
You can configure Infoblox DHCP servers to publish DHCP data to an IF-MAP server. The IF-MAP server takes real-time information from different sources and stores it in a shared database from which clients can retrieve information about network devices, their status and activities. For details about the IF-MAP protocol, refer to http://www.trustedcomputinggroup.org. For information about the Infoblox IF-MAP server, refer to the Infoblox Administrator Guide for Infoblox Orchestration Server.
Each Infoblox DHCP server in a Grid can function as an IF-MAP client, with the ability to publish lease information to an IF-MAP server. For information about how to configure an IF-MAP client, see Configuring Members as IF-MAP Clients. You can configure the client to publish ip-mac and ip-duid (for DHCPv6 leases) metadata at the Grid and member levels. You can also configure the client to publish metadata for specific leases by overriding the Grid or member publishing settings at the network (IPv4 and IPv6) or range (IPv4 only) level. The DHCP server sends updates to the IF-MAP server using the XML format and SOAP/HTTPS bindings specified in IF-MAP v1.1r5 and v2.0r26. The DHCP server supports the IF-MAP 2.0 protocol by default. You can also enable the support for IF-MAP 1.1, as described in Configuring a Grid to Support IF-MAP.
When the DHCP server grants an IPv4 lease and sends the DHCPACK packet to the DHCP client, it updates the link in the IF-MAP server between the leased IP address and the client MAC address with ip-mac metadata that carries the following attributes: start-time, end-time, and dhcp-server. The dhcp-server attribute contains the DHCP server hostname. The ip-mac metadata is attached to a link with:

  • An ip-address identifier with the type attribute set to IPv4, a value attribute that contains the leased IP address, and the administrative-domain attribute set to the network view to which the IP address belongs.
  • A mac-address identifier with a value attribute that contains the client MAC address. It does not have the administrative-domain attribute.

When the DHCP server grants an IPv6 lease and sends the Reply message to the DHCP client, it updates the link in the IF-MAP server between the leased IP address and client DHCP Unique Identifier (DUID) with ip-duid metadata that contains the following attributes: start-time, end-time, and dhcp-server. The dhcp-server attribute contains the DHCP server hostname. The ip-duid metadata is attached to a link with:

  • An ip-address identifier with the type attribute set to IPv6, a value attribute that contains the leased IP address, and the administrative-domain attribute set to the network view to which the IP address belongs.
  • A duid identifier with a value attribute that contains the client DUID. It does not have the administrative-domain attribute.

The Infoblox DHCP server also publishes data when an IPv4 or IPv6 lease changes. When a lease is released or when an active lease expires, the DHCP server sends a "publish delete" request to the IF-MAP server.
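The two requests described above, as an added example in Python (not Infoblox code and not captured from an appliance): it builds the IF-MAP 2.0 publish update that follows a DHCPACK or Reply and the publish delete that follows a release or expiry, then decodes them the way a MAP server would index them. The SOAP and IF-MAP namespace URIs are those defined by the IF-MAP 2.0 SOAP binding; the exact element layout, the session-id value, the duid identifier (which is not one of the standard IF-MAP 2.0 identifiers), the xmlns:meta scoping on the delete filter and the sample leases are assumptions or constructed data.

```python
"""Build and decode the IF-MAP publish requests a DHCP server sends for leases."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespace URIs from the TCG IF-MAP 2.0 SOAP binding.
SOAP_ENV = "http://www.w3.org/2003/05/soap-envelope"
IFMAP = "http://www.trustedcomputinggroup.org/2010/IFMAP/2"
META = "http://www.trustedcomputinggroup.org/2010/IFMAP-METADATA/2"
for prefix, uri in (("env", SOAP_ENV), ("ifmap", IFMAP), ("meta", META)):
    ET.register_namespace(prefix, uri)

# Constructed sample leases (not real data): a DHCPv4 lease is keyed by the
# client MAC, a DHCPv6 lease by the client DUID.
_START = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_V4_LEASE = {"type": "IPv4", "ip": "10.1.2.50", "mac": "00:50:56:ab:cd:ef",
                   "start": _START, "end": _START + timedelta(hours=8)}
SAMPLE_V6_LEASE = {"type": "IPv6", "ip": "2001:db8:1::50",
                   "duid": "00:01:00:01:2a:3b:4c:5d:00:50:56:ab:cd:ef",
                   "start": _START, "end": _START + timedelta(hours=8)}


def _link_identifiers(parent, lease, network_view):
    """Append the two identifiers that the ip-mac / ip-duid link joins."""
    ET.SubElement(parent, "ip-address", {
        "type": lease["type"],                  # IPv4 or IPv6
        "value": lease["ip"],
        "administrative-domain": network_view,  # the NIOS network view of the address
    })
    if lease["type"] == "IPv4":
        # mac-address carries no administrative-domain attribute
        ET.SubElement(parent, "mac-address", {"value": lease["mac"]})
    else:
        # "duid" is the identifier the page describes; it is not a standard
        # IF-MAP 2.0 identifier, so its form here is an assumption.
        ET.SubElement(parent, "duid", {"value": lease["duid"]})


def _envelope(session_id):
    """SOAP envelope with an empty ifmap:publish for the given session (assumed id)."""
    env = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_ENV}}}Body")
    pub = ET.SubElement(body, f"{{{IFMAP}}}publish", {"session-id": session_id})
    return env, pub


def build_publish_update(session_id, lease, network_view, dhcp_server):
    """Request sent after DHCPACK (v4) or Reply (v6): attach lease metadata to the link."""
    env, pub = _envelope(session_id)
    upd = ET.SubElement(pub, "update")
    _link_identifiers(upd, lease, network_view)
    md = ET.SubElement(upd, "metadata")
    kind = "ip-mac" if lease["type"] == "IPv4" else "ip-duid"
    link = ET.SubElement(md, f"{{{META}}}{kind}", {"ifmap-cardinality": "multiValue"})
    ET.SubElement(link, "start-time").text = lease["start"].isoformat()
    ET.SubElement(link, "end-time").text = lease["end"].isoformat()
    ET.SubElement(link, "dhcp-server").text = dhcp_server  # DHCP server hostname
    return ET.tostring(env, encoding="unicode")


def build_publish_delete(session_id, lease, network_view):
    """Request sent on lease release or expiry: remove the link's lease metadata."""
    env, pub = _envelope(session_id)
    kind = "ip-mac" if lease["type"] == "IPv4" else "ip-duid"
    # The filter names the metadata to remove; the prefix it uses must be in scope,
    # so the namespace is declared on the delete element itself.
    dele = ET.SubElement(pub, "delete", {"filter": f"meta:{kind}", "xmlns:meta": META})
    _link_identifiers(dele, lease, network_view)
    return ET.tostring(env, encoding="unicode")


def parse_publish(xml_text):
    """Decode a publish request into the operation, identifiers and metadata it carries."""
    root = ET.fromstring(xml_text)
    pub = root.find(f".//{{{IFMAP}}}publish")
    op = pub[0]  # these requests carry exactly one update or delete
    out = {"op": op.tag, "session_id": pub.get("session-id"),
           "identifiers": [], "metadata": None, "filter": op.get("filter")}
    for child in op:
        if child.tag == "metadata":
            meta_el = child[0]
            out["metadata"] = {"type": meta_el.tag.rsplit("}", 1)[1]}
            out["metadata"].update({c.tag: c.text for c in meta_el})
        else:
            out["identifiers"].append({"tag": child.tag, **child.attrib})
    return out


if __name__ == "__main__":
    for lease in (SAMPLE_V4_LEASE, SAMPLE_V6_LEASE):
        print(build_publish_update("sess-1", lease, "default", "dhcp1.example.com"))
        print(build_publish_delete("sess-1", lease, "default"))
```

The delete request carries no metadata of its own: it names the link (the same two identifiers) and a filter for the metadata type, which is why a stale ip-mac entry can only be removed if the client still knows the address, the MAC or DUID and the network view it published under.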
You can define how the IF-MAP server handles the existing ip-mac and ip-duid information before the DHCP client sends the next update. For example, you can specify the IF-MAP server to always delete existing ip-mac and ip-duid information before the next update. For information, see Deleting Existing Data Before Publishing.
Following are the tasks to enable DHCP servers in a Grid to function as IF-MAP clients:

  1. Enable IF-MAP in the Grid and specify the URL and port of the IF-MAP server, as described in Configuring a Grid to Support IF-MAP.
  2. Optionally, enable the validation of the IF-MAP server certificate and import the CA certificate, as described in Validating the IF-MAP Server Certificate.
  3. Enable IF-MAP on each Grid member and specify an authentication method the member uses to connect to the IF-MAP server, as described in Configuring Members as IF-MAP Clients.
  4. Optionally, override publishing settings at the member, network, or range level, as described in Overriding IF-MAP Publishing Settings.

You can also delete DHCP data published by a specific member, or define how the IF-MAP server deletes existing DHCP data before a client publishes an update. For information, see Deleting Data from the IF-MAP Server.

Configuring a Grid to Support IF-MAP

  1. From the Data Management tab, select the DHCP tab, and then click Grid DHCP Properties from the Toolbar.
  2. In the Grid DHCP Properties editor, click Toggle Advanced Mode.
  3. Click the IF-MAP tab, and then complete the following:
    • Enable IF-MAP: Select this check box to enable the IF-MAP service for the Grid. Note that you must enable the IF-MAP service in order to enable or disable publishing at the Grid, member, network, or range level.
    • IF-MAP Server URL: Enter the URL of the IF-MAP server to which the Grid members publish DHCP data. The URL must begin with https://. For example, https://<server_ip_addr>/ifmap.
    • IF-MAP Server Port: The default HTTP port is 80 and the default HTTPS port is 443; because the server URL must begin with https://, the default that applies is 443. Optionally, specify a different port if the IF-MAP server listens elsewhere.
    • Enable IF-MAP publishing: Select this check box to enable IF-MAP publishing for the Grid. When you select this, IF-MAP publishing is enabled for all members, networks (IPv4 and IPv6), and DHCP ranges (IPv4 only). You can override the Grid property at a specific level to control the ip-mac and ip-duid metadata you want the client to publish for specific leases. For information, see Overriding IF-MAP Publishing Settings.
    • IF-MAP Protocol Version: Select the IF-MAP protocol version you want the IF-MAP client to use to connect to the IF-MAP server. The default is IF-MAP 2.0.
  4. Save the configuration and click Restart if it appears at the top of the screen.
  5. You can also configure how the IF-MAP server deletes existing metadata before the IF-MAP client publishes another update. For information, see Deleting Data from the IF-MAP Server.

Validating the IF-MAP Server Certificate

You can configure the IF-MAP client to validate the IF-MAP server certificate before the client establishes a connection or performs IF-MAP transactions. To validate an IF-MAP server certificate, you must first import the certificate of the CA that signs the IF-MAP server certificate.
To configure the IF-MAP client to validate the IF-MAP server certificate:

  1. From the Data Management tab, select the DHCP tab, and then click Grid DHCP Properties from the Toolbar.
  2. In the Grid DHCP Properties editor, click Toggle Advanced Mode.
  3. Click the IF-MAP tab and complete the following:
    • Enable IF-MAP: Select this check box to enable the IF-MAP service for the Grid.
    • Enable IF-MAP server certificate validation: Select this check box to enable the validation of the IF-MAP server certificate, and then click Import to import the CA certificate. In the Upload dialog box, click Select to navigate to the certificate, and then click Upload. You can also copy and paste the CA certificate here.
  4. Save the configuration and click Restart if it appears at the top of the screen.
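What enabling server certificate validation should mean on the client side, as an added example in Python (not Infoblox code; how the appliance implements the check internally is not documented on this page): the configured URL is accepted only with https://, the port defaults to 443, and the TLS context trusts only the imported CA, requires a server certificate and checks that its name matches the host in the URL. The function names, the URL and the probe helper are assumptions for illustration.

```python
"""Client-side TLS setup that matches 'validate the IF-MAP server certificate'."""
import socket
import ssl
from urllib.parse import urlparse


def parse_server_url(url, port=None):
    """Split the configured IF-MAP server URL; only https:// is accepted.
    An explicit port setting overrides the URL, which overrides the 443 default."""
    u = urlparse(url)
    if u.scheme != "https" or not u.hostname:
        raise ValueError("IF-MAP server URL must begin with https://")
    return u.hostname, port or u.port or 443, u.path or "/"


def make_verifying_context(ca_pem=None):
    """TLS context that trusts only the imported CA and requires a matching server name."""
    # PROTOCOL_TLS_CLIENT sets verify_mode=CERT_REQUIRED and check_hostname=True.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_pem is not None:
        # The CA that signed the IF-MAP server certificate; nothing else is trusted,
        # so a certificate from a public CA would be rejected here.
        ctx.load_verify_locations(cadata=ca_pem)
    return ctx


def validation_enforced(ctx):
    """Configuration check: does this context actually validate the server?"""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def probe_server(url, ca_pem, port=None):
    """Open a validated TLS connection and return the server certificate subject.
    Raises ssl.SSLCertVerificationError if the chain or hostname does not check out."""
    host, port, _ = parse_server_url(url, port)
    ctx = make_verifying_context(ca_pem)
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return dict(rdn[0] for rdn in tls.getpeercert()["subject"])


if __name__ == "__main__":
    # Assumed server name and CA file; replace with your own before running.
    with open("ifmap-ca.pem") as fh:
        print(probe_server("https://mapserver.example.com/ifmap", fh.read()))
```

Because the context is built without the system trust store, a server presenting a certificate from any CA other than the imported one fails the handshake, which is the behaviour a practitioner wants from this setting.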

Configuring Members as IF-MAP Clients

To configure a member to be an IF-MAP client, you must first enable IF-MAP on the member and then configure a client authentication method. The IF-MAP client can authenticate itself to the IF-MAP server with a username and password or with a client certificate. Note that each member must have unique credentials or certificates; you cannot use the same credentials or certificate on multiple members. The appliance supports only one CA-signed certificate on each member. If you want to roll over to a new certificate, you must replace the existing certificate and restart services on the member.
To enable an appliance to function as an IF-MAP client:

  1. From the Data Management tab, select the DHCP tab -> Members tab -> member check box, and then click the Edit icon.
  2. In the Member DHCP Properties dialog box, click Toggle Advanced Mode.
  3. Click the IF-MAP tab and complete the following:
    • Enable IF-MAP: Select this check box to enable the IF-MAP service on the member. Note that you must enable the IF-MAP service in order to enable or disable publishing at the network and range levels.
    • Authentication: Select one of the following authentication methods:
      • Certificate: Select this to use the IF-MAP client certificate for client authentication. You must already have a certificate configured for the member before you can select and save this configuration. For information about creating a client certificate, see Creating IF-MAP Client Certificates.
      • Basic: Select this to use username and password credentials for IF-MAP client authentication.
        Complete the following:
        • Username: Enter the username the member uses to connect to the IF-MAP server. This username must have been configured as a valid username on the IF-MAP server. Each member must have its own username.
        • Password: Enter the password the member uses to connect to the IF-MAP server.
        • Confirm Password: Enter the password again.

Note

When you upgrade to a new NIOS release, the basic authentication credentials are retained if IF-MAP was enabled and basic authentication was used before the upgrade.


    • Enable IF-MAP publishing: Click Override to override the Grid setting. Select this check box to enable IF-MAP publishing for all the networks that are served by this member. Ensure that IF-MAP publishing is enabled at either the Grid or the member level if you want the member to publish for all the networks it serves.
  4. Save the configuration and click Restart if it appears at the top of the screen.

Creating IF-MAP Client Certificates

Before you can select "Certificate" as the client authentication method, you must first create a certificate for the specified member.
You can do one of the following to generate an IF-MAP client certificate:

Generating Self-Signed Certificates

You can replace the default certificate with a self-signed certificate that you generate. When you generate a self-signed certificate, you can specify the correct hostname and change the public/private key size, enter valid dates and specify additional information specific to the member. If you have multiple members, you can generate a certificate for each appliance with the appropriate hostname.
To generate a self-signed certificate:

  1. From the Data Management tab, select the DHCP tab -> Members tab -> member check box, and then click IF-MAP Client Certificate -> Generate Self-signed Certificate from the Toolbar.
  2. In the Generate Self-Signed Certificate dialog box, complete the following:
    • Secure Hash Algorithm and Key Size: You can select SHA-1 with an RSA key size of 1024 or 2048. SHA-256 (SHA-2) can be selected together with an RSA key size of 2048 or 4096. The default value is SHA-256 2048. SHA-1 signatures and 1024-bit RSA keys are retained for compatibility only and are rejected by current TLS stacks; keep the SHA-256 default with a 2048-bit or larger key.
    • Days Valid: Specify the validity period of the certificate.
    • Common Name: Specify the domain name of the member. You can enter the FQDN (fully qualified domain name) of the appliance.
    • Organization: Enter the name of your company.
    • Organizational Unit: Enter the name of your department.
    • Locality: Enter a location, such as the city or town of your company.
    • State or Province: Enter the state or province.
    • Country Code: Enter the two-letter code that identifies the country, such as US.
    • Admin E-mail Address: Enter the email address of the appliance administrator.
    • Comment: Enter information about the certificate.

  3. Click OK.
  4. If the appliance already has an existing client certificate, the new certificate replaces the existing one. In the Replace IFMAP Certificate Confirmation dialog box, click Yes.

Generating Certificate Signing Requests

You can generate a CSR (certificate signing request) that you use to obtain a signed certificate from your own trusted CA. Once you receive the signed certificate, you can import it to the member, as described in Uploading Certificates.
To generate a CSR:

  1. From the Data Management tab, select the DHCP tab -> Members tab -> member check box, and then click IF-MAP Client Certificate -> Create Signing Request from the Toolbar.
  2. In the Create Certificate Signing Request dialog box, enter the following:
    • Secure Hash Algorithm and Key Size: You can select SHA-1 with an RSA key size of 1024 or 2048. SHA-256 (SHA-2) can be selected together with an RSA key size of 2048 or 4096. The default value is SHA-256 2048. Most CAs no longer sign SHA-1 requests or 1024-bit keys; keep the SHA-256 default with a 2048-bit or larger key.
    • Common Name: Specify the domain name of the member. You can enter the FQDN of the appliance.
    • Organization: Enter the name of your company.
    • Organizational Unit: Enter the name of your department.
    • Locality: Enter a location, such as the city or town of your company.
    • State or Province: Enter the state or province.
    • Country Code: Enter the two-letter code that identifies the country, such as US.
    • Admin E-mail Address: Enter the email address of the appliance administrator.
    • Comment: Enter information about the certificate.
  3. Click OK.

Uploading Certificates

When you receive the certificate from the CA, the appliance finds the matching CSR and takes the private key associated with the CSR and associates it with the newly imported certificate. The appliance then automatically deletes the CSR.
To import a certificate:

  1. From the Data Management tab, select the DHCP tab -> Members tab -> member check box, and then click IF-MAP Client Certificate -> Upload Certificate from the Toolbar.
  2. Navigate to where the certificate is located and click Open.
  3. If the appliance already has an existing IF-MAP client certificate, the new certificate replaces the existing one. In the Replace IF-MAP Certificate Confirmation dialog box, click Yes.

Downloading Certificates

You can download the current certificate or a self-signed certificate. To download a certificate:

  1. From the Data Management tab, select the DHCP tab -> Members tab -> member check box, and then click IF-MAP Client Certificate -> Download Certificate from the Toolbar.
  2. Navigate to where you want to save the certificate, enter the file name, and then click Save.

Overriding IF-MAP Publishing Settings

When you enable IF-MAP publishing at the Grid level, all members, networks (IPv4 and IPv6), and DHCP ranges (IPv4 only) in the Grid inherit the same setting. To control which ip-mac and ip-duid metadata is published for leases that belong to a specific network or address range, you can override the Grid setting at the member, network, or range level. Note that you must first enable the IF-MAP service at both the Grid and member levels in order to enable or disable IF-MAP publishing at other levels. For example, if you want the DHCP server to publish IF-MAP data only for leases in a specific network served by a specific member, you must first enable the IF-MAP service at the Grid level, as described in Configuring a Grid to Support IF-MAP, and at the member level, as described in Configuring Members as IF-MAP Clients. Then you can enable IF-MAP publishing at the network or range level, as described in this section.
Though you can configure and save IF-MAP publishing settings at any time at any level, publishing does not actually happen unless the IF-MAP service is enabled at the Grid level and on the member that serves the lease. If a network or DHCP range is served by a specific member and you want to enable IF-MAP publishing for that network or range, you must first enable the IF-MAP service for that member.
To override IF-MAP publishing settings:

  1. Member: From the Data Management tab, select the DHCP tab -> Members tab -> member check box, and then click the Edit icon.
    Network: From the Data Management tab, select the DHCP tab -> Networks tab -> network check box, and then click the Edit icon.
    DHCP Range: From the Data Management tab, select the DHCP tab -> Networks tab -> network -> addr_range check box, and then click the Edit icon.
  2. In the editor, click Toggle Advanced Mode, and then click the IF-MAP tab.
  3. Click Override and complete the following:
    • Enable IF-MAP Publishing: Select this check box to instruct the DHCP server to publish metadata to the IF-MAP server, provided that the IF-MAP service is enabled for the Grid and for the member that serves the network or range. Clear this check box so the DHCP server does not publish metadata for it.

Deleting Data from the IF-MAP Server

The appliance allows you to delete IF-MAP data from the IF-MAP server. You can delete all IF-MAP data published by a specific member. You can also define how the IF-MAP server handles the deletion of existing metadata before the IF-MAP client publishes another update.

Deleting All Data

You can delete all IF-MAP data published by a specified member. To delete data published by all members in a Grid, you must delete data for each member individually.
To delete IF-MAP data published by a member from the IF-MAP database:

  1. From the Data Management tab, select the DHCP tab -> Members tab, and then click Clear -> IF-MAP Data from the Toolbar.
  2. In the Purge IF-MAP Data dialog box, click Select Member to select a member. If there are multiple members, Grid Manager displays the Member Selector dialog box from which you can select one. Click the member name in the dialog box, and then click Purge to delete all the DHCP data published by the Grid member. You can also click Clear to clear the displayed member and select a new one.

Deleting Existing Data Before Publishing

You can define how the IF-MAP server deletes existing metadata before an IF-MAP client publishes new data. You can configure the IF-MAP client to instruct the server to always delete existing data, never delete it, or delete only data that was published earlier than a specified interval.
To define how the IF-MAP server deletes DHCP data before the next publish:

  1. From the Data Management tab, select the DHCP tab, and then click Grid DHCP Properties from the Toolbar.
  2. In the Grid DHCP Properties editor, click Toggle Advanced Mode.
  3. Click the IF-MAP tab and complete the following:
    • Enable IF-MAP: Select this check box to enable the IF-MAP service.
    • Delete existing metadata: You can define how the IF-MAP server deletes the existing metadata before the IF-MAP client publishes new data. Select one of the following:
      • Always delete: Select this to always delete existing metadata before the IF-MAP client publishes updates. This is the default.
      • Do not delete: Select this to never delete the existing metadata before the IF-MAP client publishes updates.
      • Earlier than: Select this to delete only metadata that was published earlier than the specified interval before the IF-MAP client publishes updates. When you select this option, enter a time value, and then select a time unit from the drop-down list.
  4. Save the configuration and click Restart if it appears at the top of the screen.
