Anda di halaman 1dari 11

CCIE Security V4 Technology Labs Section 7:

Confidentiality and Secure Access


Certificate Authority High Availability on
Cisco IOS Routers
Last updated: May 20, 2013
Note:
For this task, either load the Section 7 Initial Configuration Files to initialize your rack
or completely remove any PKI/RSA-related configurations done on R2 and R3 in the
previous task.
Task
Configure R1 and R2 to function as redundant CA servers.
In case of a reload, R1 should always become the active router.
Insert Rack1-HA.ine.com in the Subject field of the CA certificate.
Ensure that client certificates are automatically approved.
Overview
Cisco IOS PKI can be deployed in a High Availability mode, providing redundancy for client
requests. Like other technologies supported by IOS in HA mode, such as Zone Based Firewall
(ZBF) of IPsec, PKI HA uses the Stateful Switch-Over (SSO) redundancy feature. This inter-device
redundancy function relies on two protocols: HSRP and SCTP.
HSRP determines the roles: ACTIVE and STANDBY.
SCTP ensures automatic synchronization between ACTIVE and STANDBY. For PKI, the following
are automatically synchronized from the ACTIVE:
CA server configuration
CA certificate
Certificate revocation list (CRL)
Serial file
RSA keys
To ensure functionality of the IOS PKI High Availability deployment, it is recommended that you use
the following configuration steps:
Configure and verify HSRP functionality.
Configure and verify inter-device SSO redundancy functionality (requires a manual reload on the
STANDBY device).

Do not continue further unless SSO is functional.


Configure and activate PKI server on the ACTIVE device.
Disable PKI server on the ACTIVE device and enable PKI redundancy.
Activate PKI server on the ACTIVE device.
Note:
The High Availability configuration from the PKI Configuration Guide of IOS 15MT is
found in the Configuring Authorization and Revocation of Certificates in a PKI
section.
Note:
Because of the high volume of data required to be synchronized, if the CA runs in
complete database level, the client-issued certificate files (.crt) will not be
synchronized with the standby system. The workaround is to have both CA systems
point to a common external storage for these files, by using the command
database url .
Configuration
R1:
ip http server
!
interface GigabitEthernet0/0
standby ip 136.1.18.12
standby priority 150
standby preempt
standby name PKI
!
!
ipc zone default
association 1
no shutdown
protocol sctp
local-port 5000
local-ip 136.1.18.1
remote-port 5000
remote-ip 136.1.18.2
!
!
redundancy inter-device
scheme standby PKI
R2:
ip http server
!
interface GigabitEthernet0/0
standby ip 136.1.18.12
standby preempt
standby name PKI
!
!
ipc zone default
association 1
no shutdown
protocol sctp
local-port 5000
local-ip 136.1.18.2
remote-port 5000
remote-ip 136.1.18.1
!
!
redundancy inter-device
scheme standby PKI
At this point, we need to save the configuration and reload the standby device to activate the
redundancy. Note that after the manual reload, R2 will detect itself as standby and induce another
forced reload. The following output shows the initial required reload.
Rack1R2#show redundancy inter-device
Redundancy inter-device state: RF_INTERDEV_STATE_INIT
Pending Scheme: Standby (Will not take effect until next reload)
Pending Groupname: PKI
Scheme: <NOT CONFIGURED>
Peer present: UNKNOWN
Security: Not configured
After SSO is functional, configure PKI only on the ACTIVE device; it will be automatically
synchronized to the STANDBY.
R1:
crypto key generate rsa general-keys redundancy label HA modulus 1024
!
crypto pki server HA
database level names
issuer-name CN=Rack1-HA.ine.com
database archive pkcs12 password ciscocisco
grant auto
no shutdown
!
crypto pki server HA
shutdown
redundancy
no shutdown
If PKI functionality is not synchronized as shown in the Verification section, it may be required to
perform another reload of both routers.
Verification
First, verify SSO inter-device redundancy.
Rack1R1#show redundancy inter-device
Redundancy inter-device state: RF_INTERDEV_STATE_ACT
Scheme: Standby
Groupname: PKI Group State: Active
Peer present: RF_INTERDEV_PEER_COMM
Security: Not configured
!
!
Rack1R2#show redundancy inter-device
Redundancy inter-device state: RF_INTERDEV_STATE_STDBY
Scheme: Standby
Groupname: PKI Group State: Standby
Peer present: RF_INTERDEV_PEER_COMM
Security: Not configured
!
!
Rack1R1#show redundancy states
my state = 13 -ACTIVE
peer state = 8 -STANDBY HOT
Mode = Duplex
Unit ID = 0
Maintenance Mode = Disabled
Manual Swact = enabled
Communications = Up
client count = 13
client_notification_TMR = 60000 milliseconds
RF debug mask = 0x0
!
!
Rack1R2#show redundancy states
my state = 8 -STANDBY HOT
peer state = 13 -ACTIVE
Mode = Duplex
Unit ID = 0
Maintenance Mode = Disabled
Manual Swact = cannot be initiated from this the standby unit
Communications = Up
client count = 13
client_notification_TMR = 60000 milliseconds
RF debug mask = 0x0
Verify PKI HA configuration.
Rack1R1#show crypto pki server
Certificate Server HA:
Status: enabled
State: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: CN=Rack1-HA.ine.com
CA cert fingerprint: A4D61964 52C12593 9DA4DD90 4C51831D
Granting mode is: auto
Last certificate issued serial number (hex): 1
CA certificate expiration timer: 19:42:37 UTC Apr 30 2016
CRL NextUpdate timer: 01:42:39 UTC May 2 2013
Current primary storage dir: nvram:
Database Level: Names - subject name data written as <serialnum>.cnm
Redundancy configured. This is active.
!
!
Rack1R2#show crypto pki server
Certificate Server HA:
Status: enabled
State: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: CN=Rack1-HA.ine.com
CA cert fingerprint: A4D61964 52C12593 9DA4DD90 4C51831D
Granting mode is: auto
Last certificate issued serial number (hex): 1
CA certificate expiration timer: 19:42:37 UTC Apr 30 2016
CRL NextUpdate timer: 01:42:39 UTC May 2 2013
Current primary storage dir: nvram:
Database Level: Names - subject name data written as <serialnum>.cnm
Redundancy configured. This is standby.
!
!
Rack1R1#show crypto pki certificates
CA Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Issuer:
cn=Rack1-HA.ine.com
Subject:
cn=Rack1-HA.ine.com
Validity Date:
start date: 19:42:37 UTC May 1 2013
end date: 19:42:37 UTC Apr 30 2016
Associated Trustpoints: HA
Storage: nvram:Rack1-HAinec#1CA.cer
!
!
Rack1R2#show crypto pki certificates
CA Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Issuer:
cn=Rack1-HA.ine.com
Subject:
cn=Rack1-HA.ine.com
Validity Date:
start date: 19:42:37 UTC May 1 2013
end date: 19:42:37 UTC Apr 30 2016
Associated Trustpoints: HA
Storage:
Enroll SW1 in the PKI infrastructure with R1 being the ACTIVE router (you may need to synchronize
time with NTP between SW1 and R1/R2).
SW1:
crypto pki trustpoint HA
enrollment url http://136.1.18.12
!
!
crypto pki authenticate HA
crypto pki enroll HA
Verify that SW1 received the certificate and R2 is synchronized with R1.
Rack1SW1#show crypto pki certificates
Certificate
Status: Available
Certificate Serial Number: 02
Certificate Usage: General Purpose
Issuer:
cn=Rack1-HA.ine.com
Subject:
Name: Rack1SW1.ine.com
hostname=Rack1SW1.ine.com
Validity Date:
start date: 21:50:18 UTC May 1 2013
end date: 21:50:18 UTC May 1 2014
Associated Trustpoints: HA
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=Rack1-HA.ine.com
Subject:
cn=Rack1-HA.ine.com
Validity Date:
start date: 19:42:37 UTC May 1 2013
end date: 19:42:37 UTC Apr 30 2016
Associated Trustpoints: HA
!
!
Rack1R1#show crypto pki server HA certificates
Serial Issued date Expire date Subject Name
1 <cert file not accessible>
Certificate might have been granted by other CA
2 <cert file not accessible>
Certificate might have been granted by other CA
!
!
Rack1R2#show crypto pki server HA certificates
Serial Issued date Expire date Subject Name
1 <cert file not accessible>
Certificate might have been granted by other CA
2 <cert file not accessible>
Certificate might have been granted by other CA
Move the HSRP ACTIVE role to R2, and re-enroll SW1 in the PKI (when the ACTIVE role changes,
the STANDBY always receive a forced reload to ensure synchronization).
R2:
interface gigabitEthernet 0/0
standby priority 200
SW1:
crypto pki enroll HA
Verify that R2 is now the ACTIVE router/PKI server.
Rack1R2#show crypto pki server
Certificate Server HA:
Status: enabled
State: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: CN=Rack1-HA.ine.com
CA cert fingerprint: A4D61964 52C12593 9DA4DD90 4C51831D
Granting mode is: auto
Last certificate issued serial number (hex): 3
CA certificate expiration timer: 19:42:37 UTC Apr 30 2016
CRL NextUpdate timer: 01:42:39 UTC May 2 2013
Current primary storage dir: nvram:
Database Level: Names - subject name data written as <serialnum>.cnm
Redundancy configured. This is active.
!
!
Rack1R1#show crypto pki server
Certificate Server HA:
Status: enabled
State: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: CN=Rack1-HA.ine.com
CA cert fingerprint: A4D61964 52C12593 9DA4DD90 4C51831D
Granting mode is: auto
Last certificate issued serial number (hex): 3
CA certificate expiration timer: 19:42:37 UTC Apr 30 2016
CRL NextUpdate timer: 01:42:39 UTC May 2 2013
Current primary storage dir: nvram:
Database Level: Names - subject name data written as <serialnum>.cnm
Redundancy configured. This is standby.
Verify that SW1 received the certificate and R1 is synchronized with R2.
Rack1SW1#show crypto pki certificates
Certificate
Status: Available
Certificate Serial Number: 03
Certificate Usage: General Purpose
Issuer:
cn=Rack1-HA.ine.com
Subject:
Name: Rack1SW1.ine.com
hostname=Rack1SW1.ine.com
Validity Date:
start date: 21:59:55 UTC May 1 2013
end date: 21:59:55 UTC May 1 2014
Associated Trustpoints: HA
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=Rack1-HA.ine.com
Subject:
cn=Rack1-HA.ine.com
Validity Date:
start date: 19:42:37 UTC May 1 2013
end date: 19:42:37 UTC Apr 30 2016
Associated Trustpoints: HA
!
!
Rack1R2#show crypto pki server HA certificates
Serial Issued date Expire date Subject Name
1 <cert file not accessible>
Certificate might have been granted by other CA
2 <cert file not accessible>
Certificate might have been granted by other CA
3 <cert file not accessible>
Certificate might have been granted by other CA
!
!
Rack1R1#show crypto pki server HA certificates
Serial Issued date Expire date Subject Name
1 <cert file not accessible>
Certificate might have been granted by other CA
2 <cert file not accessible>
Certificate might have been granted by other CA
3 <cert file not accessible>
Certificate might have been granted by other CA