Home » Lantronix Manuals » Electronics Accessories » Lantronix EMG 8500 » Manual Viewer

Lantronix EMG 8500 EMG User Guide - Page 158

Services, Version 3 TLS over TCP, Apply, To con TLS v3 over TCP

Add to My Manuals
Save this manual to your list of manuals

Page 158 highlights

8: Services Certificate fingerprints may be required by applications interfacing the SNMP applications of EMG when TLS is used. EMG will display the SHA1 and SHA256 fingerprint of the certificate authority and certificate files when they are uploaded into EMG. The fingerprint of the client certificate must also be configured when authenticating the EMG agent with a client or tool that queries the agent. For information about generating a certificate authority (or root) file, agent (or server) certificate and key, and client certificate and key with OpenSSL, see Creating a Certificate. We recommend you to set the message digest used when creating the certificates to SHA1 or SHA256, depending on the level of security required. When EMG is in FIPS mode, only certificates with a message digest of SHA256 or higher are allowed. To set the message digest used by OpenSSL, in step (1b) of the instructions referenced above, change default in the line below in openssl.cnf to either sha1 or sha256. default_md = default # use public key default MD To configure TLS v3 (over TCP): 1. Click Services tab and select SNMP. The SNMP page appears. 2. In the Version 3 TLS (over TCP) section, enter the following: 3. To save, click Apply. Client Certificate Fingerprint Enter the SHA1 or SHA256 fingerprint of the certificate used by the client or tool that queries the EMG agent. For example, a SHA256 fingerprint is a string of 59 characters: D9:E5:DD:11:58:D2:DF:E0:D9:99:AE:A3:DB:57:24:21:A7:0A:20: 5A CertificateUsername Mapping / String EMG requires a mapping from a field in the certificate used by the client or tool that queries the EMG agent to an SNMP v3 user name used internally by the EMG. This provides an extra layer of security to verify the client's identity. The EMG will extract the designated field from the certificate and match it with what is specified in String. Select among the following fields in the client certificate:  User Name: The SNMP v3 user name. It does not need to be a field in the certificate.  E-mail Address: The email address mentioned in the subjectAltName field of the certificate.  FQDN: The DNS name mentioned in the subjectAltName field of the certificate. For example, abc.lantronix.com.  IP Address: The IP address mentioned in the subjectAltName field of the certificate. For example, 10.0.1.150.  Common Name: The common name mentioned in the certificate. For example, "EMG" or "John Smith". By default, this option is selected.  Any: Indicates that any of the subjectAltName fields in the certificate can be used. For example, if the common name in the certificate is "John Smith", select Common Name for Certificate-Username Mapping. and then enter John Smith in the String field. Certificate Authority Indicates the Certificate Authority used by the agent certificate and the client/traps certificate. Note: The certificate authority, agent certificate and client/traps certificate can be viewed by clicking the View link to the associated the filename. It will also display the SHA1 and SHA256 fingerprint of the certificate. All certificate files can be deleted by clicking the Delete Certificate Files check box. Certificate File for The certificate file for the EMG agent. Agent EMG™ Edge Management Gateway User Guide 158

Section	Page
EMG™ Edge Management Gateway User Guide	1
EMG 8500	1
EMG 7500	1
Intellectual Property	2
Warranty	2
Contacts	2
Open Source Software	2
Disclaimer & Revisions	3
Revision History	4
Table of Contents	5
List of Figures	16
List of Tables	20
1: About this Guide	21
Purpose and Audience	21
Summary of Chapters	21
Additional Documentation	22
2: Introduction	23
EMG 8500 Overview	23
EMG 7500 Overview	24
Key Features	24
Console Management	24
Performance Monitoring	25
Security	25
Power	25
Integration with Lantronix ConsoleFlow™	25
Applications	25
Protocol Support	26
Configuration Methods	26
Product Information Label	27
EMG 8500 Hardware Components	28
EMG 7500 Hardware Components	29
System Features	30
Access Control	30
Device Port Buffer	30
Console Port Interface	30
Device Port Interfaces	31
I/O Modules	32
Network Connections	32
Connectivity Modules	34
Front Panel LEDs	35
Digital IO Port	35
3: EMG 8500 Installation	37
EMG 8500 Package Contents	37
Order Information	38
User Supplied Items	38
Customize an EMG	38
Hardware Specifications	39
Physical Installation	40
Rack Mount Installation	41
Wall Mount Installation	42
Connecting to a Device Port	44
Modular Expansion for I/O Module Bays	45
Connecting to Network Ports	46
Modular Expansion for Connectivity Module Bays	46
Connecting Terminals	47
Power Input	48
I/O Module Installation	49
Connectivity Module Installation	50
Modem Installation	52
4: EMG 7500 Installation	53
EMG 7500 Package Contents	53
Order Information	53
User Supplied Items	53
Hardware Specifications	54
Physical Installation	55
Rack Mount Installation	56
Wall Mount Installation	57
Connecting to a Device Port	58
Connecting to Network Ports	60
Connecting Terminals	60
Power Input	61
Modem Installation	62
5: Quick Setup	63
Recommendations	63
IP Address	63
Lantronix Provisioning Manager	64
Method #1 Quick Setup on the Web Page	64
Network Settings	66
Date & Time Settings	67
Administrator Settings	67
Method #2 Quick Setup on the Command Line Interface	68
Next Step	71
Limiting Sysadmin User Access	71
6: Web and Command Line Interfaces	72
Web Manager	72
Logging in	74
Logging Out	75
Web Page Help	75
Command Line Interface	75
Logging In	75
Logging Out	76
Command Syntax	76
Command Line Help	76
Tips	76
General CLI Commands	77
7: Networking	79
Requirements	79
Network Port Settings	80
Ethernet Interfaces (Eth1 and Eth2)	83
Hostname & Name Servers	85
DNS Servers	85
DHCP-Acquired DNS Servers	85
TCP Keepalive Parameters	86
Gateway	86
Fail-Over Settings	87
Fail-Over Cellular Gateway Configuration	89
Advanced Cellular Gateway Configuration	90
Fail-Over Cellular Gateway Firmware	91
Load Cellular Gateway Firmware Options	91
Ethernet Counters	92
Network Commands	92
Cellular Modem Settings	93
Cellular Interface	94
Cellular Modem Configuration	94
Cellular Modem Firmware	94
Load Cellular Modem Firmware Options	95
Cellular Status	95
Cellular Modem Commands	96
Wireless Settings	97
Wireless Overview	97
Wireless Firmware	99
Troubleshooting	100
Wireless Client Settings	101
Wireless Access Point Settings	108
IP Filter	111
Viewing IP Filters	111
Mapping Rulesets	111
Enabling IP Filters	112
Configuring IP Filters	113
Rule Parameters	114
Updating an IP Filter	115
Deleting an IP Filter	115
IP Filter Commands	115
Routing	116
Dynamic Routing	116
Static Routing	116
Routing Commands	117
VPN Settings	117
Sample ipsec.conf Files	128
VPN Commands	133
Security	134
Performance Monitoring	137
Performance Monitoring - Add/Edit Probe	140
Performance Monitoring - Results	143
Performance Monitoring Commands	147
FQDN List	147
8: Services	148
System Logging and Other Services	148
SSH/Telnet/Logging	148
System Logging	149
Audit Log	150
SSH	150
Telnet	151
Web SSH/Web Telnet Settings	151
SMTP	151
SSH Commands	152
Logging Commands	152
SNMP	152
v1/v2c Communities	156
Version 3	156
V3 User Read-Only	157
V3 User Read-Write	157
V3 User Trap	157
Version 3 TLS (over TCP)	157
Services Commands	159
NFS and SMB/CIFS	160
SMB/CIFS Share	161
NFS and SMB/CIFS Commands	161
Secure Lantronix Network	162
Browser Issues	164
Troubleshooting Browser Issues	165
Web SSH/Telnet Copy and Paste	167
Secure Lantronix Network Commands	167
Date and Time	168
Date and Time Commands	169
Web Server	170
Admin Web Commands	172
Services - SSL Certificate	172
Services - Web Sessions	175
ConsoleFlow	176
ConsoleFlow Commands	180
9: USB/SD Card Port	181
Set up USB/SD Card Storage	181
Manage Files	184
USB Commands	185
SD Card Commands	185
10: Device Ports	186
Connection Methods	186
Permissions	186
I/O Modules	187
Device Status	188
Device Ports	188
Telnet/SSH/TCP in Port Numbers	190
Device Port Global Commands	190
Device Ports - Settings	191
Device Port Settings	193
IP Settings	195
Data Settings	196
Hardware Signal Triggers	197
Modem Settings (Device Ports)	198
Modem Settings: Text Mode	199
Modem Settings: PPP Mode	200
Port Status and Counters	201
Device Ports - Power Management	201
Device Port - Sensorsoft Device	204
Device Port Commands	206
Device Commands	206
Interacting with a Device Port	207
Device Ports - Logging and Events	208
Local Logging	208
NFS File Logging	208
USB and SD Card Logging	208
Token/Data Detection	209
Syslog Logging	209
Token & Data Detection	210
Local Logging	212
Log Viewing Attributes	212
NFS File Logging	212
USB / SD Card Logging	212
Syslog Logging	212
Logging Commands	213
Console Port	213
Console Port Commands	214
Internal Modem Settings	215
Internal Modem Commands	219
DIO Port	219
DIO Commands	220
Xmodem	221
Xmodem Commands	223
Host Lists	224
Host Parameters	224
Host List Commands	227
Sites	228
Site Commands	230
Modem Dialing States	231
Dial In	231
Dial-back	231
Dial-on-demand	232
Dial-in & Dial-on-demand	232
Dial-back & Dial-on-demand	233
CBCP Server and CBCP Client	234
CBCP Server	234
CBCP Client	234
Key Sequences	235
11: Remote Power Managers	236
Devices - RPMs	236
RPMs - Add Device	239
RPMs - Manage Device	242
RPMs - Outlets	246
RPM Shutdown Procedure	246
Optimizing and Troubleshooting RPM Behavior	248
RPM Commands	249
12: Scripts	250
Script Commands	255
Batch Script Syntax	256
Interface Script Syntax	257
Primary Commands	258
Secondary Commands	259
Control Flow Commands	261
Custom Script Syntax	263
Example Scripts	265
13: Connections	284
Typical Setup Scenarios for the EMG unit	284
Terminal Server	284
Remote Access Server	285
Reverse Terminal Server	285
Multiport Device Server	286
Console Server	286
Connection Configuration	287
Connection Commands	289
14: User Authentication	290
Authentication Commands	292
User Rights	293
Local and Remote User Settings	294
Sysadmin Account Default Login Values	295
Adding, Editing or Deleting a User	296
Shortcut	300
Local Users Commands	300
Remote User Rights Commands	300
NIS	301
NIS Commands	303
LDAP	304
LDAP Commands	308
RADIUS	309
RADIUS Commands	312
User Attributes & Permissions from LDAP Schema or RADIUS VSA	312
Kerberos	314
Kerberos Commands	316
TACACS+	317
TACACS+ Groups	317
TACACS+ Commands	321
Groups	322
Group Commands	325
SSH Keys	326
Overview	326
Imported Keys	326
Exported Keys	326
Create an SSH Key	326
Imported Keys (SSH In)	329
Exported Keys (SSH Out)	329
SSH Server/Host Keys	330
SSH Commands	332
Custom Menus	333
Custom User Menu Commands	335
15: Maintenance	336
Firmware & Configurations	336
Zero Touch Provisioning Configuration Restore	336
Creating a Certificate	337
HTTPS Push Configuration Restore	339
Factory Reset with External Storage Device	340
Internal Temperature	342
Site Information	342
EMG Firmware	342
Boot Banks and Bootloader Settings	343
Load Firmware Via Options	344
Configuration Management	344
Manage Files	346
Administrative Commands	346
System Logs	347
System Log Commands	348
Audit Log	349
Audit Log Commands	349
Email Log	350
Logging Commands	350
Diagnostics	351
Diagnostic Commands	354
Status/Reports	354
View Report	354
Status Commands	356
Emailing Logs and Reports	357
Events	359
Events Commands	361
Banners	361
Administrative Banner Commands	362
System Info	363
16: Application Examples	365
Telnet/SSH to a Remote Device	366
Dial-in (Text Mode) to a Remote Device	368
Local Serial Connection to Network Device via Telnet	370
17: Command Reference	372
Introduction to Commands	372
Command	372
Command Line Help	373
Tips	373
Administrative Commands	374
admin banner login	374
admin banner logout	374
admin banner show	374
admin banner ssh	375
admin banner welcome	375
admin config checksum	375
admin config copy	375
admin config rename\|delete	375
admin config factorydefaults	376
admin config restore	376
admin config save	377
admin config show	377
admin eeprom	377
admin firmware bootbank	378
admin firmware bootcount	378
admin firmware bootlimit	378
admin firmware bootdelay	378
admin firmware highrestimers	379
admin firmware watchdog	379
admin firmware show	379
admin firmware update	379
admin firmware clearlog	379
admin ftp password	380
admin ftp server	380
admin ftp show	380
admin memory show	380
admin memory swap add	380
admin memory swap delete	381
admin quicksetup	381
admin reboot	381
admin shutdown	381
admin site	381
admin sysinfo	382
admin version	382
admin web certificate import	382
admin web certificate reset	382
admin web certificate custom	383
admin web certificate custom	383
admin web certificate show	383
admin web group	383
admin web server	383
admin web sha2	383
admin web timeout	384
admin web terminate	384
admin web show	384
admin web banner	384
admin web iface	384
admin web cipher	385
admin web sha2	385
admin web tlsv10	385
admin web tlsv11	385
admin web tlsv12	385
admin web restart	386
admin chip resetmodem	386
Audit Log Commands	386
show auditlog	386
Authentication Commands	387
set auth	387
show auth	387
show user	387
Kerberos Commands	388
set kerberos	388
show kerberos	388
LDAP Commands	389
set ldap	389
set ldap bindpassword	389
set ldap certificate import	390
set ldap certificate delete	390
show ldap	390
Local Users Commands	390
set localusers add\|edit	390
set localusers allowreuse	391
set local users complexpasswords	391
set localusers state	391
set localusers delete	391
set localusers lifetime	392
set localusers maxloginattempts	392
set localusers password	392
set localusers periodlockout	392
set localusers periodwarning	392
set localusers reusehistory	393
set localusers multipleadminlogins	393
set localusers consoleonlyadmin	393
show localusers	393
set localusers lock	393
set localusers unlock	394
set localusers permissions	394
NIS Commands	394
set nis	394
show nis	395
RADIUS Commands	395
set radius	395
set radius server	396
show radius	396
TACACS+ Commands	396
set tacacs+	396
show tacacs+	397
User Permissions Commands	398
set localusers group	398
set localusers lock	398
set localusers unlock	398
set localusers permissions	398
set <nis\|ldap\|radius\|kerberos\|tacacs+> permissions	399
show user	399
Remote User Commands	399
set remoteusers add\|edit	399
set remoteusers listonlyauth	400
set remoteusers denyaccessnocustomgroup	400
set remoteusers denyaccessnocustomgroup <enable\|disable>	400
set remoteusers lock\|unlock	400
set remoteusers delete	400
show remoteusers	400
set <nis\|ldap\|radius\|kerberos\|tacacs+> group	401
Cellular Modem Commands	401
set cellular	401
set cellular update	401
set cellular	402
show cellular	402
ConsoleFlow Commands	402
set cflow client	402
set cflow statusinterval	402
set cflow fwupdate	402
set cflow rebootafterupdate	403
set cflow connection	403
set cflow devicename	403
set cflow timeoutcli	403
set cflow digitalprobe	404
set cflow id	404
set cflow key	404
show cflow	404
CLI Commands	405
set cli	405
set cli menu	405
show cli	405
show user	406
set history	406
show history	406
Connection Commands	406
connect bidirection	406
connect direct	407
connect global outgoingtimeout	407
connect listen deviceport	408
connect terminate	408
connect unidirection	408
show connections	409
show connections connid	409
Console Port Commands	409
set consoleport	409
show consoleport	410
Custom User Menu Commands	410
set localusers	410
set menu add	410
set menu delete	411
set <nis\|ldap\|radius\|kerberos\|tacacs+> custommenu	411
set remoteusers add\|edit	411

Match case Limit results 1 per page

8: Services

EMG™ Edge Management Gateway User Guide

158

Certificate fingerprints may be required by applications interfacing the SNMP applications of EMG

when TLS is used. EMG will display the SHA1 and SHA256 fingerprint of the certificate authority

and certificate files when they are uploaded into EMG. The fingerprint of the client certificate must

also be configured when authenticating the EMG agent with a client or tool that queries the agent.

For information about generating a certificate authority (or root) file, agent (or server) certificate

and key, and client certificate and key with OpenSSL, see

Creating a Certificate

. We recommend

you to set the message digest used when creating the certificates to SHA1 or SHA256, depending

on the level of security required. When EMG is in FIPS mode, only certificates with a message

digest of SHA256 or higher are allowed. To set the message digest used by OpenSSL, in step (1b)

of the instructions referenced above, change

default

in the line below in

openssl.cnf

either

sha1

sha256

default_md = default # use public key default MD

To configure TLS v3 (over TCP):

Click

Services

tab and select

SNMP

. The

SNMP

page appears.

In the

Version 3 TLS (over TCP)

section, enter the following:

To save, click

Apply

Client Certificate

Fingerprint

Enter the SHA1 or SHA256 fingerprint of the certificate used by the client or tool that

queries the EMG agent. For example, a SHA256 fingerprint is a string of 59 characters:

D9:E5:DD:11:58:D2:DF:E0:D9:99:AE:A3:DB:57:24:21:A7:0A:20:

Certificate-

Username

Mapping / String

EMG requires a mapping from a field in the certificate used by the client or tool that

queries the EMG agent to an SNMP v3 user name used internally by the EMG. This

provides an extra layer of security to verify the client's identity. The EMG will extract the

designated field from the certificate and match it with what is specified in

String

. Select

among the following fields in the client certificate:



User Name:

The SNMP v3 user name. It does not need to be a field in the

certificate.



E-mail Address:

The email address mentioned in the

subjectAltName

field of

the certificate.



FQDN:

The DNS name mentioned in the

subjectAltName

field of the

certificate. For example, abc.lantronix.com.



IP Address:

The IP address mentioned in the

subjectAltName

field of the

certificate. For example, 10.0.1.150.



Common Name:

The common name mentioned in the certificate. For example,

"EMG" or "John Smith". By default, this option is selected.



Any:

Indicates that any of the

subjectAltName

fields in the certificate can be

used.

For example, if the common name in the certificate is "John Smith", select

Common

Name

for

Certificate-Username Mapping.

and then enter John Smith in the String

field.

Certificate

Authority

Indicates the Certificate Authority used by the agent certificate and the client/traps

certificate.

Note:

The certificate authority, agent certificate and client/traps certificate can be

viewed by clicking the

View

link to the associated the filename. It will also display the

SHA1 and SHA256 fingerprint of the certificate. All certificate files can be deleted by

clicking the

Delete Certificate Files

check box.

Certificate File for

Agent

The certificate file for the EMG agent.