
How to Enable Secure HTTP (HTTPS) Access to a Cisco Router


Problem

You want to configure and monitor your router using an encrypted browser interface.

Solution

To enable secure HTTP (HTTPS) access to a router, use the ip http secure-server command in global configuration mode:

Core#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Core(config)#ip http secure-server
Core(config)#end
Core#

Cisco introduced the secure HTTP server feature in IOS Version 12.2(14)S.

Discussion

The Secure HTTP feature lets you manage the router through a web browser over a session protected by Secure Sockets Layer (SSL) or Transport Layer Security (TLS). The session is encrypted and the server is authenticated by its certificate, so an attacker who can see the traffic cannot read the login credentials or configuration data, or tamper with the session, as they could with the plain HTTP server.

By default, when the secure server is enabled and no trustpoint has been assigned to it, the router generates an RSA key pair and a self-signed digital certificate for the HTTPS server. The router adds the trustpoint and the certificate to its configuration:

Router2#show running-config | section crypto
crypto pki trustpoint TP-self-signed-2618906780
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2618906780
 revocation-check none
 rsakeypair TP-self-signed-2618906780
crypto pki certificate chain TP-self-signed-2618906780
 certificate self-signed 01
  3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32363138 39303637 3830301E 170D3036 30313235 31373031
  32345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 36313839
  30363738 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100E12C BF2F0F2D 3FA6AAEC 6538D47B FF4A4129 2BE28AFE F1880962 659D06DC
  82992F38 4DDBC544 A071D74F AF503DC7 14C0EF28 7D03D6BA 4AD3D122 184034FF
  FBDE5616 0246528A 83B8E0BA 70C2FC46 605DA522 BC85B1F3 AD47E133 6C2CE562
  669048DB 7378B44A 5999D087 CDA95F74 9E073880 975FEA58 8B0B75EA AA62F996
  CDEB0203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603
  551D1104 17301582 13526F75 74657232 2E696A62 726F776E 2E636F6D 301F0603
  551D2304 18301680 1475B543 CAC80FB1 63018DD7 4A81D46A 03DF023B 35301D06
  03551D0E 04160414 75B543CA C80FB163 018DD74A 81D46A03 DF023B35 300D0609
  2A864886 F70D0101 04050003 81810070 5D025E22 B4120D0A BD1D2E33 904B198F
  D9E57BB0 55C90C11 8882A727 9DC42D5F 86619446 1AF7BA53 5DDEDCB5 3B32B70D
  0AFCBCE0 77EC5A50 B0428E89 656C641B F2A6A0E9 CEA331EE 9404F527 40BD66FB
  D30791B9 92BAB053 465FB50C 8C7D8B74 9926ED58 5881A515 7199D397 B69D385F
  329EC47B 9850E063 B4AC318D 76DC9D
  quit
Router2#

If this command doesn't show a self-signed certificate, the router usually has no RSA key pair to sign it with. Generate one with the crypto key generate rsa command (the router must have a hostname and an ip domain-name configured before it will generate keys); the self-signed certificate is then created automatically when the secure server starts.

It is a good idea to explicitly disable the plain HTTP server once secure HTTP is enabled, so that only encrypted sessions are accepted. Otherwise the router still answers on port 80 and a user can log in over cleartext. To do so, use the no ip http server command:

Router2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#ip http secure-server
Router2(config)#no ip http server
Router2(config)#end
Router2#

By default, the secure HTTP server uses port 443. To change the secure server port, use the following command:

Router2#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#ip http secure-port 8080 
Router2(config)#end 
Router2#

In this example, we changed the secure HTTP port from 443, the default, to port 8080. You can set the secure port to 443 or to almost any unused port number above 1024; however, the HTTP and secure HTTP servers cannot be configured to use the same port.

If you do change the secure HTTP port number, then you need to explicitly specify the new port number in the browser’s URL. For example: https://router1.ITcapsula.com:8080, where 8080 is the new port number of the secure server.

To view the secure HTTP configuration status, use the show ip http server secure status command:

Router2#show ip http server secure status
HTTP secure server status: Enabled
HTTP secure server port: 8080
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
HTTP secure server active session modules: ALL
Router2#

As you can see from the output of the show command, the secure server is enabled and is configured to use port 8080. Notice also that the trustpoint field is empty, meaning the server is still using its self-signed certificate, and that client authentication is currently disabled. Client authentication here means TLS client-certificate authentication, which is turned on with the ip http secure-client-auth command; login authentication of users (password, local database or AAA) is configured in the same way as for the plain HTTP server, with the ip http authentication command. Note as well that the ciphersuite list includes single DES and RC4 suites; you can restrict the server to the stronger suites with the ip http secure-ciphersuite command, and you can assign a CA-signed certificate with ip http secure-trustpoint.
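The following script is an added example, not part of the original article or of Cisco IOS: it audits the output of show ip http server secure status and show running-config | section ip http for the weaknesses discussed above (plain HTTP still enabled, weak ciphersuites, self-signed certificate, disabled client authentication, non-default or conflicting ports). The sample outputs embedded in it are constructed, modelled on the listings in this article; the remediation commands it suggests are the standard IOS commands named in the discussion.

```python
"""Audit Cisco IOS HTTPS server settings from captured 'show' output.

Added example (not from the original article or from Cisco).  The two
strings below are CONSTRUCTED samples modelled on the article's listings;
paste real output from your router in their place.
"""
import re

# Of the suites the article's router offers, single-DES and RC4 are
# considered broken today; 3DES is the least weak of the four (newer IOS
# releases also offer AES suites, which are preferable where available).
WEAK_CIPHERS = {"des-cbc-sha", "rc4-128-md5", "rc4-128-sha"}

# Constructed sample: 'show ip http server secure status'
SECURE_STATUS = """\
HTTP secure server status: Enabled
HTTP secure server port: 8080
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
HTTP secure server active session modules: ALL
"""

# Constructed sample: 'show running-config | section ip http'
RUNNING_CONFIG = """\
ip http server
ip http secure-server
ip http secure-port 8080
"""


def parse_secure_status(text):
    """Map 'HTTP secure server <key>: <value>' lines to {key: value}."""
    status = {}
    for line in text.splitlines():
        m = re.match(r"HTTP secure server (.+?):\s*(.*)$", line.strip())
        if m:
            status[m.group(1)] = m.group(2).strip()
    return status


def http_port(config_lines):
    """Port of the plain HTTP server: 'ip http port N' if set, else 80."""
    for line in config_lines:
        m = re.match(r"ip http port (\d+)$", line)
        if m:
            return m.group(1)
    return "80"


def audit_https(status_text, config_text):
    """Return a list of findings, each with the IOS command that fixes it."""
    status = parse_secure_status(status_text)
    config = [l.strip() for l in config_text.splitlines() if l.strip()]
    findings = []

    if status.get("status") != "Enabled":
        findings.append("secure server not enabled: ip http secure-server")

    if "ip http server" in config:
        findings.append("plaintext HTTP server still enabled: no ip http server")

    offered = set(status.get("ciphersuite", "").split())
    weak = sorted(offered & WEAK_CIPHERS)
    if weak:
        findings.append("weak ciphersuites offered (%s): "
                        "ip http secure-ciphersuite 3des-ede-cbc-sha"
                        % ", ".join(weak))

    if not status.get("trustpoint"):
        findings.append("no trustpoint assigned, server uses its self-signed "
                        "certificate: enrol with a CA and set "
                        "ip http secure-trustpoint <name>")

    if status.get("client authentication") == "Disabled":
        findings.append("client certificate authentication disabled "
                        "(optional, ip http secure-client-auth); make sure "
                        "ip http authentication local or aaa is set")

    port = status.get("port", "443")
    if port != "443":
        findings.append("non-default secure port %s: browsers must use "
                        "https://<router>:%s/" % (port, port))
    if "ip http server" in config and http_port(config) == port:
        findings.append("HTTP and HTTPS servers share port %s, which IOS "
                        "rejects; pick a different ip http secure-port" % port)

    return findings


if __name__ == "__main__":
    for finding in audit_https(SECURE_STATUS, RUNNING_CONFIG):
        print("-", finding)
```

Run it against the constructed samples and it reports five findings for the article's router; after no ip http server the plaintext finding disappears, and the list shrinks further as you restrict the ciphersuite and assign a CA-signed trustpoint.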


2 Comments

  1. I don't know what to say. This blog is fantastic. That's not really a huge statement, but it's all I could come up with after reading this. You know so much about this subject. So much so that you made me want to learn more about it. Your blog is my stepping stone, my friend. Thanks for the heads up on this subject.
    http://www.KneeNeckBackPain.com/

  2. I just couldn't leave your web site before saying that I really enjoyed the standard information you provide for your visitors. I'm going to be back often to check up on new posts.
