724-746-5500 | blackbox.com
OpenSSL is based on the excellent SSLeay library developed by Eric A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an Apache-style licence, which basically means that you are free to get and use it for commercial and non-commercial purposes subject to some simple license conditions. In the console server, OpenSSL is used primarily in conjunction with the HTTP server to provide secure (HTTPS) browser access to the GUI management console across insecure networks.
More documentation on OpenSSL is available from:
http://www.openssl.org/docs/apps/openssl.html
http://www.openssl.org/docs/HOWTO/certificates.txt
15.8 HTTPS
The Management Console can be served using HTTPS by running the webserver via sslwrap. The server can be launched on request using inetd.
The HTTP server provided is a slightly modified version of the fnord-httpd from http://www.fefe.de/fnord/
The SSL implementation is provided by the sslwrap application compiled with OpenSSL support. You can find more detailed documentation at http://www.rickk.com/sslwrap/
If your default network address is changed or the unit is to be accessed via a known Domain Name, you can use the following steps to replace the default SSL Certificate and Private Key with ones tailored for your new address.
15.8.1 Generating an encryption key
To create a 1024 bit RSA key protected by a passphrase, issue the following command on the command line of a Linux host with the openssl utility installed:
openssl genrsa -des3 -out ssl_key.pem 1024
A passphrase-protected key is only useful as an intermediate step on your host: sslwrap is started on demand by inetd and has no terminal on which to prompt for the passphrase, so the key installed on the unit must be stored unencrypted (the command in 15.8.2 creates such a key directly with -nodes). Note also that 1024-bit RSA keys are no longer considered adequate against a well-resourced attacker; use a 2048-bit or larger key by replacing 1024 with 2048 in the commands that follow.
15.8.2 Generating a self-signed certificate with OpenSSL
This example shows how to use OpenSSL to create a self-signed certificate. OpenSSL is available for most Linux distributions via the default package management mechanism. (Windows users can check http://www.openssl.org/related/binaries.html)
To create a 1024 bit RSA key and a self-signed certificate in one step, issue the following openssl command from the host you have openssl installed on:
openssl req -x509 -nodes -days 1000 \
-newkey rsa:1024 -keyout ssl_key.pem -out ssl_cert.pem
The -nodes option writes the private key unencrypted, which is what the inetd-launched sslwrap requires, and -days 1000 sets how long the certificate remains valid. You will be prompted to enter a lot of information. Most of it doesn't matter, but the "Common Name" should be the fully qualified domain name (or IP address) that users will type into their browser (e.g. test.blackbox.com); any mismatch causes a certificate warning on every connection. Be aware that current browsers match the host name against the certificate's Subject Alternative Name extension rather than the Common Name, so a certificate made with this command alone will still produce a name-mismatch warning in them even after you have imported it into the browser's trust store. When you have entered everything, the certificate will be created in a file called ssl_cert.pem and the private key in ssl_key.pem.
15.8.3 Installing the key and certificate
We recommend that you use an SCP (Secure Copy Protocol) client to copy files securely to the console server unit. The scp utility is distributed with OpenSSH for most Unix distributions, while Windows users can use something like the PSCP command line utility available with PuTTY.
You can install remotely the files created in the steps above with the scp utility as follows:
scp ssl_key.pem root@<address of unit>:/etc/config/
scp ssl_cert.pem root@<address of unit>:/etc/config/
Remember that ssl_key.pem is the unit's private key: keep the copy on your host readable only by you (or delete it once it is installed), and never send it over a channel other than SCP.
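The three steps above (generate the key, generate the self-signed certificate, install both with scp) as one script. This is an added example and is not part of the Black Box manual or of the console server firmware. It departs from the manual's commands in two ways a practitioner would want: it generates a 2048-bit key rather than a 1024-bit one, and it places the host name in the certificate's subjectAltName (which browsers check) as well as in the Common Name, using a small req config file so that it also works on OpenSSL releases older than 1.1.1. It also refuses a passphrase-protected key, because sslwrap started from inetd cannot supply the passphrase. The host name test.blackbox.com, the key size, the validity period and the temporary output directory are assumptions; the scp destination is the /etc/config/ directory the manual gives.

```shell
#!/bin/sh
# Added example, not from the Black Box manual: generate an RSA key and a
# self-signed certificate for the console server's sslwrap/fnord web server,
# check them, and install them with scp. Host name, key size and output
# directory are assumptions; the scp destination is the manual's /etc/config/.
set -eu

# gen_cert DIR HOST [DAYS] [BITS]
# Writes DIR/ssl_key.pem (unencrypted, via -nodes) and DIR/ssl_cert.pem.
# A small req config puts HOST in both the Common Name and a DNS
# subjectAltName; browsers validate the latter. Using a config file instead
# of -addext keeps this working on OpenSSL releases before 1.1.1.
gen_cert() {
  dir=$1; host=$2; days=${3:-1000}; bits=${4:-2048}
  cat > "$dir/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
CN = $host
[ext]
subjectAltName = DNS:$host
EOF
  openssl req -x509 -nodes -sha256 -days "$days" \
    -newkey "rsa:$bits" -keyout "$dir/ssl_key.pem" -out "$dir/ssl_cert.pem" \
    -config "$dir/req.cnf" 2>/dev/null
  chmod 600 "$dir/ssl_key.pem"   # private key: owner-readable only
}

# key_unencrypted FILE -> 0 if the PEM key carries no passphrase.
# A key made with "genrsa -des3" contains an ENCRYPTED marker; sslwrap
# launched from inetd has no terminal on which to prompt for the passphrase,
# so such a key must not be installed on the unit.
key_unencrypted() {
  ! grep -q ENCRYPTED "$1"
}

# cert_cn DIR -> prints the certificate's Common Name.
cert_cn() {
  openssl x509 -noout -subject -in "$1/ssl_cert.pem" | sed 's/.*CN *= *//'
}

# cert_ok DIR HOST -> 0 if the pair is installable for HOST: the key is
# unencrypted, key and certificate share one RSA modulus, HOST appears as a
# DNS SAN, and the self-signed certificate verifies against itself.
cert_ok() {
  dir=$1; host=$2
  key_unencrypted "$dir/ssl_key.pem" || return 1
  cm=$(openssl x509 -noout -modulus -in "$dir/ssl_cert.pem")
  km=$(openssl rsa -noout -modulus -in "$dir/ssl_key.pem" 2>/dev/null)
  [ "$cm" = "$km" ] || return 1
  openssl x509 -noout -text -in "$dir/ssl_cert.pem" | grep -qF "DNS:$host" || return 1
  openssl verify -CAfile "$dir/ssl_cert.pem" "$dir/ssl_cert.pem" >/dev/null 2>&1
}

# install_cert DIR UNIT: copy both files to the unit over SCP, as in 15.8.3.
install_cert() {
  scp "$1/ssl_key.pem" "$1/ssl_cert.pem" "root@$2:/etc/config/"
}

# Usage: sh make_cert.sh HOST UNIT_ADDRESS   (e.g. test.blackbox.com 192.0.2.10)
if [ $# -eq 2 ]; then
  out=$(mktemp -d)
  gen_cert "$out" "$1"
  cert_ok "$out" "$1"
  echo "installing certificate for $(cert_cn "$out") on $2"
  install_cert "$out" "$2"
fi
```

Run it as `sh make_cert.sh test.blackbox.com <address of unit>`; it stops before the scp step if any check in cert_ok fails, so a key that was accidentally generated with -des3, or a certificate whose host name does not match what users will type, never reaches the unit.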