Security Guide for ProCurve 9300/9400 Series Routing Switches
ProCurveRS(config)# ip ssl certificate-data-file tftp 192.168.9.210 certfile
Syntax: [no] ip ssl certificate-data-file tftp <ip-addr> <certificate-filename>
NOTE: If you import a digital certificate from a client, it can be no larger than 2048 bytes.
To import an RSA private key from a client using TFTP, enter a command such as the following:
ProCurveRS(config)# ip ssl private-key-file tftp 192.168.9.210 keyfile
Syntax: [no] ip ssl private-key-file tftp <ip-addr> <key-filename>
The <ip-addr> is the IP address of a TFTP server that contains the digital certificate or private key.
Generating an SSL Certificate
After you have imported the digital certificate, generate the SSL certificate by entering the following command:
ProCurveRS(config)# crypto-ssl certificate generate
Syntax: [no] crypto-ssl certificate generate
If you did not already import a digital certificate from a client, the device can create a default certificate. To do this, enter the following command:
ProCurveRS(config)# crypto-ssl certificate generate default
Syntax: [no] crypto-ssl certificate generate default
Deleting the SSL Certificate
To delete the SSL certificate, enter the following command:
ProCurveRS(config)# crypto-ssl certificate zeroize
Syntax: [no] crypto-ssl certificate zeroize
Configuring TACACS/TACACS+ Security
You can use the security protocol Terminal Access Controller Access Control System (TACACS) or TACACS+ to
authenticate the following kinds of access to the HP device:
• Telnet access
• SSH access
• Web management access
• Access to the Privileged EXEC level and CONFIG levels of the CLI
The TACACS and TACACS+ protocols define how authentication, authorization, and accounting information is
sent between an HP device and an authentication database on a TACACS/TACACS+ server. TACACS/TACACS+
services are maintained in a database, typically on a UNIX workstation or PC with a TACACS/TACACS+ server
running.
How TACACS+ Differs from TACACS
TACACS is a simple UDP-based access control protocol originally developed by BBN for MILNET. TACACS+ is an
enhancement to the TACACS security protocol that uses TCP to ensure reliable delivery. TACACS+ improves on
TACACS by separating the functions of authentication, authorization, and accounting (AAA) and by encrypting all
traffic between the HP device and the TACACS+ server. TACACS+ allows authentication exchanges of arbitrary
length and content, which allows any authentication mechanism to be used with the HP device. TACACS+ is
extensible to provide for site customization and future development features. The protocol allows the HP device to
request very precise access control and allows the TACACS+ server to respond to each component of that request.
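The following added example (not from the ProCurve guide) shows what "encrypting all traffic" means on the wire: per RFC 8907, the TACACS+ packet body is XORed with an MD5 keystream derived from the session id, the shared key, the version byte and the sequence number, so a peer with the same key recovers the body and a peer with a different key gets garbage. The shared secret, session id and user name are constructed sample values.

```python
import hashlib
import struct

# Constructed sample values, not taken from the ProCurve guide: a hypothetical
# shared secret and session id for a TACACS+ v12.0 authentication START packet.
SHARED_KEY = b"example-shared-secret"
VERSION = 0xC0           # major version 0xC, minor 0 => TACACS+ 12.0
TYPE_AUTHEN = 0x01
SESSION_ID = 0x12345678
UNENCRYPTED_FLAG = 0x01  # TAC_PLUS_UNENCRYPTED_FLAG: body sent in cleartext

def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 keystream from RFC 8907 section 4.5:
    MD5_1 = MD5(session_id || key || version || seq_no)
    MD5_n = MD5(session_id || key || version || seq_no || MD5_{n-1})"""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the keystream; the same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def authen_start_body(user, port=b"vty0", rem_addr=b"10.0.0.5"):
    """Authentication START body: action LOGIN, priv level 1, ASCII, service LOGIN."""
    return (struct.pack("!8B", 0x01, 0x01, 0x01, 0x01,
                        len(user), len(port), len(rem_addr), 0)
            + user + port + rem_addr)

def build_packet(body, session_id, key, seq_no=1, version=VERSION, flags=0):
    """12-byte header (RFC 8907 section 4.1) followed by the body."""
    header = struct.pack("!BBBBII", version, TYPE_AUTHEN, seq_no, flags,
                         session_id, len(body))
    if flags & UNENCRYPTED_FLAG:
        return header + body
    return header + obfuscate(body, session_id, key, version, seq_no)

def parse_packet(packet, key):
    """Return the cleartext body; a wrong key yields garbage, not an error."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack(
        "!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if flags & UNENCRYPTED_FLAG:
        return body
    return obfuscate(body, session_id, key, version, seq_no)
```

Because the keystream depends only on the shared key and fields carried in the packet header, the protection is exactly as strong as the configured key; RFC 8907 therefore calls this mechanism obfuscation rather than encryption.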
2 - 20
June 2005