
Exchanging public keys – Brocade Virtual ADX Global Server Load Balancing Guide (Supporting ADX v03.1.00) User Manual


Brocade Virtual ADX Global Server Load Balancing Guide (53-1003245-01), page 55

Secure GSLB

Exchanging public keys

Each ADX device must exchange public keys with each peer ADX device it needs to communicate
with. This exchange allows the peers to authenticate before the GSLB communication starts.

The fingerprint of the public key is delivered over an out-of-band channel, which lets each
side confirm that the key really comes from the trusted peer. To exchange public keys, the
network administrator telephones the peer site's administrator, reads out the fingerprint of
the public key, and both verbally confirm that the fingerprints match. SHA-1 is the algorithm
used to generate the fingerprint.

The public key exchange sequence is illustrated below with an example. In the example, Bob
(administrator of the site ADX device) and David (administrator of the controller ADX device)
are two network administrators who want to exchange public keys. For security reasons, we
recommend that both administrators be locally logged in on the console ports (not telnetted
in) during this procedure.

1. (Optional) Both Bob and David issue the gslb auth-encrypt-communication peer-pub-key-expire
timeout command before exchanging keys with crypto key-exchange passive. If the keys were
exchanged first, a one-time setting would not take effect until the next exchange. Refer to
“Selecting a peer public key management option” on page 57 for more options. If you do not
set a peer-pub-key-expire, the default value is 180 seconds.

SLB-Site-Virtual ADX(config)#gslb auth-encrypt-communication peer-pub-key-expire one-time

2. Bob enables a key exchange connection with the following command.

SLB-Site-Virtual ADX(config)#crypto key-exchange passive

Enter Control-c to abort if connection does not complete.

Wait for connection from peer(enter 'y' or 'n'): y

Waiting ....

The command syntax is crypto key-exchange passive [decimal]. The optional decimal parameter
specifies the TCP port used for the key exchange communication. If you specify decimal, the
same value must be configured on both the sending side and the receiving side.

NOTE

When you specify a TCP port for the key exchange communication, DO NOT use port 182, or
the port that you configured for GSLB communication traffic. The default destination TCP port
for key exchange is 56895.

To change the default TCP port for the public key exchange, enter a command such as the
following.

Virtual ADX(config)#crypto key-exchange passive 111

3. David connects to Bob's device and sends his RSA public key. The fingerprint of the key is
displayed on David's screen.

SLB-Ctrl-Virtual ADX(config)#crypto key-exchange 10.1.1.1 Ctrl-Virtual ADX

Public key for Ctrl-Virtual ADX:

Serial Number

Fingerprint 7355edda 95906e7e f04e38a3 61f640fa c2e61fa7

The command syntax is crypto key-exchange IP address name [decimal].
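As an added example (not code from the Brocade manual), a small Python helper for the fingerprint check described above: it pulls the fingerprint out of the crypto key-exchange screen output, normalizes the value the peer administrator reads out over the phone, and compares the two in constant time. The sample output is constructed from the fingerprint line shown on this page; which bytes of the key the ADX hashes with SHA-1 is not stated here, so sha1_fingerprint simply hashes whatever key bytes you supply.

```python
import hashlib
import hmac
import re

# Constructed sample built from the fingerprint line printed on this page.
SAMPLE_CLI_OUTPUT = """\
Public key for Ctrl-Virtual ADX:
Serial Number
Fingerprint 7355edda 95906e7e f04e38a3 61f640fa c2e61fa7
"""
_FP_LINE = re.compile(r"^\s*Fingerprint\s+([0-9a-fA-F ]+)$", re.MULTILINE)

def normalize_fingerprint(text: str) -> str:
    """Reduce a fingerprint as read out or pasted (any case; spaces, colons or
    hyphens between groups) to 40 lowercase hex digits; reject anything else."""
    digits = re.sub(r"[\s:\-]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", digits):
        raise ValueError("expected a 160-bit SHA-1 fingerprint (40 hex digits)")
    return digits

def format_fingerprint(digits: str) -> str:
    """Render 40 hex digits in the five 8-character groups the ADX prints."""
    d = normalize_fingerprint(digits)
    return " ".join(d[i:i + 8] for i in range(0, 40, 8))

def fingerprint_from_cli_output(output: str) -> str:
    """Pull the fingerprint out of 'crypto key-exchange' screen output."""
    m = _FP_LINE.search(output)
    if not m:
        raise ValueError("no Fingerprint line found in output")
    return normalize_fingerprint(m.group(1))

def sha1_fingerprint(public_key_bytes: bytes) -> str:
    """SHA-1 over the supplied key bytes. Assumption: this page does not say
    which encoding of the key the ADX hashes, so pass the bytes your device
    documents rather than a guess."""
    return hashlib.sha1(public_key_bytes).hexdigest()

def fingerprints_match(shown: str, read_out: str) -> bool:
    """Compare the value on the local screen with the value the peer reads
    out, in constant time; a malformed value never matches."""
    try:
        a, b = normalize_fingerprint(shown), normalize_fingerprint(read_out)
    except ValueError:
        return False
    return hmac.compare_digest(a, b)
```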