Comware

 View Only
last person joined: 3 days ago 

Expand all | Collapse all

How to import a certificate to 10508 switch

This thread has been viewed 25 times
  • 1.  How to import a certificate to 10508 switch

    Posted Jun 14, 2022 03:10 PM

    Hello,

    I am new to HPE. I am trying to integrate LDAP 636 between HPE 10508 and our AD server. I couldn't find and documentation of how to import a certificate to 10508 switch.
    Can any one help me with that please.

    Thanks
    Hassan


  • 2.  RE: How to import a certificate to 10508 switch

    EMPLOYEE
    Posted Jun 15, 2022 07:19 AM
    Hi Hassan,

    Check this version of Security Configuration Guide - https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=c05368314 , section "Configuring PKI". However, I foresee the issue with LDAPS (LDAP over TLS, at least since you mentioned '636' it must be a port number that LDAPS uses), because as far as I know this switch doesn't support it.



    ------------------------------
    Ivan Bondar
    ------------------------------



  • 3.  RE: How to import a certificate to 10508 switch

    Posted Jun 15, 2022 10:57 AM
    Hi Ivan,

    Thank you for your response. So you are saying, 10508 switch doesn't support secure LDAP?

    Thank you
    Hassan


  • 4.  RE: How to import a certificate to 10508 switch

    EMPLOYEE
    Posted Jun 15, 2022 11:04 AM
    Yes, at least neither release notes nor configuration guides have any mention about LDAP over TLS (or LDAPS). What they say they support is clear-text LDAP v2 or v3.

    ------------------------------
    Ivan Bondar
    ------------------------------



  • 5.  RE: How to import a certificate to 10508 switch

    Posted Jun 15, 2022 11:17 AM
    Thank you Ivan. I've been looking for quite sometime now.


  • 6.  RE: How to import a certificate to 10508 switch

    Posted Jun 22, 2022 11:03 AM
    Hi Ivan,

    I tried to configure LDAP plain connection "using port 389" with the below configuration, but still unable to authenticate using LDAP. Am I missing something here? I have checked the documentation you shared and followed the exampled mentioned.
    I am configuring this on {HPE Comware Software, Version 7.1.070, Release 7557P03
    Copyright (c) 2010-2017 Hewlett Packard Enterprise Development LP
    HP 10508  }



    system-view
    local-user admin class manage
    password simple P@ssw0rD123!!!
    service-type ssh
    authorization-attribute user-role network-admin
    authorization-attribute user-role network-operator
    quit
    public-key local create rsa
    public-key local create dsa
    ssh server enable
    line vty 0 63
    authentication-mode scheme
    protocol inbound ssh
    quit
    ldap server hpe-LDAP
    ip 192.168.1.10
    ip 192.168.1.11
    login-dn CN=netuser,OU=Network_admins,OU=Primary,OU=Data,DC=mydomain,DC=ca
    login-password simple LD@P!!@@##
    search-base-dn DC=mydomain,DC=ca
    quit
    ldap scheme HPE-LDAP-SCHEME
    authentication server HPE-LDAP
    quit
    domain mydomain
    authentication login ldap-scheme HPE-LDAP-SCHEME local
    authorization login none
    accounting loging none
    user-name-format without-domain
    quit
    save force


    Thank you, I appreciate your help
    Hassan


  • 7.  RE: How to import a certificate to 10508 switch

    EMPLOYEE
    Posted Jun 22, 2022 11:20 AM
    It's been a long time since I played with LDAP, at first glance configuration looks fine, but check a couple of things:

    - IPs 192.168.1.10 and .11 are reachable from the switch. If ICMP is not filtered on the server, just ping them.
    - You log in with the domain name. Since you have configured 'domain mydomain' In your case it is '@mydomain', not '@mydomain.ca'. For example 'network-admin@mydomain'.

    ------------------------------
    Ivan Bondar
    ------------------------------



  • 8.  RE: How to import a certificate to 10508 switch

    Posted Jun 22, 2022 11:27 AM
    Thank you for the quick response, that was my first test, there's reachability between the switch and the server. I have tried accessing with/without the domain name, but still. I tested this user and it's connected, actually I am using the same user to bind LDAP on Palo Alto and it's working fine.