sslcfg command

This command sets and displays the Secure Sockets Layer (SSL) status of the advanced management module.

Table 1. sslcfg command
Function	What it does	Command	Valid targets
Display management module SSL status	Displays the SSL status of the specified management module. This status includes information about SSL certificates.	`sslcfg`	`-T system:mm[x]` where x is the primary or standby management-module bay number.
Set SSL certificate handling for standby management module	Enables or disables use of an additional SSL certificate for the standby management module. If disabled, the standby management module uses the same SSL certificate as the primary management module. Note: An additional SSL certificate can only be configured when management module advanced failover is set to "swap" and the standby management module has a valid SSL certificate set up.	`sslcfg -ac` state where state is: `on` to use an additional certificate `off` to use the same certificate This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	`-T system:mm[x]` where x is the standby management-module bay number.
Set SSL state for management module web server	Enables or disables SSL for the management module web server. Note: The SSL for the management module web server can only be enabled if a valid SSL certificate is set up.	`sslcfg -server` state where state is `enabled` or `disabled`. This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	`-T system:mm[x]` where x is the primary or standby management-module bay number.
Set SSL state for LDAP client	Enables or disables SSL for the LDAP client. Note: The SSL for the LDAP client can only be enabled if a valid SSL certificate is set up.	`sslcfg -client` state where state is `enabled` or `disabled`. This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	`-T system:mm[x]` where x is the primary or standby management-module bay number.
Generate self-signed certificate	Generates a self-signed certificate for the management module web server or the LDAP client. The following values must be set when generating a self-signed certificate: Country using the `-c` command option. State or province using the `-sp` command option. City or locality using the `-cl` command option. Organization name using the `-on` command option. Management module host name using the `-hn` command option. Note: This host name must match the host name that is used by a web browser to connect to the management module. The following optional values can be set when generating a self-signed certificate: Contact person using the `-cp` command option. Email address of the contact person using the `-ea` command option. Unit within a company or organization using the `-ou` command option. Additional information such as a surname using the `-s` command option. Additional information such as a given name using the `-gn` command option. Additional information such as initials using the `-in` command option. Additional information such as a distinguished name qualifier using the `-dq` command option.	`sslcfg -cert` type `-c` country `-sp` "state" `-cl` "city" `-on` "org" `-hn` hostname `-cp` "name" `-ea` email `-ou` "org_unit" -s "surname" `-gn` "given_name" `-in` "initial" `-dq` "dn_qualifier" where the following required options are: type is: `server` for a management module web server certificate. `client` for an LDAP client certificate. country is two-character alphabetic code for the country. "state" is a state or province name of up to 60 characters in length. "city" is a city or locality name of up to 50 characters in length. "org" is an organization name of up to 60 characters in length. hostname is a valid host name of up to 60 characters in length. where the following optional options are: "name" is up to 60 characters in length. email is a valid email address of up to 60 characters. "org_unit" is up to 60 characters. "surname" is up to 60 characters. "given_name" is up to 60 characters. "initial" is up to 20 characters. "dn_qualifier" is up to 60 characters. (continued on next page)	`-T system:mm[x]` where x is the primary or standby management-module bay number.
Generate self-signed certificate (continued)		This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.
Generate CSR	Generates a certificate signing request (CSR) for the management module web server or the LDAP client. The following values must be set when generating a CSR: Country using the `-c` command option. State or province using the `-sp` command option. City or locality using the `-cl` command option. Organization name using the `-on` command option. Management module host name using the `-hn` command option. Note: This host name must match the host name that is used by a web browser to connect to the management module. The following optional values can be set when generating a CSR: Contact person using the `-cp` command option. Email address of the contact person using the `-ea` command option. Unit within a company or organization using the `-ou` command option. Additional information such as a surname using the `-s` command option. Additional information such as a given name using the `-gn` command option. Additional information such as a initials using the `-in` command option. Additional information such as a distinguished name qualifier using the `-dq` command option. Additional information such as a CSR password using the `-cpwd` command option. (continued on next page)	`sslcfg -csr` type `-c` country `-sp` "state" `-cl` "city" `-on` "org" `-hn` hostname `-cp` "name" `-ea` email `-ou` "org_unit" `-s` "surname" `-gn` "given_name" `-in` "initial" `-dq` "dn_qualifier" `-cpwd` password `-un` "un_name" where the following required options are: type is: `server` for a management module web server CSR. `client` for an LDAP client CSR. country is two-character alphabetic code for the country. "state" is a state or province name of up to 60 characters in length. "city" is a city or locality name of up to 50 characters in length. "org" is an organization name of up to 60 characters in length. hostname is a valid host name of up to 60 characters in length. where the following optional options are: "name" is up to 60 characters in length. email is a valid email address of up to 60 characters. "org_unit" is up to 60 characters. "surname" is up to 60 characters. "given_name" is up to 60 characters. (continued on next page)	`-T system:mm[x]` where x is the primary or standby management-module bay number.
Generate CSR (continued)	Additional information such as an unstructured name qualifier using the `-un` command option.	"initial" is up to 20 characters. "dn_qualifier" is up to 60 characters. password is between 6 and 30 characters. "un_name" is up to 60 characters. Note: Arguments that must be quote-delimited are shown in quotation marks. This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.
Download certificate file	Downloads the specified certificate file. The IP address of the TFTP server for downloading an SSL self-signed certificate or CSR must be set using the `-i` command. The file name for downloading an SSL self-signed certificate or CSR can be set using the `-l` command. If no file name is specified, the default file name for the file will be used.	`sslcfg -dnld -cert\|-csr` type `-l` filename `-i` ipaddress where: type is `client` for an LDAP client `server` for a management module web server filename is a valid filename of up to 256 characters in length containing any character except the percent sign ( % ), forward-slash ( / ), or double-quote ( " ). ipaddress is the IPv4 or IPv6 IP address of the TFTP server. This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	`-T system:mm[x]` where x is the primary or standby management-module bay number.
Import certificate file	Import (upload) the specified certificate file. The IP address of the TFTP server for uploading an SSL self-signed certificate must be set using the `-i` command. The file name for uploading an SSL self-signed certificate can be set using the `-l` command.	`sslcfg -upld -cert` type `-i` ipaddress `-l` filename where: type is `client` for an LDAP client `server` for a management module web server ipaddress is the IPv4 or IPv6 IP address of the TFTP server. filename is a valid filename of up to 256 characters in length containing any character except the percent sign ( % ), forward-slash ( / ), or double-quote ( " ). This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	`-T system:mm[x]` where x is the primary or standby management-module bay number.
Import/download/remove trusted certificate 1	Perform the specified operation on trusted certificate 1 for the SSL client. Valid operations are: import (upload) download remove The IP address of the TFTP server for uploading or downloading a trusted certificate must be set using the `-i` command. The file name for uploading or downloading a trusted certificate can be set using the `-l` command.	`sslcfg -tc1` operation where operation is: `import` `download` `remove` Note: The `-tc1` option must be used with the following options: `-i` ipaddress `-l` filename where: ipaddress is the IPv4 or IPv6 IP address of the TFTP server. filename is a valid filename of up to 256 characters in length containing any character except the percent sign ( % ), forward-slash ( / ), or double-quote ( " ). This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	`-T system:mm[x]` where x is the primary or standby management-module bay number.
Import/download/remove trusted certificate 2	Perform the specified operation on trusted certificate 2 for the SSL client. Valid operations are: import (upload) download remove The IP address of the TFTP server for uploading or downloading a trusted certificate must be set using the `-i` command. The file name for uploading or downloading a trusted certificate can be set using the `-l` command.	`sslcfg -tc2` operation where operation is: `import` `download` `remove` Note: The `-tc2` option must be used with the following options: `-i` ipaddress `-l` filename where: ipaddress is the IPv4 or IPv6 IP address of the TFTP server. filename is a valid filename of up to 256 characters in length containing any character except the percent sign ( % ), forward-slash ( / ), or double-quote ( " ). This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	`-T system:mm[x]` where x is the primary or standby management-module bay number.
Import/download/remove trusted certificate 3	Perform the specified operation on trusted certificate 3 for the SSL client. Valid operations are: import (upload) download remove The IP address of the TFTP server for uploading or downloading a trusted certificate must be set using the `-i` command. The file name for uploading or downloading a trusted certificate can be set using the `-l` command. For importing a certificate "-l <filename>" is required.	`sslcfg -tc3` operation where operation is: `import` `download` `remove` Note: The `-tc3` option must be used with the following options: `-i` ipaddress `-l` filename where: ipaddress is the IPv4 or IPv6 IP address of the TFTP server. filename is a valid filename of up to 256 characters in length containing any character except the percent sign ( % ), forward-slash ( / ), or double-quote ( " ). This command can only be run by users who have one or more of the following command authorities: Supervisor Chassis configuration See Commands and user authority for additional information.	`-T system:mm[x]` where x is the primary or standby management-module bay number.

Example: To view SSL information for the management module in bay 1, while this management module is set as the persistent command environment, at the system:mm[1]> prompt, type

                  sslcfg

The following example shows the information that is returned from this command:

               system:mm[1]> sslcfg
-server disabled
-client disabled
SSL Server Certificate status:
 A CA-signed certificate is installed
SSL Client Certificate status:
 No certificate has been generated
SSL Client Trusted Certificate status:
 Trusted Certificate 1: Not available
 Trusted Certificate 2: Not available
 Trusted Certificate 3: Not available
system:mm[1]>