Cisco Systems IPS 7.1 Home Security System User Manual


4-52
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 4 Setting Up the Sensor
Configuring TLS
Step 3 Enter yes to accept the fingerprint. The host is added to the TLS trusted host list. The Certificate ID stored for the requested certificate is displayed when the command is successful.
Certificate ID: 10.89.146.110 successfully added to the TLS trusted host table.
sensor(config)#
Step 4 Verify that the host was added.
sensor(config)# exit
sensor# show tls trusted-hosts
10.89.146.110
sensor#
Step 5 View the fingerprint for a specific host.
sensor# show tls trusted-hosts 10.89.146.110
MD5: 4F:BA:15:67:D3:E6:FB:51:8A:C4:57:93:4D:F2:83:FE
SHA1: B1:6F:F5:DA:F3:7A:FB:FB:93:E9:2D:39:B9:99:08:D4:47:02:F6:12
sensor#
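Before answering yes in Step 3, the fingerprint the sensor displays should be compared with one computed from a copy of the server certificate obtained out of band (for example, exported from the server's administrator). The following added example (not from the Cisco guide) computes MD5 and SHA1 fingerprints in the same colon-separated form as show tls trusted-hosts and compares them against pasted sensor output; the PEM block and sensor output below are constructed test data, not a real certificate.

```python
import base64
import hashlib
import re

# Constructed sample: a PEM-style wrapper around base64("abc"). It is NOT a real
# certificate; it is used only so the expected fingerprints are known test vectors.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

# Constructed sensor output in the format of 'show tls trusted-hosts <ip>' (lower-case
# SHA1 line on purpose, to show that comparison is case-insensitive).
SAMPLE_SENSOR_OUTPUT = """sensor# show tls trusted-hosts 10.89.146.110
MD5: 90:01:50:98:3C:D2:4F:B0:D6:96:3F:7D:28:E1:7F:72
SHA1: a9:99:3e:36:47:06:81:6a:ba:3e:25:71:78:50:c2:6c:9c:d0:d8:9d
sensor#
"""


def pem_to_der(pem: str) -> bytes:
    """Extract the base64 body between the BEGIN/END markers and decode it to DER bytes."""
    match = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def fingerprint(der: bytes, algorithm: str) -> str:
    """Hash the DER bytes and render the digest as upper-case, colon-separated byte pairs."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints(der: bytes) -> dict:
    return {"MD5": fingerprint(der, "md5"), "SHA1": fingerprint(der, "sha1")}


def parse_sensor_output(output: str) -> dict:
    """Pick the 'MD5: ...' and 'SHA1: ...' lines out of pasted sensor CLI output."""
    found = {}
    for line in output.splitlines():
        m = re.match(r"\s*(MD5|SHA1):\s*([0-9A-Fa-f:]+)\s*$", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def matches_sensor(pem: str, sensor_output: str) -> bool:
    """True only if the sensor shows at least one fingerprint and every one it shows
    equals the fingerprint computed locally from the out-of-band certificate."""
    shown = parse_sensor_output(sensor_output)
    if not shown:
        return False
    local = fingerprints(pem_to_der(pem))
    norm = lambda fp: re.sub(r"[^0-9A-F]", "", fp.upper())
    return all(norm(shown[alg]) == norm(local[alg]) for alg in shown)
```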
Step 6 Remove an entry from the trusted hosts list.
sensor# configure terminal
sensor(config)# no tls trusted-host 10.89.146.110
Step 7 Verify the entry was removed from the trusted host list. The IP address no longer appears in the list.
sensor(config)# exit
sensor# show tls trusted-hosts
No entries
Enabling Strict TLS Certificate Checks
Use the strict-tls-server-validation {enable | disable} command in service web server submode to enable the sensor to use strict TLS certificate validation for global correlation updates and automatic signature updates. The default is disabled. If the root CA validation fails, the TLS connection is not established to download the signature updates from the Cisco server or the global correlation updates from the update server.
To enable strict TLS server validation, follow these steps:
Step 1 Log in to the sensor using an account with administrator privileges.
Step 2 Enter web server submode.
sensor# configure terminal
sensor(config)# service web-server
Step 3 Make sure TLS is enabled.
sensor(config-web)# enable-tls true
If you disable TLS, you receive this message:
Warning: TLS protocol support has been disabled. This change will not take effect until the web server is re-started.
Step 4 Enable strict TLS server validation.
sensor(config-web)# strict-tls-server-validation enable