S600-E V200R011C10 Web-based Configuration Guide

This document describes how to configure and maintain the device through the web network management system, which provides functions for viewing device information and managing the whole system, interfaces, services, ACLs, QoS, routes, security, and tools.
Configuring Device Login Through the Web System (Secure Mode)

Pre-configuration Tasks

Before configuring login through the web system (secure mode), complete the following tasks:

  • Configure a reachable route between a terminal and the device.
  • Obtain a digital certificate and private key file from the CA.

Configuration Procedure

The following configuration tasks must be performed in sequence.

Uploading and Loading a Web Page File

Context

The system software of the switch contains a web page file, which is pre-loaded on the switch before delivery. If you use this pre-loaded file, you do not need to perform the following configuration. To upgrade the web page file, download an independent web page file from the Huawei official website, upload it to the switch, and load it.

NOTE:

To obtain a web page file, log in to the Huawei enterprise support website (http://support.huawei.com/enterprise), choose the product model and version, and select a patch version under Public Patch in V and R Version to download the required web page file. The file name is in the format of product name-software version number.web page file version number.web.7z.

After downloading, compare the size of the downloaded file with the size shown on the website. A mismatch indicates a download error; download the file again. A matching size only shows that the download completed; it does not show that the file is genuine.

Each web page file has a corresponding signature file, downloaded in the same way as the web page file. Upload the signature file together with the web page file and verify the pair with check file-integrity (step 2 below) before loading; only the signature check detects a file that was modified or replaced.

Procedure

  1. Upload the web page file.

    You can upload the web page file using SFTP or another supported file transfer method; for details, see Local File Management. Prefer SFTP, which authenticates the peer and encrypts the transfer.

    NOTE:

    After the file is uploaded to the switch, run the dir command in the user view to check whether the uploaded file has the same size as that on the file server. If not, an error may occur during file upload. Upload the file again.

  2. (Optional, recommended) Run check file-integrity filename signature-filename

    The signature of the web page file is verified against the signature file. Do not load a file that fails this check.

  3. Load the web page file.
    1. Run system-view

      The system view is displayed.

    2. Run http server load { file-name | default }

      The web page file is loaded.

      By default, the web page file in system software is pre-loaded on the switch.

      If default is specified, the web page file in the system software is loaded. If file-name is specified, an independent web page file is loaded.

Configuring an SSL Policy and Loading a Digital Certificate

Context

To provide enhanced security, obtain a trusted digital certificate and private key file from the CA and manually configure an SSL policy.

The device supports certificates in PEM, ASN1, and PFX formats. The certificate content is the same regardless of format; only the encoding differs.
  • PEM (.pem) is the most commonly used format: the DER-encoded certificate wrapped in Base64 text between BEGIN/END markers, so it survives text-based transfer between systems and can hold a chain of several certificates in one file.
  • ASN1 (.der) is the raw binary DER encoding of a single certificate and is the format most browsers export by default.
  • PFX (.pfx, PKCS#12) is a password-protected binary container that can hold the certificate, its chain, and the private key together; it can be converted to PEM or ASN1 form and back.

Procedure

  1. Upload the digital certificate and private key file.

    You can upload the digital certificate and private key file using SFTP or another supported method and save them in the security directory. If this directory does not exist, run the mkdir security command to create it. For the file upload procedure, see Local File Management. The private key is the secret that authenticates the device to browsers: transfer it over SFTP only, and delete the copy on the workstation once the device has loaded it.

    NOTE:

    After the files are uploaded to the device, run the dir command in the user view to check if the uploaded files are the same size as those on the file server. If not, an error may have occurred. Upload the files again.

  2. Configure an SSL policy and load the digital certificate.
    1. Run system-view

      The system view is displayed.

    2. (Optional) Customize SSL cipher suite.

      1. Run ssl cipher-suite-list customization-policy-name

        An SSL cipher suite policy is customized and the view of the cipher suite policy is displayed. If the SSL cipher suite policy already exists, the command directly displays its view.

        By default, no customized SSL cipher suite policy is configured.

        To improve system security, the device negotiates only from its default set of cipher suites unless told otherwise. To improve compatibility with older clients, you can also customize a cipher suite policy: create it with the ssl cipher-suite-list command and populate it with the set cipher-suite command in the next step.

      2. Run set cipher-suite { tls1_ck_rsa_with_aes_256_sha | tls1_ck_rsa_with_aes_128_sha | tls1_ck_rsa_rc4_128_sha | tls1_ck_dhe_rsa_with_aes_256_sha | tls1_ck_dhe_dss_with_aes_256_sha | tls1_ck_dhe_rsa_with_aes_128_sha | tls1_ck_dhe_dss_with_aes_128_sha | tls12_ck_rsa_aes_256_cbc_sha256 }

        The cipher suite for a customized SSL cipher suite policy is configured.

        By default, no customized SSL cipher suite policy is configured.

        Cipher suites can be configured only within a customized policy created with ssl cipher-suite-list (step 1).

        The listed suites all use CBC mode with SHA-1 or SHA-256 MACs; only the dhe_ variants provide forward secrecy, so prefer them. tls1_ck_rsa_rc4_128_sha exists only for legacy clients such as Internet Explorer 8 on Windows XP (see the login notes): RC4 is prohibited for TLS by RFC 7465, and every session that negotiates it is exposed to the known RC4 keystream biases. If you must include it, keep it in the policy for as short a time as possible.

        If a customized SSL cipher suite policy is being referenced by an SSL policy, the cipher suites in the customized cipher suite policy can be added, modified, or partially deleted. Deleting all of the cipher suites is not allowed.

      3. Run quit

        Return to the system view.

    3. Run ssl policy policy-name

      An SSL policy is created and the SSL policy view is displayed.

    4. (Optional) Run ssl minimum version { ssl3.0 | tls1.0 | tls1.1 | tls1.2 }

      The minimum SSL/TLS version that the policy accepts is set.

      By default, the minimum version of an SSL policy is TLS1.1. SSL 3.0 is prohibited (RFC 7568) and TLS 1.0 and 1.1 are deprecated (RFC 8996); set tls1.2 unless a specific legacy client forces a lower floor. The browsers listed under the login notes all support TLS 1.2 (older Internet Explorer versions may need it enabled under Tools > Internet Options > Advanced).

    5. (Optional) Run binding cipher-suite-customization customization-policy-name

      A customized SSL cipher suite policy is bound to an SSL policy.

      By default, no customized cipher suite policy is bound to an SSL policy. Each SSL policy uses a default cipher suite.

      After a customized cipher suite policy is unbound from an SSL policy, the SSL policy uses one of the following default cipher suites:

      • tls1_ck_rsa_with_aes_256_sha
      • tls1_ck_rsa_with_aes_128_sha
      • tls1_ck_dhe_rsa_with_aes_256_sha
      • tls1_ck_dhe_dss_with_aes_256_sha
      • tls1_ck_dhe_rsa_with_aes_128_sha
      • tls1_ck_dhe_dss_with_aes_128_sha
      • tls12_ck_rsa_aes_256_cbc_sha256

      After a customized SSL cipher suite policy is bound to an SSL policy, the device negotiates SSL using only the cipher suites in that customized policy.

      The customized cipher suite policy bound to an SSL policy must contain at least one cipher suite.

      Each cipher suite authenticates the server with either an RSA or a DSS key. If the bound policy contains suites of only one key type, the certificate loaded for the SSL policy (step 6) must be of that key type, that is, key-pair rsa or key-pair dsa; otherwise no suite can be negotiated.

    6. Load the digital certificate and specify the private key file.

      Only one certificate or certificate chain can be loaded to an SSL policy. (A certificate chain is an ordered list of trusted certificates, starting from the end entity's certificate and ending at the root CA certificate.) If a certificate or certificate chain has already been loaded, run the undo certificate load command to unload it before loading a new one. Select the command that matches the certificate format.

      NOTE:

      When loading a certificate or certificate chain to an SSL policy, ensure that the key pair length in the certificate or certificate chain does not exceed 2048 bits; a longer key cannot be loaded. Do not go below 2048 bits either: that is the minimum RSA size current guidance (NIST SP 800-57) allows, so 2048-bit RSA is the size to request from the CA.

      • Load a PEM certificate or certificate chain. Run one of the following commands, depending on whether the CA issued a single certificate or a certificate chain.
        • Run certificate load pem-cert cert-filename key-pair { dsa | rsa } key-file key-filename auth-code cipher auth-code

          A PEM digital certificate is loaded and the private key file is specified.

        • Run certificate load pem-chain cert-filename key-pair { dsa | rsa } key-file key-filename auth-code cipher auth-code

          A PEM certificate chain is loaded and the private key file is specified.

      • Run certificate load asn1-cert cert-filename key-pair { dsa | rsa } key-file key-filename

        An ASN1 digital certificate is loaded and the private key file is specified.

      • Run certificate load pfx-cert cert-filename key-pair { dsa | rsa } { mac cipher mac-code | key-file key-filename } auth-code cipher auth-code

        A PFX digital certificate is loaded and the private key file is specified.

        Where present, auth-code is the pass-phrase that protects the private key file or the PFX file; the cipher keyword means the device stores it in encrypted form in the configuration. Use a pass-phrase that is unique to this device.
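The page says to obtain the certificate and key from a CA but not how to check the files before uploading them. The following shell script is an added example, not Huawei's code or a command from this guide: with the openssl CLI it creates a lab CA and a CA-signed 2048-bit RSA server certificate, writes the PEM, PEM chain, ASN1 (DER) and PFX forms described under Context, and runs the checks a practitioner wants before the certificate load step: key size within the 2048-bit limit, key matching the certificate, chain ordered end entity first, DER and PEM carrying the same certificate. The file names, subject names, management IP 192.0.2.10 and pass-phrase are assumptions chosen for the example; in production the server certificate comes from your real CA and only the checks apply.

```shell
#!/bin/sh
# Added example (not Huawei's code): prepare a server certificate and
# private key in the PEM, ASN1 (DER) and PFX forms this page lists, and
# pre-check the constraints the page states (RSA key, at most 2048 bits,
# key matches certificate, chain ordered end entity first) before the
# files go into the switch's security/ directory. Requires the openssl
# CLI. File names, subject names, the management IP and the pass-phrase
# are assumptions chosen for this example.
set -eu

WORK=$(mktemp -d)
PASS='Lab-auth-code-2019'       # constructed; becomes the auth-code on the device
MGMT_IP=${MGMT_IP:-192.0.2.10}  # placeholder management address (TEST-NET-1)

# A throw-away CA standing in for the CA the page tells you to obtain files from.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example Lab CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# 2048-bit RSA server key, encrypted under PASS (req encrypts the key when
# -nodes is absent), and a CA-signed certificate carrying the management IP
# as a SAN so the browser's https://IP-address URL matches the certificate.
make_server_cert() {
  openssl req -newkey rsa:2048 -sha256 -subj "/CN=switch-mgmt" \
    -passout "pass:$PASS" -keyout "$WORK/web.key" -out "$WORK/web.csr" 2>/dev/null
  printf 'subjectAltName=IP:%s\n' "$MGMT_IP" > "$WORK/san.cnf"
  openssl x509 -req -sha256 -days 365 -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/san.cnf" -in "$WORK/web.csr" \
    -out "$WORK/web.pem" 2>/dev/null
}

# PEM chain for "certificate load pem-chain": end-entity certificate first,
# issuing CA last, the order the page describes.
make_chain() {
  cat "$WORK/web.pem" "$WORK/ca.pem" > "$WORK/web-chain.pem"
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/web.pem" > /dev/null
}

# Same certificate re-encoded as DER ("asn1-cert") and bundled with key and
# chain as PKCS#12 ("pfx-cert"); the export password is the PFX auth-code.
convert_formats() {
  openssl x509 -in "$WORK/web.pem" -outform DER -out "$WORK/web.der"
  openssl pkcs12 -export -in "$WORK/web.pem" -certfile "$WORK/ca.pem" \
    -inkey "$WORK/web.key" -passin "pass:$PASS" -passout "pass:$PASS" \
    -out "$WORK/web.pfx"
}

# --- checks to run before uploading ------------------------------------------

# RSA modulus size in bits; the page rejects anything above 2048.
key_bits() {
  openssl rsa -in "$WORK/web.key" -passin "pass:$PASS" -noout -text 2>/dev/null |
    sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p'
}

# The key-file named on the device must belong to the cert-filename loaded with it.
key_matches_cert() {
  k=$(openssl pkey -in "$WORK/web.key" -passin "pass:$PASS" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$WORK/web.pem" -pubkey -noout | openssl sha256)
  [ "$k" = "$c" ]
}

# The first certificate in the chain file must be the server's, not the CA's.
chain_leaf_first() {
  case $(openssl x509 -in "$WORK/web-chain.pem" -noout -subject) in
    *switch-mgmt*) return 0 ;;
    *) return 1 ;;
  esac
}

# DER and PEM are two encodings of one certificate: fingerprints must agree.
der_equals_pem() {
  a=$(openssl x509 -in "$WORK/web.pem" -noout -fingerprint -sha256)
  b=$(openssl x509 -in "$WORK/web.der" -inform DER -noout -fingerprint -sha256)
  [ "$a" = "$b" ]
}

make_ca
make_server_cert
make_chain
convert_formats

echo "Files in $WORK: upload web.key plus one of web.pem / web-chain.pem / web.der / web.pfx to security/ via SFTP"
echo "  key size: $(key_bits) bits; key matches certificate: $(key_matches_cert && echo yes || echo no)"
# Matching commands from this page, run in the SSL policy view (PASS is the auth-code):
#   certificate load pem-cert  web.pem       key-pair rsa key-file web.key auth-code cipher PASS
#   certificate load pem-chain web-chain.pem key-pair rsa key-file web.key auth-code cipher PASS
#   certificate load pfx-cert  web.pfx       key-pair rsa key-file web.key auth-code cipher PASS
#   certificate load asn1-cert web.der       key-pair rsa key-file web.key
# The asn1-cert form takes no auth-code, so it presumably expects an unencrypted
# key file (openssl rsa -in web.key -out web-plain.key); that is an assumption.
```

Run it on an administrator workstation; it prints the temporary directory holding the files to upload to the switch's security directory. The pass-phrase chosen here is what you enter as auth-code when loading the PEM or PFX file.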

Enabling the HTTPS Service

Context

Binding an SSL policy to the device and enabling the HTTPS service lets users log in to the web system over an encrypted channel. You can change the port number of the HTTPS server; this only makes the server less obvious to an attacker who tries the default port, since a port scan still finds it, so combine it with restricting the source interface (step 5) or an ACL rather than relying on it. You can also set a timeout period for HTTPS sessions so that idle sessions do not hold web channel resources.

By default, only the HTTPS IPv4 service (not HTTPS IPv6) is enabled on a device. The HTTPS server uses port 443, the timeout period of an HTTPS session is 20 minutes, and login requests are accepted from all interfaces. If the HTTPS IPv4 service, the default port number, the default timeout period, and all interfaces are acceptable, you only need to bind an SSL policy to the device. To use the HTTPS IPv6 service, you need to enable it first.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run http secure-server ssl-policy policy-name

    An SSL policy is bound to the device.

    policy-name specifies the SSL policy created in Configuring an SSL Policy and Loading a Digital Certificate.

  3. Run http [ ipv6 ] secure-server enable

    The HTTPS service is enabled.

    By default, the HTTPS IPv4 service is enabled on a device while the HTTPS IPv6 service is disabled.

  4. Run http [ ipv6 ] secure-server port port-number

    The port number of the HTTPS server is specified.

    The default port number of the HTTPS server is 443.

  5. Run http server-source -i loopback interface-number

    A loopback interface is specified as the source interface of the HTTPS server, so that the server responds on that loopback address rather than on every interface (the default); this narrows the exposed surface to the management address.

    Before specifying a source interface for an HTTPS server, ensure that the loopback interface has been created. If it does not exist, the http server-source command cannot be executed correctly.

  6. Run http timeout timeout

    A timeout period is set for HTTPS sessions.

    The default timeout period is 20 minutes.

Configuring a Web User and Logging In to the Web System

Context

A web user account can be configured based on the user name, password, level, and access type. After configuration, you can log in to the web system. Enter the user name and password to log in to a web system.

NOTE:

The default upload/download directory is the root directory. You can modify the upload/download directory by running the corresponding command in the AAA view.

Procedure

  1. Configure a web user.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run local-user user-name password irreversible-cipher password

      A local user name and a password are configured.

      By default, the local user admin exists in the system, with the password admin@huawei.com.

      NOTE:
      If you have logged in to the device through the CLI and changed the password of the user admin, the changed password takes effect.

    4. Run local-user user-name service-type http

      The access type of the local user is set to HTTP.

      By default, no access type is configured for a local user.

    5. Run local-user user-name privilege level level

      The local user level is set.

      By default, the level of the local user admin is 15 and the user is an administrator.

      Users of level 3 or higher are administrator users and have all operation rights in the web system. Users of level 2 or lower are monitoring users and can perform only ping and tracert operations. Give each web account the lowest level its task requires; only administrators need level 3 or higher.

      After logging in to the web system, monitoring users receive a message, showing their current level and prompting them to raise their user level.

      Figure 2-9  Message received by a monitoring user logging in to the web system

  2. Log in to the web system.
    1. Open the web browser on a PC, enter https://IP address in the address box, and press Enter. The web system login page is displayed. Enter the web user name and password and select a language for the web system, as shown in Figure 2-10.

      IP address specifies the device's management IP address, which can be an IPv4 or IPv6 address, depending on the HTTPS service type.

      To ensure compatibility, a user who enters http://IP address in the address box is redirected to https://IP address. The initial http:// request itself travels in cleartext, so bookmark and use the https:// URL directly.

      Figure 2-10  Web system login page
      NOTE:
      • The operating system required for web system login must be the Windows 7.0, Windows 8.0, Windows 8.1, Windows 10.0, or iOS operating system.
      • To log in to the Web system, you must use Microsoft Edge, Internet Explorer 10.0, Internet Explorer 11.0, Firefox 53.0 to 59.0, or Google Chrome 54.0 to 66.0. If the browser version or browser patch version is not within the preceding ranges, the web page may not be properly displayed. Upgrade the browser and browser patch. In addition, the browser must support JavaScript.
      • When logging in to the web system using the Internet Explorer, ensure that active scripting in the Security tab page is enabled; otherwise, an exception may occur during web system login.
      • The best resolution of the display for web system login is 1316px. If the resolution is less than 1280px, the system displays a prompt message.
      • By default, the earliest SSL version used in SSL policies on the device is TLS1.1. When logging in to the device through the web system, ensure that the SSL version supported by the browser is the same as that supported by the device; otherwise, an exception may occur during web system login. It is recommended that you upgrade the browser based on the displayed page or modify the SSL configuration. Take the Internet Explorer as an example. Choose Tools > Internet Options, and click the Advanced tab to view and select the SSL version.
      • If you use Internet Explorer 8.0 running on Windows XP to log in to the web system, you must add the RC4 algorithm to the customized SSL cipher suite policy; otherwise, you will be unable to log in. To do so, run the set cipher-suite { tls1_ck_rsa_with_aes_256_sha | tls1_ck_rsa_with_aes_128_sha | tls1_ck_rsa_rc4_128_sha | tls1_ck_dhe_rsa_with_aes_256_sha | tls1_ck_dhe_dss_with_aes_256_sha | tls1_ck_dhe_rsa_with_aes_128_sha | tls1_ck_dhe_dss_with_aes_128_sha | tls12_ck_rsa_aes_256_cbc_sha256 } command and include tls1_ck_rsa_rc4_128_sha. Be aware that this weakens TLS for every client of the HTTPS server, because RC4 is prohibited for TLS by RFC 7465, and that Windows XP itself is out of support; upgrade the client instead wherever possible.
      • The web system identifies device information based on the Item value in the device's electronic label, but the device hardware driver decides whether to start the device based on the BarCode value. Because the BarCode and Item values may differ, the web system may fail to read or display the card information.
      • The web system does not support the back, forward, and refresh buttons of the browser. Using them may return you to the login page.
      • If you log in to web systems at the same IP address through multiple windows of one browser, only the latest login is kept. If the web systems have the same IP address and port number, the latest login account is shown on the earlier pages after all windows are refreshed. If they have the same IP address but different port numbers, timeout messages are shown on the earlier pages after all windows are refreshed.
      • If the software version of the device changes (for example, the device software is upgraded or rolled back), clear the browser cache before using the web system. Otherwise, the web page may be displayed incorrectly.
      • You can click Open Source software Notice to view details of the open source software notice.

    2. Access the password change page of the web system.

      On the web system login page, click GO or press Enter to access the password change page, as shown in Figure 2-11. Change the password and re-log in to the web system as prompted. You can manage and maintain the device after logging in to the web system.

      Figure 2-11  Password change page of the web system
      NOTE:
      • The password change page is displayed during the login process only the first time you log in to the web system.
      • The password change page is also displayed if your password will expire or has expired. To access the web system main page, you must change the password.
      • For security purposes, a password must contain at least two types of the following: lowercase letters, uppercase letters, digits, and special characters (such as ! $ # %). In addition, the password cannot contain spaces or single quotation marks (').

    3. (Optional) Change the default user password.

      If you are logged in as an administrator and the password of the default user admin is admin@huawei.com, the system prompts you to change this password. Figure 2-12 shows the prompt. Click Confirm to display the User Management page on which you can change the password of the default user. Changing this password is recommended to improve security.

      Figure 2-12  Changing the default user
      NOTE:
      • The dialog box is displayed only when you log in to the web system as an administrator user (level 3 or higher).

      • A secure password should contain at least two of the following types: lowercase letters, uppercase letters, digits, and special characters (such as ! $ # %). In addition, the password cannot contain spaces or single quotation marks (').

Verifying the Configuration of Device Login Through the Web System

Context

After completing the configuration, run the following commands in any view on the CLI to check information about the SSL policy, loaded digital certificate, online web users, and current HTTPS server.

Procedure

  • Run the display ssl policy [ policy-name ] command to check the configured SSL policy and loaded digital certificate.
  • Run the display http user [ username username ] command to check online web user information.
  • Run the display http server command to check current HTTPS server information.
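The display commands above show what the device currently has loaded, but the weak options this page allows (an SSL 3.0, TLS 1.0 or TLS 1.1 floor under ssl minimum version, the RC4 suite under set cipher-suite, an HTTPS server with no SSL policy bound) are easier to catch from the saved configuration. The following shell script is an added example, not Huawei's code: it audits a saved configuration for exactly those three conditions in the SSL policy that the HTTPS server references, and carries a weak and a corrected configuration built from the commands on this page as constructed samples. Policy and list names, the port number, and the one-space indentation of VRP configuration output are assumptions of the example; neither sample is a real device dump.

```shell
#!/bin/sh
# Added example (not Huawei's code): audit a saved VRP configuration for the
# weak choices the procedure on this page permits. The two configurations are
# constructed from the commands on this page (one space of indentation per
# view, "#" between blocks); they are not real device dumps. Policy names,
# list names and the port are assumptions for the example.

# Weak: TLS 1.0 floor and an RC4 suite in the list bound to the policy the
# HTTPS server actually uses.
WEAK_CONFIG='#
ssl cipher-suite-list legacy-ie8
 set cipher-suite tls1_ck_rsa_rc4_128_sha
 set cipher-suite tls1_ck_rsa_with_aes_256_sha
#
ssl policy web-ssl
 ssl minimum version tls1.0
 binding cipher-suite-customization legacy-ie8
#
http secure-server ssl-policy web-ssl
http secure-server enable
http secure-server port 8443
http timeout 20
#'

# Fixed: TLS 1.2 floor, forward-secret suites only, same HTTPS settings.
FIXED_CONFIG='#
ssl cipher-suite-list modern
 set cipher-suite tls1_ck_dhe_rsa_with_aes_256_sha
 set cipher-suite tls1_ck_dhe_rsa_with_aes_128_sha
#
ssl policy web-ssl
 ssl minimum version tls1.2
 binding cipher-suite-customization modern
#
http secure-server ssl-policy web-ssl
http secure-server enable
http secure-server port 8443
http timeout 20
#'

# audit_ssl_config CONFIG_TEXT
# Prints one finding per line; prints nothing when the configuration is clean.
# Only the SSL policy referenced by "http secure-server ssl-policy" is judged,
# since that is the one the web system negotiates with. A policy with no
# "ssl minimum version" line gets the page's default, TLS 1.1, which is flagged.
audit_ssl_config() {
  printf '%s\n' "$1" | awk '
    /^ssl cipher-suite-list /   { ctx = "list:" $3; next }
    /^ssl policy /              { ctx = "policy:" $3; min[$3] = "tls1.1"; next }
    /^#/                        { ctx = ""; next }
    /^ set cipher-suite .*rc4/  { rc4[substr(ctx, 6)] = 1; next }
    /^ ssl minimum version /    { min[substr(ctx, 8)] = $4; next }
    /^ binding cipher-suite-customization / { bound[substr(ctx, 8)] = $3; next }
    /^http secure-server ssl-policy / { used = $4; next }
    END {
      if (used == "")
        print "HTTPS server has no SSL policy bound (http secure-server ssl-policy missing)"
      for (p in min) {
        if (p != used) continue
        if (min[p] != "tls1.2")
          print "policy " p ": minimum version " min[p] " (TLS 1.0/1.1 deprecated by RFC 8996, SSL 3.0 by RFC 7568); set tls1.2"
        if (bound[p] != "" && rc4[bound[p]])
          print "policy " p ": bound list " bound[p] " offers RC4 (prohibited for TLS by RFC 7465); remove tls1_ck_rsa_rc4_128_sha"
      }
    }'
}

# count_findings CONFIG_TEXT  -> number of findings on stdout (0 = clean)
count_findings() {
  n=$(audit_ssl_config "$1" | grep -c . || true)
  echo "$n"
}

echo "weak configuration:"; audit_ssl_config "$WEAK_CONFIG"
echo "fixed configuration: $(count_findings "$FIXED_CONFIG") finding(s)"
```

Feed it the output of display current-configuration saved from the device (or the configuration file itself); a clean result means the policy the HTTPS server uses has a TLS 1.2 floor and no RC4, and that a policy is bound at all. It does not replace the display commands, which also confirm the certificate actually loaded.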
Updated: 2019-03-30

Document ID: EDOC1000178031