Cisco 4215 - Intrusion Detection Sys Sensor Configuration Manual page 82


Configuring TLS
Use the tls trusted-host ip-address ip-address [port port] command to add a trusted host to the trusted
hosts list. This command retrieves the TLS certificate from the specified host and port and displays its
fingerprint. You can accept or reject the fingerprint based on information retrieved directly from the host
you are requesting to add. The default port is 443.
Each certificate is stored with an identifier field (id). For the IP address and default port, the identifier
field is ipaddress. For the IP address and specified port, the identifier field is ipaddress:port.
Caution: The sensor contacts the TLS service at the specified IP address over the network to obtain the fingerprint, so the host must be reachable at the moment the command is issued. The fingerprint displayed is that of whatever certificate answered on that socket. Confirm it through an independent channel (for example, a fingerprint read on the host's own console or supplied by its administrator) before accepting it; otherwise you risk adding an attacker's certificate to the trusted hosts list.
To add a trusted host to the trusted hosts list, follow these steps:
Step 1 Log in to the CLI using an account with administrator or operator privileges.
Step 2 Add the trusted host:
sensor# configure terminal
sensor(config)# tls trusted-host ip-address 10.89.146.110
Certificate MD5 fingerprint is 4F:BA:15:67:D3:E6:FB:51:8A:C4:57:93:4D:F2:83:FE
Certificate SHA1 fingerprint is B1:6F:F5:DA:F3:7A:FB:FB:93:E9:2D:39:B9:99:08:D4:47:02:F6:12
Would you like to add this to the trusted certificate table for this host?[yes]:
The MD5 and SHA1 fingerprints appear, and you are prompted to add the trusted host. The default answer is yes, so pressing Enter also accepts the certificate; compare the fingerprint against the value you obtained independently before answering.
If the connection cannot be established, the transaction fails:
sensor(config)# tls trusted-host ip-address 10.89.146.110 port 8000
Error: getHostCertificate : socket connect failed [4,111]
Step 3 Type yes to accept the fingerprint:
Certificate ID: 10.89.146.110 successfully added to the TLS trusted host table.
sensor(config)#
The host has been added to the TLS trusted host list. When the command succeeds, the Certificate ID stored for the requested certificate is displayed.
Step 4 Verify that the host was added:
sensor(config)# exit
sensor# show tls trusted-hosts
10.89.146.110
sensor#
Step 5
View the fingerprint for a specific host:
sensor# show tls trusted-hosts 10.89.146.110
MD5: 4F:BA:15:67:D3:E6:FB:51:8A:C4:57:93:4D:F2:83:FE
SHA1: B1:6F:F5:DA:F3:7A:FB:FB:93:E9:2D:39:B9:99:08:D4:47:02:F6:12
sensor#
Step 6 Remove an entry from the trusted hosts list:
sensor# configure terminal
sensor(config)# no tls trusted-host 10.89.146.110
The host is removed from the trusted hosts list.
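As an added example (not code from the Cisco guide or the sensor software), the following Python script performs the independent check the caution above asks for. It retrieves the certificate a host presents, prints its MD5 and SHA1 fingerprints in the same colon-separated notation the sensor prints (plus SHA-256, since MD5 is collision-prone), and compares a fingerprint against one obtained another way, tolerating the differences in colons, letter case and line wrapping between sources. It also derives the identifier the sensor stores (ipaddress, or ipaddress:port for a non-default port). Host names, ports and the command-line usage are assumptions for illustration. Because the script itself fetches the certificate over the network, treat its output as a second observation from a different vantage point; the authoritative value is the one read from the host itself.

```python
"""Independent check of the fingerprint shown by `tls trusted-host`.

Added example; not Cisco code. Fetches the leaf certificate a TLS host
presents (without chain validation: the goal is to identify the certificate,
not to trust it), prints fingerprints in the sensor's notation, and compares
them against a fingerprint obtained through another channel.
"""
import hashlib
import hmac
import re
import socket
import ssl
import sys

DEFAULT_PORT = 443  # default port of the tls trusted-host command


def trusted_host_id(ip_address: str, port: int = DEFAULT_PORT) -> str:
    """The id the sensor stores: ipaddress for the default port, ipaddress:port otherwise."""
    return ip_address if port == DEFAULT_PORT else f"{ip_address}:{port}"


def fingerprint(der_cert: bytes, algorithm: str) -> str:
    """Digest of the DER-encoded certificate as upper-case hex pairs joined by colons."""
    digest = hashlib.new(algorithm, der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints(der_cert: bytes) -> dict:
    """MD5 and SHA1 as the sensor prints them, plus SHA-256 (prefer the longer hashes)."""
    return {name: fingerprint(der_cert, name) for name in ("md5", "sha1", "sha256")}


def normalize(fp: str) -> str:
    """Keep only hex digits, lower-cased, so colons, spaces and line wrapping do not matter."""
    return re.sub(r"[^0-9a-fA-F]", "", fp).lower()


def fingerprints_match(observed: str, expected: str) -> bool:
    """Constant-time comparison of two fingerprints written in any common notation."""
    a, b = normalize(observed), normalize(expected)
    return bool(a) and hmac.compare_digest(a, b)


def fetch_cert_der(host: str, port: int = DEFAULT_PORT, timeout: float = 5.0) -> bytes:
    """Connect, complete the TLS handshake, and return the peer's leaf certificate in DER form."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # fingerprinting, not validating
    ctx.verify_mode = ssl.CERT_NONE
    # A refused port raises ConnectionRefusedError (errno 111 on Linux), which is
    # most likely the 111 in the sensor's "socket connect failed [4,111]" message.
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_host(host: str, port: int, expected_sha1: str) -> tuple:
    """Return (id, fingerprints, sha1_matches) for the certificate presented at host:port."""
    fps = fingerprints(fetch_cert_der(host, port))
    return trusted_host_id(host, port), fps, fingerprints_match(fps["sha1"], expected_sha1)


if __name__ == "__main__":
    # Assumed usage: python check_fp.py HOST PORT EXPECTED_SHA1
    host, port, expected = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    cert_id, fps, ok = check_host(host, port, expected)
    print(f"Certificate ID: {cert_id}")
    for name, value in fps.items():
        print(f"{name.upper()}: {value}")
    print("SHA1 matches the expected value" if ok else "SHA1 DOES NOT MATCH: do not answer yes on the sensor")
    sys.exit(0 if ok else 1)
```

The same observation can be taken with the OpenSSL tools on an admin workstation: `openssl s_client -connect HOST:PORT </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha1` prints the SHA1 fingerprint in the notation the sensor uses. Either way, the value to compare against should come from the host's owner or console rather than from another network fetch, since an attacker who can intercept the sensor's connection may be able to intercept yours too.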
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0, Chapter 4, Initial Configuration Tasks, page 4-36 (78-16527-01)
