Comware

  • 1.  A5120 https web interface access

    Posted Dec 16, 2013 12:02 PM

    We have seen the HTTPS configuration, involving a certificate request to a CA. Can HTTPS access to the A5120 web interface be configured with a self-signed certificate, to avoid the long and complex configuration?

    Can you write the minimum necessary commands so we can access the web interface safely over HTTPS?

    We see this example configuration:

     

    http://www.h3c.com/portal/Technical_Support___Documents/Technical_Documents/Switches/H3C_S5120_Series_Switches/Configuration/Operation_Manual/H3C_S5120-SI_CG-Release_1101-6W105/201108/723591_1285_0.htm

    Very complex only to allow HTTPS access to the web interface...

    Thank you


    #certificate


  • 2.  RE: A5120 https web interface access

    Posted Dec 16, 2013 02:47 PM

    Hi,

    Newer Comware releases have a simplified HTTPS configuration, which just requires enabling HTTPS (if no certificate is available, it will use/generate a self-signed certificate).

    The original version was quite hard (IMO); it took me quite some time to just get a self-signed certificate to work, but it worked in the end.

    Attached is the procedure I had saved at the time. Same text below:

     

    ****** Configuration steps to import an external certificate on Comware *****
    Author     Peter Debruyne (peter.debruyne@belpro.be)
    Date     27/11/2011
    Version    1.0

    #### copy the exported CA Certificate file and the Personal Certificate file to flash
    # user-view
    tftp 82.1.1.3 get hpn_ca.cer
    tftp 82.1.1.3 get hpn_local.pfx

    #### set correct date and time on Comware, required for the certificate validation (date)
    # user-view
    clock datetime xxxx

    #### Define PKI Domain configuration object.
    # system-view
    pki domain hpn
     # Default CRL is enabled, so CA must be reachable when importing a Certificate.
     # Since offline procedure is used, the CA is not reachable, so CRL check must be disabled.
     crl check disable
     
     # optional, otherwise fingerprint will be prompted during import
     # This is the fingerprint from the current example CA Certificate, adjust this if
     # you use your own CA certificate.
     root-certificate fingerprint sha1 0ACB034B202A5C120C61CD8BC4568E41FC9FC78C
     quit

    #### Import the CA cert
    # The device will look for pki-domain-name_ca.cer
    # so the default filename (hpn_ca.cer) should work. At this stage, Comware also validates the
    # certificate, so date time should be within the certificate valid dates.
    # In case Certificate Revocation List (CRL) checking is still active, Comware will try to contact the CA.
    # If there is any issue, the CA cert validation fails.
    pki import-certificate ca domain hpn der
     
    #### Import the Device cert
    # the sample certificate sslvpn.hpnet.local has been exported from a Windows server, as a pfx file.
    # It contains the Device certificate and the private key.
    # the file is protected with password "password"

    # Since a private key will be imported from the pfx file, the current
    # local keys must be destroyed first (if they were created already), or import will fail:
    public-key local destroy rsa

    # Import the certificate
    pki import-certificate local domain hpn p12 filename hpn_local.pfx
    password
    # At this point the certificate is available for use, so an SSL policy can be defined.

    #### Define SSL-Server policy
    ssl server-policy ssl
     pki-domain hpn

    #### Use the SSL-Server Policy
    # SSL-Server policy can be referenced to by https server or by ssl-vpn
    ip https ssl-server-policy ssl
    ip https enable


    Best regards, Peter.
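    The procedure above starts from two files already on the TFTP server, hpn_ca.cer and hpn_local.pfx, and from a CA fingerprint typed by hand. The following script is an added example (not part of Peter's post or of any Comware documentation) that produces those two files with a private lab CA on an administrator's workstation using the openssl CLI, verifies that the device certificate chains to the CA and that the PKCS#12 opens with the password that will be entered at the import prompt, and prints the fingerprint in the form the `root-certificate fingerprint sha1` command expects. The CA name, the device hostname switch.example.test, the output directory and the PKCS#12 password "password" (chosen to match the posted steps) are all assumptions.

```shell
#!/bin/sh
# Added example (not from the post): build the two files the posted procedure imports,
# hpn_ca.cer (DER CA certificate) and hpn_local.pfx (PKCS#12 with device cert + key),
# with a private lab CA, and print the SHA-1 fingerprint that goes into
# "root-certificate fingerprint sha1 ...". Requires the openssl CLI. All names,
# the output directory and the PKCS#12 password "password" are assumptions/constructed.
set -e

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required" >&2; exit 1; }

# Create CA, device key/CSR, device cert with serverAuth EKU and SAN, then export.
make_comware_cert_bundle() {
    out="$1"
    mkdir -p "$out"

    # 1. Lab CA: self-signed; key left unencrypted (-nodes) only because this is a throwaway lab CA.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Lab CA" \
        -keyout "$out/ca.key" -out "$out/ca.pem" 2>/dev/null

    # 2. Device key and CSR (CN = the name users will type in the browser; assumed hostname).
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=switch.example.test" \
        -keyout "$out/device.key" -out "$out/device.csr" 2>/dev/null

    # 3. Sign the CSR. serverAuth EKU + SAN are what browsers check on an HTTPS server cert.
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:switch.example.test\n' \
        > "$out/device.ext"
    openssl x509 -req -sha256 -days 825 -in "$out/device.csr" \
        -CA "$out/ca.pem" -CAkey "$out/ca.key" -CAcreateserial \
        -extfile "$out/device.ext" -out "$out/device.pem" 2>/dev/null

    # 4. CA certificate in DER, the format "pki import-certificate ca domain hpn der" expects.
    openssl x509 -in "$out/ca.pem" -outform DER -out "$out/hpn_ca.cer"

    # 5. Device certificate + private key as PKCS#12, password "password" as in the posted steps.
    openssl pkcs12 -export -in "$out/device.pem" -inkey "$out/device.key" \
        -certfile "$out/ca.pem" -name "comware-https" \
        -passout pass:password -out "$out/hpn_local.pfx"
}

# Fingerprint in the form Comware wants: 40 uppercase hex digits, no colons.
ca_fingerprint_sha1() {
    openssl x509 -in "$1" -inform DER -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g'
}

# Sanity checks before copying anything to flash: the device cert must chain to the CA
# and the PKCS#12 must open with the password that will be typed at the import prompt.
verify_bundle() {
    out="$1"
    openssl verify -CAfile "$out/ca.pem" "$out/device.pem" >/dev/null
    openssl pkcs12 -in "$out/hpn_local.pfx" -passin pass:password -noout
}

# Usage: sh make_comware_certs.sh [output-dir]
out="${1:-./comware-certs}"
make_comware_cert_bundle "$out"
verify_bundle "$out"
echo "root-certificate fingerprint sha1 $(ca_fingerprint_sha1 "$out/hpn_ca.cer")"
# The switch clock must fall inside this window or the CA import fails (see the posted steps).
openssl x509 -in "$out/ca.pem" -noout -dates
```

    Because the posted procedure turns CRL checking off with `crl check disable`, the pinned fingerprint is the only thing that stops a wrong CA certificate from being trusted, so compare the printed value against the one in the CA's own properties rather than copying it blindly from the file you are about to upload. If a device refuses the .pfx, re-export it with OpenSSL 3's `pkcs12 -legacy` option, which falls back to the older PKCS#12 encryption algorithms that many embedded TLS stacks expect (an assumption about the device, not something the post states).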



  • 3.  RE: A5120 https web interface access

    Posted Dec 17, 2013 04:08 AM

    Thank you very much. We have updated to the new image, so this worked:

    [hp5120] undo ip https enable
    [hp5120] ip https enable
    [hp5120] save

    However, we still kept your solution for old firmware. Very useful!

    As you know, can the web interface login "Verify Code" be disabled? This is very boring...



  • 4.  RE: A5120 https web interface access

    Posted Oct 13, 2016 07:45 AM

    But the new firmware works only with its own certificate, which just looks plain ugly!

    And so far I could not find an easy way to import a certificate (wildcard) or request a certificate from an AD CA.

    edit:

    Wildcard cannot be imported, but a request from a local AD CA is quite easy:

    http://hpnetworkers.blogspot.co.uk/2012/02/hp-series-h3c-comware-https-howto-with.html

    To make sure that the certificate obtained from the SCEP server is good for SSL, one needs to temporarily configure the correct template in

     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\EncryptionTemplate & GeneralPurposeTemplate

    preferably one that has Server Authentication configured (webserver).
    
    
    pki domain MyDomain
     ca identifier ORG-EntCA
     certificate request url http://sp-v-entca.mydomain.local/certsrv/mscep/mscep.dll
     certificate request from ra
     certificate request entity hpe5900-sr1
     crl url http://sp-v-entca.mydomain.local/CertEnroll/SPGS-EntCA(3).crl
    #
    pki entity HPE5900-SR1
     common-name HPE5900-SR1.mydomain.local
     country GB
    #
    ssl server-policy mydomain-ssl
     pki-domain mydomain

    undo ip https enable

    [HPE5900]public-key local create rsa name BG

    pki retrieve-certificate domain mydomain ca

    pki request-certificate domain mydomain password 30392FF84A6FBB80

    ( password as obtained from CA https://sp-v-entca.mydomain.local/certsrv/mscep_admin )

    ip https ssl-server-policy mydomain-ssl

    ip https enable