
CLI-based Configuration Guide - Security

AR500, AR510, and AR530 V200R007

This document describes the security configurations, including AAA, DAA, NAC, BRAS Access, ACL, Firewall, Deep Security Defense, Local Attack Defense, Attack Defense, Traffic Suppression, ARP Security, Port Security, DHCP Snooping, IPSG, URPF, PKI, SSL, HTTPS, Keychain, separating the management plane from the service plane, and security risks.

Example for Applying for the Local Certificate in Offline Mode

Networking Requirements

On the enterprise network shown in Figure 15-9, the Router sits at the network edge and functions as the egress gateway, and a CA server is located on the public network. The network administrator manually applies for a local certificate from the CA server.

If the device cannot obtain a local certificate using SCEP, you can use the offline (out-of-band) mode instead.

Figure 15-9  Applying for the local certificate in offline mode

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure the PKI entity and related information to identify the PKI entity.
  2. Configure offline local certificate application for the PKI entity and generate a local certificate request file.
  3. Send the local certificate request file to the CA and download the issued local certificate in out-of-band mode.
  4. Install the local certificate so that the device can protect communication data.

Procedure

  1. Assign IP addresses to interfaces and configure static routes to the CA server.

    <Huawei> system-view
    [Huawei] sysname Router
    [Router] interface gigabitethernet 1/0/1
    [Router-GigabitEthernet1/0/1] ip address 10.2.0.2 255.255.255.0
    [Router-GigabitEthernet1/0/1] quit
    [Router] interface gigabitethernet 1/0/2
    [Router-GigabitEthernet1/0/2] ip address 10.1.0.2 255.255.255.0
    [Router-GigabitEthernet1/0/2] quit
    [Router] ip route-static 10.3.0.0 255.255.255.0 10.2.0.1

  2. Configure a PKI entity to identify a certificate applicant.

    # Configure the PKI entity user01.

    [Router] pki entity user01
    [Router-pki-entity-user01] common-name hello
    [Router-pki-entity-user01] country cn
    [Router-pki-entity-user01] fqdn test.abc.com
    [Router-pki-entity-user01] ip-address 10.2.0.2
    [Router-pki-entity-user01] state jiangsu
    [Router-pki-entity-user01] organization huawei
    [Router-pki-entity-user01] organization-unit info
    [Router-pki-entity-user01] quit
    

  3. Apply for the local certificate in offline mode.

    [Router] pki realm abc
    [Router-pki-realm-abc] entity user01
    [Router-pki-realm-abc] ca id test
    [Router-pki-realm-abc] quit
    [Router] pki enroll-certificate abc pkcs10 filename cer_req
     Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate.
     For security reasons your password will not be saved in the configuration. Please make a note of it.
     Choice no password, please enter the enter-key.
     Please enter Password: huawei123
     Please re-enter Password: huawei123
     Write the file successful.

  4. Transfer the certificate request file to the CA server out of band (for example, through a web page, a disk, or email) to apply for a local certificate.

    When the local certificate has been issued, download it (abc_local.cer) out of band as well, and transfer the certificate file to the device's storage using a file transfer protocol.

    NOTE:

    If you apply for the local certificate through a web page, open the cer_req file, copy the content from BEGIN PKCS10 REQUEST to END PKCS10 REQUEST, and paste it into the web page.
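
An added example (not part of the Huawei document) of the copy step described above: it extracts the BEGIN/END request block from a cer_req file, refuses anything that is not a certificate request (so a private key file cannot be pasted by mistake), and checks that the base64 body decodes to a complete DER SEQUENCE before it is submitted to the CA. The exact marker text with five dashes and the base64 body, which is a placeholder DER object rather than a real PKCS#10 request, are assumptions made for this example.

```python
import base64
import re

# Constructed stand-in for the cer_req file written by
# "pki enroll-certificate abc pkcs10 filename cer_req". Only the block between
# the BEGIN and END lines belongs on the CA's web form. The base64 body is a
# placeholder DER object (one SEQUENCE holding one INTEGER), not a real request.
SAMPLE_CER_REQ = """\
-----BEGIN PKCS10 REQUEST-----
MAMCAQA=
-----END PKCS10 REQUEST-----
"""

# Only request blocks are accepted; a "BEGIN RSA PRIVATE KEY" block does not match.
_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]*REQUEST)-----$")


def extract_request_block(text):
    """Return the BEGIN..END request block, inclusive, exactly as it should be pasted."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = _BEGIN.match(line.strip())
        if m:
            end_marker = f"-----END {m.group(1)}-----"
            for j in range(i + 1, len(lines)):
                if lines[j].strip() == end_marker:
                    return "\n".join(l.strip() for l in lines[i:j + 1]) + "\n"
            raise ValueError(f"BEGIN marker without matching {end_marker}")
    raise ValueError("no certificate request block found")


def der_outer_length(der):
    """Decode the outer DER tag and length; return (header_len, content_len)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("request does not start with a DER SEQUENCE (0x30)")
    first = der[1]
    if first < 0x80:                      # short form: length is the byte itself
        return 2, first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n, int.from_bytes(der[2:2 + n], "big")


def check_request_block(block):
    """Sanity-check a block before pasting: valid base64, DER SEQUENCE, length
    field consistent with the decoded body. Returns the DER size in bytes."""
    body = "".join(l for l in block.splitlines() if not l.startswith("-----"))
    der = base64.b64decode(body, validate=True)
    header, content = der_outer_length(der)
    if header + content != len(der):
        raise ValueError("DER length does not match the body; the copy is truncated or garbled")
    return len(der)


if __name__ == "__main__":
    block = extract_request_block(SAMPLE_CER_REQ)
    print(block, end="")
    print("request OK,", check_request_block(block), "DER bytes")
```

A truncated paste is the usual failure in this step: a request that lost its last base64 line still looks like PEM, but the DER length field no longer matches the decoded body, and the check above rejects it before the CA does.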

  5. Install the local certificate.

    [Router] pki import-certificate local abc pem 
     Please enter the name of certificate file <length 1-127>: abc_local.cer
     You are importing a local certificate,
     You can directly enter "Enter" only the local certificate getting by pkcs10 message in security realm
     Please enter the name of private key file <length 1-127>: 
     Successfully imported the certificate.
    

    The device can now use the local certificate to protect communication data.

    NOTE:

    When importing a local certificate, you do not need to enter a private key file name; press Enter at the prompt.

    To import the CA certificate once you have obtained it, run the pki import-certificate ca command.

  6. Verify the configuration.

    Run the display pki certificate local command to view the content of the local certificate imported to memory.

    [Router] display  pki certificate local realm abc
     The x509 object type is certificate:                                           
    Certificate:                                                                    
        Data:                                                                       
            Version: 3 (0x2)                                                        
            Serial Number:                                                          
                48:65:aa:2a:00:00:00:00:3f:c6                                       
        Signature Algorithm: sha1WithRSAEncryption                                  
            Issuer: CN=test                                                      
            Validity                                                                
                Not Before: Dec 21 11:46:10 2015 GMT                                
                Not After : Dec 21 11:56:10 2016 GMT                                
            Subject: C=CN, ST=jiangsu, O=huawei, OU=info, CN=hello                  
            Subject Public Key Info:                                                
                Public Key Algorithm: rsaEncryption                                 
                    Public-Key: (2048 bit)                                          
                    Modulus:                                                        
                        00:94:6f:49:bd:6a:f3:d5:07:ee:10:ee:4f:d3:06:               
                        80:59:15:cb:a8:0a:b2:ba:c2:db:52:ec:e9:d1:a7:               
                        72:de:ac:35:df:bb:e0:72:62:08:3e:c5:54:c1:ba:               
                        4a:bb:1b:a9:d9:dc:e4:b6:4d:ca:b3:54:90:b6:8e:               
                        15:a3:6e:2d:b2:9e:9e:7a:33:b0:56:3f:ec:bc:67:               
                        1c:4c:59:c6:67:0f:a7:03:52:44:8c:53:72:42:bd:               
                        6e:0c:90:5b:88:9b:2c:95:f7:b8:89:d1:c2:37:3e:               
                        93:78:fa:cb:2c:20:22:5f:e5:9c:61:23:7b:c0:e9:               
                        fe:b7:e6:9c:a1:49:0b:99:ef:16:23:e9:44:40:6d:               
                        94:79:20:58:d7:e1:51:a1:a6:4b:67:44:f7:07:71:               
                        54:93:4e:32:ff:98:b4:2b:fa:5d:b2:3c:5b:df:3e:               
                        23:b2:8a:1a:75:7e:8f:82:58:66:be:b3:3c:4a:1c:               
                        2c:64:d0:3f:47:13:d0:5a:29:94:e2:97:dc:f2:d1:               
                        06:c9:7e:54:b3:42:2e:15:b8:40:f3:94:d3:76:a1:               
                        91:66:dd:40:29:c3:69:70:6d:5a:b7:6b:91:87:e8:               
                        bb:cb:a5:7e:ec:a5:31:11:f3:04:ab:1a:ef:10:e6:               
                        f1:bd:d9:76:42:6c:2e:bf:d9:91:39:1d:08:d7:b4:               
                        18:53                                                       
                    Exponent: 65537 (0x10001)                                       
            X509v3 extensions:                                                      
                X509v3 Subject Alternative Name:                                    
                    IP Address:10.2.0.2, DNS:test.abc.com
                X509v3 Subject Key Identifier:                                      
                    15:D1:F6:24:EB:6B:C0:26:19:58:88:91:8B:60:42:CE:BA:D5:4D:F3     
                X509v3 Authority Key Identifier:                                    
                    keyid:B8:63:72:A4:5E:19:F3:B1:1D:71:E1:37:26:E1:46:39:01:B6:82:C5
                                                                                    
                X509v3 CRL Distribution Points:                                     
                                                                                    
                    Full Name:                                                      
                      URI:file://\\vasp-e6000-127.china.huawei.com\CertEnroll\ca_root.crl
                      URI:http://10.3.0.1:8080/certenroll/ca_root.crl
                                                                                    
                Authority Information Access:                                       
                    CA Issuers - URI:http://vasp-e6000-127.china.huawei.com/CertEnroll/vasp-e6000-127.china.huawei.com_ca_root.crt
                    OCSP - URI:file://\\vasp-e6000-127.china.huawei.com\CertEnroll\vasp-e6000-127.china.huawei.com_ca_root.crt
                                                                                    
                1.3.6.1.4.1.311.20.2:                                               
                    .0.I.P.S.E.C.I.n.t.e.r.m.e.d.i.a.t.e.O.f.f.l.i.n.e              
        Signature Algorithm: sha1WithRSAEncryption                                  
             d2:be:a8:52:6b:03:ce:89:f1:5b:49:d4:eb:2b:9f:fd:59:17:                 
             d4:3c:f1:db:4f:1b:d1:12:ac:bf:ae:59:b4:13:1b:8a:20:d0:                 
             52:6a:f8:a6:03:a6:72:06:41:d2:a7:7d:3f:51:64:9b:84:64:                 
             cf:ec:4c:23:0a:f1:57:41:53:eb:f6:3a:44:92:f3:ec:bd:09:                 
             75:db:02:42:ab:89:fa:c4:cd:cb:09:bf:83:1d:de:d5:4b:68:                 
             8a:a6:5f:7a:e8:b3:34:d3:e8:ec:24:37:2b:bd:3d:09:ed:88:                 
             d8:ed:a7:f8:66:aa:6f:b0:fe:44:92:d4:c9:29:21:1c:b3:7a:                 
             65:51:32:50:5a:90:fa:ae:e1:19:5f:c8:63:8d:a8:e7:c6:89:                 
             2e:6d:c8:5b:2c:0c:cd:41:48:bd:79:74:0e:b8:2f:48:69:df:                 
             02:89:bb:b3:59:91:7f:6b:46:29:7e:22:05:8c:bb:6a:7e:f3:                 
             11:5a:5f:fb:65:51:7d:35:ff:49:9e:ec:d1:2d:7e:73:e5:99:                 
             c6:41:84:0c:50:11:ed:97:ed:15:de:11:22:73:a1:78:11:2e:                 
             34:e6:f5:de:66:0c:ba:d5:32:af:b8:54:26:4f:5b:9e:89:89:                 
             2a:3f:b8:96:27:00:c3:08:3a:e9:e8:a6:ce:4b:5a:e3:97:9e:                 
             6b:dd:f0:72                                                            
                                                                                    
    Pki realm name: abc                                                             
    Certificate file name: abc_local.cer                                            
    Certificate peer name: - 
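
Reading the dump above by eye is how the page verifies the import; the following added example (not Huawei code) automates that check on an administrator's workstation. It parses an excerpt of the display pki certificate local output shown above and compares it with the values configured under pki entity user01 and pki realm abc: subject attributes, SAN entries, issuer CN against the ca id, the validity window, and the key size. It also flags the sha1WithRSAEncryption signature, which a current CA should not be issuing. The check date of 2016-06-01 is a constructed value inside the certificate's validity period.

```python
import re
from datetime import datetime

# Values the page configures under "pki entity user01" and "pki realm abc".
ENTITY = {
    "C": "CN", "ST": "jiangsu", "O": "huawei", "OU": "info", "CN": "hello",
    "fqdn": "test.abc.com", "ip_address": "10.2.0.2", "ca_id": "test",
}

# Constructed check date inside the validity window of the certificate above.
CHECK_DATE = datetime(2016, 6, 1)

# Excerpt of the "display pki certificate local realm abc" output on this page
# (modulus and signature bytes omitted; they are not inspected here).
DISPLAY_OUTPUT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            48:65:aa:2a:00:00:00:00:3f:c6
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=test
        Validity
            Not Before: Dec 21 11:46:10 2015 GMT
            Not After : Dec 21 11:56:10 2016 GMT
        Subject: C=CN, ST=jiangsu, O=huawei, OU=info, CN=hello
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                IP Address:10.2.0.2, DNS:test.abc.com
"""

WEAK_SIG_HASHES = ("md5", "sha1")
DATE_FORMAT = "%b %d %H:%M:%S %Y GMT"


def _dn(text):
    """Split 'C=CN, ST=jiangsu, ...' into a dict (values containing ', ' are not expected here)."""
    return dict(part.split("=", 1) for part in text.split(", "))


def parse_display_output(text):
    """Pull the fields worth checking out of the device's certificate dump."""
    def get(pattern):
        return re.search(pattern, text, re.M).group(1).strip()

    san = get(r"Subject Alternative Name:\s+(.+)$")
    return {
        "issuer": _dn(get(r"^\s*Issuer:\s*(.+)$")),
        "subject": _dn(get(r"^\s*Subject:\s*(.+)$")),
        "not_before": datetime.strptime(get(r"Not Before\s*:\s*(.+)$"), DATE_FORMAT),
        "not_after": datetime.strptime(get(r"Not After\s*:\s*(.+)$"), DATE_FORMAT),
        "sig_alg": get(r"Signature Algorithm:\s*(\S+)"),
        "key_bits": int(get(r"Public-Key:\s*\((\d+) bit\)")),
        "san": dict(item.split(":", 1) for item in san.split(", ")),
    }


def check_certificate(cert, entity, now):
    """Return a list of findings; an empty list means the certificate matches
    the configured entity and is usable at time `now`."""
    findings = []
    for attr in ("C", "ST", "O", "OU", "CN"):
        got = cert["subject"].get(attr, "")
        if got.lower() != entity[attr].lower():    # "country cn" is shown as C=CN
            findings.append(f"subject {attr}={got!r} does not match entity {entity[attr]!r}")
    if cert["san"].get("DNS") != entity["fqdn"]:
        findings.append("SAN DNS name does not match the entity fqdn")
    if cert["san"].get("IP Address") != entity["ip_address"]:
        findings.append("SAN IP address does not match the entity ip-address")
    if cert["issuer"].get("CN") != entity["ca_id"]:
        findings.append("issuer CN does not match the realm's ca id")
    if not cert["not_before"] <= now <= cert["not_after"]:
        findings.append(f"certificate not valid at {now:%Y-%m-%d}")
    if cert["sig_alg"].lower().startswith(WEAK_SIG_HASHES):
        findings.append(f"signature algorithm {cert['sig_alg']} uses a deprecated hash")
    if cert["key_bits"] < 2048:
        findings.append(f"RSA key is only {cert['key_bits']} bits")
    return findings


if __name__ == "__main__":
    cert = parse_display_output(DISPLAY_OUTPUT)
    for finding in check_certificate(cert, ENTITY, CHECK_DATE) or ["no findings"]:
        print("FINDING:", finding)
```

Run against the page's own output, the only finding is the SHA-1 signature; a mismatch between the SAN and the entity's fqdn or ip-address, or a certificate that has already expired, shows up as an additional finding, which is exactly what should be caught before the certificate is used for IPsec or SSL.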

Configuration Files

Router configuration file

#
sysname Router
#
pki entity user01
 country CN
 state jiangsu
 organization huawei
 organization-unit info
 common-name hello
 fqdn test.abc.com
 ip-address 10.2.0.2
#
pki realm abc
 ca id test
 entity user01
#
interface GigabitEthernet1/0/1
 ip address 10.2.0.2 255.255.255.0
interface GigabitEthernet1/0/2
 ip address 10.1.0.2 255.255.255.0
#
ip route-static 10.3.0.0 255.255.255.0 10.2.0.1
#
return
Updated: 2019-05-25

Document ID: EDOC1000097287