Web Interface (UI)

After the Apstra server is deployed, you can design, build, deploy, operate and validate the network from the web interface.

Accessing Web Interface

  1. From the latest web browser version of Google Chrome or Mozilla Firefox, enter the URL https://<apstra_server_ip> where <apstra_server_ip> is the IP address of the Apstra server, or a DNS name that resolves to the IP address of the Apstra server.

  2. If a security warning appears, click Advanced and Proceed to … the site. The warning occurs because the SSL certificate that was generated during installation is self-signed.

    Important

    For security, please replace the default self-signed SSL certificate with one from your own certificate authority.

  3. From the login page, enter username admin and password admin to go to the main screen.


Important

For security, please change the web interface password for admin after you first log in.

We recommend that you also change the operating system (OS) password.

  1. Log into the configuration tool: admin@aos-server:~$ aos_config.
  2. Choose Local credentials and change the OS password. (You can also change the webUI credentials password from here.)

For guidance on designing and building the network, see Getting Started.

Resetting Admin Password

To recover a forgotten or lost admin password for the web interface, log into the Apstra server as the default admin user via ssh, and type the command aos_reset_admin_password.

admin@aos-server:~$ aos_reset_admin_password
Resetting UI "admin" user password to default "admin"
Successfully reset admin's password
admin@aos-server:~$

Important

For security, please change the admin password after resetting it to the default.

Replacing SSL Certificate

A unique self-signed certificate is automatically generated on each Apstra server at first boot. The default certificate files are stored on the Apstra server at /etc/aos/nginx.conf.d.

The HTTPS certificate is not retained in system backups. Backups of the /etc/aos folder must be performed manually when performing system backups.

  • nginx.crt - certificate (public key) for webserver
  • nginx.key - private key for webserver

Replacing Existing Certificate with Signed Certificate

First, back up the existing OpenSSL keys.

    admin@aos-server:/$ sudo -s
    [sudo] password for admin:

    root@aos-server:/# cd /etc/aos/nginx.conf.d
    root@aos-server:/etc/aos/nginx.conf.d# cp nginx.crt nginx.crt.old
    root@aos-server:/etc/aos/nginx.conf.d# cp nginx.key nginx.key.old

  1. Create a new OpenSSL private key with the built-in openssl command.

    root@aos-server:/etc/aos/nginx.conf.d# openssl genrsa -out nginx.key 2048
    Generating RSA private key, 2048 bit long modulus
    .............+++
    ......+++
    e is 65537 (0x10001)
    

    Warning

    Do not attempt to modify the default nginx.crt or nginx.key filenames. These values are referenced from nginx’s configuration file. These files could be replaced as part of a subsequent service upgrade, so the filenames must be predictable. Moreover, do not make configuration changes to nginx.conf, as this file may be replaced during Apstra server upgrade.

  2. Create a certificate signing request.

    If your certificate requires Subject Alternative Name (SAN), you will need your own OpenSSL template, which is beyond the scope of this document. If you need more advanced certificate support please contact support.

    Warning

    If you have created custom OpenSSL configuration files for advanced certificate requests, do not leave them in the nginx configuration folder, as nginx will attempt to load them (*.conf) on service startup, causing a service failure.

    root@aos-server:/etc/aos/nginx.conf.d# openssl req -new -sha256 -key nginx.key -out nginx.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:California
    Locality Name (eg, city) []:Menlo Park
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Apstra, Inc
    Organizational Unit Name (eg, section) []:
    Common Name (e.g. server FQDN or YOUR name) []:aos-server.apstra.com
    Email Address []:support@apstra.com
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    
  3. Submit your Certificate Signing Request (nginx.csr) to your Certificate Authority.

    The required steps are outside the scope of this document - CA instructions differ per implementation. Any valid SSL certificate will work.

    The example below is of self-signing the certificate.

    root@aos-server:/etc/aos/nginx.conf.d# openssl req -x509 -sha256 -days 3650 -key nginx.key -in nginx.csr -out nginx.crt
    root@aos-server:/etc/aos/nginx.conf.d#
    
  4. Verify that the private key, certificate (public key), and CSR match: the three commands below must print the same hash.

    root@aos-server:/etc/aos/nginx.conf.d# openssl rsa -noout -modulus -in nginx.key | openssl md5
    (stdin)= 60ac4532a708c98d70fee0dbcaab1e75
    
    root@aos-server:/etc/aos/nginx.conf.d# openssl req -noout -modulus -in nginx.csr | openssl md5
    (stdin)= 60ac4532a708c98d70fee0dbcaab1e75
    
    root@aos-server:/etc/aos/nginx.conf.d# openssl x509 -noout -modulus -in nginx.crt | openssl md5
    (stdin)= 60ac4532a708c98d70fee0dbcaab1e75
    
  5. Restart the nginx container to load the new certificate.

    root@aos-server:/etc/aos/nginx.conf.d# docker restart aos_nginx_1
    aos_nginx_1
    root@aos-server:/etc/aos/nginx.conf.d#
    

    Confirm in your web browser that the new certificate is being served. You can check that the new certificate common name matches ‘aos-server.apstra.com’.
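
The key/certificate match check from the procedure above can be scripted and extended before the nginx container is restarted. The following is an added example, not part of the Apstra documentation or tooling: it compares public-key fingerprints instead of RSA moduli (so it also covers non-RSA keys) and additionally checks expiry and the subjectAltName. The function names, return codes, and the hostname aos-server.example.test are assumptions, and the constructed sample pair needs an OpenSSL version that supports -addext.

```shell
#!/bin/sh
# Added example, not Apstra code: pre-flight check for a replacement
# nginx.key / nginx.crt pair, run before "docker restart aos_nginx_1".

# SHA-256 over the DER-encoded public key (works for RSA and EC keys).
pub_fp() { openssl pkey "$@" -pubout -outform DER 2>/dev/null | openssl dgst -sha256 -r | cut -d' ' -f1; }

# check_pair KEY CRT HOST MIN_DAYS   (hypothetical helper; return codes are ours)
# 0 ok, 1 unreadable file, 2 key/cert mismatch, 3 expires too soon, 4 name not covered
check_pair() {
    key=$1 crt=$2 host=$3 min_days=$4
    openssl pkey -in "$key" -noout 2>/dev/null || return 1
    openssl x509 -in "$crt" -noout 2>/dev/null || return 1
    key_fp=$(pub_fp -in "$key")
    crt_fp=$(openssl x509 -in "$crt" -noout -pubkey | pub_fp -pubin)
    [ "$key_fp" = "$crt_fp" ] || return 2
    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) >/dev/null || return 3
    # Browsers match on subjectAltName only; -checkhost alone would fall back to the CN.
    openssl x509 -in "$crt" -noout -text | grep -q 'Subject Alternative Name' || return 4
    openssl x509 -in "$crt" -noout -checkhost "$host" | grep -q 'does match' || return 4
    return 0
}

# Constructed sample data: a throwaway 30-day pair plus an unrelated key.
make_sample() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1/nginx.key" -x509 -days 30 \
        -out "$1/nginx.crt" -subj "/CN=aos-server.example.test" \
        -addext "subjectAltName=DNS:aos-server.example.test" 2>/dev/null
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

d=$(mktemp -d) && make_sample "$d"
check_pair "$d/nginx.key" "$d/nginx.crt" aos-server.example.test 7 && echo "pair accepted"
check_pair "$d/other.key" "$d/nginx.crt" aos-server.example.test 7 || echo "wrong key rejected, rc=$?"
rm -rf "$d"
```

On the Apstra server, point check_pair at the nginx.key and nginx.crt files in /etc/aos/nginx.conf.d and pass the name that users enter in the browser.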

Replacing Existing Certificate with Self-Signed Certificate

Users on versions 3.1.0 and earlier that use macOS Catalina and Google Chrome cannot accept the default self-signed HTTPS/SSL certificate that is provided by Google Chrome. The self-signed certificate must be replaced (AOS bug AOS-14708).

  1. Back up the existing OpenSSL keys.

    admin@aos-server:/$ sudo -s
    [sudo] password for admin:
    
    root@aos-server:/# cd /etc/aos/nginx.conf.d
    root@aos-server:/etc/aos/nginx.conf.d# cp nginx.crt nginx.crt.old
    root@aos-server:/etc/aos/nginx.conf.d# cp nginx.key nginx.key.old
    
  2. Verify a Random Number Generator seed file .rnd exists in /home/admin. If not, create one.

    root@aos-server:~# touch /home/admin/.rnd
    root@aos-server:~#
    
  3. Generate a new OpenSSL private key and self-signed certificate.

    root@aos-server:/etc/aos/nginx.conf.d# openssl req -newkey rsa:2048 -nodes -keyout nginx.key -x509 -days 824 -out nginx.crt -addext extendedKeyUsage=serverAuth -addext subjectAltName=DNS:apstra.com
    Generating a RSA private key
    ...........................................+++++
    .....................................................................................+++++
    writing new private key to 'nginx.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:California
    Locality Name (eg, city) []:Menlo Park
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Apstra, Inc
    Organizational Unit Name (eg, section) []:
    Common Name (e.g. server FQDN or YOUR name) []:aos-server.apstra.com
    Email Address []:support@apstra.com
    root@aos-server:/etc/aos/nginx.conf.d#
    
  4. Restart the nginx container to load the new certificate.

    root@aos-server:/etc/aos/nginx.conf.d# docker restart aos_nginx_1
    aos_nginx_1
    root@aos-server:/etc/aos/nginx.conf.d#
    

Checking Web Interface Version

From the web interface, navigate to Platform > About.

Updating Web Interface Version

You can install an optional Apstra server UI update to add additional web interface functionality. This is independent of the Apstra server backend and does not affect the state of the Apstra server or the established configuration.

  1. Upload the Apstra server UI update file to the Apstra server. For this example, the file is named aos-web-ui_2.2.0-67.run.

  2. Change to the root user and run the following file.

    admin@aos-server:~$ sudo -s
    [sudo] password for admin:
    root@aos-server:~# bash aos-web-ui_2.2.0-67.run
    Verifying archive integrity... All good.
    Uncompressing AOS WebUI installer  100%
    ### Backing up existing AOS WebUI into /opt/aos/frontend/snapshot/2018-02-25_20-34-15 ...
    ### Copying AOS WebUI file into aos_controller_1 ...
    ### Initializing new AOS WebUI ...
    ### Done!
    root@aos-server:~#
    
  3. During update, the current UI is copied to the /opt/aos/frontend/snapshot/ snapshot directory.

  4. From the web interface, navigate to Platform > About to confirm that the UI version has been updated.

Restoring Web Interface Version

  1. You can restore the previous web interface version at any time without affecting the state of the Apstra server. From the snapshot directory, run the webui_restore file.

    root@aos-server:~# cd /opt/aos/frontend/snapshot/2018-02-25_20-34-15
    root@aos-server:/opt/aos/frontend/snapshot/2018-02-25_20-34-15# ls
    aos-web-ui.zip  webui_restore
    root@aos-server:/opt/aos/frontend/snapshot/2018-02-25_20-34-15# ./webui_restore
    ### Copying AOS WebUI file into aos_controller_1...
    ### Initializing AOS WebUI...
    ### Done!
    root@aos-server:/opt/aos/frontend/snapshot/2018-02-25_20-34-15#
    
  2. From the web interface, navigate to Platform > About to confirm that the UI version has been rolled back.