Saturday, January 8, 2022

Extreme Switch - How to enable HTTPS in EXOS


Here is a step-by-step procedure to enable web (GUI) access to the switch over HTTPS only, so that management logins no longer travel in cleartext over HTTP.

* NOTE:
Port 80 is used for HTTP and port 443 for HTTPS.
The web server must be enabled in order to use the EXOS REST API, so once HTTP is disabled and HTTPS enabled, the REST API is reachable only over HTTPS as well.

Step 1. Disable HTTP


In EXOS 15.7 and higher, HTTP is enabled by default on an unconfigured switch, and an HTTP session sends the login credentials and every page in cleartext. So disable HTTP first with this CLI command: disable web http.

EXOS_switch # disable web http


Step 2. Generate an SSL certificate


If the switch is running 16.1 or earlier, install the EXOS SSH module first; the SSL certificate commands are part of it.

* Related posts: Extreme Switch - How to enable SSH in EXOS

If the EXOS version is 16.2 or higher, issue the following command directly. Use as common-name the hostname you will type into the browser. The switch generates a self-signed certificate (the 'show ssl' output in Step 4 lists the same Issuer and Subject), so browsers will warn about it until the certificate is explicitly trusted.

configure ssl certificate privkeylen <length> country <country_code> organization <org_name> common-name <name>

EXOS_switch # configure ssl certificate privkeylen 2048 country US organization AnalysisMan common-name analysisman.com

..+++
.........................................................................................................+++
Storing the private key. This may take some time.

....Done



※ Key Length
NIST has recommended a minimum of 2048-bit RSA keys since 1024-bit keys were disallowed (SP 800-131A, effective 2014), so the key length is set to 2048 here. You may choose a larger key such as 4096, but longer keys cost more computation on both ends, and not equally: the public-key operation a browser performs to verify the switch's signature grows roughly with the square of the key size, so 4096-bit verification is about four times slower than 2048-bit, while the private-key operation the switch itself performs in every TLS handshake grows roughly with the cube and is several times slower again, on a management CPU far weaker than the client's.
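The trade-off in the note above, as an added measurement (not code from the post): it times Python's built-in pow() on random odd moduli of 2048 and 4096 bits, which stand in for RSA moduli because the cost of modular exponentiation depends on operand sizes, not on the modulus being a product of two primes. Two operations are timed per size: the public one (exponent 65537, what a browser does to verify the switch's signature) and the private one (a random full-size exponent, what the switch does in every TLS handshake; implementations using CRT are about four times faster, which does not change the ratio between sizes).

```python
"""Measure how RSA modular exponentiation cost grows with key size.
Added illustration for the key-length note, not code from the post.
No real keys are generated: random odd moduli of the chosen size cost the
same as real RSA moduli of that size (assumption stated in the lead-in)."""
import random
import time

PUBLIC_EXPONENT = 65537


def time_modexp(bits, private=False, seed=1):
    """Best-of-N seconds for one modular exponentiation with a `bits`-bit modulus.
    private=True uses a random full-size exponent, like an RSA private exponent
    without CRT; otherwise the public exponent 65537 is used."""
    rng = random.Random(seed)
    n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1      # odd, exactly `bits` bits
    m = rng.randrange(2, n)                                 # the "message"
    e = (rng.getrandbits(bits) | (1 << (bits - 1)) | 1) if private else PUBLIC_EXPONENT
    repeats = 3 if private else 50      # the public op takes microseconds; sample it more
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        pow(m, e, n)
        best = min(best, time.perf_counter() - start)
    return best


def slowdown(small=2048, large=4096):
    """Return (public_ratio, private_ratio): how many times slower the
    `large`-bit operations are than the `small`-bit ones on this machine."""
    public = time_modexp(large) / time_modexp(small)
    private = time_modexp(large, private=True) / time_modexp(small, private=True)
    return public, private


if __name__ == "__main__":
    for bits in (2048, 3072, 4096):
        print(f"{bits}-bit: public {time_modexp(bits) * 1e6:8.1f} us   "
              f"private {time_modexp(bits, private=True) * 1e3:8.2f} ms")
    pub, priv = slowdown()
    print(f"4096 vs 2048: verification x{pub:.1f}, private operation x{priv:.1f}")
```

The private-key ratio comes out roughly twice the verification ratio because the 4096-bit exponent needs twice as many squarings, each of which is itself several times more expensive; that is the cost the switch, not the browser, pays on every handshake.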

Step 3. Enable HTTPS


Enable the HTTPS web interface with the command 'enable web https'.

EXOS_switch # enable web https


Step 4. Verify whether HTTPS access is enabled


You can check web access by browsing to the switch's IP address, for example https://192.168.1.2 (expect a certificate warning for the self-signed certificate; http://192.168.1.2 should now be refused), or use the following CLI commands.

Option 1. Issue the command 'show configuration detail thttpd', which lists the web server (thttpd) module settings; HTTP should be disabled and HTTPS enabled:


EXOS_switch # show configuration detail thttpd
#
# Module thttpd configuration.
#
disable web http
enable web https
configure ssl certificate hash-algorithm sha512



Option 2. Issue the commands 'show ssl' and 'show switch management' (or 'show management'). Note that the 'Web access' line of 'show switch management' reports only the HTTP listener, so after this procedure it reads Disabled (tcp port 80); the HTTPS listener is reported by 'show ssl' as 'HTTPS Port Number: 443 (Enabled)'. The 'show ssl' output also shows the key size, the signature algorithm and the certificate's validity period, which is one year here, so plan to regenerate the certificate before it expires.



* X440G2-12p-10G4.5 # show ssl
HTTPS Port Number: 443 (Enabled)
Signature Algorithm configured: sha512 With RSA Encryption
Private Key matches the Certificate's public key.
RSA Private Key: 2048
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: C=US, O=AnalysisMan, CN=analysisman.com
        Validity
            Not Before: Nov 20 00:37:30 2021 GMT
            Not After : Nov 20 00:37:30 2022 GMT
        Subject: C=US, O=AnalysisMan, CN=analysisman.com

Manufacturing certificate: Present


EXOS_switch # show switch management
CLI idle timeout                 : Enabled (20 minutes)
CLI max number of login attempts : 3
CLI max number of sessions       : 8
CLI paging                       : Enabled
CLI space-completion             : Disabled (this session only)
CLI configuration logging        : Enabled (without expansion)
CLI journal size                 : 100
CLI password prompting only      : Disabled
CLI display moved-keywords       : Displayed with Help
CLI moved-keywords hidden release: 0.0
CLI RADIUS cmd authorize tokens  : 2
CLI scripting                    : Disabled (this session only)
CLI scripting error mode         : Ignore-Error (this session only)
CLI persistent mode              : Persistent (this session only)
CLI prompting                    : Enabled (this session only)
CLI screen size                  : 29 Lines 136 Columns (this session only)
CLI refresh                      : Enabled
CLI history expansion            : Disabled
Image integrity checking         : Off
Current system port notation     : port
Configured system port notation  : port
Telnet access                    : Disabled (tcp port 23 vr all)
                                 : Access Profile : not set
SSH access                       : Enabled (Key valid, tcp port 22 vr all)
                                 : Secure-Mode    : Off
                                 : Access Profile : not set
SSH2 idle time                   : 60 minutes
SSH2 rekey interval              : 4096 MB and no time limit
Web access                       : Disabled (tcp port 80)
                                 : Access Profile : not set
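As an added example (not code from the post or from Extreme), here is a Python script that audits the state the four steps above should leave behind, working from the two outputs of Step 4, 'show configuration detail thttpd' and 'show ssl'. It flags HTTP left enabled, HTTPS not enabled, a weak hash algorithm, an RSA key shorter than 2048 bits, and a certificate that is self-signed, carries serial number 0, or is expired or about to expire. The embedded sample outputs are constructed to mirror the ones shown above, including the one-year validity of the self-signed certificate; pass two files captured from your own switch to audit it instead.

```python
"""Audit an EXOS switch's web-access state from the output of
'show configuration detail thttpd' and 'show ssl'.
Added example for this post, not Extreme's code or an EXOS feature. Capture the
two outputs from a terminal session into files and pass them as the two
arguments; with no arguments the constructed samples below are audited."""
import re
import sys
from datetime import datetime, timezone

# Constructed sample: 'show configuration detail thttpd' after Steps 1-3.
SAMPLE_THTTPD = """\
disable web http
enable web https
configure ssl certificate hash-algorithm sha512
"""

# Constructed sample (abridged): 'show ssl' with the self-signed 2048-bit certificate.
SAMPLE_SHOW_SSL = """\
HTTPS Port Number: 443 (Enabled)
Signature Algorithm configured: sha512 With RSA Encryption
RSA Private Key: 2048
        Serial Number: 0 (0x0)
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: C=US, O=AnalysisMan, CN=analysisman.com
            Not Before: Nov 20 00:37:30 2021 GMT
            Not After : Nov 20 00:37:30 2022 GMT
        Subject: C=US, O=AnalysisMan, CN=analysisman.com
"""

MIN_RSA_BITS = 2048            # the minimum the key-length note settles on
WEAK_HASHES = {"md5", "sha1"}


def parse_thttpd(text):
    """Return {'http': bool, 'https': bool, 'hash': str or None} from the thttpd config."""
    state = {"http": False, "https": False, "hash": None}
    for line in text.splitlines():
        m = re.match(r"(enable|disable) web (https?)$", line.strip())
        if m:
            state[m.group(2)] = m.group(1) == "enable"
        m = re.match(r"configure ssl certificate hash-algorithm (\S+)", line.strip())
        if m:
            state["hash"] = m.group(1).lower()
    return state


def parse_show_ssl(text):
    """Extract port state, key size, serial, issuer/subject and expiry from 'show ssl'."""
    info = {"https_enabled": False, "port": None, "key_bits": None,
            "serial": None, "issuer": None, "subject": None, "not_after": None}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"HTTPS Port Number:\s*(\d+)\s*\((\w+)\)", line):
            info["port"], info["https_enabled"] = int(m.group(1)), m.group(2).lower() == "enabled"
        elif m := re.match(r"RSA Private Key:\s*(\d+)", line):
            info["key_bits"] = int(m.group(1))
        elif m := re.match(r"Serial Number:\s*(\d+)", line):
            info["serial"] = int(m.group(1))
        elif m := re.match(r"(Issuer|Subject):\s*(.+)", line):
            info[m.group(1).lower()] = m.group(2).strip()
        elif m := re.match(r"Not After\s*:\s*(.+)", line):   # 'Nov 20 00:37:30 2022 GMT'
            info["not_after"] = datetime.strptime(m.group(1).strip(), "%b %d %H:%M:%S %Y GMT"
                                                  ).replace(tzinfo=timezone.utc)
    return info


def audit(thttpd_text, show_ssl_text, today=None):
    """Return (severity, message) findings; `today` is an ISO date for the expiry check."""
    now = (datetime.strptime(today, "%Y-%m-%d").replace(tzinfo=timezone.utc)
           if today else datetime.now(timezone.utc))
    cfg, cert = parse_thttpd(thttpd_text), parse_show_ssl(show_ssl_text)
    findings = []
    if cfg["http"]:
        findings.append(("HIGH", "plain HTTP is enabled: web logins cross the network in cleartext ('disable web http')"))
    if not (cfg["https"] and cert["https_enabled"]):
        findings.append(("HIGH", "HTTPS is not enabled ('enable web https')"))
    if cfg["hash"] in WEAK_HASHES:
        findings.append(("MEDIUM", f"certificate hash-algorithm {cfg['hash']} is weak"))
    if cert["key_bits"] is not None and cert["key_bits"] < MIN_RSA_BITS:
        findings.append(("HIGH", f"RSA key is only {cert['key_bits']} bits; regenerate with privkeylen {MIN_RSA_BITS} or more"))
    if cert["issuer"] and cert["issuer"] == cert["subject"]:
        findings.append(("INFO", "certificate is self-signed; browsers warn until it is explicitly trusted"))
    if cert["serial"] == 0:
        findings.append(("INFO", "certificate serial number is 0; RFC 5280 requires a positive serial"))
    if cert["not_after"] is not None:
        days = (cert["not_after"] - now).days
        if days < 0:
            findings.append(("HIGH", f"certificate expired {-days} days ago; regenerate it"))
        elif days < 30:
            findings.append(("MEDIUM", f"certificate expires in {days} days; regenerate it"))
    return findings


if __name__ == "__main__":
    if len(sys.argv) == 3:
        thttpd, show_ssl = [open(p).read() for p in sys.argv[1:3]]
    else:
        thttpd, show_ssl = SAMPLE_THTTPD, SAMPLE_SHOW_SSL
    for severity, message in audit(thttpd, show_ssl) or [("OK", "HTTP off, HTTPS on, key and certificate acceptable")]:
        print(f"[{severity}] {message}")
```

Run against the samples on the date of this post, it reports only the two INFO findings about the self-signed certificate; the `today` argument of audit() exists so the expiry check can be exercised against a fixed date, and a year after following this procedure that check is the one most likely to fire, since the generated certificate is valid for twelve months.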

