    scio ssl

    Syntax

    scio ssl option argument

    Description

    Manages SSL server keys and certificate authorities (CA) used by the IDP Series device to inspect SSL traffic. Also manages the whitelist of destination servers you want to exempt from decryption and IDP processing.

    Options

    Table 1 describes scio ssl options and arguments and provides examples of command syntax.

    Table 1: Command Reference: scio ssl (columns: Options; Usage and Examples)

    list all

    Lists all stored SSL keys. Each IDP Series device can store 100 server private keys and 100 servers per key.


    [root@defaulthost admin]# scio ssl list all
    [root@defaulthost admin]#
    

    list key key-id

    Lists all servers associated with a particular key.


    [root@defaulthost admin]# scio ssl list key Key-1
    [root@defaulthost admin]#
    

    add key key-path [password password-string] [server server-ip]

    Adds a key with an optional password and an associated server.

    Use SCP or FTP to copy your SSL server private key file to the IDP Series device. The IDP Series device does not run an FTP server, so you have to initiate the FTP session from the IDP Series device.

    Keys must be based on RSA and be in PEM format. We have verified support for the following RSA private key lengths: 1024 bits, 2048 bits, 3072 bits, and 4096 bits.


    [root@defaulthost admin]# scio ssl add key /tmp/server.key password P@ss-Strong! server 10.1.1.1
    [root@defaulthost admin]#
    

    add server server-ip key key-id

    Associates the specified server with the specified key.


    [root@defaulthost admin]# scio ssl add server 10.1.1.1 key server.key
    [root@defaulthost admin]#
    

    delete all

    Clears the SSL keystore.


    [root@defaulthost admin]# scio ssl delete all
    [root@defaulthost admin]#
    

    delete key key-id [server server-ip ]

    Deletes a particular SSL key from the SSL keystore. To delete a key-server association but not the key, use the server option.


    [root@defaulthost admin]# scio ssl delete key server.key server 10.1.1.1
    [root@defaulthost admin]#
    

    ca {create country-code state locality organization organization-unit common-name e-mail [nbits] | delete | export | show}

    Use these options to configure the CA used by the SSL forward proxy feature.

    Command arguments correspond with the values you want to set for the CA:

    • country-code–A two-letter code. This is the C value in the certificate.
    • state–A string. This is the ST value in the certificate.
    • locality–A string. This is the L value in the certificate.
    • organization–A string. This is the O value in the certificate.
    • organization-unit–A string. This is the OU value in the certificate.
    • common-name–A string. This is the CN value in the certificate.
    • e-mail–An e-mail address. This should be an administrative e-mail address for the issuer.
    • nbits–The RSA private key length. We have verified support for the following RSA private key lengths: 1024 bits, 2048 bits, 3072 bits, and 4096 bits. If you do not specify this option, the key length defaults to 1024 bits.

    Note: Enclose strings that are phrases in single quotation marks.

    The following example creates a root self-signed CA used by the SSL forward proxy feature:


    [root@defaulthost admin]# scio ssl ca create US CA Sunnyvale 'Juniper Networks Inc.' 'SSL Inspection policy' 'Juniper IT Services' 'admin@juniper.net' 1024

    The following example displays the CA settings:


    [root@defaulthost admin]# scio ssl ca show
    serial=8E0012848A2D7CCD
    subject= /C=US/ST=CA/L=Sunnyvale/O=Juniper Networks Inc./OU=SSL Inspection policy/CN=Juniper IT Services/emailAddress=admin@juniper.net
    issuer= /C=US/ST=CA/L=Sunnyvale/O=Juniper Networks Inc./OU=SSL Inspection policy/CN=Juniper IT Services/emailAddress=admin@juniper.net
    notBefore=Jun 25 22:13:23 2009 GMT
    notAfter=Jun 23 22:13:23 2019 GMT


    The following example prints to the screen the CA in PEM format. You can copy this to a file and then import this CA into SSL clients, enabling them to validate and trust certificates signed by the IDP Series device:


    [root@defaulthost admin]# scio ssl ca export
    -----BEGIN CERTIFICATE-----
    MIIC1TCCAj4CCQCOABKEii18zTANBgkqhkiG9w0BAQUFADCBrjELMAkGA1UEBhMC
    VVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQHEwlTdW5ueXZhbGUxHjAcBgNVBAoTFUp1
    bmlwZXIgTmV0d29ya3MgSW5jLjEeMBwGA1UECxMVU1NMIEluc3BlY3Rpb24gcG9s
    aWN5MRwwGgYDVQQDExNKdW5pcGVyIElUIFNlcnZpY2VzMSAwHgYJKoZIhvcNAQkB
    FhFhZG1pbkBqdW5pcGVyLm5ldDAeFw0wOTA2MjUyMjEzMjNaFw0xOTA2MjMyMjEz
    MjNaMIGuMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVN1bm55
    dmFsZTEeMBwGA1UEChMVSnVuaXBlciBOZXR3b3JrcyBJbmMuMR4wHAYDVQQLExVT
    U0wgSW5zcGVjdGlvbiBwb2xpY3kxHDAaBgNVBAMTE0p1bmlwZXIgSVQgU2Vydmlj
    ZXMxIDAeBgkqhkiG9w0BCQEWEWFkbWluQGp1bmlwZXIubmV0MIGfMA0GCSqGSIb3
    DQEBAQUAA4GNADCBiQKBgQDAsn2NFaXTrCpShf9sg+Ccn1rUYzPuVHTw1GUtnHHB
    o/oFXeNGETggLZ/jck+L27lOx3IpGd67yyHs08sXWvgC3MJukbl4kqyTyguy3/E9
    wkiIey8W4XzyBXrCfW2YEgMc0cFExdm+C6DrAailddTQdgelxZ7nfIj24iiBhYYM
    GQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAFTrEz9DHcbohDJFqGWPjS+MDgsX904l
    f/WzHXftak4ZHjOryYvVaRUyitEhMX1KvMPQjYXf+TE2vF9yYqmoCj67l0Liu2ZJ
    Tw4gwy9E9p58krqvZu4F2/kVM+yEAksUIjBme1RIL6Az3kLauHvkyAbMcSFZG2b0
    7Z8WbQqn3o6s
    -----END CERTIFICATE-----
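
    The following Python script is an added example and is not part of the Juniper reference or the IDP Series software. It takes the PEM that `scio ssl ca export` prints, walks the DER structure with a minimal decoder from the standard library, and reproduces the serial, subject, issuer and validity fields that `scio ssl ca show` displays, so an operator can verify an exported copy against the device without OpenSSL. It then adds two checks a practitioner wants before trusting a forward-proxy CA on every client: whether the CA is still inside its validity period, and whether its RSA modulus is below a policy minimum (the 2048-bit floor in `ca_report` is an assumption of the example, as is using the certificate shown above as the sample input).

```python
import base64
from datetime import datetime, timezone

# Constructed sample input: the CA that `scio ssl ca export` prints in the reference above.
CA_PEM = """-----BEGIN CERTIFICATE-----
MIIC1TCCAj4CCQCOABKEii18zTANBgkqhkiG9w0BAQUFADCBrjELMAkGA1UEBhMC
VVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQHEwlTdW5ueXZhbGUxHjAcBgNVBAoTFUp1
bmlwZXIgTmV0d29ya3MgSW5jLjEeMBwGA1UECxMVU1NMIEluc3BlY3Rpb24gcG9s
aWN5MRwwGgYDVQQDExNKdW5pcGVyIElUIFNlcnZpY2VzMSAwHgYJKoZIhvcNAQkB
FhFhZG1pbkBqdW5pcGVyLm5ldDAeFw0wOTA2MjUyMjEzMjNaFw0xOTA2MjMyMjEz
MjNaMIGuMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVN1bm55
dmFsZTEeMBwGA1UEChMVSnVuaXBlciBOZXR3b3JrcyBJbmMuMR4wHAYDVQQLExVT
U0wgSW5zcGVjdGlvbiBwb2xpY3kxHDAaBgNVBAMTE0p1bmlwZXIgSVQgU2Vydmlj
ZXMxIDAeBgkqhkiG9w0BCQEWEWFkbWluQGp1bmlwZXIubmV0MIGfMA0GCSqGSIb3
DQEBAQUAA4GNADCBiQKBgQDAsn2NFaXTrCpShf9sg+Ccn1rUYzPuVHTw1GUtnHHB
o/oFXeNGETggLZ/jck+L27lOx3IpGd67yyHs08sXWvgC3MJukbl4kqyTyguy3/E9
wkiIey8W4XzyBXrCfW2YEgMc0cFExdm+C6DrAailddTQdgelxZ7nfIj24iiBhYYM
GQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAFTrEz9DHcbohDJFqGWPjS+MDgsX904l
f/WzHXftak4ZHjOryYvVaRUyitEhMX1KvMPQjYXf+TE2vF9yYqmoCj67l0Liu2ZJ
Tw4gwy9E9p58krqvZu4F2/kVM+yEAksUIjBme1RIL6Az3kLauHvkyAbMcSFZG2b0
7Z8WbQqn3o6s
-----END CERTIFICATE-----"""

# Attribute-type OIDs behind the fields that `scio ssl ca show` prints.
OID_NAMES = {"2.5.4.6": "C", "2.5.4.8": "ST", "2.5.4.7": "L", "2.5.4.10": "O",
             "2.5.4.11": "OU", "2.5.4.3": "CN", "1.2.840.113549.1.9.1": "emailAddress"}

def der_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed value (SEQUENCE/SET) into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                        # base-128 arcs; high bit marks continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def decode_name(name):
    """Render an X.501 Name the way `scio ssl ca show` prints it: /C=US/ST=CA/..."""
    parts = []
    for _, rdn in der_children(name):        # each RDN is a SET of AttributeTypeAndValue
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)
            oid = decode_oid(oid)
            parts.append(f"{OID_NAMES.get(oid, oid)}={val.decode('ascii')}")
    return "/" + "/".join(parts)

def decode_time(tag, val):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def rsa_key_bits(spki):
    """Modulus length from SubjectPublicKeyInfo (keys must be RSA per the reference)."""
    _alg, (_, bitstr) = der_children(spki)
    _, rsa_pub, _ = der_tlv(bitstr, 1)       # skip the BIT STRING unused-bits byte
    (_, modulus), _exp = der_children(rsa_pub)
    return int.from_bytes(modulus, "big").bit_length()

def parse_ca(pem):
    body = "".join(ln.strip() for ln in pem.splitlines() if not ln.startswith("-----"))
    _, cert, _ = der_tlv(base64.b64decode(body), 0)
    (_, tbs), _sig_alg, _sig = der_children(cert)
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                 # [0] EXPLICIT version; absent on v1 certificates
        fields = fields[1:]
    (_, serial), _, (_, issuer), (_, validity), (_, subject), (_, spki) = fields[:6]
    (t1, nb), (t2, na) = der_children(validity)
    return {"serial": f"{int.from_bytes(serial, 'big'):X}",
            "subject": decode_name(subject), "issuer": decode_name(issuer),
            "notBefore": decode_time(t1, nb), "notAfter": decode_time(t2, na),
            "key_bits": rsa_key_bits(spki)}

def ca_report(pem, now=None, min_key_bits=2048):
    """Two operator checks on top of the parsed fields; the 2048-bit floor is an assumed policy."""
    info = parse_ca(pem)
    now = now or datetime.now(timezone.utc)
    info["expired"] = not (info["notBefore"] <= now <= info["notAfter"])
    info["weak_key"] = info["key_bits"] < min_key_bits
    return info

if __name__ == "__main__":
    for key, value in ca_report(CA_PEM).items():
        print(f"{key}={value}")
```

    Run against the sample, the report reproduces the serial and the /C=US/ST=CA/... subject shown by `ca show`, and flags the certificate as both expired (its notAfter is in 2019) and as carrying a 1024-bit key, which is what the `ca create ... 1024` example above requested and what the command defaults to when nbits is omitted.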
    

    Deleting a CA effectively turns off the SSL forward proxy feature. The following example deletes the CA:


    [root@defaulthost admin]# scio ssl ca delete
    [root@defaulthost admin]#

    whitelist {import filepathname | export}

    Imports or exports a whitelist file. A whitelist file is a list of IP addresses and domain names for destination servers for which traffic should not be inspected. The file must be reachable by the filepathname you specify. We recommend you store the file in the IDP Series device /tmp directory.

    Traffic that matches a whitelist entry is passed through (not decrypted or inspected).

    The following example shows the format of a whitelist file:

    10.0.0.1
    1.0.0.0/8
    70.34.21.82
    trustedsite.com
    landing.trustedsearch.com

    Each line in the whitelist file specifies the IP address or domain name for a destination server. To whitelist multiple sites with one entry, you can use an IP prefix to match address blocks and a domain suffix to include all subdomains.

    The domain name in your whitelist should match the common name entry in the certificate presented by the destination server. For example, suppose the certificate for the E-Trade HTTPS server contains the following subject:

    C=US, ST=Georgia, L=Alpharetta, O=ETRADE FINANCIAL CORPORATION, OU=Global Information Security, CN=us.etrade.com

    You can whitelist this site by adding either us.etrade.com or the domain suffix etrade.com to your whitelist file.
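
    The following Python script is an added example, not part of the Juniper reference and not the matching code the IDP Series device runs. It models how a whitelist file of the format above is applied: single addresses and IP prefixes are matched against the destination IP, and domain entries are matched against the CN in the certificate the destination presents, with a domain suffix covering that name and all of its subdomains. Two details are assumptions of the example: suffixes match only on a label boundary (etrade.com covers us.etrade.com but not notetrade.com), and `cn_from_subject` expects the comma-separated "C=US, ST=..., CN=host" layout shown for the E-Trade certificate.

```python
import ipaddress

# Constructed sample input: the whitelist file shown in the reference above.
WHITELIST_TEXT = """10.0.0.1
1.0.0.0/8
70.34.21.82
trustedsite.com
landing.trustedsearch.com
"""

def load_whitelist(text):
    """Split a whitelist file into IP networks (a bare address becomes a /32) and domain suffixes."""
    networks, domains = [], []
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry:                        # a file holding only one empty line clears the whitelist
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:                   # not an address or prefix, so treat it as a domain
            domains.append(entry.lower().lstrip("."))
    return networks, domains

def cn_from_subject(subject):
    """Pull the CN out of a subject written as 'C=US, ST=..., CN=host' (assumed layout)."""
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return None

def is_whitelisted(dest_ip, cert_subject, whitelist):
    """True when the destination IP or the certificate CN matches a whitelist entry."""
    networks, domains = whitelist
    if any(ipaddress.ip_address(dest_ip) in net for net in networks):
        return True
    cn = (cn_from_subject(cert_subject) or "").lower()
    # Suffix entries match the name itself and every subdomain, on a label boundary
    # (assumption: 'etrade.com' does not match 'notetrade.com').
    return any(cn == d or cn.endswith("." + d) for d in domains)

def decide(dest_ip, cert_subject, whitelist):
    """Map the match to the two outcomes the reference describes."""
    return "pass-through" if is_whitelisted(dest_ip, cert_subject, whitelist) else "decrypt-and-inspect"

if __name__ == "__main__":
    wl = load_whitelist(WHITELIST_TEXT)
    etrade = ("C=US, ST=Georgia, L=Alpharetta, O=ETRADE FINANCIAL CORPORATION, "
              "OU=Global Information Security, CN=us.etrade.com")
    print(decide("1.2.3.4", "CN=any.example", wl))                       # 1.0.0.0/8 -> pass-through
    print(decide("198.51.100.7", etrade, wl))                            # not listed -> decrypt-and-inspect
    print(decide("198.51.100.7", etrade, load_whitelist("etrade.com")))  # suffix -> pass-through
```

    Note that only the CN is consulted here, as the reference states; a certificate whose CN differs from the name the client typed (for example a shared certificate naming the provider rather than the site) will not match a domain entry, which is the case where whitelisting by destination IP or prefix is the more reliable choice.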

    The following example shows the syntax for the import option.


    [root@defaulthost admin]# scio ssl whitelist import /tmp/whitelist.txt
    [root@defaulthost admin]#

    Note: To update the active whitelist, import an updated whitelist file. To clear the whitelist, import a file that contains only one empty line.

    The following example shows the syntax for the export option. The export option prints the active whitelist to the screen.


    [root@defaulthost admin]# scio ssl whitelist export
    10.0.0.1
    1.0.0.0/8
    70.34.21.82
    trustedsite.com
    landing.trustedsearch.com

    Published: 2011-02-08