Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at

Similar documents
Creating and Installing SSL Certificates (for Stealthwatch System v6.10)

Downloading and Licensing. (for Stealthwatch System v6.9.1)

Flow Sensor and Load Balancer Integration Guide. (for Stealthwatch System v6.9.2)

Cisco CSPC 2.7x. Configure CSPC Appliance via CLI. Feb 2018

Cisco Meeting Management

External Lookup (for Stealthwatch System v6.10.0)

SAML SSO Okta Identity Provider 2

Cisco FindIT Plugin for Kaseya Quick Start Guide

Method of Procedure for HNB Gateway Configuration on Redundant Serving Nodes

Cisco Meeting App. Cisco Meeting App (Windows) Release Notes. March 08, Cisco Systems, Inc.

Stealthwatch and Cognitive Analytics Configuration Guide (for Stealthwatch System v6.10.x)

Installation and Configuration Guide for Visual Voic Release 8.5

Cisco TelePresence FindMe Cisco TMSPE version 1.2

Validating Service Provisioning

Cisco TelePresence Management Suite Extension for Microsoft Exchange Software version 5.7. User Guide July 2018

Application Launcher User Guide

Recovery Guide for Cisco Digital Media Suite 5.4 Appliances

Cisco Meeting App. What's new in Cisco Meeting App Version December 17

Cisco TelePresence Management Suite Extension for Microsoft Exchange 5.2

Cisco Jabber for Android 10.5 Quick Start Guide

Proxy Log Configuration

Cisco Unified Communications Self Care Portal User Guide, Release 11.5(1)

Cisco TelePresence Management Suite Extension for Microsoft Exchange Software version 5.0

Cisco Meeting App. Cisco Meeting App (OS X) Release Notes. July 21, 2017

Cisco TelePresence Management Suite Extension for Microsoft Exchange 5.5

Cisco Proximity Desktop

Cisco Unified Communications Self Care Portal User Guide, Release

Proxy Log Configuration

Cisco Meeting App. Release Notes. WebRTC. Version number September 27, Cisco Systems, Inc.

Cisco TelePresence Management Suite Extension for Microsoft Exchange 5.6

Authenticating Cisco VCS accounts using LDAP

Videoscape Distribution Suite Software Installation Guide

Cisco TelePresence Management Suite Extension for Microsoft Exchange Software version 3.1

Cisco Expressway Authenticating Accounts Using LDAP

Cisco Jabber IM for iphone Frequently Asked Questions

NNMi Integration User Guide for CiscoWorks Network Compliance Manager 1.6

Cisco Meeting Management

Cisco Meeting Management

TechNote on Handling TLS Support with UCCX

Migration and Upgrade: Frequently Asked Questions

Cisco Meeting Server. Cisco Meeting Server Release 2.0+ Multi-tenancy considerations. December 20, Cisco Systems, Inc.

Cisco UCS C-Series IMC Emulator Quick Start Guide. Cisco IMC Emulator 2 Overview 2 Setting up Cisco IMC Emulator 3 Using Cisco IMC Emulator 9

Cisco CSPC 2.7.x. Quick Start Guide. Feb CSPC Quick Start Guide

Cisco TelePresence Authenticating Cisco VCS Accounts Using LDAP

Cisco Meeting App. Cisco Meeting App (ios) Release Notes. October 06, 2017

Cisco UCS Performance Manager Release Notes

Cisco Jabber Video for ipad Frequently Asked Questions

Cisco Meeting App. Cisco Meeting App (Windows) Release Notes. March 08, Cisco Systems, Inc.

Cisco Connected Grid Design Suite (CGDS) - Substation Workbench Designer User Guide

Cisco TEO Adapter Guide for SAP Java

Cisco StadiumVision Management Dashboard Monitored Services Guide

Cisco TelePresence Management Suite Provisioning Extension 1.6

Cisco Prime Home Device Driver Mapping Tool July 2013

CPS UDC MoP for Session Migration, Release

Deploying Devices. Cisco Prime Infrastructure 3.1. Job Aid

Cisco Meeting App. Cisco Meeting App (OS X) Release Notes. October 24, Cisco Systems, Inc.

Cisco Expressway with Jabber Guest

Cisco Cloud Services Platform 2100 Quick Start Guide, Release 2.2.0

Wireless Clients and Users Monitoring Overview

Cisco TelePresence TelePresence Server MSE 8710

Cisco UCS Performance Manager Release Notes

Cisco Terminal Services (TS) Agent Guide, Version 1.1

Cisco Expressway ENUM Dialing

Stealthwatch System v6.9.0 Internal Alarm IDs

Provisioning an OCH Network Connection

Cisco TelePresence Server 4.2(3.72)

Cisco TelePresence MCU MSE 8510

Authenticating Devices

Cisco TelePresence Supervisor MSE 8050

VCS BSS/OSS Adaptor (BOA) 17.2 Release Notes

Quantum Policy Suite Subscriber Services Portal 2.9 Interface Guide for Managers

Cisco C880 M4 Server User Interface Operating Instructions for Servers with E v2 and E v3 CPUs

Cisco Connected Mobile Experiences REST API Getting Started Guide, Release 10.2

Cisco Unified Communications Manager Device Package 10.5(1)( ) Release Notes

Cisco TelePresence Management Suite 15.5

Prime Service Catalog: UCS Director Integration Best Practices Importing Advanced Catalogs

Cisco TEO Adapter Guide for

Cisco Unified Communications Manager Device Package 8.6(2)( ) Release Notes

CC Software version 1.5.0

Cisco Cloud Services Platform 2100 Quick Start Guide, Release 2.2.5

Cisco TEO Adapter Guide for Microsoft System Center Operations Manager 2007

Cisco Terminal Services (TS) Agent Guide, Version 1.1

Cisco UCS Director F5 BIG-IP Management Guide, Release 5.0

Cisco Unified Web and Interaction Manager Browser Settings Guide

Cisco TelePresence MCU MSE 8510

Tetration Cluster Cloud Deployment Guide

Cisco Prime Network Registrar IPAM 8.3 Quick Start Guide

Troubleshooting guide

Cisco Meeting Management

Cisco Services Platform Collector 2.7.4

Cisco Report Server Readme

Media Services Proxy Command Reference

Cisco Terminal Services (TS) Agent Guide, Version 1.0

Cisco CIMC Firmware Update Utility User Guide

Wired Network Summary Data Overview

Managing Device Software Images

Cisco UCS Virtual Interface Card Drivers for Windows Installation Guide

Cisco UC Integration for Microsoft Lync 9.7(4) User Guide

Cisco WebEx Best Practices for Secure Meetings for Site Administrators and Hosts

Compatibility Matrix for Cisco Unified Communications Manager and IM & Presence Service, Release 11.x

Transcription:

Document Date: May 16, 2017 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the perating system. All rights reserved. Copyright 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE -NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental. All printed copies and duplicate soft copies are considered un-controlled copies and the original on-line version should be referred to for latest version. Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) 2017 Cisco Systems, Inc. All rights reserved.

Contents Contents Introduction... 4 Audience... 4 Before You Begin... 4 Creating Certificates... 5 Creating a Private Key... 5 Creating a Certificate Signing Request... 5 Creating a Certificate Chain... 7 Installing Certificates... 8 Verification... 10 3

Introduction 1 Introduction This document provides the procedures for creating and installing third party or internal verified certificates to your Stealthwatch System. Note: The Stealthwatch system only supports certificates in PEM format and encrypted with RSA. Audience The primary audience for this guide includes administrators responsible for configuring the Stealthwatch System. Before You Begin Before creating and installing the certificates, you should do the following: Check that your Stealthwatch system is communicating by following these steps: o Go to the SMC client interface. Check the Alarm Table to make sure there are no active Management Channel Down or Failover Channel Down alarms. o Go to the SMC client interface. Open the Flow Collector Dashboard. Check that all three sections of the dashboard have data. Check that you have the proper Stealthwatch licenses. 4

Creating Certificates 2 Creating Certificates Creating a Private Key To create a private key for each appliance (Stealthwatch Management Console, Flow Sensor, Flow Collector, UDP Director), complete the following steps: 1. Access the terminal emulator window for the appliance and enter the appliance IP address. 2. Log in as the root user. 3. To navigate to a temp folder, type the following command: cd /lancope/var/admin/tmp 4. To generate a private key, type the following command: openssl genrsa des3 out server.key 4096 5. Type a password and press Enter. Note: Type in a phrase that is long and complex, but that you can remember (y least twice). Try to use capital and lowercase letters and punctuation. The more different characters you use, the better. 6. To decrypt the private key, type the following commands: cp server.key server.key.org openssl rsa in server.key.org out server_smc1.key Note: The key can be downloaded from this link: https://smc_ip/smc/files/admin/tmp. You can also decrypt the key after you get the certificate back from the Certificate Authority, after step 6 in the next section. Creating a Certificate Signing Request To make a Certificate Signing Request (CSR) with OpenSSL for each appliance, complete the following steps: Note: You will have several server certificates once you have completed this section. The following image shows an example of the created certificates: 5

Creating Certificates 1. Access the terminal emulator window for the appliance and enter the appliance IP address. 2. Log in as the root user. 3. To navigate to a temp folder, type the following command: cd /lancope/var/admin/tmp 4. To generate a CSR, type the following command: openssl req new key server_smc1.key out server_smc1.csr 5. Enter the required information (sample answers in bold): Country Name (2 letter code) [GB]: US State or Province Name (full name) [Berkshire]: Georgia Locality Name (eg, city) [Newbury]: Atlanta Organization Name (eg, company) [My Company Ltd]: Lancope Organizational Unit Name (eg, section) []: Information Technology Common Name (eg, your name or your server's hostname) []: server_mysmc1.lancope.com Email Address []: john.doe@lancope.com Please enter the following 'extra' attributes to be sent with your certificate request: A challenge password []: An optional company name []: Caution: Do not have any certificates with duplicate names. The common name must be unique. We recommend you use the Fully Qualified Domain Name. 6. Send the CSR, server_smc1.csr, to a Certificate Authority, such as VeriSign or GoDaddy, or an internal CA to create the endpoint certificate. a. Request the Certificate Authority provide you with TLS Enhanced Values and PEM format when creating the endpoint certificate. 6

Creating Certificates i. TLS Web Server Authentication (1.3.6.1.5.5.7.3.1) ii. TLS Web Client Authentication (1.3.6.1.5.5.7.3.2) b. Follow the instructions the CA provides. Creating a Certificate Chain To create a certificate chain from a third party certificate, complete the following steps: Note: You will need the whole chain when uploading the SSL endpoint certificate. It will look like the inverse of the certification path, with the Root CA last. The following is an example of the chain: Intermediate certificate --Begin--- <chain> --End----- Secondary CA Certificate --Begin--- <chain> --End----- Root CA --Begin--- <chain> --End----- 1. Extract the certificate zip file received from the third party. 2. Follow the next steps to export the certificates on Windows: Note: We recommend using a Windows VM to export the certificates instead of Mac OS/X. a. b. Click Certification Path. Choose your Issuing/Secondary/Intermediate CA, and then click View Certificate. c. The certificate will pop-up as a new window. Click Details, and then click Copy To File. d. Run through the export wizard, using X.509 as the export type. Note: You will have to do this for every step in the certificate path, including the Root CA. When you are on the last step of the path, View Certificate will be greyed out. 3. Use a text editor to make the chain certificate look like the example above. 7

Installing Certificates 3 Installing Certificates To install the certificates, complete the following steps: Caution: We recommend you do this at a maintenance window because this will break communications between your Stealthwatch appliances. Communications will not be restored until you complete all of the steps. 1. Install the root Certificate Authority (CA) certificate that was exported previously and the endpoint certificate, with the chain, on each appliance by following these steps: a. Log in as an admin user to the Appliance Admin interface for the appliance where you are applying the certificate. b. From the main menu, select Configuration > Certificate Authority Certificates. c. Click Choose File and select the certificate. d. In the Name field, type a name to identify the certificate. Note: The suggested name is the host name of the appliance on which the certificate will be installed. Valid characters are alphanumeric, dash (-), underscore (_), and dot (.). Do not use spaces or any other special characters. e. Click Add Certificate. f. Click Submit. 2. Install the individual Secure Socket Layer (SSL) Server certificates and keys on each appliance by following these steps: a. Log in as admin user to the Appliance Admin interface for the appliance where you are applying the SSL certificate. b. From the main menu, select Configuration > SSL Certificate. c. -encoded) field, click Choose File to access the file that contains the endpoint certificate for the appliance. d. -encoded) ( last section of the previous chapter. Note: The certificate chain is only optional if you are using a self-signed certificate. 8

Installing Certificates e. - Choose File to access the location of the private key file, server_smc1.key, for the appliance. f. Click Upload Certificate to upload and apply the certificates from the provided fields to the appliance. 3. Import the endpoint certificate to the (JRE) cacerts file on every computer that is using the SMC client interface by following these steps: a. Open a command prompt as an administrator. b. Change the directory to your Java Home Bin folder. Note: Install the endpoint certificate to the version of Java that you are using. Your path may be different from the following examples. i. Example path on Windows: cd C:\Program Files (x86)\java\jre1.8.0_101\bin ii. Example path on Mac OS/X: cd \System\Library\Internet Plug Ins\JavaAppletPlugin.plugin\Home\bin c. Type the following command to import the endpoint certificate into the trust store: i. Command on Windows: keytool import alias <alias> -keystore..\lib\security\cacerts -file <path to cert> ii. Command on Mac OS/X: sudo keytool import alias <alias> -keystore..\lib\security\cacerts -file <path to cert> d. Type the keystore password. Note: The default keystore password is changeit. e. Type yes to trust the certificate. 4. Install the endpoint certificate s operating system certificate store/keychain that connects to Stealthwatch. Refer to your Operating S 9

Verification 4 Verification To verify your certificates are working properly, complete the following steps: Note: This section is optional, but highly recommended. 1. Log in to the SMC Web App. Click the padlock on your browser and view the certificate. Verify that it is using the endpoint certificate and not the default Lancope certificate. 2. Go to the SMC client interface. Check the Alarm Table to make sure there are no active Management Channel Down or Failover Channel Down alarms. 3. Go to the SMC client interface. Open the Flow Collector Dashboard. Check that all three sections of the dashboard have data. If not, there is likely an issue with the certificates setup. The following image is an example of the dashboard: 2017 Cisco Systems, Inc. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) SW_6_9_0_Creating_and_Installing_SSL_Certificates_DV_1_6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback