
SSL access for Allied Telesyn's routers and Layer 3 switches


This document must be read AFTER you read the SSH access for Allied Telesyn's routers and Layer 3 switches document!

Objective

Replacing the HTTP protocol with the HTTPS protocol for monitoring and configuring Allied Telesyn routers and layer 3 switches.
Why HTTPS? For security reasons.
You can read more about Secure Sockets Layer by searching the Internet.

Why Allied Telesyn routers and Layer 3 switches? Because I have some to play with...

Requirements

The routers and layer 3 switches must already be configured in the way outlined in the document SSH access for Allied Telesyn's routers and Layer 3 switches for this procedure to work.

Note

You must have a "feature" licence in order to use SSH and SSL with your router or layer 3 switch.

For certificate generation I have used the OpenSSL cryptography toolkit. I have run it under the Cygwin environment.

Note

If you already have a Certificate Authority you can use it instead of the openssl application. However, in that case you will not be able to follow this document exactly.

Warning

From a security point of view, the best approach is to have a Certificate Authority whose certificate is signed by one of the trusted world-wide Certificate Authorities!

For moving certificates and requests between the routers and the Certificate Authority you need a TFTP server.

Certificate Authority

If you already have a certificate authority this step is not needed.
Here is how you can create a new certificate authority with openssl:

# openssl req -new -x509 -keyout caPrvKey.pem -out cacert.pem -days 3650 -verbose
        
and fill some fields for it:
Country Name: <YourCountryNameCode>
Organization Name: <YourOrganizationName>
Organization Unit Name: <YourOrganizationUnitName>
Common Name: <TheNameAssignedToThisCA>
        
Example:
Country Name: RO
Organization Name: CalinR Company
Organization Unit Name: IT Department
Common Name: Internal CA
        
Now you have a self-signed certificate with a validity period of ten years, the cacert.pem file, and the CA's private key, the caPrvKey.pem file. The CA's public key is embedded in the cacert.pem file.

Note

This is not a true Certificate Authority, it is only a self-signed certificate, but it is enough for our purpose. A Certificate Authority is much more than a self-signed certificate.
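The same CA creation, scripted so it can be repeated and checked. This is an added example, not part of the original page: the -subj string carries the fields the interactive prompts above ask for, filled with the page's example values; the key size (2048 bits) and the passphrase placeholder in CA_PASS are choices made here, not values from the page.

```shell
#!/bin/sh
# Added example (not from the original page): create the self-signed CA
# certificate non-interactively, then inspect it. The private key is
# encrypted with the passphrase in CA_PASS (a constructed placeholder).
set -eu

CA_PASS="${CA_PASS:-change-me-example-passphrase}"
CA_SUBJ="/C=RO/O=CalinR Company/OU=IT Department/CN=Internal CA"

# make_ca DIR: writes DIR/caPrvKey.pem (encrypted) and DIR/cacert.pem,
# the same two files the page's interactive command produces.
make_ca() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -new -x509 \
        -newkey rsa:2048 \
        -keyout "$dir/caPrvKey.pem" \
        -out "$dir/cacert.pem" \
        -days 3650 \
        -subj "$CA_SUBJ" \
        -passout "pass:$CA_PASS" 2>/dev/null
    # The CA key must stay private: owner-only permissions, no exceptions.
    chmod 600 "$dir/caPrvKey.pem"
}

# ca_is_self_signed FILE: succeeds when subject and issuer are identical,
# which is exactly what "self-signed" means for the page's cacert.pem.
ca_is_self_signed() {
    subject=$(openssl x509 -in "$1" -noout -subject)
    issuer=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subject#subject=}" = "${issuer#issuer=}" ]
}

# ca_key_is_encrypted FILE: succeeds when the PEM header marks the key
# as passphrase-protected rather than stored in the clear.
ca_key_is_encrypted() {
    grep -q "ENCRYPTED" "$1"
}

# ca_key_opens_with_passphrase FILE: the key is usable with CA_PASS.
ca_key_opens_with_passphrase() {
    openssl pkey -in "$1" -passin "pass:$CA_PASS" -noout 2>/dev/null
}

# print_ca_summary FILE: subject, issuer and the ten-year validity window.
print_ca_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
}

WORK=$(mktemp -d)
make_ca "$WORK"
print_ca_summary "$WORK/cacert.pem"
```

Running the script prints the certificate's subject, issuer and notBefore/notAfter dates; subject and issuer are the same name, which is the self-signed property the note above refers to.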

Preparing the router

The router, or layer 3 switch, must be named correctly before going any further. Log in to it and execute the following commands:

set system name=<YourRouterName>
set system location="<YourOrganizationName>"
set system distinguishedname="cn=<YourRouterName>,o=<YourOrganizationName>,c=<YourCountryNameCode>"
set log utcoffset=<TheOffsetFromUTC_Time>
        
Example:
set system name=CentralRouter1
set system location="CalinR Company"
set system distinguishedname="cn=CentralRouter1,o=CalinR Company,c=RO"
set log utcoffset=2
        

After correctly naming the router it is time to import your Certificate Authority's certificate into the router.

  1. begin by copying that certificate, cacert.pem, to your TFTP server ...
  2. ... and renaming it to cacert.cer
  3. log into the router and load the certificate file:
    load file=cacert.cer destination=flash method=tftp server=<IP_Address_Of_The_TFTP_Server>
                
  4. add the certificate, verify it and mark it as trusted:
    add pki certificate=CACertificate location=cacert.cer type=ca
    show pki certificate=CACertificate
    set pki certificate=CACertificate trusted=true
                

Request a certificate from CA

Here is what you must do to create a certificate request from your router, and how it is to be done:
create enco key=5 type=rsa length=1024 desc="SSL Key"
create pki enrollmentrequest=<reqname> keypair=5 protocol=manual type=pkcs10 format=pem
upload file=<reqname>.csr server=<ip_address_of_the_tftp_server> method=tftp
        
Replace <reqname> with some descriptive name.

The certificate request, as produced by the router, is not directly accepted by openssl.
To be able to use it you must remove the empty line from the certificate request file. Open the file with a text editor, Notepad should work fine, and remove the empty line. The file should have the following format:

-----BEGIN CERTIFICATE REQUEST-----
abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz01
23456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrst
uvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijkl
mnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcd
efghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz012345
6789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwx
yz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnop
qrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefgh
-----END CERTIFICATE REQUEST-----
        

Get a signed certificate

If this is the first certificate that your Certificate Authority is generating you must create a file to store the serial numbers of the generated certificates (the cacert.srl file). For this purpose pass the CAcreateserial switch to the openssl application:

openssl x509 -req -in <reqname>.csr -out <destCertName> -days 1825 -CA cacert.pem -CAkey caPrvKey.pem -CAcreateserial
            
Otherwise, if the cacert.srl file already exists, use this line to generate a signed certificate:
openssl x509 -req -in <reqname>.csr -out <destCertName> -days 1825 -CA cacert.pem -CAkey caPrvKey.pem
        
Replace <destCertName> with some descriptive name.
Now you have a signed certificate with a validity period of five years.
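The request clean-up from the previous section and the two signing variants from this one, scripted end to end. This is an added example, not the page's own procedure and not Allied Telesyn code: the router's real request is produced on the device, so here a request with the page's example distinguished name is generated with openssl as a stand-in, an empty line is inserted into it to reproduce the file the page describes, and the clean-up is done with sed instead of Notepad. The 2048-bit keys and the CA_PASS placeholder are choices made here, not values from the page.

```shell
#!/bin/sh
# Added example (not from the page): clean a router certificate request,
# sign it with the page's CA, and verify the result chains to that CA.
set -eu

CA_PASS="${CA_PASS:-change-me-example-passphrase}"   # constructed placeholder

# make_ca DIR: self-signed CA as on the page (2048-bit key chosen here).
make_ca() {
    openssl req -new -x509 -newkey rsa:2048 -keyout "$1/caPrvKey.pem" \
        -out "$1/cacert.pem" -days 3650 \
        -subj "/C=RO/O=CalinR Company/OU=IT Department/CN=Internal CA" \
        -passout "pass:$CA_PASS" 2>/dev/null
}

# fake_router_request DIR NAME: stand-in for the request the router uploads.
# The DN matches 'set system distinguishedname' from the page. An empty line
# is inserted after the BEGIN line to mimic the file the page describes.
fake_router_request() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$2.key" \
        -out "$1/$2.clean" \
        -subj "/C=RO/O=CalinR Company/CN=CentralRouter1" 2>/dev/null
    awk 'NR==1 {print; print ""; next} {print}' "$1/$2.clean" > "$1/$2.csr"
    rm "$1/$2.clean"
}

# clean_request IN OUT: drop empty lines so openssl accepts the PEM body.
clean_request() {
    sed '/^[[:space:]]*$/d' "$1" > "$2"
}

# request_is_valid FILE: the request parses and its self-signature checks.
request_is_valid() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# sign_request DIR REQ CERT: the page's two command lines in one place.
# -CAcreateserial is passed only when cacert.srl does not exist yet;
# afterwards the existing serial file is re-used and advanced.
sign_request() {
    dir="$1"; req="$2"; cert="$3"
    if [ -f "$dir/cacert.srl" ]; then
        serial_opt=""
    else
        serial_opt="-CAcreateserial"
    fi
    # $serial_opt is intentionally unquoted so an empty value vanishes.
    openssl x509 -req -in "$dir/$req" -out "$dir/$cert" -days 1825 \
        -CA "$dir/cacert.pem" -CAkey "$dir/caPrvKey.pem" \
        -passin "pass:$CA_PASS" $serial_opt 2>/dev/null
}

# cert_chains_to_ca DIR CERT: the check a browser performs once cacert.cer
# is in its trusted root list; a certificate from any other issuer fails it.
cert_chains_to_ca() {
    openssl verify -CAfile "$1/cacert.pem" "$1/$2" >/dev/null 2>&1
}

# cert_serial DIR CERT: hex serial number, to show the .srl counter advancing.
cert_serial() {
    openssl x509 -in "$1/$2" -noout -serial | sed 's/^serial=//'
}

WORK=$(mktemp -d)
make_ca "$WORK"
fake_router_request "$WORK" CentralRouter1
clean_request "$WORK/CentralRouter1.csr" "$WORK/CentralRouter1.fixed.csr"
sign_request "$WORK" CentralRouter1.fixed.csr CentralRouter1.cer
openssl x509 -in "$WORK/CentralRouter1.cer" -noout -subject -issuer -dates
```

The signed certificate's issuer is the CA's subject and its validity is five years, as the text states; signing a second request afterwards picks up the cacert.srl file created by the first run and issues a different serial number.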

Now that you have a signed certificate for your router, let's upload it to the router:

load file=<destCertName>.cer destination=flash method=tftp server=<ip_address_of_the_tftp_server>
        
and add it to the router's certificate store:
add pki certificate="SSL Certificate" location=<destCertName>.cer type=self
        
The file containing the certificate request, <reqname>.csr, is no longer needed so you can delete it.

Final step

If everything worked without problems you can set the router's HTTP server to work with SSL:

set http server security=on sslkey=5 port=443
        
and test it by pointing your web browser to https://<ip_address_of_the_router>.

Do not forget to save the router's configuration.

One more thing to do: add the cacert.cer file, which is the certificate of your Certification Authority, to your computer's Trusted Root Certification Authorities list. This way, in the case of a man-in-the-middle attack, you at least get a warning when you access the router, because the "fake" router certificate can no longer be verified (what am I talking about here? SSL-proxy applications).

Protect your CA

I am hoping that for you, the reader, it is needless to say that the CA's private key, the caPrvKey.pem file, must NOT be available to other people!
Take that file and put it in a safe place! Only use the file when you need to sign a certificate!

Back up your CA's files, basically the:

and put the backup in a safe place.

History

Copyright and License

This document is copyrighted (c) 2006 by Calin Radoni. Permission is granted to copy and/or distribute this document.

Disclaimer

No liability for the contents of this document can be accepted. Use the concepts, examples and information at your own risk. There may be errors and inaccuracies that could be damaging to your system. Proceed with caution; the author does not take any responsibility.

All copyrights are held by their respective owners, unless specifically noted otherwise. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.

Copyright © 2005 - 2009 Calin Radoni. Hosted on http://www.oocities.org/calinradoni. Last page modification: 18 May 2006.