Dell PowerEdge M710HD Fabric OS Administrator’s Guide - Page 163
SSL configuration overview, Certificate authorities, TABLE 21
View all Dell PowerEdge M710HD manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 163 highlights
Secure Sockets Layer protocol 6 SSL configuration overview You configure for SSL by obtaining, installing, and activating digital certificates for SSL support. Certificates are required on all switches that are to be accessed through SSL. Also, you must install a certificate in the Java Plug-in on the management workstation, and you may need to add a certificate to your Web browser. Configuring for SSL involves these main steps, which are shown in detail in the next sections. 1. Choose a certificate authority (CA). 2. Generate the following items on each switch: a. A public and private key by using the secCertUtil genkey command. b. A certificate signing request (CSR) by using the secCertUtil gencsr command. 3. Store the CSR on a file server by using the secCertUtil export command. 4. Obtain the certificates from the CA. You can request a certificate from a CA through a Web browser. After you request a certificate, the CA either sends certificate files by e-mail (public) or gives access to them on a remote host (private). Typically, the CA provides the certificate files listed in Table 21. Brocade supports .pem, .crt. and .cer files from the Certificate Authority. TABLE 21 SSL certificate files Certificate file Description name.crt nameRoot.crt nameCA.crt The switch certificate. The root certificate. Typically, this certificate is already installed in the browser, but if not, you must install it. The CA certificate. It must be installed in the browser to verify the validity of the server certificate or server validation fails. 5. On each switch, install the certificate. Once the certificate is loaded on the switch, HTTPS starts automatically. 6. If necessary, install the root certificate to the browser on the management workstation. 7. Add the root certificate to the Java Plug-in keystore on the management workstation. Certificate authorities To ease maintenance and allow secure out-of-band communication between switches, consider using one certificate authority (CA) to sign all management certificates for a fabric. If you use different CAs, management services operate correctly, but the Web Tools Fabric Events button is unable to retrieve events for the entire fabric. Each CA (for example, Verisign or GeoTrust) has slightly different requirements; for example, some generate certificates based on IP address, while others require an FQDN, and most require a 1024-bit public/private key while some may accept a 2048-bit key. Consider your fabric configuration, check CA Web sites for requirements, and gather all the information that the CA requires. Fabric OS Administrator's Guide 123 53-1001763-02