Friday, January 4, 2013

Secure Rancid ViewVC with LDAP authentication

Now that I have a working Rancid install, I wanted to secure the ViewVC web site requiring that users authenticate before being able to see the repository contents.  ViewVC doesn’t have any authentication facilities built into it, but you can use the authentication facilities provided as a part of Apache.
On my CentOS 6.3 install, all of the necessary LDAP authentication modules were already installed and running.  I just needed to define the LDAP connection attributes as well as define the users I want to be able to authenticate.
I am using LDAPS on port 636 for my authentications so no credentials are going over the network in cleartext.  The first step is to create a key pair that Apache can present as a client certificate when it connects to the Domain Controller over SSL.  I am storing my certificates in /etc/httpd/certificate, but you can store them wherever you like.
  • openssl genrsa 2048 > ldap.key
  • openssl req -new -x509 -nodes -sha256 -days 1825 -key ldap.key > ldap.cer
I specified -days 1825 in the certificate generation command so that the certificate would be good for 5 years.  You can specify any number you like, I just didn’t want to have to remember to renew the cert.
Once the certificates are created, we need to configure Apache.
  • nano /etc/httpd/conf/httpd.conf
In the main config file, outside of any Directory or VirtualHost directives, add the following:
  • LDAPVerifyServerCert off
  • LDAPTrustedMode SSL
  • LDAPTrustedGlobalCert CERT_DER /etc/httpd/certificate/ldap.cer
  • LDAPTrustedGlobalCert KEY_DER /etc/httpd/certificate/ldap.key
Two caveats on these lines.  LDAPVerifyServerCert off tells mod_ldap not to check the certificate the Domain Controller presents, so the connection is encrypted but not authenticated: anyone who can get between the web server and port 636 on the DC can impersonate it and collect the bind password and every user's password as they log in.  The safer setting is LDAPVerifyServerCert on with the DC's issuing CA certificate supplied as LDAPTrustedGlobalCert CA_BASE64 /path/to/ca.pem.  Also, the openssl commands above write PEM files, and mod_ldap's names for PEM are CERT_BASE64 and KEY_BASE64; CERT_DER and KEY_DER are for binary DER files.
In the VirtualHost we defined for ViewVC, add the following.  Active Directory does not allow anonymous LDAP lookups by default, so you'll need a user account that Apache can bind as to look up users; that account is specified in AuthLDAPBindDN.  Give it no rights beyond reading user objects: its password is stored in cleartext in httpd.conf, so anyone who can read that file has it.  The users specified in Require ldap-user are the user accounts allowed to access ViewVC.  I didn't try it, but I believe this can also be limited to groups with "Require ldap-group".
<Location "/viewvc">
    AuthType Basic
    AuthName "Login, Please"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthLDAPBindDN "cn=rancid,cn=Users,dc=mydomain,dc=com"
    AuthLDAPBindPassword mypassword
    AuthLDAPURL "ldaps://mydc.mydomain.com:636/dc=mydomain,dc=com?sAMAccountName?sub?" SSL
    Require ldap-user admin1 admin2 admin3
</Location>

Once you've saved those changes, you can restart Apache and test that LDAP Auth is working.  Mine worked, but gave me an HTTP 500 error.  I set logging in httpd.conf to debug, and tried to authenticate again.  That gave me the error message
[Fri Jan 04 10:48:37 2013] [info] [client x.x.x.x] [14711] auth_ldap authenticate: user myuser authentication failed; URI /viewvc [ldap_search_ext_s() for user failed][Operations error]
Googling the error led me to an issue with the way that the RedHat apache package is handling authentication referrals.  The fix was to edit /etc/openldap/ldap.conf and add the line:
REFERRALS off
Once I did that, I was able to successfully authenticate and get into ViewVC.
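As an added check (example code written for this page, not part of the original post or of Apache or ViewVC), the script below reads an httpd.conf fragment like the one above and flags the settings a reviewer would object to: LDAPVerifyServerCert off, a plain ldap:// URL without STARTTLS, no CA trust anchor (LDAPTrustedGlobalCert CA_*), and a bind password in a file readable by other users.  Both embedded configs are constructed samples; /etc/httpd/certificate/dc-ca.pem is an assumed file name for the DC's issuing CA certificate, and the file mode is passed in as a parameter so the check runs on in-memory text.

```python
"""Audit the mod_ldap / mod_authnz_ldap settings in an httpd.conf fragment (added example)."""
import re
from typing import List, Tuple

# Constructed sample: the global directives and Location block from the post, as written.
WEAK_CONF = """\
LDAPVerifyServerCert off
LDAPTrustedMode SSL
LDAPTrustedGlobalCert CERT_DER /etc/httpd/certificate/ldap.cer
LDAPTrustedGlobalCert KEY_DER /etc/httpd/certificate/ldap.key
<Location "/viewvc">
    AuthType Basic
    AuthName "Login, Please"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthLDAPBindDN "cn=rancid,cn=Users,dc=mydomain,dc=com"
    AuthLDAPBindPassword mypassword
    AuthLDAPURL "ldaps://mydc.mydomain.com:636/dc=mydomain,dc=com?sAMAccountName?sub?" SSL
    Require ldap-user admin1 admin2 admin3
</Location>
"""

# Constructed hardened variant: the DC's certificate is verified against its issuing CA.
# /etc/httpd/certificate/dc-ca.pem is an assumed path for that CA certificate.
HARDENED_CONF = """\
LDAPVerifyServerCert on
LDAPTrustedMode SSL
LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/certificate/dc-ca.pem
<Location "/viewvc">
    AuthType Basic
    AuthName "Login, Please"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthLDAPBindDN "cn=rancid,cn=Users,dc=mydomain,dc=com"
    AuthLDAPBindPassword mypassword
    AuthLDAPURL "ldaps://mydc.mydomain.com:636/dc=mydomain,dc=com?sAMAccountName?sub?" SSL
    Require ldap-user admin1 admin2 admin3
</Location>
"""

_DIRECTIVE = re.compile(r"^([A-Za-z]\w*)\s+(.*?)\s*$")


def parse_directives(conf: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs in file order, names lower-cased; tags and comments are skipped."""
    pairs = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        m = _DIRECTIVE.match(line)
        if m:
            pairs.append((m.group(1).lower(), m.group(2)))
    return pairs


def ldap_url_parts(value: str) -> Tuple[str, str]:
    """Split an AuthLDAPURL value into (url, mode) where mode is SSL, TLS, NONE or ''."""
    m = re.match(r'"([^"]*)"\s*(\w+)?$', value) or re.match(r"(\S+)\s*(\w+)?$", value)
    if not m:
        return "", ""
    return m.group(1), (m.group(2) or "").upper()


def audit_ldap_auth(conf: str, conf_mode: int = 0o600) -> List[str]:
    """List weaknesses in the LDAP authentication settings of an httpd.conf fragment.

    conf_mode is the mode of the file the fragment lives in (os.stat(path).st_mode & 0o777);
    it is a parameter so the check can run on in-memory text.
    """
    findings = []
    pairs = parse_directives(conf)
    last = dict(pairs)  # last occurrence wins for single-valued directives
    cert_types = {v.split()[0].upper() for k, v in pairs if k == "ldaptrustedglobalcert" and v.split()}

    if last.get("ldapverifyservercert", "on").lower() == "off":
        findings.append("LDAPVerifyServerCert off: the DC's certificate is never checked, so "
                        "anyone who can intercept port 636 can impersonate the DC and collect passwords")
    url, mode = ldap_url_parts(last.get("authldapurl", ""))
    if url and not url.lower().startswith("ldaps://") and mode not in ("SSL", "TLS"):
        findings.append("AuthLDAPURL uses plain ldap:// without STARTTLS: bind and user passwords "
                        "cross the network in cleartext")
    if url and not cert_types & {"CA_DER", "CA_BASE64"}:
        findings.append("no LDAPTrustedGlobalCert CA_* trust anchor: CERT_*/KEY_* entries are a client "
                        "identity, not a CA, so there is nothing to verify the DC against")
    if "authldapbindpassword" in last and conf_mode & 0o044:
        findings.append("AuthLDAPBindPassword sits in a file readable by group or others (mode %o)" % conf_mode)
    return findings


if __name__ == "__main__":
    for name, conf, mode in (("as posted", WEAK_CONF, 0o644), ("hardened", HARDENED_CONF, 0o600)):
        print(name, audit_ldap_auth(conf, mode) or ["no findings"])
```

To run it against the live file, pass the file contents and its mode: audit_ldap_auth(open('/etc/httpd/conf/httpd.conf').read(), os.stat('/etc/httpd/conf/httpd.conf').st_mode & 0o777).  The as-posted config produces three findings (verification off, no CA anchor, bind password in a world-readable file); the hardened one produces none.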
These links were helpful to me in figuring all of this out:
http://www.yolinux.com/TUTORIALS/LinuxTutorialApacheAddingLoginSiteProtection.html
http://acksyn.org/?p=227

Wednesday, January 2, 2013

Using Rancid to backup your configs (Part 3)

If you've followed parts 1 and 2 of this guide, you should have a working Rancid installation with a web interface for CVS.  Now we'll configure email notifications and device polling triggered by configuration changes made to those devices.  I use postfix to send mail notifications, and Simple Event Correlator (SEC) to trigger Rancid when config changes are made.
Let’s configure postfix first.  In my environment, this was pretty simple.  We are using Cisco IronPort appliances as mail gateways.  I configured my Rancid box as a host allowed to send through the IronPort.  Once that was done, I just needed to configure postfix to use the IronPort as a relay.  You should be able to use other mail systems (e.g. Exchange) in the same way.
To do that, edit the file /etc/postfix/main.cf.
  • nano /etc/postfix/main.cf
Find the commented-out relayhost examples and add a line pointing at your gateway:
  • relayhost = FQDN or IP address of your gateway
Start postfix and test your config.
  • service postfix start
  • telnet localhost 25
  • ehlo mail
  • mail from: rancid@mydomain.com
  • rcpt to: brian.gill@mydomain.com
  • data
  • Subject: Testing postfix
  • Just testing postfix.
  • .
  • quit
There will be feedback to each of those commands, it should look something like this:
[root@rancid]# telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 rancid.mydomain.com ESMTP Postfix
ehlo mail
250-rancid.mydomain.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: rancid@mydomain.com
250 2.1.0 Ok
rcpt to: brian.gill@mydomain.com
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
subject: Testing postfix
Just testing postfix.
.
250 2.0.0 Ok: queued as 8EF87C0F28
quit
221 2.0.0 Bye
Connection closed by foreign host.

If your gateway is configured correctly, you should get a message in your inbox.  If not, the postfix log at /var/log/maillog may provide clues to the problem, as well as the logs on your mail system.
Now we can configure triggers based on configuration changes on your devices.  I am monitoring our Cisco routers, so I’ll walk through configuring the routers and SEC for Cisco.
We need to install Simple Event Correlator. 
  • yum install sec
We need to configure SEC to look for the configuration change syslog messages.
  • nano /etc/sec/cisco_config_change.sec
We need to define the message to look for as well as the action to take when a syslog comes in showing a configuration change was made.  The following looks for Cisco syslogs indicating a configuration change was made.  Once the change is detected, the action is triggered.  In this case, Rancid is run to check the configs.
type=Single
ptype=substr
pattern=%SYS-5-CONFIG_I:
desc=device configuration
action=shellcmd /bin/su - rancid -c /usr/local/rancid/bin/rancid-run

With the action above, Rancid will run every time a config change is made.  Alternatively, SEC can be configured to trigger the action at most once every x seconds.  Change type=Single to type=SingleWithSuppress and add the line window=x, where x is the number of seconds.  For example, with window=300 the action fires on the first matching message, and any further CONFIG_I messages in the next 300 seconds (5 minutes) are ignored; changes made during that time are not picked up until the hourly cron run.  The suppression is keyed on the rule's desc, and with the fixed desc above one window is shared by every device.  To give each device its own window, use ptype=regexp with a pattern that captures the hostname and reference the capture in desc (for example desc=config change on $1).
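To make the Single versus SingleWithSuppress behaviour concrete, here is an added example (not part of the original post, and not SEC itself) that replays constructed rsyslog lines through the same logic: substring match on %SYS-5-CONFIG_I:, one suppression window per desc key.  It assumes rsyslog writes the router messages in the usual "Mon dd hh:mm:ss host message" form, fixes the year to 2013 for the sample, and records when the action would fire instead of running rancid-run.

```python
"""Replay syslog lines through SEC-style Single / SingleWithSuppress logic (added example)."""
import re
from datetime import datetime
from typing import List, Tuple

# Constructed sample of lines rsyslog would write when the routers log to the Rancid box:
# two quick successive changes on 192.168.1.1, an unrelated message, then a change on 192.168.1.2.
SAMPLE_LOG = """\
Jan  2 10:00:01 192.168.1.1 120: *Jan  2 10:00:00.501: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
Jan  2 10:00:07 192.168.1.1 121: *Jan  2 10:00:06.900: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
Jan  2 10:00:09 192.168.1.2 55: *Jan  2 10:00:08.100: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
Jan  2 10:06:30 192.168.1.2 56: *Jan  2 10:06:29.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
"""

_SYSLOG = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
_YEAR = 2013  # syslog lines carry no year; assumed for the sample


def parse_syslog_line(line: str):
    """Return (timestamp, host, message), or None for lines that are not syslog records."""
    m = _SYSLOG.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=_YEAR)
    return ts, m.group("host"), m.group("msg")


def correlate(lines, pattern: str = "%SYS-5-CONFIG_I:", window: int = 0,
              per_device: bool = False) -> List[Tuple[datetime, str]]:
    """Return (time, host) for each event on which the action would fire.

    window=0 behaves like type=Single (fire on every match).  A positive window behaves like
    type=SingleWithSuppress: after a match fires, further matches with the same desc key are
    ignored until `window` seconds have passed since the event that fired.  The key is the
    rule's desc: a constant (as in the post) shares one window across all devices; a desc
    built from the hostname (per_device=True) gives each device its own.
    """
    fired = []
    last_fire = {}
    for line in lines:
        parsed = parse_syslog_line(line)
        if parsed is None:
            continue
        ts, host, msg = parsed
        if pattern not in msg:          # ptype=substr
            continue
        key = host if per_device else "device configuration"
        prev = last_fire.get(key)
        if prev is not None and (ts - prev).total_seconds() < window:
            continue                    # suppressed: rancid-run is not started again
        last_fire[key] = ts
        fired.append((ts, host))
    return fired


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for label, kwargs in (("Single", {}),
                          ("SingleWithSuppress window=300", {"window": 300}),
                          ("SingleWithSuppress window=600 per device", {"window": 600, "per_device": True})):
        print(label, [(t.strftime("%H:%M:%S"), h) for t, h in correlate(lines, **kwargs)])
```

With the sample, Single fires three times, a shared 300-second window fires twice (10:00:01 and 10:06:30), and a shared 600-second window fires only once, which means the change on the second router is not fetched until the hourly cron run; keying the window per device fires for both routers.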
Two things have to happen on the Rancid box before the messages can be matched: rsyslog must listen for remote syslog (on CentOS 6, uncomment $ModLoad imudp and $UDPServerRun 514 in /etc/rsyslog.conf and restart rsyslog), and the firewall has to allow UDP 514 in.  SEC also has to be started reading the file rsyslog writes those messages to, e.g. sec --conf=/etc/sec/cisco_config_change.sec --input=/var/log/messages, since the rule file alone does not say where the input comes from.  Syslog over UDP is unauthenticated and trivially spoofed, so limit the rule to the network your devices log from with -s; otherwise anyone on the network can send a forged CONFIG_I message and start rancid-run at will.

  • nano /etc/sysconfig/iptables
  • -A INPUT -m state --state NEW -m udp -p udp -s 192.168.1.0/24 --dport 514 -j ACCEPT  (substitute your management network)
  • service iptables restart
Lastly, we need to configure the device to send syslog messages to Rancid.
  • Router(config)# logging on
  • Router(config)# logging ip-address-of-rancid
That’s all there is to it.  You should now have a working Rancid installation with an SSL web interface that polls your devices on a regular basis as well as when changes are made.  Next on my list is configuring the server to require a log in on the web interface based on our Active Directory.  I’ve been able to get Apache to require the log in and successfully authenticate against AD, but ViewVC doesn’t like the authenticated sessions.  Once I have time to figure it out, I’ll post about it.

Monday, December 31, 2012

Using Rancid to backup your configs (Part 2)

In part 1 of this guide, we configured Rancid to backup your router configs.  Now we need to configure an SSL web interface for CVS.

The web interface I am using is ViewVC.  ViewVC is made up of a cgi script and a MySQL database backend.  We'll also need to install RCS, and some python packages.  All of this is done as the root user.

    Download ViewVC and RCS:
    • wget ftp://ftp.cs.purdue.edu/pub/RCS/rcs-5.8.tar.gz
    • wget http://viewvc.tigris.org/files/documents/3330/49243/viewvc-1.1.17.tar.gz
          Download ez_setup to get the python packages we need.  Create its own directory to store the files.
          • mkdir ~/python
          • cd ~/python
          • wget http://peak.telecommunity.com/dist/ez_setup.py
          • python ./ez_setup.py
          • easy_install babel
          • easy_install Genshi
          • easy_install Pygments
          • easy_install docutils
          • easy_install textile
          • easy_install python-mysqldb
          Unpack and install RCS:
          • cd ~
          • tar -zxvf rcs-5.8.tar.gz
          • cd rcs-5.8
          • ./configure
          • make
          • make install  
          Unpack and install ViewVC:
          • cd ~
          • tar -zxvf viewvc-1.1.17.tar.gz
          • cd viewvc-1.1.17
          • ./viewvc-install 
          Edit the ViewVC config file:
          • nano /usr/local/viewvc-1.1.17/viewvc.conf
          • Change the following to look like this, adding any missing options:
          • #cvs_roots = cvs: (Yes, it needs the leading #)
          • root_parents = /usr/local/rancid/var/CVS : cvs
          • rcs_path = /usr/local/bin/
          • address = <a href=mailto:youradmin@yourdomain.com>IT Support</a>
          • use_enscript = 1
          • enscript_path = /usr/bin/
          • use_highlight = 1
          • highlight_path = /usr/bin
          Move the viewvc.cgi file to the right place and set the proper permissions and attributes:
          • cp /usr/local/viewvc-1.1.17/bin/cgi/*.cgi /var/www/cgi-bin
          • chmod +x /var/www/cgi-bin/*.cgi
          • chown apache:apache /var/www/cgi-bin/*.cgi
          Create server key pair to enable ssl on the web server:
          • mkdir /etc/httpd/certificate
          • cd /etc/httpd/certificate
          • Generate the private key, when prompted supply a passphrase of your choosing: openssl genrsa -aes256 -out server.key 2048
          • Generate a certificate request based on the private key you just generated.  Fill in the prompts as appropriate: openssl req -new -key server.key -out server.csr
          • Submit the request to the CA of your choosing.  In my case, I am using a certificate issued by our own Microsoft Enterprise CA.
          • Put the issued certificate in the folder with the private key.  In my case, I called the file server.cer
          • If you leave the passphrase on the private key, you will need to enter it everytime the server is rebooted, or apache is restarted.  You can remove the passphrase with this command, entering your passphrase when prompted:
          • cp server.key server.key.org
            openssl rsa -in server.key.org -out server.key
          Configure apache and iptables for ViewVC:
          • nano /etc/httpd/conf/httpd.conf
          • Add the following to the config, I added mine at the bottom of the file.  ServerSignature is Off so error pages do not advertise the Apache version, and SSLv3 is disabled along with SSLv2:
          • NameVirtualHost *:443

            <VirtualHost *:443>
                DocumentRoot /var/www
                ServerName rancid.mydomain.com
                ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
                ScriptAlias /viewvc /var/www/cgi-bin/viewvc.cgi
                ScriptAlias /query /var/www/cgi-bin/query.cgi
                ServerSignature Off
                SSLEngine on
                SSLProtocol all -SSLv2 -SSLv3
                SSLCertificateFile /etc/httpd/certificate/server.cer
                SSLCertificateKeyFile /etc/httpd/certificate/server.key

            <Directory "/var/www/cgi-bin">
                AllowOverride None
                Options None
                Order allow,deny
            </Directory>

            </VirtualHost>
          • Edit iptables to allow apache to listen to incoming connections on port 443
          • nano /etc/sysconfig/iptables
          • Add the following line above the rule permitting inbound SSH:
          • -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
          • Reload the firewall rules: service iptables restart
          • Restart apache: service httpd restart
          Configure MySQL and create the ViewVC users as well as the ViewVC database.
          • Start MySQL: service mysqld start
          • Set the MySQL root user password, where yourpassword is a password of your choosing: mysqladmin -u root password 'yourpassword'
          • Create a ViewVC user and grant them permissions to create and use a database.
          • mysql -u root -p - Enter the password you just set when prompted.
          • CREATE USER 'youruser'@'localhost' IDENTIFIED BY 'yourpassword'; Where youruser and yourpassword are of your choosing.  You will need this username and password in a minute.
          • GRANT ALL PRIVILEGES ON ViewVC.* TO 'youruser'@'localhost';  (rights on the ViewVC database alone are enough for make-database to create it; granting *.* WITH GRANT OPTION would hand the web user control of every database on the server)
          • FLUSH PRIVILEGES;
          • Exit MySQL quit
          • Now you need to create the database supplying the credentials you just created when prompted. Keep the default database name, ViewVC: /usr/local/viewvc-1.1.17/bin/make-database
          • We need a read-only database user:
          • mysql -u root -p
          • CREATE USER 'youruserRO'@'localhost' IDENTIFIED BY 'yourpassword';
          • GRANT SELECT ON ViewVC.* TO 'youruserRO'@'localhost';  (no GRANT OPTION: this account is read-only by design)
          • FLUSH PRIVILEGES;
          • quit
          • Edit the ViewVC config file to tell it how to access the database:
          • nano /usr/local/viewvc-1.1.17/viewvc.conf
          • Add this to the [cvsdb] section of the config file:
          • enabled = 1
            host = localhost
            port = 3306
            database_name = ViewVC
            user = youruser
            passwd = yourpassword
            readonly_user = youruserRO
            readonly_passwd = yourpassword
            row_limit = 1000 
          • Populate the ViewVC database with the info from CVS, type this all on one line: /usr/local/viewvc-1.1.17/bin/cvsdbadmin rebuild /usr/local/rancid/var/CVS/CVSROOT
          The last step is to ensure that MySQL and apache start when the server boots up.  The following will do just that.
          • chkconfig --levels 2345 mysqld on
            chkconfig --levels 2345 httpd on
            You should now have a working web interface for CVS.  Navigate to https://<ip address or hostname>/viewvc.  You should see the repository groups specified in part 1 of this guide.  If you click on a group name, you should see configs, and if you click that, you should see the devices we added in part 1.

            Part 3 of this guide will cover configuring email notifications as well as having Rancid poll your devices when a change is made to their configuration.

              Sunday, December 30, 2012

              Using Rancid to backup your configs (Part 1)

              Where I work, budgets are tight.  It seems like we never have enough money to buy all the things we need.  That means looking at leveraging what we already own, and looking at free products.  We didn't have a means to back up our network gear configs.  I stumbled across a free, open source product called Rancid (Really Awesome New Cisco ConfIg Differ) while I was looking for a free Tacacs server.  Despite its name, Rancid is not limited to Cisco gear only, see this for details.  Rancid uses either CVS or SVN to store configs.  As the name suggests, it also diffs them and can show you the changes made.  Rancid can be configured to poll your gear on a schedule, poll your gear when changes are made, or both.  The folks at Shrubbery.net have links to some helpful config documents, some suggestions in their FAQ's and also maintain a Rancid mailing list.  The list archives are a good source of info, but from what I have seen so far, the list is currently very low activity. 

              I used the walkthrough done by Rhys Evans here as the basis for my config.  Anything beyond that I figured out from the FAQ's or from Google searches, which often pointed me to the list archives.  I had to make a few changes to Rhys's guide to make my install work.  This guide assumes a basic knowledge of Linux.  You'll need to know how to edit config files at the command line.  I used CVS.  There are examples out there of how to configure Rancid to use SVN, if you'd rather do that.  Here's what I did.

              I started with a minimal CentOS 6.3 64-bit install in a VMware virtual machine.  I assigned the machine a static ip address during the setup process, and gave it a hostname of rancid.mydomain.com (substitute your domain name for mydomain.com).  All of this is done from an SSH connection to the server.

              We begin by installing the pre-requisites.

              • yum upgrade - because this is a new install, there will be updates to install.
              • yum install nano wget - minimal install does not include wget.  My preferred text editor is nano, so I installed that also.
              You'll need packages from the EPEL (Extra Packages for Enterprise Linux) repository, so we'll install it next.
              • Download it - wget http://mirrors.kernel.org/fedora-epel/6/i386/epel-release-6-8.noarch.rpm
              • Install it - rpm -ivh epel-release-6-8.noarch.rpm
              Now we'll install the rest of the pre-requisites. 
              • yum install expect cvs python httpd mysql mysql-server gcc make autoconf kernel-devel mod_python python-devel
              • yum groupinstall "Development Tools" diffutils
              • yum install php-common php-gd php-mcrypt php-pear php-pecl-memcache php-mysql php-xml MySQL-python mod_ssl
              Reboot your server.
              • shutdown -r now
              Once you log back in, you need to create a group and a user for Rancid to run under.  I used netadm and rancid for the group and user respectively as shown in Rhys's guide.  You can use whatever names you like, you'll need to substitute those names in the latter parts of the config.  I am using /usr/local/rancid as the install location for Rancid, you can use any directory you like, just substitute it where appropriate.
              • groupadd netadm
              • useradd -g netadm -c "Networking Backups" -d /usr/local/rancid rancid
              Now we need to create the directory to store the source.
              • mkdir /usr/local/rancid/tar
              • cd /usr/local/rancid/tar
              Download the latest version, 2.3.8 as of this writing.  Once downloaded, extract and install.
              • wget ftp://ftp.shrubbery.net/pub/rancid/rancid-2.3.8.tar.gz
              • tar -zxvf rancid-2.3.8.tar.gz
              • cd rancid-2.3.8
              • ./configure --prefix=/usr/local/rancid/
              • make install
              Copy sample .cloginrc file to the Rancid install and set security on the file.
              • cp cloginrc.sample /usr/local/rancid/.cloginrc
              • chmod 0640 /usr/local/rancid/.cloginrc
              Configure ownership and permissions on the Rancid installation.
              • chown -R rancid:netadm /usr/local/rancid/
              • chmod 770 /usr/local/rancid/
              Now you need to edit the Rancid config file.  The group(s) specified in this step are the categories the configurations will appear under.  I have mine separated out by type.
              • nano /usr/local/rancid/etc/rancid.conf
              • Look for LIST_OF_GROUPS and add group names.  Mine says: LIST_OF_GROUPS="Routers Firewalls Wireless_Controllers Load_Balancers"
              Next you'll need to edit the aliases file to add aliases for your groups you just configured.  In my case, I am the only one that needs mail notifications.  You can configure different groups of devices to go to different people or groups.
              • nano /etc/aliases
              • Add this to the file. You'll want to create the same pair of aliases for each group in your rancid.conf: 
              • rancid-admin-Routers: rancid-Routers
              • rancid-Routers: noc
              • Edit the noc alias as appropriate. noc: brian.gill@mydomain.com
              • Once you've saved the file, you need to let your server know about the changes. Type in newaliases.
              Time to add the Rancid info to CVS.
              • Switch to the rancid user created earlier: su - rancid
              • /usr/local/rancid/bin/rancid-cvs - This sets up the Rancid info in CVS.  You should see output similar to:
                    No conflicts created by this import
                    cvs checkout: Updating Routers
                    cvs checkout: Updating Routers/configs
                    cvs add: scheduling file `router.db' for addition
                    cvs add: use 'cvs commit' to add this file permanently
                    RCS file: /usr/local/rancid//var/CVS/Routers/router.db,v
                    done
                    Checking in router.db;
                    /usr/local/rancid//var/CVS/Routers/router.db,v <-- router.db
                    initial revision: 1.1
                    done

              Now we can add crontab entries to schedule automatic polling of the devices and to cleanup the Rancid log files.  The following entries will have Rancid poll your devices once an hour 1 minute after the top of the hour and delete logs with a modified date older than 2 days at 11:50 pm every night.  You can adjust these to meet your needs.  The crontab command uses vi to edit the file.  In case you aren't familiar, you need to press i to enter insert mode.  Once you've added your entries hit escape to exit insert mode, and type :wq to save your changes and exit vi.
              • Type in crontab -e and add the following 2 lines
              • 1 * * * * /usr/local/rancid/bin/rancid-run #hourly router dump
                50 23 * * * /usr/bin/find /usr/local/rancid/var/logs -type f -mtime +2 -exec rm -f {} \;

              Now we need to supply Rancid with a list of devices and the credentials to log in to those devices.  You'll need to edit the router.db files for each group you created earlier.
              • nano /usr/local/rancid/var/Routers/router.db
              • Add a line in the format "hostname or ip:type:up", e.g. 192.168.1.1:cisco:up
              • nano /usr/local/rancid/.cloginrc
              • You'll need to comment out the sample groups in the file by adding a # in front of the line.
              • Add device credentials
              • add user 192.168.1.1 user
              • add password 192.168.1.1 password enablepassword (NOTE: passwords that contain special characters will need to have those characters escaped.  For example, if your password is password!, the ! will need to be escaped, like this: password\!)
              • add method 192.168.1.1 ssh (Rancid defaults to telnet)
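Before the first rancid-run it is worth checking that every device marked up in router.db has credentials and an explicit ssh method in .cloginrc, since a device without an add method line is reached over telnet.  The following is an added example (not part of the original post or of rancid) that does that check on constructed copies of both files: it assumes the 2.3.x colon-separated router.db format, handles the braces and backslash escapes .cloginrc uses, applies clogin's first-matching-entry rule, and takes the .cloginrc file mode as a number so the sample runs without touching the filesystem.

```python
"""Cross-check rancid's router.db against .cloginrc (added example, not rancid code)."""
import fnmatch
import re
from typing import List, Optional, Tuple

# Constructed sample router.db (rancid 2.3.x format: host:type:state).
ROUTER_DB = """\
192.168.1.1:cisco:up
192.168.1.2:cisco:up
192.168.1.3:cisco:down
"""

# Constructed sample .cloginrc.  The password for 192.168.1.1 contains a '!' escaped with a
# backslash, as described above; the catch-all 192.168.1.* entries have no 'add method',
# so clogin falls back to telnet for 192.168.1.2.
CLOGINRC = r"""
# sample entries from the distribution are commented out
#add user *              {rancid}
add user 192.168.1.1     rancid
add password 192.168.1.1 s3cret\! en4ble
add method 192.168.1.1   ssh
add user 192.168.1.*     rancid
add password 192.168.1.* {back up} {en4ble}
"""

_TOKEN = re.compile(r"\{[^}]*\}|\S+")


def _unquote(tok: str) -> str:
    """Strip Tcl braces, or drop the backslash from an escaped character."""
    if tok.startswith("{") and tok.endswith("}"):
        return tok[1:-1]
    return re.sub(r"\\(.)", r"\1", tok)


def parse_cloginrc(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (directive, host_glob, values) for each 'add' line, in file order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        toks = [_unquote(t) for t in _TOKEN.findall(line)]
        if len(toks) >= 4 and toks[0] == "add":
            entries.append((toks[1], toks[2], toks[3:]))
    return entries


def lookup(entries, directive: str, host: str) -> Optional[List[str]]:
    """The first entry whose glob matches the host wins, as clogin does."""
    for d, glob, values in entries:
        if d == directive and fnmatch.fnmatchcase(host, glob):
            return values
    return None


def parse_router_db(text: str, sep: str = ":") -> List[Tuple[str, str, str]]:
    """Return (host, type, state) for each non-comment line."""
    devices = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(sep)
        if len(fields) >= 3:
            devices.append((fields[0], fields[1], fields[2]))
    return devices


def audit_devices(router_db: str, cloginrc: str, cloginrc_mode: int = 0o640) -> List[str]:
    """Report devices rancid would fail on, or reach over telnet, plus an exposed .cloginrc."""
    findings = []
    if cloginrc_mode & 0o004:
        findings.append(".cloginrc is readable by everyone (mode %o): it holds every device password"
                        % cloginrc_mode)
    entries = parse_cloginrc(cloginrc)
    for host, _dev_type, state in parse_router_db(router_db):
        if state != "up":
            continue
        if lookup(entries, "user", host) is None:
            findings.append("%s: no matching 'add user' entry" % host)
        if lookup(entries, "password", host) is None:
            findings.append("%s: no matching 'add password' entry" % host)
        method = lookup(entries, "method", host) or ["telnet"]  # clogin's default
        if "telnet" in method:
            findings.append("%s: login method %s sends credentials and the config in cleartext"
                            % (host, " ".join(method)))
    return findings


if __name__ == "__main__":
    for finding in audit_devices(ROUTER_DB, CLOGINRC):
        print(finding)
```

On the sample the only finding is 192.168.1.2 falling back to telnet; passing a mode of 0o644 adds a second finding for the world-readable .cloginrc.  To check a real install, read /usr/local/rancid/var/<Group>/router.db and /usr/local/rancid/.cloginrc and pass os.stat(...).st_mode & 0o777 as the mode.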
              Once you've saved your changes, you can test your Rancid install.
              • /usr/local/rancid/bin/rancid-run
              Once that completes, check the Rancid logs to verify that everything ran correctly.
              • cd /usr/local/rancid/var/logs
              • ls (list the log files which are in the format Group.yyyymmdd.hhmmss)
              • cat logfilename
              You should see something like this:
                    [root@rancid logs]# cat Routers.20121228.200913
                    starting: Fri Dec 28 20:09:13 EST 2012
                    cvs add: scheduling file `192.168.1.1' for addition
                    cvs add: use 'cvs commit' to add this file permanently
                    RCS file: /usr/local/rancid/var/CVS/Routers/configs/192.168.1.1,v
                    done
                    Checking in 192.168.1.1;
                    /usr/local/rancid/var/CVS/Routers/configs/192.168.1.1,v  <--  192.168.1.1
                    initial revision: 1.1
                    done
                    Added 192.168.1.1

                    Trying to get all of the configs.
                    All routers sucessfully completed.

                    cvs diff: Diffing .
                    cvs diff: Diffing configs
                    cvs commit: Examining .
                    cvs commit: Examining configs
                    Checking in router.db;
                    /usr/local/rancid/var/CVS/Routers/router.db,v  <--  router.db
                    new revision: 1.2; previous revision: 1.1
                    done
                    Checking in configs/192.168.1.1;
                    /usr/local/rancid/var/CVS/Routers/configs/192.168.1.1,v  <--  192.168.1.1
                    new revision: 1.2; previous revision: 1.1
                    done
                 
                    ending: Fri Dec 28 20:09:30 EST 2012

              You should also see a file called 192.168.1.1 in the folder /usr/local/rancid/var/Routers/configs.  This will be the most current config download from your device.  You could use this to restore a device if needed.  Note: the passwords are all redacted from these files.

              Now you have a working Rancid installation.  In later parts of this guide, I'll walk through configuring a web interface for CVS, having Rancid pull your configs when a change is made, and setting up e-mail alerts when changes are made.

              Wednesday, April 13, 2011

              Configuring Dell 54xx and 62xx switches for https.

              At work, we recently acquired 3 Dell switches, a 6248P, a 5424 and a 5448.  Based on some older Dell switches we own, Dell has come a long way with their switches.

              Hopefully everyone knows that plaintext protocols are terrible for securely managing devices.  These switches are capable of SSH, telnet, http and https.  SSH is sufficient for remote management of the switch, but if you need or want a GUI, https is the only way to go.  Since Dell doesn't have anything in their documentation about setting it up, and I wasn't able to find a complete configuration guide for enabling https, I thought I'd share what it took for me to get it going.  This guide assumes you have already configured the switch for ssh access, or that you are managing the switch from the console cable.

              Once you've logged into your switch, you will see a prompt like this:  hostname#, where hostname is the name you've assigned to your switch.

              First you need to verify that the time is set correctly, since a certificate issued with a wrong clock will be outside its validity period for every browser.  show clock will tell us if it is.
              Dell5424#show clock
              *00:58:11 (UTC+0)  Jan 1 2000
              No time source
              My switch was not set.  You can set it manually with the clock set command.
              Dell5424# clock set 15:37:00 apr 13 2011
              Alternatively, you can configure the switch for Simple Network Time Protocol (SNTP), where x.x.x.x is the IP address of the server you want to get time from.
              Dell5424(config)# clock source sntp
              Dell5424(config)# sntp server x.x.x.x poll
              Dell5424(config)# sntp client enable vlan 1
              Dell5424(config)# clock timezone -5 zone EST
              Dell5424(config)# clock summer-time recurring usa zone EDT
              Dell5424(config)# sntp unicast client enable
              Dell5424(config)# sntp unicast client poll


              Now we can verify that the time settings took

              Dell5424(config)# exit
              Dell5424# show clock detail
               11:47:30 EDT(UTC-5)  Apr 13 2011
              Time source is sntp

              Time zone:
              Acronym is EST
              Offset is UTC-5

              Summertime:
              Acronym is EDT
              Recurring every year.
              Begins at 02 01 03 02:00.
              Ends at 01 01 11 02:00.
              Offset is 60 minutes.
              Dell5424#show sntp status

              Client Mode:                       Unicast
              Last Update Time:                  APR 13 15:40:00 2011

              Unicast servers:
              Server          Status                 Last response
              --------------- ---------------------- --------------------------
              x.x.x.x    Success                15:40:00 Apr 13 2011

              Dell5424#


              Now we need to generate the certificate for the web server to use to secure the connection.

              Dell5424# conf
              Dell5424(config)# crypto certificate 1 generate generate-key
              Here I'm generating a certificate for slot 1, but you can use either 1 or 2 after certificate.
              We need to assign the newly generated certificate to the https server, turn the server on and disable the http server.

              Dell5424(config)# ip https certificate 1
              Dell5424(config)# ip https server
              Dell5424(config)# no ip http server

              Of course, don't forget to save your work!

               Dell5424# copy running-config startup-config
              Overwrite file [startup-config] ?[Yes/press any key for no]....13-Apr-2011 16:05:55 %COPY-I-FILECPY: Files Copy - source URL running-config destination URL flash://startup-config
              13-Apr-2011 16:06:01 %COPY-N-TRAP: The copy operation was completed successfully
              Copy succeeded
              Dell5424#


              On the 62xx series switches, the commands are slightly different.

              Dell6248P(config)#sntp server x.x.x.x poll
              Dell6248P(config)#sntp unicast client enable
              Dell6248P(config)#clock timezone hours-offset -5 EST
              Dell6248P(config)#clock timezone -5 zone EST
              Dell6248P(config)#clock summer-time recurring usa zone EDT
              Dell6248P(config)#exit
              Dell6248P#show clock
              16:18:38 EDT(UTC-4:00) Apr 13 2011
              Time source is SNTP

              Dell6248P#config
              Dell6248P(config)#crypto certificate 1 generate
              Dell6248P(config-crypto-cert)#key-generate
              Dell6248P(config-crypto-cert)# exit

              Dell6248P(config)# ip https certificate 1
              Dell6248P(config)# ip https server
              Dell6248P(config)# no ip http server

              Dell6248P(config)#exit
              Dell6248P#copy running-config startup-config
              This operation may take a few minutes.
              Management interfaces will not be available during this time.
              Are you sure you want to save? (y/n) y
              Configuration Saved!
              Dell6248P# 


              Coming from the Cisco world where typing "ip http secure-server" generates the certificate, assigns it to the web server and enables the web server, this was a bit more complicated.  Hopefully this will help someone else configure their gear to be more secure.

              NOTE:  Following the steps in this tutorial will generate self-signed certificates on your switches.  Because the certificates are issued by a non-trusted CA, your browser will display an error when you navigate to those pages.  Because of that, these certificates may not be appropriate in your environment.  There are commands to generate certificate requests that can be used to obtain certificates from a trusted authority, I'll publish a tutorial about that sometime in the future.

              Sunday, April 10, 2011

              A little about this blog and me.

              I am a corporate network and server administrator at a consulting firm.  I am beginning a project to leverage  the technologies we already have in place.   My goal is to design and implement a solution that includes intrusion detection, log management, event correlation, config management and better visibility into how our network is operating.  As I embark on this project, I plan to write about the process, from product decisions to deployment and configuration.  I hope you find this information helpful.