Manual Chapter :
Authentication & Access
Applies To:
Show VersionsF5OS-C
- 1.6.1
Authentication & Access
Authentication and access overview
You can manage the
VELOS
system at all levels
from the CLI, the webUI, or using REST APIs. Each of these levels is distinct from one another requiring separate user names and passwords.
The
VELOS
system has three
levels of user management:- System controller level (chassis)
- At the system controller level, after basic configuration is complete, the system includes default root (Bash access only) and admin accounts that you can use to log in to the system. The system controller administrator uses the admin account and changes the default passwords when logging in the first time. At that point, the admin user can also create additional accounts for other users, such as other system controller administrators or operators. The system controller administrator also creates the chassis partitions, terminal server administrators, or operators.
- Chassis partition level
- At the chassis partition level, the chassis partition administrator logs into the chassis partition previously created by the system controller administrator. The chassis partition provides a default admin account and a chassis partition root account. The chassis partition administrator utilizes the admin account for managing the chassis partition, adding users, such as additional partition administrators, operators, and tenant console operators. You can use the root account to log into the blades in the partition (when accessing the serial consoles of the blades), but cannot log into the partition webUI or CLI.
- Tenant level
- Since the tenants are independent of the rest of theVELOSsystem, management of tenant users is not covered in this guide. For more information, see the tenant documentation (such asBIG-IPsoftware documentation at my.f5.com).
User roles overview
There are multiple user roles for managing the
VELOS
system, and each role performs different sets of
administrative actions at conceptually different levels.On
VELOS
systems,
users with admin access can make configuration changes at the level in which
they are working (either the system controller level or the chassis partition
level).System controller-level user roles
This table lists user roles at the system controller
level.
Role |
Description |
---|---|
admin |
Provides access to the system controller CLI or system
controller webUI to configure the system at the system controller level
with unrestricted read/write access. Can unlock any system controller
users. Logs in to the active system controller or floating IP address.
No Bash access. Has broader ability and can create
chassis partitions, configure management interfaces, install system
controller level software, modify system settings, activate
licensing, set up high availability for the two system controllers,
and perform user management for the system controllers. The default login credentials
are admin/admin. When logging in as admin for the first time, the
system prompts you to change the password. This also changes the
default password for the root account to match that of the admin
account. |
limited |
F5 internal use only. |
operator |
Allows read access to system controller level configurations
from the system controller CLI or system controller webUI, and write
access to change password only. Logs in to the active system controller
or floating management IP address. No Bash access. Has read-only access to every screen and every
configuration object at the level in which they are working (either the system
controller level or the chassis partition level) . If an
operator tries to modify any setting, however, the system displays a
warning that explains that their role is unauthorized to make the
configuration change. |
partition_n (1-n) |
Can be assigned from the system controller CLI. The system
controller administrator can create one partition console role per
partition, where n refers to the chassis partition ID. When a user with
the chassis partition_n role logs in on a specific blade port using root
credentials, they are presented with the blade console through the
terminal server. This is for troubleshooting and debugging the
system. |
resource admin |
Similar to the Admin user role, but cannot create, modify, or
delete local user accounts; create, modify, or delete server groups; or
modify any authentication settings. This user role can modify their own
user detail to change their own password. |
root |
Created by the system. Used by the system controller
administrator. Provides Bash shell access to the entire system
including all components including the blades. The system
controller root account can be accessed from any system
controller IP address, and from the system controller console.
The root password can be changed using the
passwd command, or by an admin user
from the CLI. On first login, you are
forced to change the password. If you change the root user
password and the admin password is ‘admin’ at that time,
the admin user will have the same new password. F5 recommends
disabling the root account using appliance mode in
production to reduce the attack surface of the system and
protect it from any vulnerabilities. |
Chassis partition-level user roles
This table lists user roles at the chassis partition
level.
Role |
Description |
---|---|
admin |
Used for the chassis partition administrator. Provides access
to the chassis partition CLI or chassis partition webUI to configure the
system at the chassis partition level with unrestricted read/write
access. Can unlock operator users. Logs in to the chassis partition
management IP address. No Bash access. Can access only the chassis
partition to which they have been assigned. They can configure
network settings, port groups, interfaces, VLANs, LAGs, partition
log settings, tenant deployments, system settings, and perform user
management for those chassis partitions. The default login credentials are admin/admin.
When logging in as admin for the first time, the system prompts you
to change the password. This also changes the default password for
the root account to match that of the admin account. |
limited |
F5 internal use only. |
operator |
Used for the chassis partition operator. Allows read access to
the chassis partition configuration from the chassis partition CLI or
chassis partition webUI, and write access to change password only. Logs
in to the chassis partition management IP address. No Bash access. Has read-only access to every screen and every
configuration object at the level in which they are working (either the system
controller level or the chassis partition level) . If an
operator tries to modify any setting, however, the system displays a
warning that explains that their role is unauthorized to make the
configuration change. |
resource admin |
Similar to the Admin user role, but cannot create, modify, or
delete local user accounts; create, modify, or delete server groups; or
modify any authentication settings. This user role can modify their own
user detail to change their own password. |
tenant
console |
Has virtual console access to tenants from the chassis
partition CLI. Tenant console access is authenticated by tenant root
credentials. No access to any part of the chassis partition. |
partition
root |
Has Bash access to blades that are part of the chassis
partition. Provided on the system. Log in to the console on a blade.
Should be used only in rare cases when troubleshooting the system. The root password can be changed using the
passwd
command or by an admin user from the CLI. On first login, you are
forced to change the password. If you change the root password and
the admin password is ‘admin’ at that time, admin will have the same
new password.F5 recommends disabling the root account and
using appliance mode in production to reduce the attack surface of
the system and protect it from any vulnerabilities. |
Remote authentication overview
The
VELOS
system includes support
for using a remote authentication server to store system user accounts. After you have
created system accounts on the remote server (using the server vendor's instructions),
you can configure the VELOS
system to use that
server type to authenticate and authorize users. You can enable all available remote
authentication methods and use either the CLI or webUI to indicate the order in which
you would like the methods to be attempted when a user logs in.Enable remote authentication from the webUI
If you want to use a remote authentication server
with your
VELOS
system, you must configure the
type of authentication and settings to use at both the system controller/chassis level
and chassis partition level. You can configure LDAP, RADIUS, Active Directory, and/or
TACACS+ for external authentication from either the system controller or chassis
partition webUI.- Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
- On the left, click.
- ForAuthentication Methods, from theAvailablelist, select one or more options and click the arrows to move them to theSelectedlist.The authentication server must be configured and reachable from the system.TheLocal (Always Selected)option is always enabled and cannot be changed. Local authentication is always enabled, by default, so the administrator can always access the system in case of external authentication server failure.
- ClickShowto display additional settings, as needed, such as those in the Common LDAP Configuration area.This is required only if you want to use LDAP and create LDAP server groups with LDAP servers.
- ClickSave.
The authentication settings are configured at the
system controller/chassis level or the chassis partition in which you are working. When
a user logs in, the system attempts to authenticate them against the configured
authentication methods. When the account has a match within any of the configured
authentication methods, the user is authenticated and given access.
Configure remote authentication priority from the
webUI
You can configure the order in which the
VELOS
system attempts
authentication methods when a user logs in to the system from either the
system controller or chassis partition webUI.- Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
- On the left, click.
- ForAuthentication Methods, from theSelectedlist, select an authentication method and click the arrows to move it up or down in the list.TheLocal (Always Selected)option is always enabled and cannot be changed. Local authentication is always enabled, by default, so the administrator can always access the system in case of external authentication server failure.
- ClickSave.
Create authentication server groups from the webUI
You can create authentication server
groups from either the system controller or chassis partition webUI to
organize servers using the same type of authentication method at both the
system controller/chassis level and the chassis partition level. This is
because the authentication servers used on the chassis partition might differ
from those used on the system controllers at the chassis level.
- Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
- On the left, click.
- ClickAdd.
- ForName, enter a recognizable name for the server group.
- ForProvider Type, selectLDAP,OSCP,RADIUS, orTACACS+to qualify the type of servers that will be in the group.
- ClickSave & Close.
You have created the authentication server
group.
Next, you can add servers to the server
group.
Add servers to authentication server groups from the
webUI
Before you add server groups, you
must have previously created at least one server group.
You can add servers to an authentication
server group from either the system controller or chassis partition
webUI.
- Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
- On the left, click.
- Click the server group to which you want to add servers.The Edit Server Group screen displays.
- ClickAdd.
- Add server information for the server group.
- Provider Typeis set when you create the server group and cannot be changed.
- For an LDAP server group, you can change thePortnumber orTypeof the server.Select from these options:LDAP over TCPorLDAP over SSL(requires SSL certificate) depending on which protocol the LDAP server uses.
- For an OCSP server group, you can change thePortnumber.
- For a RADIUS server group, you can change thePortnumber,Secret(string or password), orTimeout(seconds to wait for a response from the server).
- For a TACACS+ server group, you can change thePortnumber,Secret(string or password), orSource Address.
- ClickSave & Close.
Add as many servers as needed to the authentication server group. OCSP
server groups can contain only one OCSP server.
Group IDs (GIDs) and system authentication roles
Users with the admin role can configure the system to use these
authentication methods to authenticate users:
- External LDAP Server (includes Active Directory)
- External RADIUS Server
- External TACACS+ Server
- Local (local UNIX authentication)
Each user role is internally mapped to a group ID. Users
created and managed on external LDAP, Active Directory, RADIUS, or TACACS+
servers must have the same group IDs on the external servers as they do on
F5
VELOS
systems to enable authentication and authorization
to occur on VELOS
systems. Users
created on external LDAP, Active Directory, RADIUS, or TACACS+ servers must be
associated with one of these group IDs on the system.You can only use existing roles and
cannot create new roles.
The group IDs are specified in a user configuration file on
the external server (file locations vary on different servers). You can assign
these F5 user attributes:
F5-F5OS-UID=1001 F5-F5OS-GID=9000 <-- THIS MUST MATCH /etc/group items F5-F5OS-HOMEDIR=/tmp <-- Optional; prevents sshd warning msgs F5-F5OS-USERINFO=test_user <-- Optional user info F5-F5OS-SHELL=/bin/bash <-- Ignored; always set to /var/lib/controller/f5_confd_cli
Setting
F5-F5OS-HOMEDIR=/tmp
is a good idea to avoid warning messages
from sshd that the directory does not exist. Also, the source address in the
TACACS+ configuration is not used by the VELOS
system.If F5-F5OS-UID is not set, it defaults to 1001. F5-F5OS-GID is required; if
not set, user authentication will fail. The F5-F5OS-USERINFO is a comment field.
Essentially, F5-F5OS-GID is the only hard requirement and must coincide with the group
ID's user role.
Group IDs for system controller roles
This table lists group IDs for system controller
roles.
Role |
Group ID |
---|---|
admin |
9000 |
operator |
9001 |
partition_1 |
9101 |
partition_2 |
9102 |
partition_3 |
9103 |
partition_4 |
9104 |
partition_5 |
9105 |
partition_6 |
9106 |
partition_7 |
9107 |
partition_8 |
9108 |
resource admin |
9003 |
root |
0 |
ts_admin |
9100 |
user |
9002 (internal F5 use only) |
Group IDs for chassis partition roles
This table lists group IDs for chassis partition
roles.
Role |
VELOS Group ID |
---|---|
admin |
9000 |
operator |
9001 |
resource admin |
9003 |
root |
0 |
ts_admin |
9100 |
Group ID configuration examples
RADIUS server
The user configuration file is often named
/etc/raddb/users
. This is
an example of an entry for an administrator with admin privileges:radius_user Cleartext-Password := test F5-F5OS-UID := 1001, F5-F5OS-GID := 9000, F5-F5OS-HOMEDIR := "/tmp", F5-F5OS-SHELL := "/var/lib/controller/f5_confd_cli"
TACACS+ server
For example, on a TACACS+ server, the user configuration file is
typically named
/etc/tac_plus.conf
. This is an example of an entry for an
administrator with admin privileges:group = admin { service = ppp protocol = ip { default attribute=permit F5-F5OS-UID=1001 F5-F5OS-GID=9000 F5-F5OS-HOMEDIR=/tmp F5-F5OS-USERINFO=test_user } } user = test_tacacs_user { global = cleartext "test-tacplus" member = admin }
Display user roles for system controllers from the CLI
You can display the administrator roles
with their associated group IDs from the system controller CLI using an
account with admin or operator access.
- Log in to the command line interface (CLI) of the system controller using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Display user roles for the system controllers.show system aaa authentication rolesA summary similar to this example displays:syscon-1-active# show system aaa authentication roles ROLENAME GID USERS ---------------------------- admin 9000 - operator 9001 - partition_1 9101 - partition_2 9102 - partition_3 9103 - partition_4 9104 - partition_5 9105 - partition_6 9106 - partition_7 9107 - partition_8 9108 - resource-admin 9003 - ts_admin 9100 - user 9002 -
Display user roles for chassis partitions from the CLI
You can display the administrator roles with their
associated group IDs from the chassis partition CLI using an account
with admin or operator access.
- Log in to the command line interface (CLI) of the chassis partition using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Display user roles for the chassis partition.show system aaa authentication rolesA summary similar to this example displays:default-1# show system aaa authentication roles ROLENAME ROLENAME GID USERS ----------------------------------------------- admin admin 9000 - limited limited 9999 - operator operator 9001 - resource-admin resource-admin 9003 - tenant-console tenant-console 9100 -
Custom remote group IDs (GIDs)
Using an account with admin or operator access, you can
configure a custom remote group ID (GID) for all remote authentication methods
(LDAP, TACACS+, RADIUS). For example, this enables LDAP administrators to
specify admin and operator groups, and then associate those GIDs to the
associated roles rather than the hard-coded 9000 and 9001. The default GID
fields (that is, 9000 and 9001) are not affected, and the system maps the
remote GID to the default GID.
You can assign remote GID mappings for only one remote
authentication method at a time. If you switch from LDAP to RADIUS, for
example, you will have to reconfigure the settings for RADIUS. If you then
decide to go back to LDAP, you will have to reconfigure again. F5 recommends
that you avoid assigning multiple F5-mapped GIDs to a single user
account.
Configure remote group IDs (GIDs) from the CLI
Using an account with admin or operator access, you
can configure a custom group ID (GID) for all remote authentication methods (LDAP,
TACACS+, Radius) from either the system controller or chassis partition CLI.
- Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Configure a remote GID.system aaa authentication roles role <role-name> config remote-gidThis example assigns a remote GID to the admin user:syscon-1-active(config)# system aaa authentication roles role admin config remote-gid (<unsignedInt>) (9000): 6000
- Commit the configuration changes.commit
- Return to user (operational) mode.end
- Verify that the operator user role is assigned the custom remote GID.show system aaa authentication rolesA summary similar to this example displays:syscon-2-active# show system aaa authentication roles ROLENAME GID USERS ----------------------------- admin 9000 - operator 9001 - partition_1 9101 - partition_2 9102 - partition_3 9103 - partition_4 9104 - partition_5 9105 - partition_6 9106 - partition_7 9107 - partition_8 9108 - resource-admin 9003 - ts_admin 9100 - user 9002 -
Verify that the remote GID for the user matches the GID on the remote
authentication server.
LDAP/AD configuration overview
You can configure the
VELOS
system to
use an LDAP or Microsoft Windows Active Directory (AD) server for
authenticating VELOS
system user
accounts.Before you begin:
- Verify that the LDAP service is set up on a server that is accessible to theVELOSsystem. The default port for the LDAP service is 389 for unsecure protocol (LDAP) or 636 for secure protocol (LDAPS). If the service is configured with a different port, make note of it, as you will need that port number during configuration.
- Import one or more LDAP certificates if you want to verify the certificate of the authentication server.
- Assign users to valid system group IDs on the external LDAP or Active Directory servers. For more information, see Group IDs (GIDs) and system authentication roles.
- For the system to recognize an Active Directory user, the user's uidNumber attribute must be set to a valid value. The gidNumber for important groups must also be set to a valid value. While these attributes are typically present in a basic LDAP configuration, they are often missing from a basic AD configuration.
LDAP/AD configuration from the webUI
Configure LDAP/AD authentication from the webUI
You can configure the use of LDAP/Active
Directory (AD) authentication with
VELOS
systems from either the system controller or chassis
partition webUI.- Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
- On the left, click.
- ForAuthentication Methods, from theAvailablelist, selectLDAPand click the arrows to move it to theSelectedlist.The LDAP server must be configured and reachable from the system.TheLocal (Always Selected)option is always enabled and cannot be changed. Local authentication is always enabled, by default, so the administrator can always access the system in case of external authentication server failure.
- In the Common LDAP Configuration area, clickShowto expand the settings.The Common LDAP Configuration settings are required only if you want to use LDAP and create LDAP server groups with LDAP servers.
- ForBase DN, enter the base distinguished name (name-value pairs) from which to start the search for the LDAP user (for example,dc=example,dc=org).
- ForBind, specify the information for binding the LDAP service account.
- ForDN, enter the distinguished name with which to bind to the LDAP directory server for lookups (for example:cn=admin,dc=example,dc=org).
- ForPassword, enter the admin password for the LDAP server.F5 recommends that the LDAP service account password is set to never expire. Otherwise, if it expires, LDAP authentication will not be possible and might result in users getting locked out of the system.
- ForConfirm, retype the password.
To clear the password, clickClear. - ForConnect Timeout, specify the maximum amount of time, in seconds, that the system waits before timing out when trying to reach the LDAP server.
- ForRead Timeout, specify the maximum amount of time, in seconds, that the system waits to receive an LDAP response before aborting the read attempt.
- ForIdle Timeout, specify the maximum amount of time, in seconds, that an LDAP connection can be inactive before the connection is closed.
- ForLDAP Version, select the version of the LDAP protocol to use, or use the default of3.
- ForChase Referrals, select whether to enable LDAP referral chasing.The default value isTrue, which specifies that the system queries all LDAP servers in the domain. This might cause delays and timeouts when authenticating against an LDAP server.
- If the LDAP server has Transport Layer Security (TLS) support, fromTLS, select whether to use TLS to encrypt the transfer of authentication data between the LDAP server and the system.OptionDescriptionOnUse TLS to secure all connections.OffDo not use TLS.StartTLSStarts a connection in unencrypted mode on a port configured for plain text and negotiates the encryption with the client. If selected, it is used rather than raw LDAP over SSL.If set toOnorStartTLS, additional TLS-related fields are enabled.
- ForTLS Certificate Validation, specify what checks to perform on a server-supplied certificateOptionDescriptionNeverTLS certificate is not required.AllowAllow the connection. The server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, it is ignored and the session proceeds normally.TryRequest the TLS certificate. The server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, the session is immediately terminated.DemandRequest the certificate. If no certificate is provided, or a bad certificate is provided, the session is immediately terminated.HardRequest the certificate. If no certificate is provided, or a bad certificate is provided, the session is immediately terminated.
- ForTLS CA Certificate, clickShowand paste the contents of the X.509 certificate (self-signed or from a CA) for peer authentication.
- ForCipher String, enter the cipher string to specify the type of encryption to use (for example, ECDHE-RSA-AES256-GCM-SHA384 or ECDHE-RSA-AES128-GCM-SHA256).The cipher string can take several additional forms. It can consist of a single cipher suite such as RC4-SHA. It can represent a list of cipher suites containing a certain algorithm, or cipher suites of a certain type. For example, SHA1 represents all cipher suites using the digest algorithm SHA1, and SSLv3 represents all SSLv3 algorithms.You can combine lists of cipher suites into a single cipher string using the + character as a logical AND operation. For example, SHA1+DES represents all cipher suites containing the SHA1 and DES algorithms.For additional information, see the ciphers man page at www.openssl.org/docs/manpages.html.
- In theTLS Certificatefield, clickShowand paste the text of the local certificate for client TLS authentication.
- In theTLS Keyfield, clickShowand paste the text of the private key for client TLS authentication.
- ForAuthenticate with Active Directory, selectTrueif you want LDAP to authenticate against an Active Directory (AD) server.
- ClickSave.
LDAP/AD authentication for users is
configured on the system. When a user logs in, the system attempts to
authenticate them against the configured authentication method. When the
account has a match within any of the configured authentication methods, the
user is authenticated and given access.
Next, you can create a server group.
Configure an LDAP/AD server group from the webUI
You can configure an LDAP/Active
Directory (AD) server group from either the system controller or chassis
partition webUI.
- Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
- On the left, click.
- ClickAdd.
- ForName, create a recognizable name for the server group.
- ForProvider Type, selectLDAPto qualify the type of servers that will be in the group.
- ClickSave & Close.
- Add servers to the server group:
- ForServer, type the IPv4, IPv6 address, or FQDN of the LDAP server to add.
- ForPort, make sure the port number is correct for LDAP traffic.The default value is636.
- From theTypelist, selectLDAP over TCPorLDAP over SSL(secured) depending on which is supported.
- ClickSave & Close.
Add as many servers as needed to the
group.
LDAP/AD configuration from the CLI
Configure LDAP/Active Directory authentication
from the CLI
You can configure
VELOS
for
LDAP/Active Directory authentication from either the system controller or chassis
partition CLI.- Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Set the authentication method to LDAP.system aaa authentication config authentication-method LDAP_ALL
- Commit the configuration changes.commit
- Set the LDAP or Active Directory configuration details.system aaa authentication ldapactive_directory{true | false }base<dn-name>bind_timelimit<number-of-seconds>binddn<dn-acct-info>bindpw<password>chase-referrals{ true | false }idle_timelimit<number-of-seconds>ldap_version<version-number>ssl{ on | off | start_tls }timelimit<number-of-seconds>tls_cacert<path-to-cert>tls_cert<path-to-cert>tls_ciphers<cipher-suite>tls_key<path-to-file>tls_reqcert{ never | allow | try | demand | hard }This example specifies a search base distinguished name for LDAP authentication:syscon-1-active(config)# system aaa authentication ldap base dc=example,dc=localThis example enables Active Directory authentication, by setting theactive_directoryoption to true:syscon-1-active(config)# system aaa authentication config authentication-method LDAP all system aaa authentication ldap active_directory true
- Add the LDAP/AD server details to the authentication server groups.
- Create the server group.system aaa server-groups server-group ldap-group config name ldap-group type LDAP
- Add the server and IP address of the LDAP service.servers server <ip-address> config address <ip-address>
- Customize the LDAP configuration details.ldap config auth-port <port-number> type ldapsThis example shows secure LDAP configuration:syscon-1-active(config)# ldap config auth-port 636 type ldaps
- Commit the configuration changes.commit
LDAP/Active Directory authentication
for users is configured on the system controllers or chassis partition in
which you are working.
Create an LDAP server group from the CLI
You can create an LDAP server group
(including Active Directory servers), if you have multiple external LDAP
servers to which you want to connect, from either the system controller or
chassis partition CLI.
- Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Create the server group.system aaa server-groups server-group <group-name> config name <group-name> type LDAPThis example creates an LDAP server group namedldap-test:syscon-1-active(config)# system aaa server-groups server-group ldap-test config name ldap-test type LDAP
- Commit the configuration changes.commit
- Add the host name for the LDAP service.This host name might have to be resolved in/etc/hostsor by DNS.This example adds a host name to the LDAP service:syscon-1-active(config)# servers server ldap.company.com config address ldap.company.com
- Commit the configuration changes.commit
Add LDAP certificates from the CLI
You can add an LDAP certificate
and key from either the system controller or chassis partition CLI.
- Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Add the TLS config key.system aaa tls config key (<AES-encrypted-string>)A summary similar to this example displays:syscon-1-active(config)# system aaa tls config key (<AES encrypted string>): [Multiline mode, exit with ctrl-D.] > -----BEGIN PRIVATE KEY----- > MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDarxbhnYlm8DoQ > W23fxEm6qZF5+DEBinym3IAZe7V3eV/v1UmuqSMKmz3pLX5oYTZ0Fqj+mW4XdMxK > kW93w91xYLZoOOn/P9ELt4Cu9YIoDTy3OU68EETjQarw9wd+0/JqKTRPWa+VAWGn > hMg6N2OCY7hNc8FWFU2YD2x6MryacVCgCi20uhzde2G89pJlqGrm9KpbCN1ZV4Hc > 4OWEnMAO/yyb8FceKQNgJ0pk9+kBosKfyYypZ8SjP9Bg4E76of5xMHBtbXNu/f3Y > hJk/0gmMyuoTKl5d9AAUhU+gOZP6z2GTc2UfWnG0dfG6SWUGVmBtZ8u8y3nPi7Y9 > G1K5R3TzAgMBAAECggEAVamQhQB4+mHP3OhzudviJcSWv/iA+eGNwq9NXq4e/5YE > Bqa+HjUTDOyS6+xuP+UUt5TIzjK79WRDQlKGH5wR+n+v9FOXFe2hrb1MIzz4p0fI > KN3CAdk9oufuVkXuIbhUlVFetFalePD5l+1joapgyIrXfz+A1H+zzYT9MUD+sGBJ > bYkTqxFgAwsJoMaPruemfzFLHeWRDh/o0fG7aA6v4AA+urIaK13bEs+U/38A6D4X > j+Mzr2RP4bQJHBKE5vYJ0bwqfO3we21CPYpkla4APJUNGOLuZwfGhH1QREQy31rA > sIru7KRBcxYikvfKI4oL8aUfPurcZbnaCD1bdUhlQQKBgQD3lQ4Qp53c3QGww/bQ > s0tvJD6T86t5ve47j0V6hKHbp8Kq/zm+3jkRVNjH8nipyleQ44YJuSqPfo4EVKLC > OYPDEEQP+2fAWmt1LUugoB/ilQHOHMJVuPUj9Hyt7wetp1EeFZqNqpgohdP9eM5/ > R8jSIuNhqIjPKTliqwOn4hLnvwKBgQDiHoE/O87/GadvmS/G6ExWFAE2j7l16y1f > pz/cqY/p674TF/VUYsyKaLKM08iOhT6XeDACto+z7TYd5YNYAgawuxcDvDWXOZxe > mWLpdzlQGzumeTz2Rsx3U3NnXETlGBWEjj6kAUq4oqFrRSBNGbHb4D7XVNuQPPSX > rZ8CfNxfzQKBgG/rZ7JLs2c2WR9JVve9NWqGnetQCcI9A8bU23mpH2omii+2tKn9 > 1xpomp64k6ddmvwafmtC02SOtzBp+jGGwnOZlMsMwTgJJ+6OjVONTxykc25zPb52 > oAqi6QHPvk7YBiltZrKH3cTjypMY23BaSQQFVXi+MSpE3nYmDL8FyboNAoGAVIDp > 9GO5nAROWpp5DHDL9m9LdMSJntPhBRpP93s22UjMo/4UJRE3N5KhB5guH3UUSy8T > YjAvzCIeU1Xum/lF3s5Mb4zqyjUxhvjzyiRQOuuygyhT7AXRa9a4DiyhYqx5fixa > pJgHALFmedw/khDEM1O+qGKCG4lsLzMndZqMERECgYEA5LQ128pxYmpp3lyK6a62 > 01W/1/BtuiApuEFdcqwk6MTtateS5Kpb5uA9orWISmtd7mZLcXZGTBuJEoWsHBs4 > BE/B1urijsnmFzGRwmwF9DwhhDuyLW/cAqQSWAb4IBkU0lo0MOwm80EgcLwoy/53 > zicLAzdPQOiNQEyIh5U46xg= > -----END PRIVATE KEY-----
- Add the TLS config certificate.system aaa tls config certificate (<string>)A summary similar to this example displays:syscon-1-active(config)# system aaa tls config certificate (<string>): [Multiline mode, exit with ctrl-D.] > -----BEGIN CERTIFICATE----- > MIIESzCCAzOgAwIBAgIJALgGgs+5qgX1MA0GCSqGSIb3DQEBCwUAMIG7MQswCQYD > VQQGEwItLTESMBAGA1UECAwJU29tZVN0YXRlMREwDwYDVQQHDAhTb21lQ2l0eTEZ > MBcGA1UECgwQU29tZU9yZ2FuaXphdGlvbjEfMB0GA1UECwwWU29tZU9yZ2FuaXph > dGlvbmFsVW5pdDEeMBwGA1UEAwwVbG9jYWxob3N0LmxvY2FsZG9tYWluMSkwJwYJ > KoZIhvcNAQkBFhpyb290QGxvY2FsaG9zdC5sb2NhbGRvbWFpbjAeFw0yMDEwMjMy > MjMwNTZaFw0yMTEwMjMyMjMwNTZaMIG7MQswCQYDVQQGEwItLTESMBAGA1UECAwJ > U29tZVN0YXRlMREwDwYDVQQHDAhTb21lQ2l0eTEZMBcGA1UECgwQU29tZU9yZ2Fu > aXphdGlvbjEfMB0GA1UECwwWU29tZU9yZ2FuaXphdGlvbmFsVW5pdDEeMBwGA1UE > AwwVbG9jYWxob3N0LmxvY2FsZG9tYWluMSkwJwYJKoZIhvcNAQkBFhpyb290QGxv > Y2FsaG9zdC5sb2NhbGRvbWFpbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC > ggEBANqvFuGdiWbwOhBbbd/ESbqpkXn4MQGKfKbcgBl7tXd5X+/VSa6pIwqbPekt > fmhhNnQWqP6Zbhd0zEqRb3fD3XFgtmg46f8/0Qu3gK71gigNPLc5TrwQRONBqvD3 > B37T8mopNE9Zr5UBYaeEyDo3Y4JjuE1zwVYVTZgPbHoyvJpxUKAKLbS6HN17Ybz2 > kmWoaub0qlsI3VlXgdzg5YScwA7/LJvwVx4pA2AnSmT36QGiwp/JjKlnxKM/0GDg > Tvqh/nEwcG1tc279/diEmT/SCYzK6hMqXl30ABSFT6A5k/rPYZNzZR9acbR18bpJ > ZQZWYG1ny7zLec+Ltj0bUrlHdPMCAwEAAaNQME4wHQYDVR0OBBYEFJ8f90ExRYYD > 0j2rQSKhMbRaKz0vMB8GA1UdIwQYMBaAFJ8f90ExRYYD0j2rQSKhMbRaKz0vMAwG > A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBACzFSIiJ01qLtl9Nom5rtFRh > m+iH0RewmO2YV9rQTl53shma1/Wa2D5PXsFt6w0wiXRa6Gab1YVxaHkP9E4RK6us > B5s5pR+SijP02Ijw5y4RICegkWApx86wlW09NDBgPFQdz+xQnpx8LfAFDzkAEf02 > eI4SI25Vi3fDW6qeOKeQmS5itcRFXBi/E2+FwYu3zvtMEIp7WB90f0mvxiEd1bz8 > UY0pODHlYUzc/4jl9CGWGPl+80KHsjppqwsFzZs3koe2IyKbzMKfpdQ+oIiJP17+ > IVJgNbRCO5TgGXtFW3p3CJ2fHzEPongFdvbPOTr/cE/KkGxKqcoeN7d22g7POas= > -----END CERTIFICATE-----
- Commit the configuration changes.commit
RADIUS configuration overview
You can configure the
VELOS
system to use a RADIUS server for authenticating VELOS
system user accounts.Before you begin, you must verify that the RADIUS service is set up on a
server that is accessible to the
VELOS
system. The default port for RADIUS service is
1812. If the service is configured with a different port, make note of it,
as you will need it during the configuration.- Assign users to valid system group IDs on the external RADIUS server. For more information, see Group IDs (GIDs) and system authentication roles.
RADIUS dictionary
When configuring remote RADIUS authentication for the
F5
system, you add these F5OS
vendor-specific attributes (VSA) to the F5
vendor-specific RADIUS dictionary file on the RADIUS server. Be
sure to add the vendor lines if you are using the RADIUS server for the first
time.VENDOR F5 3375 BEGIN-VENDOR F5 ATTRIBUTE F5-F5OS-UID 21 integer ATTRIBUTE F5-F5OS-GID 22 integer ATTRIBUTE F5-F5OS-HOMEDIR 23 string ATTRIBUTE F5-F5OS-SHELL 24 string ATTRIBUTE F5-F5OS-USERINFO 25 string END-VENDOR F5
RADIUS configuration from the webUI
Configure RADIUS authentication from the webUI
You can configure the use of RADIUS
authentication with
VELOS
systems
from either the system controller or chassis partition webUI.- Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
- On the left, click.
- ForAuthentication Methods, from theAvailablelist, selectRADIUSand click the arrows to move it to theSelectedlist.The RADIUS server must be configured and reachable from the system.TheLocal (Always Selected)option is always enabled and cannot be changed. Local authentication is always enabled, by default, so the administrator can always access the system in case of external authentication server failure.
- ClickSave.
RADIUS authentication for users is
configured on the system. When a user logs in, the system attempts to
authenticate them against the configured authentication method. When the
account has a match within any of the configured authentication methods, the
user is authenticated and given access.
Next, you can create a server
group.
Configure a RADIUS server group from the webUI
You can configure a RADIUS server
group from either the system controller or chassis partition webUI.
- Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
- On the left, click.
- ClickAdd.
- ForName, create a recognizable name for the server group.
- ForProvider Type, selectRADIUSto qualify the type of servers that will be in the group.
- ClickSave & Close.
- Click the server group to which you want to add servers.The Edit Server Group screen displays.
- ClickAdd.
- ForServer, enter the IPv4, IPv6 address, or FQDN of the RADIUS server to add.
- ForPort, make sure the port number is correct for RADIUS traffic.The default value is1812.
- ForSecret, enter the shared secret used to access the server.
- ForTimeout (seconds), type the number of seconds to timeout if unable to access the server.The default value is5.
- ClickSave & Close.
Add as many servers as needed to the group.
RADIUS configuration from the CLI
Configure RADIUS authentication from the
CLI
You can configure the system for
RADIUS authentication from either the system controller or chassis partition
CLI.
- Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Set the authentication method to RADIUS.system aaa authentication config authentication-method RADIUS_ALL
- Commit the configuration changes.commit
- Add the RADIUS service details to the authentication server groups:
- Create the server group.system aaa server-groups server-group radius-group config name radius-group type RADIUS
- Add the server and IP address for the RADIUS service.servers server <ip-address> config address <ip-address>
- Customize the RADIUS configuration details.radius config auth-port <port-number> secret-key secret timeout <timeout-in-seconds>
- Commit the configuration changes.commit
RADIUS authentication for users is
configured on the system controllers or chassis partition in which you are
working.
Create a RADIUS server group from the CLI
If you have multiple RADIUS servers to
which you want to connect, you can create a RADIUS server group from either
the system controller or chassis partition CLI.
- Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Create the server group.system aaa server-groups server-group <group-name> config name <group-name> type RADIUSThis example creates a RADIUS server group namedradius-group:syscon-1-active(config)# system aaa server-groups server-group radius-group config name radius-group type RADIUS
- Commit the configuration changes.commit
- Add the server and IP address of the RADIUS service.servers server <ip-address> config address <ip-address>
- Commit the configuration changes.commit
TACACS+ configuration overview
You can configure the
VELOS
system to
use a TACACS+ server for
authenticating VELOS
system user
accounts.Before you begin:
- Verify that TACACS+ is set up on a server that is accessible to theVELOSsystem.
- Assign users to valid system group IDs on the external TACACS+ server. For more information, see Group IDs (GIDs) and system authentication roles.
TACACS+ configuration from the webUI
Configure TACACS+ authentication from the webUI
You can configure the use of TACACS+
authentication with
VELOS
systems
from the webUI.- Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
- On the left, click.
- ForAuthentication Methods, from theAvailablelist, selectTACACS+and click the arrows to move it to theSelectedlist.The TACACS+ server must be configured and reachable from the system.TheLocal (Always Selected)option is always enabled and cannot be changed. Local authentication is always enabled, by default, so the administrator can always access the system in case of external authentication server failure.
- ClickSave.
TACACS+ authentication for users is
configured on the system. When a user logs in, the system attempts to
authenticate them against the configured authentication method. When the
account has a match within any of the configured authentication methods, the
user is authenticated and given access.
Next, you can create a server
group.
Configure a TACACS+ server group from the webUI
You can configure a TACACS+ server group
from the webUI.
- Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
- On the left, click.
- ClickAdd.
- ForName, create a recognizable name for the server group.
- ForProvider Type, selectTACACS+to qualify the type of servers that will be in the group.
- ClickSave & Close.
- Click the server group to which you want to add servers.The Edit Server Group screen displays.
- ClickAdd.
- ForServer, type the IPv4, IPv6 address, or FQDN of the TACACS+ server to add.
- ForPort, make sure the port number is correct for TACACS+ traffic.The default value is49.
- ForSecret, enter the shared secret used to access the server.
- ClickSave & Close.
Add as many servers as needed to the group.
TACACS+ configuration from the CLI
Configure TACACS+ authentication from the
CLI
You can configure
TACACS+ authentication from either the system controller or chassis partition CLI..
- Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Set the authentication method to TACACS+.system aaa authentication config authentication-method TACACS_ALL
- Commit the configuration changes.commit
- Add the TACACS+ service details to the authentication server groups.
- Create a server group.system aaa server-groups server-group <group-name> config name <group-name> type TACACSThis example creates a TACACS+ server group namedtacacs-group:syscon-1-active(config)# system aaa server-groups server-group tacacs-group config name tacacs-group type TACACS
- Add a server to the server group.servers server <ip-address> config address <ip-address>This example adds a server at specified IP address:syscon-1-active(config-server-group-tacacs-group)# servers server 192.0.2.22
- Customize other TACACS+ configuration details, as needed.tacacs config port <port-number> secret-key <secret>This example shows configuring a port number:syscon-1-active(config-server-192.0.2.22)# tacacs config port 49
- Commit the configuration changes.commit
TACACS+ authentication for users is
configured on the system. When a user logs in, the system attempts to
authenticate them against the configured authentication method. When the
account has a match within any of the configured authentication methods, the
user is authenticated and given access.
OCSP configuration overview
Admin users can configure the
VELOS
system to use Online Certificate Status Protocol
(OCSP) to verify certificate validity and revoke expired certificates. The
system sends an OCSP request, which includes the certificate serial number, to
an OCSP responder, and receives a response with the certificate status (good,
revoked, or unknown). OCSP is a similar to CRL checking, and you can configure
the system to use both at the same time.OCSP configuration from the webUI
Configure OCSP for certificate validation from the
webUI
You can configure Online Certificate
Status Protocol (OCSP) for certificate validation from either the system controller or chassis partition webUI.
- Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
- On the left, click.
- In the OCSP Configuration area, clickShowto expand the settings.
- ForOCSP Checking, selectDisabledorEnabled.The default value isDisabled.
- ForNonce Request, specify whether queries to OCSP responders should include a nonce (a unique identifier) in the request.
- ForOverride Responder, specify whether the OCSP default responder is required for certificate validation.
- ForResponse Max Age, specify the maximum amount of time, in seconds, for OCSP responses.
- ForResponse Time Skew, specify the maximum allowable time skew, in seconds, for OCSP response validation.
- ClickSave.
Next, you can create a server
group.
Configure an OCSP server group from the webUI
You can configure an Online
Certificate Status Protocol (OCSP) server group from either the system
controller or chassis partition webUI. The server group can contain only one
OCSP server.
- Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
- On the left, click.
- TheProvider Typeis set when you create the server group, and it cannot be changed here.
- ForHost, type the IPv4 address, IPv6 address, or the fully qualified domain name (FQDN) of the OCSP server.
- ForPort, enter the port for the OCSP server.The default value is 80.
- ClickSave.
The OSCP server is added to the
server group.
OCSP configuration from the CLI
Configure OCSP for certificate validation from the
CLI
You can configure Online
Certificate Status Protocol (OCSP) for certificate validation from the
CLI.
- Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Enable OCSP.system aaa authentication ocsp config enabled
- Configure the OCSP responder address that will be used for client certificate validation using one of these methods:
- Provide the OCSP responder address using the client certificate.syscon-1-active(config)# system aaa authentication ocsp config override-responder off
- Provide the OCSP IP address using a server group.syscon-1-active(config)# system aaa authentication ocsp config override-responder on syscon-1-active(config)# system aaa server-groups server-group ocsp1 config name ocsp1 type OCSP syscon-1-active(config-server-group-ocsp1)# servers server 192.0.2.17 syscon-1-active(config-server-192.0.2.17)# config address 192.0.2.17 syscon-1-active(config-server-192.0.2.17)# ocsp config port 23456
- Configure additional OCSP options, if needed.The system creates the responder address using default values fornonce-request(on) andresponse-time-skew(300).system aaa authentication ocsp config nonce-request {off|on} response-max-age <time-in-seconds> response-time-skew <time-in-seconds>Fornonce-request, the default value ison. Forresponse-max-age, the default value is-1, which disables the maximum age check. The range is from -1 to 214748364. Forresponse-time skew, the default value is300.
- Commit the configuration changes.commit
Next, you can create a server
group.
Configure an OCSP server group from the CLI
You can configure an Online Certificate
Status Protocol (OCSP) server group from the CLI. The server group can contain
only one OCSP server.
- Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Create an OCSP server group.system aaa server-groups server-group <group-name> config name <group-name> type OCSPThis example creates an OCSP server group namedocsp-group:syscon-1-active(config)# system aaa server-groups server-group ocsp-group config type OCSP
- Add an OCSP server to the server group.servers server <ip-address> config address <ip-address>This example adds a server at a specified IP address, with the default value for port number (80):syscon-1-active(config-server-group-ocsp-group)# servers server 192.0.2.25 ocsp config port 88
- Commit the configuration changes.commit
SSH public key authentication overview
Using SSH public key authentication to connect to a remote system is a robust, more
secure alternative to logging in with an account password or passphrase. SSH public key
authentication relies on asymmetric cryptographic algorithms that generate a pair of
separate keys (a key pair), one "private" and the other "public". You keep the private
key a secret and store it on the computer you use to connect to the remote system.
Configure SSH public key authentication from the CLI
You can configure Secure Shell
(SSH) public key authentication from the system controller or chassis
partition CLI. You can configure multiple authorized keys in one step. This
feature supports all SSH key algorithms that are supported in the latest SSHD
version. Root users cannot use this feature.
- Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Configure SSH public key authentication.system aaa authentication users user <username> config authorized_keysPress Enter to enable multi-line mode and paste the contents. Paste the first SSH public key into the prompt, press enter to paste the next key, and continue until you have entered all keys. Press Ctrl-D to exit multi-line mode.In this example, you configure public key authentication for a specified user:syscon-1-active(config)# system aaa authentication users user jdoe config authorized-keys (<string, min: 1 chars>): [Multiline mode, exit with ctrl-D.] > hdsjhfashlksdfklahkjdhsakfdhaskhfkjasdhfjashd
- Commit the configuration changes.commit
Delete SSH public key authentication from the CLI
You can delete a Secure Shell (SSH)
public key authentication from the system controller or chassis partition
CLI.
- Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Remove the authorized key.no system aaa authentication users user <username> config authorized-keys
- Commit the configuration changes.commit
Transport Layer Security (TLS) configuration
overview
Before
VELOS
systems can
exchange data with one another, they must exchange device certificates, that is, digital
certificates and keys used for secure communication.If you are using LDAP with transport layer security (TLS) for user
authentication, you can choose to require TLS Certificate Validation in the
authentication settings. You can add a certificate and key into the system, and when you
create a certificate signing request (CSR), it saves the generated key and certificate
to these directories:
- system/aaa/tls/config/key
- system/aaa/tls/config/certificate
When you install an SSL certificate, you also install a certificate
authority (CA) bundle, which is a file that contains root and intermediate certificates.
The CA bundle and server certificate complete the SSL chain of trust.
The
VELOS
system also supports using
self-signed certificates.You can also configure a Certificate Revocation List (CRL) entry
for the system to use to check revocation status of a certificate prior to
authenticating a client. Note that once you have configured a CRL, there must
be a CRL certificate for each CA. If there are two CAs configured and one CRL
is been added for one of the CAs, you need to provide a CRL for the other CA
even if it is not revoked.
For information about client certification authentication, see Client certificate authentication overview.
Client certificate authentication overview
For enhanced security, users with admin access can configure the
system so that webUI users use a client certificate to provide a username and
authenticate before granting access to the
VELOS
system. The system verifies a user's identity by
validating the client certificate against a list of trusted Certificate
Authority (CA) certificates, and optionally checks the certificate status
against a configured Certificate Revocation List (CRL) or Online Certificate
Status Protocol (OCSP) responder. The system extracts the user name from the
certificate and uses it to query an external server for group membership
information for the user, which is used to determine what features they can
access on the system. You can also configure client certificate authentication
to work with an LDAP authentication provider.Client certificate authentication from the webUI
Configure client certificate verification from the
webUI
You can enable verification of
httpd client certificates from either the system controller or chassis
partition webUI.
- Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
- On the left, click.
- In the Client Certificate Verification area, clickSettings.The Client Certificate Verification screen displays.
- ForVerify Client, select whether to enable client certificate verification.The default value is false (verification is disabled).
- ForClient Depth, select the client certificate verification depth.The default value is 1, which indicates that the client certificate can be self-signed or must be signed by a Certificate Authority (CA) that is known to the server. A depth of 0 indicates that only self-signed client certificates are accepted. The range is from 0 to 100. The value you provide for depth indicates the maximum number of CA certificates allowed to be followed while verifying the client certificate. You might need to raise the default depth if you received more than one chained root certificate in addition to a client certificate from your CA.
- ClickSave.
Log in to the system webUI using a client
certificate
Before you can log in to the webUI using client
certificate authentication, you must have configured client certificate authentication
from the CLI and imported the certificate to your browser. This procedure varies
depending on operating system and browser.
You can log in to the webUI
using a client certificate for authentication.
- Connect to the webUI by entering the management IP address in your browser.
- On the login screen, review the client certificate authentication agreement, if available, and then clickLog in.
- When prompted to select a certificate, select the certificate from the list and clickOK.When authentication completes, the Dashboard displays. If you did not import a certificate to your browser, the authentication fails and displays an error message.
Client certificate authentication from the CLI
Configure client certificate verification settings from
the CLI
You can configure client certificate
verification settings from either the system controller or chassis partition CLI. The
value you provide for depth indicates the maximum number of Certificate Authority (CA)
certificates allowed to be followed while verifying the client certificate. You might
need to raise the default depth if you received more than one chained root certificate
in addition to a client certificate from your CA. The default depth of 1 indicates that
the client certificate can be self-signed or must be signed by a CA that is known to the
server. A depth of 0 indicates that only self-signed client certificates are accepted.
- Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Specify whether to use client certificate verification.system aaa tls config verify-client {false|true}In this example, you enable client certificate verification:syscon-1-active(config)# system aaa tls config verify-client true
- Configure client certificate verification depth.The default value is 1. The range is from 1 to 100.system aaa tls config verify-client-depth <depth>In this example, you specify a depth of 10:syscon-1-active(config)# system aaa tls config verify-client-depth 10
- Commit the configuration changes.commit
Configure client certificate verification with
self-signed certificates from the CLI
Before you configure client certificate
verification on your system, you must first:
- Create your self-signed certificates, ensuring that the CN name for the server is the server name from the client's perspective (either an IP address or fully-qualified domain name (FQDN)).
- Configure the server name in your SSL server's httpd configuration files.
You can configure HTTP server SSL
settings with client certificate verification and self-signed certificates
from either the system controller or chassis partition CLI.
- Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Add the TLS config key:system aaa tls config key (<AES-encrypted-string>)Press Enter to enable multi-line mode and paste the contents. Press Ctrl-D to exit multi-line mode.A summary similar to this example displays:appliance-1(config)# system aaa tls config key (<AES encrypted string>): [Multiline mode, exit with ctrl-D.] > -----BEGIN PRIVATE KEY----- > MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDarxbhnYlm8DoQ > W23fxEm6qZF5+DEBinym3IAZe7V3eV/v1UmuqSMKmz3pLX5oYTZ0Fqj+mW4XdMxK > kW93w91xYLZoOOn/P9ELt4Cu9YIoDTy3OU68EETjQarw9wd+0/JqKTRPWa+VAWGn > hMg6N2OCY7hNc8FWFU2YD2x6MryacVCgCi20uhzde2G89pJlqGrm9KpbCN1ZV4Hc > 4OWEnMAO/yyb8FceKQNgJ0pk9+kBosKfyYypZ8SjP9Bg4E76of5xMHBtbXNu/f3Y > hJk/0gmMyuoTKl5d9AAUhU+gOZP6z2GTc2UfWnG0dfG6SWUGVmBtZ8u8y3nPi7Y9 > G1K5R3TzAgMBAAECggEAVamQhQB4+mHP3OhzudviJcSWv/iA+eGNwq9NXq4e/5YE > Bqa+HjUTDOyS6+xuP+UUt5TIzjK79WRDQlKGH5wR+n+v9FOXFe2hrb1MIzz4p0fI > KN3CAdk9oufuVkXuIbhUlVFetFalePD5l+1joapgyIrXfz+A1H+zzYT9MUD+sGBJ > bYkTqxFgAwsJoMaPruemfzFLHeWRDh/o0fG7aA6v4AA+urIaK13bEs+U/38A6D4X > j+Mzr2RP4bQJHBKE5vYJ0bwqfO3we21CPYpkla4APJUNGOLuZwfGhH1QREQy31rA > sIru7KRBcxYikvfKI4oL8aUfPurcZbnaCD1bdUhlQQKBgQD3lQ4Qp53c3QGww/bQ > s0tvJD6T86t5ve47j0V6hKHbp8Kq/zm+3jkRVNjH8nipyleQ44YJuSqPfo4EVKLC > OYPDEEQP+2fAWmt1LUugoB/ilQHOHMJVuPUj9Hyt7wetp1EeFZqNqpgohdP9eM5/ > R8jSIuNhqIjPKTliqwOn4hLnvwKBgQDiHoE/O87/GadvmS/G6ExWFAE2j7l16y1f > pz/cqY/p674TF/VUYsyKaLKM08iOhT6XeDACto+z7TYd5YNYAgawuxcDvDWXOZxe > mWLpdzlQGzumeTz2Rsx3U3NnXETlGBWEjj6kAUq4oqFrRSBNGbHb4D7XVNuQPPSX > rZ8CfNxfzQKBgG/rZ7JLs2c2WR9JVve9NWqGnetQCcI9A8bU23mpH2omii+2tKn9 > 1xpomp64k6ddmvwafmtC02SOtzBp+jGGwnOZlMsMwTgJJ+6OjVONTxykc25zPb52 > oAqi6QHPvk7YBiltZrKH3cTjypMY23BaSQQFVXi+MSpE3nYmDL8FyboNAoGAVIDp > 9GO5nAROWpp5DHDL9m9LdMSJntPhBRpP93s22UjMo/4UJRE3N5KhB5guH3UUSy8T > YjAvzCIeU1Xum/lF3s5Mb4zqyjUxhvjzyiRQOuuygyhT7AXRa9a4DiyhYqx5fixa > pJgHALFmedw/khDEM1O+qGKCG4lsLzMndZqMERECgYEA5LQ128pxYmpp3lyK6a62 > 01W/1/BtuiApuEFdcqwk6MTtateS5Kpb5uA9orWISmtd7mZLcXZGTBuJEoWsHBs4 > BE/B1urijsnmFzGRwmwF9DwhhDuyLW/cAqQSWAb4IBkU0lo0MOwm80EgcLwoy/53 > zicLAzdPQOiNQEyIh5U46xg= > -----END PRIVATE KEY-----
- Add the TLS config certificate.system aaa tls config certificate (<string>)Press Enter to enable multi-line mode and paste the contents. Press Ctrl-D to exit multi-line mode.In this example, you add a certificate:syscon-1-active(config)# system aaa tls config certificate (<string>): [Multiline mode, exit with ctrl-D.] > -----BEGIN CERTIFICATE----- > MIIESzCCAzOgAwIBAgIJALgGgs+5qgX1MA0GCSqGSIb3DQEBCwUAMIG7MQswCQYD > VQQGEwItLTESMBAGA1UECAwJU29tZVN0YXRlMREwDwYDVQQHDAhTb21lQ2l0eTEZ > MBcGA1UECgwQU29tZU9yZ2FuaXphdGlvbjEfMB0GA1UECwwWU29tZU9yZ2FuaXph > dGlvbmFsVW5pdDEeMBwGA1UEAwwVbG9jYWxob3N0LmxvY2FsZG9tYWluMSkwJwYJ > KoZIhvcNAQkBFhpyb290QGxvY2FsaG9zdC5sb2NhbGRvbWFpbjAeFw0yMDEwMjMy > MjMwNTZaFw0yMTEwMjMyMjMwNTZaMIG7MQswCQYDVQQGEwItLTESMBAGA1UECAwJ > U29tZVN0YXRlMREwDwYDVQQHDAhTb21lQ2l0eTEZMBcGA1UECgwQU29tZU9yZ2Fu > aXphdGlvbjEfMB0GA1UECwwWU29tZU9yZ2FuaXphdGlvbmFsVW5pdDEeMBwGA1UE > AwwVbG9jYWxob3N0LmxvY2FsZG9tYWluMSkwJwYJKoZIhvcNAQkBFhpyb290QGxv > Y2FsaG9zdC5sb2NhbGRvbWFpbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC > ggEBANqvFuGdiWbwOhBbbd/ESbqpkXn4MQGKfKbcgBl7tXd5X+/VSa6pIwqbPekt > fmhhNnQWqP6Zbhd0zEqRb3fD3XFgtmg46f8/0Qu3gK71gigNPLc5TrwQRONBqvD3 > B37T8mopNE9Zr5UBYaeEyDo3Y4JjuE1zwVYVTZgPbHoyvJpxUKAKLbS6HN17Ybz2 > kmWoaub0qlsI3VlXgdzg5YScwA7/LJvwVx4pA2AnSmT36QGiwp/JjKlnxKM/0GDg > Tvqh/nEwcG1tc279/diEmT/SCYzK6hMqXl30ABSFT6A5k/rPYZNzZR9acbR18bpJ > ZQZWYG1ny7zLec+Ltj0bUrlHdPMCAwEAAaNQME4wHQYDVR0OBBYEFJ8f90ExRYYD > 0j2rQSKhMbRaKz0vMB8GA1UdIwQYMBaAFJ8f90ExRYYD0j2rQSKhMbRaKz0vMAwG > A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBACzFSIiJ01qLtl9Nom5rtFRh > m+iH0RewmO2YV9rQTl53shma1/Wa2D5PXsFt6w0wiXRa6Gab1YVxaHkP9E4RK6us > B5s5pR+SijP02Ijw5y4RICegkWApx86wlW09NDBgPFQdz+xQnpx8LfAFDzkAEf02 > eI4SI25Vi3fDW6qeOKeQmS5itcRFXBi/E2+FwYu3zvtMEIp7WB90f0mvxiEd1bz8 > UY0pODHlYUzc/4jl9CGWGPl+80KHsjppqwsFzZs3koe2IyKbzMKfpdQ+oIiJP17+ > IVJgNbRCO5TgGXtFW3p3CJ2fHzEPongFdvbPOTr/cE/KkGxKqcoeN7d22g7POas= > -----END CERTIFICATE-----
- Enable client certificate verification.system aaa tls config verify-client {false|true}In this example, you enable client certificate verification:syscon-1-active(config)# system aaa tls config verify-client true
- Configure client certificate verification depth.The default value is 1. The range is from 1 to 100.system aaa tls config verify-client-depth <depth>In this example, you specify a depth of 10:syscon-1-active(config)# system aaa tls config verify-client-depth 10
- Add a CA bundle.system aaa tls ca-bundles ca-bundle <ca-bundle-name> config name <ca-bundle-name> contentPress Enter to enable multi-line mode and paste the contents. Press Ctrl-D to exit multi-line mode.In this example, you add a CA bundle named "test_caaaa":syscon-1-active(config)# system aaa tls ca-bundles ca-bundle test_caaaa config name test_caaaa content (<string>): [Multiline mode, exit with ctrl-D.]
- Commit the configuration changes.commit
Configure client certificate authentication from the
CLI
Before you configure client certificate authentication, be sure that you
have enabled client certificate verification. For more information, see Configure client certificate verification settings from the CLI.
You can configure client certificate
authentication settings on the
VELOS
system from either the system controller or chassis partition CLI.Only users with admin access can
configure client certificate authentication.
- Log in to the command line interface (CLI) of the system using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Enable client certificate authentication.system aaa authentication config cert-auth {disabled|enabled}In this example, you enable client certificate authentication:syscon-1-active(config)# system aaa authentication config cert-auth enabled
- Configure the client certificate name field if you want to use a custom OID value for the client certificate username.system aaa authentication clientcert config client-cert-name-field {san-gen-dns|san-gen-email|san-gen-othernameOID { <OID> |UPN} |san-gen-uri|subjectname-cn}In these examples, you configure an OID using one of these valid formats:syscon-1-active(config)# system aaa authentication clientcert config client-cert-name-field san-gen-othername OID UPNsyscon-1-active(config)# system aaa authentication clientcert config client-cert-name-field san-gen-othername OID 1.1syscon-1-active(config)# system aaa authentication clientcert config client-cert-name-field san-gen-othername OID 1.3.6.1.4.1.311.20.2.3
- Commit the configuration changes.commit
Next, you can configure the login banner with a client certificate
agreement, if needed. For more information, see General system configuration overview.
Certificate management from the webUI
View or configure a TLS key and certificate from the
webUI
Before you can install device certificates, you must
enable LDAP as an authentication method in the system controller or chassis partition in
which you are working (
). You can view or replace TLS device
certificates from either the system controller or chassis partition webUI. The
device certificates apply only to the area in which you are working.
- Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
- On the left, click.
- To display a previously-installed TLS certificate or key, or to install a TLS certificate or key, in the TLS Certificate & Key area, clickShow.A text area opens and displays the certificate or key, if one has been previously installed.
- To install aTLS Certificate, paste the text of the local certificate for client TLS authentication into the text box.
- To install aTLS Key, paste the text of the local certificate for client TLS authentication into the text box.
- If the TLS key is encrypted, a TLS Key Passphrase field displays. Enter the passphrase.
- ClickSave.
Configure a Certificate Authority (CA) bundle from the
webUI
You can add or delete a Certificate
Authority (CA) bundle from either the system controller or chassis partition
webUI.
- Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
- On the left, click.
- In the CA Bundles area, clickAdd.The Add CA Bundle screen displays.
- ForName, enter the bundle name.
- ForTLS CA Certificate, paste the certificate text.
- ClickSave.
- To delete a CA bundle, underCA Bundles, click the name of the bundle in the table and clickDelete.
Configure a Certification Revocation List (CRL) from the
webUI
You can add or delete a Certificate
Revocation List (CRL) from the webUI.
- Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
- On the left, click.
- In the Certificate Revocation List area, clickAdd.The Add CRL screen displays.
- ForName, enter the list name.
- ForRevocation Key, paste the revocation key.
- ClickSave.
- To delete a Certificate Revocation List, in the Certificate Revocation List area, select the list name in the table and then clickDelete.
Create a self-signed certificate from the webUI
You can create a self-signed certificate from
either the system controller or chassis partition webUI.
- Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
- On the left, click.
- In the Self-Signed Certificate area, clickCreate Certificate.
- ForName, enter the common name of the certificate.
- ForEmail, enter the contact email for the certificate.
- ForCity, enter the city or locality.
- ForState, enter the state, county, or region.
- ForOrganization, enter the full name of the certificate originator organization.
- ForUnit, enter the organizational unit or division.
- ForVersion, enter the certificate version.The default value is 1.
- ForDays Valid, enter the number of days for which the certificate is valid.The default value is 30.
- ForKey Type, select a key type.Available options are RSA, ECDSA, Encrypted RSA, or Encrypted ECDSA. These additional fields display.
- ForKey Passphrase, enter the key passphrase.This field is required. The range is between 6 and 255 characters.
- ForConfirm Key Passphrase, re-enter the key passphrase to confirm.
- ForStore TLS, select whether to store the key and certificate insystem/aaa/tls/config/keyandsystem/aaa/tls/config/certificate.The default value is False.
- ClickSave.
Create a Certificate Signing Request (CSR) from the webUI
You can create a Certificate Signing Request
(CSR) from either the system controller or chassis partition webUI.
- Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
- On the left, click.
- In the Certificate Signing Request area, clickCreate CSR.The Create CSR screen displays.
- ForName, enter the common name of the certificate.For example, the server's hostname.
- ForEmail, enter the contact email address for the certificate.
- ForCity, enter the city or locality.
- ForState, enter the state, county, or region.
- ForCountry, enter the two-letter country code.For example, US for United States.
- ForOrganization, enter the full name of the certificate originator organization.For example, your company's name.
- ForUnit, enter the organizational unit or division name.For example, IT.
- ForVersion, enter the certificate version.The default value is 1.
- ForDays Valid, enter the number of days for which the certificate is valid.The default value is 30.
- ClickSave.
Certificate management from the CLI
Configure a TLS key and certificate from the CLI
Before you can enable TLS encryption, you must have
already configured a key and certificate on the system.
You can configure a TLS key and certificate from
either the system controller or chassis partition CLI.
- Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Configure a certificate.system aaa tls config certificatePress Enter to enable multi-line mode and then paste the contents. Press Ctrl-D to exit multi-line mode.syscon-1-active(config)# system aaa tls config certificate (<string>): [Multiline mode, exit with ctrl-D.] > ...
- Commit the configuration changes.commit
- Configure a key.system aaa tls config keyPress Enter to enable multi-line mode and then paste the contents. Press Ctrl-D to exit multi-line mode.syscon-1-active(config)# system aaa tls config key (<string>): [Multiline mode, exit with ctrl-D.] > ...
- Commit the configuration changes.commit
- Return to user (operational) mode.end
- Verify that the certificate is configured.show system aaa tls state certificateA summary similar to this example displays:syscon-1-active# show system aaa tls state certificate response Certificate: Data: Version: 3 (0x2) Serial Number: 322234828 (0x1334e9cc) Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=WA, L=Seattle, O=MyCompany, OU=IT, CN=localhost.localdomain/emailAddress=root@localhost.localdomain Validity Not Before: Mar 18 21:40:28 2020 GMT Not After : Mar 16 21:40:28 2030 GMT Subject: C=US, ST=WA, L=Seattle, O=MyCompany, OU=IT, CN=localhost.localdomain/emailAddress=root@localhost.localdomain Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:bc:ba:b9:8d:51:c7:c9:fe:81:86:52:ea:ef:08: bf:af:68:df:dc:22:6d:a3:23:fa:a5:5b:cd:89:3e: be:fb:cb:92:c4:bc:d7:a6:a5:f3:8b:6b:84:fa:b4: 31:39:88:8b:9a:96:2a:35:1c:3f:ee:23:4a:25:8f: bf:ca:ae:fa:e2:38:5d:9f:43:9d:18:c2:8f:1f:f7: 27:a7:75:a1:12:71:2f:ec:8f:37:e2:a6:74:cc:59: d4:c4:68:26:0c:0d:b6:b0:92:76:38:59:86:e1:54: 40:0e:0e:5d:6e:d6:e7:21:07:94:9e:43:6d:f0:50: 25:5a:68:64:39:fe:a6:df:6d:3f:f8:3c:69:9b:68: 5d:e7:36:88:5c:67:5a:02:01:99:e3:2c:d9:08:cc: d5:9e:1c:cd:46:28:3a:85:76:59:fb:b3:f1:61:bc: 4f:03:57:2c:20:5d:6c:1d:11:1e:56:30:b2:91:67: 99:32:3f:d3:08:6d:4f:cd:a3:8d:f6:e6:34:9c:87: 04:8e:f2:79:f2:8c:1f:cc:1a:8b:2c:25:cf:b4:0c: c7:73:93:e4:49:d5:03:00:eb:1f:90:3c:04:c3:59: 10:90:c9:dd:29:32:cb:27:9f:04:37:f5:05:20:f9: 79:32:c1:50:66:76:1d:6d:2d:78:95:16:d2:65:7b: 4c:f1 Exponent: 65530 (x10001) Signature Algorithm: sha256WithRSAEncryption 47:21:0e:06:80:ab:df:05:9f:04:80:9f:d6:db:b9:2e:c8:d7: 39:8b:ac:6a:cf:cc:7b:5b:64:5c:59:2c:72:fe:57:d5:46:91: 0a:d4:40:0d:42:c1:95:a6:69:d9:1e:36:ac:d1:dd:f4:a1:b0: 08:3c:71:09:31:57:1a:0b:33:83:13:17:99:84:e4:70:82:85: f3:72:c7:fa:ba:0e:1a:fe:55:a1:ce:f7:96:2b:39:ef:4d:7a: 7a:23:71:44:01:c1:6c:10:58:e8:5f:6b:a8:b6:70:cc:8f:65: c8:cd:7b:aa:4b:e2:6a:bc:1c:fe:59:8f:c8:85:08:f0:46:67: 8d:15:a6:01:d0:a3:a2:fd:9c:db:c5:5b:51:07:6f:db:59:f8: bc:ba:9d:4a:30:ea:a7:7c:0c:fb:bb:9a:ea:c9:c2:a4:c1:82: e3:b8:2e:57:cd:32:6a:b1:a8:95:75:e3:82:8a:ea:c2:f8:37: c4:6f:a2:b4:e5:82:6c:3a:5d:c1:1f:a7:8e:da:7d:4c:51:d1: 49:36:da:97:31:4a:64:92:bf:bb:85:e3:bd:67:16:79:fe:53: 92:df:a8:3f:dc:8c:4e:e4:7c:b9:5e:ba:d6:ab:3d:7d:29:59: 01:27:d9:ca:52:10:58:60:00:02:19:f9:1d:74:07:5c:0d:f7: 5e:c2:d6:82
Configure a Certificate Authority (CA) bundle from the CLI
When you install an SSL
certificate, you also install a certificate authority (CA) bundle, which is a
file that contains root and intermediate certificates. The CA bundle and
server certificate complete the SSL chain of trust. You can add or delete a CA
bundle from either the system controller or chassis partition CLI.
- Log in to the command line interface (CLI) of the system controller using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- To add a CA bundle.system aaa tls ca-bundles ca-bundle <ca-bundle-name> config name <ca-bundle-name> content
- Press Enter to enable multi-line mode and press ctrl-D to exit multi-line mode.
In this example, you add a CA bundle named "test_caaaa":syscon-1-active(config)# system aaa tls ca-bundles ca-bundle test_caaaa config name test_caaaa content - Commit the configuration changes.commit
- To delete a CA bundle.no system aaa tls ca-bundles ca-bundle <ca-bundle-name>In this example, you delete a CA bundle named "test_caaaa":syscon-1-active(config)# no system aaa tls ca-bundles ca-bundle test_caaaa
- Commit the configuration changes.commit
Configure a Certification Revocation List (CRL) from the CLI
You can configure a Certificate Revocation
List (CRL) entry from either the system controller or chassis partition CLI.
- Log in to the command line interface (CLI) of the system controller using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- To configure a CRL entry.system aaa tls crls crl <crl-name>In this example, you configure a CRL named "bbb":syscon-1-active(config)# system aaa tls crls crl bbb
- Press Enter to enable multi-line mode and press ctrl-D to exit multi-line mode.
Value for 'config revocation-key'(<string>): [Multiline mode, exit with ctrl-D.] > ...- Enter the key value.
- Commit the configuration changes.commit
- To delete a CRL entry.no system aaa tls crls crl <crl-name>In this example, you delete a CRL entry named "bbb":syscon-1-active(config)# no system aaa tls crls crl bbb
- Commit the configuration changes.commit
- Return to user (operational) mode.end
- View the CRLs currently on the system.show system aaa tls crls crlThis example shows the CRLs currently on the system:syscon-1-active# show system aaa tls crls crl DATE NAME ADDED -------------------- *name* 3/11/2021
Create a private key and self-signed certificate from the
CLI
You can create a private key and a
self-signed certificate from either the system controller or chassis partition CLI.
- Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Create a private key and self-signed certificate.system aaa tls create-self-signed-cert name <name> email <email-address> city <city> region <region> country <country> organization <org-name> unit <org-unit> version <cert-version> days-valid <number> key-type {rsa|ecdsa} store-tls {true|false}Thestore-tlsoption stores the private key and self-signed certificate insystem/aaa/tls/config/keyandsystem/aaa/tls/config/certificateinstead of returning in the CLI output.This example creates a private key and self-signed certificate with city, country, days valid, email, key type, name, organization, region, unit and version options specified, and with store TLS set to false:syscon-1-active(config)# system aaa tls create-self-signed-cert city Seattle country US days-valid 365 email jdoe@company.com key-type ecdsa name Godzilla organization "Company" region Washington unit DEV version 1 curve-name prime239v2 store-tls false response -----BEGIN EC PRIVATE KEY----- MHECAQEEHiyJEVihDTnVi+v9RjfK3LhZ2PdSOXZFMJf3lyXaoaAKBggqhkjOPQMB BaFAAz4ABHFISUTEi8wEdG0iBF3iqTi5m5b62xUSbhOJrXR8d0S6h+anvpo9xrH3 QKbVuacF7ZSNMj2tX/wyqVNePg== -----END EC PRIVATE KEY----- -----BEGIN CERTIFICATE----- MIICAzCCAa4CCQCR5RKtuBFcxTAKBggqhkjOPQQDAjCBjTELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEzARBgNVBAoM CkY1IE5ldG9ya3MxEDAOBgNVBAsMB1NXRElBR1MxETAPBgNVBAMMCEdvZHppbGxh MR0wGwYJKoZIhvcNAQkBFg5qLm1vb3JlQGY1LmNvbTAeFw0yMTAzMjcwMjE2NTFa Fw0yMjAzMjcwMjE2NTFaMIGNMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGlu Z3RvbjEQMA4GA1UEBwwHU2VhdHRsZTETMBEGA1UECgwKRjUgTmV0b3JrczEQMA4G A1UECwwHU1dESUFHUzERMA8GA1UEAwwIR29kemlsbGExHTAbBgkqhkiG9w0BCQEW DmoubW9vcmVAZjUuY29tMFUwEwYHKoZIzj0CAQYIKoZIzj0DAQUDPgAEcUhJRMSL zAR0bSIEXeKpOLmblvrbFRJuE4mtdHx3RLqH5qe+mj3GsfdAptW5pwXtlI0yPa1f /DKpU14+MAoGCCqGSM49BAMCA0MAMEACHh38OAyBBjAsVRBklBXZUIuynHq3/tr4 3VUQsMtYHQIeeP3vCrRm2qjPtK62QwtbkqDA9h2qTvuDj6uYL8EI -----END CERTIFICATE-----
- Commit the configuration changes.commit
Create a Certificate Signing Request (CSR) from the CLI
You can create a text-based certificate
signing request (CSR) from either the system controller or chassis partition
CLI.
- Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Create a CSR.system aaa tls create-csrname <name> email <email-address> city <city> region <region> country <country> organization <org-name> unit <org-unit> version <cert-version>This example creates a CSR with name, email, organization, and unit options specified:syscon-1-active# (config): system aaa tls create-csr name company.com email dev@company.com organization "Company" unit engineering response -----BEGIN CERTIFICATE REQUEST----- MIIC0zCCAbsCAQEwgY0xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9u MRAwDgYDVQQHEwdTZWF0dGxlMRQwEgYDVQQKFAtGNV9OZXR3b3JrczEUMBIGA1UE CxMLZGV2ZWxvcG1lbnQxGTAXBgkqhkiG9w0BCQEWCmRldkBmNS5jb20xEDAOBgNV BAMTB3Rlc3Rjc3IwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCinnAV Dv/G6+qbiBVO7zIPmFFatYcrzdUnvpTGXfPuh6VBRqcW90jJy12FwtYOL8P6mED+ gfjpxRWe+vjnztjZSIDpyh7Dn+F3MRF3zkgnSKlYKI9qqzlRHRAwi2U7GfujeR5H CXrJ4uxYK2Wp8WVSa7TWwj6Bnps8Uldnj0kenBJ1eUVUXoQAbUmZQg6l+qhKRiDh 3E/xMOtaGWg0SjD7dEQij5l+8FBEHVhQKEr52d4OifR62/MZSnPw2MY5OJ69p2Wn k7Fr7m4I5z9lxJduYDNmiddVilpWdqRaCB2j29XCmpVJduF2v6EsMx693K18IJ1h iRice6oKL7eoI/NdAgMBAAGgADANBgkqhkiG9w0BAQUFAAOCAQEAGjWSAqKUPqMY eLlSDamuLAR+ckia5r/TITqamMN+m8TqQI8Pk0tAnwHCl8HHS+4cI8QuupgS/3aU ls7OtxceoQZ1VFX2sQFkrDJFe0ewZQLm5diip5kxFrnap0oA0wRy84ks0wxeiCWD New3hgSXfzyXI0g0auT6KNwsGaO8ZuhOX3ICNnSLbfb00aYbhfI9jKopXQgZG/LO pOct33fdpf/U6kQA9Rw/nzs3Hz/nsVleOrl3TH1+9veMMF+6eq8KKPpbYKh9bhA+ pYI3TtbZHuyRyQbq/r4gf4JkIu/PGszzy/rsDWy+b9g9nXMh1oFj+xhTrBjBk8a2 0ov+Osy2iA== -----END CERTIFICATE REQUEST-----
- Commit the configuration changes.commit
Authentication and access management from the webUI
Configure basic authentication from the webUI
You can configure basic authentication (user
name and password) from either the system controller or the chassis partition
webUI.
- Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
- On the left, click.
- ForBasic Authentication, select whether to enable authenticating using a username and password.The default value isEnabled.
- ClickSave.
Configure token lifetime from the webUI
You can choose how long your webUI session
will remain active (in minutes) by configuring the token lifetime from the
webUI.
- Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
- On the left, click.
- ForToken Lifetime, enter the token lifetime length in minutes.The range is from 1 to 1440 minutes.The default value is15.
- ClickSave.
Configure local password policy from the webUI
A password policy enables you to
qualify criteria for valid passwords and configure maximum password attempts
for Local Authentication (
/etc/passwd
). You can configure local password policy at both
the chassis and the chassis partition levels from either the system controller
or chassis partition webUI.- Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
- On the left, click.
- ClickShowto display the Local Password Policy area.
- ForMinimum Length, enter the minimum number of characters required for a password.The allowed range is 6 to 255.
- ForRequired Characters, enter the minimum number ofNumeric,Uppercase,Lowercase, andSpecialcharacters required in a valid password.
- ForNew/Old Password Differential, enter the number of character changes in the new password that differentiate it from the old password.The default value is 8.
- ForDisallow Username, select whether to check the password for the user name in forward or reversed form.When set toTrue, if any variant of the username is found in the password, the new password is rejected.
- SetApply Password Policy to Root AccounttoTrueto use the same password policy for the root account.The default value isFalse.
- ForMaximum Password Retries, enter the number of times a user can try to create an acceptable password at the prompt.The default value is 3.
- ForMaximum Login Attempts, enter the allowed number of times a user can attempt to log in before the account is temporarily suspended.The default value is 10 tries. If set to 0, there is no limit to the number of login attempts.
- ForLockout Duration, type the amount of time in minutes that must lapse before a previously suspended user's account is unlocked.The default auto value is 1 minute. If the value is set to 0, the administrator will have to manually unlock the user's account.
- ForMax Password Age, type the maximum number of days the password will expire after being changed.If the last change was today and Maximum Password Age is 90, then the password will expire in 91 days. If set to 0 (the default), the password never expires.
- ClickSave.
You have configured the local password
policy for the system or on the chassis partition in which you are working. On
the same screen, you can configure other authentication settings.
Add users from the webUI
You can add users at both the
chassis level and the chassis partition level. Default root and admin accounts
are provided on the system. You can change the passwords on those accounts,
but they cannot be deleted.
You can create only
admin and operator users from the webUI. You can create other roles from
the CLI.
- Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
- On the left, click.
- ClickAdd.
- ForAuthentication Method, the value is fixed asLocal.
- ForUsername, enter a name for the user.
- ForSet Password, enter a valid password according to the local password policy defined in the Authentication Settings.
- ForConfirm Password, retype the password.
- From theRolelist, select the role to assign appropriate capabilities for the user. BothPrimary RoleandSecondary Rolefields have the following options:At the chassis level:OptionDescriptionAdminUsed for the chassis administrator. Provides access to the chassis CLI or chassis webUI to configure the system at the chassis level (unrestricted read/write access). Can unlock any chassis users. Logs in to the active system controller or floating IP address.Resource AdminSimilar to the Admin user role, but cannot create, modify, or delete local user accounts; create, modify, or delete server groups; or modify any authentication settings. This user role can modify their own user detail to change their own password.OperatorUsed for the chassis operator. Provides read access to chassis level configuration; write access to change password only. Logs in to the active system controller or floating IP address.At the chassis partition level:OptionDescriptionAdminUsed for the chassis partition administrator. Provides access to the chassis partition CLI and webUI to configure the system at the chassis partition level (unrestricted read/write access). Can unlock Operator users. Logs in to the chassis partition management IP address.Resource AdminSimilar to the Admin user role, but cannot create, modify, or delete local user accounts; create, modify, or delete server groups; or modify any authentication settings.OperatorUsed for the chassis partition operator. Provides read access to chassis partition configuration using the chassis partition CLI and webUI. Has write access to change password only. Logs in to the chassis partition management IP address.
- ForAuthorized Keys, add the required list of keys.
- From theExpiry Statuslist, select the applicable status.Available options are:OptionDescriptionEnabledThis option enables the selected expiry date which means the user account login is available.LockedThis options allows the expiry date is locked until the new expiry date is selected. It means the user account login is not available or expired.Expiry dateWhenExpiry dateis selected, this option displays a calendar widget. The user can select a future date and adjust an existingexpiry date including lengthening or shortening the duration/date. The selected and saved date will be in YYYY-MM-DD format.
- ClickSave & Close.
The user account is created where you
are working at either the chassis level or the chassis partition. Create as
many users as needed to manage the system at the chassis level and the chassis
partition.
Authentication and access management from the CLI
Add a user from the CLI
You can create additional users on
your system from either the system controller or chassis partition
CLI.
- Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Add a user.system aaa authentication users user <user-name> config username <user-name> role <role> expiry-date <yyyy-mm-dd>Where expiry-date is the date <yyyy-mm-dd> you want the account to expire. Other values for expiry-date are -1 for no expiration date (the default value), and 1 for expired.This example creates an admin user namedtestuserwith an account expiration date of November 20, 2025:syscon-1-active(config)# system aaa authentication users user testuser config username test role admin expiry-date 2025-12-20These roles are available:RoleDescriptionadminHas full read/write access and can make configuration changes at the level in which they are working (chassis or chassis partition).limitedIs for F5 internal use only.operatorHas read-only access to every screen and every configuration object at the level in which they are working (chassis or chassis partition).partition_nHas admin access to a specific chassis partition. The chassis administrator can create one terminal server role per chassis partition, wherenrefers to the chassis partition ID. When a user with the chassis partition_nrole logs in to a specific blade port, they are presented with the blade console through the terminal server. This is for troubleshooting and debugging the system.resource-adminSimilar to the Admin user role, but cannot create, modify, or delete local user accounts; create, modify, or delete server groups; or modify any authentication settings. This user role can modify their own user detail to change their own password.rootHas full read/write access and can make configuration changes at all levels, including the Bash shell.ts_adminHas admin access to the terminal server (TS). A user with this role has terminal server access to all consoles on the system regardless of chassis partition restrictions.userIs unprivileged and cannot do anything on the system. One or more supported roles need to be assigned to make this user account useful.
- Commit the configuration changes.commit
The system creates the account with
the specified role.
Disable a user from the CLI
You can disable user accounts on your
VELOS
system from either the system controller or chassis partition
CLI.- Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Disable a user.An expiry-status of "locked" disables the account immediately, and "enabled" causes the account never to expire. You can also set the expiry-status to a future date. In that case, set the expiry-status in yyyy-mm-dd format to the date you want the account to expire.system aaa authentication users user <user-name> config expiry-status [ locked | enabled | <yyyy-mm-dd> ]This example disables a user namedtestuser:syscon-1-active(config)# system aaa authentication users user testuser config expiry-status locked
- Commit the configuration changes.commit
Delete a user from the CLI
You can delete a specified user from
either the system controller or chassis partition CLI.
- Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Delete a user.no system aaa authentication users user <user-name>This example deletes a user namedtestuser:syscon-1-active(config)# no system aaa authentication users user testuser
- Commit the configuration changes.commit
Set an admin password from the CLI
You can set an admin user's password from either the system controller or chassis partition CLI.
- Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Set a password for an admin user.system aaa authentication users user <user-name> config set-passwordThis example sets the password for an admin user namedtestadmin:syscon-1-active(config)# system aaa authentication users user testadmin config set-passwordThe system prompts you to set a new password for the specified admin user.
Set maximum password age
You can globally set the maximum password
age for all users from either the system controller or chassis partition CLI.
To do this, you specify the number of days after which the password will
expire since it was last changed. For example, if the last change was today
and the maximum age is 1, the password will expire tomorrow.
- Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Specify the number of days after which a password will expire since it was last changed.system aaa password-policy config max-age <number-of-days>Set the expiry-date to a future date in yyyy-mm-dd format or set the expiry-date to -1 to indicate that the account never expires.system aaa authentication users user <user-name> config expiry-date { -1 | <yyyy-mm-dd> }This example indicates that passwords expire on 2021-12-12:syscon-1-active(config)# system aaa password-policy config max-age 2021-12-12
- Commit the configuration changes.commit
When you log in to the CLI, you receive a
message that the password will expire in the specified number of
days.
Change a password from the CLI
You can change the password for a specified
user from either the system controller or chassis partition CLI.
- Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Change a specified user's password.system aaa authentication users user <user-name> config change-passwordThis example changes the password for a user namedtestuser:syscon-1-active(config)# system aaa authentication users user testuser config change-passwordThe system prompts you to confirm the old password, set a new password, and confirm the new password for the specified user.
- Commit the configuration changes.commit
Modify user options from the CLI
You can modify or set options for a specified
user from either the system controller or chassis partition CLI.
- Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Change user options for a user.system aaa authentication users user <user-name> config last-change <time> expiry-date <mm-dd-yyyy>This example sets a last change date of zero (0) and an expiration date of January 1, 2030 for an admin user namedtestuser:syscon-1-active(config)# system aaa authentication users user testuser config last-change 0 expiry-date 01-01-2030
- Commit the configuration changes.commit
Show system login activity from the CLI
You can display the login time, method, host, and status
of system login activity from the CLI. The system maintains information for 7 login records
before overwriting the earliest records.
- Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Display the system login activity.show system login-activityThis example displays the system login activity.syscon-1-active# show system login-activity admin 2023-04-26 16:21:23 http 172.18.65.114 success 2023-04-26 16:55:32 http 172.18.65.114 success root 2023-04-14 01:21:55 ssh 10.145.71.88 success 2023-04-14 01:23:08 ssh 10.145.71.88 success