Setting Up SSL Encryption, 14-1 | Western Telematic AFS-16-1

14 Setting Up SSL Encryption

This section describes the procedure for setting up a secure connection via an https web connection to the AFS-16.

Note: SSL parameters cannot be defined via the Web Browser Interface. In order to set up SSL encryption, you must contact the AFS-16 via the Text Interface.

There are two different types of https security certificates: "Self Signed" certificates and "Signed" certificates.

Self Signed certificates can be created by the AFS-16, without the need to go to an outside service, and there is no need to set up your domain name server to recognize the AFS-16. The principal disadvantage of Self Signed certificates, is that when you access the AFS-16 command mode via the Web Browser Interface, the browser will display a message which warns that the connection might be unsafe. Note however, that even though this message is displayed, communication will still be encrypted, and the message is merely a warning that the AFS-16 is not recognized and that you may not be connecting to the site that you intended.

Signed certificates must be created via an outside security service (e.g., VeriSign®, Thawte™, etc.) and then uploaded to the AFS-16 unit to verify the user's identity. In order to use Signed certificates, you must contact an appropriate security service and set up your domain name server to recognize the name that you will assign to the AFS-16 unit (e.g., service.wti.com.) Once a signed certificate has been created and uploaded to the AFS-16, you will then be able to access command mode without seeing the warning message that is normally displayed for Self Signed certificate access.

WEB ACCESS:

HTTP:

1. Enable: On

2. Port: 80

HTTPS:

3. Enable: On

4. Port: 443

SSL	Certificates:
5.	Common Name:
6.	State or Province:
7.	Locality:
8.	Country:
9.	Email Address:
10.	Organization Name:
11.	Organizational Unit:	15.	Export Server Private Key:
12.	Create CSR:	15.	Export Server Private Key:
13.	View CSR:	16.	Import Server Private Key:
14.	Import CRT:	17.	Harden Web Security: On

Enter: #<CR> to change,

<ESC> to return to previous menu ...

Figure 14.1: Web Access Parameters (Text Interface Only)

14-1

Image 105

Western Telematic AFS-16-1 manual Setting Up SSL Encryption, 14-1

Contents

AFS-16-1 Secure Racking Shock Hazard Do Not Enter Lithium Battery Two Power Supply Cables Disconnect Power Table of Contents Basic Configuration Telnet & SSH Functions Upgrading AFS-16 Firmware Command Reference Guide Vii List of Figures Introduction Security and Co-Location Features Environmental Monitoring and Management Typographic ConventionsWTI Management Utility Bold Font Dual Power Supply Module  Power Switch and on IndicatorUnit Description Control Module Control Module Unit Description Circuit Module Circuit Module Apply Power to the AFS-16 Getting StartedConnect Your PC to the AFS-16 Communicating with the AFS-16 Fallback Switching Text Interface Fallback Switching Fallback Switching Web Browser Interface Hardware Installation Connecting the Power Supply CablesConnecting the Network Cable Connecting an External Modem Optional Connecting a Local Control Device A/C/B Connectors Module Set UpCircuit Module Set Up Control Module SetUp Basic Configuration Communicating with the AFS-16 UnitText Interface Web Browser Interface Access Via PDA Configuration Menus Defining System Parameters Basic Configuration Real Time Clock and Calendar Invalid Access Lockout Feature Log Configuration Web Browser Interface Callback Security Basic Configuration Scripting Options Basic Configuration User Accounts Command Access Levels Granting Circuit Module Access Managing User Accounts Viewing User AccountsAdding User Accounts Basic Configuration Deleting User Accounts Modifying User Accounts Circuit Configuration Viewing Circuit Groups Circuit Group Directory Adding Circuit Groups Modifying Circuit GroupsDeleting Circuit Groups Serial Port Configuration Menu Serial Port ConfigurationCommunication Settings 1. RS232 Port Modes Port Mode Parameters Network Configuration Network Port Parameters Network Parameters Basic Configuration IP Security Basic Configuration Net/Mask Pairs Except Domain Name Server Static Route Snmp Access Parameters Snmp Trap Parameters Ldap Parameters Group Membership Value Type Default = DN Basic Configuration Tacacs Parameters Basic Configuration Radius Parameters WTI-Group-Access=111000 WTI-Circuit-Access=0101WTI-Super=2 Example Email Messaging Parameters Save User Selected Parameters Restore Configuration Adding Ping-No-Answer Profiles Ping-No-Answer Fallback Switching Ping-No-Answer Fallback Switching Viewing Ping-No-Answer Profiles Modifying Ping-No-Answer ProfilesDeleting Ping-No-Answer Profiles Alarm Configuration Output Contacts Control Module AUX Connector Output Contacts Over Temperature Alarms Alarm Configuration Ping-No-Answer Alarm Configuring the Ping-No-Answer AlarmDefining Ping-No-Answer IP Addresses Alarm Configuration Invalid Access Lockout Alarm Alarm Configuration Power Cycle Alarm Monitor/Alarm Input Alarm Configuration High Low Monitor Input Level Settings Alarm Configuration Status Screens Product StatusNetwork Status Screen Circuit Status Screen Circuit Group Status Screen Audit Log Event Logs Temperature Log Alarm Log A/B Switching Web Browser Interface OperationCircuit Control Screen Web Browser Interface Circuit Group Control Screen Web Browser Interface Operation Circuit Status Screen Text Interface A/B Switching Text Interface 2. A/B Switching Commands Text Interface TA 1 Enter or /TA Datacenter EnterTB 2 Enter or /TB Servers Enter TA ROUTER,Y or /T 2,B,Y B Enter or /T SERVERS,A EnterTB 1+3+4 Enter +3+4,B Enter TA 13 Enter Manual Operation Logging Out of Command Mode SSH Encryption Telnet & SSH FunctionsEnter 10-1 Telnet ip port raw Enter Creating an Outbound Telnet ConnectionTelnet 255.255.255.255 2000 raw Enter 10-2 SSH ip -l username Enter Creating an Outbound SSH ConnectionUsername SSH 255.255.255.255 -l employee Enter Configuration Syslog Messages11-1 11-2 Testing Syslog Configuration 12-1 Snmp Traps 12-2 Testing the Snmp Trap Function Configuration via Snmp AFS-16 Snmp Agent SNMPv3 Authentication and EncryptionUserTableuserAccessLevel Account access level Operation via Snmp Adding Users Viewing UsersModifying Users Deleting Users Controlling Circuits Circuit Control via SnmpControlling Circuit Groups 13-3 Circuit Status Viewing AFS-16 Status via Snmp155 Unit Environment Status 13-5 Sending Traps via Snmp 14-1 Setting Up SSL Encryption 14-2 Creating a Self Signed Certificate 14-3 Creating a Signed Certificate 14-4 Downloading the Server Private Key Saving and Restoring Configuration Parameters Sending Parameters to a File15-1 15-2 Restoring Saved Parameters 15-3 Restoring Previously Saved Parameters 16-1 Upgrading AFS-16 Firmware 16-2 Command Conventions Command Reference GuideTA * Enter 17-1 17-2 Command Summary Display Circuit Status Screen Command SetDisplay Circuit Group Status Screen Display Network Status Log Functions Exit Command ModeDisplay Site ID / Unit Information Connect TA 2+3,Y Enter Toggle to a PositionToggle to B Position TB 2+3,Y Enter Set All Circuits to Default States Toggle Command+3,A,Y Enter Send Parameters to File Send SSH Key Unlock Port Invalid Access LockoutTelnet Outbound Telnet Format /TELNET ip port raw Enter Format /SSH ip -l username Enter SSH Outbound SSHSet System Parameters Set Serial Port Parameters Alarm Configuration Parameters PNA Configure Ping-No-Answer FunctionCircuit Group Parameters Network Port Parameters Reboot System Default Upgrade FirmwareTest Test Network Parameters When not connected When connectedAppendix A. Interface Description Serial Port RS232 Switching Appendix B. SpecificationsPhysical/Environmental Apx-2 Apx-3 Appendix C. Customer Service Trademark and Copyright Information Trademarks and Copyrights Used in this ManualApx-4 Index-1 Index Radius CLI Index-2 Ldap Index-3 Tacacs Index-4 NTP Index-5 Index-6 Snmp Index-7 SNMPV3 Index-8