Service manual
Chapter 3: Security
To configure an X.509 certificate for SSH:
1. Enter the following command to configure an X.509 certificate. See Table 3.12 for the list
of parameters.
cli> config security profile custom ssh ssh_x509 [parameter] <value>
2. Activate and save your configuration.
The following is an example of how to configure an X.509 certificate:
ssh_x509> cp CA_file /etc/ssh/ca-bundle.crt
ssh_x509> cp hostkey /etc/ssh/hostkey
ssh_x509> cp authorizedkeys /etc/ssh/authorized_keys
ssh_x509> chmod 600 /etc/ssh/authorized_keys
ssh_x509> chmod 755 /
cli> config runconfig
cli> config savetoflash
NOTE: An X.509 certificate for SSH may also be configured by executing the following script at the command
prompt: # ssh_act_x509
To connect to the console server and serial ports using an SSH X.509 certificate:
1. Configure an X.509 certificate for SSH.
2. Configure the client you need to access with an X.509 certificate.
3. Copy the certificate files to the console server.
To verify that the files were copied, run the following commands at the prompt.
[root@acs48 root]# ls -l /etc/ssh/ca/ca-bundle.crt
[root@acs48 root]# ls -l /etc/ssh/hostkey
4. Configure the serial ports for socket_ssh protocol and assign the IP address of the
connected device.
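The ls -l check in step 3 can be extended to cover permissions as well. The function below is an added example, not part of the vendor manual or its ssh_act_x509 script. The function name is hypothetical, a stat that supports -c is assumed, and hostkey is assumed to hold private key material.

```shell
#!/bin/sh
# Added example, not vendor code. Assumes a stat that supports -c '%a'
# (GNU coreutils or BusyBox).
# Usage: check_ssh_x509_files /etc/ssh

# check_ssh_x509_files [DIR]: DIR defaults to /etc/ssh. Prints one line per
# finding and returns the number of findings (0 = all checks passed).
check_ssh_x509_files() {
    dir=${1:-/etc/ssh}
    findings=0

    # The page copies the CA bundle to DIR/ca-bundle.crt but lists
    # DIR/ca/ca-bundle.crt when verifying, so accept either location.
    ca="$dir/ca-bundle.crt"
    if [ ! -f "$ca" ] && [ -f "$dir/ca/ca-bundle.crt" ]; then
        ca="$dir/ca/ca-bundle.crt"
    fi

    for f in "$ca" "$dir/hostkey" "$dir/authorized_keys"; do
        if [ ! -f "$f" ] || [ ! -s "$f" ]; then
            echo "MISSING or empty: $f"
            findings=$((findings + 1))
            continue
        fi
        mode=$(stat -c '%a' "$f")
        # Nobody but the owner should be able to modify any of these files.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "WRITABLE by group/other ($mode): $f"
            findings=$((findings + 1))
        fi
    done

    # The page sets authorized_keys to mode 600; report any drift from that.
    ak="$dir/authorized_keys"
    if [ -s "$ak" ] && [ "$(stat -c '%a' "$ak")" != "600" ]; then
        echo "MODE not 600: $ak"
        findings=$((findings + 1))
    fi

    # Assumption: hostkey holds private key material, so flag any
    # group/other permission bit on it.
    hk="$dir/hostkey"
    if [ -s "$hk" ] && [ $(( 0$(stat -c '%a' "$hk") & 077 )) -ne 0 ]; then
        echo "ACCESSIBLE by group/other: $hk"
        findings=$((findings + 1))
    fi
    return "$findings"
}
```

A return value of 0 means all three files are present, non-empty and not writable by group or other, authorized_keys is mode 600, and hostkey is owner-only.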
Table 3.12: X.509 Certificate Parameters
Parameter        Value
CA_file          <path and filename of CA certificate>
hostkey          <path and filename of hostkeys>
authorizedkeys   <path and filename of authorized keys>