API Guide

System logging over TLS requires that:
- X.509v3 PKI certificates are configured on a certification authority (CA) and installed on the switch. Both the switch and the syslog server present a public key in a CA-signed X.509v3 certificate so that each can authenticate the other. For more information, see X.509v3 certificates.
- You configure a security profile for system logging as described in Security profiles.
Configure system logging over TLS
1. Copy an X.509v3 certificate created by a CA server to the switch using a secure method, such as SCP or HTTPS, as described in Manage CA certificates. Then install the trusted CA certificate in EXEC mode:
crypto ca-cert install ca-cert-filepath [filename]
ca-cert-filepath specifies the local path to the downloaded certificate; for example, home://CAcert.pem or usb://CA-cert.pem.
filename specifies an optional filename under which the certificate is stored in the OS10 trust-store directory. Enter the filename in the filename.crt format.
2. Obtain an X.509v3 host certificate from the CA server as described in Request and install host certificates:
a. Create a private key and generate a certificate signing request (CSR) for the switch.
b. Copy the CSR file to the CA server for signing.
c. Copy the CA-signed certificate to the home directory on the switch.
d. Install the host certificate:
crypto cert install cert-file home://cert-filepath key-file {key-path | private} [password passphrase] [fips]
When you install an X.509v3 certificate-key pair:
- Both files take the name of the certificate. For example, if you install a certificate using:
OS10# crypto cert install cert-file home://Dell_host1.pem key-file home://abcd.key
the certificate-key pair is installed as Dell_host1.pem and Dell_host1.key. In configuration commands, refer to the pair as Dell_host1. When you configure a security profile, you enter Dell_host1 in the certificate certificate-name command.
- Because the key file contains the private key, it is copied to a secure location in the OS10 file system and deleted from the original location specified in the key-file key-path parameter.
NOTE: fips installs the certificate-key pair as FIPS-compliant. Enter fips to install a certificate-key pair that is used by a FIPS-aware application, such as Syslog over TLS. If you do not enter fips, the certificate-key pair is stored as a non-FIPS-compliant pair.
You determine whether the certificate-key pair is generated as FIPS-compliant. Do not use FIPS-compliant certificate-key pairs outside of FIPS mode. When FIPS mode is enabled, you can still generate CSRs for non-FIPS certificates for use with non-FIPS applications. Be sure to install these certificates as non-FIPS with the crypto cert install command.
3. Configure a security profile for system logging over TLS using an X.509v3 certificate.
a. Create a Syslog security profile in CONFIGURATION mode. See Security profiles for more information.
crypto security-profile profile-name
b. Assign an X.509v3 certificate and private key pair to the security profile in SECURITY-PROFILE mode. For certificate-name, enter the name of the certificate-key pair as it appears in the show crypto certs output, without the .pem extension.
certificate certificate-name
exit
c. Create a system logging-specific profile in CONFIGURATION mode.
logging security-profile profile-name
Where profile-name is the name of the Syslog security profile created in Step 3a with the crypto security-profile profile-name command. You cannot delete a crypto security profile while it is configured for a logging server.
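The CA-server side of step 2 (signing the switch's CSR) together with the checks worth running before the signed certificate and key are installed with crypto cert install, as an added example that is not from the OS10 guide. It assumes openssl is available on the CA host; the file names (CAcert.pem, Dell_host1.*) and the subject names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the OS10 guide: the CA-server side of step 2, done with
# openssl. It builds a throwaway test CA, signs a CSR the way the CA would for the
# switch's host certificate, and checks the result before it is copied to the switch.
# All file and subject names are constructed for this example.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# CA key and self-signed CA certificate. CAcert.pem is what 'crypto ca-cert install'
# places in the OS10 trust store.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$WORK/CA.key" -out "$WORK/CAcert.pem" \
    -subj "/CN=Example Syslog CA" >/dev/null 2>&1
}

# Stand-in for step 2a. On a real switch the private key is created on the device and
# never leaves it; it is generated here only so the script runs end to end.
make_csr() {
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/Dell_host1.key" -out "$WORK/Dell_host1.csr" \
    -subj "/CN=switch1.example.net" >/dev/null 2>&1
}

# Step 2b on the CA: sign the CSR. Dell_host1.pem is the file copied back to the switch
# home directory (step 2c) and installed with 'crypto cert install' (step 2d).
sign_csr() {
  openssl x509 -req -sha256 -days 365 -CAcreateserial \
    -in "$WORK/Dell_host1.csr" -CA "$WORK/CAcert.pem" -CAkey "$WORK/CA.key" \
    -out "$WORK/Dell_host1.pem" >/dev/null 2>&1
}

# Pre-install checks: the host certificate chains to the CA the switch trusts, and the
# key file belongs to the certificate (the two are installed as one named pair).
verify_chain() {
  openssl verify -CAfile "$WORK/CAcert.pem" "$WORK/Dell_host1.pem" >/dev/null 2>&1
}
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$WORK/Dell_host1.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$WORK/Dell_host1.key" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

run_all() { make_ca && make_csr && sign_csr && verify_chain && key_matches_cert; }
```

Run run_all on the CA host; a failure in verify_chain or key_matches_cert means the pair would be rejected or would fail the TLS handshake after installation, so fix it before copying anything to the switch.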
Troubleshoot Dell EMC SmartFabric OS10
1437