Secure web management

Configuration summary

  1. Assign a login (operator) and enable (manager) password on the switch.

  2. Install a web certificate on the switch.

  3. Enable SSL on the switch.

Assigning a local login (operator) and enabling (manager) password

At a minimum, Hewlett Packard Enterprise recommends that you always assign at least a manager password to the switch. Otherwise, under some circumstances, anyone with Telnet, web, or serial port access could modify the switch’s configuration.

Using the WebAgent to configure local passwords

You can configure both the operator and manager password in the WebAgent.

Installing the switch's server web host certificate

You must install a server certificate on the switch before enabling web management over SSL/TLS. The switch uses this server certificate, along with a dynamically generated session key pair to negotiate an encryption method and session with a browser trying to connect via SSL to the switch. The session key pair is not visible on the switch, rather It is a temporary, internally generated pair used for a particular switch/client session and then discarded.

When you install a new certificate on the switch, the switch places the key and certificate in flash memory. The switch maintains the certificate across reboots and power cycles.

Removing the switch's web certificate renders the switch unable to engage in secure web operation and automatically disables web management over SSL on the switch.

There are two types of certificate that can be used for the switch’s host certificate:

  • Self-signed certificate

  • Authority-signed certificate

Self-signed certificate

Self-signed certificates are generated and digitally signed by the switch utilizing the same key used to create the certificate. Self-signed certificates are not signed by a certificate authority (CA) so they can not be tracked to a trusted root such as a Trust Anchor or CA. A self signed certificate allows the communication connection to be encrypted, not authenticated. There is no guarantee on the behavior of a browser when using a self-signed certificate, see the table below for examples of operating system and browser compatibility.


[NOTE: ]

NOTE: Our self-signed certificates are signed with sha256withRSAEncryption. Administrators do not have the choice between sha1withRSAEncryption and sha256withRSAEncryption for self-signed certificates. This can effect or limit your ability to upgrade to K.15.14 and above.


Self-signed certificate browser compatibility

Browsers Operating System
Google Chrome Windows 7+, Mac OS X 10.5+
Microsoft Internet Explorer Windows 7+
Mozilla Firefox 1.5  
Safari Mac OS X 10.5+

[NOTE: ]

NOTE: sha256withRSAEncryption is not compatible with certain operating system and browser combinations. It is supported in Google Chrome on operating systems Windows Vista and above only. Similarly, Internet Explorer 8 with Windows 2003 Server is not compatible with sha256withRSAEncryption. All other browsers certificate tested appear to work. For more details about Self-signed compatibility of browsers go to https://sha256.tbsinternet.com/limitations_certs_sha256.html.en.


Authority-signed certificate

Authority-signed certificate is digitally signed by a certificate authority, and has a chain of trust leading to the Trust Anchor or a root CA certificate.

Enabling SSL on the switch and anticipating SSL browser contact behavior

The web-management ssl command enables SSL on the switch and modifies parameters the switch uses for transactions with clients. After you enable SSL, the switch can authenticate itself to SSL enabled browsers. If you want to disable SSL on the switch, use the no web-management ssl command.


[NOTE: ]

NOTE: When using self-signed certificates with the switch, there is a possibility for a “man-in-the-middle” attack especially when connecting for the first time; that is, an unauthorized device could pose undetected as a switch, and learn the user names and passwords controlling access to the switch. Use caution when connecting to a switch using self-signed certificates. Before accepting the certificate, closely verify the contents of the certificate (see browser documentation for additional information on viewing contents of certificate.) The security concern described above does not exist when using CA-signed certificates that have been signed by certificate authorities that the web browser already trusts.


Using the CLI interface to enable web management over SSL/TLS

Syntax

[no]web-management ssl

Enables or disables SSL on the switch

[port <1-65535 | default:443>]

The TCP port number for SSL connections (default: 443).

show config

Shows status of the SSL server. When enabled, webmanagement ssl is present in the config list.

To enable SSL on the switch:

  1. Install a web certificate if you have not already done so.

  2. Execute the web-management ssl command.

To disable SSL on the switch, do either of the following:

  • Execute

    [no]web-management ssl

    .

  • Remove the switch's host certificate or certificate key.