Secure HTTP (HTTPS)
Feature History
Release       Modification
12.1(11b)E    This feature was introduced on Cisco 7100 series routers and Cisco 7200 series routers.
12.2(14)S     This feature was integrated into Cisco IOS Release 12.2(14)S.
This document describes the Secure HTTP (HTTPS) feature in Cisco IOS Release 12.1(11b)E. It contains the following sections:
•
Feature Overview
•
Supported Platforms
•
Supported Standards, MIBs, and RFCs
•
Prerequisites
•
Configuration Tasks
•
Configuration Examples
•
Command Reference
Feature Overview
The Cisco IOS HTTP server provides authentication, but not encryption, for client connections. Everything the client and server exchange, including the username and password used to log in, is transmitted in the clear, so anyone who can intercept the traffic can read or modify it.
The Secure HTTP (HTTPS) feature provides the capability to connect to the Cisco IOS HTTPS server securely. It uses Secure Sockets Layer (SSL) and Transport Layer Security (TLS) to provide device authentication and data encryption (see the "Benefits" section).
The HTTP and HTTPS servers can be enabled and disabled separately.
Connecting Securely to the Cisco IOS HTTPS Server
When the Secure HTTP (HTTPS) feature is enabled (see the "Enabling HTTPS" section for instructions), you can connect to the device securely by connecting to the following URL with a web browser that supports SSL:
https://device:[port_number]
where device is the IP address of the device (or its DNS name if the device is registered in DNS) and port_number is the HTTPS port number. You can omit port_number if HTTPS is configured to use the default port. The default HTTPS port is 443, but you can change it.
Note
The protocol identifier https (note the "s" at the end) tells the server that the client is trying to connect securely. If you omit the "s" the connection will not be secure. If HTTPS is not configured to use the default port, you must specify the secure port or the connection will fail.
When you connect to the secure port, the following happens automatically:
•
The client authenticates the server using the server's digital certificate
•
The client and server negotiate which cipher suite (the combination of key exchange, authentication, encryption, and message authentication algorithms) they will use for the connection.
•
The client and server generate session keys for encrypting and decrypting data.
•
The client and server establish a secure encrypted connection.
If authentication fails or the client and server cannot negotiate a cipher suite, the session ends.
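The following Python script is an added example; it is not code from the Cisco document or from Cisco IOS. It applies the URL rules above (https scheme required, port 443 assumed when the port is omitted) and completes the handshake just described against a device, reporting the protocol version, cipher suite, and certificate fingerprint the device negotiated. The device address 10.0.0.1 and the function names are assumptions.

```python
"""Probe what a Cisco IOS HTTPS server negotiates with a client.

Added example; not code from the Cisco document. parse_device_url applies
the URL rules from the document (https scheme required, port 443 assumed
when the port is omitted). probe_https completes the TLS handshake and
reports the protocol version, cipher suite and certificate fingerprint
the device chose. Host names and addresses used here are assumptions.
"""
import hashlib
import socket
import ssl
import sys
from urllib.parse import urlsplit

DEFAULT_HTTPS_PORT = 443


def parse_device_url(url):
    """Return (host, port) for https://device[:port]; reject non-https URLs."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("scheme %r is not https; the connection would not be secure" % parts.scheme)
    if not parts.hostname:
        raise ValueError("URL does not name a device")
    port = DEFAULT_HTTPS_PORT if parts.port is None else parts.port
    if not 1 <= port <= 65535:
        raise ValueError("port %d is outside 1-65535" % port)
    return parts.hostname, port


def probe_https(host, port=DEFAULT_HTTPS_PORT, timeout=5.0):
    """Handshake with the device and report the negotiated parameters.

    Certificate verification is deliberately off: the point is to see what a
    possibly self-signed device certificate and cipher configuration look
    like, not to trust them. Compare the returned fingerprint with the
    fingerprint read from the device over a trusted path (its console)
    before accepting the certificate in a browser.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            suite, _, key_bits = tls.cipher()          # (name, protocol, secret bits)
            der = tls.getpeercert(binary_form=True)    # DER bytes even when unverified
            return {
                "protocol": tls.version(),
                "cipher_suite": suite,
                "key_bits": key_bits,
                "cert_sha256": hashlib.sha256(der).hexdigest() if der else None,
            }


if __name__ == "__main__":
    # Assumed device address; pass https://device[:port] on the command line instead.
    host, port = parse_device_url(sys.argv[1] if len(sys.argv) > 1 else "https://10.0.0.1")
    for key, value in probe_https(host, port).items():
        print("%-13s %s" % (key, value))
```

Run it as `python probe.py https://device:port`. A handshake failure (ssl.SSLError) against a device of this vintage usually means it offers only SSLv3 or cipher suites that current OpenSSL builds have disabled; that result is itself worth recording, because it tells you which management clients can still reach the device securely.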
Benefits
The Secure HTTP (HTTPS) feature provides the following benefits:
Encrypted Communication with Cisco IOS HTTPS Server
HTTPS encrypts communications between connected clients and servers to provide data confidentiality. It supports the following encryption algorithms:
•
Ron's Cipher 2 (RC2) with 40-, 50-, 60-, and 128-bit encryption
•
Ron's Cipher 4 (RC4) with 40-, 50-, 60-, and 128-bit encryption
Note
RC2, RC4, and the short (export-length) key sizes in this list are obsolete by current standards; RFC 7465 prohibits RC4 in TLS, and current browsers no longer offer these cipher suites. Read the list as what the 12.1(11b)E server can negotiate, not as a recommendation.
Authenticated Communication Between Client and Server
HTTPS authenticates the server to the client with the server's X.509 digital certificate during the handshake; the client is then authenticated to the server with the credentials configured by the ip http authentication command (see the "Configuring HTTPS Authentication" section). It supports the following authentication algorithms and standards:
•
Digest-based:
–
Message Digest 5 (MD5)
–
Secure Hash Algorithm 1 (SHA-1)
•
Public key-based:
–
Rivest-Shamir-Adleman (RSA) encryption/decryption/key generation
–
Digital Signature Algorithm (DSA) signature generation/verification/key generation
–
Diffie-Hellman key-exchange/key generation
•
X.509 digital certificates
Restrictions
Client systems must meet the requirements described in the "Client System Requirements" section.
Related Features and Technologies
•
The Cisco web browser interface is documented in the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2.
•
Public key infrastructure (PKI) and its component features (such as digital certificates and certification authorities) are documented in the Cisco IOS Security Configuration Guide, Release 12.2.
•
Secure Sockets Layer (SSL)
•
Transport Layer Security (TLS)
Related Documents
•
Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2
•
Cisco IOS Security Configuration Guide, Release 12.2
•
Internet-draft The SSL Protocol Version 3.0
Supported Platforms
The Secure HTTP (HTTPS) feature is supported in Cisco IOS images whose filenames contain the characters "k2" or "56i". The Secure HTTP (HTTPS) feature is supported on these platforms:
•
Cisco 7100 series routers
•
Cisco 7200 series routers
•
Cisco 7400 series routers
Platform Support Through Feature Navigator
Cisco IOS software is packaged in feature sets that support specific platforms. To get updated information regarding platform support for this feature, access Feature Navigator. Feature Navigator dynamically updates the list of supported platforms as new platform support is added for the feature.
Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image.
To access Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, e-mail the Contact Database Administration group at cdbadmin@cisco.com. If you want to establish an account on Cisco.com, go to http://www.cisco.com/register and follow the directions to establish an account.
Feature Navigator is updated when major Cisco IOS software releases and technology releases occur. As of May 2001, Feature Navigator supports M, T, E, S, and ST releases. You can access Feature Navigator at the following URL:
http://www.cisco.com/go/fn
Supported Standards, MIBs, and RFCs
Standards
No new or modified standards are supported by this feature.
MIBs
No new or modified MIBs are supported by this feature.
To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
RFCs
No new or modified RFCs are supported by this feature.
Prerequisites
Complete the following prerequisites before using the Secure HTTP (HTTPS) feature.
RSA Key Pair
You should generate an RSA usage key pair with a length of 1024 bits or greater for the device (as described in the "IP Security and Encryption" chapter of Cisco IOS Security Configuration Guide, Release 12.2). The following is an example of a command that generates a suitable RSA key pair:
crypto key generate rsa usage 1024
Note
Even if you do not obtain a digital certificate for the device from a certification authority (CA), the device needs a key pair to generate a self-signed digital certificate.
RSA key pairs generated by a version of IOS that does not include the Secure HTTP (HTTPS) feature will not work with HTTPS. If you upgrade the IOS version on your device from a version that does not include the Secure HTTP (HTTPS) feature to a version that does include it, and you intend to connect to the device using HTTPS, you must delete existing RSA keys and generate new RSA usage keys using the new IOS version (as described in the "IP Security and Encryption" chapter of Cisco IOS Security Configuration Guide, Release 12.2).
If you do not generate an RSA usage key pair manually, an RSA usage key pair with a length of 768 bits is generated automatically when a client connects to the HTTPS server for the first time. A 768-bit RSA key is too short by current standards, so generate a 1024-bit or longer key pair yourself rather than relying on this fallback. The automatically generated keys are not saved to the startup configuration; unless you save the configuration manually, they are lost when the device is rebooted, and the device then generates a different key pair and a different self-signed certificate, which clients that accepted the old certificate will see as a change.
Digital Certificate
You should obtain an X.509 digital certificate with digital signature capabilities for the device from a certification authority (CA) (as described in the "IP Security and Encryption" chapter of Cisco IOS Security Configuration Guide, Release 12.2).
Digital certificates obtained by a version of IOS that does not include the Secure HTTP (HTTPS) feature will not work with HTTPS. If you upgrade the IOS version on your device from a version that does not include the Secure HTTP (HTTPS) feature to a version that does include it, and you intend to connect to the device using HTTPS, you must delete the existing device digital certificate and obtain a new device digital certificate from a CA using the new IOS version (as described in the "IP Security and Encryption" chapter of Cisco IOS Security Configuration Guide, Release 12.2).
If you do not obtain a digital certificate in advance, the device creates a self-signed digital certificate to authenticate itself.
If you change the device hostname after obtaining a device digital certificate, HTTPS connections to the device fail because the hostname does not match the hostname specified in the digital certificate. Obtain a new device digital certificate using the new hostname to fix this problem.
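As an added example (not code from the Cisco document), the following Python function shows the name-matching rule a client applies to the device certificate, which is why a hostname change after enrollment breaks HTTPS. The certificate is given in the dictionary form that Python's ssl.SSLSocket.getpeercert() returns; the sample certificate for router1.example.net is constructed for the example, and the function names are assumptions.

```python
"""Check whether a device certificate still covers the name a client uses.

Added example, not part of the Cisco document. Certificates are in the
dictionary form returned by ssl.SSLSocket.getpeercert(), so the check can
be exercised offline on a constructed certificate.
"""
import ipaddress


def _dns_name_match(pattern, hostname):
    """RFC 6125 style match: case-insensitive; a wildcard is allowed only as
    the whole leftmost label and never matches across a dot."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                      # "*.example.net" -> ".example.net"
    left, dot, rest = hostname.partition(".")
    return bool(left) and dot == "." and ("." + rest) == suffix


def cert_names(cert):
    """Names a client accepts: subjectAltName entries first; the subject CN
    is consulted only when the certificate carries no subjectAltName."""
    names = [(kind, value) for kind, value in cert.get("subjectAltName", ())
             if kind in ("DNS", "IP Address")]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(("CN", value))
    return names


def hostname_matches(cert, hostname):
    """True if hostname (a DNS name or an IP literal) is covered by cert.
    False is the condition described in the document: the device was renamed
    after the certificate was issued, so clients refuse the connection."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    for kind, value in cert_names(cert):
        if ip is not None:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
            continue
        if kind in ("DNS", "CN") and _dns_name_match(value, hostname):
            return True
    return False


# Constructed sample resembling a certificate issued to a device named
# router1 (assumed name; not a certificate from any real device).
DEVICE_CERT = {
    "subject": ((("commonName", "router1.example.net"),),),
    "subjectAltName": (("DNS", "router1.example.net"), ("IP Address", "10.0.0.1")),
    "notAfter": "Jan  1 00:00:00 2031 GMT",
}
```

If the device is renamed to router2, hostname_matches(DEVICE_CERT, "router2.example.net") is False while the IP address still matches; a browser that connects by address will therefore keep working after the rename, which can hide the problem until someone connects by name.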
Client System Requirements
Client systems must have a web browser that supports SSL to connect to the Cisco IOS HTTPS server securely.
The following client operating system and browser combinations have been tested:
Configuration Tasks
See the following sections for configuration tasks for the Secure HTTP (HTTPS) feature. Each task is identified as required or optional.
•
Enabling HTTPS (required)
•
Disabling HTTPS (optional)
•
Changing the HTTPS Port Number (optional)
•
Verifying HTTPS Configuration (optional)
•
Configuring HTTPS Authentication (optional)
Enabling HTTPS
To enable HTTPS, enter the following command in global configuration mode:
Command                                   Purpose
Router(config)# ip http secure-server     Enables HTTPS. The server listens on port 443 unless ip http secure-port is configured.
Disabling HTTPS
To disable HTTPS, enter the following command in global configuration mode:
Command                                      Purpose
Router(config)# no ip http secure-server     Disables HTTPS.
Changing the HTTPS Port Number
The default HTTPS port number is 443. To change the HTTPS port number, enter the following command in global configuration mode:
Command                                             Purpose
Router(config)# ip http secure-port port_number     Changes the secure HTTPS port number. The acceptable range is 1-65535.
You cannot configure the HTTP and HTTPS servers to use the same port. If you try to do so, the following error message appears:
% Port port_number in use by HTTP.
where port_number is the port number that is already assigned to the HTTP server.
If you change the HTTPS port number, clients attempting to connect to the HTTPS server must specify the port number in the URL, in this format:
https://device:port_number
where port_number is the HTTPS port number.
Configuring HTTPS Authentication
The HTTPS server uses the same authentication configuration settings as the HTTP server. Configuring HTTP authentication using the ip http authentication command also configures authentication for HTTPS. Configuring authentication for the HTTP and HTTPS servers adds additional security to communication between clients and the HTTP and HTTPS servers on the device. Because the HTTP server sends those credentials without encryption (see the "Feature Overview" section), disable the HTTP server with the no ip http server command once HTTPS is working, unless clients still require it.
Refer to the "Cisco IOS User Interfaces" chapter of the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2, for information about configuring HTTP (and HTTPS) authentication.
Verifying HTTPS Configuration
Follow these steps to verify that HTTPS is configured correctly:
Step 1
Enter the show running-config command and verify the following:
a.
The following line appears in the running configuration:
ip http secure-server
b.
If you changed the HTTPS port number from the default, the following line appears in the running configuration:
ip http secure-port port_number
where port_number is the port number you configured as the HTTPS port.
Step 2
Connect to the device using a web browser that supports SSL to verify that it can connect securely:
a.
Connect to the following URL using the web browser:
https://device:[port_number]
where device is the IP address of the device (or its DNS name if the device is registered in DNS) and port_number is the HTTPS port number. You can omit port_number if HTTPS is configured to use the default port. The default secure HTTPS port number is 443, but you can change it.
Note
The protocol identifier https (note the "s" at the end) indicates to the server that the client is trying to connect securely. If you omit the "s" the connection will not be secure. If HTTPS is not configured to use the default port, you must specify the secure port number or the connection will fail.
b.
If a dialog box appears informing you that you are connecting to a secure page, click OK (or the equivalent button). If the browser instead warns that the certificate is not trusted, which is expected when the device uses a self-signed certificate, compare the certificate fingerprint the browser shows with the fingerprint of the device certificate obtained through the console before accepting it.
c.
Enter a valid username and password (if necessary) in the login dialog box, then click OK.
The device home page should appear in the web browser.
d.
Verify that the connection is secure using the indicators provided by the web browser.
•
In Internet Explorer 5.x and Netscape Navigator 4.x, a padlock icon appears in the status bar.
•
In Internet Explorer 5.x, select File > Properties and verify in the Properties dialog box that the entry in the Protocol field is HyperText Transfer Protocol with Privacy.
•
In Netscape Navigator 4.x, click the Security button in the main toolbar and verify in the Security Info dialog box that the page was encrypted.
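The following Python script is an added example, not part of the Cisco document. It performs Step 1 above on the saved text of show running-config, and also applies the port-conflict rule from the "Changing the HTTPS Port Number" section and the shared authentication setting from the "Configuring HTTPS Authentication" section. The configuration fragments inside it are constructed for the example, and the function names are assumptions.

```python
"""Audit the ip http lines of a saved Cisco IOS running configuration.

Added example, not part of the Cisco document. It checks what the
verification steps check by eye: is ip http secure-server present, which
port is in use, does the HTTPS port collide with the HTTP port, is
authentication configured, and is the plaintext HTTP server still enabled
alongside HTTPS.
"""
import re

HTTP_DEFAULT_PORT = 80
HTTPS_DEFAULT_PORT = 443

# One ip http line, optionally negated, with an optional single argument.
_LINE = re.compile(
    r"^\s*(no\s+)?ip http (secure-server|server|secure-port|port|authentication)"
    r"(?:\s+(\S+))?\s*$"
)


def parse_http_config(running_config):
    """Reduce the ip http lines of a configuration to a small state dict."""
    state = {
        "http_enabled": False,
        "https_enabled": False,
        "http_port": HTTP_DEFAULT_PORT,
        "https_port": HTTPS_DEFAULT_PORT,
        "authentication": None,          # None means no ip http authentication line
    }
    for line in running_config.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        negated, keyword, arg = bool(m.group(1)), m.group(2), m.group(3)
        if keyword == "server":
            state["http_enabled"] = not negated
        elif keyword == "secure-server":
            state["https_enabled"] = not negated
        elif keyword == "port":
            state["http_port"] = HTTP_DEFAULT_PORT if negated or arg is None else int(arg)
        elif keyword == "secure-port":
            state["https_port"] = HTTPS_DEFAULT_PORT if negated or arg is None else int(arg)
        elif keyword == "authentication":
            state["authentication"] = None if negated else arg
    return state


def audit_http_config(running_config):
    """Return findings as strings; an empty list means HTTPS is enabled,
    the plaintext server is off, and authentication is explicitly set."""
    s = parse_http_config(running_config)
    findings = []
    if not s["https_enabled"]:
        findings.append("ip http secure-server is missing: HTTPS is disabled")
    if s["https_enabled"] and s["http_enabled"]:
        findings.append("ip http server is still enabled: credentials can be sent without encryption")
    if s["https_enabled"] and s["http_enabled"] and s["http_port"] == s["https_port"]:
        findings.append(f"HTTP and HTTPS both on port {s['https_port']}: the device rejects this")
    if s["authentication"] is None:
        findings.append("no ip http authentication line: the servers fall back to the enable password")
    if s["https_enabled"] and s["https_port"] != HTTPS_DEFAULT_PORT:
        findings.append(f"HTTPS on non-default port: clients must use https://device:{s['https_port']}")
    return findings


# Constructed configuration fragments (not taken from a real device).
GOOD_CONFIG = """\
hostname router1
no ip http server
ip http secure-server
ip http secure-port 1000
ip http authentication local
"""

WEAK_CONFIG = """\
hostname router1
ip http server
"""
```

Feed it the output of show running-config captured over the console or an already-verified HTTPS session; a configuration pulled over plain HTTP or Telnet is exactly the exposure the audit is meant to find.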
Troubleshooting Tips
If any of the following syslog error messages appear (syslog messages appear on the console only), verify that the device has an RSA key pair and a valid router digital certificate, and that the device hostname was not changed after a digital certificate was obtained from a certification authority (CA):
01:28:02: %OPENSSL-3-SSLERR: No router certificate for HOSTNAME
01:28:02: %OPENSSL-3-SSLERR: Unable to load router certificate for HOSTNAME
01:28:02: %OPENSSL-3-SSLERR: Unable to load self-signed certificate for HOSTNAME
where HOSTNAME is the device hostname.
Configuration Examples
This section provides the following configuration examples:
•
Enabling HTTPS Example
•
Disabling HTTPS Example
•
Changing the HTTPS Port Number Example
Enabling HTTPS Example
The following command enables HTTPS:
ip http secure-server
Disabling HTTPS Example
The following command disables HTTPS:
no ip http secure-server
Changing the HTTPS Port Number Example
The following command changes the secure HTTPS port number to 1000:
ip http secure-port 1000
You cannot configure the HTTP and HTTPS servers to use the same port. If you try to do so, the following error message appears:
% Port port_number in use by HTTP.
where port_number is the port number that is already assigned to the HTTP server.
If you change the HTTPS port number, clients attempting to connect to the HTTPS server must specify the port number in the URL, in this format:
https://device:port_number
where port_number is the HTTPS port number.
Command Reference
This section documents new commands. All other commands used with this feature are documented in the Cisco IOS Release 12.1(11b)E command reference publications.
debug ip http secure-all
Use the debug ip http secure-all command in privileged EXEC mode to generate the following:
•
The debugging information generated by the debug ip http secure-session command
•
The debugging information generated by the debug ip http secure-state command
•
Debugging information for each call to the SSL driver, for use primarily by Cisco support personnel
To disable this debugging, use the no form of this command.
debug ip http secure-all
no debug ip http secure-all
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
Privileged EXEC
Command History
Release       Modification
12.1(11b)E    This command was introduced.
12.2(14)S     This command was integrated into Cisco IOS Release 12.2(14)S.
Usage Guidelines
This command generates the following:
•
The debugging information generated by the debug ip http secure-session command. See the "debug ip http secure-session" section for example debugging output.
•
The debugging information generated by the debug ip http secure-state command. See the "debug ip http secure-state" section for example debugging output.
•
Debugging information for each call to the SSL driver, for use primarily by Cisco support personnel
Examples
The following example generates the following:
•
The debugging information generated by the debug ip http secure-session command
•
The debugging information generated by the debug ip http secure-state command
•
Debugging information for each call to the SSL driver
debug ip http secure-all
Related Commands
Command                         Description
debug ip http secure-session    Generates debugging information about each new secure HTTPS session when it is created.
debug ip http secure-state      Generates debugging output each time the Secure HTTP (HTTPS) feature changes state.
debug ip http secure-session
To generate debugging information about each new secure HTTPS session when it is created, use the debug ip http secure-session command in privileged EXEC mode. To disable this debugging, use the no form of this command.
debug ip http secure-session
no debug ip http secure-session
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
Privileged EXEC
Command History
Release       Modification
12.1(11b)E    This command was introduced.
12.2(14)S     This command was integrated into Cisco IOS Release 12.2(14)S.
Usage Guidelines
This command generates debugging information about each new HTTPS session when it is created. When a new HTTPS session is created, debugging information is generated in the following format:
HTTPS SSL Session Established/Handshake done - Peer 10.0.0.1
state = SSL negotiation finished successfully
SessionInfo: Digest=RC4-MD5 SSLVer=SSLv3 KeyEx=RSA Auth=RSA Cipher=RC4(128) Mac=MD5
The SessionInfo fields provide the following information about the session:
•
Digest—the cipher suite name as OpenSSL reports it (RC4-MD5 in the example, which combines the Cipher and Mac fields)
•
SSLVer—SSL or TLS version
•
KeyEx—key exchange mechanism
•
Auth—authentication mechanism
•
Cipher—encryption algorithm
•
Mac—Message Authentication Code algorithm
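The following Python module is an added example, not part of the Cisco document or of Cisco IOS. It parses the SessionInfo block shown above and the %OPENSSL-3-SSLERR console messages listed under "Troubleshooting Tips", and grades each session against what is acceptable today (SSLv3, RC4 and MD5, as in the sample output, are all retired). The console lines inside it are constructed in the documented format, and the function names are assumptions.

```python
"""Parse and grade Cisco IOS HTTPS debug and syslog output.

Added example, not part of the Cisco document. Handles the SessionInfo
line printed by debug ip http secure-session and the %OPENSSL-3-SSLERR
messages from the Troubleshooting Tips section.
"""
import re

SESSION_RE = re.compile(r"HTTPS SSL Session Established/Handshake done - Peer (?P<peer>\S+)")
INFO_RE = re.compile(r"SessionInfo:\s*(?P<fields>(?:\w+=\S+\s*)+)")
SSLERR_RE = re.compile(r"%OPENSSL-3-SSLERR: (?P<text>.*?) for (?P<hostname>\S+)")

# Retired by RFC 7568 (SSLv3), RFC 8996 (TLS 1.0/1.1), RFC 7465 (RC4), RFC 6151 (MD5).
WEAK_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHERS = {"RC4", "RC2", "DES", "NULL"}
WEAK_MACS = {"MD5"}
MIN_KEY_BITS = 128


def parse_session_info(text):
    """Return {'peer': ..., 'Digest': ..., 'SSLVer': ..., ...} for one
    session-established block, or {} if the text is not one."""
    m = SESSION_RE.search(text)
    info = INFO_RE.search(text)
    if not m or not info:
        return {}
    fields = {"peer": m.group("peer")}
    for token in info.group("fields").split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def cipher_bits(cipher):
    """'RC4(128)' -> ('RC4', 128); 'RC4' -> ('RC4', None)."""
    m = re.match(r"([A-Za-z0-9-]+)(?:\((\d+)\))?$", cipher)
    if not m:
        return cipher, None
    return m.group(1), int(m.group(2)) if m.group(2) else None


def grade_session(fields):
    """List the session parameters that should be treated as findings."""
    findings = []
    if fields.get("SSLVer") in WEAK_VERSIONS:
        findings.append(f"obsolete protocol {fields['SSLVer']}")
    algo, bits = cipher_bits(fields.get("Cipher", ""))
    if algo.upper() in WEAK_CIPHERS:
        findings.append(f"weak cipher {algo}")
    if bits is not None and bits < MIN_KEY_BITS:
        findings.append(f"export-length key ({bits} bits)")
    if fields.get("Mac") in WEAK_MACS:
        findings.append(f"weak MAC {fields['Mac']}")
    return findings


def classify_log_line(line):
    """Map one console line to a short triage category."""
    err = SSLERR_RE.search(line)
    if err:
        return (f"certificate problem ({err.group('text')}) for {err.group('hostname')}: "
                "check RSA key pair, certificate and hostname")
    if SESSION_RE.search(line):
        return "session established"
    return "other"


# Constructed console output in the documented format (not captured from a device).
SAMPLE_SESSION = (
    "HTTPS SSL Session Established/Handshake done - Peer 10.0.0.1\n"
    "state = SSL negotiation finished successfully\n"
    "SessionInfo: Digest=RC4-MD5 SSLVer=SSLv3 KeyEx=RSA Auth=RSA Cipher=RC4(128) Mac=MD5\n"
)
SAMPLE_ERROR = "01:28:02: %OPENSSL-3-SSLERR: No router certificate for router1"
```

On the sample above the grader reports three findings (SSLv3, RC4, MD5), which is the expected result for a session with this release: the debug output is useful for confirming that the handshake completes, and equally useful as evidence that the management path needs a newer software image or a different access method.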
Examples
The following example generates debugging information about each new HTTPS session when it is created:
debug ip http secure-session
Related Commands
Command                         Description
debug ip http secure-all        Generates the output of debug ip http secure-session and debug ip http secure-state plus debugging information for each call to the SSL driver.
debug ip http secure-state      Generates debugging output each time the Secure HTTP (HTTPS) feature changes state.
debug ip http secure-state
To generate debugging output each time the Secure HTTP (HTTPS) feature changes state, use the debug ip http secure-state command in privileged EXEC mode. To disable this debugging, use the no form of this command.
debug ip http secure-state
no debug ip http secure-state
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
Privileged EXEC
Command History
Release       Modification
12.1(11b)E    This command was introduced.
12.2(14)S     This command was integrated into Cisco IOS Release 12.2(14)S.
Usage Guidelines
This command generates debugging information each time the Secure HTTP (HTTPS) feature changes state. When the Secure HTTP (HTTPS) feature changes state, debugging information is generated in the following format:
HTTPS SSL State Change - Peer 10.0.0.1
Old State = SSLv3 read finished A, New State = SSL negotiation finished successfully
Examples
The following example generates debugging information each time the Secure HTTP (HTTPS) feature changes state:
debug ip http secure-state
Related Commands
Command                         Description
debug ip http secure-all        Generates the output of debug ip http secure-session and debug ip http secure-state plus debugging information for each call to the SSL driver.
debug ip http secure-session    Generates debugging information about each new secure HTTPS session when it is created.
ip http secure-port
To change the HTTPS port number, use the ip http secure-port command in global configuration mode.
ip http secure-port port_number
Syntax Description
port_number    The TCP port on which the HTTPS server listens. The acceptable range is 1-65535.
Defaults
The command has no default value; when it is not configured, the HTTPS server listens on port 443.
Command Modes
global configuration
Command History
Release       Modification
12.1(11b)E    This command was introduced.
12.2(14)S     This command was integrated into Cisco IOS Release 12.2(14)S.
Usage Guidelines
Enabling HTTPS using the ip http secure-server command enables port 443 as the default HTTPS port. Use the ip http secure-port command only if you want to change the secure port number from the default.
You cannot configure the HTTP and HTTPS servers to use the same port. If you try to do so, the following error message appears:
% Port port_number in use by HTTP.
where port_number is the port number that is already assigned to the HTTP server.
If you change the HTTPS port number, clients attempting to connect to the HTTPS server must specify the port number in the URL, in this format:
https://device:port_number
where port_number is the HTTPS port number.
Examples
The following example changes the HTTPS port number to 1000:
ip http secure-port 1000
Related Commands
Command                  Description
ip http secure-server    Enables HTTPS.
ip http secure-server
To enable HTTPS, use the ip http secure-server command in global configuration mode. To disable HTTPS, use the no form of this command.
ip http secure-server
no ip http secure-server
Syntax Description
This command has no arguments or keywords.
Defaults
By default, HTTPS is disabled. The default HTTPS port number is 443.
Command Modes
global configuration
Command History
Release       Modification
12.1(11b)E    This command was introduced.
12.2(14)S     This command was integrated into Cisco IOS Release 12.2(14)S.
Examples
The following example enables HTTPS:
ip http secure-server
The following example disables HTTPS:
no ip http secure-server
Related Commands
Command                Description
ip http secure-port    Changes the HTTPS port number.

