Deploying Cisco pxGrid with Certificates: Using Self-Signed Certificates on the ISE pxGrid Node and the pxGrid Client
Table of Contents

About This Document ... 3
Introduction ... 4
Certificate Configuration Example ... 5
Self-Signed ISE pxGrid Node Certificate and pxGrid Persona Configuration ... 5
Self-Signed pxGrid Client Certificate ... 8
Testing the pxGrid Client and ISE pxGrid Node ... 12
Viewing Keystore Entries ... 13
Troubleshooting ... 16

Page 2
About This Document

This document describes the configuration steps required to configure a pxGrid client and an ISE pxGrid node using self-signed certificates. It is intended for Cisco field engineers, technical marketing engineers, partners and customers deploying Cisco pxGrid. Readers should also be familiar with pxGrid; those who are not should refer to: http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/howto-84-Configure_and_Test_Integration_with_Cisco_pxGrid.pdf

Obtain the pxGrid SDK from your Cisco account team. Cisco ISE (Identity Services Engine) 1.3 is assumed to be installed. A Mac running OS X 10.8.5 is used as the pxGrid client; a Linux OS may also be used. The pxGrid client requires Oracle Java Development Kit 7 or 8.

The Deploying pxGrid with Certificates series includes two other documents:
Using a CA (Certificate Authority)-signed ISE pxGrid node certificate and pxGrid client
Using a CA (Certificate Authority)-signed pxGrid client and an ISE self-signed pxGrid node
Introduction

Deploying pxGrid with self-signed certificates on both the ISE pxGrid node and the pxGrid client is an alternative way of testing without using the sample certificates shipped in the pxGrid SDK. Self-signed certificates are not issued by a trusted source and are less secure than using a CA (Certificate Authority). However, in this document ISE trusts the pxGrid client's public key by importing it into the ISE trusted certificate store, and the pxGrid client trusts the ISE public certificate held in the pxGrid client's trust store. This generally provides more security than simply using self-signed certificates.
Certificate Configuration Example

The following illustrates the certificates used in this document.

Self-Signed ISE pxGrid Node Certificate and pxGrid Persona Configuration

In this section the ISE self-signed certificate is imported into the ISE trusted certificate store. Once the ISE identity certificate is in the trusted certificate store, the pxGrid persona is enabled on the ISE node, and the pxGrid ISE node is changed to Primary.

Step 1  Export the self-signed ISE identity certificate and save it as a .pem file.
Select Administration->System->Certificates, then select the ISE identity certificate->Export (public key only).

Step 2  Import the saved ISE .pem file into the ISE trusted certificate store.
Select Administration->System->Certificates->Trusted Certificates->Browse, upload the file and click Submit. Enable "Trust for authentication within ISE".

The imported ISE trusted certificate is displayed.

Step 3  Enable the pxGrid persona on ISE.
Select Administration->System->Deployment->Enable pxGrid, change the role to Primary and click Save.

Note: Changing the role to Primary is not strictly required.

Step 4  Verify that the published services have started.
Administration->pxGrid Services

Note: There may be a delay before the ISE publisher node appears. The certificates must be installed before the pxGrid persona is enabled.
Self-Signed pxGrid Client Certificate

This section walks through the process of generating a self-signed certificate on the pxGrid client. Once the pxGrid public/private key pair has been generated, a PKCS12 file (self1.p12) is created from the private key (e.g. self1.key). This PKCS12 file is imported into the destination or identity keystore (e.g. self1.jks), which serves as the keystorefilename and keystorepassword for the pxGrid scripts. The ISE identity certificate and the pxGrid client's public certificate are both added to this keystore as well. The ISE identity certificate is additionally added to the trust keystore (e.g. root1.jks), which serves as the truststorefilename and truststorepassword.

Step 1  Generate a private key (e.g. self1.key) for the pxGrid client.

    openssl genrsa -out self1.key 4096
    Generating RSA private key, 4096 bit long modulus
    ...++
    ...++
    e is 65537 (0x10001)

Step 2  Generate a certificate signing request (self1.csr) and supply a challenge password.

    openssl req -new -key self1.key -out self1.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:
    State or Province Name (full name) [Some-State]:
    Locality Name (eg, city) []:
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (e.g. server FQDN or YOUR name) []:
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:cisco123
    An optional company name []:LAB

Note: To ease maintenance and reduce errors, use the same password throughout this document.

Step 3  Generate the self-signed public key certificate (e.g. self1.cer).

    openssl req -x509 -days 365 -key self1.key -in self1.csr -out self1.cer
Step 4  Generate a PKCS12 file (e.g. self1.p12) from the private key.

    openssl pkcs12 -export -out self1.p12 -inkey self1.key -in self1.cer
    Enter Export Password: cisco123
    Verifying - Enter Export Password: cisco123

Step 5  Import the self1.p12 file into the identity keystore (e.g. self1.jks). The keystore file name can be any name with a .jks extension. It serves as the keystorefilename and associated keystorepassword in the pxGrid scripts.

    keytool -importkeystore -srckeystore self1.p12 -destkeystore self1.jks -srcstoretype PKCS12
    Enter destination keystore password: cisco123
    Re-enter new password: cisco123
    Enter source keystore password: cisco123
    Entry for alias 1 successfully imported.
    Import command completed: 1 entries successfully imported, 0 entries failed or cancelled

Step 6  Export only the public ISE identity certificate to the pxGrid client; this is done in .pem format. The .pem file can be renamed to something more readable; in this example it was renamed isemnt.pem.

Step 7  Convert the .pem file to .der format.

    openssl x509 -outform der -in isemnt.pem -out isemnt.der

Step 8  Add the ISE identity certificate to the identity keystore. This is used to secure the bulk session download from the ISE MNT node when the pxGrid session download script is run.

    keytool -import -alias mnt1 -keystore self1.jks -file isemnt.der
    Enter keystore password: cisco123
    Owner: CN=ise.lab6.com
    Issuer: CN=ise.lab6.com
    Serial number: 548502f500000000ec27e53c1dd64f46
    Valid from: Sun Dec 07 17:46:29 PST 2014 until: Mon Dec 07 17:46:29 PST 2015
    Certificate fingerprints:
         MD5:  04:7D:67:04:EC:D2:F5:BC:DC:79:4D:0A:FF:62:09:FD
         SHA1: 5A:7B:02:E4:07:A1:D2:0B:7D:A5:AE:83:27:3B:E7:33:33:30:1E:32
         SHA256: C4:21:6C:6F:5B:06:F3:2C:D7:26:35:CB:BE:2B:1B:FF:0E:EE:09:91:F6:B6:54:0C:6F:63:CB:43:1F:77:F2:37
         Signature algorithm name: SHA1withRSA
         Version: 3

    Extensions:

    #1: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
      CA:true
      PathLen:2147483647
    ]

    #2: ObjectId: 2.5.29.37 Criticality=false
    ExtendedKeyUsages [
      serverAuth
      clientAuth
    ]

    #3: ObjectId: 2.5.29.15 Criticality=false
    KeyUsage [
      DigitalSignature
      Key_Encipherment
      Key_Agreement
      Key_CertSign
    ]

    #4: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
    NetscapeCertType [
       SSL server
    ]

    #5: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: C4 F3 1A 9E 7B 1B 14 4F 51 9E A4 88 33 07 7A AC  ...OQ...3.z.
    0010: 75 37 36 D4                                        u76.
    ]
    ]

    Trust this certificate? [no]:  yes
    Certificate was added to keystore

Step 9  Import the pxGrid client certificate into the identity keystore.

    keytool -import -alias pxgridclient1 -keystore self1.jks -file self1.cer
    Enter keystore password:
    Certificate already exists in keystore under alias <1>
    Do you still want to add it? [no]:  n
    Certificate was not added to keystore

Note: If this message appears, the certificate has already been added to the existing keystore, and entering "no" leaves it as it is. Here "yes" was selected so that the certificate can later be confirmed as added.

Step 10  Import the ISE identity certificate into the trust keystore (e.g. root1.jks). This keystore serves as the truststorefilename and truststorepassword in the pxGrid scripts.

    keytool -import -alias root1 -keystore root1.jks -file isemnt.der
    Enter keystore password:
    Re-enter new password:
    Owner: CN=ise.lab6.com
    Issuer: CN=ise.lab6.com
    Serial number: 548502f500000000ec27e53c1dd64f46
    Valid from: Sun Dec 07 17:46:29 PST 2014 until: Mon Dec 07 17:46:29 PST 2015
    Certificate fingerprints:
         MD5:  04:7D:67:04:EC:D2:F5:BC:DC:79:4D:0A:FF:62:09:FD
         SHA1: 5A:7B:02:E4:07:A1:D2:0B:7D:A5:AE:83:27:3B:E7:33:33:30:1E:32
         SHA256: C4:21:6C:6F:5B:06:F3:2C:D7:26:35:CB:BE:2B:1B:FF:0E:EE:09:91:F6:B6:54:0C:6F:63:CB:43:1F:77:F2:37
         Signature algorithm name: SHA1withRSA
         Version: 3

    Extensions:

    #1: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
      CA:true
      PathLen:2147483647
    ]

    #2: ObjectId: 2.5.29.37 Criticality=false
    ExtendedKeyUsages [
      serverAuth
      clientAuth
    ]

    #3: ObjectId: 2.5.29.15 Criticality=false
    KeyUsage [
      DigitalSignature
      Key_Encipherment
      Key_Agreement
      Key_CertSign
    ]

    #4: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
    NetscapeCertType [
       SSL server
    ]

    #5: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: C4 F3 1A 9E 7B 1B 14 4F 51 9E A4 88 33 07 7A AC  ...OQ...3.z.
    0010: 75 37 36 D4                                        u76.
    ]
    ]

    Trust this certificate? [no]:  yes
    Certificate was added to keystore

Step 11  Upload the pxGrid client public certificate (self1.cer) to the ISE trusted certificate store.
Select Administration->System->Certificates->Trusted Certificates and upload self1.cer from the pxGrid client.
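An added check, written for this page rather than taken from the Cisco document or the pxGrid SDK: before answering "yes" to keytool's "Trust this certificate?" prompt in steps 8 and 10, compare the fingerprint keytool prints for isemnt.der with the fingerprint the ISE admin GUI shows for the ISE identity certificate. The Python below (standard library only) performs the .pem-to-.der conversion of step 7 and formats keytool-style fingerprints; SAMPLE_PEM is a constructed stand-in whose body decodes to the bytes "abc", not a real certificate.

```python
import base64
import hashlib
import re

# Constructed stand-in for the .pem file exported from ISE in step 6.  A real
# export carries the DER certificate; this body is just the bytes "abc" so
# the digests below are the published SHA-1/SHA-256 test vectors.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Same result as `openssl x509 -outform der` in step 7: drop the PEM
    armour and base64-decode the first CERTIFICATE block."""
    match = _PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def fingerprint(der_bytes, algorithm="sha256"):
    """Digest of the DER encoding, formatted the way keytool prints it
    (upper-case hex pairs joined by colons)."""
    digest = hashlib.new(algorithm, der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_expected(der_bytes, expected, algorithm="sha256"):
    """Compare against a fingerprint copied from the ISE admin GUI or a
    keytool prompt; colons, spaces and letter case are ignored."""
    wanted = re.sub(r"[^0-9a-f]", "", expected.lower())
    return hashlib.new(algorithm, der_bytes).hexdigest() == wanted


def check_pem(pem_text, expected_sha256):
    """True only if the PEM decodes and its SHA256 fingerprint matches the
    value recorded for the ISE identity certificate."""
    return matches_expected(pem_to_der(pem_text), expected_sha256, "sha256")


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    for algo in ("sha1", "sha256"):
        print(f"{algo.upper()}: {fingerprint(der, algo)}")
```

Run it against the real isemnt.pem and reject the import if check_pem returns False for the fingerprint you recorded from ISE.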
Step 12  Copy the identity keystore (self1.jks) and the trust keystore (root1.jks) into the ../samples/bin/.. folder.

Testing the pxGrid Client and ISE pxGrid Node

The sample pxGrid scripts register.sh and session_download.sh are run to verify pxGrid client connectivity and pxGrid registration.

Step 1  Register the pxGrid client.

    ./register.sh -keystorefilename self1.jks -keystorepassword cisco123 -truststorefilename root1.jks -truststorepassword cisco123 -username pxgridclient -hostname 10.0.0.96 -group Session -description test1
    ------- properties -------
    version=1.0.0
    hostnames=10.0.0.96
    username=pxgridclient
    descriptipon=test1
    keystorefilename=self1.jks
    keystorepassword=cisco123
    truststorefilename=root1.jks
    truststorepassword=cisco123
    --------------------------
    registering...
    connecting...
    connected.
    done registering.
    connection closed
Step 2  Run the session download.

    ./session_download.sh -keystorefilename self1.jks -keystorepassword cisco123 -truststorefilename root1.jks -truststorepassword cisco123 -username pxgridclient -hostname 10.0.0.96
    ------- properties -------
    version=1.0.0
    hostnames=10.0.0.96
    username=pxgridclient
    keystorefilename=self1.jks
    keystorepassword=cisco123
    truststorefilename=root1.jks
    truststorepassword=cisco123
    filter=null
    start=null
    end=null
    --------------------------
    connecting...
    connected.
    starting at Wed Dec 10 11:16:04 PST 2014...
    session (ip=10.0.0.18, Audit Session Id=0A0000020000000B006E1086, User Name=jeppich, AD User DNS Domain=lab6.com, AD Host DNS Domain=null, AD User NetBIOS Name=LAB6, AD Host NETBIOS Name=null, Calling station id=00:0c:29:d1:8d:90, Session state= STARTED, Epsstatus=null, Security Group=null, Endpoint Profile=VMWare-Device, NAS IP=10.0.0.2, NAS Port=GigabitEthernet1/0/15, RADIUSAVPairs=[ Acct-Session-Id=00000002], Posture Status=null, Posture Timestamp=, Session Last Update Time=Wed Dec 10 08:27:59 PST 2014 )
    ... ending at: Wed Dec 10 11:16:04 PST 2014
    ---------------------------------------------------
    downloaded 1 sessions in 74 milliseconds
    ---------------------------------------------------
    connection closed

Viewing Keystore Entries

You can list the keystore entries to view the trusted certificate entries in the identity and trust keystores.

    keytool -list -v -keystore self1.jks
    Enter keystore password:

    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 2 entries

    Alias name: 1
    Creation date: Dec 10, 2014
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: O=Internet Widgits Pty Ltd, ST=Some-State, C=AU
    Issuer: O=Internet Widgits Pty Ltd, ST=Some-State, C=AU
    Serial number: e44965db7b264e4e
    Valid from: Wed Dec 10 10:18:47 PST 2014 until: Thu Dec 10 10:18:47 PST 2015
    Certificate fingerprints:
         MD5:  62:81:21:DF:44:DF:83:44:04:47:36:5B:B0:C0:8A:DD
         SHA1: B5:E6:6A:CE:B2:49:1E:35:46:E1:12:63:0A:73:DA:DD:F9:53:9F:6F
         SHA256: C4:62:A3:A3:F7:2F:C7:2E:26:0E:06:88:AE:09:18:E9:00:DC:05:3C:E4:1D:EC:50:7E:C5:99:1F:80:DC:AC:12
         Signature algorithm name: SHA1withRSA
         Version: 3

    Extensions:

    #1: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 35 04 62 FF 50 78 C2 1C 7E AD 57 6D 05 72 E1 46  5.b.Px...Wm.r.F
    0010: 20 6B 08 21                                        k.!
    ]
    [O=Internet Widgits Pty Ltd, ST=Some-State, C=AU]
    SerialNumber: [    e44965db 7b264e4e]
    ]

    #2: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
      CA:true
      PathLen:2147483647
    ]

    #3: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 35 04 62 FF 50 78 C2 1C 7E AD 57 6D 05 72 E1 46  5.b.Px...Wm.r.F
    0010: 20 6B 08 21                                        k.!
    ]
    ]

    *******************************************
    *******************************************

    Alias name: mnt1
    Creation date: Dec 10, 2014
    Entry type: trustedCertEntry

    Owner: CN=ise.lab6.com
    Issuer: CN=ise.lab6.com
    Serial number: 548502f500000000ec27e53c1dd64f46
    Valid from: Sun Dec 07 17:46:29 PST 2014 until: Mon Dec 07 17:46:29 PST 2015
    Certificate fingerprints:
         MD5:  04:7D:67:04:EC:D2:F5:BC:DC:79:4D:0A:FF:62:09:FD
         SHA1: 5A:7B:02:E4:07:A1:D2:0B:7D:A5:AE:83:27:3B:E7:33:33:30:1E:32
         SHA256: C4:21:6C:6F:5B:06:F3:2C:D7:26:35:CB:BE:2B:1B:FF:0E:EE:09:91:F6:B6:54:0C:6F:63:CB:43:1F:77:F2:37
         Signature algorithm name: SHA1withRSA
         Version: 3

    Extensions:

    #1: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
      CA:true
      PathLen:2147483647
    ]

    #2: ObjectId: 2.5.29.37 Criticality=false
    ExtendedKeyUsages [
      serverAuth
      clientAuth
    ]

    #3: ObjectId: 2.5.29.15 Criticality=false
    KeyUsage [
      DigitalSignature
      Key_Encipherment
      Key_Agreement
      Key_CertSign
    ]

    #4: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
    NetscapeCertType [
       SSL server
    ]

    #5: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: C4 F3 1A 9E 7B 1B 14 4F 51 9E A4 88 33 07 7A AC  ...OQ...3.z.
    0010: 75 37 36 D4                                        u76.
    ]
    ]

    keytool -list -v -keystore root1.jks
    Enter keystore password:

    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 1 entry

    Alias name: root1
    Creation date: Dec 10, 2014
    Entry type: trustedCertEntry

    Owner: CN=ise.lab6.com
    Issuer: CN=ise.lab6.com
    Serial number: 548502f500000000ec27e53c1dd64f46
    Valid from: Sun Dec 07 17:46:29 PST 2014 until: Mon Dec 07 17:46:29 PST 2015
    Certificate fingerprints:
         MD5:  04:7D:67:04:EC:D2:F5:BC:DC:79:4D:0A:FF:62:09:FD
         SHA1: 5A:7B:02:E4:07:A1:D2:0B:7D:A5:AE:83:27:3B:E7:33:33:30:1E:32
         SHA256: C4:21:6C:6F:5B:06:F3:2C:D7:26:35:CB:BE:2B:1B:FF:0E:EE:09:91:F6:B6:54:0C:6F:63:CB:43:1F:77:F2:37
         Signature algorithm name: SHA1withRSA
         Version: 3

    Extensions:

    #1: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
      CA:true
      PathLen:2147483647
    ]

    #2: ObjectId: 2.5.29.37 Criticality=false
    ExtendedKeyUsages [
      serverAuth
      clientAuth
    ]

    #3: ObjectId: 2.5.29.15 Criticality=false
    KeyUsage [
      DigitalSignature
      Key_Encipherment
      Key_Agreement
      Key_CertSign
    ]

    #4: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
    NetscapeCertType [
       SSL server
    ]

    #5: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: C4 F3 1A 9E 7B 1B 14 4F 51 9E A4 88 33 07 7A AC  ...OQ...3.z.
    0010: 75 37 36 D4                                        u76.
    ]
    ]

Troubleshooting

This section provides troubleshooting information.

Make sure the pxGrid client hostname and the ISE pxGrid node are resolvable through DNS, to avoid pxGrid scripting error messages.

If the trust store has been changed and an error message similar to the following appears, stop and restart the ISE application on the ISE VM.

    ./register.sh -keystorefilename self1.jks -keystorepassword cisco123 -truststorefilename root1.jks -truststorepassword cisco123 -username pxgridclient -hostname 10.0.0.96 -group Session -description test1
    ------- properties -------
    version=1.0.0
    hostnames=10.0.0.96
    username=pxgridclient
    descriptipon=test1
    keystorefilename=self1.jks
    keystorepassword=cisco123
    truststorefilename=root1.jks
    truststorepassword=cisco123
    --------------------------
    registering...
    connecting...
    javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
        at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1991)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1104)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1343)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1371)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1355)
        at org.jivesoftware.smack.XMPPConnection.proceedTLSReceived(XMPPConnection.java:806)
        at org.jivesoftware.smack.PacketReader.parsePackets(PacketReader.java:267)
        at org.jivesoftware.smack.PacketReader.access$000(PacketReader.java:43)
        at org.jivesoftware.smack.PacketReader$1.run(PacketReader.java:70)
    Exception in thread "main" com.cisco.pxgrid.GCLException: SASL authentication failed:
        at com.cisco.pxgrid.GridConnection.connect(GridConnection.java:197)
        at com.cisco.pxgrid.samples.ise.Register.main(Register.java:99)
    Caused by: SASL authentication failed:
        at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:281)
        at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:206)
        at com.cisco.pxgrid.Configuration.connect(Configuration.java:194)
        at com.cisco.pxgrid.GridConnection.connect(GridConnection.java:134)
        ... 1 more

Restart the ISE services:

    application stop ise
    application start ise