RDL-3000 FAMILY USER MANUAL 70-00158-03-00
Proprietary Redline Communications © 2015 | Page 163 of 254 | April 17, 2015
6.5 HTTPS (SSL) for Secure Web
HTTPS is an optional purchased feature enabled by the options key. HTTPS uses authentication and encryption to provide secure access over an unsecured network. When HTTPS is required, the insecure access methods (Telnet and HTTP) should be disabled.
Out-of-Box Operation
HTTPS is disabled by (factory) default and is activated by installing an options key that is enabled for HTTPS. For out-of-box operation, an embedded certificate is pre-loaded on the radio. The operator can load a permanent externally generated key.
The embedded certificate is identical for all radios and is intended only for initial system configuration. Use of the embedded certificate does not provide a secure solution. It is strongly recommended to load a unique, user-generated certificate and private/public key files before using the HTTPS feature in a production environment.
When using the embedded certificate, the browser may display security warnings (e.g., "The security certificate presented was not issued by a trusted certificate authority" or "The security certificate presented was issued for a different website address"). These messages do not interfere with operation, and the operator has full access to the secure Web interface.
Enabling HTTPS (SSL)
HTTPS (SSL) is disabled by (factory) default. Use the following steps to enable HTTPS.
Use Embedded (Temporary) Key
For out-of-box operation, a temporary embedded certificate is loaded on reboot.
1. Use the CLI or Web interface to enable HTTPS:
   Web interface: Configuration screen -> Ethernet: HTTPS Enable
   CLI command: set https on
2. Save the configuration to activate the changes.
3. Verify the radio is accessible using HTTPS, and then use the CLI or Web interface to disable HTTP and Telnet.
To access the radio using HTTPS, the URL entered in the Web browser must specify 'https' or directly reference port 443.
Example: to access the radio when HTTPS is enabled (default IP shown):
http://192.168.25.2:443/ (operator specifies port 443)
https://192.168.25.2/ (Web browser defaults to port 443)
Use Operator Generated (Permanent) Certificate
The operator can load a permanent externally generated key.
1. Use a commercially available tool to create the certificate and key files. A TFTP server is required to load the certificate and key files.
   The certificate file must conform to the following:
   - Maximum file size is 1400 bytes
   - Subject must match the access method (e.g., IP or name)
   - Filename must be formatted as follows: ssl_cert_<mac>.pem
   The SSL (RSA) key file must conform to the following:
   - Maximum 2048 bits
   - Filename must be formatted as follows: ssl_key_<mac>.pem
   The selected tool must create a file that conforms to the following:
   - Maximum key size is 2048 bits
   - Key filename must be in the following format: dsa_key_<mac>.pem
2. Use a TFTP server to load the key file into the radio (option 2 only).
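The following script is an added example, not Redline tooling, showing one way to produce the operator-generated certificate and key with the OpenSSL command-line tool and to check them against the limits stated above before loading them over TFTP: certificate file no larger than 1400 bytes, RSA key no larger than 2048 bits, subject matching the address used to reach the radio, and the ssl_cert_<mac>.pem / ssl_key_<mac>.pem filenames. It assumes the openssl CLI (1.1.1 or later, for -addext) is installed, uses the manual's default IP 192.168.25.2, and uses a placeholder MAC; how the radio expects <mac> to be written is not specified on this page, so substitute the radio's actual value.

```shell
#!/bin/sh
# Added example (not Redline's tooling): create an operator-generated
# certificate/key pair for the radio and check it against the limits the
# manual states (cert <= 1400 bytes, RSA key <= 2048 bits, subject = access
# address, ssl_cert_<mac>.pem / ssl_key_<mac>.pem filenames).
set -eu

# Assumed values: the manual's default IP and a placeholder MAC (replace with
# the radio's actual MAC, written the way the radio expects it).
RADIO_IP="${RADIO_IP:-192.168.25.2}"
RADIO_MAC="${RADIO_MAC:-001122334455}"
KEY_BITS=2048        # manual: maximum key size 2048 bits
MAX_CERT_BYTES=1400  # manual: maximum certificate file size 1400 bytes

# make_radio_cert OUTDIR IP MAC: writes OUTDIR/ssl_key_<mac>.pem and
# OUTDIR/ssl_cert_<mac>.pem, a self-signed cert whose CN and SAN are the IP
# operators will type into the browser, so the browser's address check passes.
make_radio_cert() {
    outdir=$1; ip=$2; mac=$3
    key="$outdir/ssl_key_$mac.pem"
    cert="$outdir/ssl_cert_$mac.pem"
    openssl genrsa -out "$key" "$KEY_BITS" 2>/dev/null
    # A minimal subject keeps the PEM well under the 1400-byte limit.
    openssl req -new -x509 -sha256 -key "$key" -out "$cert" -days 3650 \
        -subj "/CN=$ip" -addext "subjectAltName=IP:$ip" 2>/dev/null
    printf '%s\n%s\n' "$key" "$cert"
}

# check_radio_files CERT KEY MAC IP: returns 0 when every constraint holds,
# 1 otherwise, printing each violation. Run this before loading via TFTP.
check_radio_files() {
    cert=$1; key=$2; mac=$3; ip=$4; ok=0
    case "$(basename "$cert")" in
        "ssl_cert_$mac.pem") ;;
        *) echo "cert filename must be ssl_cert_$mac.pem"; ok=1 ;;
    esac
    case "$(basename "$key")" in
        "ssl_key_$mac.pem") ;;
        *) echo "key filename must be ssl_key_$mac.pem"; ok=1 ;;
    esac
    size=$(wc -c < "$cert" | tr -d ' ')
    [ "$size" -le "$MAX_CERT_BYTES" ] \
        || { echo "cert is $size bytes (limit $MAX_CERT_BYTES)"; ok=1; }
    # "Private-Key: (2048 bit" appears in both OpenSSL 1.1 and 3.x output
    bits=$(openssl rsa -in "$key" -noout -text 2>/dev/null \
           | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p')
    [ "${bits:-0}" -gt 0 ] && [ "$bits" -le "$KEY_BITS" ] \
        || { echo "key is ${bits:-unreadable} bits (limit $KEY_BITS)"; ok=1; }
    # The subject must carry the address used to reach the radio.
    openssl x509 -in "$cert" -noout -subject 2>/dev/null | grep -q "$ip" \
        || { echo "cert subject does not contain $ip"; ok=1; }
    return $ok
}

# Stand-alone run: generate into a temporary directory and report.
OUT=$(mktemp -d)
make_radio_cert "$OUT" "$RADIO_IP" "$RADIO_MAC" >/dev/null
if check_radio_files "$OUT/ssl_cert_$RADIO_MAC.pem" "$OUT/ssl_key_$RADIO_MAC.pem" \
        "$RADIO_MAC" "$RADIO_IP"; then
    echo "files in $OUT conform; load them with a TFTP server"
fi
```

A 2048-bit self-signed certificate with only a CN and an IP subjectAltName comes out around 1.1 to 1.2 KB of PEM, so it fits the 1400-byte limit; adding organisation fields or a long DNS name to the subject is what pushes a file over it, which is why the size check runs before anything is copied to the TFTP server. If the radio is reached by hostname rather than IP, put that name in the CN and use subjectAltName=DNS:<name> instead.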