CLI-based Configuration Guide - Security

AR500, AR510, and AR530 V200R007

This document describes the security configurations, including AAA, DAA, NAC, BRAS access, ACL, firewall, deep security defense, local attack defense, attack defense, traffic suppression, ARP security, port security, DHCP snooping, IPSG, URPF, PKI, SSL, HTTPS, keychain, separation of the management plane from the service plane, and security risks.
Configuring the Certificate Check Mode

Context

When an end entity verifies a peer certificate, it also checks the status of that certificate: for example, whether the certificate has expired and whether it is listed in a certificate revocation list (CRL). An end entity uses one of the following methods to check the peer certificate status:
  • CRL

    If the CA server can function as a CRL distribution point (CDP), the certificates issued by the CA carry CDP information that tells the end entity where to obtain the CRL. The commonly used forms of CDP information are an HTTP URL and an LDAP URL.
    • HTTP URL: The CDP information contains the URL of the HTTP server that hosts the CRL. The device connects to the HTTP server at that URL and downloads the CRL.

      If a CDP URL is configured in a PKI domain, the end entities bound to that PKI domain obtain the CRL from the configured CDP URL.

    • LDAP URL: The CDP information contains the details needed to obtain the CRL from the LDAP server. The device first binds to the LDAP server with the administrator DN and password configured in the LDAP server template, then sends a CRL query request over that authenticated session to retrieve the CRL. Figure 15-5 shows the process of obtaining the CRL from the LDAP server.

      Figure 15-5  Obtaining CRL

  • OCSP

    If the certificate carries no CDP and no CDP URL is configured in the PKI domain, an end entity can use the Online Certificate Status Protocol (OCSP) to query the certificate status from an OCSP server.

  • None

    This mode is used when no CRL or OCSP server is reachable from the end entity, or when the end entity does not need to check the peer certificate status. In this mode, the end entity still checks the certificate's validity period and signature chain but does not check whether the certificate has been revoked, so a revoked but otherwise valid certificate is accepted. Use it only where the loss of revocation checking is acceptable.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    pki realm realm-name

    The PKI domain view is displayed.

  3. Run:

    certificate-check { crl | none | ocsp }

    The certificate check mode is configured.

    By default, the device checks certificates using CRLs.

    • When the CRL mode is used:

    1. Select a method to obtain the CRL:

      LDAP method:
      1. Run the quit command to return to the system view.
      2. Run the ldap-server-template template-name command to create an LDAP server template and enter the LDAP server template view.

        By default, no LDAP server template exists on the device.

      3. Run the authentication-server ip-address [ port-number ] command to configure the IP address and port number of the LDAP server.

        By default, the IP address and port number of the LDAP server are not configured on the device.

      4. Run the admin-dn dn-string command to configure the administrator distinguished name (DN) for the LDAP server.

        By default, the administrator DN of the LDAP server is not configured on the device.

      5. Run the admin-password password command to configure the administrator password for the LDAP server.

        By default, the administrator password of the LDAP server is not configured on the device.

        NOTE:

        The administrator DN and password of the LDAP server configured on the device must be the same as those configured on the LDAP server. If the server supports anonymous access, the configurations of administrator DN and password are optional.

      6. Run the quit command to return to the system view.
      7. Run the pki realm realm-name command to enter the PKI domain view.

      HTTP method:

      1. Run the cdp-url cdp-url command to configure the CDP URL.

        By default, no CDP URL is configured.

    2. Run the crl update-period hours command to configure the interval at which the PKI entity downloads the CRL from the CRL server.

      By default, the CRL is refreshed at the next update time (the nextUpdate field) carried in the CRL itself.

    3. (Optional) Run the crl cache command to permit PKI domains to use cached CRLs.

      By default, the PKI domain is permitted to use the cached CRLs.

    4. Run the quit command to go back to the system view.
    5. (Optional) Run the pki get-crl pki-realm-name command to download the CRL from the CA server immediately.

      NOTE:

      If you suspect that the locally stored CRL is outdated, run this command to download the latest CRL from the CA server without waiting for the next scheduled update.

    • When the OCSP mode is used:

    1. Run the ocsp-url ocsp-url command to configure the URL of the OCSP server.

      This URL overrides the OCSP responder address carried in the certificate (its Authority Information Access extension), so the device always queries the configured responder.
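The following is an added example that assembles the commands from the procedure above into complete command sequences for each check mode; it is not configuration from the original page. The realm name pki-branch, the LDAP server template name ldap-crl, the address 10.1.1.20, the administrator DN, the password and all URLs are assumed placeholders. Lines beginning with # are annotations, not commands. The page shows no command that binds an LDAP server template to a PKI realm, so the LDAP variant relies on the LDAP URL carried in the certificate's own CDP extension.

```text
# Variant 1: CRL mode, CRL downloaded from an HTTP CDP (assumed URL).
# Commands are entered from the user view, in order.
system-view
pki realm pki-branch
certificate-check crl
cdp-url http://10.1.1.20/crl/ca.crl
crl update-period 24
crl cache
quit
# Fetch the CRL now instead of waiting for the scheduled update.
pki get-crl pki-branch

# Variant 2: CRL mode, CRL fetched from an LDAP server using the CDP in the
# certificate. The LDAP template is created in the system view, then the
# realm is re-entered to finish the CRL settings.
system-view
pki realm pki-branch
certificate-check crl
quit
ldap-server-template ldap-crl
authentication-server 10.1.1.20 389
# DN and password must match the account defined on the LDAP server (assumed values).
admin-dn cn=admin,dc=example,dc=com
admin-password Ldap-Reader-Pass1
quit
pki realm pki-branch
crl update-period 24
crl cache
quit
pki get-crl pki-branch

# Variant 3: OCSP mode. The configured URL overrides the responder address in
# the certificate (assumed URL).
system-view
pki realm pki-branch
certificate-check ocsp
ocsp-url http://10.1.1.20/ocsp
quit

# Variant 4: no revocation check. Expiry and the signature chain are still
# verified, but a revoked certificate is accepted; use only where that is acceptable.
system-view
pki realm pki-branch
certificate-check none
quit
```

Choose one variant per realm; certificate-check replaces any previously configured mode. With the CRL variants, set crl update-period so the device refreshes the CRL before the CA's published nextUpdate time elapses, otherwise the cached CRL is used until the next scheduled download.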

Updated: 2019-05-25

Document ID: EDOC1000097287