Peter[Swe]
Occasional Advisor

Configuring SSH in PCM

I was wondering if anyone could help me configure SSH?
I'm using PCM 2.3 and I want to use only SSH instead of telnet, I also want the webgui to use SSH.
I have searched the forums and Google but I can't seem to find anything useful, so if anyone could make like a quick guide on how to set it up that would be great.

/Peter
12 REPLIES
Peter[Swe]
Occasional Advisor

Re: Configuring SSH in PCM

Edit: I want to use SSL when logging in to the webgui.
Natasha Samoylenko
Trusted Contributor
Solution

Re: Configuring SSH in PCM

You cannot configure SSL from PCM.
But you can use group CLI on PCM and configure SSH and SSL on all switches at once.

You need to select all devices in PCM on which you need to configure SSH and SSL. Right-click or choose the configuration menu and select group CLI.

If you want to save the configuration after this, check the box under the command window or type wr mem at the end of the commands you type.

To configure SSH you can use PCM+, but if you need to configure a lot of switches, group CLI may be easier to use.

To configure SSL:
crypto key generate cert 1024
crypto host-cert generate self-signed 01/08/2010 12/31/2012 10.1.1.2 "company" "IT Dept" "Town" CA US
web-management ssl
no web-management plaintext

To configure SSH:
crypto key generate ssh
ip ssh
no telnet-server

Command explanation:
crypto key generate cert 1024 ---- generate key pair for SSL
crypto host-cert generate self-signed 01/08/2010 12/31/2012 10.1.1.2 "company" "IT Dept" "Town" CA US ---- it's all one string in the CLI, but I will explain it step by step:
01/08/2010 --- Valid start date of certificate (check your switch's time)
12/31/2011 --- Valid end date
10.1.1.2 --- Common name - switch IP address or domain name.
"company" --- Organization
"IT Dept" --- Organizational unit
"Town" --- City or location
CA --- State name
US --- Country code
web-management ssl --- enable SSL (HTTPS)
no web-management plaintext --- disable HTTP

SSH:
crypto key generate ssh --- generate key pair for SSH
ip ssh --- enable SSH
no telnet-server --- disable telnet
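
A way to confirm the result after pushing these commands through group CLI, as an added example that is not part of the original post: it checks that each switch answers on SSH and HTTPS and no longer accepts telnet or plaintext HTTP. The default port numbers (22, 443, 23, 80), the function names and the sample inventory are assumptions; 10.1.1.2 is the address used in the post.

```python
import socket

# Assumed default ports for the services the post enables and disables.
MUST_BE_OPEN = {"ssh": 22, "https": 443}      # ip ssh / web-management ssl
MUST_BE_CLOSED = {"telnet": 23, "http": 80}   # no telnet-server / no web-management plaintext


def port_is_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds.

    Refused connections and timeouts (for example a filtered port)
    both count as not open.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_switch(host, must_be_open=MUST_BE_OPEN, must_be_closed=MUST_BE_CLOSED,
                 timeout=2.0):
    """Return a list of findings for one switch; an empty list means compliant."""
    findings = []
    for name, port in must_be_open.items():
        if not port_is_open(host, port, timeout):
            findings.append(f"{host}: {name} (tcp/{port}) not reachable")
    for name, port in must_be_closed.items():
        if port_is_open(host, port, timeout):
            findings.append(f"{host}: {name} (tcp/{port}) still accepting connections")
    return findings


def audit_all(hosts, **kwargs):
    """Audit every switch and return {host: findings} for non-compliant ones only."""
    report = {}
    for host in hosts:
        findings = audit_switch(host, **kwargs)
        if findings:
            report[host] = findings
    return report


if __name__ == "__main__":
    # Constructed sample inventory; replace with the switches selected in PCM.
    switches = ["10.1.1.2"]
    for host, findings in audit_all(switches).items():
        for line in findings:
            print(line)
```

An open port only shows that the service is listening; it does not show which certificate or host key the switch presents.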
Peter[Swe]
Occasional Advisor

Re: Configuring SSH in PCM

This is great, thank you. But can I somehow use the Active Directory's certifications (CA) and not self-signed certificates? If this is possible at all.

/Peter
Natasha Samoylenko
Trusted Contributor

Re: Configuring SSH in PCM

Yes, it is possible.

From Access Security Guide:
(This configuration replaces two steps:
crypto key generate cert 1024
crypto host-cert generate self-signed 01/08/2010 12/31/2012 10.1.1.2 "company" "IT Dept" "Town" CA US)

But after that you will need to enable ssl and disable http:
web-management ssl
no web-management plaintext

==========
Generate a CA-Signed server host certificate with the Web browser interface:

The installation of a CA-signed certificate involves interaction with other entities and consists of three phases. The first phase is the creation of the CA certificate request, which is then copied off from the switch for submission to the certificate authority. The second phase is the actual submission process that involves having the certificate authority verify the certificate request and then digitally signing the request to generate a certificate response (the usable server host certificate). The third phase is the download phase consisting of pasting to the switch web server the certificate response, which is then validated by the switch and put into use by enabling SSL.
To generate a certificate request from the web browser interface:
i. Select the Security tab, then select the [SSL] button
ii. Select the Create Certificate/Certificate Request radio button.
iii. Select Create CA Request from the Certificate Type drop-down list.
iv. Select the key size from the RSA Key Size drop-down list. If you wish to re-use the current certificate key, select Current from the RSA Key Size drop-down list.
v. Fill in remaining certificate arguments (Refer to "Comments on Certificate Fields." on page 9-10.)
vi. Click on [Apply Changes] to create the certificate request. A new web browser page appears, consisting of two text boxes. The switch uses the upper text box for the certificate request text. The lower text box appears empty. You will use it for pasting in the certificate reply after you receive it from the certificate authority. (This authority must return a non-PEM encoded certificate request reply.)
vii. After the certificate authority processes your request and sends you a certificate reply (that is, an installable certificate), copy and paste it into the lower text box.
viii. Click on the [Apply Changes] button to install the certificate.
==========
Peter[Swe]
Occasional Advisor

Re: Configuring SSH in PCM

I'm sorry, but I got a little confused about this command, it's the same in both your posts:
crypto key generate cert 1024
crypto host-cert generate self-signed 01/08/2010 12/31/2012 10.1.1.2 "company" "IT Dept" "Town" CA US
web-management ssl
no web-management plaintext

Should I change the line "generate self-signed" to something like "create CA request"?

/Peter
Natasha Samoylenko
Trusted Contributor

Re: Configuring SSH in PCM

I think that this is because of my English :)

1. You need to do these steps from the Access Security Guide (you do these steps from the switch Web interface):
==========
Generate a CA-Signed server host certificate with the Web browser interface:

The installation of a CA-signed certificate involves interaction with other entities and consists of three phases. The first phase is the creation of the CA certificate request, which is then copied off from the switch for submission to the certificate authority. The second phase is the actual submission process that involves having the certificate authority verify the certificate request and then digitally signing the request to generate a certificate response (the usable server host certificate). The third phase is the download phase consisting of pasting to the switch web server the certificate response, which is then validated by the switch and put into use by enabling SSL.
To generate a certificate request from the web browser interface:
i. Select the Security tab, then select the [SSL] button
ii. Select the Create Certificate/Certificate Request radio button.
iii. Select Create CA Request from the Certificate Type drop-down list.
iv. Select the key size from the RSA Key Size drop-down list. If you wish to re-use the current certificate key, select Current from the RSA Key Size drop-down list.
v. Fill in remaining certificate arguments (Refer to "Comments on Certificate Fields." on page 9-10.)
vi. Click on [Apply Changes] to create the certificate request. A new web browser page appears, consisting of two text boxes. The switch uses the upper text box for the certificate request text. The lower text box appears empty. You will use it for pasting in the certificate reply after you receive it from the certificate authority. (This authority must return a non-PEM encoded certificate request reply.)
vii. After the certificate authority processes your request and sends you a certificate reply (that is, an installable certificate), copy and paste it into the lower text box.
viii. Click on the [Apply Changes] button to install the certificate.
==========

2. You need to enable ssl and disable http:
web-management ssl
no web-management plaintext


P.S. Step 1 in this post replaces these two commands in the first post:
crypto key generate cert 1024
crypto host-cert generate self-signed 01/08/2010 12/31/2012 10.1.1.2 "company" "IT Dept" "Town" CA US
Peter[Swe]
Occasional Advisor

Re: Configuring SSH in PCM

Okay, now I understand, think it was a combination of me reading it wrong also ;)

But this means I have to do those steps on every switch? Or is there a way to do it faster?
Natasha Samoylenko
Trusted Contributor

Re: Configuring SSH in PCM

Yes, you have to do those steps on every switch.

I checked the documentation and it states that the only way to request a certificate from a CA is from the web interface.

Feature: Generating a Certificate Request on the switch
Default: No
Menu: n/a
CLI: n/a
WebAgent: page 9-12
Peter[Swe]
Occasional Advisor

Re: Configuring SSH in PCM

Thank you so much Natasha. You have been a great help on this. Now I'm trying to do something else :) I have a lot of 2610 series switches (and others) in my net that are configured as I want them, and now I want to find a way to "clone" that config into any new switches I put in the net, something like "save the config from an existing switch and then be able to apply that config to the new switch".
Trying a few things at the moment, but if you have the time and will, you are more than welcome to help me with this too :)