SSL for Web Browser Clients; DNS Name and Web Browser Clients - Alcatel OmniSwitch 6624 Network Configuration Manual


Configuring Authenticated VLANs

SSL for Web Browser Clients

Secure Socket Layer (SSL) is used to authenticate Web browser clients. A certificate from a
Certification Authority (CA) or a self-signed (private) certificate must be installed on the switch.
A self-signed certificate is provided by Alcatel (wv-cert.pem). If you are using a well-known
certificate or some other self-signed certificate, you should replace the wv-cert.pem file with the
relevant file.

Web browser clients will automatically recognize well-known SSL certificates, but if a self-signed
certificate (such as the wv-cert.pem file) is used, the client will not automatically recognize the
certificate.

Windows, Linux, and Mac OS 9 Clients

If you are using the wv-cert.pem file or another self-signed certificate, the client will not recognize the
certificate, and a warning message will display on the client; however, the client will be allowed to
authenticate.

Mac OSX.1 Clients

On Mac OSX.1, if you are using the wv-cert.pem file or another self-signed certificate, the certificate file
must be FTP'd to the workstation and installed with the keytool command as follows:

1. FTP the wv-cert.pem file (or the relevant certificate file) from the /flash/switch directory on the
switch to the workstation.

2. On the Mac workstation, open a Terminal application at the root (see the previous section for
information about enabling root access). Enter the following command:

keytool -import -keystore <path to JDK installation>/lib/security/cacerts -alias ALCATEL_AVLAN -file <path to certificate file>

For example:

keytool -import -keystore /System/Library/Frameworks/JavaVM.framework/Versions/1.3.1/Home/lib/security/cacerts -alias ALCATEL_AVLAN -file /Users/endalat/Desktop/wv-cert.pem

Note. The keytool command requires a password. By default, the password is changeit.

DNS Name and Web Browser Clients

For Mac OSX.1 clients, the DNS name in the certificate must match the DNS name configured on the
switch through the aaa avlan dns command. If the DNS names do not match, the Java applet in the client
cannot be loaded and the client cannot authenticate. (For other clients, if the DNS names do not match, a
warning will display when the client attempts to authenticate; however, the client is still allowed to
authenticate.)

The wv-cert.pem certificate contains a default DNS name (webview). To configure the DNS name on the
switch, enter the aaa avlan dns command with the DNS name matching the one in the certificate. For
example:

-> aaa avlan dns webview

On the browser workstation, the authentication user must enter the DNS name in the browser command
line to display the authentication page.
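
The DNS name match described above can be checked on a workstation before a replacement certificate is copied to the switch. The script below is an added example, not part of the Alcatel manual: it assumes OpenSSL is installed and that the certificate carries its DNS name in the subject Common Name, its function names are hypothetical, and it generates a constructed certificate with CN=webview to stand in for wv-cert.pem.

```shell
#!/bin/sh
# Added example: confirm that a certificate's DNS name matches the name
# configured with "aaa avlan dns" before installing it on the switch.
# Assumption: the DNS name is carried in the subject Common Name (CN).

# Print the subject CN of a PEM certificate.
cert_dns_name() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# Return 0 if the certificate CN equals the configured name (case-insensitive),
# 1 if it differs or the certificate has no CN.
check_avlan_dns() {
    cert_name=$(cert_dns_name "$1" | tr '[:upper:]' '[:lower:]')
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    if [ -n "$cert_name" ] && [ "$cert_name" = "$want" ]; then
        echo "match: certificate CN '$cert_name' equals configured name"
        return 0
    fi
    echo "MISMATCH: certificate CN '$cert_name', configured name '$want'" >&2
    return 1
}

# Constructed sample: a throwaway self-signed certificate with CN=webview,
# standing in for wv-cert.pem. Prints the path of the generated file.
make_sample_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=webview" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    echo "$dir/cert.pem"
}

sample=$(make_sample_cert)
check_avlan_dns "$sample" webview
# SHA-256 fingerprint, for comparison with the certificate details a browser
# shows when it warns about a self-signed certificate.
openssl x509 -in "$sample" -noout -fingerprint -sha256
```

To check a real file, pass its path and the name given to the aaa avlan dns command, for example `check_avlan_dns wv-cert.pem webview`.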

For more information about configuring a DNS name, see "Setting Up a DNS Path" on page 18-29.

Setting Up Authentication Clients
OmniSwitch 6624/6648 Network Configuration Guide, April 2004, page 18-11


This manual is also suitable for:

Omniswitch 6648