12-16-2013 09:01 AM
A5120 https web interface access
We have seen the https configuration, involving a certificate request to a CA. Can https access to the A5120 Web interface be configured with a self-signed certificate, to avoid a long and complex configuration?
Can you write the minimum necessary commands so we can access the web interface safely over https?
We see this example configuration:
Very complex only to allow https access to web interface...
Thank you
- Tags:
- certificate
12-16-2013 11:47 AM - edited 12-16-2013 11:47 AM
Re: A5120 https web interface access
Hi,
Newer Comware releases have a simplified https configuration, which just requires enabling https (if no cert is available, it will use/generate a self-signed cert).
The original version was quite hard (IMO), it took me quite some time to just get a self-signed cert to work, but it worked in the end.
Attached the procedure I had saved at the time. Same text below:
****** Configuration steps to import an external certificate on Comware *****
Author Peter Debruyne (peter.debruyne@belpro.be)
Date 27/11/2011
Version 1.0
#### copy the exported CA Certificate file and the Personal Certificate file to flash
# user-view
tftp 82.1.1.3 get hpn_ca.cer
tftp 82.1.1.3 get hpn_local.pfx
#### set correct date and time on Comware, required for the certificate validation (date)
# user-view
clock datetime xxxx
#### Define PKI Domain configuration object.
# system-view
pki domain hpn
# Default CRL is enabled, so CA must be reachable when importing a Certificate.
# Since offline procedure is used, the CA is not reachable, so CRL check must be disabled.
crl check disable
# optional, otherwise fingerprint will be prompted during import
# This is the fingerprint from the current example CA Certificate, adjust this if
# you use your own CA certificate.
root-certificate fingerprint sha1 0ACB034B202A5C120C61CD8BC4568E41FC9FC78C
quit
#### Import the CA cert
# The device will look for pki-domain-name_ca.cer
# so the default filename (hpn_ca.cer) should work. At this stage, Comware also validates the
# certificate, so date time should be within the certificate valid dates.
# In case Certificate Revocation List (CRL) is still active, Comware will try to contact the CA.
# If there is any issue, the CA cert validation fails.
pki import-certificate ca domain hpn der
#### Import the Device cert
# the sample certificate sslvpn.hpnet.local has been exported from a Windows server, as a pfx file.
# It contains the Device certificate and the private key.
# the file is protected with password "password"
# Since a private key will be imported from the pfx file, the current
# local keys must be destroyed first (if they were created already), or import will fail:
public-key local destroy rsa
# Import the certificate
pki import-certificate local domain hpn p12 filename hpn_local.pfx
password
# At this point the certificate is available for use, so an SSL policy can be defined.
#### Define SSL-Server policy
ssl server-policy ssl
pki-domain hpn
#### Use the SSL-Server Policy
# SSL-Server policy can be referenced to by https server or by ssl-vpn
ip https ssl-server-policy ssl
ip https enable
Best regards, Peter.
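Computing the value for the "root-certificate fingerprint sha1" line of the procedure above on a management station, as an added example that is not part of the original post: it hashes the DER encoding of the CA certificate file and compares it with a fingerprint obtained out of band, going slightly beyond the post by also accepting a Base64 (PEM) export. The function names and the sample bytes are assumptions made for this illustration.

```python
import hashlib
import hmac
import ssl
import sys

PEM_HEADER = "-----BEGIN CERTIFICATE-----"

# Constructed placeholder bytes standing in for a DER file; NOT a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).encode("ascii")


def cert_to_der(data: bytes) -> bytes:
    """Return DER bytes from a .cer file that is either binary DER or Base64 PEM."""
    text = data.strip()
    if text.startswith(PEM_HEADER.encode("ascii")):
        return ssl.PEM_cert_to_DER_cert(text.decode("ascii"))
    return data  # binary DER: hash the file exactly as stored


def comware_fingerprint(data: bytes) -> str:
    """SHA-1 over the DER encoding as 40 upper-case hex digits, no separators."""
    return hashlib.sha1(cert_to_der(data)).hexdigest().upper()


def normalize(fingerprint: str) -> str:
    """Accept 'aa:bb:..', 'aa bb ..' or 'AABB..' as printed by different tools."""
    cleaned = "".join(c for c in fingerprint if c not in ": -\t").upper()
    if len(cleaned) != 40 or any(c not in "0123456789ABCDEF" for c in cleaned):
        raise ValueError("not a SHA-1 fingerprint: %r" % fingerprint)
    return cleaned


def matches(data: bytes, expected: str) -> bool:
    """Compare a file's fingerprint with one obtained out of band from the CA admin."""
    return hmac.compare_digest(comware_fingerprint(data), normalize(expected))


if __name__ == "__main__":
    # Usage (hypothetical script name): python ca_fp.py hpn_ca.cer [expected-fingerprint]
    with open(sys.argv[1], "rb") as handle:
        blob = handle.read()
    print("root-certificate fingerprint sha1", comware_fingerprint(blob))
    if len(sys.argv) > 2:
        print("matches expected:", matches(blob, sys.argv[2]))
```

Checking the file against a fingerprint received through a separate channel before pasting the value into the PKI domain is what makes the configured fingerprint meaningful; a value computed from the same file that was just copied over TFTP only confirms the file is the file.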
12-17-2013 01:08 AM
Re: A5120 https web interface access
Thank you very much. We have updated to new image, so this worked:
[hp5120] undo ip https enable
[hp5120] ip https enable
[hp5120] save
However, we still kept your solution for old firmware. Very useful!
As far as you know, can the Web Interface Login "Verify Code" be disabled? This is very boring...
10-13-2016 04:45 AM - edited 05-10-2021 02:25 AM
Re: A5120 https web interface access
But new firmware works only with its own certificate which just looks plain ugly!
And I so far could not find an easy way to import certificate (wildcard) or request certificate from AD CA
edit:
Wildcard cannot be imported, but request from local AD CA is quite easy:
http://hpnetworkers.blogspot.co.uk/2012/02/hp-series-h3c-comware-https-howto-with.html
To make sure that the certificate obtained from the SCEP server is good for SSL, one needs to temporarily configure the correct template in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\EncryptionTemplate & GeneralPurposeTemplate
Preferably one that has Server Authentication configured (webserver)
pki domain MyDomain
ca identifier ORG-EntCA
certificate request url http://sp-v-entca.mydomain.local/certsrv/mscep/mscep.dll
certificate request from ra
certificate request entity hpe5900-sr1
crl url http://sp-v-entca.mydomain.local/CertEnroll/SPGS-EntCA(3).crl
#
pki entity HPE5900-SR1
common-name HPE5900-SR1.mydomain.local
country GB
#
ssl server-policy mydomain-ssl
pki-domain mydomain
undo ip https enable
[HPE5900]public-key local create rsa name BG
pki retrieve-certificate domain mydomain ca
pki request-certificate domain mydomain password 30392FF84A6FBB80
( password as obtained from CA https://sp-v-entca.mydomain.local/certsrv/mscep_admin )
ip https ssl-server-policy mydomain-ssl
ip https enable