- Dell EMC SmartFabric OS10 Security Best Practices Guide May 2021
- OS10 security best practices
● orgunit unit-name — Enter the name of the unit.
● cname common-name — Enter the common name assigned to the certificate. Common name is the main identity that
is presented to connecting devices. By default, the host name of the switch is the common name. You can configure
a different common name for the switch; for example, an IP address. If the common-name value does not match the
device’s presented identity, a signed certificate does not validate.
● email email-address — Enter a valid email address used to communicate with the organization.
● validity days — Enter the number of days that the certificate is valid. For a self-signed certificate, the default is
3650 days.
● length bit-length — Enter the key length in bits. For FIPS mode, the range is from 2048 to 4096; for
non-FIPS mode, the range is from 1024 to 4096. The default key length for both FIPS and non-FIPS mode is 2048 bits.
The minimum key length value for FIPS mode is 2048 bits. The minimum key length value for non-FIPS mode is 1024 bits.
● altname altname — Enter an alternate name for the organization; for example, using the IP address such as
altname IP:192.168.1.100.
5. Verify that the newly created certificate and key are present in the home directory.
Switch-A:
Switch-A# dir home
Directory contents for folder: home
Date (modified) Size (bytes) Name
--------------------- ------------ --------------------------------------
2020-12-18T14:20:32Z 1017 dell.crt
2020-12-18T14:20:32Z 1675 dell.ky
6. Copy the certificate and key from Switch-A to an SCP server. In this example, SCP is used but you can also use a TFTP or
FTP server.
Switch-A:
Switch-A# copy home://dell.crt scp://<username>:<password>@100.104.54.214/dell.crt
Switch-A# copy home://dell.ky scp://<username>:<password>@100.104.54.214/dell.ky
7. Copy the certificate and key from the SCP server to Switch-B.
Switch-B:
Switch-B# copy scp://<username>:<password>@100.104.54.214/dell.crt home://dell.crt
Switch-B# copy scp://<username>:<password>@100.104.54.214/dell.ky home://dell.ky
NOTE: All devices in the SFS cluster or VLT domain must have the same certificate and key files.
8. Verify that the certificate and key are copied to Switch-B.
Switch-B:
Switch-B# dir home
Directory contents for folder: home
Date (modified) Size (bytes) Name
--------------------- ------------ ------------------------------------------
2020-12-18T14:59:51Z 1017 dell.crt
2020-12-18T15:00:42Z 1675 dell.ky
9. Install a self-signed certificate and key file.
Switch-A:
Switch-A# crypto cert install cert-file home://dell.crt key-file home://dell.ky
Switch-B:
Switch-B# crypto cert install cert-file home://dell.crt key-file home://dell.ky
Run the show crypto cert command to make sure that the certificate is installed on the system.
10. Create a security profile.
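A pre-install check for the dell.crt and dell.ky files moved in steps 6 to 8, as an added example that is not part of the Dell guide: run with OpenSSL on the SCP server or an admin workstation, it confirms that the key matches the certificate, that the key length meets a minimum (2048 bits by default, the FIPS-mode minimum given above), that the certificate has not expired, and that two copies are identical. It assumes both files are PEM-encoded; the function names, the script name precheck.sh and the sample common name switch-a.example are assumptions made for this example.

```shell
#!/bin/sh
# Added example: pre-install checks for an OS10 certificate/key pair, run with
# OpenSSL on the SCP server or an admin workstation (not on the switch).

# Succeeds when the certificate's public key is the one derived from the key file.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Prints the certificate's public key size in bits.
key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Succeeds when two copies (for example the files destined for Switch-A and
# Switch-B) are byte-identical.
same_file() { cmp -s "$1" "$2"; }

# precheck CERT KEY [MIN_BITS]: returns 0 only if every check passes.
precheck() {
    min=${3:-2048}; rc=0
    cert_key_match "$1" "$2" || { echo "FAIL: key does not match certificate"; rc=1; }
    bits=$(key_bits "$1")
    [ "${bits:-0}" -ge "$min" ] || { echo "FAIL: key is ${bits:-?} bits, need $min"; rc=1; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null ||
        { echo "FAIL: certificate has expired"; rc=1; }
    # Show the identity (cname) and expiry that connecting devices will see.
    openssl x509 -in "$1" -noout -subject -enddate
    return $rc
}

# Constructed sample pair for trying the checks offline; the CN is a placeholder.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=switch-a.example" \
        -keyout "$1/dell.ky" -out "$1/dell.crt" 2>/dev/null
}

# Usage: sh precheck.sh dell.crt dell.ky [min-bits]
if [ "$#" -ge 2 ]; then precheck "$@"; fi
```

A non-zero exit status means at least one check failed and the pair should not be installed with crypto cert install until the cause is understood.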