12-16-2013 09:01 AM
We have seen the HTTPS configuration involving a certificate request to a CA. Can HTTPS access to the A5120 web interface be configured with a self-signed certificate, to avoid the long and complex configuration?
Can you write the minimum necessary commands so we can access the web interface safely over HTTPS?
We see this example configuration:
Very complex just to allow HTTPS access to the web interface...
12-16-2013 11:47 AM - edited 12-16-2013 11:47 AM
Newer Comware releases have a simplified HTTPS configuration, which just requires enabling HTTPS (if no cert is available, it will use/generate a self-signed cert).
The original version was quite hard (IMO); it took me quite some time just to get a self-signed cert to work, but it worked in the end.
Attached is the procedure I had saved at the time. Same text below:
****** Configuration steps to import an external certificate on Comware *****
Author Peter Debruyne (firstname.lastname@example.org)
#### copy the exported CA Certificate file and the Personal Certificate file to flash
tftp 126.96.36.199 get hpn_ca.cer
tftp 188.8.131.52 get hpn_local.pfx
#### set correct date and time on Comware, required for the certificate validation (date)
clock datetime xxxx
#### Define PKI Domain configuration object.
pki domain hpn
# Default CRL is enabled, so CA must be reachable when importing a Certificate.
# Since offline procedure is used, the CA is not reachable, so CRL check must be disabled.
crl check disable
# optional, otherwise the fingerprint will be prompted for during import
# This is the fingerprint from the current example CA Certificate, adjust this if
# you use your own CA certificate.
root-certificate fingerprint sha1 0ACB034B202A5C120C61CD8BC4568E41FC9FC78C
# return to system view; the import commands below are system-view commands
quit
#### Import the CA cert
# The device will look for pki-domain-name_ca.cer
# so the default filename (hpn_ca.cer) should work. At this stage, Comware also validates the
# certificate, so the date/time should be within the certificate's validity period.
# In case the Certificate Revocation List (CRL) check is still active, Comware will try to contact the CA.
# If there is any issue, the CA cert validation fails.
pki import-certificate ca domain hpn der
#### Import the Device cert
# the sample certificate sslvpn.hpnet.local has been exported from a Windows server, as a pfx file.
# It contains the Device certificate and the private key.
# the file is protected with password "password"
# Since a private key will be imported from the pfx file, the current
# local keys must be destroyed first (if they were created already), or import will fail:
public-key local destroy rsa
# Import the certificate
pki import-certificate local domain hpn p12 filename hpn_local.pfx
# At this point the certificate is available for use, so an SSL policy can be defined.
#### Define SSL-Server policy
ssl server-policy ssl
# bind the PKI domain holding the imported certificate to the policy
pki-domain hpn
# return to system view
quit
#### Use the SSL-Server Policy
# SSL-Server policy can be referenced to by https server or by ssl-vpn
ip https ssl-server-policy ssl
ip https enable
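The two files this procedure imports (hpn_ca.cer and hpn_local.pfx) were exported from a Windows CA in the post above. As an added example, not part of the original post or of any HP/Comware documentation, here is a plain openssl script that builds equivalent files with a throw-away CA, computes the 40-hex-digit SHA-1 value that the "root-certificate fingerprint sha1" line pins, and checks the same two things the switch checks at import time: that the device certificate chains to the CA, and that the PFX opens with the password "password" and contains a private key. The CA subject name, the mktemp working directory and the reuse of the device name sslvpn.hpnet.local from the post are my assumptions.

```shell
#!/bin/sh
# Added example (not from the forum post): produce the files the Comware
# procedure imports and the CA fingerprint it pins. Assumes the openssl CLI.
# CA name, working directory and device CN are constructed/assumed values.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Build a private CA and a device certificate signed by it, then write
# hpn_ca.cer (DER) and hpn_local.pfx (PKCS#12, password "password") as the
# Comware procedure expects them.
make_certs() {
  (
    cd "$WORK"
    # CA key + self-signed CA certificate (PEM), plus the DER copy for the switch
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
      -keyout ca.key -out ca.pem -subj "/CN=hpn example CA" 2>/dev/null
    openssl x509 -in ca.pem -outform DER -out hpn_ca.cer
    # Device key + CSR for the web interface, signed by the CA with serverAuth EKU
    openssl req -newkey rsa:2048 -nodes \
      -keyout device.key -out device.csr -subj "/CN=sslvpn.hpnet.local" 2>/dev/null
    printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:sslvpn.hpnet.local\n' > ext.cnf
    openssl x509 -req -in device.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
      -days 825 -extfile ext.cnf -out device.pem 2>/dev/null
    # Device cert + private key (+ CA) bundled as PKCS#12 with the post's password
    openssl pkcs12 -export -inkey device.key -in device.pem -certfile ca.pem \
      -passout pass:password -out hpn_local.pfx
  )
}

# SHA-1 fingerprint of the DER CA certificate in the colon-free form that
# "root-certificate fingerprint sha1 <hex>" takes.
ca_fingerprint_sha1() {
  openssl x509 -in "$WORK/hpn_ca.cer" -inform DER -noout -fingerprint -sha1 \
    | sed -e 's/^.*=//' -e 's/://g'
}

# The switch validates the device certificate against the CA at import;
# do the same check locally first. Prints "ok" or "fail".
verify_chain() {
  if openssl verify -CAfile "$WORK/ca.pem" "$WORK/device.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Number of private keys the PFX yields with the expected password (want 1);
# a wrong password or a cert-only PFX is the usual reason a local import fails.
pfx_has_key() {
  openssl pkcs12 -in "$WORK/hpn_local.pfx" -passin pass:password -nocerts -nodes 2>/dev/null \
    | grep -c 'BEGIN.*PRIVATE KEY'
}

make_certs
# The line to paste into the pki domain, built from your own CA rather than the post's sample
printf 'root-certificate fingerprint sha1 %s\n' "$(ca_fingerprint_sha1)"
printf 'chain: %s, private keys in pfx: %s (files in %s)\n' \
  "$(verify_chain)" "$(pfx_has_key)" "$WORK"
```

The fingerprint you pin should match the value the CA's owner publishes, not just whatever is in the file you downloaded, otherwise the pin only proves the file is the file. If an older Comware release rejects the PFX, OpenSSL 3 builds it with AES by default; its pkcs12 "-legacy" option produces the older 3DES/RC2 encoding that many embedded devices still expect.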
12-17-2013 01:08 AM
Thank you very much. We have updated to the new image, so this worked:
[hp5120] undo ip https enable
[hp5120] ip https enable
However, we still kept your solution for old firmware. Very useful!
Do you know if the Web Interface Login "Verify Code" can be disabled? This is very boring...