Manual Pages


Table of Contents

NAME

na_secureadmin - Command for secure administration of the appliance

SYNOPSIS

secureadmin command argument ...

DESCRIPTION

This command can be used to configure SSL (Secure Sockets Layer) and SSH (Secure Shell), which are used to provide a secure channel for administering a node or a NetCache appliance in a nontrusted environment.

SSL provides an encrypted administrative exchange between a node or a NetCache appliance and a client browser.

SSH provides an encrypted administrative exchange between a node or a NetCache appliance and an SSH 2.0-compliant client.

USAGE

secureadmin setup [ -f ] ssh
configures the SSH server. The administrator specifies the key strength for the RSA host and server keys. The keys can range in strength from 384 to 2048 bits. The strength of the host key and the server key must differ by at least 128 bits. It does not matter which key is of higher strength.

The -f flag forces setup to run even if the SSH server has already been configured.

secureadmin setup [ -f ] [ -q ] ssl
configures the SSL server. The administrator needs to specify the distinguished name (DN) for the appliance.

The process generates a Certificate Signing Request (CSR) and a temporary self-signed certificate. The CSR, located in /etc/keymgr/csr/secureadmin_tmp.pem, can optionally be submitted to a Certificate Authority (CA) for signing. The self-signed certificate allows the SSL server to work without submitting the CSR to a CA. However, the browser may issue a security warning that the appliance's identity cannot be verified. In the US, the administrator can specify the key strengths of 512, 1024, 1536, or 2048. Otherwise it is set to 512.

The -f flag forces setup to run even if the SSL server has already been configured.

The -q flag is the non-interactive mode for setting up SSL. The format for this command is "secureadmin setup -q ssl domestic<t/f> country state locality org unit fqdn email [keylen] [days until expires]".
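
The limits stated above for secureadmin setup ssh (384 to 2048 bits, at least 128 bits apart) and for the -q SSL form can be checked on the admin host before a command is sent to the appliance. The script below is an added example, not part of the original manual or the vendor's code; the function names, the MIN_SSL_KEYLEN policy floor, the character allowlist, and the reading of domestic<t/f> as one argument with the value t or f are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks for secureadmin setup parameters.
# Function names and MIN_SSL_KEYLEN are hypothetical; limits come from the man page.
MIN_SSL_KEYLEN=${MIN_SSL_KEYLEN:-2048}   # local policy floor (assumption)

# check_ssh_keys HOST_BITS SERVER_BITS
# Each key must be 384..2048 bits and the two must differ by >= 128 bits.
check_ssh_keys() {
    for bits in "$1" "$2"; do
        case $bits in
            ''|0*|*[!0-9]*) echo "not a plain number: '$bits'" >&2; return 1 ;;
        esac
        if [ "$bits" -lt 384 ] || [ "$bits" -gt 2048 ]; then
            echo "key size $bits is outside 384-2048" >&2; return 1
        fi
    done
    diff=$(( $1 - $2 ))
    if [ "$diff" -lt 0 ]; then diff=$(( 0 - diff )); fi
    if [ "$diff" -lt 128 ]; then
        echo "host and server keys differ by only $diff bits" >&2; return 1
    fi
}

# build_ssl_quiet DOMESTIC COUNTRY STATE LOCALITY ORG UNIT FQDN EMAIL KEYLEN [DAYS]
# Prints the -q command line on success. KEYLEN is required here so the
# resulting key size never depends on a default.
build_ssl_quiet() {
    if [ $# -lt 9 ] || [ $# -gt 10 ]; then
        echo "expected 9 or 10 arguments, got $#" >&2; return 1
    fi
    case $1 in
        t) ;;
        f) echo "non-domestic setup is fixed at 512-bit keys" >&2; return 1 ;;
        *) echo "domestic must be t or f" >&2; return 1 ;;
    esac
    case $9 in
        512|1024|1536|2048) ;;
        *) echo "keylen must be 512, 1024, 1536 or 2048" >&2; return 1 ;;
    esac
    if [ "$9" -lt "$MIN_SSL_KEYLEN" ]; then
        echo "keylen $9 is below policy minimum $MIN_SSL_KEYLEN" >&2; return 1
    fi
    for field in "$@"; do   # allowlist keeps spaces and shell metacharacters out
        case $field in
            ''|*[!A-Za-z0-9@._-]*) echo "rejected field: '$field'" >&2; return 1 ;;
        esac
    done
    echo "secureadmin setup -q ssl $*"
}
```

Both functions return non-zero and write the reason to stderr when a rule is violated, so they can gate a provisioning script.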

secureadmin addcert ssl [ path to CA-signed cert ]
installs a Certificate Authority-signed certificate to the SSL server. The installed certificate allows the browser to verify the identity of the appliance.

The default path of /etc/keymgr/csr/secureadmin.pem is assumed if a path is not specified.

secureadmin enable ssh | ssh1 | ssh2 | ssl | all
starts either SSH, SSL, or both servers. The effect is persistent. Use `ssh1' to enable only the SSH1.x protocol. Use `ssh' or `ssh2' to enable only the SSH2.0 protocol.

secureadmin disable ssh | ssh1 | ssh2 | ssl | all
stops either SSH, SSL, or both servers. The effect is persistent. Use `ssh1' to disable only the SSH1.x protocol. Use `ssh' or `ssh2' to disable only the SSH2.0 protocol.

secureadmin status
shows the current status of SSH and SSL servers.

VFILER CONSIDERATIONS

This command is used to configure SSH on the vFiler units to provide a secure channel for administration. Both interactive SSH and non-interactive SSH are available for vFiler units. All SSH commands listed above can be executed through the secure channel on a vFiler unit. Note: SSL is not supported on vFiler units. SSL commands cannot be executed.
