HTTP vs. HTTPS

ArubaOS-Switch devices can be configured through an HTTP interface, which is enabled by default. Like Telnet, plain HTTP carries the login credentials and every subsequent management request in cleartext, so anyone positioned on the network path can capture them. It is recommended that the HTTPS interface be enabled and the HTTP interface be disabled. HTTPS is HTTP traffic running over an encrypted Transport Layer Security (TLS) session (or its deprecated predecessor, Secure Sockets Layer (SSL)); the switch's certificate is what lets the administrator's browser confirm it is talking to the real switch and not to an interposed host.

To use a certificate issued by a trusted Certification Authority (CA), which is strongly recommended for production environments, complete the following steps:

  1. A switch identity profile should be created with subject information to be used for the generated certificate (see Switch identity profile).

  2. A Trust Anchor (TA) profile must be created.

  3. The CA root certificate must be copied to the switch and attached to the created TA profile.

  4. A certificate signing request (CSR) must be generated on the switch using the same TA profile. The key pair is generated on the switch at this step and the private key never leaves it; only the CSR is exported.

  5. The CSR must be provided to the CA to generate a certificate (this is done by copying the full CSR text from the CLI into a text file, then pasting or uploading it to the CA).

  6. The resulting certificate must be installed on the switch through the CLI (pasting the PEM text), a file transfer protocol such as SFTP, or the web interface.

The following example creates a TA profile named webprofile, copies the CA root certificate to the switch from an SFTP server at 10.10.10.1, and creates a CSR:

switch(config)# crypto pki ta-profile webprofile
switch(config)# copy sftp ta-certificate webprofile sftpuser@10.10.10.1 cacert.pem
switch(config)# crypto pki create-csr certificate-name webcert ta-profile webprofile usage web key-type rsa key-size 2048
-----BEGIN CERTIFICATE REQUEST-----
< Certificate request string >
-----END CERTIFICATE REQUEST-----

Copy the contents of the certificate signing request (including the BEGIN and END lines) onto the CA, either by pasting them into a web form or by copying them into a file that is uploaded to the CA. Before signing, confirm that the subject shown in the CSR matches the switch identity profile that was created; the CA, not the requester, is responsible for only issuing what it has checked. In this example, the contents of the CSR have been copied to a file named webcert.csr on a Linux system running OpenSSL (see Local certificate authority with OpenSSL); the following command generates a certificate file named webcert.pem:

root@localca:~# openssl ca -days 365 -in webcert.csr -out webcert.pem -cert cacert.pem -keyfile cakey.pem -config /etc/ssl/openssl.cnf
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4096 (0x1000)
        Validity
            Not Before: Aug 21 18:31:04 2018 GMT
            Not After : Aug 20 18:31:04 2019 GMT
        Subject:
            commonName                = switch
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                < Subject Key Identifier string >
            X509v3 Authority Key Identifier: 
                < Authority Key Identifier string >

Certificate is to be certified until Aug 20 18:31:04 2019 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
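
The following script is an added example; it is not part of the original guide or of the ArubaOS-Switch product documentation. It reproduces the CA side of the procedure offline so it can be tested without a switch: it builds a throwaway lab CA and a stand-in CSR with subject CN=switch (in a real deployment the CSR comes from the switch and the private key never leaves it), checks the CSR's self-signature and subject before signing, signs it with openssl x509 -req and an extension file instead of the openssl ca database used above, so that the issued certificate carries a subjectAltName and the serverAuth extended key usage, and then verifies that the result chains to the CA and names the host. The hostname switch.example.net, the address 10.10.10.2, the CA name and the file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the Aruba guide): CA-side handling of a switch CSR.
# Requires the openssl command-line tool. Names and addresses are assumptions.
set -eu

# Build a throwaway lab CA in $1 (stand-in for a real issuing CA).
make_lab_ca() {
    dir=$1
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Lab Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -config "$dir/ca.cnf" -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
}

# Stand-in for the CSR the switch produces with "crypto pki create-csr":
# subject CN=$2, RSA 2048. (On the real switch the key is generated on-box
# and never exported; only the CSR text is copied off.)
make_switch_csr() {
    dir=$1; cn=$2
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$cn" > "$dir/csr.cnf"
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/csr.cnf" \
        -keyout "$dir/switchkey.pem" -out "$dir/webcert.csr" 2>/dev/null
}

# Before signing: the CSR must carry a valid self-signature (proof of
# possession of the key) and the subject the operator expects. Non-zero otherwise.
check_csr() {
    csr=$1; cn=$2
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1
    openssl req -in "$csr" -noout -subject -nameopt RFC2253 | grep -q "CN=$cn"
}

# Sign the CSR as an end-entity web-server certificate. The CA, not the CSR,
# decides the extensions: CA:FALSE, serverAuth, and a subjectAltName with the
# DNS name and IP the browser will use to reach the switch.
sign_switch_cert() {
    dir=$1; csr=$2; host=$3; ip=$4
    cat > "$dir/ext.cnf" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host, IP:$ip
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
    openssl x509 -req -in "$csr" -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" \
        -CAcreateserial -days 365 -sha256 -extfile "$dir/ext.cnf" \
        -out "$dir/webcert.pem" 2>/dev/null
}

# After signing: the certificate must chain to the CA and carry the expected SAN.
verify_switch_cert() {
    ca=$1; cert=$2; host=$3
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1
    openssl x509 -in "$cert" -noout -text | grep -q "DNS:$host"
}

# Run the whole flow:  sh thisfile.sh demo
demo() {
    d=$(mktemp -d)
    make_lab_ca "$d"
    make_switch_csr "$d" switch
    check_csr "$d/webcert.csr" switch
    sign_switch_cert "$d" "$d/webcert.csr" switch.example.net 10.10.10.2
    verify_switch_cert "$d/cacert.pem" "$d/webcert.pem" switch.example.net
    openssl x509 -in "$d/webcert.pem" -noout -subject -issuer
    echo "signed certificate ready to copy to the SFTP root: $d/webcert.pem"
}
if [ "${1:-}" = demo ]; then demo; fi
```

The check functions return non-zero on any mismatch, so they can gate an automated signing pipeline; the same extension file can be passed to openssl ca with -extfile if you prefer to keep the CA database the guide's command uses.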

Note that, as signed above, the certificate's only name is commonName=switch and it carries no subjectAltName. Browsers match the host in the URL against the subjectAltName, not the commonName, so expect a name-mismatch warning unless the CA adds a subjectAltName containing the hostname or IP address used to reach the switch. Copy the generated certificate file webcert.pem to the SFTP root folder, then transfer it to the switch:

switch(config)# copy sftp local-certificate sftpuser@10.10.10.1 webcert.pem
000M Transfer is successful

Lastly, enable the HTTPS (SSL/TLS) web interface, disable plaintext HTTP, and set a 5-minute (300-second) idle timeout so abandoned management sessions are closed:

switch(config)# web-management ssl
switch(config)# no web-management plaintext
switch(config)# web-management idle-timeout 300

For more information, refer to the section "Using HTTPS secure connection" in the chapter titled "ArubaOS-Switch UI" in the ArubaOS-Switch Basic Operation Guide.