CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 13

The documents describe the configuration of various services supported by the CX11x, CX31x, and CX91x series switch modules. The description covers configuration examples and function configurations.
Configuring SSL

This section describes the procedure for configuring SSL.

Configuring an SSL Policy

Prerequisites

The client or server has applied for a certificate file from a certificate authority (CA), and the certificate has been loaded to the security sub-directory of the system directory.

Context

The Secure Sockets Layer (SSL) protocol uses data encryption, identity authentication, and message integrity checks to secure application layer protocols that run over the Transmission Control Protocol (TCP). An SSL policy can be applied to application layer protocols to provide secure connections.

The device can function as an SSL client or an SSL server. The SSL policy configuration depends on which role the device takes. Perform the SSL policy configuration based on the device role.

Procedure

  • Device Functioning as an SSL Client
    1. Run:

      ssl policy policy-name

      An SSL policy is configured and the SSL policy view is displayed.

    2. (Optional) Run:

      certificate load

      A digital certificate is loaded.

      This step is required only when the server needs to authenticate the client.

      Currently, the device supports certificates in PEM, ASN1, and PFX formats and certificate chains in PEM format. Load a certificate or certificate chain as required.

    3. (Optional) Run:

      crl load { pem-crl | asn1-crl } crl-filename

      A Certificate Revocation List (CRL) is loaded.

      A CRL is issued by a CA and lists the digital certificates that are still within their validity period but have been revoked. After a CRL is loaded to the client, the client determines the validity of the certificate received from the server by checking whether the certificate is in the CRL.

      A maximum of two CRL files can be loaded to an SSL policy. By default, no CRL is loaded to an SSL policy.

    4. Run:

      trusted-ca load

      A trusted-CA file is loaded.

      The trusted-CA file is used to verify validity of the digital certificate sent by the server. A maximum of four trusted-CA files can be loaded to an SSL policy. By default, no trusted-CA file is loaded to an SSL policy.

  • Device Functioning as an SSL Server
    1. Run:

      ssl policy policy-name

      An SSL policy is configured and the SSL policy view is displayed.

    2. Run:

      certificate load

      A digital certificate is loaded.

      Currently, the device supports certificates in PEM, ASN1, and PFX formats and certificate chains in PEM format. Load a certificate or certificate chain as required.

    3. (Optional) Run:

      crl load { pem-crl | asn1-crl } crl-filename

      A Certificate Revocation List (CRL) is loaded.

      A CRL is issued by a CA and lists the digital certificates that are still within their validity period but have been revoked. After a CRL is loaded to the server, the server determines the validity of the certificate received from the client by checking whether the certificate is in the CRL.

      A maximum of two CRL files can be loaded to an SSL policy. By default, no CRL is loaded to an SSL policy.

    4. (Optional) Run:

      trusted-ca load

      A trusted-CA file is loaded.

      This step is required only when the server needs to authenticate the client.

      The trusted-CA file is used to verify validity of the digital certificate sent by the client. A maximum of four trusted-CA files can be loaded to an SSL policy. By default, no trusted-CA file is loaded to an SSL policy.
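
The file limits and role requirements from the procedure above can be checked on a workstation before anything is copied to the device. The following is an added example, not Huawei code: the function names, file names, and sample bytes are assumptions, and it generates only the `ssl policy` and `crl load` lines because those are the commands whose full syntax this page gives.

```python
# Added example: pre-flight check of the files planned for one SSL policy.
# Function names, file names and sample bytes are illustrative assumptions.
MAX_CRL_FILES = 2          # "A maximum of two CRL files"
MAX_TRUSTED_CA_FILES = 4   # "A maximum of four trusted-CA files"
PEM_CRL_MARKER = b"-----BEGIN X509 CRL-----"


def crl_format(data: bytes) -> str:
    """Return the `crl load` keyword that matches the file's encoding."""
    if PEM_CRL_MARKER in data:
        return "pem-crl"
    if data[:1] == b"\x30":  # DER: outermost ASN.1 SEQUENCE tag
        return "asn1-crl"
    raise ValueError("neither PEM nor ASN.1 (DER) encoded")


def plan_policy(role, policy_name, crls, trusted_cas, has_certificate):
    """Check a planned policy; return (commands, problems).

    crls maps file name -> file content; trusted_cas is a list of file names.
    Only commands whose full syntax appears on the page are generated.
    """
    if role not in ("client", "server"):
        raise ValueError("role must be 'client' or 'server'")
    problems = []
    if len(crls) > MAX_CRL_FILES:
        problems.append(f"{len(crls)} CRL files, limit is {MAX_CRL_FILES}")
    if len(trusted_cas) > MAX_TRUSTED_CA_FILES:
        problems.append(f"{len(trusted_cas)} trusted-CA files, limit is {MAX_TRUSTED_CA_FILES}")
    if role == "client" and not trusted_cas:
        problems.append("client policy needs a trusted-CA file to verify the server")
    if role == "server" and not has_certificate:
        problems.append("server policy needs a certificate")
    commands = [f"ssl policy {policy_name}"]
    for name, data in crls.items():
        try:
            commands.append(f"crl load {crl_format(data)} {name}")
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
    return commands, problems


# Constructed sample content (not real CRLs).
SAMPLE_PEM = b"-----BEGIN X509 CRL-----\nQ09OU1RSVUNURUQ=\n-----END X509 CRL-----\n"
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + b"\x00" * 8

if __name__ == "__main__":
    cmds, issues = plan_policy("client", "syslog_client",
                               {"ca1.crl": SAMPLE_PEM, "ca2.crl": SAMPLE_DER},
                               ["rootca.pem"], has_certificate=False)
    print("\n".join(cmds), issues, sep="\n")
```

An empty problem list means the plan fits the limits stated above; it does not validate signatures or certificate chains.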

Checking the Configuration

Run the display ssl policy policy-name command to check the SSL policy configuration.

Applying an SSL Policy

Context

SSL is a security protocol, and an SSL policy takes effect only when it is associated with an application.

Procedure

  1. Apply an SSL policy.

    Currently, you can only apply an SSL policy to the Information Center on the device. For details, see "Information Center Configuration" in the CX11x&CX31x&CX91x Series Switch Modules Configuration Guide - Device Management.

Updated: 2019-12-13

Document ID: EDOC1000041694
