Ssl and enhanced stacking – Allied Telesis AT-S62 User Manual

Chapter 33: Public Key Infrastructure Certificates

Section VII: Management Security

SSL and Enhanced Stacking

Secure Sockets Layer (SSL) is supported in an enhanced stack, but only
when all switches in the stack are using the feature.

A web server can operate in one of two modes -- HTTP or HTTPS. When a
switch’s web server is operating in HTTP, management packets are
transmitted in plaintext. When it operates in HTTPS, management
packets are sent encrypted.

The web server on an AT-8500 Series switch, and also an AT-8400 Series
switch, can operate in either mode. Enhanced stacking switches that do
not support SSL, such as the AT-8000 Series switches, use HTTP
exclusively.

A web browser management session of the switches in an enhanced
stack cannot change its security mode during a session. The
management session assumes that the web server mode that the master
switch is using is the same for all the switches in the stack.

As an example, if the master switch is using HTTPS, a web browser
management session assumes that all the other switches in the stack are
also using HTTPS, and it will not allow you to manage any switches
running HTTP.

For those networks that consist of enhanced stacking switches where
some switches support SSL and others do not, there are two approaches
you can take. One is to create different enhanced stacks for the different
switches. You could create one enhanced stack for those switches that
support SSL and another stack for those that do not. You create different
enhanced stacks by assigning switches to different Management VLANs,
as explained in Specifying a Management VLAN on page 546.

Another approach is to leave the switches in one enhanced stack, but
designate two master switches. One master switch could be using HTTP
and the other HTTPS. When you want to use your web browser to
manage those switches that support SSL, you would start the
management session on the master switch whose server mode is set to
HTTPS. To manage those switches not supporting SSL, you would start the
management session on the master switch whose web server is set to
HTTP.
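The following is an added example, not part of the manual and not Allied Telesis code. It models the rules stated above as a small audit over a constructed inventory: switches are grouped into enhanced stacks by Management VLAN, a web browser session started on a master switch can only reach stack members running the same web server mode as that master, and an AT-8000 Series switch can only be in HTTP mode. The audit reports which switches would be unreachable from every master, and the two remedies from the text (a second master, or a separate stack via a different Management VLAN) are shown as inventory changes that clear the report. Switch names, VLAN names and the inventory itself are hypothetical.

```python
from dataclasses import dataclass, replace
from collections import defaultdict

@dataclass(frozen=True)
class Switch:
    name: str
    model: str       # e.g. "AT-8500", "AT-8400", "AT-8000"
    mgmt_vlan: str   # switches sharing a Management VLAN form one enhanced stack
    web_mode: str    # "HTTP" or "HTTPS"
    master: bool = False

# Constructed inventory (hypothetical): one stack containing SSL-capable
# switches plus one AT-8000 Series switch that cannot run HTTPS.
INVENTORY = [
    Switch("core-1",   "AT-8500", "mgmt-ssl", "HTTPS", master=True),
    Switch("edge-1",   "AT-8500", "mgmt-ssl", "HTTPS"),
    Switch("edge-2",   "AT-8400", "mgmt-ssl", "HTTPS"),
    Switch("legacy-1", "AT-8000", "mgmt-ssl", "HTTP"),
]

def invalid_modes(inventory):
    """Names of switches whose model cannot run the configured web mode.
    Per the manual, AT-8000 Series switches use HTTP exclusively."""
    return [s.name for s in inventory
            if s.model.startswith("AT-8000") and s.web_mode != "HTTP"]

def stacks(inventory):
    """Group switches into enhanced stacks keyed by Management VLAN."""
    groups = defaultdict(list)
    for s in inventory:
        groups[s.mgmt_vlan].append(s)
    return dict(groups)

def audit(inventory):
    """For each stack, list which members each master can manage from a
    web browser session (same web server mode as the master) and which
    members are unreachable from every master."""
    report = {}
    for vlan, members in stacks(inventory).items():
        per_master = {}
        covered = set()
        for m in (s for s in members if s.master):
            reach = [s.name for s in members if s.web_mode == m.web_mode]
            per_master[m.name] = reach
            covered.update(reach)
        unmanaged = [s.name for s in members if s.name not in covered]
        report[vlan] = {"masters": per_master, "unmanaged": unmanaged}
    return report

def promote_second_master(inventory, name):
    """Remedy 2 from the text: designate an extra master (here the HTTP switch)
    so the stack has one master per web server mode."""
    return [replace(s, master=True) if s.name == name else s for s in inventory]

def move_to_vlan(inventory, name, vlan):
    """Remedy 1 from the text: put the switch in a different Management VLAN,
    which places it in a separate enhanced stack (it becomes that stack's master)."""
    return [replace(s, mgmt_vlan=vlan, master=True) if s.name == name else s
            for s in inventory]

if __name__ == "__main__":
    print("mode errors:", invalid_modes(INVENTORY))
    print("as-is:", audit(INVENTORY))
    print("two masters:", audit(promote_second_master(INVENTORY, "legacy-1")))
    print("split stacks:", audit(move_to_vlan(INVENTORY, "legacy-1", "mgmt-plain")))
```

Run as-is, the audit flags legacy-1 as unreachable from the only (HTTPS) master; after either remedy every switch is reachable from some master. The same check is useful before enabling HTTPS on a master in production, since a mode change on the master silently cuts off web management of every member still on HTTP.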

In order to implement SSL in an enhanced stack, each switch in the stack
must be given its own encryption key pair and certificate. Switches
cannot share keys and certificates. When you start a web browser
management session on the master switch of an enhanced stack, the
management session uses the certificate and key pair on the master
switch. When you change to another switch in the stack, the
management session starts to use the certificate and key pair on that
switch, and so forth.