TLS

Document created by cdnadmin on Jan 25, 2014
This document was generated from CDN thread

Created by: Alexander Bondar on 20-08-2013 04:52:16 PM
I have tried to configure TLS on the router using "GettinStartedUserGuide" and I have the following problem: when I try to start a certificate enrollment I get a refusal. That's why while trying to run a tutorial I get either "Remote host closed connection while handshake" or just "Connection refused". The type of error depends on which tutorial I'm trying to run. And there is one more question: in the TLS configuration manual, when we have to create a trustpoint there is a string "en url http://<ip address of admin interface?>". What is the exact address? I think that before TLS configuration it is necessary to configure the router like here: http://zed.cisco.com/confluence/display/OPSTC/User+Guide+for+all-in-one-VM . In this configuration we set the IP of the admin interface (as I think, but I am not sure that it is right). If I am mistaken, which address should I use? The address of the router shown by the getextip command?

Subject: RE: New Message from Alexander Bondar in onePK Developer - Forum Topic - on
Replied by: Zach Seils on 20-08-2013 06:58:50 PM
Can you please detail the steps you followed and what error you received when trying to perform the certificate enrollment?

Thanks,
Zach


From: Cisco Developer Community Forums [mailto:cdicuser@developer.cisco.com]
Sent: Tuesday, August 20, 2013 5:52 PM
To: cdicuser@developer.cisco.com
Subject: New Message from Alexander Bondar in onePK Developer - Forum Topic - onePK Developer: Trasportation Exception

Subject: RE: New Message from Alexander Bondar in onePK Developer - Forum Topic - on
Replied by: Alexander Bondar on 21-08-2013 11:26:01 AM
Router config

    telnet 127.0.0.1 3535
    Router2#conf
    Router2(config)#username cisco privilege 15 password 0 <password>
    Router2(config)#interface GigabitEthernet0/0
    Router2(config-if)#ip address 10.10.20.10 255.255.255.0
    Router2(config-if)#duplex auto
    Router2(config-if)#speed auto
    Router2(config-if)#no shut
    Router2(config)#onep
    Router2(config-onep)#transport type tcp
    Router2(config-onep)#end

    cisco@ubuntu:~$ /usr/bin/vmcloud vmdiag cisco.3node.router2
    sudo ifconfig vb143874ccf0f50 10.10.20.100/24 up

TLS config

    router> enable
    router# configure terminal
    router(config)# ip http server
    router(config)# onep
    router(config-onep)# transport tls disable-remotecert-validation
    router(config-onep)# start
    router(config-onep)# exit
    router(config)# crypto pki server onepkCA
    router(cs-server)# database level minimum
    router(cs-server)# grant auto
    router(cs-server)# no shut
    Password: <password>
    Re-enter Password: <password>
    router(cs-server)# exit
    router(config)# crypto pki trustpoint onepkTP
    router(ca-trustpoint)# en url http://<ip address of Router Administration GigabitEthernet Interface>   // I am not sure which address is needed
    router(ca-trustpoint)# exit
    router(config)# crypto pki authenticate onepkTP
    % Do you accept this certificate? [yes/no]: yes
    Trustpoint CA certificate accepted.
    router(config)# crypto pki enroll onepkTP   // Here is an error: Creation failed. I can't understand why


Subject: RE: New Message from Alexander Bondar in onePK Developer - Forum Topic - on
Replied by: Zach Seils on 22-08-2013 08:39:50 AM
The IP address to use for the trustpoint URL is an IP address on the router itself.  You are basically specifying the IP address on the router that CA enrollment requests will be directed to.

Zach


From: Cisco Developer Community Forums [mailto:cdicuser@developer.cisco.com]
Sent: Wednesday, August 21, 2013 12:26 PM
To: cdicuser@developer.cisco.com
Subject: New Message from Alexander Bondar in onePK Developer - Forum Topic - onePK Developer: RE: New Message from Alexander Bondar in onePK Developer - Forum Topic - on

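The two symptoms named in the first post ("Connection refused" versus "Remote host closed connection while handshake") come from different layers, and the probe below, added here as a diagnostic and not code from the thread or from Cisco, tells them apart: a refused connection means nothing is listening on the onePK TLS port (onep not started, TLS transport not enabled, or wrong port), while a handshake the router aborts or a certificate that fails verification points at the PKI side (trustpoint, CA server, enrollment). It assumes a listener port of 15002 and the router address 10.10.20.10 from the posted config, and optionally takes the onepkCA certificate as a PEM file so the router's server certificate is verified against the CA the client is supposed to trust.

```python
import socket
import ssl

# Assumption: the thread does not name the onePK TLS port; 15002 is used here.
ONEPK_TLS_PORT = 15002


def classify(exc):
    """Map a socket or TLS exception to the symptom wording used in the thread."""
    if isinstance(exc, ConnectionRefusedError):
        # Nothing listening: 'onep' not started, TLS transport not enabled, or wrong port.
        return "connection refused"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        # No answer at all: wrong address, routing, or a firewall in between.
        return "timeout"
    if isinstance(exc, ssl.SSLCertVerificationError):
        # Listener is up and presented a certificate, but it does not chain to our CA file.
        return "certificate verification failed"
    if isinstance(exc, (ssl.SSLEOFError, ConnectionResetError)):
        # TCP accepted, but the router tore the session down during TLS negotiation.
        return "remote host closed connection during handshake"
    if isinstance(exc, ssl.SSLError):
        return "tls error"
    return "other"


def probe(host, port=ONEPK_TLS_PORT, cafile=None, timeout=5.0):
    """Open a TCP connection and complete a TLS handshake.

    Returns ("ok", negotiated TLS version) or (symptom, error text).
    With cafile (PEM of the router's onepkCA certificate) the router's server
    certificate is verified against that CA; without it the handshake is
    completed unverified, for diagnosis only."""
    ctx = ssl.create_default_context(cafile=cafile) if cafile else ssl.create_default_context()
    # The router certificate's subject is its own hostname, not the IP we dial, so
    # hostname matching is skipped; chain validation still applies when cafile is set.
    ctx.check_hostname = False
    if cafile is None:
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok", tls.version()
    except OSError as exc:  # ssl.SSLError is an OSError subclass
        return classify(exc), str(exc)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "10.10.20.10"  # GigabitEthernet0/0 from the thread
    print(probe(host, cafile=sys.argv[2] if len(sys.argv) > 2 else None))
```

Run it once without a CA file to see whether the listener is reachable at all, then again with the exported onepkCA certificate to confirm the router's certificate actually chains to the CA the tutorial clients trust.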