Chapter 9 Configuring Switch-Based Authentication

Configuring the Switch for Secure Socket Layer HTTP

Use the no crypto ca trustpoint name global configuration command to delete all identity information and certificates associated with the CA.

Configuring the Secure HTTP Server

If you are using a certificate authority for certification, you should use the previous procedure to configure the CA trustpoint on the switch before enabling the HTTP server. If you have not configured a CA trustpoint, a self-signed certificate is generated the first time that you enable the secure HTTP server. After you have configured the server, you can configure options (path, access list to apply, maximum number of connections, or timeout policy) that apply to both standard and secure HTTP servers.

Beginning in privileged EXEC mode, follow these steps to configure a secure HTTP server:

 

Command

Purpose

Step 1

 

 

show ip http server status

(Optional) Display the status of the HTTP server to determine if the secure

 

 

HTTP server feature is supported in the software. You should see one of

 

 

these lines in the output:

 

 

HTTP secure server capability: Present

 

 

or

 

 

HTTP secure server capability: Not present

Step 2

 

 

configure terminal

Enter global configuration mode.

Step 3

 

 

ip http secure-server

Enable the HTTPS server if it has been disabled. The HTTPS server is

 

 

enabled by default.

Step 4

 

 

ip http secure-port port-number

(Optional) Specify the port number to be used for the HTTPS server. The

 

 

default port number is 443. Valid options are 443 or any number in the

 

 

range 1025 to 65535.

Step 5

 

 

ip http secure-ciphersuite

(Optional) Specify the CipherSuites (encryption algorithms) to be used

 

{[3des-ede-cbc-sha][rc4-128-md5]

for encryption over the HTTPS connection. If you do not have a reason to

 

[rc4-128-sha][des-cbc-sha]}

specify a particularly CipherSuite, you should allow the server and client

 

 

to negotiate a CipherSuite that they both support. This is the default.

Step 6

 

 

ip http secure-client-auth

(Optional) Configure the HTTP server to request an X.509v3 certificate

 

 

from the client for authentication during the connection process. The

 

 

default is for the client to request a certificate from the server, but the

 

 

server does not attempt to authenticate the client.

Step 7

 

 

ip http secure-trustpoint name

Specify the CA trustpoint to use to get an X.509v3 security certificate and

 

 

to authenticate the client certificate connection.

 

 

Note Use of this command assumes you have already configured a CA

 

 

trustpoint according to the previous procedure.

Step 8

 

 

ip http path path-name

(Optional) Set a base HTTP path for HTML files. The path specifies the

 

 

location of the HTTP server files on the local system (usually located in

 

 

system flash memory).

Step 9

 

 

ip http access-class access-list-number

(Optional) Specify an access list to use to allow access to the HTTP server.

Step 10

 

 

ip http max-connections value

(Optional) Set the maximum number of concurrent connections that are

 

 

allowed to the HTTP server. The range is 1 to 16; the default value is 5.

 

 

 

Catalyst 3750-E and 3560-E Switch Software Configuration Guide

9-46

OL-9775-02

 

 

Page 248
Image 248
Cisco Systems 3750E manual Configuring the Secure Http Server