Secure web management
Configuration summary
1. Assign a login (operator) and enable (manager) password on the switch.
2. Install a web certificate on the switch.
3. Enable SSL on the switch.
Assigning a local login (operator) and enable (manager) password
At a minimum, Hewlett Packard Enterprise recommends that you always assign at least a manager password to the switch. Otherwise, under some circumstances, anyone with Telnet, web, or serial port access could modify the switch’s configuration.
Installing the switch's server web host certificate
You must install a server certificate on the switch before enabling web management over SSL/TLS. The switch uses this server certificate, along with a dynamically generated session key pair, to negotiate an encryption method and session with a browser attempting to connect to the switch via SSL. The session key pair is not visible on the switch; rather, it is a temporary, internally generated pair used for a particular switch/client session and then discarded.
When you install a new certificate on the switch, the switch places the key and certificate in flash memory. The switch maintains the certificate across reboots and power cycles.
Removing the switch's web certificate renders the switch unable to engage in secure web operation and automatically disables web management over SSL on the switch.
There are two types of certificate that can be used for the switch’s host certificate:
- Self-signed certificate
- Authority-signed certificate
Self-signed certificate
Self-signed certificates are generated and digitally signed by the switch using the same key that was used to create the certificate. Self-signed certificates are not signed by a certificate authority (CA), so they cannot be traced to a trusted root such as a trust anchor or CA. A self-signed certificate allows the connection to be encrypted, but not authenticated. There is no guarantee on the behavior of a browser when using a self-signed certificate; see the table below for examples of operating system and browser compatibility.
NOTE: Our self-signed certificates are signed with
Self-signed certificate browser compatibility

| Browser | Operating System |
|---|---|
| Google Chrome | Windows 7+, Mac OS X 10.5+ |
| Microsoft Internet Explorer | Windows 7+ |
| Mozilla Firefox 1.5 | |
| Safari | Mac OS X 10.5+ |
Enabling SSL on the switch and anticipating SSL browser contact behavior
The web-management ssl command enables SSL on the switch and modifies the parameters the switch uses for transactions with clients. After you enable SSL, the switch can authenticate itself to SSL-enabled browsers. If you want to disable SSL on the switch, use the no web-management ssl command.
NOTE: When using self-signed certificates with the switch, there is a possibility of a “man-in-the-middle” attack, especially when connecting for the first time; that is, an unauthorized device could pose undetected as the switch and learn the user names and passwords controlling access to the switch. Use caution when connecting to a switch using self-signed certificates. Before accepting the certificate, closely verify the contents of the certificate (see your browser documentation for additional information on viewing the contents of a certificate). The security concern described above does not exist when using CA-signed certificates that have been signed by certificate authorities the web browser already trusts.
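The verification the note asks for can be automated on the client side. The following Python script is an added example, not part of the HPE documentation: it fetches the certificate the switch presents on the web-management ssl port, accepts it if it chains to a CA the operating system already trusts, and otherwise accepts it only if its SHA-256 fingerprint matches a value recorded out-of-band (for example, from the switch console when the certificate was installed). The switch address and pinned fingerprint in the usage block are placeholders.

```python
import hashlib
import hmac
import socket
import ssl


def normalize_fingerprint(fp):
    """Accept 'AB:CD:...', 'ab cd ...' or bare hex as copied from a browser or console dialog."""
    return "".join(ch for ch in fp.lower() if ch in "0123456789abcdef")


def sha256_fingerprint(der_cert):
    """SHA-256 over the DER encoding, the value browsers display as the certificate fingerprint."""
    return hashlib.sha256(der_cert).hexdigest()


def fingerprint_matches(der_cert, expected):
    """Constant-time comparison of the presented certificate against the pinned fingerprint."""
    return hmac.compare_digest(sha256_fingerprint(der_cert), normalize_fingerprint(expected))


def fetch_switch_certificate(host, port=443, timeout=5.0):
    """Return (DER certificate, True) if the switch certificate chains to a CA in the OS trust
    store (the CA-signed case), else (DER certificate, False) retrieved without verification.
    The unverified handshake is used only to read the certificate; no request is sent over it."""
    strict = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with strict.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert(binary_form=True), True
    except ssl.SSLCertVerificationError:
        pass  # Not CA-trusted: typically a self-signed switch certificate.
    lax = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with lax.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), False


def switch_is_trusted(host, pinned_fingerprint, port=443):
    """True only when the certificate is CA-trusted or matches the fingerprint recorded out-of-band."""
    der, ca_trusted = fetch_switch_certificate(host, port)
    return ca_trusted or fingerprint_matches(der, pinned_fingerprint)


if __name__ == "__main__":
    # Placeholder address and pin (constructed); substitute your switch and its console-recorded fingerprint.
    print(switch_is_trusted("192.0.2.10", "AB:CD:EF:..."))
```

A pin that does not match on a later connection means the switch certificate was replaced (a reinstall) or something else is answering on that port; either way, do not enter credentials until the fingerprint has been re-confirmed through the console.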
Using the CLI interface to enable web management over SSL/TLS
Syntax:
[no] web-management ssl
  Enables or disables SSL on the switch.
[port <1-65535 | default:443>]
  The TCP port number for SSL connections (default: 443).
show config
  Shows the status of the SSL server. When enabled, web-management ssl is present in the config list.
To enable SSL on the switch:
1. Install a web certificate if you have not already done so.
2. Execute the web-management ssl command.
To disable SSL on the switch, do either of the following:
- Execute no web-management ssl.
- Remove the switch's host certificate or certificate key.