Black Box Value-Line and Advanced Console Servers Server User Manual


 
The console server includes OpenSSL. The OpenSSL Project is a collaborative effort to develop a robust,
commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL
v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose
cryptography library. The project is managed by a worldwide community of volunteers that use the
Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation.
OpenSSL is based on the excellent SSLeay library developed by Eric A. Young and Tim J. Hudson. The
OpenSSL toolkit is licensed under an Apache-style licence, which basically means that you are free to get
and use it for commercial and non-commercial purposes subject to some simple license conditions. In
the console server, OpenSSL is used primarily in conjunction with ‘http’ to have secure browser access to
the GUI management console across insecure networks.
More documentation on OpenSSL is available from:
http://www.openssl.org/docs/apps/openssl.html
http://www.openssl.org/docs/HOWTO/certificates.txt
15.8 HTTPS
The Management Console can be served using HTTPS by running the webserver via sslwrap. The server
can be launched on request using inetd.
The HTTP server provided is a slightly modified version of the fnord-httpd from
http://www.fefe.de/fnord/
The SSL implementation is provided by the sslwrap application compiled with OpenSSL support. You can
find more detailed documentation at http://www.rickk.com/sslwrap/
If your default network address is changed or the unit is to be accessed via a known Domain Name, you
can use the following steps to replace the default SSL Certificate and Private Key with ones tailored for
your new address.
15.8.1 Generating an encryption key
To create a 1024 bit RSA key with a password, issue the following command on the command line of a
linux host with the openssl utility installed:
openssl genrsa -des3 -out ssl_key.pem 1024
15.8.2 Generating a self-signed certificate with OpenSSL
This example shows how to use OpenSSL to create a self-signed certificate. OpenSSL is available for most
Linux distributions via the default package management mechanism. (Windows users can check
http://www.openssl.org/related/binaries.html)
To create a 1024 bit RSA key and a self-signed certificate, issue the following openssl command from the
host you have openssl installed on:
openssl req -x509 -nodes -days 1000 \
-newkey rsa:1024 -keyout ssl_key.pem -out ssl_cert.pem
You will be prompted to enter a lot of information. Most of it doesn’t matter, but the "Common Name"
should be the domain name of your computer (e.g. test.Black Box.com). When you have entered
everything, the certificate will be created in a file called ssl_cert.pem.
_____________________________________________________________________
724-746-5500 | blackbox.com Page 261