9-13
Configuring Secure Socket Layer (SSL)
Configuring the Switch for SSL Operation
3. Enabling SSL on the Switch and Anticipating SSL Browser Contact Behavior
The web-management ssl command enables SSL on the switch and sets the 
parameters the switch uses for SSL transactions with clients. After you enable 
SSL, the switch can authenticate itself to SSL-enabled browsers. To disable 
SSL on the switch, use the no web-management ssl command. 
Note Before enabling SSL on the switch you must generate the switch’s host 
certificate and key. If you have not already done so, refer to “2. Generating the 
Switch’s Server Host Certificate” on page 9-6.
When configured for SSL, the switch uses its host certificate to authenticate 
itself to SSL clients. Note, however, that enabling SSL does not by itself turn 
off unsecured access: unless you disable the standard HP WebAgent with the 
no web-management command, it remains available for unsecured (plain HTTP) 
transactions, including logins.
SSL Client Contact Behavior.  At the first contact between the switch and 
an SSL client, if you have not copied the switch’s host certificate into the 
browser’s certificate store, the browser will question the connection and, for 
security reasons, give you the option of accepting or refusing it. If the switch 
uses a CA-signed certificate whose root certificate is installed in the client 
browser, the browser will NOT prompt the user about the validity of the 
certificate: it can verify the certificate chain from the switch’s server 
certificate up to the root certificate installed in the browser, and so 
authenticates the switch unequivocally. With a self-signed certificate there is 
no such chain to verify, so accept the connection only if you are confident 
that an unauthorized device is not using the switch’s IP address in an attempt 
to gain access to your data or network. 
Note When an SSL client connects to a switch that uses a self-signed certificate for 
the first time, a “man-in-the-middle” attack is possible: an unauthorized device 
could pose undetected as the switch and learn the usernames and passwords 
controlling access to the switch. Use caution when connecting for the first 
time to a switch using self-signed certificates. Before accepting the 
certificate, closely verify its contents (see your browser documentation for 
information on viewing a certificate), and compare the fingerprint the browser 
shows with the fingerprint of the certificate you generated on the switch, 
obtained over a channel the attacker cannot influence, such as the console. 
Accept the certificate only if the two match.