9-13
Configuring Secure Socket Layer (SSL)
Configuring the Switch for SSL Operation
3. Enabling SSL on the Switch and Anticipating SSL
Browser Contact Behavior
T
he
web-management ssl
command enables SSL on the switch and modifies
parameters the switch uses for transactions with clients. After you enable SSL,
the switch can authenticate itself to SSL enabled browsers. If you want to
disable SSL on the switch, use the
no web-management ssl
command.
N o t e
Before enabling SSL on the switch you must generate the switch’s host
certificate and key. If you have not already done so, refer to “2. Generating the
Switch’s Server Host Certificate” on page 9-6.
When configured for SSL, the switch uses its host certificate to authenticate
itself to SSL clients, however unless you disable the standard HP WebAgent
with the
no web-management
command it will be still available for unsecured
transactions.
SSL Client Contact Behavior.
At the first contact between the switch and
an SSL client, if you have not copied the switch’s host certificate into the
browser’s certificate folder, your browser’s first connection to the switch will
question the connection and, for security reasons, give you the option of
accepting or refusing. If a CA-signed certificate is used on the switch, for which
a root certificate exists on the client browser side, then the browser will NOT
prompt the user to ensure the validity of the certificate. The browser will be
able to verify the certificate chain of the switch server certificate up to the
root certificate installed in the browser, thus authenticating the switch
unequivocally. As long as you are confident that an unauthorized device is not
using the switch’s IP address in an attempt to gain access to your data or
network, you can accept the connection.
N o t e
When an SSL client connects to the switch for the first time, it is possible for
a “man-in-the-middle” attack; that is, for an unauthorized device to pose
undetected as the switch, and learn the usernames and passwords controlling
access to the switch. When using self-signed certificates with the switch, there
is a possibility for a “man-in-the-middle” attack when connecting for the first
time; that is, an unauthorized device could pose undetected as a switch, and
learn the usernames and passwords controlling access to the switch. Use
caution when connecting for the first time to a switch using self-signed
certificates. Before accepting the certificate, closely verify the contents of the
certificate (see browser documentation for additional information on viewing
contents of certificate).
Summary of Contents for E3800 Series
Page 2: ......
Page 3: ...HP Networking E3800 Switches Access Security Guide September 2011 KA 15 03 ...
Page 30: ...xxviii ...
Page 86: ...2 36 Configuring Username and Password Security Password Recovery ...
Page 186: ...4 72 Web and MAC Authentication Client Status ...
Page 364: ...8 32 Configuring Secure Shell SSH Messages Related to SSH Operation ...
Page 510: ...10 130 IPv4 Access Control Lists ACLs General ACL Operating Notes ...
Page 548: ...11 38 Configuring Advanced Threat Protection Using the Instrumentation Monitor ...
Page 572: ...12 24 Traffic Security Filters and Monitors Configuring Traffic Security Filters ...
Page 730: ...20 Index ...
Page 731: ......