Ssl and enhanced stacking – Allied Telesis AT-S63 User Manual

Page 788


Chapter 34: PKI Certificates and SSL


Section VIII: Management Security

This distinguished name omits the common name, but includes everything
else:

ou=Network Support,o=XYZ Inc.,st=CA,c=US

So what would be a good distinguished name for a certificate for an
AT-9400 Series switch? If the switch has an IP address, such as a master
switch, you could use its address as the name. The following example is a
distinguished name for a certificate for a master switch with the IP address
149.11.11.11:

cn=149.11.11.11

If your network has a Domain Name System and you mapped a name to
the IP address of a switch, you can specify the switch’s name instead of
the IP address as the distinguished name.

For those switches that do not have an IP address, such as slave
switches, you could assign their certificates a distinguished name using
the IP address of the master switch of the enhanced stack.

There is a benefit to giving a certificate a distinguished name equivalent to
a master switch’s IP address or domain name. This relates to what
happens when you start a web browser management session with a
switch using SSL. The web browser on your management station checks
whether the name to which the certificate was issued matches the name of
the web site. In the case of a master or slave AT-9400 Series switch, the
web site’s name is the master switch’s IP address or domain name. If the
names do not match, the web browser displays a security warning. Of
course, even if you see the security warning, you can close the warning
prompt and still configure the switch using your web browser.
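The name check above can be made concrete with a small Python example. It is added here and is not code from the manual or from Allied Telesis: it parses a distinguished name in the format shown on this page and mimics the browser's comparison of the certificate's cn against the address typed into the browser. The DNS name and the escaped-comma organisation are constructed sample values; 149.11.11.11 is the manual's master-switch address.

```python
import ipaddress


def parse_dn(dn):
    """Parse an RFC 4514-style distinguished name such as
    'ou=Network Support,o=XYZ Inc.,st=CA,c=US' into a dict keyed by
    lower-cased attribute type. A backslash escapes the next character,
    so a value like 'o=XYZ\\, Inc.' keeps its comma."""
    parts, field, escaped = [], [], False
    for ch in dn:
        if escaped:
            field.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(field))
            field = []
        else:
            field.append(ch)
    parts.append("".join(field))
    attrs = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:  # skip empty or malformed components
            attrs[key.strip().lower()] = value.strip()
    return attrs


def _canonical(name):
    """IP addresses compare as addresses; DNS names compare
    case-insensitively and without a trailing dot."""
    try:
        return str(ipaddress.ip_address(name))
    except ValueError:
        return name.lower().rstrip(".")


def site_name_matches(dn, site_name):
    """Mimic the browser check: the name the certificate was issued to
    (its cn) must equal the name in the URL. A DN with no cn never
    matches, so the browser would show the security warning."""
    cn = parse_dn(dn).get("cn")
    return cn is not None and _canonical(cn) == _canonical(site_name)


if __name__ == "__main__":
    # Constructed: master switch certificate and a made-up DNS name mapped to it.
    master_cert = "cn=149.11.11.11,ou=Network Support,o=XYZ Inc.,st=CA,c=US"
    print(site_name_matches(master_cert, "149.11.11.11"))           # True
    print(site_name_matches(master_cert, "master-switch.example"))  # False
```

Note that the match is against what is typed in the address bar, not what it resolves to: a certificate issued to the IP address still triggers the warning when the switch is browsed by its DNS name. Current browsers also take the name from the certificate's subjectAltName extension rather than the cn, so a certificate carrying only a cn is warned about regardless of its value.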

Note

If the certificate will be issued by a private or public CA, you should
check with the CA to see if they have any rules or guidelines on
distinguished names for the certificates they issue.

SSL and Enhanced Stacking

Secure Sockets Layer (SSL) is supported in an enhanced stack, but only
when all switches in the stack are using the feature.

When a switch’s web server is operating in HTTP, management packets
are transmitted in plaintext. When it operates in HTTPS, management
packets are sent encrypted. The web server on an AT-9400 Series switch
can operate in either mode. Enhanced stacking switches that do not
support SSL, such as the AT-8000 Series switches, use HTTP exclusively.

A web browser management session of the switches in an enhanced
stack cannot alternate between the different security modes during a
session. The management session assumes that the web server mode
