At a minimum, HP recommends that you always assign at least a manager password to the switch. Otherwise, under some circumstances, anyone with Telnet, web, or serial port access could modify the switch’s configuration.
You must install a server certificate on the switch before enabling web management over SSL/TLS. The switch uses this server certificate, along with a dynamically generated session key pair to negotiate an encryption method and session with a browser trying to connect via SSL to the switch. The session key pair is not visible on the switch, rather It is a temporary, internally generated pair used for a particular switch/client session and then discarded.
When you install a new certificate on the switch, the switch places the key and certificate in flash memory. The switch maintains the certificate across reboots and power cycles.
Removing the switch's web certificate renders the switch unable to engage in secure web operation and automatically disables web management over SSL on the switch.
There are two types of certificate that can be used for the switch’s host certificate:
-
Self-signed certificate
-
Authority-signed certificate
Self-signed certificates are generated and digitally signed by the switch utilizing the same key used to create the certificate. Self-signed certificates are not signed by a certificate authority (CA) so they can not be tracked to a trusted root such as a Trust Anchor or CA. A self signed certificate allows the communication connection to be encrypted, not authenticated. There is no guarantee on the behavior of a browser when using a self-signed certificate, see the table below for examples of operating system and browser compatibility.
|
|
|
![[NOTE: ]](images/note.gif) |
NOTE: Our self-signed certificates are signed with |
|
|
Self-signed certificate browser compatibility
| Bowsers | Operating System |
|---|---|
| Google Chrome | |
| Internet Explorer | Windows 7 |
| Internet Explorer 7+ | Windows Vista |
| Internet Explorer 7+ | Windows XP SP3 |
| Firefox 1.5 | |
| Netscape 7.1 | |
| Mozilla 1.4 | |
| Safari | Mac OS X 10.5 |
| Opera 9.0+ | |
| Konqueror 3.5 | |
| Products Mozilla based on NSS 3.8+ | |
| Products based on OpenSSL 0.9.8+ | |
| Products based on Java 1.4.2+ |
|
|
|
|
|
NOTE: |
|
|
The web-management ssl command enables SSL on the switch and modifies parameters the switch uses for transactions with clients. After you enable SSL, the switch can authenticate itself to SSL enabled browsers. If you want to disable SSL on the switch, use the no web-management ssl command.
|
|
|
|
|
NOTE: When using self-signed certificates with the switch, there is a possibility for a “man-in-the-middle” attack especially when connecting for the first time; that is, an unauthorized device could pose undetected as a switch, and learn the user names and passwords controlling access to the switch. Use caution when connecting to a switch using self-signed certificates. Before accepting the certificate, closely verify the contents of the certificate (see browser documentation for additional information on viewing contents of certificate.) The security concern described above does not exist when using CA-signed certificates that have been signed by certificate authorities that the web browser already trusts. |
|
|