Configuring Web System Login

S600-E V200R019C10 Configuration Guide - Basic Configuration

This document describes the configurations of Basic, including CLI Overview, EasyDeploy Configuration, Logging In to a Device for the First Time, CLI Login Configuration, Web System Login Configuration, File Management, Configuring System Startup, BootLoad Menu Operation.

Rate and give feedback:

Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).

Configuring Web System Login

You can conveniently manage and maintain a switch through the GUIs provided by the web system. Ensure that the PC and the switch are routable to each other before configuring web system login.

Common Configurations for Web System Login

By default, you can directly log in to a switch using the user name for the first login and the changed password without any extra configuration. To add a web user or change user information, perform the following steps:

Create a web user and its login password.
Configure the access type and privilege level for web users.

Operation Procedure

Create a web user and set a login password for the user.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin123 password irreversible-cipher abcd@123
						
							//Create a local user admin123 and set the login password to abcd@123.

Set an access type and privilege level for the web user.

[HUAWEI-aaa] local-user admin123 privilege level 15
						
							//Set the privilege level of the local user admin123 to 15.
						
Warning: This operation may affect online users, are you sure to change the user privilege level ?[Y/N]y
[HUAWEI-aaa] local-user admin123 service-type http
						
							//Set the access type of the local user admin123 to HTTP.
						
[HUAWEI-aaa] quit

View HTTPS server information.

[HUAWEI] display http server
   HTTP Server Status              : enabled
   HTTP Server Port                : 80(80)
   HTTP Timeout Interval           : 20
   Current Online Users            : 3
   Maximum Users Allowed           : 5
   HTTP Secure-server Status       : enabled
   HTTP Secure-server Port         : 443(443)
   HTTP SSL Policy                 : ssl_server
   HTTP IPv6 Server Status         : disabled
   HTTP IPv6 Server Port           : 80(80)
   HTTP IPv6 Secure-server Status  : disabled
   HTTP IPv6 Secure-server Port    : 443(443)
   HTTP server source address      : 0.0.0.0

When a device starts without any configuration, HTTP uses the randomly generated self-signed certificate to support HTTPS. The self-signed certificate may bring risks. Therefore, you are advised to replace it with the officially authorized digital certificate. For details about how to replace the certificate, see Load a digital certificate and bind an SSL policy to the switch.

Log in to the device through the web system.

After basic functions of web system login are configured, open the web browser on the PC, enter https://IP address in the address bar, and press Enter. The web system login page then is displayed. As shown in Figure 6-2, enter the configured web user name and password and select the language of the web system.

Figure 6-2 Web system login page
- The password change page is displayed the first time you log in to the web system.
- The password change page is also displayed if your password is due to expire or has expired. To access the web system main page, you must change the password.
- For security purposes, a password must contain at least two types of the following: lowercase letters, uppercase letters, digits, and special characters (such as ! $ # %). In addition, the password cannot contain spaces or single quotation marks (').
- If the web user is an administrator and the default local user exists in the system, the system prompts the user to change the default local user regardless of the user name and password used to log in to the web system.
  The default username and password are available in S Series Switches Default Usernames and Passwords (Enterprise Network or Carrier). If you have not obtained the access permission of the document, see Help on the website to find out how to obtain it.

Other Configurations for Web System Login

Load a web page file.

Generally, a web page file has been integrated in the system software of a switch and loaded. If you need to upgrade the web page file, log in to the Huawei official website to download a separate web page file and upload it to the switch.
1. Upload a web page file to the switch.
  
  To obtain a web page file, log in to the Huawei enterprise support website (http://support.huawei.com/enterprise), choose the product model and version, and select a patch version under Public Patch in V and R Version to download the required web page file. The file name is in the format of product name-software version number.web page file version number.web.7z.
  
  Each web page file corresponds to a signature file. The method of downloading the signature file is the same as that of downloading the web page file.
  
  For details about how to load necessary files to a switch, see File Management.
2. Load a web page file.
```
<HUAWEI> system-view
[HUAWEI] http server load web.7z
							
```
3. Enable the HTTPS service.
```
[HUAWEI] http secure-server enable
								
									//By default, the HTTP IPv4 service function is enabled, and the HTTP IPv6 service function is disabled.
								
							
```
Load a digital certificate and bind an SSL policy to the switch.
1. Upload the server's digital certificate and private key file to the switch. The Subject: CN field in the certificate must match the domain name of the login device.
  
  You can upload the server's digital certificate and private key file using SFTP and the digital certificate and private key file are saved in the security directory. If the switch does not have the security directory, run the mkdir security command to create it. For details about how to load necessary files to a switch, see File Management.
  
  After the server's digital certificate and private key file are uploaded, run the dir command in the user view to check whether the sizes of the uploaded server's digital certificate and private key file are the same as those on the file server. If not, an exception may occur during file uploading. You can re-upload the files.
2. Create an SSL policy and load a digital certificate. A PEM digital certificate is used as an example here.
```
[HUAWEI] ssl policy http_server
[HUAWEI-ssl-policy-http_server] certificate load pem-cert 1_servercert_pem_dsa.pem key-pair dsa key-file 1_serverkey_pem_dsa.pem auth-code cipher 123456
[HTTPS-Server-ssl-policy-http_server] quit
							
```
3. Bind the SSL policy to the switch and enable the HTTPS service.
```
[HUAWEI] http secure-server ssl-policy http_server
[HUAWEI] http secure-server enable
							
```
4. View detailed information about the loaded digital certificate.
```
[HUAWEI] display ssl policy

       SSL Policy Name: http_server
     Policy Applicants: Config-Webs
         Key-pair Type: DSA
 Certificate File Type: PEM
      Certificate Type: certificate
  Certificate Filename: 1_servercert_pem_dsa.pem
     Key-file Filename: 1_serverkey_pem_dsa.pem
             Auth-code: ******
                   MAC:
              CRL File:
       Trusted-CA File:
           Issuer Name:
   Validity Not Before:
    Validity Not After:
```

Related Commands

For detailed command description, see Command Reference.

Table 6-1 Common commands

Function	Command	Description
Create a local AAA user and set a password for the user.	local-user user-name password irreversible-cipher password	The default username and password are available in S Series Switches Default Usernames and Passwords (Enterprise Network or Carrier). If you have not obtained the access permission of the document, see Help on the website to find out how to obtain it. NOTE: If you have logged in to a switch through CLI and changed the password of the default user, use the new password.
Set the access type of the local AAA user.	local-user user-name service-type http	By default, a local user cannot use any access type.
Set the privilege level of the local user.	local-user user-name privilege level level	By default, the privilege level of a local user is 15, indicating an administrator.
Load a web page file.	http server load { file-name \| default }	By default, the web page file integrated in the system software has been loaded to switches.
Create an SSL policy and display the SSL policy view.	ssl policy policy-name	By default, no SSL policy is created.
Bind an SSL policy to a switch.	http secure-server ssl-policy policy-name	A default SSL policy is available on an HTTP server.
Enable the HTTPS service.	http [ ipv6 ] secure-server enable	By default, the HTTPS IPv4 service function is enabled, and the HTTPS IPv6 service function is disabled.

Table 6-2 Other commands

Function	Command	Description
Check the validity of a web page file.	check file-integrity filename signature-filename	If the check fails, the file cannot be used as the system software, patch file, web page file, or mod file.
Set a port number of an HTTPS server.	http [ ipv6 ] secure-server port port-number	The default port number is 443.
Set a source interface for an HTTPS server.	http server-source -i loopback interface-number	Before setting a source interface for an HTTPS server, ensure that the loopback interface to be specified as the source interface has been created. If not, this command cannot be correctly executed.
Set the HTTPS session inactivity period.	http timeout timeout	By default, the HTTPS session inactivity period is 20 minutes.
Customize an SSL cipher suite policy.	ssl cipher-suite-list customization-policy-name	By default, a switch supports only security algorithms. You can run this command to customize a cipher suite policy.
Set cipher suites for a customized SSL cipher suite policy.	set cipher-suite { tls12_ck_dss_aes_128_gcm_sha256 \| tls12_ck_dss_aes_256_gcm_sha384 \| tls12_ck_rsa_aes_128_gcm_sha256 \| tls12_ck_rsa_aes_256_gcm_sha384 }	By default, no cipher suite is configured for a customized SSL cipher suite policy. The system software does not support the tls12_ck_rsa_aes_256_cbc_sha256, tls1_ck_dhe_dss_with_aes_128_sha, tls1_ck_dhe_dss_with_aes_256_sha, tls1_ck_dhe_rsa_with_aes_128_sha, tls1_ck_dhe_rsa_with_aes_256_sha, tls1_ck_rsa_with_aes_128_sha, and tls1_ck_rsa_with_aes_256_sha parameters. To use these parameters, you need to install the WEAKEA plug-in. For security purposes, you are advised to use other parameters. You can search for Plug-in Usage Guide at the Huawei technical support website (Enterprise Network or Carrier), and choose the desired plug-in usage guide based on the switch model and software version. If you do not have permission to access the website, contact technical support personnel.
Set the minimum SSL version of an SSL policy.	ssl minimum version { tls1.1 \| tls1.2 }	The default minimum SSL version of an SSL policy is TLS1.2. The system software does not support the tls1.0 parameter. To use this parameter, you need to install the WEAKEA plug-in. For security purposes, you are advised to specify the tls1.2 parameter. You can search for Plug-in Usage Guide at the Huawei technical support website (Enterprise Network or Carrier), and choose the desired plug-in usage guide based on the switch model and software version. If you do not have permission to access the website, contact technical support personnel.
Bind a specified customized SSL cipher suite policy to an SSL policy.	binding cipher-suite-customization customization-policy-name	By default, each SSL policy uses a default cipher suite. If the cipher suite in the customized cipher suite policy bound to an SSL policy contains only one type of algorithm (RSA or DSS), the corresponding certificate must be loaded for the SSL policy to ensure successful SSL negotiation.
Load a PEM digital certificate/certificate chain and specify a private key file.	certificate load pem-cert cert-filename key-pair { dsa \| rsa } key-file key-filename auth-code cipher auth-code certificate load pem-chain cert-filename key-pair { dsa \| rsa } key-file key-filename auth-code cipher auth-code	Only one certificate or certificate chain can be loaded to an SSL policy. (A certificate chain is a list of trust certificates, starting from the device's certificate and ending at the root CA certificate.) If a certificate or certificate chain has been loaded, run the undo certificate load command to unload the old certificate or certificate chain before loading a new one. Select the corresponding configuration based on the certificate type. When loading a PEM certificate or certificate chain, run one of the following commands based on whether a user obtains a digital certificate or certificate chain from the CA. Command 1 is used to load a PEM digital certificate and specify a private key file. Command 2 is used to load a PEM certificate chain and specify a private key file.
Load an ASN1 digital certificate and specify a private key file.	certificate load asn1-cert cert-filename key-pair { dsa \| rsa } key-file key-filename
Load a PFX digital certificate and specify a private key file.	certificate load pfx-cert cert-filename key-pair { dsa \| rsa } { mac cipher mac-code \| key-file key-filename } auth-code cipher auth-code
Force a specified web user to go offline.	free http user-id user-id	Currently, the switch supports a maximum of five concurrent online web users.
Set personalized greeting messages on the web system.	web welcome-message message	N/A
View online web user information.	display http user [ username username ]	N/A

Translation

简体中文

Download

Updated: 2022-05-25

Document ID: EDOC1100127196

Downloads: 37

Average rating:

This Document Applies to these Products

Related Version

Digital Signature File

Digital Signature Authentication Mode

Enterprise

Huawei Cloud

Carrier

Consumer

Corporate