Securing the Cisco APIC-EM

• About Cisco APIC-EM Security, page 1
• PKI and the Cisco APIC-EM, page 2
• Cisco APIC-EM Controller Certificate and Private Key Support, page 8
• Cisco APIC-EM Trustpool Support, page 12
• Security and Cisco Network Plug and Play, page 13
• Configuring the TLS Version Using the CLI, page 14
• Configuring IPSec Tunneling for Multi-Host Communications, page 16
• Password Requirements, page 18
• Cisco APIC-EM Ports Reference, page 19
• Cisco APIC-EM Accessed Cloud Server Reference, page 21
• Configuring Security Settings, page 22

About Cisco APIC-EM Security

The Cisco APIC-EM requires a multi-layered architecture to support its basic functionality. This multi-layered architecture consists of the following components:

• External network or networks—The external network exists between administrators and applications on one side of the network, and the Grapevine root and clients within an internal network or cloud on the other side. Both administrators and applications access the Grapevine root and clients using this external network.
• Internal network—The internal network consists of both the Grapevine root and clients.
• Device management network—This network consists of the devices that are managed and monitored by the controller. Note that the device management network is essentially the same as the external network described above. This may be physically or logically segmented from the admins or northbound applications.

Cisco Application Policy Infrastructure Controller Enterprise Module Administrator Guide, Release 1.6.x 1

Important: Any inter-communications between the layers and intra-communications within the layers are protected through encryption, authentication, and segmentation.

Note: For information about the different services running on the clients within the internal network, see Chapter 4, Cisco APIC-EM Services.

PKI and the Cisco APIC-EM

The Cisco APIC-EM relies on Public Key Infrastructure (PKI) to provide secure communications. PKI consists of certificate authorities, digital certificates, and public and private keys.
Certificate authorities (CAs) manage certificate requests and issue digital certificates to participating entities such as hosts, network devices, or users. The CAs provide centralized key management for the participating entities.

Digital signatures, based on public key cryptography, digitally authenticate the hosts, devices and/or individual users. In public key cryptography, such as the RSA encryption system, each entity has a key pair that contains both a private key and a public key. The private key is kept secret and is known only to the owning host, device or user. However, the public key is known to everyone. Anything encrypted with one of the keys can be decrypted with the other. A signature is formed when data is encrypted with a sender's private key. The receiver verifies the signature by decrypting the message with the sender's public key. This process relies on the receiver having a copy of the sender's public key and knowing with a high degree of certainty that it really does belong to the sender and not to someone pretending to be the sender.

Digital certificates link the digital signature to the sender. A digital certificate contains information to identify a user or device, such as the name, serial number, company, department, or IP address. It also contains a copy of the entity's public key. The CA that signs the certificate is a third party that the receiver explicitly trusts to validate identities and to create digital certificates.

To validate the signature of the CA, the receiver must first know the CA's public key. Typically this process is handled out of band or through an operation done at installation. For instance, most web browsers are configured with the public keys of several CAs by default.

Cisco APIC-EM PKI Planes

The Cisco APIC-EM provides PKI-based connections in the following distinct PKI planes:

• Controller PKI Plane—HTTPS connections in which the controller is the server in the client-server model, and the controller's server certificate secures the connection. The controller's server certificate can be self-signed (default) or issued by an external CA (recommended).
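The sign-and-verify process described above, as an added shell example that is not from the Cisco guide: a sender signs a message with its RSA private key, the receiver verifies the signature with the sender's public key, and the two failure cases that matter to a receiver (a modified message, and a public key that belongs to someone else) are shown to fail verification. The key names, the message text and the file names are constructed for this demonstration.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): RSA signature creation and
# verification with OpenSSL. All key names, file names and message contents
# below are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Create a key pair for one party. The private key stays with that party;
# the public key is what a receiver needs, and must be sure belongs to the sender.
make_keypair() {
    # $1 = base name for the key files
    openssl genrsa -out "$WORK/$1.key" 2048 >/dev/null 2>&1
    openssl rsa -in "$WORK/$1.key" -pubout -out "$WORK/$1.pub" >/dev/null 2>&1
}

# Sender side: sign the SHA-256 digest of a message with the private key.
sign_message() {
    # $1 = message file, $2 = key base name, $3 = signature output file
    openssl dgst -sha256 -sign "$WORK/$2.key" -out "$3" "$1"
}

# Receiver side: check the signature against the message using the public key.
# Returns 0 when the signature is valid for this message and this key, 1 otherwise.
verify_message() {
    # $1 = message file, $2 = key base name, $3 = signature file
    openssl dgst -sha256 -verify "$WORK/$2.pub" -signature "$3" "$1" >/dev/null 2>&1
}

# Stand-alone walk-through: run as `sh sign_verify.sh run`.
case "${1:-}" in
run)
    make_keypair sender
    make_keypair impostor
    printf 'controller config v1\n' > "$WORK/msg.txt"
    sign_message "$WORK/msg.txt" sender "$WORK/msg.sig"
    verify_message "$WORK/msg.txt" sender "$WORK/msg.sig" && echo "genuine message: verified"
    printf 'controller config v2\n' > "$WORK/tampered.txt"
    verify_message "$WORK/tampered.txt" sender "$WORK/msg.sig" || echo "modified message: rejected"
    verify_message "$WORK/msg.txt" impostor "$WORK/msg.sig" || echo "wrong public key: rejected"
    ;;
esac
```

The last check is the one a certificate exists to close: the receiver rejected the impostor's key only because it already held the genuine sender's public key and knew which was which. Without a trusted CA binding the key to an identity, the receiver has no way to tell the two `.pub` files apart.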
• Device PKI Plane—DMVPN connections between devices in the control plane of the network, bilaterally authenticated and secured by the device ID certificates of both devices that participate in the connection. A private CA provided by the Cisco APIC-EM controller (the Device PKI CA) manages these certificates and keys.
• Grapevine Service PKI Plane—The Grapevine root manages this internal PKI plane that secures communications between Grapevine services in a multi-host cluster; the Grapevine Service PKI Plane is not externally accessible, so it is not discussed further here.

The following is a schematic of the Cisco APIC-EM PKI planes, certificate authorities, and certificates. The Controller PKI Plane employs a Controller Internal CA that in response to external requests provides a Controller NB certificate and Controller CA certificate. The Grapevine PKI Plane employs the same Controller Internal CA that in response to internal requests (from controller services) provides a Controller Service Certificate. The Device PKI Plane employs a SDN Infrastructure CA that provides a CA Certificate (Root CA mode in this schematic) for IWAN and PnP devices.

Figure 1: Cisco APIC-EM PKI Planes

The Cisco APIC-EM PKI planes support different trust relationships or domains as displayed with the use cases in the following table:

Table 1: PKI Planes in Cisco APIC-EM

Controller PKI Plane: external caller initiates connection to controller

  Protocol: HTTPS
  Authentication: Caller presents username and password or service ticket; Controller presents server certificate.
  Encryption: Yes
  Use Case: REST client, including Cisco Network Plug N Play (PnP) mobile app or Cisco Prime Infrastructure

  Protocol: HTTPS
  Authentication: One-way: controller presents its server certificate.
  Encryption: Yes
  Use Case: Cisco Network Plug N Play (PnP) provisioning workflow

Device PKI Plane: device-to-device connections

  Protocol: DMVPN
  Authentication: Bilateral authentication via Internet Key Exchange Version 2 (IKEv2) using certificates/keys issued by a private CA within the Cisco APIC-EM controller.
  Encryption: Yes
  Use Case: DMVPN connections between devices

Note: The security content and discussion in this deployment guide concerns itself primarily with the Controller PKI Plane. For information about the Device PKI Plane, see the PKI Planes in Cisco APIC-EM Technote.

Controller PKI Plane

When an external caller initiates an HTTPS connection to the controller, the controller presents its server certificate. Such connections include the following:

• Logins to the Cisco APIC-EM GUI via HTTPS
• Logins to the Grapevine APIs (port 14141) via HTTPS
• Invocations of the NB REST API via HTTPS

When a NB REST API caller initiates an HTTPS connection to the controller to invoke a NB REST API or to download a file (such as a device image, a configuration, and so on), the controller (server) presents its server certificate to the caller (client) that requested the connection.

Only two NB REST APIs use HTTP instead of HTTPS: the API that downloads the trustpool bundle (GET /ca/trustpool), and the API that downloads the controller's certificate (GET /ca/pem). All other NB REST APIs utilize HTTPS.

Note that controller-initiated connections to devices do NOT take place within the Controller PKI Plane. Even if the connections use SSH or SNMPv3, no CA manages the keys involved, so the connection is not considered to be PKI-based. The controller may initiate connections to devices for purposes that include discovery, managing tags, pushing policy to devices, or interacting with devices on behalf of a REST caller. For compatibility with older devices, discovery can optionally use the TELNET protocol, which is insecure and therefore outside the scope of this PKI discussion.
Device PKI Plane

IWAN-managed control-plane devices form Dynamic Multipoint VPN (DMVPN) connections among themselves. A private Certificate Authority (CA) provided by the Cisco APIC-EM (the Device PKI CA) provisions the certificates and keys that secure these DMVPN connections. The PKI broker service manages these certificates and keys as directed by an admin in the IWAN GUI or as directed by a REST caller that uses the /certificate-authority and /trust-point NB REST APIs.

Note: In the default mode, the Device PKI CA in the Cisco APIC-EM cannot be a subordinate/intermediate CA to any external CA. These two PKI planes (one for the controller connections and the other for the device-to-device DMVPN connections) remain completely independent of one another. In the current release, the IWAN devices' mutual interaction certificates are managed only by the Device PKI CA. External CAs cannot manage the IWAN-specific certificates that devices present to each other for DMVPN tunnel-creation and related operations.

Device PKI Plane Modes

The Device PKI Plane supports two modes:

• Root mode—The private CA provided by the Cisco APIC-EM controller does not interact with any other CA. This is the default mode for the controller.
• SubCA mode—In SubCA mode, the private CA provided by the Cisco APIC-EM controller can be an intermediary CA to an external CA. This means that the private controller CA still manages the certificates and keys that secure device-to-device communications, but it is in a subordinate position to that external CA. This mode must be enabled by an administrator (ROLE_ADMIN).

Changing the PKI mode from root to SubCA (subordinate CA) changes the hierarchy and subordinates the private controller CA to an external CA. The following is a schematic of the distinct PKI planes, with the Device PKI plane being in SubCA mode.

The following schematic displays the SubCA mode for the Device PKI plane. In this schematic the Root CA is external to the controller. See Cisco APIC-EM PKI Planes, on page 2 for a schematic of Root CA mode for the Device PKI plane.
Figure 2: Device PKI Plane—Sub CA Mode

Related Topics
Changing the Role of the PKI Certificate from Root to Subordinate, on page 30
Configuring the Device Certificate Lifetime, on page 28

Device PKI Notifications

The Cisco APIC-EM provides device PKI notifications to assist the user with both troubleshooting and serviceability.

Important: The device PKI notifications described in this section are only activated from device-to-device DMVPN connections and not the controller connections.

The following device PKI notifications are available:

• System Notifications—Notifications indicating that user action is required. These notifications are visible from the Systems Notifications view that is accessible from the Global toolbar in the GUI.
• Audit Log Notifications—Notifications in system logs that are visible using the controller's Audit Log GUI. For information about viewing the audit logs in the controller's GUI, see the Cisco Application Policy Infrastructure Controller Enterprise Module Troubleshooting Guide.
The following PKI System notification types are supported:

• Information
  ◦ New trustpoint creation
  ◦ New PKCS12 file creation
  ◦ Successful enrollment of a device certificate
  ◦ Successful renewal of a device certificate
  ◦ Revocation of a device certificate
• Warning
  ◦ Partial revocation—Device unreachable or trustpoint is in use
  ◦ Enrollment delay after 80 percent of a certificate's lifetime
  ◦ Service launch delay
• Critical
  ◦ Certificate Authority handshake failed
  ◦ Enrollment failed
  ◦ Revocation failed
  ◦ Renew failed

The following audit log notifications are available in the system logs:

• Device enrollment
• Certificate push to the device
• Renewal of a device certificate
• Revocation of a device certificate

PKI Certificate Management

The Cisco APIC-EM provides PKI-based connections in the following distinct PKI planes:

• Controller PKI Plane—In this plane there exist HTTPS connections in which the controller is the server in the client-server model, and the controller's server certificate secures the connection.
• Device PKI Plane—In this plane there exist DMVPN connections between devices in the control plane of the network, bilaterally authenticated and secured by the device ID certificates of both devices that participate in the connection. These certificates/keys are issued by a private CA that the Cisco APIC-EM controller provides (Device PKI CA).

The following PKI certificate management procedures that are described in this chapter involve only the Device PKI plane:

• Changing the Role of the PKI Certificate from Root to Subordinate, on page 30—This procedure requires that you replace the CA certificate of the private CA with one signed by the external CA.
• Configuring the Device Certificate Lifetime, on page 28—This procedure helps you secure the device-to-device connections between IWAN-managed devices.
Cisco APIC-EM Controller Certificate and Private Key Support

The Cisco APIC-EM supports a PKI certificate management feature (Controller PKI Plane) that is used to authenticate sessions (HTTPS). These sessions use commonly recognized trusted agents called certificate authorities (CAs). The Cisco APIC-EM uses the PKI certificate management feature to import, store, and manage an X.509 certificate from well-known CAs. The imported certificate becomes an identity certificate for the controller itself, and the controller presents this certificate to its clients for authentication. The clients are the NB API applications and network devices.

The Cisco APIC-EM can import the following files (in either PEM or PKCS file format) using the controller's GUI:

• X.509 certificate
• Private key

Note: For the private key, Cisco APIC-EM supports the importation of RSA keys. You should not import DSA, DH, ECDH, and ECDSA key types; they are not supported. You should also keep the private key secure in your own key management system.

Prior to import, you must obtain a valid X.509 certificate and private key from a well-known certificate authority (CA) or create your own self-signed certificate. After import, the security functionality based upon the X.509 certificate and private key is automatically activated. The Cisco APIC-EM presents the certificate to any device or application that requests it. Both the northbound API applications and network devices can use these credentials to establish a trust relationship with the controller.

In an IWAN configuration and for the Network PnP functionality, an additional procedure involving a PKI trustpool is used to ensure trust between devices within the network. See the following Cisco APIC-EM Trustpool Support section for information about this procedure.
Note: We recommend against using and importing a self-signed certificate into the controller. Importing a valid X.509 certificate from a well-known certificate authority (CA) is recommended. Additionally, you must replace the self-signed certificate (installed in the Cisco APIC-EM by default) with a certificate that is signed by a well-known certificate authority for the Network PnP functionality to work properly.

The Cisco APIC-EM supports only one imported X.509 certificate and private key at a time. When you import a second certificate and private key, it overwrites the first (existing) imported certificate and private key values.

Note: If the external IP address changes for your controller for any reason, then you need to re-import a new certificate with the changed or new IP address.

Related Topics
Importing the Controller's Server Certificate, on page 22

Cisco APIC-EM Controller Certificate Chain Support

The Cisco APIC-EM is able to import certificates and private keys into the controller through its GUI.

If there are subordinate certificates involved in the certificate chain leading to the certificate that is imported into the controller (controller certificate), then both the subordinate certificates as well as the root certificate of these subordinate CAs must be appended together into a single file to be imported. When appending these certificates, you must append them in the same order as the actual chain of certification.

For example, assume that a well-known and trusted CA with a root certificate (CA root) signed an intermediate CA certificate (CA1). Next, assume that this certificate, CA1, signs another intermediate CA certificate (CA2).
Finally, assume that the CA certificate (CA2) was the CA that signed the controller certificate (Controller_Certificate). In this example, the PEM file that needs to be created and imported into the controller should have the following order from the top (beginning) of the file to the bottom of the file (end):

1 Controller_Certificate (top of file)
2 CA2 certificate
3 CA1 certificate

The requirement to append the root and subordinate certificates to the controller certificate to create a single file only applies to a PEM file. Appending the root and intermediate certificates for import is not required for a PKCS file.

Related Topics
Importing the Controller's Server Certificate, on page 22

Obtaining a CA-Signed Certificate for the Cisco APIC-EM Controller

You can perform the following steps to obtain a CA-signed certificate to import into and use for the Cisco APIC-EM.

1 Determine the IP address or DNS-resolvable FQDN of your Cisco APIC-EM cluster.
2 Use that IP address or the DNS-resolvable FQDN of your Cisco APIC-EM cluster as the common name in your certificate signing request (CSR).

Note: It is preferable for the Subject Alternate Name (SAN) field to also be used, so that both the IP address and the DNS-resolvable FQDN are included in the certificate.

3 Follow the procedure described below to create the CSR.
4 Send the completed CSR to the certificate authority (CA) that you have selected.
5 Receive the signed certificate back from the CA.
6 Install the certificate into the controller using the controller's GUI.

Note: This example procedure is performed on the host where the Cisco APIC-EM is installed. You can also perform this procedure to generate a CSR and private key on a Linux OS or Apple Macintosh computer. You do not have to perform this procedure on the host where the Cisco APIC-EM is installed.
Before You Begin

Before you attempt this procedure, you should have knowledge of these topics:

• How to use the OpenSSL application
• Public key infrastructure and digital certificates

Step 1 Using a Secure Shell (SSH) client, log in to the host (physical or virtual) with the IP address that you specified using the configuration wizard.
The IP address to enter for the SSH client is the IP address that you configured for the network adapter. This IP address connects the host to the external network.

Step 2 When prompted, enter your Linux username ('grapevine') and password for SSH access.

Step 3 Enter the following command to create a private key and a CSR.

    $ openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
    Generating a 2048 bit RSA private key
    .......................................................+++
    ........+++
    writing new private key to 'privateKey.key'
    -----
    You are about to be asked to enter information that will be incorporated
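The CSR step above and the PEM bundle ordering from the Controller Certificate Chain Support section, as one added shell example that is not from the Cisco guide. It builds a constructed chain (root CA, then CA1, then CA2, then the controller certificate) with OpenSSL so the whole flow can be exercised offline: the controller CSR carries the FQDN as common name and both the FQDN and the IP address in the SAN, the bundle is assembled in the order the guide requires (controller certificate, CA2, CA1), and the result is verified against the root. In practice the CSR is what you send to the CA in step 4 and the CA signs it; here the constructed CA2 plays that role. The FQDN apic-em.example.com, the IP address 192.0.2.10, the 30-day lifetimes and all file names are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): build a three-level CA chain with
# OpenSSL, issue the controller certificate from a CSR, and assemble/verify the
# PEM bundle in the order the guide requires. All names, paths, the FQDN and
# the IP address are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Sign a CSR with the given CA certificate/key, adding extensions from an ext file.
sign_with_ca() {
    # $1=csr  $2=CA cert  $3=CA key  $4=output cert  $5=extension file
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
        -out "$4" -days 30 -sha256 -extfile "$5" >/dev/null 2>&1
}

build_chain() {
    # Extension profiles: CA certificates must assert CA:TRUE or verification
    # of the chain fails; the controller (leaf) certificate carries the SAN.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:apic-em.example.com,IP:192.0.2.10\n' \
        > "$WORK/leaf.ext"

    # Root CA: self-signed.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
        -out "$WORK/root.csr" -subj "/CN=Example Root CA" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -out "$WORK/root.crt" -days 30 -sha256 -extfile "$WORK/ca.ext" >/dev/null 2>&1

    # CA1: intermediate signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/ca1.key" \
        -out "$WORK/ca1.csr" -subj "/CN=Example CA1" >/dev/null 2>&1
    sign_with_ca "$WORK/ca1.csr" "$WORK/root.crt" "$WORK/root.key" "$WORK/ca1.crt" "$WORK/ca.ext"

    # CA2: intermediate signed by CA1.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/ca2.key" \
        -out "$WORK/ca2.csr" -subj "/CN=Example CA2" >/dev/null 2>&1
    sign_with_ca "$WORK/ca2.csr" "$WORK/ca1.crt" "$WORK/ca1.key" "$WORK/ca2.crt" "$WORK/ca.ext"

    # Controller CSR (the guide's Step 3 form): CN = DNS-resolvable FQDN.
    # -nodes leaves the key unencrypted, so keep the key file protected.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/controller.key" \
        -out "$WORK/controller.csr" -subj "/CN=apic-em.example.com" >/dev/null 2>&1
    # CA2 signs the CSR; the SAN with FQDN and IP comes from leaf.ext.
    sign_with_ca "$WORK/controller.csr" "$WORK/ca2.crt" "$WORK/ca2.key" \
        "$WORK/controller.crt" "$WORK/leaf.ext"

    # PEM bundle in the required order: controller certificate, CA2, CA1.
    cat "$WORK/controller.crt" "$WORK/ca2.crt" "$WORK/ca1.crt" > "$WORK/controller_chain.pem"
}

# Returns 0 if the first certificate in a bundle is the controller certificate
# (openssl x509 reads only the first PEM block of a file).
bundle_is_ordered() {
    first="$(openssl x509 -in "$1" -noout -subject)"
    want="$(openssl x509 -in "$WORK/controller.crt" -noout -subject)"
    [ "$first" = "$want" ]
}

# Returns 0 if the bundle chains up to the root (the CA-side view of trust).
verify_chain() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/controller_chain.pem" \
        "$WORK/controller.crt" >/dev/null 2>&1
}

# Number of certificates in the bundle; 3 for this example.
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$WORK/controller_chain.pem"
}

# Stand-alone walk-through: run as `sh chain_demo.sh run`.
case "${1:-}" in
run)
    build_chain
    bundle_is_ordered "$WORK/controller_chain.pem" && echo "controller certificate is first"
    verify_chain && echo "chain verifies to root ($(cert_count) certificates in bundle)"
    openssl x509 -in "$WORK/controller.crt" -noout -ext subjectAltName
    ;;
esac
```

Before importing a real bundle, `bundle_is_ordered` is the cheap check worth keeping: `openssl x509 -in bundle.pem -noout -subject` shows only the first certificate in the file, so it immediately reveals a bundle that was concatenated root-first.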