Saving TLS config in vIOS .con file

Document created by cdnadmin on Jan 25, 2014

Subject: RE: Saving TLS config in vIOS .con file
Replied by: Joseph Clarke on 20-12-2013 10:26:13 AM
You cannot save the cert info on the device such that it can survive a netdelete/netcreate.  We looked at doing this, but it was not possible.  This is why we have the script to create a new certificate.  This is done automatically when the 3node network is first created.  The root cert is stored at /home/cisco/ca.pem.  You can use that across netdelete/netcreates.  Make sure you have the latest AiO VM, though.  We will be posting 1.1.0.99.  Earlier versions didn't have this automation, and thus things were a lot messier.

Subject: RE: Saving TLS config in vIOS .con file
Replied by: Joseph Clarke on 20-12-2013 10:50:09 AM
It will be posted here as soon as the licensing is cleared up.  I see that the SDKs should be available tomorrow, perhaps the AiO will be there as well.
This document was generated from CDN thread

Created by: Jacoby Thwaites on 20-12-2013 10:00:18 AM
I'm trying to save a TLS config (with disable-remotecert-validation) so that I can do:
vmcloud netdelete
followed by:
vmcloud netcreate
and have the virtual routers start, complete with their correct TLS config.
I get the router working fine, with my onePK app connecting over TLS. I then did:
show run
and copied the result into e.g. myrouter.con which is the router startup config.
It almost works, and the onePK app is definitely connecting on the right port (15002) for TLS. But this error occurs on the router and the TLS connection fails:
[12/20/13 15:39:52.842 4B] [209] : Failed to config ssl session, rc: -1005 [onep_al_tls_accept:231]
[12/20/13 15:39:52.849 4C] [209] : onep tls server: accept failed with error Unknown error 0 [onep_socket_accept_handler:262]
Is there anything I should add to the config (I have ensured the interfaces are up etc, and was wondering if e.g. a "no shut" should appear somewhere else).

I've attached my config file in case it's useful.

Subject: RE: Saving TLS config in vIOS .con file
Replied by: MARKUS RAINER on 20-12-2013 10:16:20 AM
Maybe serial number of router changed?
What certificate did you save to your keystore? CA Server's certificate or the router's one?

Best regards
Markus

Subject: RE: Saving TLS config in vIOS .con file
Replied by: Jacoby Thwaites on 20-12-2013 10:26:36 AM
Hi Markus

The serial number of the virtual routers doesn't exist, so I select No when asked whether to include serial number, and No when asked to include IP address in the enroll step.

I do the following steps to save the certificate in my Java keystore:
  1. conf term
  2. crypto pki export onepkTP pem terminal
  3. Paste the 2 certificates into foo.pem file
  4. Use keytool -import -alias onepkTP -file foo.pem -keystore foo.jks
The onePK Java app is then configured to use foo.jks.
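The export step above pastes two certificates into one file, and Markus's question (CA certificate or router certificate?) is exactly what you need to answer before the keytool import. The following is an added example, not code from this thread or from Cisco: a stdlib-only Python script that splits a PEM bundle into its certificates, walks just enough of the DER structure to read each certificate's issuer and subject, and flags which entry is self-signed (the CA/root) and which is issued by it (the router identity). The sample bundle is constructed inside the script from certificate-shaped DER with a dummy signature so it runs offline; the names "onepk-ca", "myrouter" and "Example Lab" are assumptions, not values from the thread.

```python
"""Split a PEM bundle (as pasted from `crypto pki export ... pem terminal`) and
report, per certificate, subject, issuer and whether it is self-signed."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def split_pem(text):
    """Return the DER bytes of every CERTIFICATE block found in a PEM text."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(text)]

def read_tlv(buf, pos=0):
    """Decode one DER tag-length-value at buf[pos]; return (tag, content, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Yield (tag, content) for each TLV packed inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        yield tag, body

# X.520 attribute OIDs we render by name; anything else is shown as hex.
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O",
             b"\x55\x04\x0b": "OU", b"\x55\x04\x06": "C"}

def name_to_str(name):
    """Render an X.501 Name: SEQUENCE OF RDN, each RDN a SET OF {OID, value}."""
    parts = []
    for _, rdn in children(name):
        for _, atv in children(rdn):
            (_, oid), (_, value) = list(children(atv))
            parts.append(f"{OID_NAMES.get(oid, oid.hex())}={value.decode()}")
    return ",".join(parts)

def describe(der):
    """Pull issuer and subject out of tbsCertificate and compare them."""
    _, cert, _ = read_tlv(der)
    tbs = list(children(cert))[0][1]          # tbsCertificate is the first element
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:                  # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    issuer, subject = name_to_str(fields[2][1]), name_to_str(fields[4][1])
    return {"subject": subject, "issuer": issuer, "self_signed": issuer == subject}

def classify_bundle(pem_text):
    """Describe every certificate in the bundle, in file order."""
    return [describe(der) for der in split_pem(pem_text)]

# ---- constructed sample input (not real certificates; dummy signatures) ----
def _tlv(tag, content):
    """Minimal DER encoder used only to build the sample."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _name(cn, org):
    def atv(oid, v):
        return _tlv(0x30, _tlv(0x06, oid) + _tlv(0x0C, v.encode()))
    return _tlv(0x30, _tlv(0x31, atv(b"\x55\x04\x0a", org)) + _tlv(0x31, atv(b"\x55\x04\x03", cn)))

def _fake_cert(subject, issuer):
    """Certificate-shaped DER (assumed sha256WithRSA OID, zeroed key and signature)."""
    alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _tlv(0x05, b""))
    validity = _tlv(0x30, _tlv(0x17, b"131220000000Z") + _tlv(0x17, b"141220000000Z"))
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00" * 9))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
               + alg + issuer + validity + subject + spki)
    der = _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 9))
    b64 = base64.encodebytes(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n"

_CA = _name("onepk-ca", "Example Lab")       # assumed names
_ROUTER = _name("myrouter", "Example Lab")
SAMPLE_BUNDLE = _fake_cert(_CA, _CA) + _fake_cert(_ROUTER, _CA)

if __name__ == "__main__":
    for i, info in enumerate(classify_bundle(SAMPLE_BUNDLE)):
        kind = "self-signed (CA/root)" if info["self_signed"] else f"issued by {info['issuer']}"
        print(f"cert {i}: {info['subject']} -> {kind}")
```

Run it against the real export by replacing SAMPLE_BUNDLE with the contents of foo.pem. The self-signed entry is the one to trust on the client side; if the keystore holds only the router's own certificate, it will stop validating as soon as the router is re-enrolled after a netdelete/netcreate, which matches the failure mode described in this thread.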

Subject: RE: Saving TLS config in vIOS .con file
Replied by: Jacoby Thwaites on 20-12-2013 10:30:16 AM
Ah, ok. Thanks Joseph.

Subject: RE: Saving TLS config in vIOS .con file
Replied by: Jacoby Thwaites on 20-12-2013 10:46:03 AM
Joseph, where will you be posting the latest AiO VM?

I received it through some complicated temporary download link a while back which I think only works once.
