transport type tls disable-remotecert-validation

Document created by cdnadmin on Jan 25, 2014
This document was generated from CDN thread

Created by: joel king on 09-01-2014 03:11:46 PM
I'm working through setting up both ISR 2911's and Nexus 3048's for TLS; both are configured for 'transport type tls disable-remotecert-validation'. The ISR 2911 I have working, the Nexus 3048's not. Any help on 'ONEP TLS recv error: 5' from the following debug?

N3K-3_nex-3048-b - version 6.0(2)U2(1)


2014 Jan  9 15:14:34 N3K-3_nex-3048-b onep: [-1427432560] : Accept Success [onep_tls_openssl_ssl_accept:575]
2014 Jan  9 15:14:34 N3K-3_nex-3048-b onep: [-1427432560] : ONEP TLS done accept_fd: 62, pid: -1427432560, context: 0x8df3a84, tls 0x8df3a98 [onep_al_tls_accept:949]
2014 Jan  9 15:14:34 N3K-3_nex-3048-b onep: [-1427432560] : select library registering fd 58 [register_fd:432]
2014 Jan  9 15:14:34 N3K-3_nex-3048-b onep: [-1427432560] : select lib enqueuing: 58 [enqueue_op:404]
2014 Jan  9 15:14:34 N3K-3_nex-3048-b onep: [-1427432560] : Listening on fd 58 accepted fd 62 from 10.7.16.219:49509 [onep_transport_accept_handler:386]
2014 Jan  9 15:14:34 N3K-3_nex-3048-b onep: [-1427432560] : ONEP TLS recv error: 5, len: 4096, fd: 62, pid: -1427432560 rd_len: 0, errno: Success (0) [onep_al_tls_recv:703]


isr-2911-a# c2900-universalk9-mz.SPA.153-3.M.bin
Jan  9 15:38:19.195 est: [400] : ONEP TLS done accept_fd: 4, pid: 400, context: 2287F4F4 [onep_al_tls_accept:241]
Jan  9 15:38:20.103 est: [400] : Server Done tos 1 [cthrift_recv_main__:2256]
Jan  9 15:38:20.103 est: [400] : GettingStarted_onePK_tls-10.255.138.120: Connecting attempt: username timeout[0] shandle[0] fd[4] [NetworkElement_connectIDL:219]

Subject: RE: transport type tls disable-remotecert-validation
Replied by: Joseph Clarke on 09-01-2014 04:54:52 PM
I just set my 3048 up with TLS, and I'm having success.  The setup guide for NX-OS was missing some steps with setting up an RSA keypair for the CA trustpoint.  Can you confirm the steps you used to configure the N3K for TLS?

Beyond that, what version of the client API are you using?  I've seen some TLS issues with 1.0 APIs going to a 1.1 network element.  What is your app doing?

Subject: RE: transport type tls disable-remotecert-validation
Replied by: joel king on 09-01-2014 05:40:00 PM
Joe, I am using the 16 December release of onePK and Python. I suspect the problem relates to using IP address versus fully qualified domain name in the certificates. Are you using FQDN or IP addresses? My plan was to tear down my CA and the other router and switch and use only FQDN when I bring it back up, and document all the configuration steps. Will advise.

Subject: RE: transport type tls disable-remotecert-validation
Replied by: Joseph Clarke on 09-01-2014 05:57:55 PM
I was using hostname.  FQDN didn't work as my cert CN was only the hostname.  When I test with IP, I get an error in the app.  This likely is happening since I don't have the IP in the cert.  The good news is, we're sorting out all of this for our GA release where we'll be able to use certificate pinning in a manner similar to SSH.

I was able to get the simpleCA on our all-in-one VM working with the N3K.  But if you have a CA of your own, give it a try with FQDN or at least hostname.  That should work for you.

Subject: RE: transport type tls disable-remotecert-validation
Replied by: joel king on 13-01-2014 10:09:24 AM
Joe, I have been able to re-create the issue eliminating the Nexus, by using two 2911's, one configured as the CA and the second enrolled with the CA. On the second 2911 the certificate included the IP address; on the first, the certificate enrollment did not include the IP address. I'll send you additional information later today. I'm successful with the router that included the IP address in the subject of the certificate, when connecting using the IP address, but when the certificate contains the FQDN, I cannot connect using the FQDN as the network element address. I think the issue is more than the Nexus 3048 at this point.

-joel
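The behaviour described in the two posts above (a certificate whose CN is only the bare hostname works when the hostname is dialed but not the FQDN; dialing the IP address fails unless the IP is in the certificate) is what the name-matching rules of a standard TLS client (RFC 2818 / RFC 6125) produce. Because the network element is configured with `disable-remotecert-validation` and no client certificate, this check on the end host is the only authentication in the exchange. The following is an added example, not code from the thread or from the onePK SDK, and it does not claim the SDK's own check is identical; the two certificates are constructed in the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, and the subjectAltName layout assumed for an IOS-enrolled certificate that "includes the IP address" is an assumption, not something this thread verifies.

```python
"""Which names a server certificate actually vouches for.

Added illustration of the RFC 2818 / RFC 6125 name-matching rules a standard
TLS client applies; not onePK SDK code. Certificates below are constructed
in the dict shape returned by ssl.SSLSocket.getpeercert().
"""
import ipaddress

# Constructed: like the certificate Joseph describes, CN is the bare hostname
# and there is no subjectAltName extension at all.
CERT_CN_ONLY = {
    "subject": ((("commonName", "router1"),),),
}

# Constructed (assumption about CA output, not verified on IOS): FQDN in the
# CN, plus DNS and IP entries in subjectAltName. Uses the hosts-file entry
# from this thread: 10.20.10.110 router1.3node.example.com router1
CERT_WITH_SAN = {
    "subject": ((("commonName", "router1.3node.example.com"),),),
    "subjectAltName": (
        ("DNS", "router1.3node.example.com"),
        ("IP Address", "10.20.10.110"),
    ),
}


def _dns_match(pattern, host):
    """Case-insensitive DNS-ID match; one leading '*.' label is allowed."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        # Wildcard covers exactly one label: a.example.com, not a.b.example.com
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return pattern == host


def cert_matches(cert, target):
    """True if `target` (a DNS name or an IP literal) is a name this cert vouches for."""
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is matched only against iPAddress SAN entries. An IP
        # that appears in the subject DN (or CN) does not count.
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in san)
    dns_names = [v for k, v in san if k == "DNS"]
    if dns_names:
        # Once any DNS SAN is present, the CN is ignored entirely.
        return any(_dns_match(p, target) for p in dns_names)
    # Legacy fallback: no DNS SAN, so the CN is consulted.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(cn, target) for cn in cns)


if __name__ == "__main__":
    for name, cert in (("CN-only cert", CERT_CN_ONLY), ("cert with SAN", CERT_WITH_SAN)):
        for target in ("router1", "router1.3node.example.com", "10.20.10.110"):
            print(f"{name:14} dial {target:28} -> {cert_matches(cert, target)}")
```

Python's own `ssl.create_default_context(cafile="nerootca.pem")` with `check_hostname=True` enforces the same rules, so the working combination is to pin the exported CA and dial exactly the name (or IP) that the certificate carries, with DNS or /etc/hosts resolving that name to the network element.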

Subject: RE: transport type tls disable-remotecert-validation
Replied by: Joseph Clarke on 13-01-2014 10:43:45 AM
Yeah, it's tricky to be certain.  It all depends on what the fields in your cert are (i.e., subject, subjectAltName, etc.) and what is configured in DNS/hosts file.  Here is a walkthrough our Technical Marketing Engineers have been working on.  I used this prior to us making the AiO VM easier to use with TLS, so it should work.

Note: it does require you to add the IP address to the cert.  And for hostname validation, make sure the router's hostname and FQDN are either in DNS or the local machine's local hosts file.  For example, in my /etc/hosts file, I have:

10.20.10.110    router1.3node.example.com router1

This walkthrough will show an end to end example of setting up TLS for onepk.  This example will contain a single end host and network element.  The network element will act as the CA Server as well.  No client side certifications will be used.
 
Quick Look / Ingredients:
 
Network Element - 2951 running 15.4T  - hostname oliver.example.com
CA Server running directly on Network Element
Linux End host server running all in one vm: 1.0.1.107
onePK C, Java, and Python sdk:  1.0.1.107
HelloNetwork sample application for C or Java.
BaseTutorial.py for python.
 
 
Pre-Checks:
 
    Ensure the clocks date and time on both the network element and end host (Linux) server match.  
    Clock skew can cause frustrating set up issues which can be challenging to debug.
 
    Ensure the hostname and domain name of the network element are set.  
    In this sample I will use the following configuration on the network element:
            hostname oliver
            ip domain-name example.com
 
    Ensure there are no access lists which will block the network element from contacting
    itself for the connection to the CA Server.  
    The CA Server is contacted at http://<ip address of network element>:80
 
 
Walkthrough:
 
Network Element Side:
 
We will start on the network element side to set up the on device CA Server and trustpoint information:
 
oliver#config t
Enter configuration commands, one per line.  End with CNTL/Z.
oliver(config)#ip http server
oliver(config)#crypto pki server onepkCA
oliver(cs-server)#database level minimum
oliver(cs-server)#grant auto
 
*Nov  8 22:52:56.514: %PKI-6-CS_GRANT_AUTO: All enrollment requests will be automatically grant   
 
oliver(cs-server)#no shut
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password: 
 
Re-enter password: 
% Generating 1024 bit RSA keys, keys will be non-exportable...
(elapsed time was 0 seconds)
 
% Certificate Server enabled.
 
*Nov  8 22:53:42.518: %PKI-6-CS_ENABLED: Certificate server now enabled.
 
oliver(cs-server)#crypto pki trustpoint onepkTP
oliver(ca-trustpoint)#enrollment url http://10.10.10.28
oliver(ca-trustpoint)#subject-name CN=oliver.cisco.com
oliver(ca-trustpoint)#exit
oliver(config)#crypto pki authenticate onepkTP
Certificate has the following attributes:
       Fingerprint MD5: A1A1046A 3E35C904 242FE8D0 C37B376F 
      Fingerprint SHA1: 939234BD 85F1B8D9 827B97D9 11AE6B75 B51EC05F 
 
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
 
oliver(config)#crypto pki enroll onepkTP
%
% Start certificate enrollment .. 
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.
 
 
*Nov  8 22:58:36.456: %CRYPTO-6-AUTOGEN: Generated new 512 bit key pair
 
Password:
Re-enter password: 
 
% The subject name in the certificate will include: oliver.cisco.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? : yes
Enter Interface name or IP Address[]: 10.10.10.28
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose onepkTP' command will show the fingerprint.
 
*Nov  8 22:58:59.840: CRYPTO_PKI:  Certificate Request Fingerprint MD5: 4EFA5301 703E57E9 7A58DDED 152B75D4 
*Nov  8 22:58:59.840: CRYPTO_PKI:  Certificate Request Fingerprint SHA1: 2122DEC4 4DF8F44E D3375CCE A70F1623 BA56898B 
*Nov  8 22:59:02.672: %PKI-6-CERTRET: Certificate received from Certificate Authority
 
oliver(config)#crypto pki export onepkCA pem terminal
% The specified trustpoint is not enrolled (onepkCA).
% Only export the CA certificate in PEM format.
% CA certificate:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
 
oliver(config)#onep
oliver(config-onep)#$transport type tls localcert onepkTP disable-remotecert-validation 
oliver(config-onep)#end
oliver#
 
 
At this point the Network Element is now configured to be the CA Server, it has set up
certificates for onepkCA, and has enabled onePK to accept the certificate.  
 
 
End Host (Linux) Side:
 
 
This section is split into three parts, one for each of the programming languages supported.   We will run through an end host example for C, Python, and Java.
 
 
C Example:
 
Now you will want to take the output of "crypto pki export onepkCA pem terminal" and
copy it to your end host (Linux) machine into a file called nerootca.pem.
 
I will be running the application HelloNetwork from the sdk.  In my Linux environment this is located at
/home/cisco/onePK-sdk-1.0.1.107/c64/sample-apps/HelloNetwork
 
This is where I created the file nerootca.pem.
 
Notice the contents of the file match the output of "crypto pki export onepkCA pem terminal" above:
 
 
 
Since we are not using client side certifications this is all we need to run the application.  We have already compiled the application, and
will run it now.  The application assumes nerootca.pem is located in the same directory from where the application is run.  The ip address
of my network element is 10.10.10.28:
 
 
 
The connection was successful, and the application ran to completion.
 
 
 
Python Example:
 
Now you will want to take the output of "crypto pki export onepkCA pem terminal" and
copy it to your end host (Linux) machine into a file called nerootca.pem.
 
I will be running the application from the python sdk samples.  In my Linux environment this is located at
/home/cisco/onePK-sdk-1.0.1.107/python/tutorials/
 
This is where I created the file nerootca.pem.
 
Notice the contents of the file match the output of "crypto pki export onepkCA pem terminal" above:
 
 
  
Since we are not using client side certifications this is all we need to run the application.  We have already compiled the application, and
will run it now.  The application assumes nerootca.pem is located in the same directory from where the application is run.  The ip address
of my network element is 10.10.10.28:
 
   
 
The connection was successful, and the application ran to completion.
 
 
Java Example:
 
Now you will want to take the output of "crypto pki export onepkCA pem terminal" and
copy it to your end host (Linux) machine into a file called nerootca.pem.
 
 
I will be running the java application HelloNetwork from the sdk.  In my Linux environment this is located at
/home/cisco/onePK-sdk-1.0.1.107/java/sample-apps/HelloNetwork
 
This is where I created the file nerootca.pem.
 
The contents of nerootca.pem matches the output of "crypto pki export onepkCA pem terminal" above.
 
Maven is used to compile java samples from the command line.  To compile the application for maven run:
mvn clean install
 
When using TLS with Java a keystore is needed to save the certificate information.  To create the keystore for this
example run:
 
/usr/bin/keytool -import -alias onepkCA -file nerootca.pem -keystore truststore.jks
 
You will be prompted for a password.  This password will be used later when you run the application.  In 
this example I am using the password "lab12345".
 
We can now run the application from the command line using  "mvn exec:java".  We will use -D to pass
in necessary arguments to the application.  Here is the complete run line:
 
cd /home/cisco/onePK-sdk-1.0.1.107/java/sample-apps/HelloNetwork
mvn exec:java -Dexec.args="-a 10.10.10.28" -Djavax.net.ssl.trustStore="./truststore.jks" -Djavax.net.ssl.trustStorePassword=lab12345
 
-Dexec.args is used to indicate which network element we want to connect to.
-Djavax.net.ssl.trustStore points to where the trust store file was set up.
-Djavax.net.ssl.trustStorePassword is the password that we used when we ran the keytool command above.
 
The resulting output is:
  
 
The application has connected, and results are as expected.  
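A check a practitioner would want for the "crypto pki export onepkCA pem terminal" / nerootca.pem step, added here and not part of the walkthrough or of the onePK SDK: the MD5 and SHA1 fingerprints the router prints at `crypto pki authenticate onepkTP` (SHA1 939234BD 85F1B8D9 827B97D9 11AE6B75 B51EC05F in the transcript above) are those of the CA certificate, so the PEM copied to the end host can be hashed locally and compared before it is trusted; a mangled paste or a substituted certificate shows up as a mismatch. Only the Python standard library is used. The `SAMPLE_PEM` in the block is a constructed stand-in around a few bytes, not a real certificate (the real PEM body is elided on this page), and `nerootca.pem` is read only if it exists in the working directory.

```python
"""Compare nerootca.pem with the CA fingerprints the router printed.

Added example, not from the walkthrough or the onePK SDK. The router's
'crypto pki authenticate' step prints MD5 and SHA1 fingerprints of the CA
certificate; the PEM in nerootca.pem encodes the same DER bytes, so the two
can be compared out of band before the end host trusts the file.
"""
import hashlib
import os
import ssl

# SHA1 fingerprint the router printed in the walkthrough above.
ROUTER_SHA1 = "939234BD 85F1B8D9 827B97D9 11AE6B75 B51EC05F"

# Constructed stand-in: a PEM wrapper around the bytes b"hello". NOT a real
# certificate; it only exercises the decode/hash/format path. Replace with
# the real nerootca.pem contents when running for real.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "aGVsbG8=\n"
    "-----END CERTIFICATE-----\n"
)


def ios_fingerprint(digest_hex):
    """Lay out a hex digest the way IOS prints it: uppercase, 8-char groups."""
    hexdigest = digest_hex.upper()
    return " ".join(hexdigest[i:i + 8] for i in range(0, len(hexdigest), 8))


def pem_fingerprints(pem_text):
    """MD5 and SHA1 fingerprints (IOS layout) of the DER inside a PEM certificate."""
    # ssl.PEM_cert_to_DER_cert strips the BEGIN/END markers and base64-decodes.
    # It requires the header at offset 0 and raises ValueError if either
    # marker is missing, which is exactly what a mangled paste looks like.
    der = ssl.PEM_cert_to_DER_cert(pem_text.strip())
    return {
        "MD5": ios_fingerprint(hashlib.md5(der).hexdigest()),
        "SHA1": ios_fingerprint(hashlib.sha1(der).hexdigest()),
    }


def matches_router(pem_text, router_sha1):
    """True if the PEM's SHA1 fingerprint equals the one the router printed.

    Whitespace and case are ignored so a console line can be pasted as-is.
    SHA1 is what is compared; MD5 is computed only because IOS still prints it.
    """
    def norm(s):
        return s.replace(" ", "").upper()
    return norm(pem_fingerprints(pem_text)["SHA1"]) == norm(router_sha1)


if __name__ == "__main__":
    path = "nerootca.pem"
    pem = open(path).read() if os.path.exists(path) else SAMPLE_PEM
    fps = pem_fingerprints(pem)
    print("file   MD5 :", fps["MD5"])
    print("file   SHA1:", fps["SHA1"])
    print("router SHA1:", ROUTER_SHA1)
    print("match      :", matches_router(pem, ROUTER_SHA1))
```

Run it in the directory that holds nerootca.pem (the HelloNetwork or tutorials directory in the walkthrough); the comparison must come out True before the file is handed to the application or imported into the Java truststore with keytool.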
 