Configuring NISH security
This chapter provides an example of a NISH security configuration. The NISH client and the NISH manager use gRPC, which operates over the HTTP2 transport and can make use of TLS encryption. The default gRPC TCP port is 57400.
To use TLS, the following certificates and keys are required:
-
Certificate Authority (CA) certificate
-
Node certificate that contains all DNS names and IP addresses present on the nodes that are used to manage the device
-
Node certificate key
-
NISH manager certificate that contains all DNS names and IP addresses to which all NISH manager processes are bound
-
NISH manager certificate key
All certificates must be signed by the provided Certificate Authority.
To start the NISH client in TLS mode, add the -t flag or --ca-cert option followed by the relative or absolute path to the CA certificate file; for example, cacert.pem.
To start the NISH manager in TLS mode, add the following flags or options:
-
-k or --server-cert, followed by the relative or absolute path to the NISH manager certificate file; for example, nish_manager_cert.pem
-
-K or --server-key, followed by the relative or absolute path to the NISH manager certificate key file; for example, nish_manager_key.pem
-
-t or --ca-cert, followed by the relative or absolute path to the CA certificate file; for example, cacert.pem
The certificates must be copied in the SR OS nodes to successfully establish a secured connection.
The following procedure is an example of how to install the certificates for use with the NISH client and the NISH manager. The example commands in the procedure assume the following filenames for the certificates:
-
node_cert.pem for the node certificate
-
node_key.pem for the node certificate key
-
cacert.pem for the CA certificate
The following are example steps for NISH security configuration:
- Copy the SR OS node certificate, the node certificate key, and the CA certificate to the SR OS node.
-
Import the certificates into the SR OS certificate manager.
admin system security pki import type certificate input-url c3:/node_cert.pem output-file node.cert format pem admin system security pki import type key input-url cf3:/node_key.pem output-file node.key format pem admin system security pki import type certificate input-url cf3:/cacert.pem output-file cacert.pem format pem
-
Configure the certificate profile.
configure system security tls cert-profile "grpc_cert_profile" admin-state enable configure system security tls cert-profile "grpc_cert_profile" entry 1 certificate-file "node.cert" configure system security tls cert-profile "grpc_cert_profile" entry 1 key-file "node.key"
-
Configure the TLS cipher list.
configure system security tls server-cipher-list "all" { } configure system security tls server-cipher-list "all" cipher 1 name tls-rsa-with3des-ede-cbc-sha configure system security tls server-cipher-list "all" cipher 2 name tls-rsa-with-aes128-cbc-sha configure system security tls server-cipher-list "all" cipher 3 name tls-rsa-with-aes128-cbc-sha256 configure system security tls server-cipher-list "all" cipher 4 name tls-rsa-with-aes256-cbc-sha configure system security tls server-cipher-list "all" cipher 5 name tls-rsa-with-aes256-cbc-sha256
-
Configure the TLS server profile.
configure system security tls server-tls-profile "grpc_tls_profile" admin-state enable configure system security tls server-tls-profile "grpc_tls_profile" cert-profile "grpc_cert_profile" configure system security tls server-tls-profile "grpc_tls_profile" cipher-list "all"
-
Configure the client certificate.
configure system security pki ca-profile "ca" admin-state enable configure system security pki ca-profile "ca" cert-file "cacert.pem" configure system security pki ca-profile "ca" revocation-check crl-optional configure system security tls trust-anchor-profile "grpc_ca" { } configure system security tls trust-anchor-profile "grpc_ca" { trust-anchor "ca"}
-
Configure the client cipher list.
configure system security tls client-cipher-list "all" { } configure system security tls client-cipher-list "all" cipher 1 name tls-rsa-with3des-ede-cbc-sha configure system security tls client-cipher-list "all" cipher 2 name tls-rsa-with-aes128-cbc-sha configure system security tls client-cipher-list "all" cipher 3 name tls-rsa-with-aes128-cbc-sha256 configure system security tls client-cipher-list "all" cipher 4 name tls-rsa-with-aes256-cbc-sha configure system security tls client-cipher-list "all" cipher 5 name tls-rsa-with-aes256-cbc-sha256
-
Configure the client TLS profile.
configure system security tls client-tls-profile "grpc_tls_client_profile" → admin-state enable configure system security tls client-tls-profile "grpc_tls_client_profile" → cipher-list "all" configure system security tls client-tls-profile "grpc_tls_client_profile" → trust-anchor-profile "grpc_ca"
-
Enable TLS protection for gRPC.
configure system grpc tls-server-profile "grpc_tls_profile"
-
Enable TLS protection for the remote management service (or per manager).
configure system management-interface remote-management client-tls-profile "grpc_tls_client_profile"