5. Security

The NISH client and the NISH manager use gRPC, which operates over the HTTP/2 transport and can make use of TLS encryption. The default gRPC TCP port is 57400.

To use TLS, the following certificates and keys are required:

  1. Certificate Authority (CA) certificate
  2. Node certificate that contains all DNS names and IP addresses present on the nodes that are used to manage the device
  3. Node certificate key
  4. NISH manager certificate that contains all DNS names and IP addresses to which all NISH manager processes are bound
  5. NISH manager certificate key

Note:

  1. The use of TLS is strongly recommended for all operational deployments. In lab environments, the NISH client and NISH managers can operate without TLS.
  2. All certificates must be signed by the provided Certificate Authority.
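As an added example, not part of the NISH documentation, the following script checks a certificate set against the requirements above before it is copied to the nodes: it builds a constructed CA, a node certificate and a NISH manager certificate with OpenSSL, then verifies that each certificate is signed by the single CA, that the key belongs to the certificate, and that the required DNS names and IP addresses are present in the subject alternative names. The host names, addresses and file names are assumed.

```shell
# Added example, not from the NISH documentation: constructed CA, node and
# manager certificates, then a check of each against the requirements above.
set -eu
WORK=$(mktemp -d)

# Self-signed CA: the single CA that must sign every other certificate.
gen_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=nish-lab-ca" \
    -keyout "$WORK/ca_key.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

# gen_cert NAME SANS: key and CSR, then a CA-signed certificate carrying SANS
# (openssl config form, e.g. "DNS:node1.lab.example,IP:192.0.2.10").
gen_cert() {
  name=$1; sans=$2
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/${name}_key.pem" -out "$WORK/$name.csr" 2>/dev/null
  printf 'subjectAltName=%s\n' "$sans" >"$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/cacert.pem" \
    -CAkey "$WORK/ca_key.pem" -CAcreateserial -days 365 \
    -extfile "$WORK/$name.ext" -out "$WORK/${name}_cert.pem" 2>/dev/null
}

# check_cert CERT KEY SAN...: returns 0 when CERT is signed by cacert.pem, KEY
# matches CERT, and every SAN (as openssl prints it, e.g. "DNS:node1.lab.example"
# or "IP Address:192.0.2.10") is present; 1 = not signed by the CA,
# 2 = key mismatch, 3 = a required name or address is missing.
check_cert() {
  cert=$1; key=$2; shift 2
  openssl verify -CAfile "$WORK/cacert.pem" "$cert" >/dev/null 2>&1 || return 1
  [ "$(openssl x509 -noout -pubkey -in "$cert")" = \
    "$(openssl pkey -pubout -in "$key")" ] || return 2
  sans=$(openssl x509 -noout -ext subjectAltName -in "$cert")
  for want in "$@"; do
    case "$sans" in *"$want"*) ;; *) return 3 ;; esac
  done
  return 0
}

gen_ca
gen_cert node "DNS:node1.lab.example,IP:192.0.2.10"       # names used to manage the node
gen_cert manager "DNS:nish-mgr.lab.example,IP:192.0.2.20" # addresses the manager binds to
# A self-signed certificate stands in for one signed by a different CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=rogue" \
  -keyout "$WORK/rogue_key.pem" -out "$WORK/rogue_cert.pem" 2>/dev/null
rc=0; check_cert "$WORK/node_cert.pem" "$WORK/node_key.pem" \
  "DNS:node1.lab.example" "IP Address:192.0.2.10" || rc=$?
echo "node certificate: rc=$rc"
```

Run the same check against the real node and manager certificates with the DNS names and addresses that will actually be used; a non-zero code points at the requirement that is not met.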

To start the NISH client in TLS mode, add the -t or --ca-cert flag followed by the relative or absolute path to the CA certificate file; for example, cacert.pem.

Note:

A single CA certificate is supported.

To start the NISH manager in TLS mode, add the following flags:

  1. -k or --server-cert, followed by the relative or absolute path to the NISH manager certificate file; for example, nish_manager_cert.pem
  2. -K or --server-key, followed by the relative or absolute path to the NISH manager certificate key file; for example, nish_manager_key.pem
  3. -t or --ca-cert, followed by the relative or absolute path to the CA certificate file; for example, cacert.pem

The certificates must be copied to the SR OS nodes to successfully establish a secured connection.

Note:

For more information about TLS and certificates, refer to the 7450 ESS, 7750 SR, 7950 XRS, and VSR System Management Guide.

The following procedure is an example of how to install the certificates for use with the NISH client and the NISH manager. The example commands in the procedure assume the following filenames for the certificates:

  1. node_cert.pem for the node certificate
  2. node_key.pem for the node certificate key
  3. cacert.pem for the CA certificate

Note:

When installing certificates, operators must use commands appropriate for their encryption environment.

  1. Copy the SR OS node certificate, the node certificate key, and the CA certificate to the SR OS node.

  2. Import the certificates into the SR OS certificate manager:
    //admin certificate import type cert input cf3:/node_cert.pem output node.cert format pem
    //admin certificate import type key input cf3:/node_key.pem output node.key format pem
    //admin certificate import type cert input cf3:/cacert.pem output cacert.pem format pem

    Note:

    The // prefix denotes that these SR OS commands are executed in the classic CLI environment.

  3. Configure the certificate profile:
    /configure system security tls cert-profile "grpc_cert_profile" admin-state enable
    /configure system security tls cert-profile "grpc_cert_profile" entry 1 certificate-file "node.cert"
    /configure system security tls cert-profile "grpc_cert_profile" entry 1 key-file "node.key"

  4. Configure the TLS cipher list:
    /configure system security tls server-cipher-list "all" { }
    /configure system security tls server-cipher-list "all" cipher 1 name tls-rsa-with3des-ede-cbc-sha
    /configure system security tls server-cipher-list "all" cipher 2 name tls-rsa-with-aes128-cbc-sha
    /configure system security tls server-cipher-list "all" cipher 3 name tls-rsa-with-aes128-cbc-sha256
    /configure system security tls server-cipher-list "all" cipher 4 name tls-rsa-with-aes256-cbc-sha
    /configure system security tls server-cipher-list "all" cipher 5 name tls-rsa-with-aes256-cbc-sha256

  5. Configure the TLS server profile:
    /configure system security tls server-tls-profile "grpc_tls_profile" admin-state enable
    /configure system security tls server-tls-profile "grpc_tls_profile" cert-profile "grpc_cert_profile"
    /configure system security tls server-tls-profile "grpc_tls_profile" cipher-list "all"

  6. Configure the CA profile and the trust anchor used to validate the client certificate:
    /configure system security pki ca-profile "ca" admin-state enable
    /configure system security pki ca-profile "ca" cert-file "cacert.pem"
    /configure system security pki ca-profile "ca" revocation-check crl-optional
    /configure system security tls trust-anchor-profile "grpc_ca" { }
    /configure system security tls trust-anchor-profile "grpc_ca" { trust-anchor "ca" }

  7. Configure the client cipher list:
    /configure system security tls client-cipher-list "all" { }
    /configure system security tls client-cipher-list "all" cipher 1 name tls-rsa-with3des-ede-cbc-sha
    /configure system security tls client-cipher-list "all" cipher 2 name tls-rsa-with-aes128-cbc-sha
    /configure system security tls client-cipher-list "all" cipher 3 name tls-rsa-with-aes128-cbc-sha256
    /configure system security tls client-cipher-list "all" cipher 4 name tls-rsa-with-aes256-cbc-sha
    /configure system security tls client-cipher-list "all" cipher 5 name tls-rsa-with-aes256-cbc-sha256

  8. Configure the client TLS profile:
    /configure system security tls client-tls-profile "grpc_tls_client_profile" admin-state enable
    /configure system security tls client-tls-profile "grpc_tls_client_profile" cipher-list "all"
    /configure system security tls client-tls-profile "grpc_tls_client_profile" trust-anchor-profile "grpc_ca"

  9. Enable TLS protection for gRPC:
    /configure system grpc tls-server-profile "grpc_tls_profile"

  10. Enable TLS protection for the Remote Manager service (or per manager):
    /configure system management-interface remote-management client-tls-profile "grpc_tls_client_profile"