apps ssl
Use the apps ssl command to configure Secure Sockets Layer (SSL) parameters for Passive SSL decryption.
The apps ssl command has the following syntax:
apps ssl
    key alias <alias>
        comment <comment>
        download type
            pkcs12 <url <download URL>> [password <password>]
            private-key <key-str <key string> | url <download URL>>
    keychain password <password> <confirm password> | <password> | [reset] <password> <confirm password>
    service alias <alias>
        default-service
        server-ip <IP address> [server-port <port number> | any]
You must have an admin-level role to execute these commands.
The following describes the arguments for the apps ssl command:

key alias <alias> comment <comment>
    Adds a comment to an existing SSL private key. Comments can be up to 128 characters. Comments longer than one word must be enclosed in double quotation marks. For example:
    (config) # apps ssl key alias key1 comment "This is a comment"

key alias <alias> download type pkcs12 <url <download URL>> [password <password>]
key alias <alias> download type private-key <key-str <key string> | url <download URL>>
    Downloads an SSL key of one of two types: pkcs12, a PKCS12 container fetched from url <download URL>, with the container password given by the optional password <password>; or private-key, a private key supplied either inline as key-str <key string> or fetched from url <download URL>. Examples:
    (config) # apps ssl key alias key1 download type private-key url https://keyserver.domain.com/path/keyfile.pem
    (config) # apps ssl key alias key2 download type pkcs12 url sftp://test:mytest@10.10.10.10/home/test/ssldecrypt/keys/srv1k.pfx
    (config) # apps ssl key alias key3 download type private-key key-str "-----BEGIN RSA PRIVATE KEY----- ...-----END RSA PRIVATE KEY-----"
    The download URL specifies an SSL private key or a PKCS12 container. The supported download protocols are HTTP, HTTPS, FTP, TFTP, SCP, and SFTP. Using a secure protocol, such as HTTPS, is recommended. The maximum number of keys is 4000 on GigaVUE-HC2. The maximums are per chassis. With PKCS12, the key is converted to PEM format, the certificate is verified, and the key is then added to the keychain. Once the key has been added to the keychain in PEM format, no further checks are performed to verify whether it has expired. For more information on keys, refer to the "GigaSMART SSL Decryption for Out-of-Band Tools" section in the GigaVUE Fabric Management Guide.

keychain password <password> <confirm password>
    Creates an SSL keychain password. Use this command when no keys have been installed on the node, for example:
    (config) # apps ssl keychain password
    Creating a new password for ssl keychain:
    Password: *********
    Confirm: *********
    The password is used to encrypt all private keys uploaded to the node. Only strong passwords can be configured. A strong password has at least 10 characters and at least three of the following:
    Note: The password is not saved on the node.

keychain password <password>
    Prompts for the SSL keychain password. When keys are installed on the node, you are prompted to verify the password after any node reboot when you enter configure terminal mode, for example:
    (config)# configure terminal
    (config) # apps ssl keychain password required
    Please enter ssl keychain password:
    Password: *********

keychain password [reset] <password> <confirm password>
    Resets the SSL keychain password. When keys are installed on the node, a warning is displayed. Note: Resetting the password revokes all existing private keys. For example:
    (config) # apps ssl keychain password reset
    WARNING: Password is already set. Reset password will revoke all existing private keys.
    Password: *********
    Confirm: *********

service alias <alias> default-service
    Specifies a default SSL service. The default service matches any IP address mapped to a valid key. Note: Only one default service can be defined. For example:
    (config) # apps ssl service service1 default-service
    Refer to gsparams for information on mapping the default service to a private key.

service alias <alias> server-ip <IP address> [server-port <port number> | any]
    Adds a server IP address to a specified service and, optionally, a server port number. For example:
    (config) # apps ssl service service1 server-ip 1.1.1.1 server-port 443
    A server port of any means any port: the key applies to the whole IP address, not just to a specified port. For example:
    (config) # apps ssl service service1 server-ip 1.1.1.1 server-port any
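As an added example that is not part of this reference and not Gigamon's code, the following POSIX shell function checks a PKCS12 container before it is uploaded with download type pkcs12: it splits the container into certificate and key the way the node does, confirms the private key belongs to the certificate, and checks that the certificate stays valid for a minimum number of days. It assumes the openssl command-line tool is installed; the function name, file names and the MIN_DAYS parameter are the example's own.

```shell
#!/bin/sh
# Added example, not Gigamon code. Assumes the openssl CLI is installed.
# The node verifies the certificate once at upload time and never re-checks
# expiry after the key is in the keychain, so check here before uploading.
#
# check_pkcs12 FILE PASSWORD [MIN_DAYS]
#   returns 0  certificate valid for at least MIN_DAYS (default 30) and key matches it
#   returns 1  certificate expires within MIN_DAYS (or has already expired)
#   returns 2  container unreadable (bad password/format) or key/certificate mismatch
check_pkcs12() {
  pfx=$1; pass=$2; min_days=${3:-30}
  tmp=$(mktemp -d) || return 2
  # Split the container into PEM certificate and PEM key, as the node does.
  if ! openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nokeys -clcerts -out "$tmp/cert.pem" 2>/dev/null ||
     ! openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes -out "$tmp/key.pem" 2>/dev/null; then
    rm -rf "$tmp"; return 2
  fi
  # The key must belong to the certificate: both public keys (SPKI PEM) must be identical.
  if ! openssl x509 -in "$tmp/cert.pem" -pubkey -noout > "$tmp/cert.pub" 2>/dev/null ||
     ! openssl pkey -in "$tmp/key.pem" -pubout > "$tmp/key.pub" 2>/dev/null ||
     ! cmp -s "$tmp/cert.pub" "$tmp/key.pub"; then
    rm -rf "$tmp"; return 2
  fi
  # -checkend N succeeds only if the certificate is still valid N seconds from now.
  openssl x509 -in "$tmp/cert.pem" -noout -checkend "$((min_days * 86400))" >/dev/null 2>&1
  rc=$?
  rm -rf "$tmp"
  [ "$rc" -eq 0 ] && return 0
  return 1
}
```

Because the node performs no expiry check once a key is in the keychain, the same check belongs in a scheduled job run against the key material kept offline for each loaded alias.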
Related Commands
The following table summarizes other commands related to the apps ssl command:

Task | Command
Displays a specified SSL private key. | # show apps ssl key alias key1
Displays all SSL keys. | # show apps ssl key all
Displays a specified SSL service. | # show apps ssl service alias service1
Displays all SSL services. | # show apps ssl service all
Displays SSL service statistics. | # show apps ssl service stats
Displays specified SSL service statistics. | # show apps ssl service stats alias service1
Displays all SSL service statistics. | # show apps ssl service stats all
Displays statistics associated with the passive SSL decryption GigaSMART group. For descriptions of the session statistics, refer to the "Flow Ops Report Statistics for Passive SSL Decryption" topic in the GigaVUE-FM User's Guide. | # show gsgroup flow-ops-report alias gsg1 type ssl-decryption any
Matches the specified hostname and displays the corresponding session details. | # show gsgroup flow-ops-report alias gsg1 type ssl-decryption match hostname www.xxxxx.com
Uploads the flow ops report file to the specified remote server. Specify the remote server path and password to access the server. | # show gsgroup flow-ops-report alias gsg1 type ssl-decryption any upload scp://username@10.22.0.79:/path/foldername
Displays GSOP for Passive SSL decryption. | # show gsop by-application ssl-decrypt
Displays GSOP statistics for Passive SSL decryption. | # show gsop stats by-application ssl-decrypt
Deletes a specified SSL private key. | (config) # no apps ssl key alias key1
Deletes the comment associated with a specified SSL private key. | (config) # no apps ssl key alias key1 comment
Deletes all SSL keys. | (config) # no apps ssl key all
Deletes a specified SSL service. | (config) # no apps ssl service alias service1
Deletes all SSL services. | (config) # no apps ssl service all