Re: A5120 https web interface access

robyaps
Advisor

A5120 https web interface access

We have seen the https configuration, involving a certificate request to a CA. Can https access to the A5120 web interface be configured with a self-signed certificate, to avoid the long and complex configuration?

Can you write the minimum necessary commands so we can access the web interface safely over https?

We see this example configuration:

http://www.h3c.com/portal/Technical_Support___Documents/Technical_Documents/Switches/H3C_S5120_Series_Switches/Configuration/Operation_Manual/H3C_S5120-SI_CG-Release_1101-6W105/201108/723591_1285_0.htm

Very complex just to allow https access to the web interface...

Thank you

Peter_Debruyne
Honored Contributor

Re: A5120 https web interface access

Hi,

Newer Comware releases have a simplified https configuration, which just requires enabling https (if no cert is available, it will use/generate a self-signed cert).

The original version was quite hard (IMO); it took me quite some time just to get a self-signed cert to work, but it worked in the end.

Attached is the procedure I had saved at the time. Same text below:

****** Configuration steps to import an external certificate on Comware *****
Author     Peter Debruyne (peter.debruyne@belpro.be)
Date     27/11/2011
Version    1.0

#### copy the exported CA Certificate file and the Personal Certificate file to flash
# user-view
tftp 82.1.1.3 get hpn_ca.cer
tftp 82.1.1.3 get hpn_local.pfx

#### set correct date and time on Comware, required for the certificate validation (date)
# user-view
clock datetime xxxx

#### Define PKI Domain configuration object.
# system-view
pki domain hpn
 # Default CRL is enabled, so CA must be reachable when importing a Certificate.
 # Since offline procedure is used, the CA is not reachable, so CRL check must be disabled.
 crl check disable
 
 # optional, otherwise fingerprint will be prompted during import
 # This is the fingerprint from the current example CA Certificate, adjust this if
 # you use your own CA certificate.
 root-certificate fingerprint sha1 0ACB034B202A5C120C61CD8BC4568E41FC9FC78C
 quit

#### Import the CA cert
# The device will look for pki-domain-name_ca.cer
# so the default filename (hpn_ca.cer) should work. At this stage, Comware also validates the
# certificate, so date time should be within the certificate valid dates.
# In case the Certificate Revocation List (CRL) check is still active, Comware will try to contact the CA.
# If there is any issue, the CA cert validation fails.
pki import-certificate ca domain hpn der
 
#### Import the Device cert
# the sample certificate sslvpn.hpnet.local has been exported from a Windows server, as a pfx file.
# It contains the Device certificate and the private key.
# the file is protected with password "password"

# Since a private key will be imported from the pfx file, the current
# local keys must be destroyed first (if they were created already), or import will fail:
public-key local destroy rsa

# Import the certificate
pki import-certificate local domain hpn p12 filename hpn_local.pfx
password
# At this point the certificate is available for use, so an SSL policy can be defined.

#### Define SSL-Server policy
ssl server-policy ssl
 pki-domain hpn

#### Use the SSL-Server Policy
# SSL-Server policy can be referenced to by https server or by ssl-vpn
ip https ssl-server-policy ssl
ip https enable


Best regards, Peter.
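Added here as an editor's example, not part of Peter's procedure or any Comware tool: a standard-library Python script that derives the value the "root-certificate fingerprint sha1" line expects from an exported CA certificate file (DER or PEM) and reads the certificate's validity window, so the "clock datetime" step can be set inside it before the import. The DER walker covers only the X.509 fields needed here, and the embedded sample is a constructed skeleton certificate, not a real CA cert.

```python
# Editor's example: fingerprint and validity window of a CA cert for Comware import.
import base64, hashlib, re
from datetime import datetime, timezone

def to_der(data: bytes) -> bytes:
    """Accept the bytes of a PEM or DER certificate file; return raw DER."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END", data, re.S)
    return base64.b64decode(m.group(1)) if m else data

def comware_fingerprint(der: bytes) -> str:
    """SHA-1 over the DER, upper-case hex with no separators, as the CLI takes it."""
    return hashlib.sha1(der).hexdigest().upper()

def read_tlv(buf: bytes, pos: int):
    """Decode one DER element at pos: (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes carry the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content: bytes) -> list:  # (tag, content) pairs inside a constructed value
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def validity(der: bytes):
    """(notBefore, notAfter) from tbsCertificate as UTC datetimes."""
    tbs = children(read_tlv(der, 0)[1])[0][1]  # Certificate -> tbsCertificate
    fields = children(tbs)
    if fields[0][0] == 0xA0:                   # optional explicit [0] version
        fields = fields[1:]
    times = []                                 # serial, sigAlg, issuer, validity, ...
    for tag, body in children(fields[3][1]):
        fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
        times.append(datetime.strptime(body.decode(), fmt).replace(tzinfo=timezone.utc))
    return times[0], times[1]

def der(tag: int, body: bytes) -> bytes:
    """Tiny DER encoder (short lengths only), used just to build the sample below."""
    return bytes([tag, len(body)]) + body

# Constructed skeleton (not a real CA certificate): empty names and signature,
# but the genuine X.509 layout, valid 2011-11-27 to 2021-11-27 UTC.
SAMPLE_DER = der(0x30, der(0x30,
    der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"") + der(0x30, b"")
    + der(0x30, der(0x17, b"111127000000Z") + der(0x17, b"211127000000Z"))
    + der(0x30, b"") + der(0x30, b"")) + der(0x30, b"") + der(0x03, b"\x00"))
```

Run it on the exported hpn_ca.cer to get the fingerprint string to paste into the pki domain, and compare it with the fingerprint shown by the CA out of band before trusting it.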

robyaps
Advisor

Re: A5120 https web interface access

Thank you very much. We have updated to the new image, so this worked:

[hp5120] undo ip https enable
[hp5120] ip https enable
[hp5120] save

However, we still kept your solution for the old firmware. Very useful!

Do you know if the Web Interface Login "Verify Code" can be disabled? This is very boring...

spgsitsupport
Regular Advisor

Re: A5120 https web interface access

But the new firmware works only with its own certificate, which just looks plain ugly!

And so far I could not find an easy way to import a certificate (wildcard) or request a certificate from an AD CA.

edit:

A wildcard cannot be imported, but a request from the local AD CA is quite easy:

http://hpnetworkers.blogspot.co.uk/2012/02/hp-series-h3c-comware-https-howto-with.html

To make sure that the certificate obtained from the SCEP server is good for SSL, one needs to temporarily configure the correct template in

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\EncryptionTemplate & GeneralPurposeTemplate

preferably one that has Server Authentication configured (webserver).


pki domain MyDomain
ca identifier ORG-EntCA
certificate request url http://sp-v-entca.mydomain.local/certsrv/mscep/mscep.dll
certificate request from ra
certificate request entity hpe5900-sr1
crl url http://sp-v-entca.mydomain.local/CertEnroll/SPGS-EntCA(3).crl
#
pki entity HPE5900-SR1
common-name HPE5900-SR1.mydomain.local
country GB
#
ssl server-policy mydomain-ssl
pki-domain mydomain

undo ip https enable

[HPE5900]public-key local create rsa name BG

pki retrieve-certificate domain mydomain ca

pki request-certificate domain mydomain password 30392FF84A6FBB80

( password as obtained from CA https://sp-v-entca.mydomain.local/certsrv/mscep_admin )

ip https ssl-server-policy mydomain-ssl

ip https enable