06-15-2017 03:20 PM
Hello All,
Switch: Cisco Catalyst 4510R+E
IOS-XE Version 03.06.03.E
IOS Version 15.0(1r)SG5
I am adding some more commands to our 4500 for supporting client authentication through Cisco ISE (RADIUS and AAA). The configuration guide found in the Cisco ISE Administrator Guide V2.0, Chapter 33, says to include the ip http secure-server command to enable HTTPS for URL redirection. I already have the ip http server command enabled and was trying to enable HTTPS, but the command is not present on the switch?
Am I missing a feature on this switch that enables that command?
4510R-HQ(config)#ip http ?
  access-class              Restrict http server access by access-class
  accounting                Set http server accounting parameters
  active-session-modules    Set up active http server session modules
  authentication            Set http server authentication method
  banner                    Enable http server banner
  banner-path               HTML Banner Path
  client                    Set http client parameters
  help-path                 HTML help root URL
  max-connections           Set maximum number of concurrent http server connections
  path                      Set base path for HTML
  port                      Set http server port
  server                    Enable http server
  session-idle-timeout      Set http server session idle timeout
  session-module-list       Set up a http(s) server session module list
  timeout-policy            Set http server time-out policy parameters
Or maybe there is a license that is required to enable this command/feature? It seems like I have all the other ip http commands, so why not that one?
Any help would be greatly appreciated!
Thanks in Advance,
Matt
06-16-2017 12:31 AM
Can you share the exact bin filename you are using as your boot image? It must be one with strong encryption support - e.g. "k9" in the image name.
Also, you must have a private RSA key (used for signing an SSL certificate as well as ssh) before the device can create the self-signed certificate that "ip http secure-server" will require.
06-16-2017 08:51 AM
Hey Marvin, thanks for the reply...
Here's the bin file. Doesn't look like it has "k9" in the name:
cat4500e-universal.SPA.03.06.03.E.152-2.E3.bin
I thought the switch creates the key once you enter the "ip http secure-server" command. At least that's what I thought happened when I enabled this command on our ISR4321s with the following bin file, which, as you can see, has "k9" in the name:
isr4300-universalk9.03.16.05.S.155-3.S5-ext.SPA.bin
So I would need a different Image on our 4500 to enable this command?
Thanks Again,
Matt
06-16-2017 09:45 AM
You definitely need the k9 image. You can keep the exact same release - you just need the image with strong crypto.
The self-signed certificate will definitely auto-generate. I'm pretty sure you need the rsa key first. You should generally create a 2048-bit rsa key (default is 1024-bit).
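The checks Marvin describes (k9 image, RSA key present, HTTPS rather than plaintext HTTP) can be turned into a readiness audit over captured show output. This is an added example, not code from the thread or from Cisco; the sample outputs are constructed to mirror the poster's switch, and the "Key name:" marker for an existing key pair in "show crypto key mypubkey rsa" is an assumption about that command's format.

```python
import re

# Constructed sample data modelled on this thread (not captured from the poster's switch):
# a 4500 booting the non-k9 universal image, with plaintext HTTP already enabled.
SAMPLE_SHOW_VERSION = 'System image file is "bootflash:cat4500e-universal.SPA.03.06.03.E.152-2.E3.bin"'
SAMPLE_RUNNING_CONFIG = """\
hostname 4510R-HQ
ip http server
ip http authentication aaa
"""
SAMPLE_RSA_KEYS = ""  # empty 'show crypto key mypubkey rsa' output: no key pair generated yet


def boot_image(show_version):
    """Return the boot image filename from 'show version' (device prefix stripped), or None."""
    m = re.search(r'System image file is "(?:[^":]+:)?([^"]+)"', show_version)
    return m.group(1) if m else None


def image_is_crypto(show_version):
    """Cisco tags strong-crypto feature sets with 'k9' in the image name."""
    name = boot_image(show_version)
    return name is not None and "k9" in name.lower()


def audit_http(show_version, running_config, rsa_keys):
    """Return a list of findings about HTTPS-management readiness; empty means ready."""
    cfg = {line.strip() for line in running_config.splitlines()}
    findings = []
    if not image_is_crypto(show_version):
        findings.append("non-k9 image: 'ip http secure-server' is unavailable, so HTTPS redirect cannot be enabled")
    if "ip http server" in cfg and "ip http secure-server" not in cfg:
        findings.append("plaintext 'ip http server' is enabled without 'ip http secure-server'")
    # Assumption: an existing key pair shows up as a 'Key name:' line in 'show crypto key mypubkey rsa'.
    if "Key name:" not in rsa_keys:
        findings.append("no RSA key pair present; generate a 2048-bit key before enabling the secure server")
    return findings


if __name__ == "__main__":
    for finding in audit_http(SAMPLE_SHOW_VERSION, SAMPLE_RUNNING_CONFIG, SAMPLE_RSA_KEYS):
        print("FINDING:", finding)
```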
06-16-2017 09:53 AM
Ok, thanks again for the reply Marvin!
I remember attempting the ISSU procedure before, but I don't think it worked at the time and we ended up experiencing a bit of downtime during the last upgrade...
Can you use ISSU to upgrade from a universal image type to a universalk9 image? I think a guide I was looking at said ISSU won't work when upgrading from different image types. For example, upgrading from an IPBASE to ENTSERVICES, and vice versa won't work. Also, I think I read it doesn't work when upgrading to or from a non-crypto to a crypto image, and the reverse... Is that what this would be, moving to a Crypto image type (*does k9 mean crypto?)..?
Thanks Again,
Matt
06-17-2017 04:15 AM
Changing from non-crypto to crypto (= "k9") images will require downtime.
This is confirmed in the configuration guide:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/15-1/XE_330SG/configuration/guide/config/issu.html#wp1072849
So plan on it and schedule a maintenance window.