Configuring NISH security

Prerequisites

This chapter provides an example of a NISH security configuration. The NISH client and the NISH manager use gRPC, which operates over the HTTP2 transport and can make use of TLS encryption. The default gRPC TCP port is 57400.

To use TLS, the following certificates and keys are required:

Certificate Authority (CA) certificate
Node certificate that contains all DNS names and IP addresses present on the nodes that are used to manage the device
Node certificate key
NISH manager certificate that contains all DNS names and IP addresses to which all NISH manager processes are bound
NISH manager certificate key

Note: The use of TLS is strongly recommended for all operational deployments. In lab environments, the NISH client and NISH managers can operate without TLS.

All certificates must be signed by the provided Certificate Authority.

To start the NISH client in TLS mode, add the -t flag or --ca-cert option followed by the relative or absolute path to the CA certificate file; for example, cacert.pem.

Note: A single CA certificate is supported.

To start the NISH manager in TLS mode, add the following flags or options:

-k or --server-cert, followed by the relative or absolute path to the NISH manager certificate file; for example, nish_manager_cert.pem
-K or --server-key, followed by the relative or absolute path to the NISH manager certificate key file; for example, nish_manager_key.pem
-t or --ca-cert, followed by the relative or absolute path to the CA certificate file; for example, cacert.pem

The certificates must be copied in the SR OS nodes to successfully establish a secured connection.

Note: See the 7450 ESS, 7750 SR, 7950 XRS, and VSR System Management Guide for more information about TLS and certificates.

The following procedure is an example of how to install the certificates for use with the NISH client and the NISH manager. The example commands in the procedure assume the following filenames for the certificates:

node_cert.pem for the node certificate
node_key.pem for the node certificate key
cacert.pem for the CA certificate

Note: When installing certificates, operators must use commands appropriate for their encryption environment.

The following are example steps for NISH security configuration:

Procedure

Copy the SR OS node certificate, the node certificate key, and the CA certificate to the SR OS node.

Import the certificates into the SR OS certificate manager:

//admin certificate import type cert input cf3:/node_cert.pem 
# output node.cert format pem
//admin certificate import type key input cf3:/node_key.pem 
# output node.key format pem
//admin certificate import type cert input cf3:/cacert.pem  
# output cacert.pem format pem

Note: The // denotes that these SR OS commands are executed in the classic CLI environment.

Configure the certificate profile:

/configure system security tls cert-profile "grpc_cert_profile" admin-state enable
/configure system security tls cert-profile "grpc_cert_profile" entry 1
# certificate-file "node.cert"
/configure system security tls cert-profile "grpc_cert_profile" entry 1 
# key-file "node.key"

Configure the TLS cipher list:

/configure system security tls server-cipher-list "all" { }
/configure system security tls server-cipher-list "all" cipher 1 name 
# tls-rsa-with3des-ede-cbc-sha
/configure system security tls server-cipher-list "all" cipher 2 name
# tls-rsa-with-aes128-cbc-sha
/configure system security tls server-cipher-list "all" cipher 3 name 
# tls-rsa-with-aes128-cbc-sha256
/configure system security tls server-cipher-list "all" cipher 4 name
# tls-rsa-with-aes256-cbc-sha
/configure system security tls server-cipher-list "all" cipher 5 name 
# tls-rsa-with-aes256-cbc-sha256

Configure the TLS server profile:

/configure system security tls server-tls-profile "grpc_tls_profile" 
# admin-state enable
/configure system security tls server-tls-profile "grpc_tls_profile" 
# cert-profile "grpc_cert_profile"
/configure system security tls server-tls-profile "grpc_tls_profile" 
# cipher-list "all"

Configure the client certificate:

/configure system security pki ca-profile "ca" admin-state enable
/configure system security pki ca-profile "ca" cert-file "cacert.pem"
/configure system security pki ca-profile "ca" revocation-check crl-optional
/configure system security tls trust-anchor-profile "grpc_ca" { }
/configure system security tls trust-anchor-profile "grpc_ca" { trust-anchor "ca"}

Configure the client cipher list:

/configure system security tls client-cipher-list "all" { }
/configure system security tls client-cipher-list "all" cipher 1 name 
# tls-rsa-with3des-ede-cbc-sha
/configure system security tls client-cipher-list "all" cipher 2 name 
# tls-rsa-with-aes128-cbc-sha
/configure system security tls client-cipher-list "all" cipher 3 name  
# tls-rsa-with-aes128-cbc-sha256
/configure system security tls client-cipher-list "all" cipher 4 name 
# tls-rsa-with-aes256-cbc-sha
/configure system security tls client-cipher-list "all" cipher 5 name 
# tls-rsa-with-aes256-cbc-sha256

Configure the client TLS profile:

/configure system security tls client-tls-profile "grpc_tls_client_profile" →
admin-state enable
/configure system security tls client-tls-profile "grpc_tls_client_profile" →
cipher-list "all"
/configure system security tls client-tls-profile "grpc_tls_client_profile" →
trust-anchor-profile "grpc_ca"

Enable TLS protection for gRPC:

/configure system grpc tls-server-profile "grpc_tls_profile"

Enable TLS protection for the Remote Manager service (or per manager):

/configure system management-interface remote-management client-tls-profile 
# "grpc_tls_client_profile"