
HTTPS access on the web tools UI can only be activated with a correct certificate. Instead of getting an official certificate from a Certificate Authority (CA) or other companies, you can create a self-signed certificate for internal usage.

There are two issues with higher code:

1. There is a defect, as described in the article, which prevents the use of the export and import function in Fabric OS 8.1.x.
2. In 8.2.x code, the command seccertutil is being deprecated and replaced by the command seccertmgmt.

On how to set HTTPS in switches with Fabric OS 8.1.x and higher, see article: Connectrix Brocade B-Series: How to enable HTTPS web tools UI access on Brocade switches with self-signed certificates in Fabric OS 8.1.x and above.

To keep it simple, use seccertutil with FOS 8.0.x and below and seccertmgmt in Fabric OS 8.1.2x and above.

For an explanation of seccertmgmt in Fabric OS 8.1.x and above, see article: "How to enable HTTPS web tools UI access on Brocade switches with self-signed certificates in Fabric OS 8.1.x and above."
The cause is being investigated.
The principle of generating the self-signed certificate is to create the Privacy Enhanced Mail (PEM) file, which is then imported into the switch. There are several options for generating a self-signed certificate:

a. Use a Linux OS (a live image such as Linux Mint or Ubuntu makes it easier) with openssl installed.
b. Use a third-party OpenSSL program installed on Windows, for example OpenSSL Light, version 1.0.2 32-bit, from Shining Light Productions.
c. Generate the private key by logging in to the switch as root and using the built-in OpenSSL binary.

In this example, we use the easiest solution and generate the key on the switch, which needs root user access. Both files are located in the directory /etc/fabos/certs/sw0.

This needs ROOT user access. CAUTION is advised: wrong use of root user access may render the switch unusable.

The full example:

Note: The IP addresses, Certificate Signing Request (CSR), and PEM filename are for this example only and are switch-specific. Do not copy and paste.

1. Log in to the switch as root user and change the directory to /etc/fabos/certs/sw0:

    switch_55:FID55:root>
    switch_55:FID55:root> cd /etc/fabos/certs/sw0

2. Check if you are in the correct directory:

    switch_55:FID55:root> pwd
    /etc/fabos/certs/sw0
    switch_55:FID55:root>

3. Check if there is anything in the directory:

    switch_55:FID55:root> ls
    switch_55:FID55:root>

   If there are files, for example old CSR and PEM files, they can be removed, if needed, with the rm <filename> command.

4. Generate the public-private key pair in interactive mode:

    switch_55:FID55:root>
    switch_55:FID55:root> seccertutil genkey
    Generating a new key pair automatically does the following:
    1. Delete all existing CSR files.
    2. Delete all existing certificates.
    3. Reset the certificate filename to none.
    4. Disable secure protocols.
    Continue (yes, y, no, n): [no] y
    Select key size [1024 or 2048]: 2048
    Generating new rsa public/private key pair
    Done.
    switch_55:FID55:root>

5. Check if there is anything in the directory:

    switch_55:FID55:root>
    switch_55:FID55:root> ls
    pvt_key
    switch_55:FID55:root>

6. Generate the CSR file in interactive mode:

    switch_55:FID55:root>
    switch_55:FID55:root> seccertutil gencsr
    Input hash type (sha1 or sha256): sha1
    Country Name (2 letter code, eg, US):US
    State or Province Name (full name, eg, California):California
    Locality Name (eg, city name):San Jose
    Organization Name (eg, company name):Brocade
    Organizational Unit Name (eg, department name):IT
    Common Name (Fully qualified Domain Name, or IP address):192.yyy.zz.xx1 (IP address of the switch)
    Generating CSR, file name is: CSR_filename.csr
    Done.
    switch_55:FID55:root>

7. Check if the file is created and in the directory:

    switch_55:FID55:root>
    switch_55:FID55:root> ls
    CSR_filename.csr pvt_key
    switch_55:FID55:root>

8. Open the openssl shell:

    switch_55:FID55:root>
    switch_55:FID55:root> openssl
    OpenSSL>

9. Generate the self-signed key and the PEM:

    OpenSSL> x509 -req -days 999 -sha1 -in /etc/fabos/certs/sw0/CSR_filename.csr -signkey /etc/fabos/certs/sw0/pvt_key -out /tmp/pem_filename.pem
    Signature ok
    subject=/C=US/ST=California/L=San Jose/O=Brocade/OU=IT/CN=192.yyy.zz.xx1
    Getting Private key
    OpenSSL>

   Note:
   ## This creates the file in the "/tmp" directory on the switch.
   ## The x509 command might have different arguments in different versions of FOS, but the principle is the same.

10. Type exit to get out of the openssl shell:

    OpenSSL>
    OpenSSL> exit
    switch_55:FID55:root>

11. Check if the file is in the /tmp directory:

    switch_55:FID55:root>
    switch_55:FID55:root> pwd
    /etc/fabos/certs/sw0
    switch_55:FID55:root>
    switch_55:FID55:root> ls /tmp | grep pem
    .__condbmm.0 pem_filename.pem
    switch_55:FID55:root>

12. Import the PEM file with Secure Copy Protocol (SCP) from the /tmp directory and enable HTTPS:

    switch_55:FID55:root>
    switch_55:FID55:root> seccertutil import -config swcert -enable https
    Select protocol [ftp or scp]: scp
    Enter IP address: localhost
    Enter remote directory: /tmp
    Enter certificate name (must have ".crt" or ".cer" ".pem" or ".psk" suffix):pem_filename.pem
    Enter Login Name: root
    root@localhost's password:
    Success: imported certificate [192.yyy.zz.xx2.pem].
    Certificate file in configuration has been updated.
    Secure http has been enabled.
    switch_55:FID55:root>

Test the HTTPS connection to the switch with Internet Explorer.
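
For option (a) above, the same key, CSR and self-signed PEM can be produced on a Linux host, with checks to run before the PEM is imported as in step 12. This is an added example, not part of the original article; the file names, subject fields and CN are constructed placeholders, and it assumes sha256, the other hash type the gencsr prompt offers.

```shell
#!/bin/sh
# Added example; file names, subject fields and CN are constructed placeholders.

# make_selfsigned DIR CN: write pvt_key, switch.csr and switch.pem into DIR.
make_selfsigned() {
    dir=$1; cn=$2
    # 2048-bit RSA key (the larger size offered by "seccertutil genkey").
    openssl genrsa -out "$dir/pvt_key" 2048 2>/dev/null || return 1
    # CSR carrying the same subject fields the gencsr prompts ask for.
    openssl req -new -sha256 -key "$dir/pvt_key" \
        -subj "/C=US/ST=California/L=San Jose/O=Example/OU=IT/CN=$cn" \
        -out "$dir/switch.csr" 2>/dev/null || return 1
    # Self-sign the CSR with its own key, as in step 9.
    openssl x509 -req -days 999 -sha256 -in "$dir/switch.csr" \
        -signkey "$dir/pvt_key" -out "$dir/switch.pem" 2>/dev/null || return 1
}

# cert_matches_key PEM KEY: succeed only if the certificate holds KEY's public half.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_sig_alg PEM: print the signature algorithm recorded in the certificate.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        awk -F': ' '/Signature Algorithm/ { print $2; exit }'
}

# cert_valid_for_days PEM N: succeed if the certificate is still valid in N days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Demo run in a throwaway directory.
demo=$(mktemp -d)
if make_selfsigned "$demo" "switch.example.internal"; then
    cert_matches_key "$demo/switch.pem" "$demo/pvt_key" && echo "key match: yes"
    echo "signature: $(cert_sig_alg "$demo/switch.pem")"
    cert_valid_for_days "$demo/switch.pem" 30 && echo "valid for 30+ days"
fi
rm -rf "$demo"
```

The three check functions also work on a PEM generated on the switch once it has been copied off, which makes them usable for tracking expiry of certificates created with the 999-day lifetime shown in step 9.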