A5120 https web interface access

Advisor

A5120 https web interface access

We seen https configuration, involving certificate request to a CA. Can be configured https access to A5120 Web interface with a self signed certificate ? to avoid long and complex configuration ?

Can you write minimum necessary commands so, we can access web interface safaly in https ?

 

We see this example configuration:

 

http://www.h3c.com/portal/Technical_Support___Documents/Technical_Documents/Switches/H3C_S5120_Series_Switches/Configuration/Operation_Manual/H3C_S5120-SI_CG-Release_1101-6W105/201108/723591_1285_0.htm

 

Very complex only to allow https access to web interface...

 

 

Thank you

2 REPLIES
Highlighted
Honored Contributor

Re: A5120 https web interface access

[ Edited ]

Hi,

 

newer comware releases have a simplified https configuration, which just requires enabling https (if no cert available, it will use/generate a selfsigned cert).

 

To original version was quite hard (IMO), it took me quite some time to just get a selfsigned cert to work, but it worked in the end.

 

Attached the procedure I had saved at the time. Same text below:

 

****** Configuration steps to import an external certificate on Comware *****
Author     Peter Debruyne (peter.debruyne@belpro.be)
Date     27/11/2011
Version    1.0

#### copy the exported CA Certificate file and the Personal Certificate file to flash
# user-view
tftp 82.1.1.3 get hpn_ca.cer
tftp 82.1.1.3 get hpn_local.pfx

#### set correct date and time on Comware, required for the certificate validation (date)
# user-view
clock datetime xxxx

#### Define PKI Domain configuration object.
# system-view
pki domain hpn
 # Default CRL is enabled, so CA must be reachable when importing a Certificate.
 # Since offline procedure is used, the CA is not reachable, so CRL check must be disabled.
 crl check disable
 
 # optional, otherwise fingerprint will be prompted during import
 # This is the fingerprint from the current example CA Certificate, adjust this if
 # you use your own CA certificate.
 root-certificate fingerprint sha1 0ACB034B202A5C120C61CD8BC4568E41FC9FC78C
 quit

#### Import the CA cert
# The device will look for pki-domain-name_ca.cer
# so the default filename (hpn_ca.cer) should work. At this stage, Comware also validates the
# certificate, so date time should be within the certificate valid dates.
# In case Certificate Revokation List (CRL) is still active, Comware will try to contact the CA.
# If there is any issue, the CA cert validation fails.
pki import-certificate ca domain hpn der
 
#### Import the Device cert
# the sample certificate sslvpn.hpnet.local has been exported from a Windows server, as a pfx file.
# It contains the Device certificate and the private key.
# the file is protected with password "password"

# Since a private key will be imported from the pfx file, the current
# local keys must be destroyed first (if they were created already), or import will fail:
public-key local destroy rsa

# Import the certificate
pki import-certificate local domain hpn p12 filename hpn_local.pfx
password
# At this point the certificate is available for use, so an SSL policy can be defined.

#### Define SSL-Server policy
ssl server-policy ssl
 pki-domain hpn

#### Use the SSL-Server Policy
# SSL-Server policy can be referenced to by https server or by ssl-vpn
ip https ssl-server-policy ssl
ip https enable


Best regards,Peter.

Advisor

Re: A5120 https web interface access

Thank you very much. We have updated to new image, so this worked:

 

[hp5120] undo ip https enable
[hp5120] ip https enable
[hp5120] save

 

However, we still kept your solution for old firmware. Very useful !

 

As you know, can be Web Interface Login "Verify Code" disabled ? this is very boring...