
CCIE Security V4 Technology Labs Section 7:

Confidentiality and Secure Access


Certificate Authority High Availability on
Cisco IOS Routers
Last updated: May 20, 2013
Note:
For this task, either load the Section 7 Initial Configuration Files to initialize your rack
or completely remove any PKI/RSA-related configurations done on R2 and R3 in the
previous task.
Task
Configure R1 and R2 to function as redundant CA servers.
In case of a reload, R1 should always become the active router.
Insert Rack1-HA.ine.com in the Subject field of the CA certificate.
Ensure that client certificates are automatically approved.
Overview
Cisco IOS PKI can be deployed in a High Availability mode, providing redundancy for client
requests. Like other technologies supported by IOS in HA mode, such as Zone Based Firewall
(ZBF) or IPsec, PKI HA uses the Stateful Switch-Over (SSO) redundancy feature. This inter-device
redundancy function relies on two protocols: HSRP and SCTP.
HSRP determines the roles: ACTIVE and STANDBY.
SCTP ensures automatic synchronization between ACTIVE and STANDBY. For PKI, the following
are automatically synchronized from the ACTIVE:
CA server configuration
CA certificate
Certificate revocation list (CRL)
Serial file
RSA keys
To ensure functionality of the IOS PKI High Availability deployment, it is recommended that you use
the following configuration steps:
Configure and verify HSRP functionality.
Configure and verify inter-device SSO redundancy functionality (requires a manual reload on the
STANDBY device).

Do not continue further unless SSO is functional.


Configure and activate PKI server on the ACTIVE device.
Disable PKI server on the ACTIVE device and enable PKI redundancy.
Activate PKI server on the ACTIVE device.
Note:
The High Availability configuration from the PKI Configuration Guide of IOS 15MT is
found in the Configuring Authorization and Revocation of Certificates in a PKI
section.
Note:
Because of the high volume of data required to be synchronized, if the CA runs at the
complete database level, the client-issued certificate files (.crt) will not be
synchronized with the standby system. The workaround is to have both CA systems
point to a common external storage for these files, by using the database url
command.
Configuration
R1:
ip http server
!
interface GigabitEthernet0/0
 standby ip 136.1.18.12
 standby priority 150
 standby preempt
 standby name PKI
!
!
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
    local-ip 136.1.18.1
   remote-port 5000
    remote-ip 136.1.18.2
!
!
redundancy inter-device
 scheme standby PKI
R2:
ip http server
!
interface GigabitEthernet0/0
 standby ip 136.1.18.12
 standby preempt
 standby name PKI
!
!
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
    local-ip 136.1.18.2
   remote-port 5000
    remote-ip 136.1.18.1
!
!
redundancy inter-device
 scheme standby PKI
At this point, we need to save the configuration and reload the standby device to activate the
redundancy. Note that after the manual reload, R2 will detect itself as standby and induce another
forced reload. The following output shows the initial required reload.
Rack1R2#show redundancy inter-device
Redundancy inter-device state: RF_INTERDEV_STATE_INIT
Pending Scheme: Standby (Will not take effect until next reload)
Pending Groupname: PKI
Scheme: <NOT CONFIGURED>
Peer present: UNKNOWN
Security: Not configured
After SSO is functional, configure PKI only on the ACTIVE device; it will be automatically
synchronized to the STANDBY.
R1:
crypto key generate rsa general-keys redundancy label HA modulus 1024
!
crypto pki server HA
 database level names
 issuer-name CN=Rack1-HA.ine.com
 database archive pkcs12 password ciscocisco
 grant auto
 no shutdown
!
crypto pki server HA
 shutdown
 redundancy
 no shutdown
If PKI functionality is not synchronized as shown in the Verification section, it may be required to
perform another reload of both routers.
Verification
First, verify SSO inter-device redundancy.
Rack1R1#show redundancy inter-device
Redundancy inter-device state: RF_INTERDEV_STATE_ACT
Scheme: Standby
Groupname: PKI Group State: Active
Peer present: RF_INTERDEV_PEER_COMM
Security: Not configured
!
!
Rack1R2#show redundancy inter-device
Redundancy inter-device state: RF_INTERDEV_STATE_STDBY
Scheme: Standby
Groupname: PKI Group State: Standby
Peer present: RF_INTERDEV_PEER_COMM
Security: Not configured
!
!
Rack1R1#show redundancy states
my state = 13 -ACTIVE
peer state = 8 -STANDBY HOT
Mode = Duplex
Unit ID = 0
Maintenance Mode = Disabled
Manual Swact = enabled
Communications = Up
client count = 13
client_notification_TMR = 60000 milliseconds
RF debug mask = 0x0
!
!
Rack1R2#show redundancy states
my state = 8 -STANDBY HOT
peer state = 13 -ACTIVE
Mode = Duplex
Unit ID = 0
Maintenance Mode = Disabled
Manual Swact = cannot be initiated from this the standby unit
Communications = Up
client count = 13
client_notification_TMR = 60000 milliseconds
RF debug mask = 0x0
Verify PKI HA configuration.
Rack1R1#show crypto pki server
Certificate Server HA:
Status: enabled
State: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: CN=Rack1-HA.ine.com
CA cert fingerprint: A4D61964 52C12593 9DA4DD90 4C51831D
Granting mode is: auto
Last certificate issued serial number (hex): 1
CA certificate expiration timer: 19:42:37 UTC Apr 30 2016
CRL NextUpdate timer: 01:42:39 UTC May 2 2013
Current primary storage dir: nvram:
Database Level: Names - subject name data written as <serialnum>.cnm
Redundancy configured. This is active.
!
!
Rack1R2#show crypto pki server
Certificate Server HA:
Status: enabled
State: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: CN=Rack1-HA.ine.com
CA cert fingerprint: A4D61964 52C12593 9DA4DD90 4C51831D
Granting mode is: auto
Last certificate issued serial number (hex): 1
CA certificate expiration timer: 19:42:37 UTC Apr 30 2016
CRL NextUpdate timer: 01:42:39 UTC May 2 2013
Current primary storage dir: nvram:
Database Level: Names - subject name data written as <serialnum>.cnm
Redundancy configured. This is standby.
!
!
Rack1R1#show crypto pki certificates
CA Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Issuer:
cn=Rack1-HA.ine.com
Subject:
cn=Rack1-HA.ine.com
Validity Date:
start date: 19:42:37 UTC May 1 2013
end date: 19:42:37 UTC Apr 30 2016
Associated Trustpoints: HA
Storage: nvram:Rack1-HAinec#1CA.cer
!
!
Rack1R2#show crypto pki certificates
CA Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Issuer:
cn=Rack1-HA.ine.com
Subject:
cn=Rack1-HA.ine.com
Validity Date:
start date: 19:42:37 UTC May 1 2013
end date: 19:42:37 UTC Apr 30 2016
Associated Trustpoints: HA
Storage:
Enroll SW1 in the PKI infrastructure with R1 being the ACTIVE router (you may need to synchronize
time with NTP between SW1 and R1/R2).
SW1:
crypto pki trustpoint HA
 enrollment url http://136.1.18.12
!
!
crypto pki authenticate HA
crypto pki enroll HA
Verify that SW1 received the certificate and R2 is synchronized with R1.
Rack1SW1#show crypto pki certificates
Certificate
Status: Available
Certificate Serial Number: 02
Certificate Usage: General Purpose
Issuer:
cn=Rack1-HA.ine.com
Subject:
Name: Rack1SW1.ine.com
hostname=Rack1SW1.ine.com
Validity Date:
start date: 21:50:18 UTC May 1 2013
end date: 21:50:18 UTC May 1 2014
Associated Trustpoints: HA
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=Rack1-HA.ine.com
Subject:
cn=Rack1-HA.ine.com
Validity Date:
start date: 19:42:37 UTC May 1 2013
end date: 19:42:37 UTC Apr 30 2016
Associated Trustpoints: HA
!
!
Rack1R1#show crypto pki server HA certificates
Serial Issued date Expire date Subject Name
1 <cert file not accessible>
Certificate might have been granted by other CA
2 <cert file not accessible>
Certificate might have been granted by other CA
!
!
Rack1R2#show crypto pki server HA certificates
Serial Issued date Expire date Subject Name
1 <cert file not accessible>
Certificate might have been granted by other CA
2 <cert file not accessible>
Certificate might have been granted by other CA
Move the HSRP ACTIVE role to R2, and re-enroll SW1 in the PKI (when the ACTIVE role changes,
the STANDBY always receives a forced reload to ensure synchronization).
R2:
interface gigabitEthernet 0/0
 standby priority 200
SW1:
crypto pki enroll HA
Verify that R2 is now the ACTIVE router/PKI server.
Rack1R2#show crypto pki server
Certificate Server HA:
Status: enabled
State: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: CN=Rack1-HA.ine.com
CA cert fingerprint: A4D61964 52C12593 9DA4DD90 4C51831D
Granting mode is: auto
Last certificate issued serial number (hex): 3
CA certificate expiration timer: 19:42:37 UTC Apr 30 2016
CRL NextUpdate timer: 01:42:39 UTC May 2 2013
Current primary storage dir: nvram:
Database Level: Names - subject name data written as <serialnum>.cnm
Redundancy configured. This is active.
!
!
Rack1R1#show crypto pki server
Certificate Server HA:
Status: enabled
State: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: CN=Rack1-HA.ine.com
CA cert fingerprint: A4D61964 52C12593 9DA4DD90 4C51831D
Granting mode is: auto
Last certificate issued serial number (hex): 3
CA certificate expiration timer: 19:42:37 UTC Apr 30 2016
CRL NextUpdate timer: 01:42:39 UTC May 2 2013
Current primary storage dir: nvram:
Database Level: Names - subject name data written as <serialnum>.cnm
Redundancy configured. This is standby.
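The synchronization checks in this Verification section, both the initial pair of show crypto pki server outputs and the pair after the switchover, can be automated by parsing the output of both routers and comparing the fields that must agree. The following Python is an added example, not part of the INE workbook or of Cisco IOS; the sample output is constructed to mirror the format shown above, and the field labels are assumed to match it.

```python
import re

# Constructed sample output modelled on the lab's "show crypto pki server"
# format (not captured from a real device).
ACTIVE_OUT = """Certificate Server HA:
    Status: enabled
    State: enabled
    Issuer name: CN=Rack1-HA.ine.com
    CA cert fingerprint: A4D61964 52C12593 9DA4DD90 4C51831D
    Granting mode is: auto
    Last certificate issued serial number (hex): 3
    Redundancy configured. This is active.
"""

STANDBY_OUT = """Certificate Server HA:
    Status: enabled
    State: enabled
    Issuer name: CN=Rack1-HA.ine.com
    CA cert fingerprint: A4D61964 52C12593 9DA4DD90 4C51831D
    Granting mode is: auto
    Last certificate issued serial number (hex): 3
    Redundancy configured. This is standby.
"""

# Field labels assumed to match the show output above.
FIELDS = {
    "issuer": r"Issuer name:\s*(.+)",
    "fingerprint": r"CA cert fingerprint:\s*([0-9A-F ]+)",
    "granting": r"Granting mode is:\s*(\S+)",
    "last_serial": r"Last certificate issued serial number \(hex\):\s*([0-9A-Fa-f]+)",
    "role": r"Redundancy configured\. This is (\w+)\.",
}

def parse_pki_server(output):
    """Extract the fields that must agree between the ACTIVE and STANDBY CA."""
    parsed = {}
    for key, pattern in FIELDS.items():
        m = re.search(pattern, output)
        parsed[key] = m.group(1).strip() if m else None
    return parsed

def check_pki_ha(active_out, standby_out):
    """Return a list of problems; an empty list means the pair looks synchronized."""
    a, s = parse_pki_server(active_out), parse_pki_server(standby_out)
    problems = []
    # Exactly one router must report active and the other standby.
    if {a["role"], s["role"]} != {"active", "standby"}:
        problems.append(f"roles are {a['role']}/{s['role']}, expected active and standby")
    # CA identity, granting mode and the serial file must be identical on both.
    for key in ("issuer", "fingerprint", "granting", "last_serial"):
        if a[key] is None or a[key] != s[key]:
            problems.append(f"{key} differs: active={a[key]} standby={s[key]}")
    return problems
```

A mismatch in last_serial after enrolling SW1 is the quickest sign that the serial file has not been synchronized and that the reload of both routers mentioned in the Configuration section is needed.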
Verify that SW1 received the certificate and R1 is synchronized with R2.
Rack1SW1#show crypto pki certificates
Certificate
Status: Available
Certificate Serial Number: 03
Certificate Usage: General Purpose
Issuer:
cn=Rack1-HA.ine.com
Subject:
Name: Rack1SW1.ine.com
hostname=Rack1SW1.ine.com
Validity Date:
start date: 21:59:55 UTC May 1 2013
end date: 21:59:55 UTC May 1 2014
Associated Trustpoints: HA
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=Rack1-HA.ine.com
Subject:
cn=Rack1-HA.ine.com
Validity Date:
start date: 19:42:37 UTC May 1 2013
end date: 19:42:37 UTC Apr 30 2016
Associated Trustpoints: HA
!
!
Rack1R2#show crypto pki server HA certificates
Serial Issued date Expire date Subject Name
1 <cert file not accessible>
Certificate might have been granted by other CA
2 <cert file not accessible>
Certificate might have been granted by other CA
3 <cert file not accessible>
Certificate might have been granted by other CA
!
!
Rack1R1#show crypto pki server HA certificates
Serial Issued date Expire date Subject Name
1 <cert file not accessible>
Certificate might have been granted by other CA
2 <cert file not accessible>
Certificate might have been granted by other CA
3 <cert file not accessible>
Certificate might have been granted by other CA