From the release 20.3.3 the TLS clients and servers in SLX management plane are enabled with the ability to present, receive and validate client certificates to either authenticate itself or authenticate the remote client presenting its certificate to SLX.
Since the TLS clients on SLX are syslog, RADIUS and LDAP the two command options that
are provided to import the pkcs12
format of the client certificates and the private key signing it.
SLX# crypto ca import-pkcs type pkcs12 cert-type <ldap-client/radiusclient/ syslog-client> directory <dir-name> file <file-name> host <host-name/ip> protocol <SCP|FTP> user <server username> password <server-password> pkcs-passphrase <pkcs export password>
When the client certificate is imported to SLX via above command for each of the services, connecting to their servers via secure port that sends client certificates to the server only if the server requests for client certificate. Enabling the server to send client certificate request is external server configuration and not in the scope of the current document.
Since the TLS servers in SLX are HTTPs and secure GNMI, these must authenticate the external clients when the latter presents its client certificates. For this the TLS servers of SLX must send client certificate request in the TLS handshake.
To validate the incoming client certificate against a trusted authority during the TLS handshake, a CA certificate for the client certificate must be imported to SLX. The CA can be imported via the below command for HTTPs and secure GNMI.
To import CA of HTTPs client cert.
SLX#crypto import httpsclientca directory <dir-name> file <file-name> host <host-name/ip> protocol <SCP|FTP> user <server-username> password <server-password>
To import CA of GNMI client cert.
SLX#crypto import gnmiclientca directory <dir-name> file <file-name> host <host-name/ip> protocol <SCP|FTP> user <server-username> password<server-password>
Importing the CA via the above commands acts as a control knob for turning on mutual authentication and enables these services to request client certificate from clients during TLS handshake. When the client certificate is requested clients need to mandatorily present their client certificates issued by the imported CA.
Note
Removing the imported CA‘s via no form of the above commands disables mutual authentication for the respective services.Enabling mutual authentication enhances security such that it prevents a man in the middle attack from imposing clients, which fail to identify themselves to SLX or to establish SLX as a trusted client to TLS servers seeking client authentication.