Cisco Systems IPS 7.1 Home Security System User Manual

4-51
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 4 Setting Up the Sensor
Configuring TLS
Add the issuer identified in the certificate to the list of trusted CAs of the web browser and trust the
certificate until it expires.
The most convenient option is to permanently trust the issuer. However, before you add the issuer, use
out-of-band methods to examine the fingerprint of the certificate. This prevents you from being
victimized by an attacker posing as a sensor. Confirm that the fingerprint of the certificate appearing in
your web browser is the same as the one on your sensor.
Caution: If you change the organization name or hostname of the sensor, a new certificate is generated the next
time the sensor is rebooted. The next time your web browser connects to the IDM, you will receive the
manual override dialog boxes. You must perform the certificate fingerprint validation again for Internet
Explorer and Firefox.
Adding TLS Trusted Hosts
In certain situations, the sensor uses TLS/SSL to protect a session it establishes with a remote web
server. For these sessions to be secure from man-in-the-middle attacks you must establish trust of the
TLS certificates of the remote web servers. A copy of the TLS certificate of each trusted remote host is
stored in the trusted hosts list.
Use the tls trusted-host ip-address ip-address [port port] command to add a trusted host to the trusted
hosts list. This command retrieves the TLS certificate from the specified host/port and displays its
fingerprint. You can accept or reject the fingerprint based on information retrieved directly from the host
you are requesting to add. The default port is 443.
Each certificate is stored with an identifier field (id). For the IP address and default port, the identifier
field is ipaddress. For the IP address and specified port, the identifier field is ipaddress:port.
Caution: TLS at the specified IP address is contacted to obtain the required fingerprint over the network. The
specified host must be accessible at the moment the command is issued. Use an alternate method to
confirm the fingerprint to protect yourself from accepting a certificate of an attacker.
To add a trusted host to the trusted hosts list, follow these steps:
Step 1 Log in to the CLI using an account with administrator or operator privileges.
Step 2 Add the trusted host.
sensor# configure terminal
sensor(config)# tls trusted-host ip-address 10.16.0.0
Certificate MD5 fingerprint is 4F:BA:15:67:D3:E6:FB:51:8A:C4:57:93:4D:F2:83:FE
Certificate SHA1 fingerprint is B1:6F:F5:DA:F3:7A:FB:FB:93:E9:2D:39:B9:99:08:D4:47:02:F6:12
Would you like to add this to the trusted certificate table for this host?[yes]:
The MD5 and SHA1 fingerprints appear. You are prompted to add the trusted host.
If the connection cannot be established, the transaction fails.
sensor(config)# tls trusted-host ip-address 10.89.146.110 port 8000
Error: getHostCertificate : socket connect failed [4,111]
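The following is an added Python model of what the tls trusted-host command does, not Cisco's own code: it retrieves the remote certificate, prints the MD5 and SHA1 fingerprints in the sensor's colon-separated form, refuses to store the entry unless the SHA1 fingerprint matches the value confirmed out of band, and keys the entry as ipaddress or ipaddress:port. The function names, the in-memory table and the b"abc" stand-in for a DER certificate are assumptions made for this example.

```python
import hashlib
import hmac
import socket
import ssl

DEFAULT_PORT = 443  # the command's default port


def fingerprint(cert_der: bytes, algo: str) -> str:
    """Colon-separated, upper-case digest of the DER certificate, as the sensor prints it."""
    hexdigest = hashlib.new(algo, cert_der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def host_id(ip: str, port: int = DEFAULT_PORT) -> str:
    """Identifier field: 'ipaddress' for the default port, otherwise 'ipaddress:port'."""
    return ip if port == DEFAULT_PORT else f"{ip}:{port}"


def fetch_certificate_der(ip: str, port: int = DEFAULT_PORT, timeout: float = 5.0) -> bytes:
    """Retrieve the peer certificate over the network (assumed helper).
    Chain verification is off because trust has not been established yet; the
    out-of-band fingerprint check in add_trusted_host is what stands in for it.
    A host that cannot be reached raises OSError, so the transaction fails."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock) as tls:
            return tls.getpeercert(binary_form=True)


def add_trusted_host(table: dict, ip: str, cert_der: bytes,
                     port: int = DEFAULT_PORT, expected_sha1: str = "") -> str:
    """Store the fingerprints under the host identifier, but only when the SHA1
    fingerprint equals the one confirmed out of band (any case or separator is
    accepted in expected_sha1). Returns the identifier used as the table key."""
    sha1 = fingerprint(cert_der, "sha1")
    if expected_sha1:
        got = sha1.replace(":", "")
        want = "".join(ch for ch in expected_sha1.upper() if ch in "0123456789ABCDEF")
        # constant-time comparison; a mismatch means we do not trust this host
        if not hmac.compare_digest(got, want):
            raise ValueError(f"SHA1 fingerprint mismatch for {host_id(ip, port)}: {sha1}")
    key = host_id(ip, port)
    table[key] = {"md5": fingerprint(cert_der, "md5"), "sha1": sha1}
    return key
```

For a live host, call fetch_certificate_der first and pass its result to add_trusted_host together with the fingerprint obtained through a channel other than this connection.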