Deploying Cisco pxGrid with Certificates: CA (Certificate Authority)-Signed pxGrid Client and Self-Signed ISE pxGrid Node Certificate
Contents

About This Document
Introduction
Certificate Configuration Example
    Self-Signed ISE pxGrid Node Certificate and pxGrid Persona Configuration
    pxGrid Client Certificate Configuration
Testing the pxGrid Client and ISE pxGrid Node
Viewing Keystore Entries
Troubleshooting
About This Document

This document describes the configuration steps required to configure a pxGrid client with a certificate signed by a CA authority, and the ISE pxGrid node with an ISE self-signed certificate. It is intended for Cisco field engineers, technical marketing engineers, partners and customers deploying Cisco pxGrid. Readers should also be familiar with pxGrid; those who are not should refer to Configure_and_Test_Integration_with_Cisco_pxGrid.pdf:

http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/howto-84-Configure_and_Test_Integration_with_Cisco_pxGrid.pdf

Obtain the pxGrid SDK from your Cisco account team. Cisco ISE (Identity Services Engine) 1.3 is assumed to be installed. A Mac running OS X 10.8.5 is used as the pxGrid client; a Linux OS can also be used. The pxGrid client requires Oracle Java Development Kit 7 or 8.

The Deploying pxGrid with Certificates series contains two other documents:

- Using CA-signed certificates on the ISE pxGrid node and the pxGrid client
- Using self-signed certificates on the ISE pxGrid node and the ISE pxGrid client
Introduction

This section details the CA-signed certificate configuration for the pxGrid client and the ISE pxGrid node in an ISE standalone deployment. In this case the pxGrid client can carry a certificate signed by a public CA such as Entrust. The custom pxgrid template carries the EKU (Enhanced Key Usage) ISO-defined OIDs (object identifiers) for both client authentication (1.3.6.1.5.5.7.3.2) and server authentication (1.3.6.1.5.5.7.3.1). The ISE pxGrid node carries the self-signed ISE identity certificate in the ISE trusted certificate store.

Microsoft Enterprise CA 2008 R2 is used as the CA authority that signs the pxGrid client's certificate. The CA root certificate of the Microsoft CA authority is added to the ISE trusted certificate store, and the ISE public certificate is added to the pxGrid client's keystore. When the pxGrid client connects to the ISE pxGrid node, both public certificates are trusted for SASL (Simple Authentication and Security Layer), and the pxGrid connection succeeds.

The following diagram shows the certificate flow.
Certificate Configuration Example

The following shows the example certificates used in this document.

Self-Signed ISE pxGrid Node Certificate and pxGrid Persona Configuration

In this example the ISE self-signed certificate is imported into the ISE trusted certificate store. Once the ISE identity certificate is in the trusted certificate store, the pxGrid persona can be enabled on the ISE node and the node changed to Primary. The published node appears in the pxGrid Services view.

Step 1. Export the self-signed ISE identity certificate and save it as a .pem file. Go to Administration -> System -> Certificates, then select the ISE identity certificate -> Export (public key only).
Step 2. Import the saved ISE .pem file into the ISE trusted certificate store. Go to Administration -> System -> Certificates -> Trusted Certificates -> Browse, upload the file and click Submit. The imported ISE trusted certificate is displayed.
Step 3. Download the CA root certificate, upload it into the ISE trusted certificate store, and select the option to trust it for ISE communications. Go to Administration -> System -> Certificates -> Trusted Certificates -> Import and upload the CA root certificate.

Step 4. Enable the pxGrid persona on ISE. Go to Administration -> System -> Deployment -> Enable pxGrid, change the role to Primary and click Save.

Note: Changing the role to Primary is not mandatory.
Step 5. Verify that the published services have started: Administration -> pxGrid Services.

Note: There may be a delay before the ISE publishing node appears. The certificates must be installed before the pxGrid persona is enabled.

pxGrid Client Certificate Configuration

This section walks step by step through creating the pxGrid client's own certificate. Once the certificate public/private key pair has been generated, a PKCS12 file is created from the private key, self2.key. The PKCS12 file is imported into the identity keystore, self1.jks. This identity keystore and its password serve as the keystorefilename and keystorepassword in the pxGrid scripts. The pxGrid client certificate, self2.cer, is also added to the identity keystore. The ISE identity certificate, isemnt, which is required for bulk session downloads, and the CA root certificate are both added to the trust keystore, root.jks. This trust keystore and its password serve as the truststorefilename and truststorepassword in the pxGrid scripts.

Step 1. Generate a private key (e.g. self2.key) for the pxGrid client.

    openssl genrsa -out self2.key 4096
    Generating RSA private key, 4096 bit long modulus
    ...++
    ......++
    e is 65537 (0x10001)

Step 2. Generate a CSR (e.g. self2.csr) for the CA authority. Provide a challenge password (e.g. cisco123).
    openssl req -new -key self2.key -out self2.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:
    State or Province Name (full name) [Some-State]:
    Locality Name (eg, city) []:
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (e.g. server FQDN or YOUR name) []:
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:cisco123
    An optional company name []:Eppich,Inc

Note: Keep the same password throughout this document; it is easier to maintain and cuts down on errors.

Step 3. The CA authority must support user certificates issued from a custom template (e.g. pxgrid) that contains the EKU (Enhanced Key Usage) ISO-defined OIDs (object identifiers) for client authentication and server authentication.

Note: The pxgrid template is created on the CA authority. It is a duplicate of the User template and uses the Windows 2003 format so that the template appears in the Certificate Template drop-down menu. Both the Client Authentication and Server Authentication EKUs were added to the template.

Step 4. Create the pxGrid client PKCS12 file (self2.p12) from the private key and the pxGrid client certificate (e.g. self2.cer); it is used for keystore management. Include the CA root file (e.g. ca_root.cer).
    openssl pkcs12 -export -out self2.p12 -inkey self2.key -in self2.cer -chain -CAfile ca_root.cer
    Enter Export Password: cisco123
    Verifying - Enter Export Password: cisco123
    Johns-MacBook-Pro:pxGridsdk jeppich$

Note: cisco123 is the password used throughout this document.

Step 5. Create the pxGrid client identity keystore (e.g. self2.jks). This serves as the keystorefilename and associated keystorepassword in the pxGrid script examples.

    keytool -importkeystore -srckeystore self2.p12 -destkeystore self2.jks -srcstoretype PKCS12
    Enter destination keystore password: cisco123
    Re-enter new password: cisco123
    Enter source keystore password: cisco123
    Entry for alias 1 successfully imported.
    Import command completed: 1 entries successfully imported, 0 entries failed or cancelled

Step 6. Export only the public ISE identity certificate to the pxGrid client, in .pem format. The .pem file can be renamed to something more readable; in this example it was renamed isemnt.pem.

Step 7. Convert the .pem file to .der format.

    openssl x509 -outform der -in isemnt.pem -out isemnt.der

Step 8. Add the ISE identity certificate to the trust keystore (e.g. root.jks). This becomes the truststorefilename and associated truststorepassword used in the pxGrid scripts.
    keytool -import -alias mnt -keystore root.jks -file isemnt.der
    Enter keystore password: cisco123
    Re-enter new password: cisco123
    Owner: CN=ise.lab6.com
    Issuer: CN=ise.lab6.com
    Serial number: 548502f500000000ec27e53c1dd64f46
    Valid from: Sun Dec 07 17:46:29 PST 2014 until: Mon Dec 07 17:46:29 PST 2015
    Certificate fingerprints:
        MD5:  04:7D:67:04:EC:D2:F5:BC:DC:79:4D:0A:FF:62:09:FD
        SHA1: 5A:7B:02:E4:07:A1:D2:0B:7D:A5:AE:83:27:3B:E7:33:33:30:1E:32
        SHA256: C4:21:6C:6F:5B:06:F3:2C:D7:26:35:CB:BE:2B:1B:FF:0E:EE:09:91:F6:B6:54:0C:6F:63:CB:43:1F:77:F2:37
        Signature algorithm name: SHA1withRSA
        Version: 3
    Extensions:

    #1: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
      CA:true
      PathLen:2147483647
    ]

    #2: ObjectId: 2.5.29.37 Criticality=false
    ExtendedKeyUsages [
      serverAuth
      clientAuth
    ]

    #3: ObjectId: 2.5.29.15 Criticality=false
    KeyUsage [
      DigitalSignature
      Key_Encipherment
      Key_Agreement
      Key_CertSign
    ]

    #4: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
    NetscapeCertType [
       SSL server
    ]

    #5: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: C4 F3 1A 9E 7B 1B 14 4F   51 9E A4 88 33 07 7A AC  .......OQ...3.z.
    0010: 75 37 36 D4                                        u76.
    ]
    ]

    Trust this certificate? [no]:  yes
    Certificate was added to keystore
    Johns-MacBook-Pro:pxGridsdk jeppich$

Step 9. Import the pxGrid client certificate into the identity keystore.

    keytool -import -alias pxgridclient -keystore self2.jks -file self2.cer
    Enter keystore password: cisco123
    Certificate already exists in keystore under alias <1>
    Do you still want to add it? [no]:  no
    Certificate was not added to keystore
Step 10. Add the CA root certificate to the trust keystore. Both certificates must reside in the trust keystore.

    keytool -import -alias root -keystore root.jks -file ca_root.cer
    Enter keystore password: cisco123
    Owner: CN=lab6-WIN-BG7GPQ053ID-CA, DC=lab6, DC=com
    Issuer: CN=lab6-WIN-BG7GPQ053ID-CA, DC=lab6, DC=com
    Serial number: 448a6d6486c91cb14c6888c127d16c4e
    Valid from: Thu Nov 13 17:47:06 PST 2014 until: Wed Nov 13 17:57:06 PST 2019
    Certificate fingerprints:
        MD5:  41:10:8A:F5:36:76:79:9C:2C:00:03:47:55:F8:CF:7B
        SHA1: 9D:DA:06:AF:06:3F:8F:5E:84:C7:F4:58:50:95:03:22:64:48:96:9F
        SHA256: DB:28:50:D6:47:CA:C0:6A:E9:7B:87:B4:0E:9C:3A:C1:A2:61:EA:D1:29:8B:45:B4:76:4B:DA:2A:F1:D8:E0:A3
        Signature algorithm name: SHA256withRSA
        Version: 3
    Extensions:

    #1: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
    0000: 02 01 00                                           ...

    #2: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
      CA:true
      PathLen:2147483647
    ]

    #3: ObjectId: 2.5.29.15 Criticality=false
    KeyUsage [
      DigitalSignature
      Key_CertSign
      Crl_Sign
    ]

    #4: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: A9 C7 8E 26 9C F5 37 0A   E6 5A 15 36 26 D4 A2 06  ...&..7..Z.6&...
    0010: 6A C8 79 2C                                        j.y,
    ]
    ]

    Trust this certificate? [no]:  yes
    Certificate was added to keystore

Step 11. Copy the identity keystore (e.g. self2.jks) and the trust keystore (e.g. root.jks) to the .../samples/bin folder.

Testing the pxGrid Client and ISE pxGrid Node

The sample pxGrid scripts register.sh and session_download.sh are run to verify the pxGrid client connection and pxGrid registration. The session download verifies that there are no problems with the ISE MnT certificate and the pxGrid client.
Step 1. Register the pxGrid client.

    ./register.sh -keystorefilename self2.jks -keystorepassword cisco123 -truststorefilename root.jks -truststorepassword cisco123 -group Session -description test -hostname 10.0.0.96 -username JohnMACbook
    ------- properties -------
    version=1.0.0
    hostnames=10.0.0.96
    username=johnmacbook
    descriptipon=test
    keystorefilename=self2.jks
    keystorepassword=cisco123
    truststorefilename=root.jks
    truststorepassword=cisco123
    --------------------------
    registering...
    connecting...
    connected.
    done registering.
    connection closed

Step 2. Run the session download.

    ./session_download.sh -keystorefilename self2.jks -keystorepassword cisco123 -truststorefilename root.jks -truststorepassword cisco123 -hostname 10.0.0.96 -username JohnMACbook
    ------- properties -------
    version=1.0.0
    hostnames=10.0.0.96
    username=johnmacbook
    keystorefilename=self2.jks
    keystorepassword=cisco123
    truststorefilename=root.jks
    truststorepassword=cisco123
    filter=null
    start=null
    end=null
    --------------------------
    connecting...
    connected.
    starting Wed Dec 10 09:55:36 PST 2014...
    session (ip=10.0.0.18, Audit Session Id=0A0000020000000B006E1086, User Name=jeppich, AD User DNS Domain=lab6.com, AD Host DNS Domain=null, AD User NetBIOS Name=LAB6, AD Host NETBIOS Name=null, Calling station id=00:0c:29:d1:8d:90, Session state=STARTED, EpsStatus=null, Security Group=null, Endpoint Profile=VMWare-Device, NAS IP=10.0.0.2, NAS Port=GigabitEthernet1/0/15, RADIUSAVPairs=[Acct-Session-Id=00000002], Posture Status=null, Posture Timestamp=, Session Last Update Time=Wed Dec 10 08:27:59 PST 2014)
    ...
    ending : Wed Dec 10 09:55:36 PST 2014
    ---------------------------------------------------
    downloaded 1 sessions in 100 milliseconds
    ---------------------------------------------------
    connection closed
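Two properties of the client certificate decide whether the steps above succeed: the EKU must carry both server authentication and client authentication (the pxgrid template), and the certificate must chain to the CA root that ends up in root.jks. The following script is an added example, not part of the Cisco guide or the pxGrid SDK: it builds a throwaway OpenSSL CA as a stand-in for the Microsoft Enterprise CA, issues a client certificate with the same two EKUs, and checks both properties with OpenSSL before any keystore is built. It assumes openssl is on the PATH; the function names, the extension config and the file layout are its own, only the file names self2.key/self2.csr/self2.cer/ca_root.cer follow the guide.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): verify a pxGrid client certificate the
# way the guide's keystore steps implicitly rely on. The OpenSSL CA below is a
# stand-in for the guide's Microsoft Enterprise CA (lab6-WIN-BG7GPQ053ID-CA).
set -e

# Write the OpenSSL config used below into $1. The pxgrid_ext section mirrors the
# guide's custom "pxgrid" template (both EKUs); clientonly_ext shows what fails.
write_ext_conf() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn

[dn]

[ca_ext]
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[pxgrid_ext]
basicConstraints = CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid

[clientonly_ext]
basicConstraints = CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF
}

# build_demo_pki DIR EXT_SECTION
# Creates ca_root.cer plus self2.key/self2.csr/self2.cer under DIR, signing the
# CSR with the named extension section (pxgrid_ext or clientonly_ext).
build_demo_pki() {
  dir=$1; ext=$2
  mkdir -p "$dir"
  write_ext_conf "$dir/ext.cnf"
  # Throwaway root CA (assumed name; constructed for this example).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -keyout "$dir/ca.key" -out "$dir/ca_root.cer" \
    -subj "/DC=com/DC=lab6/CN=demo-root-CA" \
    -config "$dir/ext.cnf" -extensions ca_ext >/dev/null 2>&1
  # Guide steps 1 and 2: client private key and CSR (2048 bits to keep the demo quick).
  openssl genrsa -out "$dir/self2.key" 2048 >/dev/null 2>&1
  openssl req -new -key "$dir/self2.key" -out "$dir/self2.csr" \
    -subj "/O=Internet Widgits Pty Ltd/ST=Some-State/C=AU" \
    -config "$dir/ext.cnf" >/dev/null 2>&1
  # Guide step 3 as the CA performs it: issue with the template's extensions.
  openssl x509 -req -in "$dir/self2.csr" -CA "$dir/ca_root.cer" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -sha256 -out "$dir/self2.cer" \
    -extfile "$dir/ext.cnf" -extensions "$ext" >/dev/null 2>&1
}

# check_pxgrid_cert CERT CAFILE
# Returns 0 only if CERT verifies against CAFILE (what the trust keystore will hold)
# and its Extended Key Usage lists both TLS server and TLS client authentication.
check_pxgrid_cert() {
  cert=$1; ca=$2
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "$cert does not chain to $ca (expect unknown_ca / not trusted)" >&2; return 1; }
  # The EKU values are printed on the line after the extension name.
  eku=$(openssl x509 -in "$cert" -noout -text | sed -n '/X509v3 Extended Key Usage/{n;p;}')
  case "$eku" in
    *"TLS Web Server Authentication"*"TLS Web Client Authentication"*) return 0 ;;
    *"TLS Web Client Authentication"*"TLS Web Server Authentication"*) return 0 ;;
  esac
  echo "$cert: EKU '$(echo "$eku" | tr -s ' ')' lacks serverAuth+clientAuth" >&2
  return 1
}

# Demo run: the pxgrid-template certificate passes, the client-only one is rejected.
demo=$(mktemp -d)
build_demo_pki "$demo/pxgrid" pxgrid_ext
build_demo_pki "$demo/clientonly" clientonly_ext
check_pxgrid_cert "$demo/pxgrid/self2.cer" "$demo/pxgrid/ca_root.cer" && echo "pxgrid template cert: OK"
check_pxgrid_cert "$demo/clientonly/self2.cer" "$demo/clientonly/ca_root.cer" \
  || echo "client-only cert: rejected, as expected"
```

Run the check on the real self2.cer and ca_root.cer before step 4 of the keystore procedure; a failure here is the same trust problem that later surfaces as the unknown_ca or "root certificate not trusted" handshake errors in the Troubleshooting section.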
Viewing Keystore Entries

The keystore entries can be listed to view the trusted certificate entries in the identity and trust keystores.

    keytool -list -v -keystore self2.jks
    Enter keystore password:

    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 2 entries

    Alias name: isecert
    Creation date: Dec 10, 2014
    Entry type: trustedCertEntry

    Owner: CN=ise.lab6.com
    Issuer: CN=ise.lab6.com
    Serial number: 548502f500000000ec27e53c1dd64f46
    Valid from: Sun Dec 07 17:46:29 PST 2014 until: Mon Dec 07 17:46:29 PST 2015
    Certificate fingerprints:
        MD5:  04:7D:67:04:EC:D2:F5:BC:DC:79:4D:0A:FF:62:09:FD
        SHA1: 5A:7B:02:E4:07:A1:D2:0B:7D:A5:AE:83:27:3B:E7:33:33:30:1E:32
        SHA256: C4:21:6C:6F:5B:06:F3:2C:D7:26:35:CB:BE:2B:1B:FF:0E:EE:09:91:F6:B6:54:0C:6F:63:CB:43:1F:77:F2:37
        Signature algorithm name: SHA1withRSA
        Version: 3
    Extensions:

    #1: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
      CA:true
      PathLen:2147483647
    ]

    #2: ObjectId: 2.5.29.37 Criticality=false
    ExtendedKeyUsages [
      serverAuth
      clientAuth
    ]

    #3: ObjectId: 2.5.29.15 Criticality=false
    KeyUsage [
      DigitalSignature
      Key_Encipherment
      Key_Agreement
      Key_CertSign
    ]

    #4: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
    NetscapeCertType [
       SSL server
    ]

    #5: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: C4 F3 1A 9E 7B 1B 14 4F   51 9E A4 88 33 07 7A AC  .......OQ...3.z.
    0010: 75 37 36 D4                                        u76.
    ]
    ]

    *******************************************
    *******************************************

    Alias name: 1
    Creation date: Dec 10, 2014
    Entry type: PrivateKeyEntry
    Certificate chain length: 2
    Certificate[1]:
    Owner: O=Internet Widgits Pty Ltd, ST=Some-State, C=AU
    Issuer: CN=lab6-WIN-BG7GPQ053ID-CA, DC=lab6, DC=com
    Serial number: 6105dce600000000000a
    Valid from: Wed Dec 10 09:01:44 PST 2014 until: Sat Dec 10 09:11:44 PST 2016
    Certificate fingerprints:
        MD5:  76:3E:43:48:A7:FD:2C:5B:A3:FD:76:3F:6E:DF:2D:B8
        SHA1: A9:E4:66:D9:34:C6:62:67:2B:C0:AF:E1:68:83:EA:36:3D:2A:23:CC
        SHA256: 0E:D8:04:30:39:3E:0B:06:D5:3E:29:94:ED:C7:76:7A:5E:27:1C:14:CF:CD:1E:4D:10:AF:22:A7:54:E5:52:7B
        Signature algorithm name: SHA256withRSA
        Version: 3
    Extensions:

    #1: ObjectId: 1.2.840.113549.1.9.15 Criticality=false
    0000: 30 35 30 0E 06 08 2A 86   48 86 F7 0D 03 02 02 02  050...*.H.......
    0010: 00 80 30 0E 06 08 2A 86   48 86 F7 0D 03 04 02 02  ..0...*.H.......
    0020: 00 80 30 07 06 05 2B 0E   03 02 07 30 0A 06 08 2A  ..0...+....0...*
    0030: 86 48 86 F7 0D 03 07                               .H.....

    #2: ObjectId: 1.3.6.1.4.1.311.21.10 Criticality=false
    0000: 30 32 30 0A 06 08 2B 06   01 05 05 07 03 01 30 0A  020...+.......0.
    0010: 06 08 2B 06 01 05 05 07   03 02 30 0A 06 08 2B 06  ..+.......0...+.
    0020: 01 05 05 07 03 04 30 0C   06 0A 2B 06 01 04 01 82  ......0...+.....
    0030: 37 0A 03 04                                        7...

    #3: ObjectId: 1.3.6.1.4.1.311.21.7 Criticality=false
    0000: 30 2D 06 25 2B 06 01 04   01 82 37 15 08 DC FD 1A  0-.%+.....7.....
    0010: 87 CB EB 79 81 89 9D 2D   86 E6 FC 53 86 82 A1 38  ...y...-...S...8
    0020: 5E 86 D1 B8 23 85 FC EF   40 02 01 64 02 01 03     ^...#...@..d...

    #4: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
    AuthorityInfoAccess [
      [
       accessMethod: caIssuers
       accessLocation: URIName: ldap:///cn=lab6-win-bg7gpq053id-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lab6,DC=com?cACertificate?base?objectClass=certificationAuthority
    ]
    ]

    #5: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: A9 C7 8E 26 9C F5 37 0A   E6 5A 15 36 26 D4 A2 06  ...&..7..Z.6&...
    0010: 6A C8 79 2C                                        j.y,
    ]
    ]

    #6: ObjectId: 2.5.29.31 Criticality=false
    CRLDistributionPoints [
      [DistributionPoint:
         [URIName: ldap:///cn=lab6-win-bg7gpq053id-ca,cn=win-BG7GPQ053ID,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lab6,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint]
    ]]

    #7: ObjectId: 2.5.29.32 Criticality=false
    CertificatePolicies [
      [CertificatePolicyId: [2.5.29.32.0]
    []  ]
    ]

    #8: ObjectId: 2.5.29.37 Criticality=false
    ExtendedKeyUsages [
      serverAuth
      clientAuth
      emailProtection
      1.3.6.1.4.1.311.10.3.4
    ]

    #9: ObjectId: 2.5.29.15 Criticality=true
    KeyUsage [
      DigitalSignature
      Key_Encipherment
    ]

    #10: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 36 E2 1A 09 D1 51 72 4D   C3 6A 18 C1 C4 EB AE B5  6....QrM.j......
    0010: E4 48 39 4E                                        .H9N
    ]
    ]

    Certificate[2]:
    Owner: CN=lab6-WIN-BG7GPQ053ID-CA, DC=lab6, DC=com
    Issuer: CN=lab6-WIN-BG7GPQ053ID-CA, DC=lab6, DC=com
    Serial number: 448a6d6486c91cb14c6888c127d16c4e
    Valid from: Thu Nov 13 17:47:06 PST 2014 until: Wed Nov 13 17:57:06 PST 2019
    Certificate fingerprints:
        MD5:  41:10:8A:F5:36:76:79:9C:2C:00:03:47:55:F8:CF:7B
        SHA1: 9D:DA:06:AF:06:3F:8F:5E:84:C7:F4:58:50:95:03:22:64:48:96:9F
        SHA256: DB:28:50:D6:47:CA:C0:6A:E9:7B:87:B4:0E:9C:3A:C1:A2:61:EA:D1:29:8B:45:B4:76:4B:DA:2A:F1:D8:E0:A3
        Signature algorithm name: SHA256withRSA
        Version: 3
    Extensions:

    #1: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
    0000: 02 01 00                                           ...

    #2: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
      CA:true
      PathLen:2147483647
    ]

    #3: ObjectId: 2.5.29.15 Criticality=false
    KeyUsage [
      DigitalSignature
      Key_CertSign
      Crl_Sign
    ]

    #4: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: A9 C7 8E 26 9C F5 37 0A   E6 5A 15 36 26 D4 A2 06  ...&..7..Z.6&...
    0010: 6A C8 79 2C                                        j.y,
    ]
    ]

    *******************************************
    *******************************************

    keytool -list -v -keystore root.jks
    Enter keystore password:

    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 2 entries

    Alias name: root
    Creation date: Dec 10, 2014
    Entry type: trustedCertEntry

    Owner: CN=lab6-WIN-BG7GPQ053ID-CA, DC=lab6, DC=com
    Issuer: CN=lab6-WIN-BG7GPQ053ID-CA, DC=lab6, DC=com
    Serial number: 448a6d6486c91cb14c6888c127d16c4e
    Valid from: Thu Nov 13 17:47:06 PST 2014 until: Wed Nov 13 17:57:06 PST 2019
    Certificate fingerprints:
        MD5:  41:10:8A:F5:36:76:79:9C:2C:00:03:47:55:F8:CF:7B
        SHA1: 9D:DA:06:AF:06:3F:8F:5E:84:C7:F4:58:50:95:03:22:64:48:96:9F
        SHA256: DB:28:50:D6:47:CA:C0:6A:E9:7B:87:B4:0E:9C:3A:C1:A2:61:EA:D1:29:8B:45:B4:76:4B:DA:2A:F1:D8:E0:A3
        Signature algorithm name: SHA256withRSA
        Version: 3
    Extensions:

    #1: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
    0000: 02 01 00                                           ...

    #2: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
      CA:true
      PathLen:2147483647
    ]

    #3: ObjectId: 2.5.29.15 Criticality=false
    KeyUsage [
      DigitalSignature
      Key_CertSign
      Crl_Sign
    ]

    #4: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: A9 C7 8E 26 9C F5 37 0A   E6 5A 15 36 26 D4 A2 06  ...&..7..Z.6&...
    0010: 6A C8 79 2C                                        j.y,
    ]
    ]

    *******************************************
    *******************************************

    Alias name: mnt
    Creation date: Dec 10, 2014
    Entry type: trustedCertEntry

    Owner: CN=ise.lab6.com
    Issuer: CN=ise.lab6.com
    Serial number: 548502f500000000ec27e53c1dd64f46
    Valid from: Sun Dec 07 17:46:29 PST 2014 until: Mon Dec 07 17:46:29 PST 2015
    Certificate fingerprints:
        MD5:  04:7D:67:04:EC:D2:F5:BC:DC:79:4D:0A:FF:62:09:FD
        SHA1: 5A:7B:02:E4:07:A1:D2:0B:7D:A5:AE:83:27:3B:E7:33:33:30:1E:32
        SHA256: C4:21:6C:6F:5B:06:F3:2C:D7:26:35:CB:BE:2B:1B:FF:0E:EE:09:91:F6:B6:54:0C:6F:63:CB:43:1F:77:F2:37
        Signature algorithm name: SHA1withRSA
        Version: 3
    Extensions:

    #1: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
      CA:true
      PathLen:2147483647
    ]

    #2: ObjectId: 2.5.29.37 Criticality=false
    ExtendedKeyUsages [
      serverAuth
      clientAuth
    ]

    #3: ObjectId: 2.5.29.15 Criticality=false
    KeyUsage [
      DigitalSignature
      Key_Encipherment
      Key_Agreement
      Key_CertSign
    ]

    #4: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
    NetscapeCertType [
       SSL server
    ]

    #5: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: C4 F3 1A 9E 7B 1B 14 4F   51 9E A4 88 33 07 7A AC  .......OQ...3.z.
    0010: 75 37 36 D4                                        u76.
    ]
    ]

    *******************************************
    *******************************************

Troubleshooting

This section provides troubleshooting information. To avoid pxGrid scripting error messages, verify that the pxGrid client hostname and the ISE pxGrid node are resolvable through DNS. If the trust store has been changed and an error message like the following appears, stop and restart the ISE application on the ISE VM.
    ./register.sh -keystorefilename self1.jks -keystorepassword cisco123 -truststorefilename root1.jks -truststorepassword cisco123 -username pxgridclient -hostname 10.0.0.96 -group Session -description test1
    ------- properties -------
    version=1.0.0
    hostnames=10.0.0.96
    username=pxgridclient
    descriptipon=test1
    keystorefilename=self1.jks
    keystorepassword=cisco123
    truststorefilename=root1.jks
    truststorepassword=cisco123
    --------------------------
    registering...
    connecting...
    javax.net.ssl.sslhandshakeexception: Received fatal alert: unknown_ca
        at sun.security.ssl.alerts.getsslexception(alerts.java:192)
        at sun.security.ssl.alerts.getsslexception(alerts.java:154)
        at sun.security.ssl.sslsocketimpl.recvalert(sslsocketimpl.java:1991)
        at sun.security.ssl.sslsocketimpl.readrecord(sslsocketimpl.java:1104)
        at sun.security.ssl.sslsocketimpl.performinitialhandshake(sslsocketimpl.java:1343)
        at sun.security.ssl.sslsocketimpl.starthandshake(sslsocketimpl.java:1371)
        at sun.security.ssl.sslsocketimpl.starthandshake(sslsocketimpl.java:1355)
        at org.jivesoftware.smack.xmppconnection.proceedtlsreceived(xmppconnection.java:806)
        at org.jivesoftware.smack.packetreader.parsepackets(packetreader.java:267)
        at org.jivesoftware.smack.packetreader.access$000(packetreader.java:43)
        at org.jivesoftware.smack.packetreader$1.run(packetreader.java:70)
    Exception in thread "main" com.cisco.pxgrid.gclexception: SASL authentication failed:
        at com.cisco.pxgrid.gridconnection.connect(gridconnection.java:197)
        at com.cisco.pxgrid.samples.ise.register.main(register.java:99)
    Caused by: SASL authentication failed:
        at org.jivesoftware.smack.saslauthentication.authenticate(saslauthentication.java:281)
        at org.jivesoftware.smack.xmppconnection.login(xmppconnection.java:206)
        at com.cisco.pxgrid.configuration.connect(configuration.java:194)
        at com.cisco.pxgrid.gridconnection.connect(gridconnection.java:134)
        ... 1 more

Restart the ISE services:

    application stop ise
    application start ise

Verify that the pxGrid process is initializing:

    sh application status ise

If an error message like the following appears, the root certificate must be added to the truststorefilename keystore (root3.jks in this example).

    ./register.sh -keystorefilename pxgridclient.jks -keystorepassword cisco123 -truststorefilename root3.jks -truststorepassword cisco123 -group Session -description MACBOOK -username Macbook_PRO -hostname 10.0.0.96
    ------- properties -------
    version=1.0.0
    hostnames=10.0.0.96
    username=macbook_pro
    descriptipon=macbook
    keystorefilename=pxgridclient.jks
    keystorepassword=cisco123
    truststorefilename=root3.jks
    truststorepassword=cisco123
    --------------------------
    registering...
    connecting...
    javax.net.ssl.sslhandshakeexception: java.security.cert.certificateexception: root certificate not trusted of [ise.lab6.com]
        at sun.security.ssl.alerts.getsslexception(alerts.java:192)
        at sun.security.ssl.sslsocketimpl.fatal(sslsocketimpl.java:1917)
        at sun.security.ssl.handshaker.fatalse(handshaker.java:301)
        at sun.security.ssl.handshaker.fatalse(handshaker.java:295)
        at sun.security.ssl.clienthandshaker.servercertificate(clienthandshaker.java:1471)
        at sun.security.ssl.clienthandshaker.processmessage(clienthandshaker.java:212)
        at sun.security.ssl.handshaker.processloop(handshaker.java:936)
        at sun.security.ssl.handshaker.process_record(handshaker.java:871)
        at sun.security.ssl.sslsocketimpl.readrecord(sslsocketimpl.java:1043)
        at sun.security.ssl.sslsocketimpl.performinitialhandshake(sslsocketimpl.java:1343)
        at sun.security.ssl.sslsocketimpl.starthandshake(sslsocketimpl.java:1371)
        at sun.security.ssl.sslsocketimpl.starthandshake(sslsocketimpl.java:1355)
        at org.jivesoftware.smack.xmppconnection.proceedtlsreceived(xmppconnection.java:806)
        at org.jivesoftware.smack.packetreader.parsepackets(packetreader.java:267)
        at org.jivesoftware.smack.packetreader.access$000(packetreader.java:43)
        at org.jivesoftware.smack.packetreader$1.run(packetreader.java:70)
    Caused by: java.security.cert.certificateexception: root certificate not trusted of [ise.lab6.com]
        at org.jivesoftware.smack.servertrustmanager.checkservertrusted(servertrustmanager.java:144)
        at sun.security.ssl.abstracttrustmanagerwrapper.checkservertrusted(sslcontextimpl.java:865)
        at sun.security.ssl.clienthandshaker.servercertificate(clienthandshaker.java:1453)
        ... 11 more

If an error message like the following appears, verify that the pxGrid client and the ISE pxGrid FQDN are resolvable through DNS.

    ./session_download.sh -keystorefilename jeppich.jks -keystorepassword cisco123 -truststorefilename trust007.jks -truststorepassword cisco123 -hostname 10.0.0.96 -username mac2
    ------- properties -------
    version=1.0.0
    hostnames=10.0.0.96
    username=mac2
    keystorefilename=jeppich.jks
    keystorepassword=cisco123
    truststorefilename=trust007.jks
    truststorepassword=cisco123
    filter=null
    start=null
    end=null
    --------------------------
    connecting...
    connected.
    20:18:07.181 [main] WARN o.a.cxf.phase.phaseinterceptorchain - Interceptor for {https://ise.lab6.com/pxgrid/mnt/sd}webclient has thrown exception, unwinding now
    org.apache.cxf.interceptor.fault: Could not send Message.
        at org.apache.cxf.interceptor.messagesenderinterceptor$messagesenderendinginterceptor.handlemessage(messagesenderinterceptor.java:64) ~[cxf-api-2.7.3.jar:2.7.3]
        at org.apache.cxf.phase.phaseinterceptorchain.dointercept(phaseinterceptorchain.java:271) ~[cxf-api-2.7.3.jar:2.7.3]
        at org.apache.cxf.jaxrs.client.abstractclient.doruninterceptorchain(abstractclient.java:581) [cxf-rt-frontend-jaxrs-2.7.3.jar:2.7.3]
        at org.apache.cxf.jaxrs.client.webclient.dochainedinvocation(webclient.java:904) [cxf-rt-frontend-jaxrs-2.7.3.jar:2.7.3]
        at org.apache.cxf.jaxrs.client.webclient.doinvoke(webclient.java:772) [cxf-rt-frontend-jaxrs-2.7.3.jar:2.7.3]
        at org.apache.cxf.jaxrs.client.webclient.doinvoke(webclient.java:759) [cxf-rt-frontend-jaxrs-2.7.3.jar:2.7.3]
        at org.apache.cxf.jaxrs.client.webclient.invoke(webclient.java:355) [cxf-rt-frontend-jaxrs-2.7.3.jar:2.7.3]
        at org.apache.cxf.jaxrs.client.webclient.post(webclient.java:381) [cxf-rt-frontend-jaxrs-2.7.3.jar:2.7.3]
        at com.cisco.pxgrid.stub.identity.impl.sessioniteratorimpl.open(sessioniteratorimpl.java:128) [pxgrid-identity-client-stub-1.0.0.jar:1.0.0]
        at com.cisco.pxgrid.samples.ise.sessiondownload.main(sessiondownload.java:132) [pxgrid-sdk-1.0.0.jar:1.0.0]
    Caused by: java.net.unknownhostexception: UnknownHostException invoking https://ise.lab6.com/pxgrid/mnt/sd/getsessionlistbytime: ise.lab6.com
        at sun.reflect.nativeconstructoraccessorimpl.newinstance0(native Method) ~[na:1.8.0_25]
        at sun.reflect.nativeconstructoraccessorimpl.newinstance(nativeconstructoraccessorimpl.java:62) ~[na:1.8.0_25]
        at sun.reflect.delegatingconstructoraccessorimpl.newinstance(delegatingconstructoraccessorimpl.java:45) ~[na:1.8.0_25]
        at java.lang.reflect.constructor.newinstance(constructor.java:408) ~[na:1.8.0_25]
        at org.apache.cxf.transport.http.httpconduit$wrappedoutputstream.mapexception(httpconduit.java:1338) ~[cxf-rt-transports-http-2.7.3.jar:2.7.3]
        at org.apache.cxf.transport.http.httpconduit$wrappedoutputstream.close(httpconduit.java:1322) ~[cxf-rt-transports-http-2.7.3.jar:2.7.3]
        at org.apache.cxf.transport.abstractconduit.close(abstractconduit.java:56) ~[cxf-api-2.7.3.jar:2.7.3]
        at org.apache.cxf.transport.http.httpconduit.close(httpconduit.java:622) ~[cxf-rt-transports-http-2.7.3.jar:2.7.3]
        at org.apache.cxf.interceptor.messagesenderinterceptor$messagesenderendinginterceptor.handlemessage(messagesenderinterceptor.java:62) ~[cxf-api-2.7.3.jar:2.7.3]
        ... 9 common frames omitted
    Caused by: java.net.unknownhostexception: ise.lab6.com
        at java.net.abstractplainsocketimpl.connect(abstractplainsocketimpl.java:184) ~[na:1.8.0_25]
        at java.net.sockssocketimpl.connect(sockssocketimpl.java:392) ~[na:1.8.0_25]
        at java.net.socket.connect(socket.java:589) ~[na:1.8.0_25]
        at sun.security.ssl.sslsocketimpl.connect(sslsocketimpl.java:649) ~[na:1.8.0_25]
        at sun.net.networkclient.doconnect(networkclient.java:175) ~[na:1.8.0_25]
        at sun.net.www.http.httpclient.openserver(httpclient.java:432) ~[na:1.8.0_25]
        at sun.net.www.http.httpclient.openserver(httpclient.java:527) ~[na:1.8.0_25]
        at sun.net.www.protocol.https.httpsclient.<init>(httpsclient.java:275) ~[na:1.8.0_25]
        at sun.net.www.protocol.https.httpsclient.new(httpsclient.java:371) ~[na:1.8.0_25]
        at sun.net.www.protocol.https.abstractdelegatehttpsurlconnection.getnewhttpclient(abstractdelegatehttpsurlconnection.java:191) ~[na:1.8.0_25]
        at sun.net.www.protocol.http.httpurlconnection.plainconnect0(httpurlconnection.java:1103) ~[na:1.8.0_25]
        at sun.net.www.protocol.http.httpurlconnection.plainconnect(httpurlconnection.java:997) ~[na:1.8.0_25]
        at sun.net.www.protocol.https.abstractdelegatehttpsurlconnection.connect(abstractdelegatehttpsurlconnection.java:177) ~[na:1.8.0_25]
        at sun.net.www.protocol.http.httpurlconnection.getoutputstream0(httpurlconnection.java:1281) ~[na:1.8.0_25]
        at sun.net.www.protocol.http.httpurlconnection.getoutputstream(httpurlconnection.java:1256) ~[na:1.8.0_25]
        at sun.net.www.protocol.https.httpsurlconnectionimpl.getoutputstream(httpsurlconnectionimpl.java:250) ~[na:1.8.0_25]
        at org.apache.cxf.transport.http.urlconnectionhttpconduit$urlconnectionwrappedoutputstream.setupwrappedstream(URLConnectionHTTPConduit.java:170) ~[cxf-rt-transports-http-2.7.3.jar:2.7.3]
        at org.apache.cxf.transport.http.httpconduit$wrappedoutputstream.handleheaderstrustcaching(httpconduit.java:1282) ~[cxf-rt-transports-http-2.7.3.jar:2.7.3]
        at org.apache.cxf.transport.http.httpconduit$wrappedoutputstream.onfirstwrite(httpconduit.java:1233) ~[cxf-rt-transports-http-2.7.3.jar:2.7.3]
        at org.apache.cxf.transport.http.urlconnectionhttpconduit$urlconnectionwrappedoutputstream.onfirstwrite(urlconnectionhttpconduit.java:183) ~[cxf-rt-transports-http-2.7.3.jar:2.7.3]
        at org.apache.cxf.io.abstractwrappedoutputstream.write(abstractwrappedoutputstream.java:47) ~[cxf-api-2.7.3.jar:2.7.3]
        at org.apache.cxf.io.abstractthresholdoutputstream.write(abstractthresholdoutputstream.java:69) ~[cxf-api-2.7.3.jar:2.7.3]
        at org.apache.cxf.transport.http.httpconduit$wrappedoutputstream.close(httpconduit.java:1295) ~[cxf-rt-transports-http-2.7.3.jar:2.7.3]
        ... 12 common frames omitted
    20:18:07.185 [main] WARN c.c.p.s.i.impl.sessioniteratorimpl - unsuccessful attempt made to session directory ise.lab6.com
    javax.ws.rs.client.clientexception: javax.ws.rs.client.clientexception: org.apache.cxf.interceptor.fault: Could not send Message.
        at org.apache.cxf.jaxrs.client.webclient.doresponse(webclient.java:946) ~[cxf-rt-frontend-jaxrs-2.7.3.jar:2.7.3]
        at org.apache.cxf.jaxrs.client.webclient.dochainedinvocation(webclient.java:905) ~[cxf-rt-frontend-jaxrs-2.7.3.jar:2.7.3]
        at org.apache.cxf.jaxrs.client.webclient.doinvoke(webclient.java:772) ~[cxf-rt-frontend-jaxrs-2.7.3.jar:2.7.3]
        at org.apache.cxf.jaxrs.client.webclient.doinvoke(webclient.java:759) ~[cxf-rt-frontend-jaxrs-2.7.3.jar:2.7.3]
        at org.apache.cxf.jaxrs.client.webclient.invoke(webclient.java:355) ~[cxf-rt-frontend-jaxrs-2.7.3.jar:2.7.3]
        at org.apache.cxf.jaxrs.client.webclient.post(webclient.java:381) ~[cxf-rt-frontend-jaxrs-2.7.3.jar:2.7.3]
        at com.cisco.pxgrid.stub.identity.impl.sessioniteratorimpl.open(sessioniteratorimpl.java:128) ~[pxgrid-identity-client-stub-1.0.0.jar:1.0.0]
        at com.cisco.pxgrid.samples.ise.sessiondownload.main(sessiondownload.java:132) [pxgrid-sdk-1.0.0.jar:1.0.0]
    Caused by: javax.ws.rs.client.clientexception: org.apache.cxf.interceptor.fault: Could not send Message.
        at org.apache.cxf.jaxrs.client.abstractclient.checkclientexception(abstractclient.java:522) ~[cxf-rt-frontend-jaxrs-2.7.3.jar:2.7.3]
        at org.apache.cxf.jaxrs.client.abstractclient.preprocessresult(abstractclient.java:508) ~[cxf-rt-frontend-jaxrs-2.7.3.jar:2.7.3]
        at org.apache.cxf.jaxrs.client.webclient.doresponse(webclient.java:941) ~[cxf-rt-frontend-jaxrs-2.7.3.jar:2.7.3]
        ... 7 common frames omitted
    Caused by: org.apache.cxf.interceptor.fault: Could not send Message.
        at org.apache.cxf.interceptor.messagesenderinterceptor$messagesenderendinginterceptor.handlemessage(messagesenderinterceptor.java:64) ~[cxf-api-2.7.3.jar:2.7.3]
        at org.apache.cxf.phase.phaseinterceptorchain.dointercept(phaseinterceptorchain.java:271) ~[cxf-api-2.7.3.jar:2.7.3]
        at org.apache.cxf.jaxrs.client.abstractclient.doruninterceptorchain(abstractclient.java:581) ~[cxf-rt-frontend-jaxrs-2.7.3.jar:2.7.3]
        at org.apache.cxf.jaxrs.client.webclient.dochainedinvocation(webclient.java:904) ~[cxf-rt-frontend-jaxrs-2.7.3.jar:2.7.3]
        ... 6 common frames omitted
    Caused by: java.net.unknownhostexception: UnknownHostException invoking https://ise.lab6.com/pxgrid/mnt/sd/getsessionlistbytime: ise.lab6.com
        at sun.reflect.nativeconstructoraccessorimpl.newinstance0(native Method) ~[na:1.8.0_25]
        at sun.reflect.nativeconstructoraccessorimpl.newinstance(nativeconstructoraccessorimpl.java:62) ~[na:1.8.0_25]
        at sun.reflect.delegatingconstructoraccessorimpl.newinstance(delegatingconstructoraccessorimpl.java:45) ~[na:1.8.0_25]
        at java.lang.reflect.constructor.newinstance(constructor.java:408) ~[na:1.8.0_25]
        at org.apache.cxf.transport.http.httpconduit$wrappedoutputstream.mapexception(httpconduit.java:1338) ~[cxf-rt-transports-http-2.7.3.jar:2.7.3]
        at org.apache.cxf.transport.http.httpconduit$wrappedoutputstream.close(httpconduit.java:1322) ~[cxf-rt-transports-http-2.7.3.jar:2.7.3]
        at org.apache.cxf.transport.abstractconduit.close(abstractconduit.java:56) ~[cxf-api-2.7.3.jar:2.7.3]
        at org.apache.cxf.transport.http.httpconduit.close(httpconduit.java:622) ~[cxf-rt-transports-http-2.7.3.jar:2.7.3]
        at org.apache.cxf.interceptor.messagesenderinterceptor$messagesenderendinginterceptor.handlemessage(messagesenderinterceptor.java:62) ~[cxf-api-2.7.3.jar:2.7.3]
        ... 9 common frames omitted
    Caused by: java.net.unknownhostexception: ise.lab6.com
        at java.net.abstractplainsocketimpl.connect(abstractplainsocketimpl.java:184) ~[na:1.8.0_25]
        at java.net.sockssocketimpl.connect(sockssocketimpl.java:392) ~[na:1.8.0_25]
        at java.net.socket.connect(socket.java:589) ~[na:1.8.0_25]
        at sun.security.ssl.sslsocketimpl.connect(sslsocketimpl.java:649) ~[na:1.8.0_25]
        at sun.net.networkclient.doconnect(networkclient.java:175) ~[na:1.8.0_25]
        at sun.net.www.http.httpclient.openserver(httpclient.java:432) ~[na:1.8.0_25]
        at sun.net.www.http.httpclient.openserver(httpclient.java:527) ~[na:1.8.0_25]
        at sun.net.www.protocol.https.httpsclient.<init>(httpsclient.java:275) ~[na:1.8.0_25]
        at sun.net.www.protocol.https.httpsclient.new(httpsclient.java:371) ~[na:1.8.0_25]
        at sun.net.www.protocol.https.abstractdelegatehttpsurlconnection.getnewhttpclient(abstractdelegatehttpsurlconnection.java:191) ~[na:1.8.0_25]
        at sun.net.www.protocol.http.httpurlconnection.plainconnect0(httpurlconnection.java:1103) ~[na:1.8.0_25]
        at sun.net.www.protocol.http.httpurlconnection.plainconnect(httpurlconnection.java:997) ~[na:1.8.0_25]
        at sun.net.www.protocol.https.abstractdelegatehttpsurlconnection.connect(abstractdelegatehttpsurlconnection.java:177) ~[na:1.8.0_25]
        at sun.net.www.protocol.http.httpurlconnection.getoutputstream0(httpurlconnection.java:1281) ~[na:1.8.0_25]
        at sun.net.www.protocol.http.httpurlconnection.getoutputstream(httpurlconnection.java:1256) ~[na:1.8.0_25]
        at sun.net.www.protocol.https.httpsurlconnectionimpl.getoutputstream(httpsurlconnectionimpl.java:250) ~[na:1.8.0_25]
        at org.apache.cxf.transport.http.urlconnectionhttpconduit$urlconnectionwrappedoutputstream.setupwrappedstream(URLConnectionHTTPConduit.java:170) ~[cxf-rt-transports-http-2.7.3.jar:2.7.3]
        at org.apache.cxf.transport.http.httpconduit$wrappedoutputstream.handleheaderstrustcaching(httpconduit.java:1282) ~[cxf-rt-transports-http-2.7.3.jar:2.7.3]
        at org.apache.cxf.transport.http.httpconduit$wrappedoutputstream.onfirstwrite(httpconduit.java:1233) ~[cxf-rt-transports-http-2.7.3.jar:2.7.3]
        at org.apache.cxf.transport.http.urlconnectionhttpconduit$urlconnectionwrappedoutputstream.onfirstwrite(urlconnectionhttpconduit.java:183) ~[cxf-rt-transports-http-2.7.3.jar:2.7.3]
        at org.apache.cxf.io.abstractwrappedoutputstream.write(abstractwrappedoutputstream.java:47) ~[cxf-api-2.7.3.jar:2.7.3]
        at org.apache.cxf.io.abstractthresholdoutputstream.write(abstractthresholdoutputstream.java:69) ~[cxf-api-2.7.3.jar:2.7.3]
        at org.apache.cxf.transport.http.httpconduit$wrappedoutputstream.close(httpconduit.java:1295) ~[cxf-rt-transports-http-2.7.3.jar:2.7.3]
        ... 12 common frames omitted
    Exception in thread "main" java.io.ioexception: unsuccessful attempts made to all session directories
        at com.cisco.pxgrid.stub.identity.impl.sessioniteratorimpl.open(sessioniteratorimpl.java:148)
        at com.cisco.pxgrid.samples.ise.sessiondownload.main(sessiondownload.java:132)