No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


CLI-based Configuration Guide - Security

AR500, AR510, and AR530 V200R007

This document describes the configurations of Security, including AAA, DAA,NAC, BRAS Access, ACL, Firewall, Deep Security Defense, Local Attack Defense;Attack Defense, Traffic Suppression, ARP Security, Port Security, DHCP Snooping, IPSG, URPF, PKI, SSL, HTTPS, Keychain, separating the management plane from the service plane, security risks.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Configuring a Server SSL Policy

Configuring a Server SSL Policy

When the device functions as an SSL server, you need to configure a server SSL policy.


The PKI domain has been configured.


The SSL protocol uses data encryption, identity authentication, and message integrity check to ensure security of TCP-based application layer protocols. To use an Router as an SSL server, configure a server SSL policy on the Router. A server SSL policy can be applied to application layer protocols such as HTTP to provide secure connections.

Figure 16-2  Router functions as an SSL server

As shown in Figure 16-2, the Router functions as an SSL server and has a server SSL policy configured. During an SSL handshake, the Router uses the SSL parameters in the server SSL policy to negotiate session parameters with an SSL client. After the handshake is complete, the Router establishes a session with the client.

When functioning as an SSL server, the Router is authenticated by the SSL client, but it cannot authenticate the client.


When functioning as an SSL server, the Router can communicate with SSL clients running SSL3.0, TLS1.0, or TLS1.1.


  1. Run:


    The system view is displayed.

  2. Run:

    ssl policy policy-name type server

    A server SSL policy is created, and the server SSL policy view is displayed.

  3. Run:

    pki-realm realm-name

    A PKI domain is specified for the server SSL policy.

    By default, the PKI domain default exists on the device. This domain can be modified, but cannot be deleted.


    The Router obtains a digital certificate from a CA in the specified PKI domain. SSL clients can then authenticate the Router by checking the digital certificate.

    The Router can also generate self-signed certificates. However, the device does not provide life cycle management for self-signed certificates. For example, self-signed certificates cannot be updated, or revoked on the device. To ensure security of the device and certificates, it is recommended the user's certificate be used.

  4. (Optional) Run:

    version { ssl3.0 | tls1.0 | tls1.1 } *

    The SSL protocol version is specified.

    By default, a server SSL policy uses Transport Layer Security (TLS) version 1.0 and 1.1.


    SSL3.0 has potential security risks, and will be interdicted to use soon. TLS1.1 or a TLS higher version is recommended.

  5. (Optional) Run:

    session { cachesize size | timeout time } *

    The maximum number of sessions that can be saved and the timeout period of a saved session are set.

    By default, a maximum of 3600 sessions can be saved, and the timeout period of a saved session is 32 except AR510 series. The timeout period of a saved session is 16 in AR510 series.

  6. (Optional) Run:

    ciphersuite { rsa_3des_cbc_sha | rsa_aes_128_cbc_sha | rsa_des_cbc_sha } *

    A cipher suite is specified.

    By default, a server SSL policy supports all the cipher suites: rsa_aes_128_cbc_sha.

  7. (Optional) Configure the SSL renegotiation function.

    Disabling the renegotiation function on the device can protect the device against renegotiation attacks, but will interrupt services. Therefore, you can keep the renegotiation function enabled, and set the SSL renegotiation rate to minimize the impact of renegotiation attacks on services. Choose either of the following tasks:

    • Disable renegotiation.

      Run the undo renegotiation enable command to disable SSL renegotiation.

      By default, SSL renegotiation is enabled.

    • Set the renegotiation rate.
      1. Run the quit command to return to the system view.
      2. Run the ssl renegotiation-rate rate command to set the SSL renegotiation rate.

        By default, the SSL renegotiation is performed once per second. You can set the rate according to the CPU capability of the device.

        This configuration applies to all SSL policies.

Checking the Configuration

Run the display ssl policy [ policy-name ] command to view the configuration of the SSL policy.

Updated: 2019-05-25

Document ID: EDOC1000097287

Views: 14688

Downloads: 40

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next