Access Security Guide K/KA/KB.15.15

To enable SSL on the switch:
1. Install a web certificate if you have not already done so.
2. Execute the web-management ssl command.
To disable SSL on the switch, do either of the following:
- Execute [no] web-management ssl.
- Remove the switch's host certificate or certificate key.
Overview
HP Switches use SSLv3, TLS v1.0, TLS v1.1, and TLS v1.2 to provide secure web access.
HP Switches use SSL/TLS for all secure web transactions, and all references to SSL mean
one of these protocols unless otherwise noted.
HP Switches use RSA public-key algorithms and Diffie-Hellman, and all references to a key
mean keys generated using these algorithms unless otherwise noted.
SSL provides all the web functions but, unlike standard web access, SSL provides encrypted,
authenticated transactions. The authentication type includes server certificate authentication
with user password authentication.
The certificate key pair is not to be confused with the SSH key. The certificate key and the SSH
key are independent of each other.
NOTE: For the 5400zl and 8200zl switches, when the switch is in enhanced secure mode, the
SSL server will not allow protocol versions lower than TLS 1.0. For more information, see “Secure
Mode (3800, 5400zl, and 8200zl Switches)” (page 498).
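The following is an added example, not part of the HP guide: a Python audit helper that checks which of the protocol versions listed above a switch's web-management port actually negotiates, and flags SSLv3 on a switch that is supposed to be in enhanced secure mode. The function names, the host/port parameters, and the result labels are assumptions made for this illustration.

```python
import socket
import ssl

GUIDE_VERSIONS = ("SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2")  # listed in the guide
DEPRECATED = {"SSLv3": "RFC 7568", "TLSv1": "RFC 8996", "TLSv1_1": "RFC 8996"}

def pinned_context(name):
    """Client context offering only `name`; None if local OpenSSL lacks it."""
    if not getattr(ssl, "HAS_" + name):
        return None
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # this probe only looks at versions;
    ctx.verify_mode = ssl.CERT_NONE  # validate the certificate separately
    try:
        if name == "SSLv3":
            ctx.options &= ~ssl.OP_NO_SSLv3  # Python disables SSLv3 by default
        if name != "TLSv1_2":
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # needed for legacy versions
        ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion[name]
    except (ValueError, ssl.SSLError):
        return None
    return ctx

def probe(host, port=443, timeout=5.0):
    """Map each guide-listed version to accepted / rejected / untestable."""
    results = {}
    for name in GUIDE_VERSIONS:
        ctx = pinned_context(name)
        if ctx is None:
            results[name] = "untestable"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                ctx.wrap_socket(raw, server_hostname=host).close()
            results[name] = "accepted"
        except (ssl.SSLError, ConnectionResetError):
            results[name] = "rejected"
    return results

def findings(results, enhanced_secure_mode=False):
    """Follow-up notes; enhanced secure mode must refuse versions below TLS 1.0."""
    notes = []
    for name, state in results.items():
        if state == "untestable":
            notes.append(f"{name}: local OpenSSL cannot offer it; probe from another client")
        elif state == "accepted" and name == "SSLv3" and enhanced_secure_mode:
            notes.append("SSLv3: accepted, but enhanced secure mode should refuse it")
        elif state == "accepted" and name in DEPRECATED:
            notes.append(f"{name}: accepted, deprecated by {DEPRECATED[name]}")
    return notes
```

Run probe() against a switch you administer and pass the result to findings(); most current OpenSSL builds ship without SSLv3, so that version is usually reported as untestable rather than rejected.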
Server certificate authentication with user password authentication
This is a subset of full certificate authentication of the user and host, only available when the switch
has SSL enabled. As in Figure 180 (page 258), the switch authenticates itself to an SSL-enabled web
browser, creating a secure SSL/TLS connection. Users on the SSL browser then authenticate themselves
to the switch (operator and manager levels) by providing passwords stored locally on the switch
or on a TACACS+ or RADIUS server. However, the client does not use a certificate to authenticate
itself to the switch.
Figure 180 Switch/user authentication
258 Secure web management