Cisco APIC-EM Security

• Information about Cisco APIC-EM Security, on page 1
• Information about PKI, on page 3
• Cisco APIC-EM Controller Certificate and Private Key Support, on page 9
• Cisco APIC-EM Trustpool Support, on page 13
• Security and Cisco Network Plug and Play, on page 15
• Configuring the TLS Version Using the CLI, on page 15
• Configuring IPSec Tunneling for Multi-Host Communications, on page 17
• Password Requirements, on page 20
• Cisco APIC-EM Ports Reference, on page 21

Information about Cisco APIC-EM Security

The Cisco APIC-EM requires a multi-layered architecture to support its basic functionality. This multi-layered architecture consists of the following components:

• External network or networks—The external network exists between administrators and applications on one side of the network, and the Grapevine root and clients within an internal network or cloud on the other side. Both administrators and applications access the Grapevine root and clients using this external network.
• Internal network—The internal network consists of both the Grapevine root and clients.
• Device management network—This network consists of the devices that are managed and monitored by the controller. Note that the device management network is essentially the same as the external network described above. This may be physically or logically segmented from the admins or northbound applications.

Important: Any inter-communications between the layers and intra-communications within the layers are protected through encryption, authentication, and segmentation.

Note: For information about the different services running on the clients within the internal network, see Chapter 4, Cisco APIC-EM Services.

External Network Security

The Cisco APIC-EM provides its service over HTTPS and presents its X.509 server public certificate to client communications arriving at any of the external interfaces (eth0, eth1, eth2, etc.). The external clients (for example, northbound REST API consumer applications, devices performing file downloads from the controller, DMVPN certificate renewal, or certificate revocation list (CRL), etc.) may reach the controller via a NAT, proxy gateway, or directly.
The external X.509 certificate that is presented by the controller is one that has been either dynamically generated and self-signed by the controller itself, or one that has been imported (user's X.509 certificate) with a private key into the controller using the GUI. You have the option to either use the self-signed X.509 certificate from the controller or to import and use your own X.509 certificate and private key. By default, the self-signed X.509 certificate presented to an API request is signed by Grapevine's internal Certificate Authority (CA). This self-signed X.509 certificate may not be recognized and accepted by your host. To proceed with your API request, you must ignore any warning and trust the certificate.

Note: We recommend against using and importing a self-signed certificate into the controller. Importing a valid X.509 certificate from a well-known certificate authority (CA) is recommended.

Northbound REST API requests from the external network to the Cisco APIC-EM are made secure using the Transport Layer Security (TLS) protocol. Although the controller supports several TLS versions, the default setting for the controller is TLS version 1.0. You can restrict TLS support to a later and more secure version using the CLI. For additional information, see Configuring the TLS Version Using the CLI, on page 15.

Related Topics
Configuring the TLS Version Using the CLI, on page 15

Internal Network Security

Several key intra-Grapevine communications using HTTP are sent over SSL using the internal public key infrastructure (PKI). All the internal Grapevine services, database servers, and the Cisco APIC-EM services themselves listen only on the internal network in order to keep these services segmented and secured.

Note: This PKI plane exists within the Cisco APIC-EM. This PKI plane is inaccessible to northbound REST API callers, such as third-party applications. For information about the other PKI planes, see Cisco APIC-EM PKI Planes, on page 4.

Related Topics
Configuring IPSec Tunneling for Multi-Host Communications, on page 17

Device Management Network Security

Device management network security involves both controller-initiated communications and device-initiated communications.
For controller-initiated communications (discovery or pushing policy to the devices), the Cisco APIC-EM uses the following protocols to access and program network devices:

• SSH version 2
• SNMP versions 2c and 3
• Telnet (disabled by default)

Note: If supported by the network devices, we strongly recommend using SNMP version 3 with authentication and privacy enabled. The controller does not connect to devices that are SSH version 1. HTTP and HTTPS are not supported for device discovery by the controller.

For device-initiated communications, network devices can use the following protocols to communicate and interact with the controller:

• HTTP
• HTTPS
• SNMP version 2c

The use of HTTP or HTTPS is not up to the device itself; it is determined by the NB REST API that the device is calling. HTTP is supported for less sensitive communications.

Related Topics
Configuring the TLS Version Using the CLI, on page 15

Information about PKI

The Cisco APIC-EM relies on Public Key Infrastructure (PKI) to provide secure communications. PKI consists of certificate authorities, digital certificates, and public and private keys.

Certificate authorities (CAs) manage certificate requests and issue digital certificates to participating entities such as hosts, network devices, or users. The CAs provide centralized key management for the participating entities.

Digital signatures, based on public key cryptography, digitally authenticate the hosts, devices and/or individual users. In public key cryptography, such as the RSA encryption system, each entity has a key pair that contains both a private key and a public key. The private key is kept secret and is known only to the owning host, device or user. However, the public key is known to everyone. Anything encrypted with one of the keys can be decrypted with the other. A signature is formed when data is encrypted with a sender's private key. The receiver verifies the signature by decrypting the message with the sender's public key. This process relies on the receiver having a copy of the sender's public key and knowing with a high degree of certainty that it really does belong to the sender and not to someone pretending to be the sender.
Digital certificates link the digital signature to the sender. A digital certificate contains information to identify a user or device, such as the name, serial number, company, department, or IP address. It also contains a copy of the entity's public key. The CA that signs the certificate is a third party that the receiver explicitly trusts to validate identities and to create digital certificates.

To validate the signature of the CA, the receiver must first know the CA's public key. Typically this process is handled out of band or through an operation done at installation. For instance, most web browsers are configured with the public keys of several CAs by default.

Cisco APIC-EM PKI Planes

The Cisco APIC-EM provides PKI-based connections in the following distinct PKI planes:

• Controller PKI Plane—HTTPS connections in which the controller is the server in the client-server model, and the controller's server certificate secures the connection. The controller's server certificate can be self-signed (default) or issued by an external CA (recommended).
• Device PKI Plane—DMVPN connections between devices in the control plane of the network, bilaterally authenticated and secured by the device ID certificates of both devices that participate in the connection. A private CA provided by the Cisco APIC-EM controller (the Device PKI CA) manages these certificates and keys.
• Grapevine Service PKI Plane—The Grapevine root manages this internal PKI plane that secures communications between Grapevine services in a multi-host cluster; the Grapevine Service PKI Plane is not externally accessible, so it is not discussed further here.

The following is a schematic of the Cisco APIC-EM PKI planes, certificate authorities, and certificates. The Controller PKI Plane employs a Controller Internal CA that, in response to external requests, provides a Controller NB certificate and Controller CA certificate. The Grapevine PKI Plane employs the same Controller Internal CA that, in response to internal requests (from controller services), provides a Controller Service Certificate. The Device PKI Plane employs an SDN Infrastructure CA that provides a CA Certificate (Root CA mode in this schematic) for IWAN and PnP devices.
Figure 1: Cisco APIC-EM PKI Planes

The Cisco APIC-EM PKI planes support different trust relationships or domains as displayed with the use cases in the following table:

Table 1: PKI Planes in Cisco APIC-EM

Controller PKI Plane: external caller initiates connection to controller
• HTTPS
  Authentication: Caller presents username and password or service ticket; controller presents server certificate.
  Encryption: Yes
  Use Case: REST client, including Cisco Network Plug N Play (PnP) mobile app or Cisco Prime Infrastructure
• HTTPS
  Authentication: One-way: controller presents its server certificate.
  Encryption: Yes
  Use Case: Cisco Network Plug N Play (PnP) provisioning workflow

Device PKI Plane: device-to-device connections
• DMVPN
  Authentication: Bilateral authentication via Internet Key Exchange Version 2 (IKEv2) using certificates/keys issued by a private CA within the Cisco APIC-EM controller.
  Encryption: Yes
  Use Case: DMVPN connections between devices

Note: The security content and discussion in this deployment guide concerns itself primarily with the Controller PKI Plane. For information about the Device PKI Plane, see the PKI Planes in Cisco APIC-EM Technote.

Controller PKI Plane

When an external caller initiates an HTTPS connection to the controller, the controller presents its server certificate. Such connections include the following:

• Logins to the Cisco APIC-EM GUI via HTTPS
• Logins to the Grapevine APIs (port 14141) via HTTPS
• Invocations of the NB REST API via HTTPS

When a NB REST API caller initiates an HTTPS connection to the controller to invoke a NB REST API or to download a file (such as a device image, a configuration, and so on), the controller (server) presents its server certificate to the caller (client) that requested the connection.

Only two NB REST APIs use HTTP instead of HTTPS: the API that downloads the trustpool bundle (GET /ca/trustpool), and the API that downloads the controller's certificate (GET /ca/pem). All other NB REST APIs utilize HTTPS.
Note that controller-initiated connections to devices do NOT take place within the Controller PKI Plane. Even if the connections use SSH or SNMPv3, no CA manages the keys involved, so the connection is not considered to be PKI-based. The controller may initiate connections to devices for purposes that include discovery, managing tags, pushing policy to devices, or interacting with devices on behalf of a REST caller. For compatibility with older devices, discovery can optionally use the TELNET protocol, which is insecure and therefore outside the scope of this PKI discussion.

Device PKI Plane

IWAN-managed control-plane devices form Dynamic Multipoint VPN (DMVPN) connections among themselves. A private Certificate Authority (CA) provided by the Cisco APIC-EM (the Device PKI CA) provisions the certificates and keys that secure these DMVPN connections. The PKI broker service manages these certificates and keys as directed by an admin in the IWAN GUI or as directed by a REST caller that uses the /certificate-authority and /trust-point NB REST APIs.

Note: In the default mode, the Device PKI CA in the Cisco APIC-EM cannot be a subordinate/intermediate CA to any external CA. These two PKI planes (one for the controller connections and the other for the device-to-device DMVPN connections) remain completely independent of each other. In the current release, the IWAN devices' mutual interaction certificates are managed only by the Device PKI CA. External CAs cannot manage the IWAN-specific certificates that devices present to each other for DMVPN tunnel-creation and related operations.

Device PKI Plane Modes

The Device PKI Plane supports two modes:

• Root mode—The private CA provided by the Cisco APIC-EM controller does not interact with any other CA. This is the default mode for the controller.
• SubCA mode—In SubCA mode, the private CA provided by the Cisco APIC-EM controller can be an intermediary CA to an external CA. This means that the private controller CA still manages the certificates and keys that secure device-to-device communications, but it is in a subordinate position to that external CA. This mode must be enabled by an administrator (ROLE_ADMIN).
Changing the PKI mode from root to SubCA (subordinate CA) changes the hierarchy and subordinates the private controller CA to an external CA. The following schematic displays the distinct PKI planes with the Device PKI plane in SubCA mode; in this schematic the Root CA is external to the controller. See Cisco APIC-EM PKI Planes, on page 4 for a schematic of Root CA mode for the Device PKI plane.

Figure 2: Device PKI Plane—SubCA Mode

Related Topics
Changing the Role of the PKI Certificate from Root to Subordinate
Viewing the Device Certificate Lifetime

Device PKI Notifications

The Cisco APIC-EM provides device PKI notifications to assist the user with both troubleshooting and serviceability.

Important: The device PKI notifications described in this section are only activated from device-to-device DMVPN connections and not the controller connections.

The following device PKI notifications are available:

• System Notifications—Notifications indicating that user action is required. These notifications are visible from the System Notifications view that is accessible from the Global toolbar in the GUI.
• Audit Log Notifications—Notifications in system logs that are visible using the controller's Audit Log GUI. For information about viewing the audit logs in the controller's GUI, see Viewing Audit Logs.
The following PKI System notification types are supported:

• Information
  • New trustpoint creation
  • New PKCS12 file creation
  • Successful enrollment of a device certificate
  • Successful renewal of a device certificate
  • Revocation of a device certificate
• Warning
  • Partial revocation—Device unreachable or trustpoint is in use
  • Enrollment delay after 80 percent of a certificate's lifetime
  • Service launch delay
• Critical
  • Certificate Authority handshake failed
  • Enrollment failed
  • Revocation failed
  • Renew failed

The following audit log notifications are available in the system logs:

• Device enrollment
• Certificate push to the device
• Renewal of a device certificate
• Revocation of a device certificate

Cisco APIC-EM Controller Certificate and Private Key Support

The Cisco APIC-EM supports a PKI certificate management feature (Controller PKI Plane) that is used to authenticate sessions (HTTPS). These sessions use commonly recognized trusted agents called certificate authorities (CAs). The Cisco APIC-EM uses the PKI certificate management feature to import, store, and manage an X.509 certificate from well-known CAs. The imported certificate becomes an identity certificate for the controller itself, and the controller presents this certificate to its clients for authentication. The clients are the NB API applications and network devices.

The Cisco APIC-EM can import the following files (in either PEM or PKCS file format) using the controller's GUI:

• X.509 certificate
• Private key

Note: For the private key, Cisco APIC-EM supports the importation of RSA keys. You should not import DSA, DH, ECDH, and ECDSA key types; they are not supported. You should also keep the private key secure in your own key management system.
Prior to import, you must obtain a valid X.509 certificate and private key from a well-known certificate authority (CA) or create your own self-signed certificate. After import, the security functionality based upon the X.509 certificate and private key is automatically activated. The Cisco APIC-EM presents the certificate to any device or application that requests it. Both the northbound API applications and network devices can use these credentials to establish a trust relationship with the controller.

In an IWAN configuration and for the Network PnP functionality, an additional procedure involving a PKI trustpool is used to ensure trust between devices within the network. See the following Cisco APIC-EM Trustpool Support section for information about this procedure.

Note: We recommend against using and importing a self-signed certificate into the controller. Importing a valid X.509 certificate from a well-known certificate authority (CA) is recommended. Additionally, you must replace the self-signed certificate (installed in the Cisco APIC-EM by default) with a certificate that is signed by a well-known certificate authority for the Network PnP functionality to work properly.

The Cisco APIC-EM supports only one imported X.509 certificate and private key at a time. When you import a second certificate and private key, it overwrites the first (existing) imported certificate and private key values.

Note: If the external IP address changes for your controller for any reason, then you need to re-import a new certificate with the changed or new IP address.

Related Topics
Importing the Controller's Server Certificate

Cisco APIC-EM Controller Certificate Chain Support

The Cisco APIC-EM is able to import certificates and private keys into the controller through its GUI.

If there are subordinate certificates involved in the certificate chain leading to the certificate that is imported into the controller (controller certificate), then both the subordinate certificates as well as the root certificate of these subordinate CAs must be appended together into a single file to be imported. When appending these certificates, you must append them in the same order as the actual chain of certification.
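A pre-import check for the appended chain file described above, added here as an example and not Cisco's own code: it splits a PEM bundle, pulls each certificate's issuer and subject with a minimal DER walker, and confirms the order runs controller certificate, subordinate CA(s), then root. It assumes the bundle ends with a self-signed root, as the section requires; fake_cert_pem builds constructed, unsigned stand-ins with the real tbsCertificate field layout so the check can be exercised offline.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_tlvs(buf):
    """Split a run of DER TLVs into (tag, content) pairs (short and long length forms)."""
    out, i = [], 0
    while i < len(buf):
        tag, first = buf[i], buf[i + 1]
        n = 0 if first < 0x80 else first & 0x7F
        length = first if first < 0x80 else int.from_bytes(buf[i + 2:i + 2 + n], "big")
        start = i + 2 + n
        out.append((tag, buf[start:start + length]))
        i = start + length
    return out

def subject_issuer(der):
    """Return raw DER content of the (subject, issuer) Names from an X.509 certificate."""
    fields = der_tlvs(der_tlvs(der_tlvs(der)[0][1])[0][1])  # Certificate -> tbsCertificate
    if fields[0][0] == 0xA0:              # skip the optional [0] EXPLICIT version field
        fields = fields[1:]
    return fields[4][1], fields[2][1]     # serial(0) sigAlg(1) issuer(2) validity(3) subject(4)

def check_chain_order(pem_bundle):
    """Return a list of problems; empty means leaf -> subordinate(s) -> self-signed root."""
    certs = [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(pem_bundle)]
    problems = [] if certs else ["no certificates found in bundle"]
    for idx in range(len(certs) - 1):
        if subject_issuer(certs[idx])[1] != subject_issuer(certs[idx + 1])[0]:
            problems.append(f"certificate {idx + 1} is not the issuer of certificate {idx}")
    if certs and subject_issuer(certs[-1])[0] != subject_issuer(certs[-1])[1]:
        problems.append("last certificate is not a self-signed root")
    return problems

def tlv(tag, content):
    """Encode one DER TLV (short length form, or 2-byte long form)."""
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")) + content

def fake_cert_pem(subject, issuer):
    """Constructed, unsigned stand-in with the real tbsCertificate field layout (test data only)."""
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
              + name(issuer) + tlv(0x30, b"") + name(subject) + tlv(0x30, b""))
    der = tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"
```

Run check_chain_order on the real bundle you intend to import; any non-empty result means the file is not in chain order and the controller import should not be attempted until it is fixed.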