sslcfg command

This command sets and displays the Secure Sockets Layer (SSL) status of the CMM.

Note

When the CMM is set to Secure security mode, only secure file transfer methods, such as HTTPS and SFTP, can be used for tasks involving file transfer when the CMM is acting as a server. Unsecure file transfer protocols, such as HTTP, FTP, and TFTP, are disabled when the CMM is acting as a server when the security mode is set to Secure. Unsecure file transfer protocols remain available for a CMM acting as a client for all commands when the security mode is set to Secure.
For information about how to specify a URL for file transfer, see Specifying a URL for file transfer in the Lenovo Chassis Management Module 2 Command-Line Interface Reference Guide.

If command syntax is not correctly entered, or if a command fails to run, an error message is returned. See Common errors for a list of error messages that apply to all commands or sslcfg command errors for a list of error messages that are specific to the sslcfg command.

Table 1. sslcfg command.
The command table is a multi-row, four-column table where each row describes a CMM CLI command option: column one lists command function, column two provides a detailed command description, column three shows command-option syntax, and column four lists valid command targets.
Function	What it does	Command	Target (see paths in Command targets)
Display CMM SSL status	Displays the SSL status of the specified CMM. This status includes information about SSL certificates.	`sslcfg`	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
Set SSL (secure LDAP) state for LDAP client	Enables or disables SSL (secure LDAP) or starts transport layer security for the LDAP client. Note By default, the LDAP client uses the same SSL certificate as the LDAP server. The LDAP client can be enabled if a certificate is in place.	`sslcfg -client` state where state is `enabled` , `disabled` , or `starttls` . This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
Set SSL state for HTTPS server	Enables or disables the HTTPS server. Note The HTTPS server can be enabled if a certificate is in place.	`sslcfg -server` state where state is `enabled` or `disabled` . This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
View internally signed certificate	Displays internally signed server certificate.	`sslcfg -view intsrv`	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
View self-signed certificate	Displays a certificate authority self-signed root certificate for the CMM.	`sslcfg -view ca`	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
Generate self-signed certificate	Generates a self-signed certificate for the chassis certificate authority. Note If a user executes this command, it will cause all certificates in the chassis to be re-signed. This means that any applications configured to trust certificates in the chassis will no longer trust those certificates. The user should export the new CA certificate and import it into the companion applications so that these applications can continue to manage the chassis. If users had imported the previous CA certificate into a web browser or any other application, they would want to replace it with the new certificate. Additionally, some security configuration artifacts that are signed by the CA certificate might be reprovisioned to the compute nodes. If the crypto -m option is set to comp, for compatibility with all NIST cipher suites (see the crypto command for more information), the sslcfg -gen ca -csa certificate type option must be specified when generating a CA certificate. If the crypto -m option is set to nist800-131a (see the crypto command for more information), the sslcfg -gen ca -csa option is optional; if it is specified, the certificate type must be set to rsa2048sha256.	`sslcfg -gen ca` `-csa` type where the optional certificate type is: rsa2048sha1 rsa2048sha256 This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
View externally signed server certificate	Displays externally signed certificate information for the server.	`sslcfg -view extsrv`	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
Import (upload) externally signed LDAP client certificate and CA bundle	Import (upload) externally signed LDAP certificate and CA bundle for the LDAP client. The upload locations of the externally signed certificate file and CA bundle are set separately using the `-u` and `-cabu` command options.	`sslcfg -upld -t client -u` URL `-cabu` CA_URL where: URL is fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located. CA_URL is fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate bundle is located. Note The -t client option is optional. If it is not specified, the command defaults to the client target. This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
Delete externally signed LDAP client certificate and CA bundle	Remove an externally signed LDAP certificate and CA bundle from the LDAP client.	`sslcfg -remove -t client` Note The -t client option is optional. If it is not specified, the command defaults to the client target. This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
View CA bundle for externally signed server certificate	Displays certificate authority bundle information for the externally signed certificate of the server.	`sslcfg -view extcab`	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
Import (upload) externally signed server certificate and CA bundle	Import (upload) externally signed certificate and CA bundle for the server. The upload locations of the externally signed certificate file and CA bundle are set separately using the `-u` and `-cabu` command options.	`sslcfg -upld -t server -u` URL `-cabu` CA_URL where: URL is fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located. CA_URL is fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate bundle is located. This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
Reapply externally signed server certificate	Reapply an externally signed server certificate to the LDAP server. Unsuccessful certificate application lists any compute nodes that are unable to use externally signed certificates: the CMM uses a self-signed certificate for the LDAP server in this case.	`sslcfg -reapply` This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
Generate self-signed certificate (for failed externally signed server certificate)	Generates a self-signed certificate for use with an LDAP server that does not support externally signed server certificates. The CMM LDAP server receives an SSL certificate internally signed by the CMM root certificate authority (CA) certificate. The IMM in each compute node then uses the root certificate in the LDAP client to trust the CMM LDAP server. Note If a user executes this command, it will cause all certificates in the chassis to be re-signed. This means that any applications configured to trust certificates in the chassis will no longer trust those certificates. The user should export the new CA certificate and import it into the companion applications so that these applications can continue to manage the chassis. If users had imported the previous CA certificate into a web browser or any other application, they would want to replace it with the new certificate. Additionally, some security configuration artifacts that are signed by the CA certificate might be reprovisioned to the compute nodes. If the crypto -m option is set to comp, for compatibility with all NIST cipher suites (see the crypto command for more information), the sslcfg -gen ca -csa certificate type option must be specified when generating a CA certificate. If the crypto -m option is set to nist800-131a (see the crypto command for more information), the sslcfg -gen ca -csa option is optional; if it is specified, the certificate type must be set to rsa2048sha256.	`sslcfg -gen ldapsrv` `-csa` type where the optional certificate type is: rsa2048sha1 rsa2048sha256 This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
View externally signed LDAP client certificate	Displays externally signed LDAP client certificate information.	`sslcfg -view extclnt`
Generate CSR	Generates a certificate signing request (CSR) for the CMM HTTPS server or LDAP client. The following values must be set when generating a CSR: Country using the `-c` command option. State or province using the `-sp` command option. City or locality using the `-cl` command option. Organization name using the `-on` command option. CMM host name using the `-hn` command option. Note This host name must match the host name that is used by a web browser to connect to the CMM. The following optional values can be set when generating a CSR: Contact person using the `-cp` command option. Email address of the contact person using the `-ea` command option. Unit within a company or organization using the `-ou` command option. Additional information such as a surname using the `-s` command option. Additional information such as a given name using the `-gn` command option. Additional information such as a initials using the `-in` command option. Additional information such as a distinguished name qualifier using the `-dq` command option. Additional information such as a CSR password using the `-cpwd` command option. Additional information such as an unstructured name qualifier using the `-un` command option.	`sslcfg -gen csr` `-c` country `-sp` "state"`-cl` "city"`-on` "org"`-hn` hostname `-cp` "name"`-ea` email`-ou` "org_unit"`-s` "surname" `-gn` "given_name"`-in` "initial"`-dq` "dn_qualifier"`-cpwd` password`-un` "un_name" `-t` target where the following required options are: country is two-character alphabetic code for the country. "state" is a state or province name of up to 60 characters in length. "city" is a city or locality name of up to 50 characters in length. "org" is an organization name of up to 60 characters in length. hostname is a valid host name of up to 60 characters in length. target is server or client where the following optional options are: "name" is up to 60 characters in length. email is a valid email address of up to 60 characters. "org_unit" is up to 60 characters. "surname" is up to 60 characters. (continued on next page)	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
Generate CSR (continued)		"given_name" is up to 60 characters. "initial" is up to 20 characters. "dn_qualifier" is up to 60 characters. password is between 6 and 30 characters. "un_name" is up to 60 characters. Note Arguments that must be quote-delimited are shown in quotation marks. This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.
Download CA self-signed root certificate file	Downloads the specified CA self-signed root certificate file. The location of the CA self-signed root certificate file, including IP address of the server for downloading and filename, and must be set using the `-u` command option. Note To successfully download and import a CA certificate into an external LDAP server trust store, make sure that secure LDAP is enabled using the `sslcfg -server enabled` or the `sslcfg -client enabled` command.	`sslcfg -dnld ca -u` URL where URL is fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located. This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
Download certificate or CSR file of specified format	Downloads the specified certificate file, specifying the certificate file format. The location of the certificate or CSR file, including IP address of the server for downloading and filename, and must be set using the `-u` command option. Note If the certificate or CSR file format is not specified using the `-f` command option, the format defaults to DER.	`sslcfg -dnld` cert_type`-f` format`-u` URL `-t` target where: cert_type is `cert` for a certificate `csr` for a CSR (for the CMM LDAP client certificate) format is `der` for binary DER encoded certificates `pem` for X.509v3 files that contain ASCII (Base64) armored data prefixed with a BEGIN line URL is fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located. target is server or client This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
View trusted certificate 1	Displays trusted certificate 1 information for the LDAP client.	`sslcfg -tc1 view`	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
View trusted certificate 2	Displays trusted certificate 2 information for the LDAP client.	`sslcfg -tc2 view`	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
View trusted certificate 3	Displays trusted certificate 3 information for the LDAP client.	`sslcfg -tc3 view`	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
Import (upload) trusted certificate 1	Import (upload) trusted certificate 1 for the LDAP client. The upload location of the trusted certificate file, including IP address of the server and filename, an must be set using the `-u` command option.	`sslcfg -tc1 import -u` URL `-t client` where URL is fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located. Note The -t client option is optional. If it is not specified, the command defaults to the client target. This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
Import (upload) trusted certificate 2	Import (upload) trusted certificate 2 for the LDAP client. The upload location of the trusted certificate file, including IP address of the server and filename, an must be set using the `-u` command option.	`sslcfg -tc2 import -u` URL `-t client` where URL is fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located. Note The -t client option is optional. If it is not specified, the command defaults to the client target. This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
Import (upload) trusted certificate 3	Import (upload) trusted certificate 3 for the LDAP client. The upload location of the trusted certificate file, including IP address of the server and filename, an must be set using the `-u` command option.	`sslcfg -tc3 import -u` URL `-t client` where URL is fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located. Note The -t client option is optional. If it is not specified, the command defaults to the client target. This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
Export (download) trusted certificate 1	Downloads (exports) trusted certificate 1 for the LDAP client. The location of the trusted certificate 1 file, including IP address of the server for downloading and filename, and must be set using the -u command option.	`sslcfg -tc1 download -u` URL `-t client` where URL is fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located. Note The -t client option is optional. If it is not specified, the command defaults to the client target. This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
Export (download) trusted certificate 2	Downloads (exports) trusted certificate 2 for the LDAP client. The location of the trusted certificate 2 file, including IP address of the server for downloading and filename, and must be set using the -u command option.	`sslcfg -tc2 download -u` URL `-t client` where URL is fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located. Note The -t client option is optional. If it is not specified, the command defaults to the client target. This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
Export (download) trusted certificate 3	Downloads (exports) trusted certificate 3 for the LDAP client. The location of the trusted certificate 3 file, including IP address of the server for downloading and filename, and must be set using the -u command option.	`sslcfg -tc3 download -u` URL `-t client` where URL is fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located. Note The -t client option is optional. If it is not specified, the command defaults to the client target. This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
Remove trusted certificate 1	Removes trusted certificate 1 from the LDAP client.	`sslcfg -tc1 remove -t client` Note The -t client option is optional. If it is not specified, the command defaults to the client target. This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
Remove trusted certificate 2	Removes trusted certificate 2 from the LDAP client.	`sslcfg -tc2 remove -t client` Note The -t client option is optional. If it is not specified, the command defaults to the client target. This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
Remove trusted certificate 3	Removes trusted certificate 3 from the LDAP client.	`sslcfg -tc3 remove -t client` Note The -t client option is optional. If it is not specified, the command defaults to the client target. This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
Import (upload) certificate	Import (upload) certificate for the CMM HTTPS server or LDAP client. The upload location of the certificate file, including IP address and filename, an must be set using the `-u` command option.	`sslcfg -upld -u` URL `-t` target where: URL is fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located. target is server or client This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
View CRL 1	Displays certificate revocation list 1 for the LDAP client.	`sslcfg -crl1 view`	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
View CRL 2	Displays certificate revocation list 2 for the LDAP client.	`sslcfg -crl2 view`	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
View CRL 3	Displays certificate revocation list 3 for the LDAP client.	`sslcfg -crl3 view`	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
Set CRL checking state for LDAP client	Enables or disables certificate revocation list checking for the LDAP client.	`sslcfg -crl` state where state is `enabled` or `disabled` . This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
Import (upload) CRL 1	Import (upload) certificate revocation list 1 for the LDAP client. The upload location of the CRL, including IP address of the server and filename, an must be set using the `-u` command option.	`sslcfg -crl1 import -u` URL `-t client` where URL is fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the CRL is located. Note The -t client option is optional. If it is not specified, the command defaults to the client target. This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
Import (upload) CRL 2	Import (upload) certificate revocation list 2 for the LDAP client. The upload location of the CRL, including IP address of the server and filename, an must be set using the `-u` command option.	`sslcfg -crl2 import -u` URL `-t client` where URL is fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the CRL is located. Note The -t client option is optional. If it is not specified, the command defaults to the client target. This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
Import (upload) CRL 3	Import (upload) certificate revocation list 3 for the LDAP client. The upload location of the CRL, including IP address of the server and filename, an must be set using the `-u` command option.	`sslcfg -crl3 import -u` URL `-t client` where URL is fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the CRL is located. Note The -t client option is optional. If it is not specified, the command defaults to the client target. This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
Remove CRL 1	Removes certificate revocation list 1 from the LDAP client.	`sslcfg -crl1 remove -t client` Note The -t client option is optional. If it is not specified, the command defaults to the client target. This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
Remove CRL 2	Removes certificate revocation list 2 from the LDAP client.	`sslcfg -crl2 remove -t client` Note The -t client option is optional. If it is not specified, the command defaults to the client target. This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.
Remove CRL 3	Removes certificate revocation list 3 from the LDAP client.	`sslcfg -crl3 remove -t client` Note The -t client option is optional. If it is not specified, the command defaults to the client target. This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	Primary CMM: mm[p] mm[P] mm[x] where x is the primary CMM bay number.

Example: To view SSL information for the primary CMM in bay 1, while this CMM is set as the persistent command environment, at the system:mm[1]> prompt, type

sslcfg

To generate a new key and CSR for the server in the primary CMM in bay 1, with a country of US, a state of NC, a city of Cary, an organization of Lenovo, and a host name of hostname, while this CMM is set as the persistent command environment, at the system:mm[1]> prompt, type

sslcfg -gen csr -c us -sp "nc"  -cl "cary"  -on "lenovo" -hn hostname -t server

The following example shows the information that is returned from these commands:

system:mm[1]> sslcfg
-server enabled
-client disabled
Certificate Authority certificate status:
A Root certificate is installed (rsa2048sha1)
SSL Server Certificate status:
A self-signed certificate is installed
SSL Client Certificate status:
No certificate has been generated
SSL Client Trusted Certificate status:
Trusted Certificate 1: Not available
Trusted Certificate 2: Not available
Trusted Certificate 3: Not available
SSL Client CRL status:
CRL 1: Not available
CRL 2: Not available
CRL 3: Not available
-crl disabled
system:mm[1]>
system:mm[1]> sslcfg -gen csr -c us -sp "nc"  -cl "cary"  -on "lenovo" -hn hostname -t server
Certificate Signing Request (CSR) is ready for downloading.
To get the CSR, use the download CSR command. You can then send
it to a CA for signing.
OK
system:mm[1]>

Give documentation feedback