Exchanging public keys – Brocade Communications Systems ServerIron ADX 12.4.00 User Manual



ServerIron ADX Global Server Load Balancing Guide, 53-1002437-01, page 60
Secure GSLB (chapter 1)

ServerIron(config)#wr mem
.Write startup-config in progress.
..Write startup-config done.
ServerIron(config)#Saving SSH host keys process is ongoing. Please wait
.................................................................................
......Writing SSH host keys is done!
SLB-Ctrl-ServerIronADX(config)#^Z
SLB-Ctrl-ServerIronADX#reload

A write mem followed by a reload is required. Next, enter the crypto key generate rsa command on
the site ServerIron ADX and reload.

Notice the public key is cleartext whereas the private key is not.

NOTE

The crypto RSA component calls the same key functions as SSH. Similar to the SSH implementation,
the public and private keys for each ServerIron ADX are stored in its E2PROM. The private key cannot
be seen or displayed using any CLI commands or any other user interface. Not even an administrator
can gain access to the private key.

Exchanging public keys

Each ServerIron ADX must exchange public keys with each peer ServerIron ADX it needs to
communicate with. This exchange allows the peers to authenticate before the GSLB
communication starts.

The ServerIron ADX uses an out-of-band channel to deliver the fingerprint of the public key, which
ensures the key comes from a trusted authority. To exchange public keys, the network
administrator needs to telephone the peer site administrator to read out the fingerprint of the
public key and verbally verify the keys match. SHA-1 is the algorithm used to generate the
fingerprint.

The public key exchange sequence is illustrated below with an example. In the example, Bob (the
site ServerIron ADX) and David (the controller ServerIron ADX) are two network administrators who
want to exchange the public keys. For security reasons, we recommend that both administrators be
locally logged into the console ports (not telnetted in) during this procedure.

1. (Optional) Both Bob and David issue the gslb auth-encrypt-communication peer-pub-key-expire
<timeout> command before exchanging keys using crypto key-exchange passive. If the keys
were exchanged first, a one-time usage would not take effect until the next exchange. Refer to
“Selecting a peer public key management option” on page 62 for more options. If you do not
set a peer-pub-key-expire, the default value is 180 seconds.

SLB-Site-ServerIronADX(config)# gslb auth-encrypt-communication peer-pub-key-expire one-time

2. Bob enables a key exchange connection with the following command.

SLB-Site-ServerIronADX(config)#crypto key-exchange passive
Enter Control-c to abort if connection does not complete.
Wait for connection from peer(enter 'y' or 'n'): y
Waiting ....

The command syntax is crypto key-exchange passive [<decimal>]. The <decimal> parameter
specifies the TCP port used for the key exchange communication. If you use <decimal>, the
value configured on both the sending side and receiving side must match.
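The out-of-band fingerprint check described above (SHA-1 fingerprint read out by phone, then compared with the key that arrived in band), together with a time-bounded peer key store modelled on the peer-pub-key-expire default of 180 seconds, as an added Python example that is not Brocade's code. The key bytes are a constructed stand-in: the page does not document how the ServerIron ADX encodes the public key before fingerprinting, so PEER_PUBLIC_KEY, PeerKeyStore and the expiry model are assumptions.

```python
import hashlib
import hmac

# Constructed stand-in for the peer public key as received during crypto key-exchange.
# The device's real key encoding is not documented on this page (assumption).
PEER_PUBLIC_KEY = b"ssh-rsa constructed-test-key-material-for-site-adx"

# Page default: a peer public key is kept for 180 seconds unless configured otherwise.
DEFAULT_EXPIRE_SECONDS = 180


def fingerprint(public_key: bytes) -> str:
    """SHA-1 fingerprint as colon-separated hex, the form an administrator reads out."""
    digest = hashlib.sha1(public_key).digest()
    return ":".join(f"{b:02x}" for b in digest)


def normalize(spoken: str) -> str:
    """Canonicalise a fingerprint transcribed from a phone call (case, separators, spaces)."""
    return "".join(ch for ch in spoken.lower() if ch in "0123456789abcdef")


def fingerprints_match(received_key: bytes, spoken_fingerprint: str) -> bool:
    """Compare the fingerprint of the in-band key with the out-of-band value.

    hmac.compare_digest avoids leaking how many leading characters matched."""
    return hmac.compare_digest(normalize(fingerprint(received_key)), normalize(spoken_fingerprint))


class PeerKeyStore:
    """Accept a peer key only after its fingerprint is confirmed out of band, and drop it
    after the configured expiry (assumed model of peer-pub-key-expire <timeout>)."""

    def __init__(self, expire_seconds: int = DEFAULT_EXPIRE_SECONDS):
        self.expire_seconds = expire_seconds
        self._keys = {}  # peer name -> (key bytes, time accepted)

    def accept(self, peer: str, received_key: bytes, spoken_fingerprint: str, now: float) -> bool:
        if not fingerprints_match(received_key, spoken_fingerprint):
            return False  # the key that arrived in band is not the one the peer admin holds
        self._keys[peer] = (received_key, now)
        return True

    def lookup(self, peer: str, now: float):
        entry = self._keys.get(peer)
        if entry is None or now - entry[1] > self.expire_seconds:
            self._keys.pop(peer, None)  # expired or never accepted
            return None
        return entry[0]
```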
