
Cisco APIC-EM Security

16 Pages·2016·1.39 MB·English

Cisco APIC-EM Security

• Information about Cisco APIC-EM Security, page 1
• Information about PKI, page 3
• Cisco APIC-EM Certificate and Private Key Support, page 6
• Cisco APIC-EM Trustpool Support, page 7
• Security and Cisco Network Plug and Play, page 8
• Configuring the TLS Version Using the CLI, page 9
• Configuring IPSec Tunneling for Multi-Host Communications, page 11
• Password Requirements, page 14
• Cisco APIC-EM Ports Reference, page 14

Information about Cisco APIC-EM Security

The Cisco APIC-EM requires a multi-layered architecture to support its basic functionality. This multi-layered architecture consists of the following components:

• External network or networks—The external network exists between administrators and applications on one side of the network, and the Grapevine root and clients within an internal network or cloud on the other side. Both administrators and applications access the Grapevine root and clients using this external network.
• Internal network—The internal network consists of both the Grapevine root and clients.
• Device management network—This network consists of the devices that are managed and monitored by the controller. Note that the device management network is essentially the same as the external network described above. This may be physically or logically segmented from the admins or northbound applications.

Important: Any inter-communications between the layers and intra-communications within the layers are protected through encryption, authentication, and segmentation.

Cisco Application Policy Infrastructure Controller Enterprise Module Deployment Guide, Release 1.2.x

Note: For information about the different services running on the clients within the internal network, see Chapter 3, Cisco APIC-EM Services.
External Network Security

The Cisco APIC-EM provides its service over HTTPS and presents its X.509 server public certificate to client communications arriving at any of the external interfaces (eth0, eth1, eth2, etc.). The external clients (for example, northbound REST API consumer applications, devices performing file downloads from the controller, DMVPN certificate renewal, or certificate revocation list (CRL), etc.) may reach the controller via a NAT, proxy gateway, or directly.

The external X.509 certificate that is presented by the controller is one that has been either dynamically generated and self-signed by the controller itself, or one that has been imported (the user's X.509 certificate) with a private key into the controller using the GUI. You have the option to either use the self-signed X.509 certificate from the controller or to import and use your own X.509 certificate and private key. By default, the self-signed X.509 certificate presented to an API request is signed by Grapevine's internal Certificate Authority (CA). This self-signed X.509 certificate may not be recognized and accepted by your host. To proceed with your API request, you must ignore any warning and trust the certificate.

Note: We recommend against using and importing a self-signed certificate into the controller. Importing a valid X.509 certificate from a well-known certificate authority (CA) is recommended.

Northbound REST API requests from the external network to the Cisco APIC-EM are made secure using the Transport Layer Security (TLS) protocol. Although the controller supports several TLS versions, the default setting for the controller is TLS version 1.0. You can restrict TLS support to a later and more secure version using the CLI. For additional information, see Configuring the TLS Version Using the CLI, on page 9.

Related Topics: Configuring the TLS Version Using the CLI, on page 9

Internal Network Security

Several key intra-Grapevine communications using HTTP are sent over SSL using the internal public key infrastructure (PKI). All the internal Grapevine services, database servers, and the Cisco APIC-EM services themselves listen only on the internal network in order to keep these services segmented and secured.
Related Topics: Configuring IPSec Tunneling for Multi-Host Communications, on page 11

Device Management Network Security

Device management network security involves both controller-initiated communications and device-initiated communications.

For controller-initiated communications (discovery or pushing policy to the devices), the Cisco APIC-EM uses the following protocols to access and program network devices:

• SSH version 2
• Telnet
• SNMP versions 2c and 3

Note: If supported by the network devices, we strongly recommend using SNMP version 3 with authentication and privacy enabled. The controller does not connect to devices that are SSH version 1. HTTP and HTTPS are not supported for device discovery by the controller.

For device-initiated communications, network devices can use the following protocols to communicate and interact with the controller:

• HTTP
• HTTPS
• SNMP version 2c

The use of HTTP or HTTPS is not up to the device itself; it is determined by the NB REST API that the device is calling. HTTP is supported for less sensitive communications.

Related Topics: Configuring the TLS Version Using the CLI, on page 9

Information about PKI

The Cisco APIC-EM relies on Public Key Infrastructure (PKI) to provide secure communications. PKI consists of certificate authorities, digital certificates, and public and private keys.

Certificate authorities (CAs) manage certificate requests and issue digital certificates to participating entities such as hosts, network devices, or users. The CAs provide centralized key management for the participating entities.
Digital signatures, based on public key cryptography, digitally authenticate the hosts, devices and/or individual users. In public key cryptography, such as the RSA encryption system, each entity has a key pair that contains both a private key and a public key. The private key is kept secret and is known only to the owning host, device or user. However, the public key is known to everyone. Anything encrypted with one of the keys can be decrypted with the other. A signature is formed when data is encrypted with a sender's private key. The receiver verifies the signature by decrypting the message with the sender's public key. This process relies on the receiver having a copy of the sender's public key and knowing with a high degree of certainty that it really does belong to the sender and not to someone pretending to be the sender.

Digital certificates link the digital signature to the sender. A digital certificate contains information to identify a user or device, such as the name, serial number, company, department, or IP address. It also contains a copy of the entity's public key. The CA that signs the certificate is a third party that the receiver explicitly trusts to validate identities and to create digital certificates.

To validate the signature of the CA, the receiver must first know the CA's public key. Typically this process is handled out of band or through an operation done at installation. For instance, most web browsers are configured with the public keys of several CAs by default.

Supported Cisco APIC-EM PKI Planes

The Cisco APIC-EM maintains two completely separate PKI planes that do not share certificates, keys, or CAs. Each PKI plane secures a particular set of connections:

• Controller connections

The controller's server certificate secures client-initiated connections (communications) to the controller.
The controller will present its server certificate in response to HTTPS connection requests from NB REST API callers, such as third-party applications that interact with the controller by means of the NB REST API. Additionally, when a router, switch, or other control-plane device initiates an HTTPS connection to the controller to invoke a NB REST API or to download a file (such as a device image, a configuration, etc.), the server presents its certificate to the device that requested the connection. Device interactions initiated by the controller, including actions that the controller takes on behalf of a REST caller (for example, discovering devices, managing tags, or pushing policy to devices), do not currently use HTTPS.

Note: The security content and discussion in this deployment guide concerns itself solely with this specific PKI plane.

• Device-to-device DMVPN connections

IWAN-managed devices form Dynamic Multipoint VPN (DMVPN) connections between themselves to fulfill the IWAN QoS policy. An embedded private CA in the Cisco APIC-EM provisions the certificates and keys that secure these DMVPN connections. The PKI broker embedded in the Cisco APIC-EM manages these certificates and keys as directed by an admin in the IWAN GUI or a REST caller that uses the pki-broker NB REST API. An external CA cannot manage these certificates and keys.

Currently, only the IWAN application and the DMVPN connection use the internal CA issued certificates. In future, there may be other services that obtain certificates from the Cisco APIC-EM internal CA.

Note: This deployment guide does not discuss the IWAN Dynamic Multipoint VPN (DMVPN) connections. For information about this topic, see the appropriate Cisco IWAN documentation.

Important: The internal CA embedded in the Cisco APIC-EM cannot be a sub/intermediate CA to any external CA.
Until the Cisco APIC-EM adds such support, these two PKI planes (one for the controller connections and the other for the device-to-device DMVPN connections) remain completely independent of one another. In the current release, the IWAN devices' mutual interaction certificates are managed only by the CA that is embedded in the Cisco APIC-EM. External CAs cannot manage the IWAN-specific certificates that devices present to each other for DMVPN tunnel creation and related operations.

PKI Device Notifications

The Cisco APIC-EM provides PKI device notifications to assist the user with both troubleshooting and serviceability.

Important: The PKI device notifications described in this section are only activated from device-to-device DMVPN connections and not the controller connections.

The following PKI device notifications are available:

• System Notifications—Notifications indicating that user action is required. These notifications are visible from the System Notifications view that is accessible from the Global toolbar in the GUI.
• Audit Log Notifications—Notifications in system logs that are visible using the controller's Audit Log GUI.
The following PKI System notification types are supported:

• Information
  ◦ New trustpoint creation
  ◦ New PKCS12 file creation
  ◦ Successful enrollment of a device certificate
  ◦ Successful renewal of a device certificate
  ◦ Revocation of a device certificate
• Warning
  ◦ Partial revocation—Device unreachable or trustpoint is in use
  ◦ Enrollment delay after 80 percent of a certificate's lifetime
  ◦ Service launch delay
• Critical
  ◦ Certificate Authority handshake failed
  ◦ Enrollment failed
  ◦ Revocation failed
  ◦ Renew failed

The following audit log notifications are available in the system logs:

• Device enrollment
• Certificate push to the device
• Renewal of a device certificate
• Revocation of a device certificate

Cisco APIC-EM Certificate and Private Key Support

The Cisco APIC-EM supports a PKI certificate management feature that is used to authenticate sessions (HTTPS). These sessions use commonly recognized trusted agents called certificate authorities (CAs). The Cisco APIC-EM uses the PKI certificate management feature to import, store, and manage an X.509 certificate from well-known CAs. The imported certificate becomes an identity certificate for the controller itself, and the controller presents this certificate to its clients for authentication. The clients are the NB API applications and network devices.

The Cisco APIC-EM can import the following files (in either PEM or PKCS file format) using the controller's GUI:

• X.509 certificate
• Private key

Note: For the private key, Cisco APIC-EM supports the importation of RSA keys. You should not import DSA, DH, ECDH, and ECDSA key types; they are not supported. You should also keep the private key secure in your own key management system.
Prior to import, you must obtain a valid X.509 certificate and private key from a well-known certificate authority (CA) or create your own self-signed certificate. After import, the security functionality based upon the X.509 certificate and private key is automatically activated. The Cisco APIC-EM presents the certificate to any device or application that requests it. Both the northbound API applications and network devices can use these credentials to establish a trust relationship with the controller.

In an IWAN configuration and for the Network PnP functionality, an additional procedure involving a PKI trustpool is used to ensure trust between devices within the network. See the following Cisco APIC-EM Trustpool Support section for information about this procedure.

Note: We recommend against using and importing a self-signed certificate into the controller. Importing a valid X.509 certificate from a well-known certificate authority (CA) is recommended. Additionally, you must replace the self-signed certificate (installed in the Cisco APIC-EM by default) with a certificate that is signed by a well-known certificate authority for the Network PnP functionality to work properly.

The Cisco APIC-EM supports only one imported X.509 certificate and private key at a time. When you import a second certificate and private key, it overwrites the first (existing) imported certificate and private key values.

Note: If the external IP address changes for your controller for any reason, then you need to re-import a new certificate with the changed or new IP address.

Related Topics: Importing a Certificate

Cisco APIC-EM Certificate Chain Support

The Cisco APIC-EM is able to import certificates and private keys into the controller through its GUI. The Cisco APIC-EM also supports the importation of subordinate certificates (intermediate certificates) from a subordinate Certificate Authority (CA) through its GUI.
If there are subordinate certificates involved in the certificate chain leading to the certificate that is imported into the controller (the controller certificate), then both the subordinate certificates as well as the root certificate of these subordinate CAs must be appended together into a single file to be imported. When appending these certificates, you must append them in the same order as the actual chain of certification.

For example, assume that a well-known and trusted CA with a root certificate (CAroot) signed an intermediate CA certificate (CA1). Next, assume that this certificate, CA1, signs another intermediate CA certificate (CA2). Finally, assume that the CA certificate (CA2) was the CA that signed the controller certificate (Controller_Certificate). In this example, the PEM file that needs to be created and imported into the controller should have the following order from the top (beginning) of the file to the bottom of the file (end):

1 Controller_Certificate (top of file)
2 CA2 certificate
3 CA1 certificate

The requirement to append the root and subordinate certificates to the controller certificate to create a single file only applies to a PEM file. Appending the root and intermediate certificates is not required for a PKCS file.

Related Topics: Importing a Certificate

Cisco APIC-EM Trustpool Support

The Cisco APIC-EM and Cisco IOS devices support a special PKI certificate store known as the trustpool. The trustpool holds X.509 certificates that identify trusted certificate authorities (CAs). The Cisco APIC-EM and the devices in the network use the trustpool bundle to manage trust relationships with each other and with these CAs. The controller manages this PKI certificate store and has the ability to update it through its GUI when certificates in the pool are due to expire, are reissued, or must be changed for other reasons.

Note: The Cisco APIC-EM also uses the trustpool functionality to determine whether any certificate file that is uploaded via its GUI is a valid CA signed certificate or not.
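A bundle assembled by hand in the wrong order is rejected only at import time, so it helps to check the ordering rule above (each certificate sits directly above the certificate that issued it) before uploading. The script below is an added example, not code from the guide or from Cisco: it walks each certificate's DER just far enough to read the issuer and subject names and reports any consecutive pair that does not chain. The sample bundle is constructed in the script from unsigned, certificate-shaped DER that mirrors the guide's CAroot, CA1, CA2, Controller_Certificate example; no signatures are verified, only the order.

```python
import base64
import re

# Added example, not the guide's code: verifies that a PEM bundle prepared for import
# lists Controller_Certificate first, then CA2, then CA1, i.e. every certificate's
# issuer is the subject of the certificate that follows it in the file.

CN_OID = b"\x55\x04\x03"                                  # 2.5.4.3 id-at-commonName
RSA_SHA256_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # sha256WithRSAEncryption
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_read(buf, pos=0):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: 0x8N followed by N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the contents of a constructed DER value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def cert_issuer_subject(cert_der):
    """Return (issuer, subject) as raw DER Name contents from an X.509 certificate."""
    _, cert_body, _ = der_read(cert_der)        # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, tbs, _ = der_read(cert_body)             # tbsCertificate is the first element
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                    # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber(0) signature(1) issuer(2) validity(3) subject(4) subjectPublicKeyInfo(5)
    return fields[2][1], fields[4][1]


def pem_bundle_to_der(pem_text):
    """Extract every CERTIFICATE block from a PEM bundle, top to bottom, as DER bytes."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(pem_text)]


def check_chain_order(pem_text):
    """Return ordering problems; an empty list means the bundle follows the chain."""
    certs = pem_bundle_to_der(pem_text)
    if not certs:
        return ["no CERTIFICATE blocks found in the bundle"]
    problems = []
    for i in range(len(certs) - 1):
        issuer, _ = cert_issuer_subject(certs[i])
        _, next_subject = cert_issuer_subject(certs[i + 1])
        if issuer != next_subject:
            problems.append(f"certificate #{i + 1} was not issued by certificate #{i + 2}")
    return problems


# --- constructed sample data: unsigned, certificate-shaped DER, enough for the walker ---

def der(tag, body):
    """Encode one DER TLV (short-form length, or one-byte long form up to 255)."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n])
    return bytes([tag]) + length + body


def der_name(cn):
    """Name ::= SEQUENCE OF SET OF { commonName OID, UTF8String }."""
    atv = der(0x30, der(0x06, CN_OID) + der(0x0C, cn.encode()))
    return der(0x30, der(0x31, atv))


def make_fake_cert(subject_cn, issuer_cn):
    """Constructed certificate carcass (no real key, no real signature) for the demo."""
    alg = der(0x30, der(0x06, RSA_SHA256_OID))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + der_name(issuer_cn)
              + der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"340101000000Z"))
              + der_name(subject_cn) + der(0x30, b""))
    return der(0x30, tbs + alg + der(0x03, b"\x00"))


def to_pem(cert_der):
    b64 = base64.b64encode(cert_der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# The guide's example chain: CAroot -> CA1 -> CA2 -> Controller_Certificate
CHAIN = [("Controller_Certificate", "CA2"), ("CA2", "CA1"), ("CA1", "CAroot")]
GOOD_BUNDLE = "".join(to_pem(make_fake_cert(s, i)) for s, i in CHAIN)
BAD_BUNDLE = "".join(to_pem(make_fake_cert(s, i)) for s, i in reversed(CHAIN))

if __name__ == "__main__":
    print("correct order:", check_chain_order(GOOD_BUNDLE) or "OK")
    print("reversed order:", check_chain_order(BAD_BUNDLE))
```

Run it against a real bundle by passing the file's text to check_chain_order; the walker only reads the issuer and subject fields, so it works on any standards-conformant certificate, but it deliberately stops short of signature validation, which the controller performs against its trustpool at import.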
The Cisco APIC-EM contains a pre-installed, default, Cisco-signed trustpool bundle named ios.p7b. This trustpool bundle is trusted by supported Cisco network devices natively, since it is signed with a Cisco digital signing certificate. This trustpool bundle is critical for the Cisco network devices to establish trust with services and applications that are genuine. This Cisco PKI trustpool bundle file is available on the Cisco website (Cisco InfoSec). The link is located at: http://www.cisco.com/security/pki/

For the controller's Network PnP functionality, the supported Cisco devices that are being managed and monitored by the controller need to import this file. When the supported Cisco devices first boot up, they contact the controller to import this file.

Note: At times, you may need to update this trustpool bundle to a newer version due to certificates in the trustpool expiring, being reissued, or for other reasons. Whenever the trustpool bundle that exists on the controller needs to be updated, you can update it by using the controller's GUI. The controller can access the Cisco cloud (where the Cisco approved trustpool bundles are located) and download the latest trustpool bundle. After download, the controller then overwrites the current, older trustpool bundle file. As a practice, you may want to update the trustpool bundle before a new certificate from a CA is to be imported using the Certificate window or the Proxy Gateway Certificate window, or whenever the Update button is active and not grayed out.

The Cisco APIC-EM trustpool management feature operates in the following way:

1 You boot up the Cisco devices within your network that support the Network PnP functionality.
Note that not all Cisco devices support the Network PnP functionality. See the Release Notes for Cisco Network Plug and Play for a list of the supported Cisco devices.
2 As part of the initial PnP flow, these supported Cisco devices download a trustpool bundle directly from the Cisco APIC-EM using HTTP.
3 The Cisco devices are now ready to interact with the Cisco APIC-EM to obtain further device configuration and provisioning per the Network PnP traffic flows.

Important: If an HTTP proxy gateway exists between the controller and these Cisco devices, then perform an additional procedure to import the proxy gateway certificate into the controller. See Importing a Proxy Gateway Certificate.

Related Topics: Importing a Trustpool Bundle

Security and Cisco Network Plug and Play

With the Cisco Network Plug and Play (PnP) application, the Cisco APIC-EM responds to HTTPS requests from supported Cisco network devices and permits these devices to download and install an image and desired configuration. Before a device can download these files from the controller, the initial interaction between the controller and device involves the establishment of a trust relationship.

At first interaction with a PnP enabled device, that PnP enabled device is provisioned by the controller with trust information that includes a CA root certificates bundle or at the least the certificate of the CA that issued the server side certificate. Note that in the latter case, the CA may or may not be a well known CA.

In certain Cisco Network Plug and Play scenarios, your network configuration may have a proxy gateway present between the controller and PnP enabled devices. For example, in an IWAN deployment a branch router may communicate with the Cisco APIC-EM through a proxy gateway at the DMZ at initial provisioning. Depending upon whether there is a proxy gateway present or not, the trust information provided by the controller at the initial transaction with the devices may correspond to the proxy gateway's or to the controller's certificate issuer (if the corresponding server certificates are not valid CA signed). On the other hand, in either proxy or non-proxy cases, if the certificate is a simple self-signed certificate, then that certificate will be downloaded by the device into its trust store.

Note: Using a self-signed certificate for either the Cisco APIC-EM or the proxy gateway is strongly discouraged.
We strongly recommend using a publicly verifiable CA issued certificate to be installed on the controller, as well as the proxy gateway if one is present.

With a valid CA issued certificate for the controller or the proxy gateway (if present), the PnP enabled devices can download the trustpool bundle (ios.p7b) containing all the well known CA root certificates. This permits the devices to establish secure connections to the controller or to the proxy gateway for further provisioning and operation of those devices. If such a certificate is not a valid CA issued or self-signed, then the devices will have to download the issuing CA's or self-signed certificate to proceed further with a secure connection to the controller or a proxy gateway in front of the controller. The Cisco APIC-EM facilitates automatic downloads of the relevant trusted certificates on the devices, depending on the nature of the certificate installed on it. However, when a proxy gateway is present, the controller provides a provisioning GUI to facilitate similar pre-provisioning.

Related Topics: Importing a Proxy Gateway Certificate

Configuring the TLS Version Using the CLI

Northbound REST API requests from the external network to the Cisco APIC-EM (from northbound REST API based apps, browsers, and network devices connecting to the controller using HTTPS) are made secure using the Transport Layer Security protocol (TLS). The Cisco APIC-EM supports TLS versions 1.0, 1.1, and 1.2.

The minimum TLS version that a client (either a northbound application client such as the controller GUI browser or a network device) can communicate with the controller by default is TLS 1.0. If your network device IOS/XE versions can support a higher version than TLS 1.0, then it is strongly recommended to configure the minimum TLS version of the controller to the higher version (be sure that all of your network devices under Cisco APIC-EM control can support this higher TLS version).

Note: Any versions lower than TLS 1.0 (such as SSLv3 and SSLv2) are not supported by Cisco APIC-EM.
Important: With the controller TLS version set to 1.2, a client initiating a TLS version 1.0 or 1.1 connection will be rejected and any communications from this client will fail. With the controller TLS version set to 1.0, a client initiating a TLS version 1.1 or 1.2 connection will be permitted.

You configure the TLS version for the controller by logging into the host (physical or virtual) and using the CLI.

Note: This security feature applies only to port 443 on the Cisco APIC-EM.

Before You Begin

You must have successfully deployed the Cisco APIC-EM and it must be operational.
You must have grapevine SSH access privileges to perform this procedure.

Step 1 Using a Secure Shell (SSH) client, log into the host (physical or virtual) with the IP address that you specified using the configuration wizard.

Note: The IP address to enter for the SSH client is the IP address that you configured for the network adapter. This IP address connects the host to the external network.

Step 2 When prompted, enter your Linux username ('grapevine') and password for SSH access.

Step 3 Enter the grape config display command at the prompt to display the default TLS minimum version.

    $ grape config display
    PROPERTY                    VALUE
    ----------------------------------------------------------------------
    client_grow_timeout         150
    client_heartbeat_timeout    120
    client_idle_timeout         60
    enable_policy               True
    enable_secure_tunnel        True
    enable_service_rollback     False
    host_cpu_threshold          0.9
    host_datastore_threshold    1.0
    host_heartbeat_timeout      120
    host_memory_threshold       0.00999999977648
    https_proxy
    https_proxy_password
    https_proxy_username
    load_multiplier             1.0
    max_spare_capacity          1
    policy_startup_delay        120
    tls_minimum                 1_0
    (grapevine)

Step 4 Enter the grape config update tls_minimum 1_2 command at the prompt to update to TLS version 1.2.

    $ grape config update tls_minimum 1_2
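Because the TLS floor is a single property in the grape config display output, it is easy to verify from a saved copy of that output rather than by eye. The script below is an added example, not code from the guide or from Cisco: it parses the display output into a dictionary, flags a tls_minimum below the value you require, and encodes the acceptance rule from the Important note above (a client is accepted only if it offers at least the configured minimum). The grape CLI and its property names are the guide's; the sample text is the guide's own output, and the parser, the audit rule and the required value are this example's assumptions.

```python
import re

# Added example, not the guide's code: audits `grape config display` output for the
# TLS minimum version. The sample below is the guide's own output.

SAMPLE_DISPLAY = """\
$ grape config display
PROPERTY                    VALUE
----------------------------------------------------------------------
client_grow_timeout         150
client_heartbeat_timeout    120
client_idle_timeout         60
enable_policy               True
enable_secure_tunnel        True
enable_service_rollback     False
host_cpu_threshold          0.9
host_datastore_threshold    1.0
host_heartbeat_timeout      120
host_memory_threshold       0.00999999977648
https_proxy
https_proxy_password
https_proxy_username
load_multiplier             1.0
max_spare_capacity          1
policy_startup_delay        120
tls_minimum                 1_0
(grapevine)
"""

# Lines that are not PROPERTY/VALUE rows: the echoed command, the header, the rule, the prompt.
SKIP = re.compile(r"^(\$ |PROPERTY\s|-{5,}|\(grapevine\))")


def parse_grape_config(text):
    """Turn the display output into {property: value}; properties with no value map to ''."""
    config = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or SKIP.match(line):
            continue
        key, _, value = line.partition(" ")
        config[key] = value.strip()
    return config


def tls_tuple(version):
    """'1_2' -> (1, 2), so versions compare numerically rather than as strings."""
    major, minor = version.split("_")
    return int(major), int(minor)


def client_accepted(tls_minimum, client_version):
    """The guide's rule: a client is accepted only if it offers at least tls_minimum."""
    return tls_tuple(client_version) >= tls_tuple(tls_minimum)


def audit_tls(config, required="1_2"):
    """Return findings (empty when compliant) for the controller's TLS floor.

    The required value is this example's assumption; the guide only says to raise
    the minimum once every managed device can negotiate the higher version.
    """
    findings = []
    current = config.get("tls_minimum")
    if current is None:
        findings.append("tls_minimum not present in grape config display output")
    elif tls_tuple(current) < tls_tuple(required):
        findings.append(
            f"tls_minimum is {current}; raise it with "
            f"'grape config update tls_minimum {required}' once every managed "
            f"device can negotiate TLS {required.replace('_', '.')}"
        )
    return findings


if __name__ == "__main__":
    cfg = parse_grape_config(SAMPLE_DISPLAY)
    for finding in audit_tls(cfg) or ["tls_minimum meets the required floor"]:
        print(finding)
```

Feed the script the captured output of grape config display from each controller; the sample above produces one finding because the default floor is 1_0. The client_accepted helper makes the Important note's two cases explicit, which is useful when deciding whether a given network device's IOS/XE TLS support still allows raising the floor.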
