Configuring Secure Socket Layer (SSL)
Configuring the Switch for SSL Operation
N o t e
Before enabling SSL on the switch you must generate the switch’s host
certificate and key. If you have not already done so, refer to “2. Generating the
Switch’s Server Host Certificate” on page 8-8.
When configured for SSL, the switch uses its host certificate to authenticate
itself to SSL clients, however unless you disable the standard ProCurve web
browser interface with the
no web-management
command it will be still avail
able for unsecured transactions.
SSL Client Contact Behavior.
At the first contact between the switch and
an SSL client, if you have not copied the switch’s host certificate into the
browser’s certificate folder, your browser’s first connection to the switch will
question the connection and, for security reasons, give you the option of
accepting or refusing. If a CA-signed certificate is used on the switch, for which
a root certificate exists on the client browser side, then the browser will NOT
prompt the user to ensure the validity of the certificate. The browser will be
able to verify the certificate chain of the switch server certificate up to the
root certificate installed in the browser, thus authenticating the switch
unequivocally. As long as you are confident that an unauthorized device is not
using the switch’s IP address in an attempt to gain access to your data or
network, you can accept the connection.
N o t e
When an SSL client connects to the switch for the first time, it is possible for
a “man-in-the-middle” attack; that is, for an unauthorized device to pose
undetected as the switch, and learn the usernames and passwords controlling
access to the switch. When using self-signed certificates with the switch, there
is a possibility for a “man-in-the-middle” attack when connecting for the first
time; that is, an unauthorized device could pose undetected as a switch, and
learn the usernames and passwords controlling access to the switch. Use
caution when connecting for the first time to a switch using self-signed
certificates. Before accepting the certificate, closely verify the contents of the
certificate (see browser documentation for additional information on viewing
contents of certificate).
The security concern described above does not exist when using CA-signed
certificates that have been generated by certificate authorities that the web
browser already trusts
8-18
Содержание PROCURVE 2910AL
Страница 1: ...Access Security Guide ProCurve Switches W 14 03 2910al www procurve com ...
Страница 2: ......
Страница 3: ...HP ProCurve 2910al Switch February 2009 W 14 03 Access Security Guide ...
Страница 84: ...Configuring Username and Password Security Front Panel Security 2 36 ...
Страница 156: ...TACACS Authentication Operating Notes 4 30 ...
Страница 288: ...Configuring Secure Socket Layer SSL Common Errors in SSL setup 8 22 ...
Страница 416: ...Configuring Advanced Threat Protection Using the Instrumentation Monitor 10 28 ...
Страница 516: ...Configuring Port Based and User Based Access Control 802 1X Messages Related to 802 1X Operation 12 76 ...
Страница 527: ...Configuring and Monitoring Port Security Port Security Figure 13 4 Examples of Show Mac Address Outputs 13 11 ...
Страница 572: ...Using Authorized IP Managers Operating Notes 14 14 ...
Страница 592: ...12 Index ...
Страница 593: ......
Страница 594: ... Copyright 2009 Hewlett Packard Development Company L P February 2009 Manual Part Number 5992 5439 ...