Chapter 16:
KCS Client Configuration
294
Console Server & RIM Gateway User Manual
SDT Connector will now use public key authentication when SSH connecting through the console server. You may have to restart SDT Connector to shut down any existing tunnels that were established using password authentication.
If you have a host behind the console server that you connect to by clicking the SSH button in SDT Connector, you can also configure it for public key authentication. Essentially what you are using is SSH over SSH, and the two SSH connections are entirely separate, and the host configuration is entirely independent of SDT Connector and the console server. You must configure the SSH client that SDT Connector launches (e.g. Putty, OpenSSH) and the host's SSH server for public key authentication.
15.7 Secure Sockets Layer (SSL) Support
Secure Sockets Layer (SSL) is a protocol developed by Netscape for transmitting private documents via the Internet. SSL works by using a private key to encrypt data that's transferred over the SSL connection.
The console server includes OpenSSL. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation.
OpenSSL is based on the excellent SSLeay library developed by Eric A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an Apache-style license, which basically means that you are free to get and use it for commercial and non-commercial purposes subject to some simple license conditions. In the console server OpenSSL is used primarily in conjunction with 'http' in order to have secure browser access to the GUI management console across insecure networks.
More documentation on OpenSSL is available from:
http://www.openssl.org/docs/apps/openssl.html
http://www.openssl.org/docs/HOWTO/certificates.txt
15.8 HTTPS
The Management Console can be served using HTTPS by running the webserver via stunnel. The server can be launched on request using inetd.
The HTTP server is a lighttpd server (early versions used fnord-httpd). The SSL implementation is provided by stunnel (early versions used sslwrap compiled with OpenSSL support).
If your default network address is changed or the unit is to be accessed via a known Domain Name you can use the following steps to replace the default SSL Certificate and Private Key with ones tailored for your new address.
15.8.1 Generating an encryption key
To create a 1024 bit RSA key with a password issue the following command on the command line of a linux host with the openssl utility installed:
openssl genrsa -des3 -out ssl_key.pem 1024
15.8.2 Generating a self-signed certificate with OpenSSL
This example shows how to use OpenSSL to create a self-signed certificate. OpenSSL is available for most Linux distributions via the default package management mechanism. (Windows users can check http://www.openssl.org/related/binaries.html)
To create a 1024 bit RSA key and a self-signed certificate issue the following openssl command from the host you have openssl installed on:
openssl req -x509 -nodes -days 1000 \
-newkey rsa:1024 -keyout ssl_key.pem -out ssl_cert.pem
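The two steps above, carried through as an added shell example that is not part of the manual and not the console server's own tooling. It goes beyond the manual's command in two ways: it writes a small OpenSSL request config so the certificate carries a subjectAltName (modern browsers match the address you type against the SAN, not the CN), and it defaults to a 2048 bit key, since 1024 bit RSA is no longer considered adequate. After generating the pair it verifies that the private key and certificate really belong together by comparing their RSA moduli, which is the check to run before replacing the unit's default key and certificate. The host name console.example.com, the validity period and the output file names are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the manual): generate a self-signed server
# certificate with a subjectAltName and verify that key and certificate
# belong together. Host name, validity and key size are assumptions.

# gen_self_signed HOST DAYS BITS OUTDIR
# Writes OUTDIR/ssl_key.pem (unencrypted, like the manual's -nodes, so
# stunnel can start without a passphrase) and OUTDIR/ssl_cert.pem.
# The SAN and server extensions come from a temporary request config.
gen_self_signed() {
    host=$1; days=$2; bits=$3; outdir=$4
    cfg="$outdir/req.cnf"
    cat > "$cfg" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_server
prompt             = no

[ dn ]
CN = $host

[ v3_server ]
subjectAltName   = DNS:$host
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -nodes -days "$days" -newkey "rsa:$bits" \
        -keyout "$outdir/ssl_key.pem" -out "$outdir/ssl_cert.pem" \
        -config "$cfg" 2>/dev/null
    rm -f "$cfg"
}

# key_matches_cert KEY CERT -> succeeds only if both carry the same RSA modulus
key_matches_cert() {
    kmod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    cmod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# cert_has_san CERT HOST -> succeeds if HOST is listed as a DNS SAN entry
cert_has_san() {
    openssl x509 -noout -text -in "$1" | grep -q "DNS:$2"
}

# cert_bits CERT -> prints the RSA key size recorded in the certificate
cert_bits() {
    openssl x509 -noout -text -in "$1" \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Demo run in a scratch directory with a constructed host name.
demo_dir=$(mktemp -d)
gen_self_signed console.example.com 1000 2048 "$demo_dir"
openssl x509 -noout -subject -enddate -in "$demo_dir/ssl_cert.pem"
key_matches_cert "$demo_dir/ssl_key.pem" "$demo_dir/ssl_cert.pem" \
    && echo "key and certificate match"
rm -rf "$demo_dir"
```

The resulting ssl_key.pem and ssl_cert.pem are the pair that replaces the unit's default SSL Certificate and Private Key; if the modulus check fails, stunnel will refuse the pair, so run it on the host before uploading. A certificate generated this way is self-signed, so browsers will warn until the certificate (or a private CA that signed it instead) is trusted on the client.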