Summary Of Ssl Procedures; Choosing A Ca; Generating A Public/Private Key; Ssl Certificate Files - HP A7533A - Brocade 4Gb SAN Switch Base Administrator's Manual
Hp storageworks fabric os 6.x administrator guide (5697-0015, may 2009)
Hide thumbs
Also See for A7533A - Brocade 4Gb SAN Switch Base:
- Administrator's manual (576 pages) ,
- Hardware reference manual (256 pages) ,
- User manual (248 pages)
Table of Contents
Advertisement
Summary of SSL procedures
You configure for SSL by obtaining, installing, and activating digital certificates for SSL support. Certificates
are required on all switches that are to be accessed through SSL.
You also need to install a certificate in the Java Plug-in on the management workstation, and you may need
to add a certificate to your Web browser.
Configuring for SSL involves these major steps, which are shown in detail in the next sections.
1.
Choose a Certificate Authority (CA).
2.
Generate the following items on each switch:
a. A public/private key (secCertUtil genkey command).
b. A certificate signing request (CSR) (secCertUtil gencsr command) and store the CSR on an
FTP server (secCertUtil export command).
3.
Obtain the certificates from the CA.
You can request a certificate from a CA through a Web browser. After you request a certificate, the CA
either sends certificate files by e-mail (public) or gives access to them on a remote host (private).
Typically, the CA provides the certificate files listed in
Table 20
SSL certificate files
Certificate file
name.crt
nameRoot.crt
nameCA.crt
4.
On each switch, install and then activate the certificate.
5.
If necessary, install the root certificate to the browser on the management workstation.
6.
Add the root certificate to the Java Plug-in keystore on the management workstation.
Choosing a CA
To ease maintenance and allow secure out-of-band communication between switches, consider using one
CA to sign all management certificates for a fabric. If you use different CAs, management services operate
correctly, but the Web Tools Fabric Events button is unable to retrieve events for the entire fabric.
Each CA (for example, Verisign or GeoTrust) has slightly different requirements; for example, some
generate certificates based on IP address, while others require an FQDN, and most require a 1024-bit
public/private key while some may accept a 2048-bit key. Consider your fabric configuration, check CA
websites for requirements, and gather all the information that the CA requires.
Generating a public/private key
Perform this procedure on each switch.
1.
Connect to the switch and log in as admin.
2.
Enter this command to generate a public/private key pair:
switch:admin>
The system reports that this process will disable secure protocols, delete any existing CSR, and delete
any existing certificates.
3.
Respond to the prompts to continue and select the key size:
Continue (yes, y, no, n): [no]
Select key size [1024 or 2048]:
Generating new rsa public/private key pair
Done.
90
Configuring standard security features
Description
The switch certificate.
The root certificate. Typically, this certificate is already installed in the
browser, but if not, you must install it.
The CA certificate. It needs to be installed in the browser to verify the
validity of the server certificate or server validation fails.
seccertutil genkey
y
1024
Table
20.
Advertisement
Table of Contents
Troubleshooting
