Network Automation 9.22 Features: RIM and PKI Authentication July 31, 2013
Brought to you by Vivit Network Management Special Interest Group (SIG) Leaders: Wendy Wheeler and Chris Powers www.vivit-worldwide.org
Hosted by Wendy Wheeler Content Manager/Operations Manager HP
Today's Presenters: Swamy Mandavilli, Functional Architect, NA Product Development Team, HP; Mietek T. Konczyk, Software Development Engineer, HP
Housekeeping: This LIVE session is being recorded. The recording will be available on BrightTALK immediately after this session. Q&A: please type questions in the Questions Box below the presentation screen. Additional information is available for you behind the Attachment button and later on the Vivit website.
RIM Agenda 1. Introduction 2. Management/Provisioning Challenges 3. Solution with NA 9.22 4. Use Case Scenarios 5. Some details on RIM functionality in NA
Resource Identity Examples 1. VLAN IDs 2. ACL IDs/Handles 3. HSRP / VRRP IDs 4. Route Targets 5. Route Distinguishers 6. IP Addresses 7. Phone Numbers 8. Licensing Keys 9. Routing Instance Names 10. Firewall Instance Names 11. Load Balancer Instance Names
Some characteristics of Resource Identities
1. Unique within a context (example: a VLAN ID is unique within an L2 network)
2. Applied on one or multiple network devices (example 1: an IP address applied on one device; example 2: a VLAN ID applied on multiple devices)
3. Some have a range of numbers (example: VLAN IDs 1 to 4k)
4. Some have a pre-known set of values (example: the set of license-key values)
5. Some cannot be re-used once used
Management/Provisioning Challenges
1. Need centralized storage including usage information. Spreadsheets are error-prone, require manual work and cannot be integrated with provisioning systems.
2. Categorize based on several criteria/dimensions: Type (VLAN-ID), Context, Customer, ...
3. Associate meaningful context/details to each Identity
4. Easily integrate with provisioning systems; without this integration, provisioning mistakes can cause significant damage to network operations
5. Enforce uniqueness with usage
6. Track what is available and what is in use
7. Find one Resource Identity that is available
8. Security/Access control
9. Track History
Resource Identity Management Capability overview with NA 9.22
1. Define Resource Identity Pools (example: Building_6_VLAN_IDs)
2. Add Custom Attributes to Resource Identity Pools
3. Associate Resource Identity Pools to Partitions
4. Define/Assign Security Privileges
5. Load Resource Identities into a Resource Identity Pool: via the GUI, via CSV import for bulk loading, or via the API/CLI
6. Request to Acquire/Release a specific Resource Identity
7. Request to acquire any available Resource ID in a Pool
Use Case: Provisioning scenario-1. Requirement: provision a set of devices by running a custom script in NA, where each device needs a Resource Identity. Steps: 1. Create an Advanced Command script that contains an API call to obtain a Resource Identity 2. Parameterize any Pool identification context 3. The Network Engineer executes the command script as a Task in NA, providing the necessary parameters
Use Case: Provisioning scenario-2. Requirement: the Network Engineer would like to create a new VLAN using the NA VLAN Provisioning GUI. Steps: 1. Obtain an available VLAN ID from the GUI (by requesting any available Resource ID in the appropriate Pool) 2. Copy the acquired VLAN ID into the VLAN provisioning GUI of NA
Use Case: Provisioning scenario-3. Requirement: the Network Engineer would like to run a custom script in NA to create a new VLAN. Steps: 1. Obtain an available VLAN ID from the GUI (by requesting any available Resource ID in the appropriate Pool) 2. Copy the VLAN ID as the parameter value when running the command script as a task in NA
Use Case: Provisioning scenario-4. Requirement: run a process through an HP OO Flow to provision a network device via an NA command script. Steps: 1. Programmatically (using the NA API) obtain the next available Resource Identity (from OO) 2. Pass the Resource Identity value as a parameter to the NA Command Script (from OO)
NA Resource Identity Management in MSP environments 1. Associate all the Resource Identity Pools for a Customer to the corresponding Partition 2. Resource Identity Pools in different Partitions can have the same name 3. User permissions for the Resource Identities and Pools are governed by the user's privileges for that Partition
Resource Identity Pool: a Resource Identity Pool allows organizing logical groups of Resource Identities. It is associated with ONE Partition (optional), has a set of Resource Identities, can be asked to acquire ANY available Resource Identity, and carries a set of Custom Fields that apply to ALL IDs in that Pool.
Resource Identity: associated with one Pool; has a unique name within the Pool; status is In Use or Available; can be acquired by requesting that specific Resource Identity; can be released after it is no longer needed.
Custom Fields: define a global set of Custom Fields, then associate specific Custom Fields to the appropriate Pools (e.g., VLAN-Name to the Pools Bldg-6-vlan-ids and Bldg-5-vlan-ids). Semantics of Custom Fields: a field can hold a constant value through the lifecycle of the ID (e.g., Subnet-mask for an IP address) or a use-specific value (e.g., assigned-to-customer-name).
RIM Security 1. Optional: Associate Resource Identity Pool to Partition relationship 2. Standard NA User/User-Group/Role based security mechanism with RIM specific privileges
CLI / APIs for RIM in NA 9.22
1. Resource Identity Pools: add, mod, del, show, list
2. Resource Identities: add, del, show, list, mod; acquire, release
3. Custom Fields for Resource Identities: show, mod, list
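As an added example (not NA's own code or API), the following Python model implements the RIM semantics described on the preceding slides: pools keyed by partition so the same pool name can exist per customer, identities unique within their pool, custom fields that apply to every ID in the pool, acquire of a specific or of any available identity, release, and pools whose identities cannot be re-used once used. All pool, partition and user names are constructed for the demo.

```python
# Added example, not NA's own code: an in-memory model of the RIM concepts on these
# slides: pools scoped to a partition, IDs unique within a pool, custom fields that
# apply to all IDs in a pool, acquire (specific/any) and release, and non-reusable IDs.
from dataclasses import dataclass, field

@dataclass
class ResourceIdentity:
    name: str
    in_use: bool = False
    retired: bool = False   # one-shot ID (e.g. a license key) that has been used
    fields: dict = field(default_factory=dict)      # constant for the ID's lifetime
    use_fields: dict = field(default_factory=dict)  # use-specific, cleared on release

class ResourceIdentityPool:
    def __init__(self, name, partition, custom_fields=(), reusable=True):
        self.name, self.partition, self.reusable = name, partition, reusable
        self.custom_fields = set(custom_fields)     # apply to ALL IDs in this pool
        self._ids = {}                              # ID name -> ResourceIdentity

    def add(self, name, **fields):
        if name in self._ids:                       # unique within the pool
            raise ValueError(f"{name!r} already exists in pool {self.name!r}")
        if set(fields) - self.custom_fields:
            raise ValueError(f"field not defined for pool {self.name!r}: {fields}")
        self._ids[name] = ResourceIdentity(name, fields=dict(fields))

    def acquire(self, name=None, **use_fields):
        """Acquire one specific ID, or ANY available ID when name is None."""
        rids = [self._ids[name]] if name else list(self._ids.values())
        for rid in rids:
            if not rid.in_use and not rid.retired:
                rid.in_use, rid.use_fields = True, dict(use_fields)
                return rid.name
        raise LookupError(f"no available identity in pool {self.name!r}")

    def release(self, name):
        rid = self._ids[name]
        rid.in_use, rid.use_fields = False, {}
        rid.retired = not self.reusable             # "cannot be re-used once used"

    def available(self):
        return sorted(r.name for r in self._ids.values() if not (r.in_use or r.retired))

class RIM:
    """Pools keyed by (partition, name): the same pool name may exist per partition."""
    def __init__(self): self._pools, self._grants = {}, {}
    def add_pool(self, pool): self._pools[(pool.partition, pool.name)] = pool
    def grant(self, user, partition): self._grants.setdefault(user, set()).add(partition)
    def pool(self, user, partition, name):          # privilege follows the partition
        if partition not in self._grants.get(user, ()):
            raise PermissionError(f"{user!r} has no RIM privilege in {partition!r}")
        return self._pools[(partition, name)]
```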
HP NA PKI Authentication Using certificates to authenticate NA users
HP NA Authentication Methods: User Name & Password (Local, LDAP, HP Server Automation, TACACS+, RADIUS, RSA SecurID); PKI (added in 9.22)
What is PKI Authentication? It is known under several other names: HTTPS or SSL client authentication; client-certificate based authentication; smart card (e.g. CAC) logon; X.509 certificate authentication. PKI (Public Key Infrastructure) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates. PKI separates the role of the CA, which defines (asserts) a user's digital identity, from that of the validation authority (VA), which verifies it when the user authenticates.
What is a digital certificate? An electronic document that uses a digital signature to bind a public key to an identity. It certifies the ownership of the public key by the named subject of the certificate and makes that binding public. In this model of trust relationships the CA is a trusted third party, trusted by both the subject (owner) of the certificate and the party relying upon the certificate; trust in the user's key rests on one's trust in the validity of the CA's key.
Asymmetric Keys: asymmetric keys are used to encrypt and decrypt digital signatures. They form a pair of mathematically associated keys: when something is encrypted with one (e.g. the private key), it can be decrypted with the other (e.g. the public key). It is infeasible to derive one key from its counterpart. The private key should never be distributed or shared; the public key can be distributed to anyone who requests it.
Certificate Authority (CA): a CA is identified by its root CA certificate. Publicly available commercial CAs: Symantec (VeriSign, Thawte, GeoTrust), Comodo, GoDaddy. Private CAs. Self-signed certificates vs. CA-signed certificates: after receiving a Certificate Signing Request (CSR), the CA validates the identity and sends back a signed certificate.
X.509: X.509 is a standard for PKI. It specifies, amongst other things, formats for public key certificates and certificate revocation lists, and a certificate path validation algorithm. In the X.509 system, a CA issues a certificate binding a public key to a particular distinguished name (DN) or to an alternative name such as an e-mail address or DNS entry.
Digital Certificate Example
PKI Authentication Configuration: import the CA root certificate into the NA truststore. This is a manual step that has to be done before PKI authentication is enabled. Use: keytool -import -file <CA root certificate file> -keystore <NA truststore file> -storepass <truststore password> -alias <alias for the CA> (the argument values depend on your installation and are shown here as placeholders)
PKI Authentication Configuration, User Authentication Settings. Access: Admin -> Administrative Settings -> User Authentication -> External Authentication Type: PKI. Once PKI is saved as the authentication method, it is used solely to authenticate to NA; no fallback to other methods is supported. Misconfiguration may make it impossible for anybody to log in to NA.
PKI Authentication Configuration, Certificate to user mapping: the certificate Subject can be mapped to an NA user that is defined either locally or in an LDAP directory. Even though the password is not used for authentication when PKI is in use, it still has to be specified and valid (e.g. not expired): the password is still used to authenticate to devices and for client interfaces that currently cannot be authenticated using PKI (e.g. the API and remote Telnet/SSH).
PKI Authentication Configuration, Certificate constraints: these fields reject certificates that don't match the specified conditions: Extended Key Usage; Trusted Issuer. Each certificate constraint can take multiple values.
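As an added example (not part of the original slides and not NA's own code), the following POSIX shell script uses openssl to issue a client certificate from a throwaway CA and then applies the two constraints from this slide (Extended Key Usage and Trusted Issuer) before mapping the subject CN to a user name, as the certificate-to-user mapping slide describes. The CA name "Example Root CA", the user "jdoe" and the self-signed "rogue" certificate are constructed for the demo; openssl must be installed.

```shell
#!/bin/sh
# Added example, not NA code: issue a client certificate from a throwaway CA, then
# apply the two NA certificate constraints (Extended Key Usage, Trusted Issuer) and
# map the subject CN to a user name. "Example Root CA" and user "jdoe" are constructed.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Throwaway root CA: the certificate that would be imported into the NA truststore.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 1 \
  -subj "/O=Example Corp/CN=Example Root CA" >/dev/null 2>&1
# Legitimate user certificate: signed by that CA, EKU = TLS Web Client Authentication.
openssl req -newkey rsa:2048 -nodes -keyout jdoe.key -out jdoe.csr \
  -subj "/O=Example Corp/CN=jdoe" >/dev/null 2>&1
printf 'extendedKeyUsage=clientAuth\n' > eku.cnf
openssl x509 -req -in jdoe.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out jdoe.crt -days 1 -extfile eku.cnf >/dev/null 2>&1
# Rogue certificate: same CN but self-signed, so the Trusted Issuer check must fail.
openssl req -x509 -newkey rsa:2048 -nodes -keyout rogue.key -out rogue.crt -days 1 \
  -subj "/O=Example Corp/CN=jdoe" >/dev/null 2>&1

# Trusted Issuer constraint: the chain must end at the CA held in the truststore.
cert_issuer_trusted() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
# Extended Key Usage constraint: the certificate must be issued for client auth.
cert_has_client_auth_eku() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' \
    | grep -q 'TLS Web Client Authentication'
}
# Subject-to-user mapping: the CN of the subject becomes the NA user name.
cert_user_name() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
# Constraints first, mapping last; a rejected certificate never reaches the mapping.
pki_map_user() {  # $1 = trusted CA file, $2 = presented client certificate
  cert_issuer_trusted "$1" "$2" || { echo "reject: issuer not trusted" >&2; return 1; }
  cert_has_client_auth_eku "$2" || { echo "reject: no clientAuth EKU" >&2; return 1; }
  cert_user_name "$2"
}

echo "jdoe.crt  -> $(pki_map_user ca.crt jdoe.crt)"
echo "rogue.crt -> $(pki_map_user ca.crt rogue.crt || echo '<rejected>')"
```

A certificate that carries the expected CN but was not issued by the CA in the truststore is rejected before any user mapping takes place.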
PKI Authentication Configuration, Certificate revocation checking: a user certificate can be revoked under various circumstances. Revoked certificates are listed on a certificate revocation list in the PKI, which makes the information available either as a list for download over HTTP or via the OCSP protocol. Both ways of checking for certificate revocation, CRL and OCSP, are supported in NA. The protocol ordering, and whether both protocols must be used for the revocation check, can be configured. CRL: Certificate Revocation List. OCSP: Online Certificate Status Protocol, a direct query to the PKI.
PKI Authentication Auto-Login: the browser needs the client certificate imported in a format it can handle. The browser asks the user to select a certificate and, if applicable, to provide a PIN; it may also use cached authentication data. After successful PKI authentication, the user is prompted to press the Login button to continue. When logging in directly to Telnet/SSH, the user is also prompted for the other parameters.
PKI Authentication Logout: authentication data may be cached in the browser, so logging out is not good enough: NA may receive the cached authentication data from the browser again. It is recommended either to close all instances of the browser or to clear the cached authentication data.
PKI Authentication Logout: clearing authentication data is browser dependent. In IE use Internet Options -> Content -> Clear SSL state. In Firefox use Privacy -> Clear recent history and select Active Logins.