Sunday, February 19, 2012

HP A-Series / H3C / Comware HTTPS howto with Microsoft CA 2008

Like most leading switching vendors, Comware has an HTTPS management interface. Unlike some of those vendors, Comware's web interface actually lets you do a whole lot of core configuration besides applying macros to interfaces.
That said, Comware-based switches have no provision for creating self-signed certificates. Some are flustered by this shortcoming, usually the same folks who get a false sense of security just from typing https:// instead of http:// and who don't understand that it takes 5 seconds to fire up an MITM tool with HTTPS support to intercept the credentials, because a browser cannot tell a self-signed certificate apart from the one the MITM tool presents. A certificate issued by a CA that your management hosts actually trust is what closes that gap.
This article is a short howto on using a Microsoft Windows 2008 CA to issue certificates to HP Comware-based switches automatically through SCEP (the NDES role, which answers at the mscep.dll URL used below), including the Comware configuration needed to get this going.
Before we begin, let's make sure NTP is correctly set up and that your switches are reasonably in sync with the CA's time. This isn't a requirement per se, but the switch will refuse CA certificates whose issuance time lies in the future.
1) Configure the PKI entity, which defines the parameters for the switch itself (the subject that will go into its certificate request).
#
pki entity a5120
  common-name a5120.mforelab.com
  country CA
#

2) Configure the PKI domain, which defines the parameters for your CA. The request URL is plain http://, which is normal for SCEP (the enrollment messages are themselves signed and encrypted), but it also means the CA certificate retrieval in the next step is unauthenticated. `crl check disable` switches off revocation checking for this domain; that is acceptable in a lab, but revisit it if the domain is later used to validate peer certificates.
#
pki domain mforelab
  ca identifier win2k8
  certificate request url http://10.1.4.65/certsrv/mscep/mscep.dll
  certificate request from ra
  certificate request entity a5120
  crl check disable
#


3) Request the CA certificate through SCEP. The fingerprint prompt is the only thing protecting you from a substituted CA certificate on this plain-HTTP exchange, so compare it against the CA's real certificate (obtained from the CA itself, not from the same URL) before answering Y.
[A5120-24G-PoE+]pki retrieval-certificate ca domain mforelab
The trusted CA's finger print is:
    MD5  fingerprint:E27E 2F32 9ADF B410 C5C1 12B9 2A45 5DA7
    SHA1 fingerprint:4AD6 5188 2394 441F 66F7 65B8 0D41 EB89 1CB8 7FB8

Is the finger print correct?(Y/N):Y

Saving CA/RA certificates chain, please wait a moment......
%Feb 19 21:46:44:336 2012 A5120-24G-PoE+ PKI/6/PKI_CA_CERT_TRUSTED: Root CA certificate of the domain mforelab is trusted.....
CA certificates retrieval success.
%Feb 19 21:46:49:064 2012 A5120-24G-PoE+ PKI/6/PKI_RETRIEVAL_CA_SUCC: Retrieved the CA certificates of domain mforelab successfully.
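To make that comparison without squinting at a certificate MMC snap-in, here is a small Python 3 script added for this howto (it is not part of the original post and not an HP or Microsoft tool). It prints the MD5 and SHA1 fingerprints of a CA certificate in the same grouping the switch shows above, taking either a certificate file exported on the CA (for example with `certutil -ca.cert ca.cer`) or the PKCS#7 bundle NDES returns to a SCEP GetCACert request at the mscep URL from the pki domain above. The DER walker only needs to pull the certificate elements out of the bundle; the `constructed_bundle` helper builds a bogus SignedData of the same shape for testing and its contents are constructed, not real certificates. Because GetCACert itself runs over plain HTTP, feeding the script a file exported directly on the CA is the stronger check.

```python
"""Show the MD5/SHA1 fingerprints of a CA certificate in the layout Comware prints
during 'pki retrieval-certificate ca', so the operator can check the switch's prompt
against a copy of the CA certificate obtained through another channel."""
import base64
import hashlib
import re
import sys
import urllib.request

OID_SIGNED_DATA = bytes.fromhex("2A864886F70D010702")   # 1.2.840.113549.1.7.2 (signedData)
OID_DATA = bytes.fromhex("2A864886F70D010701")          # 1.2.840.113549.1.7.1 (data)

def format_fingerprint(hexdigest: str) -> str:
    """'e27e2f32...' -> 'E27E 2F32 ...', the grouping Comware uses."""
    h = hexdigest.upper()
    return " ".join(h[i:i + 4] for i in range(0, len(h), 4))

def fingerprints(der: bytes) -> dict:
    """Fingerprints are hashes over the complete DER encoding of the certificate."""
    return {"MD5": format_fingerprint(hashlib.md5(der).hexdigest()),
            "SHA1": format_fingerprint(hashlib.sha1(der).hexdigest())}

# --- a minimal DER TLV walker, just enough to dig certificates out of a PKCS#7 bundle ---
def der_read(buf: bytes, pos: int = 0):
    """Return (tag, value, position after the element) for the TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_children(value: bytes):
    """Yield (tag, value, raw_tlv) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, nxt = der_read(value, pos)
        yield tag, val, value[pos:nxt]
        pos = nxt

def pkcs7_certificates(blob: bytes) -> list:
    """Return the raw DER certificates from a degenerate PKCS#7 SignedData, which is
    what NDES sends for GetCACert when an RA is in play (CA and RA certs together).
    Returns [] when blob is not a SignedData ContentInfo (e.g. a bare certificate)."""
    try:
        tag, content_info, _ = der_read(blob)
        kids = list(der_children(content_info))
        if tag != 0x30 or len(kids) != 2 or kids[0][0] != 0x06 or kids[0][1] != OID_SIGNED_DATA:
            return []
        _, signed_data, _ = der_read(kids[1][1])       # [0] EXPLICIT wraps the SignedData SEQUENCE
        for t, v, _ in der_children(signed_data):
            if t == 0xA0:                              # certificates [0] IMPLICIT SET OF Certificate
                return [raw for ct, _, raw in der_children(v) if ct == 0x30]
    except IndexError:
        pass
    return []

def load_certs(data: bytes) -> list:
    """Accept PEM (one or more CERTIFICATE blocks), a bare DER certificate, or a
    DER PKCS#7 bundle; return a list of DER certificates."""
    if b"-----BEGIN CERTIFICATE-----" in data:
        blocks = re.findall(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
        return [base64.b64decode(b"".join(b.split())) for b in blocks]
    return pkcs7_certificates(data) or [data]

def fetch_scep_ca(mscep_url: str) -> bytes:
    """SCEP GetCACert (RFC 8894) against an NDES URL such as the one in the pki domain.
    Plain HTTP and unauthenticated, which is exactly why the fingerprint must be cross-checked."""
    with urllib.request.urlopen(mscep_url + "?operation=GetCACert&message=ca", timeout=10) as r:
        return r.read()

# --- constructed test data: a bogus SignedData shaped like the NDES answer ---
def der_encode(tag: int, payload: bytes) -> bytes:
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def constructed_bundle(certs: list) -> bytes:
    """Wrap DER blobs in a degenerate SignedData (no signers), as GetCACert returns them."""
    signed = (der_encode(0x02, b"\x01")                           # version
              + der_encode(0x31, b"")                              # digestAlgorithms (empty)
              + der_encode(0x30, der_encode(0x06, OID_DATA))       # encapContentInfo: id-data
              + der_encode(0xA0, b"".join(certs))                  # certificates [0]
              + der_encode(0x31, b""))                             # signerInfos (empty)
    return der_encode(0x30, der_encode(0x06, OID_SIGNED_DATA) + der_encode(0xA0, der_encode(0x30, signed)))

if __name__ == "__main__":
    # argument: a file (DER, PEM or DER .p7b) or the mscep URL; defaults to the URL from the pki domain
    src = sys.argv[1] if len(sys.argv) > 1 else "http://10.1.4.65/certsrv/mscep/mscep.dll"
    raw = fetch_scep_ca(src) if src.startswith("http") else open(src, "rb").read()
    for i, der in enumerate(load_certs(raw), 1):
        fp = fingerprints(der)
        print(f"Certificate {i} ({len(der)} DER bytes)")
        print(f"    MD5  fingerprint:{fp['MD5']}")
        print(f"    SHA1 fingerprint:{fp['SHA1']}")
```

When run against the mscep URL the output lists every certificate in the bundle (NDES returns the CA certificate together with its RA certificates), so one of the printed lines must match "The trusted CA's finger print" on the switch exactly; if none does, answer N and find out why before going any further.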

4) Comware does not support the SCEP challenge password, so on Windows Server 2008 you have to set the following registry value to 0 (on 2003 it is an actual configuration option) and then restart IIS so that NDES picks up the change:
HKLM\Software\Microsoft\Cryptography\MSCEP\EnforcePassword\EnforcePassword
Be aware of what this buys you: with the challenge disabled, anyone who can reach the mscep URL can enroll a certificate from the template NDES is configured to issue. Restrict access to that URL to the switch management network, or set the value back to 1 once your switches are enrolled.

5) Let's request the certificate. The first attempt shows what happens if your Windows CA is still enforcing the challenge password; the second, successful one is with the SCEP password disabled through the registry entry above (don't forget to restart the services; that's why I got the failure on the first try).

[A5120-24G-PoE+]pki request-certificate domain mforelab
Certificate is being requested, please wait......
[A5120-24G-PoE+]
Enrolling the local certificate,please wait a while......
Certificate request failed.

### ... forgot to restart the darn CA service after regedit - here we go again ###
[A5120-24G-PoE+]pki request-certificate domain mforelab
Certificate is being requested, please wait......
[A5120-24G-PoE+]
Enrolling the local certificate,please wait a while......
Certificate request Successfully!
Saving the local certificate to device......
Done!

%Feb 19 21:53:26:224 2012 A5120-24G-PoE+ PKI/6/PKI_REQUEST_CERT_SUCC: Requested the local certificate of domain mforelab successfully.
[A5120-24G-PoE+]

6) Configure the SSL server policy, bind it to the HTTPS service and enable HTTPS.
#
ssl server-policy sslswitch
 pki-domain mforelab
#
 ip https ssl-server-policy sslswitch
 ip https enable
#

Don't forget that you must install the issuing CA's certificate in the trusted root store of the machines you plan to manage your Comware environment from, and that you need A records in DNS (or static hosts-file entries) for all the managed devices, so that the name you type into the browser matches the common-name the switch put into its certificate; browsing to the IP address will still produce a name-mismatch warning even though the chain is trusted.
