Factory Application Certificates and Keys Products: SB700EX, SB70LC

Similar documents
Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213

Encrypted Connections

Displaying SSL Certificate and Key Pair Information

Configuring SSL Termination

SECURITY IN ELECTRONIC COMMERCE MULTIPLE-CHOICE QUESTIONS

CS 772. Network Security: Concepts, Protocols and Programming Fall 2008 Final Exam Time 2 & 1/2 hours Open Book & Notes.

X.509 and SSL. A look into the complex world of X.509 and SSL UUASC 07/05/07. Phil Dibowitz

Displaying SSL Certificate and Key Pair Information

SSL Certificates in IPBrick

Certificate Policy and Certification Practice Statement CNRS/CNRS-Projets/Datagrid-fr

[SMO-SFO-ICO-PE-046-GU-

SECURITY IN ELECTRONIC COMMERCE - SOLUTION MULTIPLE-CHOICE QUESTIONS

, ) I Transport Layer Security

Automated Vulnerability Scan Results

Public Key Infrastructure in idrac

SBClient SSL. Ehab AbuShmais

Virtual Private Network with OpenVPN

Implementing Secure Sockets Layer on iseries

Overview. SSL Cryptography Overview CHAPTER 1

Acano solution. Certificate Guidelines R1.7. for Single Split Acano Server Deployments. December F

Network-Enabled Devices, AOS v.5.x.x. Content and Purpose of This Guide...1 User Management...2 Types of user accounts2

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

OpenADR 2.0 Security. Jim Zuber, CTO QualityLogic, Inc.

Grid Computing - X.509

Angel Dichev RIG, SAP Labs

Security Policy Revision Date: 23 April 2009

Certificates and network security

Apache, SSL and Digital Signatures Using FreeBSD

Apache Security with SSL Using Ubuntu

Setting up Single Sign-on in Service Manager

SSL (Secure Socket Layer)

Clearswift Information Governance

Certificate Management. PAN-OS Administrator s Guide. Version 7.0

2014 IBM Corporation

Secure Socket Layer (SSL) and Transport Layer Security (TLS)

All your private keys are belong to us

Secure Transfers. Contents. SSL-Based Services: HTTPS and FTPS 2. Generating A Certificate 2. Creating A Self-Signed Certificate 3

Chapter 17. Transport-Level Security

Unifying Information Security. Implementing TLS on the CLEARSWIFT SECURE Gateway

Acano solution. Certificate Guidelines R1.7. for Single Combined Acano Server Deployments. December H

Enabling SSL and Client Certificates on the SAP J2EE Engine

Crypto Lab Public-Key Cryptography and PKI

MINICA: A WEB-BASED CERTIFICATE AUTHORITY. A Project. Presented to the. Faculty of. California State University, San Bernardino

Web Security: Encryption & Authentication

Building a Secure RedHat Apache Server HOWTO

Install an SSL Certificate onto SilverStream. Sender Recipient Attached FIles Pages Date. Development Internal/External None 5 6/16/08

Installing an SSL Certificate Provided by a Certificate Authority (CA) on the BlueSecure Controller (BSC)

Configuring Secure Socket Layer (SSL)

Lecture 31 SSL. SSL: Secure Socket Layer. History SSL SSL. Security April 13, 2005

WebLogic Server 6.1: How to configure SSL for PeopleSoft Application

Today s Topics SSL/TLS. Certification Authorities VPN. Server Certificates Client Certificates. Trust Registration Authorities

Configuration (X87) SAP Mobile Secure: SAP Afaria 7 SP5 September 2014 English. Building Block Configuration Guide

ADFS Integration Guidelines

How To Install A Citrix Netscaler On A Pc Or Mac Or Ipad (For A Web Browser) With A Certificate Certificate (For An Ipad) On A Netscaler (For Windows) With An Ipro (For

SolarWinds Technical Reference

ASA 8.x Manually Install 3rd Party Vendor Certificates for use with WebVPN Configuration Example

Configuring Secure Socket Layer HTTP

Active Directory LDAP Quota and Admin account authentication and management

SSL Certificate Generation

Bank link technical specifications. Information for programmers

GNUTLS. a Transport Layer Security Library This is a Draft document Applies to GnuTLS by Nikos Mavroyanopoulos

Accellion Secure File Transfer Cryptographic Module Security Policy Document Version 1.0. Accellion, Inc.

Managing the SSL Certificate for the ESRS HTTPS Listener Service Technical Notes P/N REV A01 January 14, 2011

Safety 1st Mobile Security. Markus Kopf payleven

Configuring Global Protect SSL VPN with a user-defined port

Overview. Author: Seth Scardefield Updated 11/11/2013

Security. Learning Objectives. This module will help you...

A quick overview of the DANE WG. * DNS-based Authentication of Named Entities

WEB SERVICES CERTIFICATE GUIDE

FL EDI SECURE FTP CONNECTIVITY TROUBLESHOOTING GUIDE. SSL/FTP (File Transfer Protocol over Secure Sockets Layer)

SSL Offload and Acceleration

CS 356 Lecture 27 Internet Security Protocols. Spring 2013

Domino and Internet. Security. IBM Collaboration Solutions. Ask the Experts 12/16/2014

BEA Weblogic Guide to Installing Root Certificates, Generating CSR and Installing SSL Certificate

MatrixSSL Developer's Guide Version 3.7

Secure Data Transfer

App Orchestration 2.5

(n)code Solutions CA A DIVISION OF GUJARAT NARMADA VALLEY FERTILIZERS COMPANY LIMITED P ROCEDURE F OR D OWNLOADING

WS_FTP Professional 12. Security Guide

WXOS 5.5 SSL Optimization Implementation Guide for Configuration and Basic Troubleshooting

Requirements Collax Security Gateway Collax Business Server or Collax Platform Server including Collax SSL VPN module

FIPS Security Policy LogRhythm Log Manager

Netzwerksicherheit Übung 6 SSL/TLS, OpenSSL

Support Advisory: ArubaOS Default Certificate Expiration

webmethods Certificate Toolkit

Tivoli Endpoint Manager for Remote Control Version 8 Release 2. Internet Connection Broker Guide

KMIP installation Guide. DataSecure and KeySecure Version SafeNet, Inc

StoneGate SSL VPN Technical Note Adding Bundled Certificates

Quick Note 041. Digi TransPort to Digi TransPort VPN Tunnel using OpenSSL certificates.

Apache Security with SSL Using Linux

Lab 7. Answer. Figure 1

Enabling Remote Access to the ACE

Network Management Card Wizard--1. Introduction... 1 Using the Network Management Card Wizard... 5

Virtual Private Network (VPN) Lab

Einführung in SSL mit Wireshark

Transcription:

Factory Application Certificates and Keys Products: SB700EX, SB70LC 1

Contents 1 Overview... 3 2 Certificates and Keys... 3 2.1 What is in a Certificate?... 4 3 SSL Certificates and Keys... 6 3.1 NetBurner Web Server and SSL Serial-to-Ethernet Server... 6 3.1.1 SSL Server Handshake Sequence... 7 3.1.2 Advanced Information for Software Developers... 7 3.2 NetBurner SSL Serial-to-Ethernet Client... 8 3.2.1 SSL Client Handshake Sequence Without Certificate Checking... 8 3.2.2 SSL Client Handshake Sequence with List of Certificate Authorities... 9 4 SSH Keys... 10 4.1.1 SSH Server Handshake Sequence... 11 4.1.2 Advanced Information for Software Developers... 12 2

1 Overview This guide will use the term NetBurner Device, abbreviated as NBD, to refer to the SB700EX and SB70LC NetBurner devices. The factory program for these devices have similar functionality. The NetBurner NBD Factory Application supports the following types of encrypted connections: SSL Web Server. A web browser may use the HTTPS to connect to the NBD. SSL incoming network connections for serial-to-ethernet. If the SSL option is enabled in the NBD for the serial-to-ethernet connection, an external host application may initiate a connection to the specified IP address and port number. The NBD uses the same SSL certificate and key used for the web server. SSL outgoing network connections for serial-to-ethernet. The NBD may initiate an outgoing SSL connection to a SSL server. SSL outgoing network connections with certificate checking for serial-to-ethernet. In addition to initiating the outgoing connection, the NBD will check the destination SSL Server s certificate against a list of Certificate Authorities. SSH incoming network connection for serial-to-ethernet. 2 Certificates and Keys Description SSL Certificate and Public Key RSA Public/Private Key Pair Used By Web Server (HTTPS) SSL Server for incoming SSL connections NBD Configuration web page: HTTPS SSH RSA Public/Private Key Pair SSH DSA Public/Private Key Pair SSH Server for incoming SSH connections NBD Configuration web page: SSH CA Certificates NBD Configuration web page: CA Certs SSL Client for outgoing SSL connections. If no CA Certs are defined, then no CA Certificate checking is done for outgoing SSL connections. If one or more CA Certs are defined, all outgoing SSL Client connections will perform client side certificate checking of the destination server s SSL certificate. Note that the CA must be the same CA as the one used to create the server s certificate. 3

2.1 What is in a Certificate? A certificate contains the following information: Public Key Name Signature, signed by a Certificate Authority (CA) Please see the Creating a Code Module for SSL Client Certificates section of the NetBurner Security Libraries document for information on creating a certificate. The example below is the certificate output created by the certificate creation utility: Certificate: Data: Version: 3 (0x2) Serial Number: 0 (0x0) Signature Algorithm: md5withrsaencryption Issuer: C=US, ST=California, L=San Diego, O=NetBurner, Inc., CN=NetBurner/emailAddress=sales@netburner.com Validity Not Before: Aug 27 17:10:41 2008 GMT Not After : Aug 25 17:10:41 2018 GMT Subject: C=US, ST=California, L=San Diego, O=NetBurner, Inc., CN=NetBurner/emailAddress=sales@netburner.com Subject Public Key Info: Public Key Algorithm: rsaencryption RSA Public Key: (512 bit) Modulus (512 bit): 00:ee:10:bd:b8:41:fb:06:ff:c9:8f:65:99:54:86: 2a:c5:28:6d:9d:bd:bb:4e:cc:d5:ee:8f:a4:30:98: 01:37:be:38:12:be:65:d4:63:75:2c:3a:43:ba:e8: 8d:de:e4:f0:75:59:eb:c2:3f:13:08:b0:10:78:88: cb:13:a0:c7:51 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 50:A7:32:D3:0F:49:05:E4:5C:80:BB:C8:88:05:5E:EE:93:68:CA:5B X509v3 Authority Key Identifier: keyid:50:a7:32:d3:0f:49:05:e4:5c:80:bb:c8:88:05:5e:ee:93:68:ca:5b DirName:/C=US/ST=California/L=San Diego/O=NetBurner, Inc./CN=NetBurner/emailAddress=sales@netburner.com serial:00 X509v3 Basic Constraints: CA:TRUE Signature Algorithm: md5withrsaencryption 2d:e6:85:c4:e3:95:a4:56:41:91:74:7d:25:b9:02:ef:41:2a: e4:2a:c4:be:31:fd:df:38:0f:37:8b:b4:7d:d7:a0:0c:c0:bd: 89:72:0a:1e:39:d4:5c:8c:a2:4a:1d:f1:1a:b2:59:3e:23:f0: d9:b1:c9:ad:9f:3c:a9:7e:15:19 4

PEM encoded certificate file usually created with the extension of.crt example: -----BEGIN CERTIFICATE----- MIICTjCCAfigAwIBAgIBADANBgkqhkiG9w0BAQQFADBWMQswCQYDVQQGEwJVUzEL MAkGA1UECBMCQ0ExEjAQBgNVBAcTCVNBTiBESUVHTzESMBAGA1UEChMJTkVUQlVS TkVSMRIwEAYDVQQDEwlORVRCVVJORVIwHhcNMTAwNDIyMjIzNDA2WhcNMjAwNDE5 MjIzNDA2WjBWMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVNB TiBESUVHTzESMBAGA1UEChMJTkVUQlVSTkVSMRIwEAYDVQQDEwlORVRCVVJORVIw XDANBgkqhkiG9w0BAQEFAANLADBIAkEAvJVGJ9MpVPy9GAs14I1ixhxmrsF9gK7W wfotgzxpvtuke9gi0j5atnu2a7hcgxnmzvjypovzjmtq/+1ovlfz1qidaqabo4gw MIGtMB0GA1UdDgQWBBRVaZ/WaGJCJwb/GxInSqiMBQGzJzB+BgNVHSMEdzB1gBRV az/wagjcjwb/gxinsqimbqgzj6fapfgwvjelmakga1uebhmcvvmxczajbgnvbagt AkNBMRIwEAYDVQQHEwlTQU4gRElFR08xEjAQBgNVBAoTCU5FVEJVUk5FUjESMBAG A1UEAxMJTkVUQlVSTkVSggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQAD QQAgHJADyS+zhqWoANUsF0M+1XcMvpo6AiNk6Qhyl67rO4rUQ6oNbZrFjkKT/Ej5 5nSuUQS6486RY6znIAm+5daw -----END CERTIFICATE----- PEM encoded public/private key file usually created with extension.key example. -----BEGIN RSA PRIVATE KEY----- MIIBOgIBAAJBAOrfRkFnPMI0K41ufL1HLzlpf2yieGLSGE8kL2OQjX0Pp4Qq+91F DRYD1YuKiPfjxsAkVBqlY7v23ZvzEfNcgDUCAwEAAQJAaFT2KGdrnfj+v7ysvIe6 eo5ahc9hut4i3l78jgxqvbsemhatb+rmyusshggq3+2ph6eqqabbstvuwwl5aaku oqihaptpcjpqiaqtqo1u64t/pr5fx2iuzmbohivw8czddkf3aiea7yjxoegml+8o 4v8pLFZqR0s4P4G/wgScuqtCPLtjtrMCICrH5QWruxl669rFVS58gKDEeearMFQu MD/bg6nkWKRhAiBTMuwz8vnFFUclCN069mkMmkdcGHgsN8yKR+/IDuyWbwIhAKZ9 KgZz3UZCnWHDXaelDFJI+Xdstx5XwBdTAlqwOU+L -----END RSA PRIVATE KEY----- 5

3 SSL Certificates and Keys 3.1 NetBurner Web Server and SSL Serial-to-Ethernet Server The NBD Factory Application provides a default SSL certificate, which contains the public key, and a default RSA public/private key pair. The default certificate is present for the sole purpose of enabling you to communicate to the device and upload your own certificate. Creating keys is beyond the scope of this document, but you can use a utility such as OpenSSL. Certificates and keys can be purchased from companies such as Verisign. The default and user installed SSL certs and keys are stored in the NBD flash memory, and are used for incoming SSL connections to either the web server or SSL enabled serial-to-ethernet ports. NBD SSL Certificate and Public/Private Key Pair Web Server (HTTPS) Incoming SSL Connection Web Browser SSL Client Certificate and key files typically have a file name suffix of.crt and.key. Once you have these files, they can be uploaded to the NBD through the HTTPS web page as shown below. Once your certificate and keys have been uploaded, the description will change from Default to User Installed. 6

3.1.1 SSL Server Handshake Sequence Client Client Hello Server Hello Certificate Server Hello Done Client Key Exchange Client Finished Server Finished Server (NetBurner) 3.1.2 Advanced Information for Software Developers The default SSL certificate and keys for the factory application are defined in the program files permanentcert.h and permanentkey.h, which are compiled into the application. During the initial NBD boot sequence, this information is used to create the actual default certificate and key files stored in the Embedded Flash File System (EFFS). When a user installs their own certificate and key the default files will be overwritten in the EFFS, and become the active certificate and keys. During normal operation the certificate and key are copied from the EFFS to a structure in memory during the boot sequence: gsslcertificatepemencoded and gsslcertificatekeypemencoded. A common way to create your own certificates and keys is the OpenSSL program. If you use the NetBurner OpenSSL.exe program in the \nburn\pcbin directory, it will create a file named key.cpp in addition to the.crt and.key files. The.cpp file contains the certificate, public key and private key, and can be used to compile a custom certificate into your custom application. 7

3.2 NetBurner SSL Serial-to-Ethernet Client Client mode means that instead of the NBD listening for an incoming connection, it makes an outgoing connection on power-up or when serial data is available. Two SSL Client modes are supported: Standard SSL Client connection. SSL Client connection with Certificate Authority (CA) certificate authentication of the server s certificate. 3.2.1 SSL Client Handshake Sequence Without Certificate Checking NBD Web Server Outgoing SSL Connection SSL Server Client (NetBurner) Server Client Hello Server Hello Certificate Server Hello Done Client Key Exchange Client Finished Server Finished 8

3.2.2 SSL Client Handshake Sequence with List of Certificate Authorities SSL Certificate Authority List NBD Outgoing SSL Connection Web Server SSL Server In this mode of operation the NBD, as the SSL Client, will only allow a connection if the certificate sent by the SSL Server matches a Certificate Authority certificate, which can be uploaded via the CA Certs configuration web page: Client (NetBurner) Server Client Hello Server Hello Certificate Server Hello Done Client CA Check Client Key Exchange Client Finished Server Finished 9

4 SSH Keys The NBD Factory Application supports SSH Server operation and provides default RSA and DSA public and private SSH key pairs. To provide secure communication you should create or purchase your own keys. Creating keys is beyond the scope of this document, but you can use a utility such as OpenSSL. The default and user installed SSH keys are stored in the NBD flash memory, and are used for incoming SSH connections to SSH enabled serial-to-ethernet ports. NBD RSA and DSA Public/Private Key Pairs Incoming SSL Connection SSH Client Key files can be uploaded to the NBD through the SSH Keys web page as shown below. Once your keys have been uploaded, the description will change from Default to User Installed. 10

4.1.1 SSH Server Handshake Sequence Client ID ID Hello Hello Key Exchange Change Cipher Key Exchange Change Cipher Service Request Service Response Auth. Request Auth. Methods Auth. Request Auth. Response Channel Open Channel Open Conf. Channel Data Server (NetBurner) Channel Close 11

4.1.2 Advanced Information for Software Developers The default SSH RSA and DSA keys for the factory application are defined in the program files: permannetkeyrsa.h and permanentkeydsa.h, and are built into the application at compile time. During the initial NBD boot sequence, this information is used to create the actual default key files stored in the Embedded Flash File System (EFFS). When a user installs their own keys, the default files will be overwritten in the EFFS and become the active certificate and keys. During normal operation the certificate and key are copied from the EFFS to a structure in memory during the boot sequence: gsshrsakeypemencoded and gsshdsakeypemencoded. A call to SshConnect() cause user supplied function SshUserGetKey() to load the key from global data. Please refer to the SSH library API and example programs for more information. 12

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information