sslcfg command

This command sets and displays the Secure Sockets Layer (SSL) status of the CMM.

Note

When the CMM is set to Secure security mode, only secure file transfer methods, such as HTTPS and SFTP, can be used for tasks involving file transfer when the CMM is acting as a server. Unsecure file transfer protocols, such as HTTP, FTP, and TFTP, are disabled when the CMM is acting as a server when the security mode is set to Secure. Unsecure file transfer protocols remain available for a CMM acting as a client for all commands when the security mode is set to Secure.
For information about how to specify a URL for file transfer, see Specifying a URL for file transfer.
SHA256 certificates are not supported for external LDAP servers.

If command syntax is not correctly entered, or if a command fails to run, an error message is returned. See Common errors for a list of error messages that apply to all commands or sslcfg command errors for a list of error messages that are specific to the sslcfg command.

Table 1. sslcfg command. The command table is a multi-row, four-column table where each row describes a CMM CLI command option: column one lists command function, column two provides a detailed command description, column three shows command-option syntax, and column four lists valid command targets.
Function	What it does	Command	Target (see paths in Command targets)
Display CMM SSL status	Displays the SSL status of the specified CMM. This status includes information about SSL certificates.	`sslcfg`	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
Set SSL (secure LDAP) state for LDAP client	Enables or disables SSL (secure LDAP) for the LDAP client. Note By default, the LDAP client uses the same SSL certificate as the LDAP server. The LDAP client can be enabled if a certificate is in place.	`sslcfg -client` state where state is `enabled` or `disabled` . This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
Set SSL state for HTTPS server	Enables or disables the HTTPS server. Note The HTTPS server can be enabled if a certificate is in place.	`sslcfg -server` state where state is `enabled` or `disabled` . This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
View self-signed certificate	Views a certificate authority self-signed root certificate for the CMM.	`sslcfg -view ca`	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
Generate self-signed certificate	Generates a self-signed certificate for the chassis certificate authority. Note If a user executes this command, it will cause all certificates in the chassis to be re-signed. This means that any applications configured to trust certificates in the chassis will no longer trust those certificates. The user should export the new CA certificate and import it into the companion applications so that these applications can continue to manage the chassis. If users had imported the previous CA certificate into a web browser or any other application, they would want to replace it with the new certificate. Additionally, some security configuration artifacts that are signed by the CA certificate might be reprovisioned to the compute nodes. If the crypto -m option is set to comp, for compatibility with all NIST cipher suites (see the crypto command for more information), the sslcfg -gen ca -csa certificate type option must be specified when generating a CA certificate. If the crypto -m option is set to nist800-131a (see the crypto command for more information), the sslcfg -gen ca -csa option is optional; if it is specified, the certificate type must be set to rsa2048sha256.	`sslcfg -gen ca` `-csa` type where the optional certificate type is: rsa2048sha1 rsa2048sha256 This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
Generate CSR	Generates a certificate signing request (CSR) for the CMM HTTPS server or LDAP client. The following values must be set when generating a CSR: Country using the `-c` command option. State or province using the `-sp` command option. City or locality using the `-cl` command option. Organization name using the `-on` command option. CMM host name using the `-hn` command option. Note This host name must match the host name that is used by a web browser to connect to the CMM. The following optional values can be set when generating a CSR: Contact person using the `-cp` command option. Email address of the contact person using the `-ea` command option. Unit within a company or organization using the `-ou` command option. Additional information such as a surname using the `-s` command option. Additional information such as a given name using the `-gn` command option. Additional information such as a initials using the `-in` command option. Additional information such as a distinguished name qualifier using the `-dq` command option. Additional information such as a CSR password using the `-cpwd` command option. Additional information such as an unstructured name qualifier using the `-un` command option.	`sslcfg -gen csr` `-c` country `-sp` "state"`-cl` "city"`-on` "org"`-hn` hostname `-cp` "name"`-ea` email`-ou` "org_unit"`-s` "surname" `-gn` "given_name"`-in` "initial"`-dq` "dn_qualifier"`-cpwd` password`-un` "un_name" `-t` target where the following required options are: country is two-character alphabetic code for the country. "state" is a state or province name of up to 60 characters in length. "city" is a city or locality name of up to 50 characters in length. "org" is an organization name of up to 60 characters in length. hostname is a valid host name of up to 60 characters in length. target is server or client where the following optional options are: "name" is up to 60 characters in length. email is a valid email address of up to 60 characters. "org_unit" is up to 60 characters. "surname" is up to 60 characters. (continued on next page)	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
Generate CSR (continued)		"given_name" is up to 60 characters. "initial" is up to 20 characters. "dn_qualifier" is up to 60 characters. password is between 6 and 30 characters. "un_name" is up to 60 characters. Note Arguments that must be quote-delimited are shown in quotation marks. This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.
Download CA self-signed root certificate file	Downloads the specified CA self-signed root certificate file. The location of the CA self-signed root certificate file, including IP address of the server for downloading and filename, and must be set using the `-u` command option. Note To successfully download and import a CA certificate into an external LDAP server trust store, make sure that secure LDAP is enabled using the `sslcfg -server enabled` or the `sslcfg -client enabled` command.	`sslcfg -dnld ca -u` URL where URL is fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located. This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
Download certificate or CSR file of specified format	Downloads the specified certificate file, specifying the certificate file format. The location of the certificate or CSR file, including IP address of the server for downloading and filename, and must be set using the `-u` command option. Note If the certificate or CSR file format is not specified using the `-f` command option, the format defaults to DER.	`sslcfg -dnld` cert_type`-f` format`-u` URL `-t` target where: cert_type is `cert` for a certificate `csr` for a CSR (for the CMM LDAP client certificate) format is `der` for binary DER encoded certificates `pem` for X.509v3 files that contain ASCII (Base64) armored data prefixed with a BEGIN line URL is fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located. target is server or client This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
Import (upload) trusted certificate 1	Import (upload) trusted certificate 1 for the LDAP client. The upload location of the trusted certificate file, including IP address of the server and filename, an must be set using the `-u` command option.	`sslcfg -tc1 import -u` URL `-t client` where URL is fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located. Note The -t client option is optional. If it is not specified, the command defaults to the client target. This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
Import (upload) trusted certificate 2	Import (upload) trusted certificate 2 for the LDAP client. The upload location of the trusted certificate file, including IP address of the server and filename, an must be set using the `-u` command option.	`sslcfg -tc2 import -u` URL `-t client` where URL is fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located. Note The -t client option is optional. If it is not specified, the command defaults to the client target. This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
Import (upload) trusted certificate 3	Import (upload) trusted certificate 3 for the LDAP client. The upload location of the trusted certificate file, including IP address of the server and filename, an must be set using the `-u` command option.	`sslcfg -tc3 import -u` URL `-t client` where URL is fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located. Note The -t client option is optional. If it is not specified, the command defaults to the client target. This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
Export (download) trusted certificate 1	Downloads (exports) trusted certificate 1 for the LDAP client. The location of the trusted certificate 1 file, including IP address of the server for downloading and filename, and must be set using the -u command option.	`sslcfg -tc1 download -u` URL `-t client` where URL is fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located. Note The -t client option is optional. If it is not specified, the command defaults to the client target. This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
Export (download) trusted certificate 2	Downloads (exports) trusted certificate 2 for the LDAP client. The location of the trusted certificate 2 file, including IP address of the server for downloading and filename, and must be set using the -u command option.	`sslcfg -tc2 download -u` URL `-t client` where URL is fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located. Note The -t client option is optional. If it is not specified, the command defaults to the client target. This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
Export (download) trusted certificate 3	Downloads (exports) trusted certificate 3 for the LDAP client. The location of the trusted certificate 3 file, including IP address of the server for downloading and filename, and must be set using the -u command option.	`sslcfg -tc3 download -u` URL `-t client` where URL is fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located. Note The -t client option is optional. If it is not specified, the command defaults to the client target. This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
Remove trusted certificate 1	Removes trusted certificate 1 from the LDAP client.	`sslcfg -tc1 remove -t client` Note The -t client option is optional. If it is not specified, the command defaults to the client target. This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
Remove trusted certificate 2	Removes trusted certificate 2 from the LDAP client.	`sslcfg -tc2 remove -t client` Note The -t client option is optional. If it is not specified, the command defaults to the client target. This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
Remove trusted certificate 3	Removes trusted certificate 3 from the LDAP client.	`sslcfg -tc3 remove -t client` Note The -t client option is optional. If it is not specified, the command defaults to the client target. This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
Import (upload) certificate	Import (upload) certificate for the CMM HTTPS server or LDAP client. The upload location of the certificate file, including IP address and filename, an must be set using the `-u` command option.	`sslcfg -upld -u` URL `-t` target where: URL is fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located. target is server or client This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.

Example: To view SSL information for the primary CMM in bay 1, while this CMM is set as the persistent command environment, at the system:mm[1]> prompt, type

sslcfg

To generate a new key and CSR for the server in the primary CMM in bay 1, with a country of US, a state of NC, a city of Cary, an organization of Lenovo, and a host name of hostname, while this CMM is set as the persistent command environment, at the system:mm[1]> prompt, type

sslcfg -gen csr -c us -sp "nc"  -cl "cary"  -on "lenovo" -hn hostname -t server

The following example shows the information that is returned from these commands:

system:mm[1]> sslcfg
-server enabled
-client enabled
Certificate Authority certificate status:
 A Root certificate is installed <span className="ph">(rsa2048sha1)</span>
SSL Server Certificate status:
 A self-signed certificate is installed
SSL Client Certificate status:
 No certificate has been generated
SSL Client Trusted Certificate status:
 Trusted Certificate 1: Available
 Trusted Certificate 2: Not available
 Trusted Certificate 3: Not available
system:mm[1]>
system:mm[1]> sslcfg -gen csr -c us -sp "nc"  -cl "cary"  -on "lenovo" -hn hostname -t server
Certificate Signing Request (CSR) is ready for downloading.
To get the CSR, use the download CSR command. You can then send
it to a CA for signing.
OK
system:mm[1]>

Give documentation feedback