Filter
Top Products
Fabric OS Administrator’s Guide 183
53-1002745-02
Secure Sockets Layer protocol
6
You should upgrade to the Java 1.6.0 plug-in on your management workstation. To find the Java
version that is currently running, open the Java console and look at the first line of the window.
For more details on levels of browser and Java support, refer to the Web Tools
Administrator’s Guide.
SSL configuration overview
You configure SSL access for a switch by obtaining, installing, and activating digital certificates.
Certificates are required on all switches that are to be accessed through SSL.
Also, you must install a certificate in the Java plug-in on the management workstation, and you may
need to add a certificate to your web browser.
Configuring for SSL involves these main steps, which are shown in detail in the next sections.
1. Choose a certificate authority (CA).
2. Generate the following items on each switch:
a. A public and private key by using the secCertUtil genkey command.
b. A certificate signing request (CSR) by using the secCertUtil gencsr command.
3. Store the CSR on a file server by using the secCertUtil export command.
4. Obtain the certificates from the CA.
You can request a certificate from a CA through a web browser. After you request a certificate,
the CA either sends certificate files by e-mail (public) or gives access to them on a remote host
(private).
5. On each switch, install the certificate. Once the certificate is loaded on the switch, HTTPS
starts automatically.
6. If necessary, install the root certificate to the browser on the management workstation.
7. Add the root certificate to the Java plug-in keystore on the management workstation.
Certificate authorities
To ease maintenance and allow secure out-of-band communication between switches, consider
using one certificate authority (CA) to sign all management certificates for a fabric. If you use
different CAs, management services operate correctly, but the Web Tools Fabric Events button is
unable to retrieve events for the entire fabric.
Each CA (for example, Verisign or GeoTrust) has slightly different requirements; for example, some
generate certificates based on IP address, while others require an FQDN, and most require a 1024-bit
public/private key pair while some may accept a 2048-bit key. Consider your fabric configuration,
check CA websites for requirements, and gather all the information that the CA requires.
Generating a public-private key pair
Use the following procedure to generate a public-private key pair.
NOTE
You must perform this procedure on each switch.