Tag Archive : TLS

LDAP(s) Configuration on Brocade switches

26/10/2021 | SAN


In this tutorial we will go through the steps needed to implement LDAP(S) authentication against Microsoft Active Directory on Brocade SAN switches.
Relying on local user accounts on network devices is not only time consuming to manage, but also risky from a security standpoint.

Before making any changes to your infrastructure, it is always recommended to back up your switch configuration. Always test changes on test devices before replicating them to your production environment.

On Fabric OS we can use either LDAP or LDAPS. As the name suggests, plain LDAP sends credentials unencrypted, while LDAPS protects the session with TLS and uses certificates to authenticate the server.

Certificate for LDAPs service

  1. Log in to your switch using a privileged account.
  2. To list the certificates currently on the switch, use:
    seccertmgmt show --all
  3. To create the Certificate Signing Request (.csr), use:
    seccertmgmt generate -csr ldap
  4. Note the file name created in the previous step. The file should end with the .csr extension.
  5. To export the CSR file from the switch, use the following command. Make sure you have an FTP host ready to receive the file.
    seccertmgmt export -csr ldap -protocol ftp
  6. Have the CSR signed by your certificate administrator.
  7. First, import the bundled CA certificate (root and intermediate) under the client role:
    seccertmgmt import -ca -client ldap
  8. If you don’t know how to combine the root and intermediate CA certificates, see Enable HTTPS protocol on Brocade switches, section Combining Root and Intermediate certificate.
  9. Next, import the same CA bundle again, this time under the server role:
    seccertmgmt import -ca -server ldap
  10. Finally, import the switch (client) certificate, i.e. the CSR we exported earlier after it has been signed by our certificate administrator:
    seccertmgmt import -cert ldap
  11. At this point the LDAP certificates are in place and we can continue with the implementation.

Switch authentication methods

There are several ways to authenticate on the switch, but we will use two of them: LDAPS as the primary method and the local database as the secondary. The secondary method comes into force if LDAP does not respond, or if a local account and password match.

To see the current configuration use:

aaaconfig --show
(Screenshot: Fabric OS – Show authentication methods)

To add an LDAP server to the switch use the following command:

aaaconfig --add <LDAP server FQDN> -conf ldap -d <domain name>

Where <LDAP server FQDN> is the fully qualified domain name of the LDAP server, for example ldap1.storcom.com, and <domain name> is the domain in which the LDAP server resides.

Finally, we will configure LDAP as primary authentication method, and local database as secondary:

aaaconfig --authspec "ldap;local"

LDAP supported configurations

The picture below shows the supported authentication configurations. In this tutorial we will use Option 3: LDAPv3 with TLS and certificate over port 389.

(Screenshot: Brocade LDAP Authentication Supported Configurations)

LDAPS implementation

Prior to performing any other configuration, we will have to create authentication groups in LDAP, or Active Directory in our case. Make sure to create the desired groups in AD so that we can make the link between them and the switch configuration.

In this example I have created an AD group called “STORCOM FOS Admins”. This LDAP group will be mapped against the local admin role on the switch.

To map the LDAP group with the SAN switch role, use the following command:

ldapcfg --maprole "STORCOM FOS Admins" admin

To add extra attributes, for example domain IDs, use the following command:

ldapcfg --mapattr "STORCOM FOS Admins" -l "admin=1-128" -h 128 -c admin

For more available attributes, please check Brocade Fabric OS Command Reference.

To see the existing role mappings, use:

ldapcfg --show

To unmap a role, use:

ldapcfg --unmaprole "STORCOM FOS Admins" admin

Any suggestion or question? Leave a reply below, or feel free to contact us. Also make sure to subscribe to our mailing list to get the latest updates.

Free SSL certificate for your website

05/03/2019 | WebDev

Few things are more annoying than browsing a website that the browser flags as insecure with a red warning in the address bar.

Imagine running a website that handles sensitive data, be it personal records submitted through a web form or anything else, over an insecure connection. Your visitors would not be happy with that.

Today most professional websites use SSL certificates. Even Google pushes towards secure URLs in its indexing, and some sources claim that HTTPS links are crawled better by search engines.

In this article we will go through some options for getting rid of the red warning in the address bar. Implementing an SSL certificate on your website does not need to be costly; it can even be free of charge 😉

What is SSL or an SSL Certificate?

SSL stands for Secure Sockets Layer and is the standard technology for establishing an encrypted link between a web server and a browser (its successor, TLS, is what is actually negotiated today, but the name "SSL certificate" has stuck). This secure link ensures that visitors’ (i.e. customers’) data remains private and encrypted in transit.
An SSL certificate is a digital certificate that proves to the visitor’s browser that the web service it is talking to controls the domain. Certificates are issued by a Certificate Authority (CA).

There are many Certificate Authorities worldwide, with Comodo, Symantec, GlobalSign and DigiCert being the best known. A W3Techs survey from May 2018 shows that IdenTrust, a cross-signer of Let’s Encrypt intermediates, has risen to be the most popular SSL certificate authority.

Let’s Encrypt and CloudFlare

Let’s Encrypt and CloudFlare are the two SSL CA providers I would like to focus on.

Let’s Encrypt is a non-profit certificate authority that provides X.509 certificates at no charge. Certificates issued by Let’s Encrypt are valid for 90 days and can be renewed during that time. The project’s goal is to make encrypted connections the default for web servers.

CloudFlare, on the other hand, is a company that provides content delivery network services, DDoS protection, internet security and DNS services. I personally recommend using CloudFlare’s services for your website.

CloudFlare

CloudFlare is my favourite free method to encrypt the traffic to my website. It is also the simpler one to configure.

All you need to do is create an account, verify domain ownership and replace your domain name servers with CloudFlare’s own nameservers.

Let’s Encrypt

Enabling and installing an SSL certificate on your website depends on the type of web hosting you have. If your site runs on a dedicated server and you have root permissions, you can easily request and install an SSL certificate from Let’s Encrypt – just read the manual.

In my case, I use Linux (shared) hosting from GoDaddy and my host runs on a Linux Cloud OS with limited root access rights.

Basically, if your hosting provider does not support Let’s Encrypt by default, you’ll have to use alternative ways to create the certificate request and approve it by Let’s Encrypt.

Hosting providers that support Let’s Encrypt can be found here.

To create the Certificate Signing Request (CSR) we will use a free online tool called ZeroSSL.

  1. Navigate to ZeroSSL.com.
  2. Click on Online Tools.
  3. Click Start to start the FREE SSL Certificate Wizard.
  4. Enter your domain name (include a record with and without the www prefix).
  5. Make sure to check the following boxes:
    – HTTP verification
    – Accept ZeroSSL TOS
    – Accept Let’s Encrypt SA (pdf)
  6. In my case, I only entered storcom.com without the www prefix, but the wizard asked if I wanted to add the prefix.
  7. Hit Next to proceed.
  8. At this point, we have received the CSR (Certificate Signing Request).
  9. Click Download, or save it manually in a text file.
  10. Click Next to continue.
  11. Once the Key Account is created, download it or save it manually.
  12. At this point, we should have 2 separate files:
    – the CSR file and
    – the Key Account file
  13. Next we will need to verify domain ownership. Download the 2 files below.
  14. Navigate to your web hosting’s cPanel and open the file manager.
  15. In the root directory (e.g. public_html) create a folder .well-known and a subfolder acme-challenge. The directory structure should look like this:
  16. If the folder is not visible, go to Settings (top right corner) and check Show Hidden Files (dotfiles).
  17. Under .well-known/acme-challenge upload the 2 files we downloaded in step 13.
  18. Navigate back to the ZeroSSL web page and click on the links. If the links resolve to the text files you have uploaded, you should be OK to continue.
  19. Proceed by clicking Next, and your certificate should be created and valid for 90 days.
  20. At the bottom of the page, download the Certificate file (CRT) and the Domain (Key) file.
  21. Navigate to your hosting’s cPanel and open TLS/SSL.
  22. Click on Manage SSL sites.
  23. Select your domain.
  24. Copy the text from the Certificate (CRT) file and paste it into the Certificate: (CRT) text box. Notice that the CRT file includes both the certificate itself and the certificate bundle. Cut the certificate bundle out and paste it into the 3rd box, Certificate Bundle.
  25. Copy and paste the Domain Key into the Private Key (KEY) text box.
  26. Make sure the Certificate Authority Bundle (CABUNDLE) has been filled in and click Install Certificate.
  27. Congrats! You have installed a free certificate on your website.
  28. Your website should now indicate a valid SSL certificate.
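
As an added example (not part of the original post or of ZeroSSL's tooling), the following Python script shows what the two challenge files from step 13 must contain, so you can check them before uploading: the ACME server fetches /.well-known/acme-challenge/<token> over plain HTTP and expects the token, a dot, and the RFC 7638 thumbprint of the account key. It assumes the wizard's Key Account file is an ACME account key in JWK form; the token and key values below are constructed placeholders.

```python
"""Compute and check Let's Encrypt HTTP-01 challenge files (RFC 8555 / RFC 7638).
Added example, not code from the original post. Assumes the wizard's
"Key Account" file is an ACME account key in JWK form.
"""
import base64
import hashlib
import json

# Constructed sample values: not a real token and not a real key.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "sample_modulus_base64url_not_a_real_key_0123456789abcdef",
    "alg": "RS256",  # extra members are ignored by the thumbprint
}

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 of the canonical JSON of the required members only."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    if jwk.get("kty") not in required:
        raise ValueError(f"unsupported key type: {jwk.get('kty')!r}")
    canonical = json.dumps({k: jwk[k] for k in required[jwk["kty"]]},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def challenge_path(token: str) -> str:
    """URL path the ACME server fetches over plain HTTP on port 80."""
    return f"/.well-known/acme-challenge/{token}"

def key_authorization(token: str, account_jwk: dict) -> str:
    """Exact file body the ACME server expects: <token>.<thumbprint>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def verify_challenge_file(body: bytes, token: str, account_jwk: dict) -> bool:
    """True when an uploaded file would satisfy the challenge. Trailing
    whitespace is tolerated because RFC 8555 says the server SHOULD ignore it."""
    expected = key_authorization(token, account_jwk)
    return body.decode("ascii", errors="replace").rstrip() == expected

if __name__ == "__main__":
    print("upload to:", challenge_path(SAMPLE_TOKEN))
    print("file body:", key_authorization(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK))
```

A file that holds only the token, or a file built from a different account key, fails the check, which is the usual reason the links in step 18 look fine but validation still fails.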

Redirect HTTP to HTTPS

Finally, in order to use the installed certificate correctly, you will need to tell your webserver to always use HTTPS for incoming requests. 

WordPress

  1. Go to your WP admin panel
  2. Navigate to Settings > General
  3. Change the WordPress Address (URL) and Site Address (URL) to start with https

Non-CMS

Another way is to tell the web server itself to redirect every HTTP request to HTTPS, which on Apache takes only a few lines in the .htaccess file. One caveat: if TLS is terminated in front of your server (for example by CloudFlare’s proxy), the origin may still receive plain HTTP, and a rule that only tests %{HTTPS} will redirect in a loop; in that setup the redirect has to be keyed on the X-Forwarded-Proto header instead.

Redirect on Apache webserver

  1. Go to your hosting’s file manager
  2. On the root directory /public_html edit or create a file called .htaccess
  3. Append the following code at the end:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Redirect on Nginx webserver

  1. Go to your hosting’s file manager
  2. Look for nginx config-file
  3. Append the following code:
server {
    listen 80;
    server_name domain.com www.domain.com;
    return 301 https://domain.com$request_uri;
}

Any suggestion or question? Leave a reply below, or feel free to contact us. Make sure to subscribe to our mailing list to get the latest.