apps ssl

Use the apps ssl command to configure Secure Sockets Layer (SSL) parameters for Passive SSL decryption.

The apps ssl command has the following syntax:

apps ssl key alias <alias>
      comment <comment>
      download type
         pkcs12 <url <download URL>> [password <password>]
         private-key <key-str <key string> | url <download URL>>
   keychain password <password> <confirm password> | <password> | [reset] <password> <confirm password>
   service alias <alias>
      default-service
      server-ip <IP address> [server-port <port number> | any]

You must have an admin level role to execute these commands.

The following table describes the arguments for the apps ssl command:

Argument

Description

key alias <alias>
   comment <comment>

Adds a comment to an existing SSL private key. Comments can be up to 128 characters. Comments longer than one word must be enclosed in double quotation marks. For example:

(config) # apps ssl key alias key1 comment "This is a comment"

key alias <alias>
   download type
      pkcs12 <url <download URL>> [password <password>]
      private-key <key-str <key string> | url <download URL>>

Downloads SSL key types as follows:

pkcs12—Specifies a PKCS12 file containing the private key and the certificate.
private-key—Specifies a private key.

The parameters are as follows:

url—Specifies the download URL for either PKCS12 or private key.
password—Specifies an optional password for PKCS12. If a password is not specified after the password keyword, you will be prompted for it.
key-str—Specifies the SSL key PEM file by providing a key string for a private key. Enclose the key string in double quotation marks.

Examples:

(config) # apps ssl key alias key1 download type private-key url https://keyserver.domain.com/path/keyfile.pem

(config) # apps ssl key alias key2 download type pkcs12 url sftp://test:mytest@10.10.10.10/home/test/ssldecrypt/keys/srv1k.pfx

(config) # apps ssl key alias key3 download type private-key key-str "-----BEGIN RSA PRIVATE KEY----- ...-----END RSA PRIVATE KEY-----"

The download URL specifies an SSL private key or PKCS12 container. The supported protocols for download are HTTP, HTTPS, FTP, TFTP, SCP, and SFTP. Using a secure protocol, such as HTTPS, is recommended.

The maximum number of keys is 4000 on GigaVUE-HC2. The maximums are per chassis.

With PKCS12, the key will be converted to PEM format, the certificate will be verified, then the key will be added to the keychain. Once the key is added in PEM format to the keychain, no checks will be performed to verify if it has expired.

For more information on keys, refer to the “GigaSMART SSL Decryption for Out-of-Band Tools” section in the GigaVUE Fabric Management Guide.
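The download URL is the one place in this command where private key material leaves the node's control, so it is worth screening before it is typed in. The following Python script is an added example, not part of the GigaVUE CLI or of this reference; it checks a candidate URL against the protocol list stated above, flags the cleartext protocols (HTTP, FTP, TFTP), and flags credentials embedded in the URL, which would otherwise end up in CLI history and logs. The sample URLs are constructed for the example.

```python
from urllib.parse import urlparse

# Protocols the apps ssl download command accepts, as listed in the reference.
SUPPORTED_SCHEMES = {"http", "https", "ftp", "tftp", "scp", "sftp"}
# The subset of those that protects the key in transit (assumption: the
# reference only says "a secure protocol, such as HTTPS").
SECURE_SCHEMES = {"https", "scp", "sftp"}


def check_download_url(url):
    """Return a list of findings for a key/PKCS12 download URL.

    An empty list means the URL is supported and raises no concern.
    """
    findings = []
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()

    if scheme not in SUPPORTED_SCHEMES:
        findings.append(f"unsupported scheme '{scheme or '(none)'}'")
        return findings  # nothing else to say about a URL the node will reject

    if scheme not in SECURE_SCHEMES:
        findings.append(f"scheme '{scheme}' transfers the private key in cleartext")

    if parsed.password is not None:
        findings.append("credentials embedded in URL will be recorded in CLI history and logs")

    if not parsed.hostname:
        findings.append("URL has no host")

    return findings


def review_urls(urls):
    """Map each URL to its findings; handy for reviewing a change ticket."""
    return {url: check_download_url(url) for url in urls}


if __name__ == "__main__":
    # Constructed sample URLs, not taken from any real deployment.
    samples = [
        "https://keyserver.example.com/keys/srv1.pem",
        "http://keyserver.example.com/keys/srv1.pem",
        "sftp://deploy:s3cret@10.0.0.5/keys/srv1.pfx",
        "gopher://keyserver.example.com/keys/srv1.pem",
    ]
    for url, findings in review_urls(samples).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{url}\n    {status}")
```

Run the script before pasting a URL into `apps ssl key alias ... download type`; a clean result means the URL uses a supported, encrypting protocol and carries no password in the URL itself.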

keychain password <password> <confirm password>

Creates an SSL keychain password. Use this command when no keys have been installed on the node, for example:

(config) # apps ssl keychain password

Creating a new password for ssl keychain:

Password: *********

Confirm: *********

The password is used to encrypt all private keys uploaded to the node.

Only strong passwords can be configured. A strong password has at least 10 characters and at least three of the following:

uppercase letters
lowercase letters
numbers
special characters

Note:  The password is not saved on the node.
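Because the node does not store the keychain password, and resetting it revokes every installed key, the password is usually generated and checked outside the node before it is ever typed in. The following Python functions are an added example, not part of the GigaVUE CLI or of this reference; they implement the strength rule stated above (at least 10 characters and at least three of the four character classes) and the confirm step. The reference does not define "special characters"; this example assumes ASCII punctuation.

```python
import string

MIN_LENGTH = 10        # stated in the reference
REQUIRED_CLASSES = 3   # "at least three of the following"


def character_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("uppercase letters")
        elif ch.islower():
            classes.add("lowercase letters")
        elif ch.isdigit():
            classes.add("numbers")
        elif ch in string.punctuation:  # assumption: "special" means ASCII punctuation
            classes.add("special characters")
    return classes


def password_findings(password):
    """Return the list of reasons the password would be rejected (empty if strong)."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"only {len(password)} characters; at least {MIN_LENGTH} required")
    classes = character_classes(password)
    if len(classes) < REQUIRED_CLASSES:
        missing = sorted({"uppercase letters", "lowercase letters", "numbers",
                          "special characters"} - classes)
        findings.append(f"only {len(classes)} character class(es); need {REQUIRED_CLASSES}, "
                        f"missing: {', '.join(missing)}")
    return findings


def is_strong_keychain_password(password):
    return not password_findings(password)


def validate_new_password(password, confirm):
    """Mirror the Password/Confirm prompt: both entries must match and be strong."""
    if password != confirm:
        return ["password and confirmation do not match"]
    return password_findings(password)


if __name__ == "__main__":
    # Constructed sample passwords for demonstration only.
    for candidate in ["abcdefghij", "Ab1!", "Abcdefghi1", "Tr0ub4dor&3!"]:
        verdict = password_findings(candidate) or ["strong"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

`validate_new_password` returns an empty list exactly when the node would accept the pair, so it can be wired into whatever vault or runbook step produces the password.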

keychain password <password>

Prompts for the SSL keychain password. When keys are installed on the node, you will be prompted to verify the password after any node reboot when you enter configure terminal mode, for example:

(config)# configure terminal

(config) # apps ssl keychain password required

Please enter ssl keychain password:

Password: *********

keychain password [reset] <password> <confirm password>

Resets an SSL keychain password. When keys are installed on the node, a warning is displayed.

Note:  Resetting the password revokes all existing private keys.

For example:

(config) # apps ssl keychain password reset

WARNING: Password is already set. Reset password will revoke all existing private keys.

Password: *********

Confirm: *********

service alias <alias>
   default-service

Specifies a default SSL service. The default service matches any IP address mapped to a valid key.

Note:  There can only be one default service defined.

For example:

(config) # apps ssl service service1 default-service

Refer to gsparams for information on mapping the default service to a private key.

service alias <alias>
   server-ip <IP address> [server-port <port number> | any]

Adds a server IP address to a specified service and optionally, adds a server port number.

For example:

(config) # apps ssl service service1 server-ip 1.1.1.1 server-port 443

A server port number of any means any port. The key applies to the whole IP address, not just to a specified port.

For example:

(config) # apps ssl service service1 server-ip 1.1.1.1 server-port any
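The service rules above decide which configured service a decrypted flow is attributed to: a specific server IP with a port, a server IP with `any` port (the whole address), or the single default service that catches everything else. The following Python model is an added example, not GigaVUE code, that makes those matching semantics concrete; it assumes the most specific rule wins (IP and port, then IP with `any`, then the default service), which the reference does not state explicitly. Mapping a service to a private key is done with gsparams and is outside this example.

```python
from ipaddress import ip_address

ANY_PORT = "any"


class SslServiceTable:
    """In-memory model of 'apps ssl service' rules (illustrative, not the node's code)."""

    def __init__(self):
        self.default_service = None       # at most one default service
        self.rules = {}                   # (ip, port or ANY_PORT) -> service alias

    def set_default(self, alias):
        if self.default_service is not None and self.default_service != alias:
            raise ValueError("there can only be one default service")
        self.default_service = alias

    def add_server(self, alias, server_ip, server_port=ANY_PORT):
        """Equivalent of: apps ssl service <alias> server-ip <ip> server-port <port>|any."""
        ip = ip_address(server_ip)        # normalises and validates the address
        if server_port != ANY_PORT:
            server_port = int(server_port)
            if not 0 < server_port < 65536:
                raise ValueError(f"invalid port {server_port}")
        self.rules[(ip, server_port)] = alias

    def match(self, dst_ip, dst_port):
        """Return the service alias that applies to a flow, or None if nothing matches."""
        ip = ip_address(dst_ip)
        # Assumed precedence: exact IP+port, then IP with 'any' port, then default.
        for key in ((ip, int(dst_port)), (ip, ANY_PORT)):
            if key in self.rules:
                return self.rules[key]
        return self.default_service


def build_sample_table():
    """Constructed configuration mirroring the CLI examples in this reference."""
    table = SslServiceTable()
    table.add_server("service1", "10.0.0.5", 443)      # one port on one server
    table.add_server("service2", "10.0.0.6", ANY_PORT) # whole address
    table.set_default("service3")                      # catch-all
    return table


if __name__ == "__main__":
    table = build_sample_table()
    for flow in [("10.0.0.5", 443), ("10.0.0.5", 8443), ("10.0.0.6", 25), ("10.0.0.7", 443)]:
        print(flow, "->", table.match(*flow))
```

Without a default service, `match` returns None for any address not covered by a rule, which is the case the reference describes when no default service has been defined.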

Related Commands

The following table summarizes other commands related to the apps ssl command:

Task

Command

Displays a specified SSL private key.

# show apps ssl key alias key1

Displays all SSL keys.

# show apps ssl key all

Displays a specified SSL service.

# show apps ssl service alias service1

Displays all SSL services.

# show apps ssl service all

Displays SSL service statistics.

# show apps ssl service stats

Displays specified SSL service statistics.

# show apps ssl service stats alias service1

Displays all SSL service statistics.

# show apps ssl service stats all

Displays statistics associated with the passive SSL decryption GigaSMART group. For descriptions of the session statistics, refer to the "Flow Ops Report Statistics for Passive SSL Decryption" topic in the GigaVUE-FM User's Guide.

# show gsgroup flow-ops-report alias gsg1 type ssl-decryption any

Matches the specified hostname and displays the corresponding session details.

# show gsgroup flow-ops-report alias gsg1 type ssl-decryption match hostname www.xxxxx.com

Uploads the flow ops report file to the specified remote server. Specify the remote server path and password to access the server.

# show gsgroup flow-ops-report alias gsg1 type ssl-decryption any upload scp://username@10.22.0.79:/path/foldername

Displays GSOP for Passive SSL decryption.

# show gsop by-application ssl-decrypt

Displays GSOP statistics for Passive SSL decryption.

# show gsop stats by-application ssl-decrypt

Deletes a specified SSL private key.

(config) # no apps ssl key alias key1

Deletes a comment associated with a specified SSL private key.

(config) # no apps ssl key alias key1 comment

Deletes all SSL keys.

(config) # no apps ssl key all

Deletes a specified SSL service.

(config) # no apps ssl service alias service1

Deletes all SSL services.

(config) # no apps ssl service all