na_secureadmin - command for secure administration of the
appliance.
secureadmin command argument ...
This command can be used to configure SSL (Secure Sockets
Layer) and SSH (Secure Shell), which are used to provide a
secure channel for administering a filer or a NetCache
appliance in a nontrusted environment.
SSL provides an encrypted administrative exchange between
a filer or a NetCache appliance and a client browser.
SSH provides an encrypted administrative exchange between
a filer or a NetCache appliance and an SSH 2.0-compliant
client.
secureadmin setup [ -f ] ssh
configures the SSH server. The administrator specifies
the key strength for the RSA host and server
keys. The keys can range in strength from 384 to
2048 bits. The strength of the host key and the
server key must differ by at least 128 bits. It
does not matter which key is of higher strength.
The -f flag forces setup to run even if the SSH
server has already been configured.
secureadmin setup [ -f ] [ -q ] ssl
configures the SSL server. The administrator needs
to specify the distinguished name (DN) for the
appliance.
The process generates a Certificate Signing Request
(CSR) and a temporary self-signed certificate. The
CSR, located in /etc/keymgr/csr/secureadmin_tmp.pem,
can optionally be submitted to a Certificate
Authority (CA) for signing. The self-signed
certificate allows the SSL server to work
without submitting the CSR to a CA. However, the
browser may issue a security warning that the
appliance's identity cannot be verified. In the US,
the administrator can specify a key strength of
512, 1024, 1536, or 2048. Otherwise it is set to
512.
The -f flag forces setup to run even if the SSL
server has already been configured.
The -q flag is the non-interactive mode for setting up
SSL. The format for this command looks like
"secureadmin setup -q ssl domestic<t/f> country
state locality org unit fqdn email [keylen] [days
until expires]"
secureadmin addcert ssl [ path to CA-signed cert ]
installs a Certificate Authority-signed certificate
to the SSL server. The installed certificate
allows the browser to verify the identity of the
appliance.
The default path of /etc/keymgr/csr/secureadmin.pem
is assumed if a path is not specified.
secureadmin enable ssh | ssh1 | ssh2 | ssl | all
starts either SSH, SSL or both servers. The effect
is persistent. Use `ssh1' to enable only SSH1.x
protocol. Use `ssh' or `ssh2' for enabling only
SSH2.0 protocol.
secureadmin disable ssh | ssh1 | ssh2 | ssl | all
stops either SSH, SSL or both servers. The effect
is persistent. Use `ssh1' to disable only SSH1.x
protocol. Use `ssh' or `ssh2' for disabling only
SSH2.0 protocol.
secureadmin status
shows the current status of SSH and SSL servers.
This command can be used on vfilers to configure SSH to
provide a secure channel for administering a vfiler hosted
on a physical filer. Any SSH command listed above works
the same on a vfiler, but only a non-interactive SSH
shell is available for vfilers. SSL is not supported on
vfilers; any SSL command fails and returns an error.
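The key-strength rules for "secureadmin setup ssh" and the positional format of "secureadmin setup -q ssl" described above can be checked on the admin host before anything is typed at the appliance. The following shell functions are an added example, not part of the original manual page: the function names and sample values are hypothetical, and the code assumes that domestic<t/f> is a single t or f argument with f meaning the non-US case.

```shell
#!/bin/sh
# Added example: preflight checks for secureadmin arguments (builds strings only).

# is_posint VALUE: succeeds when VALUE is digits only, with no leading zero.
is_posint() { case $1 in ''|0*|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# check_ssh_keys HOST_BITS SERVER_BITS
# Page rules: each RSA key is 384-2048 bits and the two differ by >= 128 bits.
check_ssh_keys() {
    for sk_bits in "$1" "$2"; do
        is_posint "$sk_bits" || { echo "not a number: $sk_bits"; return 1; }
        if [ "$sk_bits" -lt 384 ] || [ "$sk_bits" -gt 2048 ]; then
            echo "outside 384-2048: $sk_bits"; return 1
        fi
    done
    sk_diff=$(( $1 - $2 ))
    if [ "$sk_diff" -lt 0 ]; then sk_diff=$(( 0 - sk_diff )); fi
    if [ "$sk_diff" -lt 128 ]; then
        echo "keys differ by only $sk_diff bits"; return 1
    fi
    echo "ok"
}

# build_ssl_setup DOMESTIC COUNTRY STATE LOCALITY ORG UNIT FQDN EMAIL [KEYLEN] [DAYS]
# Prints the non-interactive command line, fields in the order the page gives.
build_ssl_setup() {
    if [ "$#" -lt 8 ] || [ "$#" -gt 10 ]; then
        echo "expected 8 to 10 fields, got $#"; return 1
    fi
    # Assumption: domestic<t/f> is a single literal t or f.
    case $1 in t|f) ;; *) echo "domestic must be t or f"; return 1 ;; esac
    for bs_arg in "$@"; do
        # Fields are positional: an empty or space-containing value would shift
        # every later field, so refuse it instead of guessing at quoting rules.
        case $bs_arg in ''|*' '*) echo "bad field: '$bs_arg'"; return 1 ;; esac
    done
    if [ "$#" -ge 9 ]; then
        case $9 in 512|1024|1536|2048) ;; *) echo "bad keylen: $9"; return 1 ;; esac
        # Assumption: domestic=f is the non-US case, where the page says 512 is used.
        if [ "$1" = f ] && [ "$9" != 512 ]; then
            echo "keylen $9 requires domestic=t"; return 1
        fi
    fi
    if [ "$#" -eq 10 ]; then
        is_posint "${10}" || { echo "bad days: ${10}"; return 1; }
    fi
    echo "secureadmin setup -q ssl $*"
}
```

Of the RSA strengths the page lists, only 2048 bits meets current minimum-strength guidance, so a site wrapper may want to reject the smaller values outright.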