Secure Logins

You can access the PacketWise browser and command-line interfaces (CLI) with a secure connection, if desired. Each time you log in, you can choose whether or not you want to use a secure connection. If you want to prevent non-secure logins, see Specify Security Settings.

The browser interface uses the HTTPS (HTTP over Secure Sockets Layer) protocol and the CLI uses the SSH (Secure Shell) protocol.

Browser Interface

For a secure login to the browser interface, choose one of the following methods:

Logging in Securely the First Time

The first time you access PacketWise with a secure connection, a security alert will appear (for example, in Internet Explorer you will see this screen). In addition, you may see this type of message after you generate a new digital certificate or if the certificate gets corrupted. This message appears because the security certificate was generated by Packeteer, not a Certificate Authority (a trusted third-party organization that issues digital certificates) that is already preconfigured in your browser. If you are willing to accept this certificate:

In Internet Explorer

  1. Click Yes.

In Netscape

  1. In the Website Certified by an Unknown Authority window, choose Accept this certificate permanently and click OK.

  2. Follow the onscreen prompts.

If you are not willing to accept the certificate without proof, see the next section, "Verifying the Certificate."

Verifying the Certificate

If you want to verify that the certificate presented by the browser is indeed from Packeteer (and is not a man-in-the-middle attack), you should compare the thumbprint (Internet Explorer) or fingerprint (Netscape browsers) in the presented digital certificate to the one on the PacketShaper.

  1. Connect directly to the unit's CONSOLE port.

  2. Use the setup https show command to view the certificate information. Write down the thumbprint (Internet Explorer) or fingerprint (Netscape).

    Note: While you still have the direct console connection, you can look up the SSH fingerprints, too. See Command-Line Interface.

  3. Disconnect the console connection.

  4. Log into the browser with a secure connection, using one of the two methods described above (see Browser Interface).

    Note: Assuming this is the first time you have logged into this browser with a secure connection, a message window will appear.

  5. Follow the appropriate set of steps below, according to the browser you are using.

    Internet Explorer: Netscape:

Command-Line Interface

For a secure login to the CLI, use any SSH client, such as SecureCRT for Windows or OpenSSH for UNIX operating systems.

Logging in Securely the First Time

The first time you access PacketWise with a secure connection, you will see a message that the authenticity of the host couldn't be established. For example:

>ssh 10.7.5.12

The authenticity of host '10.7.5.12 (10.7.5.12)' can't be established.
RSA key fingerprint is 88:e5:bb:13:88:28:14:28:dc:89:42:e8:bb:7f:94:2e.
Are you sure you want to continue connecting (yes/no)?

In addition, you may see this type of message after you generate new SSH key pairs or if the keys get corrupted. If you are willing to accept the key, answer yes to continue with the connection.

If you are not willing to accept the keys without proof, see the next section, "Verifying the Keys."

Verifying the Keys

If you want to verify that you are indeed communicating with your Packeteer unit (and not a malicious user trying to hijack your connection), you should compare the keys presented by the SSH client to the ones on the unit.

  1. Connect directly to the unit's CONSOLE port.

  2. Use the setup ssh show command to view the fingerprints. Write down the appropriate fingerprint. (SSHv1 uses the RSA1 key fingerprint; SSHv2 uses the RSA and DSA keys.)

  3. Disconnect the console connection.

  4. Log into the CLI with a secure connection, using an SSH client.

    The alert, along with the key fingerprint(s), will be displayed.

  5. Compare the fingerprints you wrote down in step 2 above with the displayed fingerprint(s).

    If the codes are identical, you can be assured that you are communicating with your PacketShaper. Type Yes to proceed with the connection.

    If the codes don't match, you may be a victim of a man-in-the-middle attack.
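The comparison in step 5 can also be done programmatically. The following is an added example, not part of the PacketGuide or of PacketWise: it derives the colon-separated MD5 fingerprint (the format shown in the alert above) from an OpenSSH-format public key line and compares it with the value recorded at the console. The sample key is constructed for illustration, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import struct

def _ssh_string(data: bytes) -> bytes:
    """Encode one length-prefixed field of the SSH wire format."""
    return struct.pack(">I", len(data)) + data

# Constructed sample host key (not a real key, not taken from any unit):
# key type, public exponent 65537, and a filler 1024-bit modulus.
SAMPLE_BLOB = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
               + _ssh_string(b"\x00" + bytes(range(128, 256))))
SAMPLE_KEY_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " constructed@example"

def md5_fingerprint(pubkey_line: str) -> str:
    """Return the colon-separated MD5 fingerprint of an OpenSSH public key line."""
    key_type, b64_blob = pubkey_line.split()[:2]
    blob = base64.b64decode(b64_blob, validate=True)
    # The blob starts with its own key-type string; reject a mismatched label.
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len].decode("ascii", "replace") != key_type:
        raise ValueError("key type label does not match key blob")
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def normalize(fingerprint: str) -> str:
    """Strip an optional 'MD5:' prefix, separators and case from a fingerprint."""
    text = fingerprint.strip().lower()
    if text.startswith("md5:"):
        text = text[4:]
    text = text.replace(":", "").replace(" ", "")
    if len(text) != 32 or any(c not in "0123456789abcdef" for c in text):
        raise ValueError("not a 128-bit MD5 fingerprint: %r" % fingerprint)
    return text

def fingerprints_match(recorded: str, presented: str) -> bool:
    """Compare the console-recorded fingerprint with the one the client shows."""
    return hmac.compare_digest(normalize(recorded), normalize(presented))

if __name__ == "__main__":
    presented = md5_fingerprint(SAMPLE_KEY_LINE)
    print("presented:", presented)
    print("match:", fingerprints_match("MD5:" + presented.upper(), presented))
```

Current OpenSSH clients display SHA256 fingerprints by default; running the client with -o FingerprintHash=md5 shows the colon-separated MD5 form used on this page.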

See also:

Log Out of PacketWise


PacketGuide™ for PacketWise® 8.3