
Re: Configuring SSH in PCM

 
SOLVED
Peter[Swe]
Occasional Advisor

Configuring SSH in PCM

I was wondering if anyone could help me configure SSH?
I'm using PCM 2.3 and I want to use only SSH instead of telnet; I also want the webgui to use SSH.
I have searched the forums and Google but I can't seem to find anything useful, so if anyone could make like a quick guide on how to set it up that would be great.

/Peter
Peter[Swe]
Occasional Advisor

Re: Configuring SSH in PCM

Edit: I want to use SSL when logging in to the webgui.
Natasha Samoylenko
Trusted Contributor
Solution

Re: Configuring SSH in PCM

You cannot configure SSL from PCM.
But you can use group CLI on PCM and configure SSH and SSL on all switches at once.

You need to select all devices in PCM on which you need to configure SSH and SSL. Right-click or choose the configuration menu and select group CLI.

If you want to save the configurations after this, check the box under the command window or type wr mem at the end of the commands you type.

To configure SSH you can use PCM+, but if you need to configure a lot of switches, group CLI may be easier to use.

To configure SSL:
crypto key generate cert 1024
crypto host-cert generate self-signed 01/08/2010 12/31/2012 10.1.1.2 "company" "IT Dept" "Town" CA US
web-management ssl
no web-management plaintext

To configure SSH:
crypto key generate ssh
ip ssh
no telnet-server

Command explanation:
crypto key generate cert 1024 ---- generate key pair for SSL
crypto host-cert generate self-signed 01/08/2010 12/31/2012 10.1.1.2 "company" "IT Dept" "Town" CA US ---- it's all one string in the CLI, but I will explain it step by step:
01/08/2010 --- Valid start date of certificate (check your switch's time)
12/31/2011 --- Valid end date
10.1.1.2 --- Common name - switch IP address or domain name.
"company" --- Organization
"IT Dept" --- Organizational unit
"Town" --- City or location
CA --- State name
US --- Country code
web-management ssl --- enable SSL (HTTPS)
no web-management plaintext --- disable HTTP

SSH:
crypto key generate ssh --- generate key pair for SSH
ip ssh --- enable SSH
no telnet-server --- disable telnet
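
A check to run after the group CLI push described in the answer above (an added example, not part of the original post and not PCM or ProCurve code): it reads saved configuration text and reports switches where telnet or plaintext HTTP is still on, or SSH or SSL is missing. It assumes the four commands appear in the saved config exactly as written in the thread, that telnet and HTTP are on and SSH and SSL off unless the config says otherwise, and that `;` starts a comment; the host names and config samples are constructed.

```python
# Added example: audit saved switch configs for the settings from the thread.
# Each feature: (command text from the thread, ASSUMED default state,
# state required after hardening, finding reported when not met).
FEATURES = {
    "ssh":    ("ip ssh", False, True, "SSH not enabled"),
    "telnet": ("telnet-server", True, False, "telnet still enabled"),
    "https":  ("web-management ssl", False, True, "HTTPS (SSL) not enabled"),
    "http":   ("web-management plaintext", True, False, "plaintext HTTP still enabled"),
}

def audit_config(text):
    """Return the findings for one config; an empty list means compliant."""
    state = {name: spec[1] for name, spec in FEATURES.items()}
    for raw in text.splitlines():
        # Drop ';' comments (assumption), collapse whitespace, ignore case.
        line = " ".join(raw.split(";", 1)[0].split()).lower()
        negated = line.startswith("no ")
        command = line[3:] if negated else line
        for name, spec in FEATURES.items():
            if command == spec[0]:
                state[name] = not negated  # the last occurrence wins
    return [spec[3] for name, spec in FEATURES.items() if state[name] != spec[2]]

def audit_fleet(configs):
    """Map host name -> findings, listing only non-compliant switches."""
    report = {}
    for host, text in configs.items():
        findings = audit_config(text)
        if findings:
            report[host] = findings
    return report

# Constructed sample configs (not taken from real devices).
SAMPLE_CONFIGS = {
    "sw-hardened": 'hostname "sw-hardened"\nip ssh\nno telnet-server\n'
                   "web-management ssl\nno web-management plaintext\n",
    # SSH and SSL were enabled but the old services were never disabled.
    "sw-partial": 'hostname "sw-partial"\nip ssh\nweb-management ssl\n',
    # Hardened, then telnet was turned back on by a later change.
    "sw-reverted": "ip ssh\nno telnet-server\nweb-management ssl\n"
                   "no web-management plaintext\ntelnet-server\n",
}

if __name__ == "__main__":
    for host, findings in audit_fleet(SAMPLE_CONFIGS).items():
        print(f"{host}: {', '.join(findings)}")
```
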
Peter[Swe]
Occasional Advisor

Re: Configuring SSH in PCM

This is great, thank you. But can I somehow use the Active Directory's certifications (CA) and not self-signed certificates? If this is possible at all.

/Peter
Natasha Samoylenko
Trusted Contributor

Re: Configuring SSH in PCM

Yes, it is possible.

From Access Security Guide:
(This configuration replaces two steps:
crypto key generate cert 1024
crypto host-cert generate self-signed 01/08/2010 12/31/2012 10.1.1.2 "company" "IT Dept" "Town" CA US)

But after that you will need to enable ssl and disable http:
web-management ssl
no web-management plaintext

==========
Generate a CA-Signed server host certificate with the Web browser interface:

The installation of a CA-signed certificate involves interaction with other entities and consists of three phases. The first phase is the creation of the CA certificate request, which is then copied off from the switch for submission to the certificate authority. The second phase is the actual submission process that involves having the certificate authority verify the certificate request and then digitally signing the request to generate a certificate response (the usable server host certificate). The third phase is the download phase consisting of pasting to the switch web server the certificate response, which is then validated by the switch and put into use by enabling SSL.
To generate a certificate request from the web browser interface:
i. Select the Security tab, then select the [SSL] button
ii. Select the Create Certificate/Certificate Request radio button.
iii. Select Create CA Request from the Certificate Type drop-down list.
iv. Select the key size from the RSA Key Size drop-down list. If you wish to re-use the current certificate key, select Current from the RSA Key Size drop-down list.
v. Fill in remaining certificate arguments (Refer to "Comments on Certificate Fields." on page 9-10.)
vi. Click on [Apply Changes] to create the certificate request. A new web browser page appears, consisting of two text boxes. The switch uses the upper text box for the certificate request text. The lower text box appears empty. You will use it for pasting in the certificate reply after you receive it from the certificate authority. (This authority must return a non-PEM encoded certificate request reply.)
vii. After the certificate authority processes your request and sends you a certificate reply (that is, an installable certificate), copy and paste it into the lower text box.
viii. Click on the [Apply Changes] button to install the certificate.
==========
Peter[Swe]
Occasional Advisor

Re: Configuring SSH in PCM

I'm sorry, but I got a little confused about this command, it's the same in both your posts:
crypto key generate cert 1024
crypto host-cert generate self-signed 01/08/2010 12/31/2012 10.1.1.2 "company" "IT Dept" "Town" CA US
web-management ssl
no web-management plaintext

Should I change the line "generate self-signed" to something like "create CA request"?

/Peter
Natasha Samoylenko
Trusted Contributor

Re: Configuring SSH in PCM

I think that this is because of my English :)

1. You need to do these steps from the Access Security Guide (you do these steps from the switch Web interface):
==========
Generate a CA-Signed server host certificate with the Web browser interface:

The installation of a CA-signed certificate involves interaction with other entities and consists of three phases. The first phase is the creation of the CA certificate request, which is then copied off from the switch for submission to the certificate authority. The second phase is the actual submission process that involves having the certificate authority verify the certificate request and then digitally signing the request to generate a certificate response (the usable server host certificate). The third phase is the download phase consisting of pasting to the switch web server the certificate response, which is then validated by the switch and put into use by enabling SSL.
To generate a certificate request from the web browser interface:
i. Select the Security tab, then select the [SSL] button
ii. Select the Create Certificate/Certificate Request radio button.
iii. Select Create CA Request from the Certificate Type drop-down list.
iv. Select the key size from the RSA Key Size drop-down list. If you wish to re-use the current certificate key, select Current from the RSA Key Size drop-down list.
v. Fill in remaining certificate arguments (Refer to Comments on Certificate Fields. on page 9-10.)
vi. Click on [Apply Changes] to create the certificate request. A new web browser page appears, consisting of two text boxes. The switch uses the upper text box for the certificate request text. The lower text box appears empty. You will use it for pasting in the certificate reply after you receive it from the certificate authority. (This authority must return a non-PEM encoded certificate request reply.)
vii. After the certificate authority processes your request and sends you a certificate reply (that is, an installable certificate), copy and paste it into the lower text box.
viii. Click on the [Apply Changes] button to install the certificate.
==========

2. You need to enable ssl and disable http:
web-management ssl
no web-management plaintext


P.S. Step 1 in this post replaces these two commands in the first post:
crypto key generate cert 1024
crypto host-cert generate self-signed 01/08/2010 12/31/2012 10.1.1.2 "company" "IT Dept" "Town" CA US
Peter[Swe]
Occasional Advisor

Re: Configuring SSH in PCM

Okay, now I understand. I think it was a combination of me reading it wrong also ;)

But this means I have to do those steps in every switch? Or is there a way to do it faster?
Natasha Samoylenko
Trusted Contributor

Re: Configuring SSH in PCM

Yes, you have to do those steps in every switch.

I checked the documentation and it states that the only way to request a certificate from a CA is from the web interface.

Feature: Generating a Certificate Request on the switch
Default: No
Menu: n/a
CLI: n/a
WebAgent: page 9-12
Peter[Swe]
Occasional Advisor

Re: Configuring SSH in PCM

Thank you so much Natasha. You have been a great help on this. Now I'm trying to do something else :) I have a lot of 2610 series switches (and others) in my net that are configured as I want them, and now I want to find a way to "clone" that config into any new switches I put in the net, something like "save the config from an existing switch and then be able to apply that config to the new switch".
Trying a few things at the moment, but if you have the time and will, you are more than welcome to help me with this too :)
Natasha Samoylenko
Trusted Contributor

Re: Configuring SSH in PCM

You are welcome Peter :)

You can "clone" configuration and deploy it on new switches with PCM.

To do this you need to create a configuration template for 2610 switches. Templates are assigned to one switch family.

But you will still need to configure the basic communication parameters on the switches, because PCM will need some way to communicate with them.

You can read ProCurve Manager Network Administrator's Guide Version 2.3
http://cdn.procurve.com/training/Manuals/PCM-AdminGuide59908850-0208.pdf

The simplest way is to use the Configuration Template Wizard:
In ProCurve Manager Network Administrator's Guide go to:
Managing Device Configurations > Using Configuration Templates > Using the Configuration Template Wizard

Deploying a configuration template causes the device to reboot.

The address pool in templates will allow you to assign different IP addresses to new switches from the selected pool.

If you don't like this way, you can do this by manual creation of some template.
Thereafter just copy all the necessary commands into the CLI in global config mode and save the config. Or you can copy this file from a tftp server to the new switch. But you will need to change the IP addresses in that template.
Javed Padinhakara
Respected Contributor

Re: Configuring SSH in PCM

Hi Peter,

Just wanted to add one more note: Once you have set up SSH on your devices, in order to manage them via PCM properly, make sure you also configure PCM to indicate that SSH mode should be used to talk to the device... otherwise it may be marked as inaccessible...

Javed
Javed Padinhakara
Respected Contributor

Re: Configuring SSH in PCM

Given below are steps which would help you to set up SSH between PCM and the devices:

1) Generate Key in PCM ( Global Preferences > Device Access > SSH Key )

2) Copy the key file ( will be created under server\config directory, by the name procurveSSH2.pub ) to the switch via tftp. Confirm it has been correctly copied by doing a "show crypto client-public-key"

3) Generate key in the switch ("crypto key generate ssh....")

4) Copy the key from switch (do a "show crypto host-public-key fingerprint" and copy it ) and set it in PCM for the device via Device Manager>"Communication parameters in PCM" and pasting the key in the textbox.

5) Now do a "Test communication parameters" on the device using the Device Manager feature to make sure the communication parameters have been successfully set.

Hope that helps!
Javed