Best Practices: Server Security Hardening

Transcription

1 The following sections explain how to enhance server security by eliminating or controlling individual points of security exposure. Disable Web Root Access, on page 1 Use SMPv3 Instead of SMPv2, on page 2 Authenticate With External AAA, on page 3 Enable OCSP Settings on the Prime Infrastructure Server, on page 5 Set Up Local Password Policies, on page 5 Disable Individual TCP/UDP Ports, on page 6 Check on Server Security Status, on page 7 Configure Prime Infrastructure in FIPS Mode, on page 8 Disable Web Root Access During installation, Prime Infrastructure also creates a web root user account, prompting the installer for the password to be used for this account. The web root account is needed to enable first-time login to the Prime Infrastructure server and its web user interface. We recommend that you never use this account for normal operations. Instead, use it to create user IDs with appropriate privileges for day-to-day operations and network management, and administrative user IDs for managing Prime Infrastructure itself. Once these user accounts are created, disable the default web root account created at install time, and create user accounts using your administrative user IDs thereafter. To disable the Web root accounts: Open a CLI session with the Prime Infrastructure server (seehow to Connect Via CLI ). Do not enter configure terminal mode. Disable the web root account by entering the following command: PIServer/admin# ncs webroot disable Prime Infrastructure disables the web root account. ote Root shell access is disabled in FIPS release by default and it cannot be enabled. 1

2 Use SMPv3 Instead of SMPv2 Use SMPv3 Instead of SMPv2 Prime Infrastructure 3.2 FIPS supports both SHA-1 and SHA-2 Certificates Chain Key Size: 2048 Bit Chain SMPv3 is a higher-security protocol than SMPv2. You can enhance the security of communications between your network devices and the Prime Infrastructure server by configuring the managed devices so that management takes place using SMPv3 instead of SMPv2. You can choose to enable SMPv3 when adding new devices, when importing devices in bulk, or as part of device discovery. See Related Topics for instruction on how to perform each task. Inventory Section To add device using IPSec parameter, certificate from same CA should be applied in Prime Infrastructure and Device. Choose Inventory > Device Management > etwork Devices. After providing SMP and CLI credentials, add IPSec parameter to make Prime Infrastructure to Device Communication an FIPS Compliant. There are 2 different modes: Transport and Tunnel. SMP v2/v3 is supported via FIPS IPSEC Parameter format Ex1: C=in, ST=tn, L=che, O=hcl, OU=cisco, C=FIPS72.cisco.com Ex2: C=in, ST=tn, L=che, O=hcl, OU=cisco, C=FIPS73.cisco.com, E=abc@abc.com Related Topics Use SMPv3 to Add Devices, on page 2 Use SMPv3 to Import Devices, on page 3 Use SMPv3 to Run Discovery, on page 3 Use SMPv3 to Add Devices To specify SMPv3 when adding a new device: Select Inventory > Device Management > etwork Devices Choose Add Device. In the SMP Parameters area, in Version, select v3. Step 4 Complete the other fields as appropriate, then click Add. Related Topics Use SMPv3 to Import Devices, on page 3 Use SMPv3 to Run Discovery, on page 3 Use SMPv3 Instead of SMPv2, on page 2 2

3 Use SMPv3 to Import Devices Use SMPv3 to Import Devices To specify use of SMPv3 when importing devices in bulk: Step 4 Step 5 Select Inventory > Device Management > etwork Devices. Choose Bulk Import. The Bulk Import page appears. Download the device add sample template from the here link on the Bulk Import page. Edit the template file using any CSV-compatible application. For each row representing a device in the CSV import file: a) In the snmp version column, enter 3. b) Enter appropriate values in the snmpv3_user_name, snmpv3_auth_type, snmpv3_auth_password, snmpv3_privacy_type, and snmpv3_privacy_password columns. c) Complete other columns as appropriate for your devices. Select Inventory > Device Management > etwork Devices, then click Bulk Import and import your modified CSV file. Related Topics Use SMPv3 to Add Devices, on page 2 Use SMPv3 to Run Discovery, on page 3 Use SMPv3 Instead of SMPv2, on page 2 Use SMPv3 to Run Discovery To specify SMPv3 as part of device discovery: Step 4 Step 5 Select Inventory > Device Management > Discovery. The Discovery Jobs page appears. Click the Discovery Settings link in the upper right corner of the page. The Discovery Settings page appears. Choose ew to add new SMP v3 credentials. Complete the fields as needed. Click Save to save the SMPv3 settings and use them thereafter. Related Topics Use SMPv3 to Add Devices, on page 2 Use SMPv3 to Import Devices, on page 3 Use SMPv3 Instead of SMPv2, on page 2 Authenticate With External AAA User accounts and password are managed more securely when they are managed centrally, by a dedicated, remote authentication server running a secure authentication protocol such as RADIUS or TACACS+. You can configure Prime Infrastructure to authenticate users using external AAA servers. You will need to access the Administration > Users > Users, Roles & AAA page to set up external authentication via the 3

4 Set Up External AAA Via GUI Prime Infrastructure graphic user interface (GUI). You can also set up external authentication via the command line interface (CLI). See Related Topics for instructions on how to set up AAA using each method. Related Topics Set Up External AAA Via GUI, on page 4 Set Up External AAA Via CLI, on page 4 Set Up External AAA Via GUI To set up remote user authentication via the GUI: Step 4 Step 5 Log in to Prime Infrastructure with a user ID that has administrator privileges. Select Administration > Users > Users, Roles & AAA > TACACS+ or Administration > Users > Users, Roles & AAA > RADIUS. Enter the TACACS+ or RADIUS server IP address and shared secret in the appropriate fields. Select Administration > Users > Users, Roles & AAA > AAA Mode Settings. Set the AAA mode as appropriate. Related Topics Authenticate With External AAA, on page 3 Set Up External AAA Via CLI, on page 4 Set Up External AAA Via CLI To set up remote user authentication via the CLI: Log in to Prime Infrastructure using the command line, as explained in How to Connect Via CLI. Be sure to enter configure terminal mode. At the prompt, enter the following command to setup an external TACACS+ server: PIServer/admin/terminal# aaa authentication tacacs+ server tacacs-ip key plain shared-secret Where: tacacs-ip is the IP address of an active TACACS+ server. shared-secret is the plain-text shared secret for the active TACACS+ server. At the prompt, enter the following command to create a user with administrative authority, who will be authenticated by the above AAA server: PIServer/admin/terminal# username username password remote role admin id Where: username is the name of the user ID. password is the plain-text password for the user. 4

5 Enable OCSP Settings on the Prime Infrastructure Server id is the address of the user (optional). Related Topics Authenticate With External AAA, on page 3 Set Up External AAA Via GUI, on page 4 Enable OCSP Settings on the Prime Infrastructure Server Online Certificate Status Protocol (OCSP) enables certificate-based authentication for web clients using OCSP responders. Typically, the OCSP responder s URL is read from the certificate s Authority Information Access (AIA). As a failover mechanism, you can configure the same URL on the Prime Infrastructure server as well To set up a custom URL of an OCSP responder, follow the steps below. Log in to the Prime Infrastructure server using the command line, as explained in How to Connect Via CLI. Do not enter configure terminal mode. At the prompt, enter the following command to enable client certificate authentication: PIServer/admin# ocsp responder custom enable At the prompt, enter the following command to set the custom OCSP responder URL: PIServer/admin# ocsp responder set url Responder#URL Where: Responder# is the number of the OCSP responder you want to define (e.g., 1 or 2). URL is the URL of the OCSP responder, as taken from the client CA certificate. ote that there should be no space between the Responder# and URL values. Step 4 To delete an existing custom OCSP responder defined on the Prime Infrastructure server, use the following command: PIServer/admin# ocsp responder clear url Responder# If you do not already know the number of the OCSP responder you want to delete, use the show security-status command to view the OCSP responders currently configured on the server. For details, see Check on Server Security Status, on page 7. Set Up Local Password Policies If you are authenticating users locally, using Prime Infrastructure s own internal authentication, you can enhance your system s security by enforcing rules for strong password selection. ote that these policies affect only the passwords for local Prime Infrastructure user IDs. If you are authenticating Prime Infrastructure users via a centralized or remote AAA server, you can enforce similar protections using the functions of the AAA server. 5

6 Disable Individual TCP/UDP Ports To enforce local password policies: Log in to Prime Infrastructure with a user ID that has administrator privileges. Select Administration > Users > Users, Roles & AAA > Local Password Policy. Select the check boxes next to the password policies you want to enforce, including: The minimum number of characters passwords must contain. o use of the username or cisco as a password (or common permutations of these). o use of public in root passwords. o more than three consecutive repetitions of any password character. Passwords must contain at least one character from three of the following character classes: upper case, lower case, digit, and special character. Whether the password must contain only ASCII characters. Minimum elapsed number of days before a password can be reused. Password expiration period. Advance warnings for password expirations. If you enable any of the following password policies, you can also specify: The minimum password length, in number of characters. The minimum elapsed time between password re-uses. The password expiry period. The number of days in advance to start warning users about future password expiration. Step 4 Click Save. Disable Individual TCP/UDP Ports The following table lists the TCP and UDP ports Prime Infrastructure uses, the names of the services communicating over these ports, and the product s purpose in using them. The Safe column indicates whether you can disable a port and service without affecting Prime Infrastructure s functionality. Table 1: Prime Infrastructure TCP/UDP Ports Port Service ame Purpose Safe? 21/tcp FTP File transfer between devices and server Y 22/tcp SSHD Used by SCP, SFTP, and SSH connections to and from the system 69/udp TFTP File transfer between devices and the server Y 6

7 Check on Server Security Status Port Service ame Purpose Safe? 80/tcp HTTP Provisioning of exus devices Y 162/udp SMP-TRAP To receive SMP Traps 443/tcp HTTPS Primary Web Interface to the product 514/udp SYSLOG To receive Syslog messages 1522/tcp Oracle Oracle/JDBC Database connections: These include both internal server connections and for connections with the High Availability peer server. 8082/tcp HTTPS Health Monitoring ote You must check the Login Disclaimer Acknowledgment check box, to log in to the Health Monitor web page. 8087/tcp HTTPS Software updates on HA Secondary Systems ote You must check the Login Disclaimer Acknowledgment check box, to log in to the Software Update web page. 9991/udp ETFLOW To receive etflow streams (enabled if Assurance license installed) 9992/tcp PI Tomcat Process Lync Monitoring in Assurance 61617/tcp JMS (over TCP) For interaction with remote Plug&Play Gateway server Check on Server Security Status Prime Infrastructure administrators can connect to the server via CLI and use the show security-status command to display the server s currently open TCP/UDP ports, the status of other services the system is using, and other security-related configuration information. For example: Log in to Prime Infrastructure using the command line, as explained in Connecting Via CLI. Do not enter configure terminal mode. Enter the following command at the prompt: test-vm-237/admin# show security-status Depending on your settings, you will see output like the following: Open TCP Ports : Open UDP Ports : FIPS Mode : enabled on FIPS SSH Client Ciphers : disabled TFTP Service : disabled FTP Service : disabled 7

8 Configure Prime Infrastructure in FIPS Mode JMS port (61617) : disabled Root Access : disabled TLS versions : TLSv1.2 TLS ciphers : tls-ecdhe,tls-dhe,tls-static ote : Shows currently configured values. Changes made after last system start if any, will be effective after next restart test-vm-237/admin# Configure Prime Infrastructure in FIPS Mode Federal Information Processing Standards (FIPS) are U.S. government computer-security standards. The FIPS-140 series of standards specifies requirements for cryptography modules. For a more complete description, see Prime Infrastructure s FIPS mode is intended for customers who have requirements to use products which are compliant with the FIPS-140 standards referenced above. Installing Prime Infrastructure in FIPS mode disables use of certain capabilities in order to comply with the cryptographic security requirements of FIPS-140. For more information, see Prime Infrastructure FIPS Mode Details, on page 9 Please note: If you install Prime Infrastructure in FIPS mode, internal libraries are automatically setup for operating in FIPS compliant mode, hence you can not switch to non-fips mode or vice versa after the installation. You have to do a fresh installation of the product with appropriate version (FIPS or non-fips) to switch to FIPS mode from non-fips mode or vice versa. For the steps to install Prime Infrastructure in FIPS mode, see the sectioninstalling the Server in the Cisco Prime Infrastructure Quick Start Guide. FIPS Cryptographic Security Details Prime Infrastructure integrates the following FIPS approved cryptographic modules: 1. CiscoSSL FIPS Object Module (FOM) Version 6.0, FIPS Certificate # Red Hat Enterprise Linux Libreswan Cryptographic Module, FIPS Certificate #2721 In the Prime Infrastructure implementation: 1. Each of the integrated cryptographic modules mentioned above are initialized in a manner that is compliant with their individual security policies. 2. All cryptographic algorithms used for TLS, SSH and SPV3 are offloaded to CiscoSSL FIPS Object Module Version 6.0, FIPS Certificate # All cryptographic algorithms used for IPSec secure connection uses the Red Hat Enterprise Linux Libreswan Cryptographic Module, FIPS Certificate #

9 Prime Infrastructure FIPS Mode Details Prime Infrastructure FIPS Mode Details When you install Prime Infrastructure in FIPS mode, the following insecure services will be disabled by default. You should avoid enabling them in order to ensure FIPS/CC compliant operations. TFTP service (used for internal operations like image transfer to/from managed devices) FTP service (used for internal operations like image transfer to/from managed devices) SMP server Any managed device or any other applications or services interacting with Prime Infrastructure should confirm to the following protocol, ciphers, key and certificate requirement in order to ensure proper operations. Incoming Connections to Services All secure services will be running in FIPS/Common Criteria (CC) compliance mode. These service will use only FIPS compliant keys and ciphers listed below. All cryptographic operations used in these services are offloaded to CiscoSSL FIPS Object Module, version 6.0, FIPS Certificate #2505. SSH Service (CLI login for administrators) RSA, ECDSA AES256-CBC, AES128-CBC, AES256-GCM, AES128-GCM SHA2-512, SHA2-256, SHA1 ecdh-sha2-nistp521, ecdh-sha2-nistp384, ecdh-sha2-nistp256, diffie-hellman-group14-sha1 Secure Copy (SCP) and SFTP Services ( Used for file transfer for internal operations such as image transfer between the managed devices.) RSA, ECDSA AES256-CBC, AES128-CBC, AES256-GCM, AES128-GCM SHA2-512, SHA2-256, SHA1 ecdh-sha2-nistp521, ecdh-sha2-nistp384, ecdh-sha2-nistp256, diffie-hellman-group14-sha1 HTTPS Service (Web UI, BI) TLSv1.2 enabled by default, TLSv1.1 can be enabled TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 9

10 Outgoing Client Connections: By default, insecure protocols are not used for the out going client connections in order to guarantee FIPS compliant operations. We recommend you to configure and use secure protocols. All secure clients will operate in FIPS/CC compliant mode and only the following FIPS/CC compliant ciphers/keys will be used. All cryptographic operations are offloaded to CiscoSSL FIPS Object Module, version 6.0, FIPS Certificate #2505 Telnet client (for communicating to network device) ot recommended to use. SSH Client (for communicating to network devices) AES128-CBC, AES256-CBC, AES256-GCM, AES128-GCM SHA2-256, SHA2-512, SHA1 diffie-hellman-group14-sha1, diffie-hellman-group14-sha256, diffie-hellman-group15-sha512, diffie-hellman-group16-sha512, diffie-hellman-group17-sha512, diffie-hellman-group18-sha512 ote Do not user Telnet client for communication. You can enable additional non-compliant ciphers (such as AES128-CTR, AES192-CTR, 3des-cbc, HMAC-SHA1-96, diffie-hellman-group-exchange-sha1, diffie-hellman-group-exchange-sha256 and diffie-hellman-group1-sha1) using the following CLI command, but this does not guarantee FIPS/CC compliant operations. ncs run sshclient-nonfips-ciphers [enable disable] HTTPS Client (for communicating to network devices and other applications like ISE, Cisco Services, Audit server) TLSv1.2, TLSv1.1 TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Certificate presented by the HTTPS server will be validated. Make sure that: The certificate path terminates with a trusted CA certificate. Certificates have the Server Authentication purpose in the extendedkeyusage field. You install proper certificate, because default keys are generated as per FIPS/CC requirements. A trusted CA reviews and updates the certificate. We recommend to use SMPv3 with AES/SHA or IPSec tunnel for securing SMP trap for FIPS complaint operations. Using SMPv2 or SMPv3 with DES/MD5 are not FIPS compliant. 10

11 Using IPSec Certificate-Based Authentication With FIPS Mode SMPv2 SMPv3 AES-256, AES-198, AES-128 SHA1 Refer Cisco Products Support page for all device related documentaion. Using IPSec Certificate-Based Authentication With FIPS Mode For enhanced security, Prime Infrastructure supports IPSec certificate-based authentication only. This authentication takes place during the IKE/ISAKMP tunnel-establishment negotiation between Prime Infrastructure and the devices it manages. The certificates installed on each device and on Prime Infrastructure should be signed by a common Certificate Authority (CA). To set up certificate-based authentication between Prime Infrastructure and the devices it manages, you must perform the following tasks: 1. Generate a Certificate Signing Request (CSR) and send it to a Certificate Authority (CA) for verification. 2. Import the returned CA certificate to the Prime Infrastructure server (both primary and secondary, if using High Availability features). 3. Import the same CA certificate to the devices Prime Infrastructure will manage. Instructions on how to perform each of these actions are given in the Related Topics. ote Only certificate-based authentication is supported for IPSec in Prime Infrastructure. In Prime Infrastrucutre Wired devices - Only SMP, Syslog and Traps are communicated through Tunnel.In Prime Infrastrucutre Wireless devices - Only SMP is communicated through Tunnel. The following cryptographic operations in IPSec communications are performed by Red Hat Enterprise Linux LibreswanCryptographic Module, FIPS Certificate #2721. IKEv1/IKEv2 We recommend to use IKEv1 for both Wired Device and WLCs. RSA AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-GCM, AES-256-GCM SHA2-256, SHA2-384, SHA2-512, SHA1 Generate the Certificate Related Topics Generate the Certificate, on page 11 Importing the Certificate to Prime Infrastructure, on page 12 To generate a CSR, get it signed by a Certificate Authority (CA), and ready it for import: 11

12 Importing the Certificate to Prime Infrastructure Step 4 Step 5 Log in to Prime Infrastructure using the command line, as explained in How to Connect Via CLI. Do not enter configure terminal mode. At the prompt, enter the following command to generate the CSR: ncs key genkey -newdn -csr test.csr repository defaultrepo This will generate the CSR file test.csr in the Prime Infrastructure server s default repository. Copy test.csr to a file storage resource to which you have all access rights. For example: copy disk:/defaultrepo/test.csr sftp://your.ftp.server. Submit the test.csr file to the third-party Certificate Authority for verification and signing. Depending on the CA, you may need to the file, or paste its contents into a web form. You will receive the server and CA certificates from the CA. For example: C.cer - The server certificate. C is replaced with the common name of the CA (e.g., MyCompany CA ). CA.cer - The CA certificate from the signing authority. You may receive more than one of these files, with various names. Step 6 Copy all the certificate files from your file resource back to the default repository. For example: copy sftp://your.ftp.server/c.cer disk:defaultrepo copy sftp://your.ftp.server/ca.cer disk:defaultrepo You are now ready to import the certificates into the Prime Infrastructure server, as explained in Importing the Certificate to Prime Infrastructure, on page 12. Importing the Certificate to Prime Infrastructure Once you have received and prepared the signed CA certificate (as explained in Generate the Certificate, on page 11 ), you must import it to the Prime Infrastructure server. If you are using Prime Infrastructure s High Availability (HA) features, you will need to import it into both the primary and secondary servers. Step 4 If you have not already done so, log in to Prime Infrastructure using the command line, as explained in How to Connect Via CLI. Do not enter configure terminal mode. At the prompt, enter the following command to import the CA certificate file: ncs key importcacert CA-Alias CA.cer repository defaultrepo If you have more than one CA certificate file: Repeat this step for each CA cert file. Finally, import the C.cer file into the server: ncs key importsignedcert C.cer repository defaultrepo Restart the Prime Infrastructure server to apply the changes: ncs stop 12

13 Generate CSR Certificate for Wired Devices ncs start Generate CSR Certificate for Wired Devices Generate CSR. The following example shows how to generate CSR using Open SSL: bash-4.1# openssl genrsa -des3 -out ngwc.pem 2048 Enter pass phrase for ngwc.pem: <<Password>> Verifying - Enter pass phrase for ngwc.pem: <<Password>> bash-4.1# bash-4.1# openssl req -new -key ngwc.pem -out cert.csr Enter pass phrase for ngwc.pem: <<Password>> Country ame (2 letter code) [XX]:US State or Province ame (full name) []:SJ Locality ame (eg, city) [Default City]:SJ Organization ame (eg, company) [Default Company Ltd]: cisco Organizational Unit ame (eg, section) []:cisco Common ame (eg, your name or your server's hostname) []:polaris-edison.cisco.com Address []: <<Mail id - OPTIOAL>> Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: <OPTIOAL> An optional company name []: <OPTIOAL> [root@babandi01-ova GWC]# We have generated CSR and PEM (key) files. Provide CSR file to CA to get the ROOT CA certificate and Signed Device certificate. Import CA Certificate in Wired Devices Login to wired device. To import ROOT CA certificate, Key file and Signed Device certificate. Copy and paste the below sample code block in the device CLI: conf t crypto pki trustpoint <CA Server ame> enrollment terminal PEM crl optional exit crypto pki import SSL-CA pem exportable terminal password <Password> ** <Password> - Provide the password used while generating Private key before CSR Generation. ** Open the ROOT CA certificate received from CA, copy entire contents and paste the same here including BEGI and ED. Type quit and press enter once pasted. ** Open Private key file generated from openssl, copy entire contents and paste the same here including BGI and ED. Type quit and press enter once pasted. ** Open etwork Device Certificate received from CA, copy entire contents and paste the same here including BGI and ED. Type quit and press enter once pasted. ote: Certificate import will be successful if certificates are valid one. Validate the CA certificate. 13

14 Configure IPSEC in Wired Device To validate whether the certificate is imported successfully, enter show crypto pki certificates command. The parameter is used to manage the network device in Prime Infrastructure application and considered as IPSEC parameter. Certificate Status: Available Certificate Serial umber (hex): <<SERIAL-o>> Certificate Usage: General Purpose Issuer: cn=<<c-ame>> o=<<issued-orgaizatio>> c=<<issued COUTRY>> Subject: ame: <<FQD AME>> e=<< ID PROVIDED WHILE GEERATIG CSR>> cn=<<fqd AME>> ou=<<orgaisatio UIT provided while generating CSR>> o=<<issued-orgaizatio>> l=<<city provided while generating CSR>> st=<<state provided while generating CSR>> c=<<coutry provided while generating CSR>> CRL Distribution Points: <<Distributor CRL>> Validity Date: start date: 16:10:33 UTC Oct end date: 16:20:33 UTC Oct Associated Trustpoints: SSL-CA Configure IPSEC in Wired Device The following example shows how to configure devices properly for IPSec communication: conf t crypto ikev2 proposal <PROPOSAL-AME> encryption aes-cbc-256 integrity sha1 sha256 group 14 crypto ikev2 policy <POLICY-AME> match address local <<ETWORK DEVICE IP>> proposal <PROPOSAL-AME> 14

15 Configure IPSec between Prime Infrastructure and Wireless LA controllers crypto ikev2 authorization policy <POLICY-AME> crypto isakmp policy 1 encr aes 256 hash sha authentication rsa-sig Certiifcate group 14 lifetime exit --> This key word assures the authentication happened using SSL CA crypto isakmp identity dn ---> This key word only makes the communication happened using IPSEC parameters. This is simply called as Subject D. crypto pki certificate map CERTMAP 10 subject-name co c = in crypto isakmp profile <PROFILE-AME> ca trust-point SSL-CA match certificate CERTMAP crypto ipsec transform-set aes256-sha1 esp-aes 256 esp-sha-hmac mode tunnel Mode. This can be Tunnel or Transport exit ip access-list extended <<ACCESS-LIST-AME>> permit udp host <<ETWORK-DEVICE-IP>> host <<APPLICATIO-SERVER-IP>> crypto map <MAP-AME> 1 ipsec-isakmp set peer <<APPLICATIO-SERVER-IP>> set transform-set aes256-sha1 set isakmp-profile <PROFILE-AME> match address <<ACCESS-LIST-AME>> exit interface <Managment-interface> crypto map <MAP-AME> ---> This Command binds the crypto map to the interface exit exit ote The default lifetime configuration value of IKE/IPSEC on Prime Infrastructure is 28800/3600. IKE/IPSEC lifetime value should be same for both the device and Prime Infrastructure. Configure IPSec between Prime Infrastructure and Wireless LA controllers To configure IPSec between Prime Infrastructure and wireless LA controllers, you must generate CSR certificates for Cisco Wireless LA Controllers (WLCs), import certificates to WLCs, and configuring IPSec for WLCs. For more details, see Generate CSR for Third-Party Certificates and Download Chained Certificates to the WLC. Remember that the certificates installed on each device and on Prime Infrastructure should be signed by a common Certificate Authority (CA). Manage Devices in Prime Infrastructure Follow the below steps to add devices in Prime Infrastructure: 15

16 How to Use High Availability With FIPS Mode Before you begin Refer "Configure IPSec between Prime Infrastructure and Wireless LA controllers" to generate the CSR and install the signed certificate. You should also enable the FIPS pre-requisites in WLC. Ensure that the SSL certificates are signed by common Certificate Authority(CA) and imported in Prime Infrastrucutre server. Step 4 Choose Inventory > Device Management > etwork Devices Click the Add icon above the etwork Devices table, then choose Add Device. Enter the General, SMP and Telnet/SSH parameters. Click IPsec tab. a) Select Enable IPSec Communication check box. b) Select Transport from the Mode dropdownlist. c) Enter the following in the Certificate Subject D field. The subject name available in the device under Certificate after issuing show crypto pki certificate" command, for wired devices. The subject name available in the device under IPSec Device Certificate details" after issuing show certificate ipsec certificate" command, for wireless LA devices. d) Leave the Others filed empty for wired devices, and enter "forceencaps= yes or no" (depending on the network) for wireless LA. Step 5 Click Add. Device will be added successfully. How to Use High Availability With FIPS Mode For details on running Prime Infrastructure in FIPS mode with high availability functionality, see How to Set Up HA in FIPS Mode. ote The Database synchronization happens through IPSec tunnel during HA operations. Using Backup and Restore With FIPS Mode Backup and restore of a Prime Infrastructure server installed in FIPS mode works the same way as with servers not installed in FIPS mode. ote, however, that you cannot restore data backed up from a server not installed in FIPS mode to a server installed in FIPS mode. Similarly, data backed up from a server installed in FIPS mode cannot be restored to a server not installed in FIPS mode. Using Operations Center With FIPS Mode Use of Operations Center is not supported with any Prime Infrastructure server installed in FIPS mode. 16