Page tree

Contents

Use the Security page (Settings icon –> General Settings section –> Security) to configure certificates and define HTTPS, SNMP and SSH settings. The settings you define here ensure that communications between NetMRI and managed network devices conform to best-practice security protocols. You must upload X.509 certificates in PEM format. Also, certain authentication and authorization services, such as LDAP, allow the use of certificates between the requesting client (NetMRI) and the server to protect connections from passing user login information and client-server exchanges in the clear.

Four tabs appear in the Security page:

NetMRI HTTPS Settings

In the NetMRI HTTPS Settings tab, you can do the following:

  • Install an HTTPS certificate. For information, see Installing HTTPS Certificate.
  • Enable or disable HTTP and HTTPS protocols. For information, see Running the NetMRI GUI in HTTP Mode.
    When HTTPS is enabled, you can select one or more CipherSuites to be supported. A Cipher Suite is a combination of a transport protocol (e.g.,TLS), an encryption algorithm (e.g., AES128) and an authentication algorithm (e.g., SHA). Most web browsers support a wide range of Cipher Suites; the list of default combinations provided by NetMRI are generally sufficient for most environments. High assurance environments should select only the Cipher Suites that are defined in their specific network security policy.

SSH Settings

Use the SSH Settings tab to configure the SSH protocols and ciphers used by NetMRI when connecting to network devices for configuration file collection and Configuration Command Script execution (i.e., Client mode); and the SSH protocols and ciphers supported by NetMRI when accepting connections to the Administrative Shell (i.e., Server mode). In both cases, you can selectively enable or disable the SSH v1 and SSH v2 protocols, and specify the ciphers to be supported by each protocol. For information, see Configuring Global SSH Settings.
SSH v1 does not support cipher selection in Server mode because the NetMRI SSH server automatically negotiates the cipher based on the request from the SSH v1 client.

SNMP Settings

Use the SNMP Settings tab to specify the version and community/password for accessing the NetMRI SNMP agent. By default, SNMP v1 and SNMP v2c are enabled with a default community string. High assurance environments may disable those protocols and enable SNMP v3, providing an appropriate passphrase. The NetMRI SNMP Agent is automatically configured and restarted when the settings are updated. For information, see Configuring Global SNMP Settings.
The SNMP Settings form applies only to the SNMP agent, not the SNMP protocols used by NetMRI to access network devices. When accessing network devices, NetMRI attempts SNMP v2c first, then tries SNMP v1.

CA Certificates

The CA Certificates tab provides importing and management of X.509 certificates from trusted Certificate Authorities for operations such as Active Directory and LDAP server authentication. For information, see Installing CA Certificate.

Also, see About CA Certificates for CISCO APIC for APIC-specific information.

Installing HTTPS Certificate

This process involves two tasks: generating the CSR and sending it to the CA, and importing the new certificate from the CA.

To install an HTTPS certificate, do the following:

  1. Using SSH or SCP, connect to the NetMRI Administrative Shell and enter the following command:
    configure certificates
  2. When prompted to select the certificate type, select https.
  3. When prompted for an action, choose 1. Generate CSR.
  4. When prompted to enter information for the CSR, the only required field is Common Name. You must enter the IP address or hostname of the NetMRI appliance. All other fields are optional.
  5. When the appliance generates the CSR, copy the text, as shown in the example, and paste it into the Certificate Request page of the site from which you are requesting a certificate.

-----BEGIN CERTIFICATE REQUEST-----

MIIC5zCCAc8CAQAwZDELMAkGA1UEBhMCR0IxEjAQBgNVBAgTCUJlcmtzaGlyZTEQ

MA4GA1UEBxMHTmV3YnVyeTEXMBUGA1UEChMOTXkgQ29tcGFueSBMdGQxFjAUBgNV

BAMTDTE3Mi4yMy4yNy4xOTEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB

AQDCUvDcvohVWY7tWJo/9D1Olkc9u/nXCpzdhkB1t+hPnY4b1uInhLvcJATqM6u4

kmPIqxCLFfuR3x2RYaiWiayHQP0VxUlz46UNeTPiHM8xdpX1yrclBLMfvBypZW4C

ptKgKhrn1bUV4v8qilGCkPUUICS82jSdFcSVp6pSnkfKIst+pecoX9C5jkIH/p7E

t1xXkJ2HUl92+S59o/Y0/B3V+MrBh9fy/enormcMX9dfjqJHK8FCSjezYw8TFO5V

Dz0Wf31vtQ7WD50aALDJX1gmwna0WdtDyEd2lp2XV/zFvg6eo6W+q9Wbfq+dewBA

FXXudk8ZEVICQOeRS4lRrF/jAgMBAAGgPjA8BgkqhkiG9w0BCQ4xLzAtMAkGA1Ud
----END CERTIFICATE REQUEST-----
When you receive the CA-signed certificate, upload it to the appliance and activate it. Note that the certificate must be in PEM format and the file must have a .crt extension.

6. In the Settings icon –> General Settings –> Security page, click the NetMRI HTTPS Settings tab.

7. In the HTTP Certificate section, click Upload... A message dialog appears:

The NetMRI HTTP and HTTPS server settings are about to be updated and the web server restarted. If the NetMRI web server becomes inaccessible as a result of these changes, login to the NetMRI admin shell using SSH and run the command configure http to update the web server settings. Do you wish to proceed?

8. Click Yes to proceed.

9. In the Upload dialog box, click Browse... for the .PEM-format certificate file, select the file, and click Upload. The HTTPS Certificate section updates with the new information.

Running the NetMRI GUI in HTTP Mode

NetMRI allows operation in both Hypertext Transfer Protocol Secure (HTTPS) mode and in HTTP. By default, both modes are enabled. However, Infoblox recommends disabling the HTTP mode.

To enable or disable the HTTP and HTTPS modes, do the following:

  1. Go to Settings –> General Settings –> Security.
  2. Click the Net MRI HTTPS Settings tab.
  3. Select Enable HTTP for the Net MRI Interface or Enable HTTPS for the NetMRI Interface or both. 

Use caution when saving your settings for UI browser operation. Settings on this page affect the operation of the Web server that is built into NetMRI, requiring a restart of the NetMRI web service. In case of a mistake (accidentally disabling both HTTP and HTTPS, for example), you may not be able to access the web interface after committing settings. To address this, use a terminal program, using the admin account, to connect to the NetMRI admin shell and run the configure http command, which is the command-line version of the feature set presented in the NetMRI HTTPS Settings tab.

4. Close the Settings window.

Configuring Global SNMP Settings

You can define the default SNMP protocol settings that are used by NetMRI. To configure SNMP settings for the appliance, do the following:

  1. Go to the Settings icon –> General Settings –> Security page and click the SNMP Settings tab.
  2. Enable or disable Version 1/2c. If enabled, enter a Community String.
  3. Enable or disable Version 3. If enabled, enter an SNMPv3 Passphrase.
  4. Click Update.

Configuring Global SSH Settings

You can define the default SSH protocol settings that are used by NetMRI. To configure SSH settings for the appliance, do the following:

  1. Go to the Settings icon –> General Settings –> Security page and click the SSH Settings tab.
  2. Configure settings to be used when NetMRI connects to network devices for configuration collection or Configuration Command Script execution (you must enable at least one protocol).
    • Enable or disable SSH v1 Client Status. If enabled, select an SSH v1 Client Cipher.
    • Enable or disable SSHv 2 Client Status. If enabled, click, CTRL+click or SHIFT+click to select SSH v2 Client Ciphers.

3. Configure settings to be used by NetMRI when accepting connections to the Admin Shell (you must enable at least one protocol).

    • Enable or disable SSH v1 Server Status.
    • Enable or disable SSH v2 Server Status. If enabled, click, CTRL+click or SHIFT+click to select SSH v2 Server Ciphers.

4. Click Update.

Subsequent attempts to access the NetMRI Admin Shell must comply with the new settings.

Installing CA Certificate

To install a CA certificate, do the following:

  1. Go to the Settings icon –>General Settings–>Security page and click the CA Certificates tab.
  2. Click Import.
  3. In the pop-up window, enter a logical name for the new certificate.
  4. Click Browse to locate the certificate file.
  5. Click Import to import the CA certificate to NetMRI. The certificate is added to the appliance. The newly imported CA Certificate will appear in the table in the CA Certificates tab after import is complete.

About CA Certificates for CISCO APIC

NetMRI accepts CA certificates and certificate chains, therefore you can upload both root and intermediate (one-file certificate chain) certificates. Next are recommendations and best practices for having valid APIC certificates authenticated via HTTPS in NetMRI.

For a Root CA certificate, ensure the following on the APIC side:

  1. You have selected the Root CA certificate as the default Certificate Authority.
  2. You have issued a Key Ring certificate request signed by this Certificate Authority.
  3. The APIC Key Ring certificate has been created.
  4. In APIC GUI, select Fabric -> Fabric Policies -> Pod Policies -> Policies -> Management Access -> default.
  5. Make sure that the Admin Key Ring and Oper Key Ring correspond to the one created in step 3.
    Now you can upload the Root CA certificate in the NetMRI security settings.

For an Intermediate CA certificate, ensure the following on the APIC side:

  1. You have selected the certificate chain as the default Certificate Authority. This certificate chain must include at least one Intermediate or Root CA certificate.
  2. You have issued a Key Ring certificate request signed by this Certificate Authority.
  3. The APIC Key Ring certificate has been created.
  4. In APIC GUI, select Fabric -> Fabric Policies -> Pod Policies -> Policies -> Management Access -> default.
  5. Make sure that the Admin Key Ring and Oper Key Ring correspond to the one created in step 3.
    Now you can upload the certificate chain in the NetMRI security settings.

Recommended best practices:

  • Make sure that the CA marker is set to "True" in the CA certificate. You can check it in OpenSSL.
  • Make sure that the Subject (CN) of the APIC Key Ring certificate is a fully qualified domain name or a distinguished name of the requesting device.
    When NetMRI tries to establish a connection to the APIC using SSL, it compares the APIC hostname value with the value specified in the APIC Key Ring certificate CN (common name). If they do not match, the certificate verification fails. If you want to specify something different than FQDN, for example, an IP address, for the APIC Key Ring certificate CN, include an additional Subject Alternative Name marker in X509v3 extensions:

    X509v3 Subject Alternative Name: 
    IP Address:[ip-addr]
    or
    X509v3 Subject Alternative Name: 
    DNS:FQDN
    or both of them
    X509v3 Subject Alternative Name: 
    DNS:FQDN, IP Address:ip-addr
    where ip-addr is a valid IP address of the APIC device, and FQDN is a valid fully qualified domain name.

  • Make sure to include the following markers in the APIC Key Ring certificate:

    X509v3 extensions:
    X509v3 Basic Constraints: 
    CA:FALSE
    Netscape Cert Type: 
    SSL Server
    ...
    X509v3 Key Usage: critical
    Digital Signature, Key Encipherment
    X509v3 Extended Key Usage: 
    TLS Web Server Authentication

  • Certificate date must be valid.
  • APIC and NetMRI time settings must be valid and accurate.
  • No labels

This page has no comments.