Access Security Guide K/KA/KB.15.15

9 Secure web management
Configuration summary
1. Assign a login (operator) and enable (manager) password on the switch.
2. Install a web certificate on the switch.
3. Enable SSL on the switch.
Assigning a local login (operator) and enabling (manager) password
At a minimum, HP recommends that you always assign at least a manager password to the switch.
Otherwise, under some circumstances, anyone with Telnet, web, or serial port access could modify
the switch’s configuration.
Using the WebAgent to configure local passwords
You can configure both the operator and manager password in the WebAgent.
Installing the switch's server web host certificate
You must install a server certificate on the switch before enabling web management over SSL/TLS.
The switch uses this server certificate, along with a dynamically generated session key pair, to
negotiate an encryption method and session with a browser trying to connect via SSL to the switch.
The session key pair is not visible on the switch; rather, it is a temporary, internally generated pair
used for a particular switch/client session and then discarded.
When you install a new certificate on the switch, the switch places the key and certificate in flash
memory. The switch maintains the certificate across reboots and power cycles.
Removing the switch's web certificate renders the switch unable to engage in secure web operation
and automatically disables web management over SSL on the switch.
There are two types of certificate that can be used for the switch’s host certificate:
• Self-signed certificate
• Authority-signed certificate
Self-signed certificate
Self-signed certificates are generated and digitally signed by the switch utilizing the same key used
to create the certificate. Self-signed certificates are not signed by a certificate authority (CA), so
they cannot be traced to a trusted root such as a Trust Anchor or CA. A self-signed certificate
allows the communication connection to be encrypted but not authenticated. There is no guarantee
on the behavior of a browser when using a self-signed certificate; see the table below for examples
of operating system and browser compatibility.
NOTE: Our self-signed certificates are signed with sha256withRSAEncryption. Administrators
do not have the choice between sha1withRSAEncryption and sha256withRSAEncryption
for self-signed certificates. This can affect or limit your ability to upgrade to K.15.14 and above.
Table 25 Self-signed certificate browser compatibility
Operating System    Browsers
                    Google Chrome
Windows 7           Internet Explorer
Windows Vista       Internet Explorer 7+
Windows XP SP3      Internet Explorer 7+
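
The following is an added example, not part of the HP guide: a way to check from a management workstation whether a saved web host certificate is self-signed or authority-signed, and which signature algorithm it carries (the property the NOTE above describes). It assumes the openssl command-line tool is installed; the host name, CA name and file names are hypothetical, and the sample certificates are constructed locally.

```shell
#!/usr/bin/env bash
# Added example: classify a PEM certificate as self-signed or CA-issued
# and report its signature algorithm. Requires the openssl CLI.

# Print the signature algorithm of the PEM certificate in $1.
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text |
    awk -F': ' '/Signature Algorithm/ { print $2; exit }'
}

# Succeed only if $1 is self-signed: subject equals issuer AND the
# signature verifies under the certificate's own public key.
is_self_signed() {
  local subj iss
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
  [ "$subj" = "$iss" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Print "<type> <algorithm>" for the certificate in $1.
classify_cert() {
  if is_self_signed "$1"; then
    printf 'self-signed %s\n' "$(cert_sig_alg "$1")"
  else
    printf 'ca-issued %s\n' "$(cert_sig_alg "$1")"
  fi
}

# Constructed sample data written into directory $1: one self-signed
# certificate and one certificate issued by a throwaway lab CA.
make_samples() {
  local d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj '/CN=switch.example' -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj '/CN=Example Lab CA' -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=switch.example' \
    -keyout "$d/sw.key" -out "$d/sw.csr" 2>/dev/null
  openssl x509 -req -in "$d/sw.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -sha256 -days 1 -out "$d/signed.pem" 2>/dev/null
}
```

OpenSSL prints the algorithm as sha256WithRSAEncryption, so compare it case-insensitively against the spelling used in the NOTE.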