ports Interfaces One-Armed ConﬁgurationTwo-Armed Conﬁguration Two-Armed Configuration without Application Switch Setup Menu Conﬁguration at Boot UpSetting Up a One-Armed Conﬁguration Installing an NVG in a New ClusterStep Action Choose new from the Setup menu Specify the port you want to use for network connectivityEnter a default gateway address Enter network mask and Vlan tag IDEnter a Management IP address MIP Setting Up a Two-Armed Conﬁguration Configure the management interface port numberSpecify the host IP address for the current VPN Gateway Specify a new port number for the traffic interface Enter a default gateway address on the traffic interfaceSpecify a host IP address on the traffic public interface Interface gateway IP addressSelect Complete the New SetupPress Enter if correct Enter if correctWizard To acceptEnter to accept Create the accountEnter Network mask for the pool range Creating IP pool 10.10.20.99Settings Created by the VPN Quick Setup Wizard Default Network Basic VPN SetupDefault Services Joining a VPN Gateway to an Existing Cluster Enter the VPN Gateway ’s host IP address Specify the port to be used for network connectivityEnter the Management IP address MIP of the existing cluster Step Action Choose join from the Setup menuAccepts Complete the Join Setup Enter the default gateway on the traffic interfaceSpecify the VPN Gateway type Wait until the Setup utility has finished Admin userAs slave Installing an ASA 310-FIPS in a New Cluster Installing an ASA 310-FIPSUse Fips or Extended Security Mode? fips/extended HSM-SO password HSM-SO password, or use the same HSM-SO password as for Card Press Enter to select new Adding an ASA 310-FIPS to an Existing Cluster Setup Menu Join Join an existing iSD cluster New Adding an ASA 310-FIPS to an Existing Cluster For this HSM card Re-enter to confirm HSM-SO iKey has been updatedCluster Verify that CODE-SO iKey black is inserted in cardThat you used in Step End Log in as user boot, password ForgetMe Reinstalling the SoftwareContinue y/n? y Press Enter to continue Tag id or EnterIf correct Restarting system Alteon WebSystems,I nc C Booting Login Upgrading the NVG Software Main# boot/software/download Performing Minor/Major Release UpgradesEnter the host name or IP address of the server Activating the Software Upgrade PackageEnter hostname or IP address of server server host Name or IPSoftware Management# cur At the Software Management# prompt, enterActivate ok, relogin Main# boot/software/curHere Upgrading the NVG Software Managing Users and Groups User Rights and Group Membership Access the User Menu Step Action Log in to the NVG cluster as the admin userAdding a New User Add the new user and designate a user nameUser# edit certadmin Define a login password for the userAssign the new user to a user group Verify and apply the group assignmentApply the changes Groups# /cfg/sys/user User# edit certadminRemove the admin user from the certadmin group User# edit adminVerify and apply the changes Adding Users through Radius Login certadmin Changing a Users Group AssignmentStep Action Log in to the NVG cluster User admin# groups/add Enter group name certadmin Changing a Users Password Changing Your Own PasswordType the passwd command to change your current password Type the password command to initialize the password change Changing Another Users PasswordApply the changes Deleting a User User# del certadminUser# list Oper Root Admin Certadmin User# apply Certiﬁcates and Client Authentication Generating and Submitting a CSR Using the CLI ~ ! @ # $ % * / \ ? Apply your changes Save the CSR to a fileSave the private key to a file Open and copy the CSR KEY----- and -----END RSA Private KEYSubmit the CSR to Verisign, Entrust, or any other CA PEM NET DER Adding Certiﬁcates to the NVGCopy-and-Paste Certiﬁcates Copy the contents of your certificate fileCertificate 1# apply Changes applied successfully Copy the contents of your private key file Paste the contents of the key file at the command promptCopy-and-Paste Private Key Using TFTP/FTP/SCP/SFTP to add Certiﬁcates and Keys Name or IP address Enter the desired file nameAdd your private key if in a separate file End Create a New Certiﬁcate Update Existing CertiﬁcateStep Action Check the certificate numbers currently in use Add a certificate with a new certificate numberStep Action Conﬁgure a Virtual SSL Server to Require a Client CertiﬁcateMain# cfg/cur ssl Apply your settingsSSL# server RequireEnter for client certificate Generating client certiﬁcatesSpecify the validity period, key size, and serial number Key size 512/1024 Serial number of client certificate Main# cfg/ssl/server Export Client Certiﬁcate ComCert.pfx Transmit Private Key and Certiﬁcate to User Revoking Client Certiﬁcates Issued by an External CA Managing Revocation of Client CertiﬁcatesDownload and add a CRL from a TFTP/FTP/SCP/SFTP server Crl.der Crl.ascii Creating Your Own Certiﬁcate Revocation List Automatic CRL Retrieval Main /cfg/cert 1/revoke/automatic Http//10.42.128.30/server.crlInfo/certs command Enter the password in the Ndic login screen Click Connect Client certiﬁcate supportClick Connect Paste the CSR Signing CSRsMain# cfg/ssl/server #/adv/sslconnect/verify/cacer Generate Test Certiﬁcate Step Action Specify an unused certificate numberProvide the requested information Automatic CRL Retrieval Show Certiﬁcate Information General CommandsShow Subject Information Check if Key and Certiﬁcate MatchShow Key Information Show Key SizeCertificates and Client Authentication Virtual Desktop Licensing vdesktop Running the Virtual Desktop on Client ComputersClick Save Launch Vdesktop from PortalVirtual Desktop Operations Command Line Interface Procedure Connecting to the VPN GatewayEstablishing a Console Connection RequirementsEnabling and Restricting Telnet Access Establishing a Telnet ConnectionRunning Telnet Enabling and Restricting SSH Access Establishing a Connection Using SSH Secure ShellRunning an SSH Client Telnet IP addressEstablishing a Connection Using SSH Secure Shell Accessing the NVG Cluster ForgetM User Access Level Description Default Account Group PasswoCLI vs. Setup Command Line History and Editing Idle Timeout Troubleshooting the NVG Check the Access List Enable Telnet or SSH AccessCannot Connect to VPN Gateway through Telnet or Verify the Current ConﬁgurationCheck the IP Address Conﬁguration Cannot Add an NVG to a Cluster Add Interface 1 IP Addresses and MIP to Access List # /cfg/sys/accesslist/addCannot Contact the MIP Troubleshooting the NVG NVG Stops Responding Telnet or SSH Connection to the Management IP AddressConsole Connection Administrator User Password User Password is LostOperator User Password Root User PasswordAn ASA 310-FIPS Stops Processing Trafﬁc Password enter the admin user passwordMain# maint/hsm/login Password associated with the HSM-USER iKey for card# /info/events/alarms Resetting HSM Cards on the ASA 310-FIPS Main# /boot/delete End Step Action Existing Enter the same secret passphrase as was used Former cluster Transfer the cluster wrap key to cardSame secret passphrase as was used in the former Cluster Wait for the setup of the added ASA 310-FIPS to finishMain# cfg/gtcfg User Fails to Connect to the VPN AaaMain# maint/starttrace Ike DnsIpsec IppoolSsl Upref SmbFtp Netdirectpacket NetdirectIs Net Direct enabled and configured correctly? Netdirectpacket End Cannot download the NetDirect Zipped ﬁle from client PC System Diagnostics Installed Certiﬁcates and Virtual SSL ServersNetwork Diagnostics # /stats/dump # /cfg/sys/cur# /info/ethernet # ping IP address of virtual serverError Log Files Active Alarms and the Events Log File# /cfg/ssl/server #/trace/ssldump # /info/events/downloadUnable to download NetDirect from VPN server Troubleshooting the NVG Supported Ciphers Appendix Supported CiphersSupported Ciphers cont’d Cipher List Formats Modifying a Cipher List Cipher Strings and Meanings Supported Cipher Strings and MeaningsCipher Strings and Meanings cont’d Appendix Snmp Agent SNMPv2-MIB Supported MIBsSNMP-TARGET MIB SNMP-FRAMEWORK-MIBLimitations SNMP-USER-BASED-SM-MIBIP-MIB IANAifType-MIB ALTEON-ISD-PLATFORM-MIBFollowing Snmp traps are supported by the VPN Gateway Supported TrapsSnmp Agent Appendix Syslog Messages List of Syslog Messages Config filesystem corrupt beyond repairOperating System OS Messages Root filesystem corruptMissing files in config filesystem Config filesystem corruptSystem Control Process Messages System started isdssl-versionName singlemaster Name isddownName logopenfailed Name makesoftwarereleasepermanentfailedName license Name copysoftwarereleasefailed Sender IPName sslhwfail Name hsmnotloggedinName partitionednetwork Name softwareconfigurationchangedName ssimipishere Name licenseexpiresoonTrafﬁc Processing Messages Vbscript error reason for hostpath Javascript error reason for hostpathJscript.encode error reason Css error reasonSocks error reason Html error reasonBad Ipport data line in hc script Bad regexp expr in health checkProxy connect host name too long host Certificate CRL handling errorsTPS license limit limit exceeded Gzip error reasonLicense expired Certificate CRL handling warningsStartup Messages AAA Subsystem Messages Conﬁguration Reload MessagesLog functionality Ldap backends unreachable Vpn=\id\ AuthId=\authid\Host host ip is up accounted for in the license pool IPsec Subsystem Messages All credits are exhausted for IPSec SA Ignoring request to roam from %s to %sPFS is required but not provided by %s Error while decoding certificate DER Id Bad clicert, Can’t find issuer in clicertFailed to allocate IP addr from empty pool Failed to decode client certRevocation byte length %d Deleting the QM replaced by new rekeyed QMLoaded ca certificate %s Loaded server cert %sSyslog Messages in Alphabetical Order Syslog Messages in Alphabetical OrderSyslog Messages in Alphabetical Order cont’d Config filesystem re-initialized Down AAA Html IPsec Isakmp SA Established Isddown Cfg/sys/cur command Gateway but /cfg/vpn # /ser Loaded server id *will not Processing Received Delete Isakmp SA Socks error reason System started isdssl-version VPN LoginFailed Vpn=id Appendix License Information OpenSSL License IssuesOriginal SSLeay License GNU General Public License GNU General Public LicenseTerms and Conditions for COPYING, Distribution Modification 227 License Information No Warranty Apache Software License, Version 231 License Information Scope Appendix HSM Security PolicyOverview Applicable DocumentsAlgorithm How it is used by the HSM module Used Fips Mode? CapabilitiesSHA-1 Module Interfaces Physical SecurityComponents Deﬁnition of Security Relevant Data Items HSM Security Policy Roles and Services User Creation ServicesYES Service FIPS140-1 Level 3 Mode EPK, DPK EPK MK, Sopin Key Generation Key ManagementKey Storage Key Entry and OutputKey Distribution Modes Fips 140-1 ModeKey Destruction Key ArchivingSelf-Tests Non-FIPS 140-1 ModeRC4 KAT ConclusionAppendix Deﬁnition of Key Codes Allowed Special Characters Syntax DescriptionAllowed Special Characters Explanation Redeﬁnable KeysExample of a Key Code Deﬁnition File Appendix SSH host keys Methods for Protection VPN Gateway SSH host keys 261 Install All Administrative Tools Windows 2000 Server Register the Schema Management dll Windows ServerStep Action Click Start and select Run Add Standalone Snap-in window is displayed Create a Shortcut to the Console Window Under Snap-in, select Active Directory Schema and click AddPermit Write Operations to the Schema Windows 2000 Server Right-click Attributes, point to New and select AttributeClick Continue Create New Class Create the isdUserPrefs attribute as shown Click OKCreate the nortelSSLOffload class as shown Click Next Click Finish Add isdUserPrefs Attribute to nortelSSLOffload ClassAdd the nortelSSLOffload Class to the User Class Click OK Adding User Preferences Attribute to Active Directory Appendix Using the Port Forwarder API General =1&c=1 Creating a Port ForwarderDemo Application Content.zip file Example Creating a Port Forwarder AuthenticatorExample Using the Port Forwarder API Adding a Port Forwarder Logger Using the Port Forwarder API Example Connecting Through a Proxy Monitoring the Port Forwarder StatusStatistics Using the Port Forwarder API CLI Command Line Interface Access RulesGlossary Base ProfileConsole Connection Cluster of VPN GatewaysCRL Certificate Revocation List CSR Certificate Signing RequestDPort Destination Port DIP Destination IP AddressDTE Data Terminal Equipment Extended ProfileIP Interface Http ProxyMaster MIB Management Information BaseNTP Network Time Protocol NslookupPassphrase PEM Privacy Enhanced MailPortal Setup UtilityPort Forwarder Real Server GroupSlave SIP Source IP AddressSnmp Simple Network Management Protocol SPort Source PortSSL VPN client SSL Secure Sockets Layer ProtocolSTP Spanning Tree Protocol TLS Transport Layer SecurityVirtual Router VIP Virtual Server IP AddressVirtual SSL Server Vlan Virtual Local Area Network509 Index HSM SSL 298 Page User Guide