sslcfg command

This command sets and displays the Secure Sockets Layer (SSL) status of the CMM.

Note:
  • When the CMM is set to "Secure" security mode, only secure file transfer methods, such as HTTPS and SFTP, can be used for tasks involving file transfer when the CMM is acting as a server. Unsecure file transfer protocols, such as HTTP, FTP, and TFTP, are disabled for a CMM acting as a server when the security mode is set to "Secure". Unsecure file transfer protocols remain available to a CMM acting as a client for all commands, even when the security mode is set to "Secure".
  • For information about how to specify a URL for file transfer, see Specifying a URL for file transfer.
  • SHA256 certificates are not supported for external LDAP servers.

If command syntax is not correctly entered, or if a command fails to run, an error message is returned. See Common errors for a list of error messages that apply to all commands or sslcfg command errors for a list of error messages that are specific to the sslcfg command.

Table 1. sslcfg command.

The command table is a multi-row, four-column table where each row describes a CMM CLI command option: column one lists command function, column two provides a detailed command description, column three shows command-option syntax, and column four lists valid command targets.

Function What it does Command Target (see paths in Command targets)
Display CMM SSL status Displays the SSL status of the specified CMM. This status includes information about SSL certificates. sslcfg
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  where x is the primary CMM bay number.
Set SSL (secure LDAP) state for LDAP client Enables or disables SSL (secure LDAP) for the LDAP client.
Note:
  • By default, the LDAP client uses the same SSL certificate as the LDAP server.
  • The LDAP client can be enabled if a certificate is in place.
sslcfg -client state

where state is enabled or disabled.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  where x is the primary CMM bay number.
Set SSL state for HTTPS server Enables or disables the HTTPS server.
Note: The HTTPS server can be enabled if a certificate is in place.
sslcfg -server state

where state is enabled or disabled.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  where x is the primary CMM bay number.
View self-signed certificate Views a certificate authority self-signed root certificate for the CMM. sslcfg -view ca
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  where x is the primary CMM bay number.
Generate self-signed certificate Generates a self-signed certificate for the chassis certificate authority.
Note:
  • Running this command re-signs all certificates in the chassis, so any application configured to trust those certificates will no longer trust them. Export the new CA certificate and import it into the companion applications so that they can continue to manage the chassis. If the previous CA certificate was imported into a web browser or any other application, replace it with the new certificate. Additionally, some security configuration artifacts that are signed by the CA certificate might be reprovisioned to the compute nodes.
  • If the crypto -m option is set to comp, for compatibility with all NIST cipher suites (see the crypto command for more information), the sslcfg -gen ca -csa certificate type option must be specified when generating a CA certificate.
  • If the crypto -m option is set to nist800-131a (see the crypto command for more information), the sslcfg -gen ca -csa option is optional; if it is specified, the certificate type must be set to rsa2048sha256.
sslcfg -gen ca -csa type

where the optional certificate type is:

  • rsa2048sha1
  • rsa2048sha256
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  where x is the primary CMM bay number.
Generate CSR Generates a certificate signing request (CSR) for the CMM HTTPS server or LDAP client.

The following values must be set when generating a CSR:

  • Country using the -c command option.
  • State or province using the -sp command option.
  • City or locality using the -cl command option.
  • Organization name using the -on command option.
  • CMM host name using the -hn command option.
    Note: This host name must match the host name that is used by a web browser to connect to the CMM.

The following optional values can be set when generating a CSR:

  • Contact person using the -cp command option.
  • Email address of the contact person using the -ea command option.
  • Unit within a company or organization using the -ou command option.
  • Additional information such as a surname using the -s command option.
  • Additional information such as a given name using the -gn command option.
  • Additional information such as initials using the -in command option.
  • Additional information such as a distinguished name qualifier using the -dq command option.
  • Additional information such as a CSR password using the -cpwd command option.
  • Additional information such as an unstructured name qualifier using the -un command option.
sslcfg -gen csr -c country -sp "state" -cl "city" -on "org" -hn hostname -cp "name" -ea email -ou "org_unit" -s "surname" -gn "given_name" -in "initial" -dq "dn_qualifier" -cpwd password -un "un_name" -t target
where the following required options are:
  • country is a two-character alphabetic code for the country.
  • "state" is a state or province name of up to 60 characters in length.
  • "city" is a city or locality name of up to 50 characters in length.
  • "org" is an organization name of up to 60 characters in length.
  • hostname is a valid host name of up to 60 characters in length.
  • target is server or client.
where the following optional options are:
  • "name" is up to 60 characters in length.
  • email is a valid email address of up to 60 characters.
  • "org_unit" is up to 60 characters.
  • "surname" is up to 60 characters.
  • "given_name" is up to 60 characters.
  • "initial" is up to 20 characters.
  • "dn_qualifier" is up to 60 characters.
  • password is between 6 and 30 characters.
  • "un_name" is up to 60 characters.
Note: Arguments that must be quote-delimited are shown in quotation marks.
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  where x is the primary CMM bay number.
Download CA self-signed root certificate file Downloads the specified CA self-signed root certificate file.

The location of the CA self-signed root certificate file, including the IP address of the server for downloading and the file name, must be set using the -u command option.

Note: To successfully download and import a CA certificate into an external LDAP server trust store, make sure that secure LDAP is enabled using the sslcfg -server enabled or the sslcfg -client enabled command.
sslcfg -dnld ca -u URL

where URL is the fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  where x is the primary CMM bay number.
Download certificate or CSR file of specified format Downloads the specified certificate file, specifying the certificate file format.

The location of the certificate or CSR file, including the IP address of the server for downloading and the file name, must be set using the -u command option.

Note: If the certificate or CSR file format is not specified using the -f command option, the format defaults to DER.
sslcfg -dnld cert_type -f format -u URL -t target
where:
  • cert_type is
    • cert for a certificate
    • csr for a CSR (for the CMM LDAP client certificate)
  • format is
    • der for binary DER encoded certificates
    • pem for X.509v3 files that contain ASCII (Base64) armored data prefixed with a BEGIN line
  • URL is the fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located.
  • target is server or client.
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  where x is the primary CMM bay number.
Import (upload) trusted certificate 1 Imports (uploads) trusted certificate 1 for the LDAP client.

The upload location of the trusted certificate file, including the IP address of the server and the file name, must be set using the -u command option.

sslcfg -tc1 import -u URL -t client

where URL is the fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located.

Note: The -t client option is optional. If it is not specified, the command defaults to the client target.
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  where x is the primary CMM bay number.
Import (upload) trusted certificate 2 Imports (uploads) trusted certificate 2 for the LDAP client.

The upload location of the trusted certificate file, including the IP address of the server and the file name, must be set using the -u command option.

sslcfg -tc2 import -u URL -t client

where URL is the fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located.

Note: The -t client option is optional. If it is not specified, the command defaults to the client target.
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  where x is the primary CMM bay number.
Import (upload) trusted certificate 3 Imports (uploads) trusted certificate 3 for the LDAP client.

The upload location of the trusted certificate file, including the IP address of the server and the file name, must be set using the -u command option.

sslcfg -tc3 import -u URL -t client

where URL is the fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located.

Note: The -t client option is optional. If it is not specified, the command defaults to the client target.
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  where x is the primary CMM bay number.
Export (download) trusted certificate 1 Downloads (exports) trusted certificate 1 for the LDAP client.

The location of the trusted certificate 1 file, including the IP address of the server for downloading and the file name, must be set using the -u command option.

sslcfg -tc1 download -u URL -t client

where URL is the fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located.

Note: The -t client option is optional. If it is not specified, the command defaults to the client target.
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  where x is the primary CMM bay number.
Export (download) trusted certificate 2 Downloads (exports) trusted certificate 2 for the LDAP client.

The location of the trusted certificate 2 file, including the IP address of the server for downloading and the file name, must be set using the -u command option.

sslcfg -tc2 download -u URL -t client

where URL is the fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located.

Note: The -t client option is optional. If it is not specified, the command defaults to the client target.
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  where x is the primary CMM bay number.
Export (download) trusted certificate 3 Downloads (exports) trusted certificate 3 for the LDAP client.

The location of the trusted certificate 3 file, including the IP address of the server for downloading and the file name, must be set using the -u command option.

sslcfg -tc3 download -u URL -t client

where URL is the fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located.

Note: The -t client option is optional. If it is not specified, the command defaults to the client target.
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  where x is the primary CMM bay number.
Remove trusted certificate 1 Removes trusted certificate 1 from the LDAP client. sslcfg -tc1 remove -t client
Note: The -t client option is optional. If it is not specified, the command defaults to the client target.
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  where x is the primary CMM bay number.
Remove trusted certificate 2 Removes trusted certificate 2 from the LDAP client. sslcfg -tc2 remove -t client
Note: The -t client option is optional. If it is not specified, the command defaults to the client target.
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  where x is the primary CMM bay number.
Remove trusted certificate 3 Removes trusted certificate 3 from the LDAP client. sslcfg -tc3 remove -t client
Note: The -t client option is optional. If it is not specified, the command defaults to the client target.
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  where x is the primary CMM bay number.
Import (upload) certificate Imports (uploads) a certificate for the CMM HTTPS server or LDAP client.

The upload location of the certificate file, including the IP address and the file name, must be set using the -u command option.

sslcfg -upld -u URL -t target
where:
  • URL is the fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located.
  • target is server or client.
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  where x is the primary CMM bay number.
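The following Python is added here as an example and is not part of the Lenovo CMM documentation or firmware: it builds the Generate CSR command line from the table above and checks the documented argument limits on the workstation before the command is sent to the CMM, so a rejected request is caught early. The keyword names used for the options (country, state, city, and so on) are the example's own.

```python
# Added example, not Lenovo CMM code: build an `sslcfg -gen csr` command line and
# enforce the argument limits documented for the Generate CSR row on the workstation.
# name -> (flag, required?, quote-delimited?, max length); limits from the table.
OPTIONS = {
    "country":      ("-c",    True,  False, 2),
    "state":        ("-sp",   True,  True,  60),
    "city":         ("-cl",   True,  True,  50),
    "org":          ("-on",   True,  True,  60),
    "hostname":     ("-hn",   True,  False, 60),
    "contact":      ("-cp",   False, True,  60),
    "email":        ("-ea",   False, False, 60),
    "org_unit":     ("-ou",   False, True,  60),
    "surname":      ("-s",    False, True,  60),
    "given_name":   ("-gn",   False, True,  60),
    "initial":      ("-in",   False, True,  20),
    "dn_qualifier": ("-dq",   False, True,  60),
    "password":     ("-cpwd", False, False, 30),
    "un_name":      ("-un",   False, True,  60),
}

def validate_csr_fields(target, fields):
    """Return every violation of the documented limits (empty list = acceptable)."""
    errors = []
    if target not in ("server", "client"):
        errors.append("target must be server or client")
    for name, (flag, required, _, _) in OPTIONS.items():
        if required and name not in fields:
            errors.append(f"missing required option {name} ({flag})")
    for name, value in fields.items():
        if name not in OPTIONS:
            errors.append(f"unknown option {name}")
            continue
        _, _, quoted, max_len = OPTIONS[name]
        value = str(value)
        if name == "country" and not (len(value) == 2 and value.isalpha()):
            errors.append("country must be a two-character alphabetic code")
        elif name == "password" and not 6 <= len(value) <= 30:
            errors.append("password must be between 6 and 30 characters")
        elif len(value) > max_len:
            errors.append(f"{name} exceeds {max_len} characters")
        if quoted and '"' in value:  # the CMM CLI delimits these with double quotes
            errors.append(f"{name} may not contain a double quote")
    return errors

def build_gen_csr(target, **fields):
    """Return the CMM command line, or raise ValueError listing every violation."""
    errors = validate_csr_fields(target, fields)
    if errors:
        raise ValueError("; ".join(errors))
    parts = ["sslcfg", "-gen", "csr"]
    for name, (flag, _, quoted, _) in OPTIONS.items():  # documented option order
        if name in fields:
            parts += [flag, f'"{fields[name]}"' if quoted else str(fields[name])]
    return " ".join(parts + ["-t", target])
```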
Example: To view SSL information for the primary CMM in bay 1, while this CMM is set as the persistent command environment, at the system:mm[1]> prompt, type
sslcfg
To generate a new key and CSR for the server in the primary CMM in bay 1, with a country of US, a state of NC, a city of Cary, an organization of Lenovo, and a host name of hostname, while this CMM is set as the persistent command environment, at the system:mm[1]> prompt, type
sslcfg -gen csr -c us -sp "nc"  -cl "cary"  -on "lenovo" -hn hostname -t server

The following example shows the information that is returned from these commands:

system:mm[1]> sslcfg
-server enabled
-client enabled
Certificate Authority certificate status:
 A Root certificate is installed (rsa2048sha1)
SSL Server Certificate status:
 A self-signed certificate is installed
SSL Client Certificate status:
 No certificate has been generated
SSL Client Trusted Certificate status:
 Trusted Certificate 1: Available
 Trusted Certificate 2: Not available
 Trusted Certificate 3: Not available
system:mm[1]>
system:mm[1]> sslcfg -gen csr -c us -sp "nc"  -cl "cary"  -on "lenovo" -hn hostname -t server
Certificate Signing Request (CSR) is ready for downloading.
To get the CSR, use the download CSR command. You can then send
it to a CA for signing.
OK
system:mm[1]>
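Added example, not from the Lenovo documentation: a parser for the status block that sslcfg prints, as shown above, with an audit function that flags a root certificate type other than rsa2048sha256, a self-signed HTTPS server certificate, and a secure LDAP client that has no certificate or no trusted certificate. The sample status text is the page's own output, embedded as constructed input; the finding wording is the example's own.

```python
# Added example, not Lenovo CMM code: parse the status block that `sslcfg` prints
# (as captured above) and flag the settings a security reviewer would want changed.
import re

# Constructed sample: the status lines shown in the page's own sslcfg output.
SAMPLE_STATUS = """-server enabled
-client enabled
Certificate Authority certificate status:
 A Root certificate is installed (rsa2048sha1)
SSL Server Certificate status:
 A self-signed certificate is installed
SSL Client Certificate status:
 No certificate has been generated
SSL Client Trusted Certificate status:
 Trusted Certificate 1: Available
 Trusted Certificate 2: Not available
 Trusted Certificate 3: Not available
"""

def parse_sslcfg_status(text):
    """Map '-server'/'-client' to their state and each 'status:' header to its lines."""
    status, section = {}, None
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        m = re.match(r"^-(server|client)\s+(enabled|disabled)$", line)
        if m:
            status[m.group(1)] = m.group(2)
        elif line.endswith(":"):
            section = line[:-1]
            status.setdefault(section, [])
        elif section:
            status[section].append(line)
    return status

def audit_sslcfg_status(text):
    """Return findings for one CMM; an empty list means nothing to flag."""
    s, findings = parse_sslcfg_status(text), []
    if s.get("server") != "enabled":
        findings.append("HTTPS server is not enabled")
    ca = " ".join(s.get("Certificate Authority certificate status", []))
    m = re.search(r"\((\w+)\)", ca)  # certificate type, e.g. (rsa2048sha1)
    if m and m.group(1) != "rsa2048sha256":  # SHA-1 root; nist800-131a needs sha256
        findings.append(f"root certificate type {m.group(1)} is not rsa2048sha256")
    if "self-signed" in " ".join(s.get("SSL Server Certificate status", [])):
        findings.append("HTTPS server certificate is self-signed (not CA-signed)")
    if s.get("client") == "enabled":  # secure LDAP needs a cert and a trust anchor
        if "No certificate" in " ".join(s.get("SSL Client Certificate status", [])):
            findings.append("secure LDAP enabled but no client certificate generated")
        trusted = s.get("SSL Client Trusted Certificate status", [])
        if not any(t.endswith(": Available") for t in trusted):
            findings.append("secure LDAP enabled but no trusted certificate installed")
    return findings
```

Run the audit over the output of `sslcfg` collected from each CMM; the page's own sample yields three findings (SHA-1 root, self-signed server certificate, missing client certificate).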