Users Guide

OS10# show running-configuration crypto security-profile
!
crypto security-profile radius-prof
certificate dv-fedgov-s6010-1
OS10# show running-configuration radius-server
radius-server host radius-server-2.test.com tls security-profile radius-prof key 9 2b9799adc767c0efe8987a694969b1384c541414ba18a44cd9b25fc00ff180e9
Cluster security
When you enable VLT or a fabric automation application, switches that participate in the cluster use secure channels to
communicate with each other. The secure channels are enabled only when you enable the VLT or fabric cluster configuration on
a switch. OS10 installs a default X.509v3 certificate-key pair to establish secure channels between the peer devices in a cluster.
NOTE: From release 10.5.1.0 onwards, an X.509v3 certificate is not needed in a VLT domain if both VLT peers are
running OS10 software version 10.5.1.0 or later. However, you still need the certificates during a VLT upgrade from an earlier
version to 10.5.1.0, because the upgraded VLT device has to communicate with the other VLT peer in the domain until that
device is also upgraded to 10.5.1.0.
Replace the default certificate-key pair used for cluster applications:
• In a deployment where untrusted devices access management or data ports on an OS10 switch.
• Before the default X.509v3 certificate expires on July 27, 2021. If the default certificate-key pair expires, the VLT domain on
  peer switches does not come up.
NOTE: The expiration date for the default certificate-key pair that is installed by OS10 on a switch running the 10.5.0.0
release is July 27, 2021. To ensure secure communication in a cluster before the expiration date, install a more recent
X.509v3 certificate-key pair.
Create a custom X.509v3 certificate-key pair by configuring an application-specific security profile using the
cluster security-profile command. Before the default or custom X.509v3 certificate-key pair that is used between the peer
devices in a VLT domain or fabric application cluster expires, install a valid CA certificate by following the procedures in:
• Manage CA certificates.
• Request and install host certificates.
When you replace the default certificate-key pair for cluster applications, ensure that all devices in the cluster use the same
custom certificate-key pair or a unique certificate-key pair that is issued by the same CA.
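A pre-install check for the requirement above, as an added example that is not part of the OS10 guide: run on an admin workstation with OpenSSL, it confirms that each peer's host certificate verifies against the cluster CA and is not about to expire. The function names, file names, CNs and the 30-day threshold are assumptions, and the demo PKI is constructed test data.

```shell
# check_cluster_certs CA_FILE MIN_DAYS CERT...
# Returns 0 only if every certificate stays valid for MIN_DAYS more days and
# verifies against CA_FILE (the CA that all cluster peers must share).
check_cluster_certs() {
    ca_file=$1; min_days=$2; shift 2
    rc=0
    for cert in "$@"; do
        end=$(openssl x509 -in "$cert" -noout -enddate)
        if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
            echo "FAIL $cert: expires within $min_days days ($end)"; rc=1
        elif ! openssl verify -CAfile "$ca_file" "$cert" >/dev/null 2>&1; then
            echo "FAIL $cert: does not verify against $ca_file"; rc=1
        else
            echo "OK   $cert ($end)"
        fi
    done
    return $rc
}

# make_demo_pki DIR: constructed test data (hypothetical names): two CAs, two
# peers signed by ca.crt, one expiring in 10 days, one signed by other.crt.
make_demo_pki() {
    ( cd "$1" || exit 1
      for name in ca other; do
          openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=demo-$name" \
              -keyout "$name.key" -out "$name.crt" 2>/dev/null
      done
      # issue NAME CA DAYS: create a key and CSR for NAME, then sign it with CA
      issue() {
          openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
              -keyout "$1.key" -out "$1.csr" 2>/dev/null
          openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
              -CAcreateserial -days "$3" -out "$1.crt" 2>/dev/null
      }
      issue peer1 ca 365; issue peer2 ca 365
      issue expiring ca 10; issue foreign other 365 )
}

demo=$(mktemp -d)
make_demo_pki "$demo"
# Require 30 more days of validity on every peer certificate.
check_cluster_certs "$demo/ca.crt" 30 "$demo/peer1.crt" "$demo/peer2.crt" \
    "$demo/expiring.crt" "$demo/foreign.crt" || echo "cluster certificates not ready"
```

The expiry test runs first because `openssl verify` also rejects an expired certificate, which would otherwise be reported as a CA mismatch.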
CAUTION: While you replace the default certificate-key pair, cluster devices temporarily lose their secure
channel connectivity. Dell EMC Networking recommends that you change the cluster security configuration
during a maintenance window.
This example shows how to install an X.509v3 CA and host certificate-key pair for a cluster application. For more information,
see:
• Importing and installing a CA certificate: see Manage CA certificates.
• Generating a CSR and installing a host certificate: see Request and install host certificates.
1. Install a trusted CA certificate.
OS10# copy tftp://CAadmin:secret@172.11.222.1/GeoTrust_Universal_CA.crt home://GeoTrust_Universal_CA.crt
OS10# crypto ca-cert install home://GeoTrust_Universal_CA.crt
Processing certificate ...
Installed Root CA certificate
CommonName = GeoTrust Universal CA
IssuerName = GeoTrust Universal CA
2. Generate a CSR, copy the CSR to a CA server, download the signed certificate, and install the host certificate.
OS10# crypto cert generate request cert-file home://s4048-001.csr key-file home://tsr6.key cname "Top of Rack 6" altname "IP:10.0.0.6 DNS:tor6.dell.com" email admin@dell.com organization "Dell EMC" orgunit Networking locality "Santa Clara" state California country US length 1024
Processing certificate ...
Security