
Manual Pages



NAME

na_secureadmin - command for secure administration of the appliance.

SYNOPSIS

secureadmin command argument ...

DESCRIPTION

This command can be used to configure SSL (Secure Sockets Layer) and SSH (Secure Shell), which are used to provide a secure channel for administering a filer or a NetCache appliance in a nontrusted environment.

SSL provides an encrypted administrative exchange between a filer or a NetCache appliance and a client browser.

SSH provides an encrypted administrative exchange between a filer or a NetCache appliance and an SSH 2.0-compliant client.

USAGE

secureadmin setup [ -f ] ssh
configures the SSH server. The administrator specifies the key strength for the RSA host and server keys. The keys can range in strength from 384 to 2048 bits. The strength of the host key and the server key must differ by at least 128 bits. It does not matter which key is of higher strength.

The -f flag forces setup to run even if the SSH server has already been configured.

secureadmin setup [ -f ] [ -q ] ssl
configures the SSL server. The administrator needs to specify the distinguished name (DN) for the appliance.

The process generates a Certificate Signing Request (CSR) and a temporary self-signed certificate. The CSR, located in /etc/keymgr/csr/secureadmin_tmp.pem, can optionally be submitted to a Certificate Authority (CA) for signing. The self-signed certificate allows the SSL server to work without submitting the CSR to a CA. However, the browser may issue a security warning that the appliance's identity cannot be verified. In the US, the administrator can specify a key strength of 512, 1024, 1536, or 2048. Otherwise it is set to 512.

The -f flag forces setup to run even if the SSL server has already been configured.

The -q flag selects the non-interactive mode for setting up SSL. The format for this command is:

secureadmin setup -q ssl domestic<t/f> country state locality org unit fqdn email [keylen] [days until expires]

secureadmin addcert ssl [ path to CA-signed cert ]
installs a Certificate Authority-signed certificate to the SSL server. The installed certificate allows the browser to verify the identity of the appliance.

The default path of /etc/keymgr/csr/secureadmin.pem is assumed if a path is not specified.

secureadmin enable ssh | ssh1 | ssh2 | ssl | all
starts either SSH, SSL or both servers. The effect is persistent. Use `ssh1' to enable only SSH1.x protocol. Use `ssh' or `ssh2' for enabling only SSH2.0 protocol.

secureadmin disable ssh | ssh1 | ssh2 | ssl | all
stops either SSH, SSL or both servers. The effect is persistent. Use `ssh1' to disable only SSH1.x protocol. Use `ssh' or `ssh2' for disabling only SSH2.0 protocol.

secureadmin status
shows the current status of SSH and SSL servers.
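
The key-size rules of the setup ssh entry and the argument order of setup -q ssl, written as a pre-flight check to run on the administrator's workstation before the command is sent to the appliance. This is an added example, not part of the appliance software: the function names, the 2048-bit policy floor, and the reading of domestic<t/f> as a literal t or f argument are assumptions, and the sample values are constructed.

```python
SSL_KEYLENS = (512, 1024, 1536, 2048)  # key strengths listed on this page
POLICY_MIN_BITS = 2048                 # assumption: local policy floor, not from this page


def check_ssh_key_bits(host_bits, server_bits):
    """Return violations of the key rules stated for 'secureadmin setup ssh'."""
    errors = []
    for name, bits in (("host", host_bits), ("server", server_bits)):
        if not 384 <= bits <= 2048:
            errors.append(f"{name} key: {bits} is outside 384-2048 bits")
    if abs(host_bits - server_bits) < 128:
        errors.append("host and server keys differ by less than 128 bits")
    return errors


def build_ssl_setup(domestic, country, state, locality, org, unit, fqdn,
                    email, keylen=None, days=None):
    """Return (argv, warnings) for 'secureadmin setup -q ssl'; raise on bad input."""
    fields = [country, state, locality, org, unit, fqdn, email]
    if any(not f or f != f.strip() for f in fields):
        raise ValueError("DN fields must be non-empty, without surrounding whitespace")
    if days is not None and keylen is None:
        raise ValueError("keylen is positional and must be given before days")
    if keylen is not None and keylen not in SSL_KEYLENS:
        raise ValueError(f"keylen must be one of {SSL_KEYLENS}")
    if days is not None and days <= 0:
        raise ValueError("days until expiry must be positive")
    warnings = []
    if not domestic:
        warnings.append("non-domestic setup: this page says the strength is set to 512")
    elif keylen is None:
        warnings.append("keylen omitted: pass it explicitly instead of relying on a default")
    elif keylen < POLICY_MIN_BITS:
        warnings.append(f"keylen {keylen} is below the policy floor of {POLICY_MIN_BITS}")
    # Assumption: domestic<t/f> is passed as the single letter t or f.
    argv = ["secureadmin", "setup", "-q", "ssl", "t" if domestic else "f", *fields]
    argv += [str(v) for v in (keylen, days) if v is not None]
    return argv, warnings


if __name__ == "__main__":
    print(check_ssh_key_bits(1024, 1024))  # constructed sample: equal sizes
    argv, notes = build_ssl_setup(True, "US", "CA", "Sunnyvale", "Example", "IT",
                                  "filer1.example.com", "admin@example.com", 1024, 365)
    print(argv, notes)
```

The argument list is returned unquoted; any quoting needed for fields that contain spaces depends on how the command reaches the appliance.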

VFILER CONSIDERATIONS

This command can be used on vfilers to configure SSH to provide a secure channel for administering a vfiler hosted on a physical filer. Any SSH command listed above works the same on a vfiler, but only a non-interactive SSH shell is available for vfilers. SSL is not supported on vfilers: any SSL command fails and returns an error.

