AR500, AR510, and AR530 V200R007 Commands Reference

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
SSL Configuration Commands

ciphersuite

Function

Using the ciphersuite command, you can configure cipher suites in a server SSL policy.

Using the undo ciphersuite command, you can restore the default cipher suites supported by a server SSL policy.

By default, a server SSL policy uses the rsa_aes_128_cbc_sha cipher suite.

Format

ciphersuite { rsa_3des_cbc_sha | rsa_aes_128_cbc_sha | rsa_des_cbc_sha } *

undo ciphersuite

Parameters

Parameter

Description

Value

rsa_3des_cbc_sha

Indicates the rsa_3des_cbc_sha cipher suite. This cipher suite uses RSA for key exchange, 3DES in CBC mode to encrypt data, and the SHA algorithm to compute the MAC. 3DES has a 64-bit block size, which limits how much data can safely be sent under one key; enable it only for interoperability with peers that do not support AES.

NOTE:

RSA: Rivest-Shamir-Adleman

DES: Data Encryption Standard

CBC: Cipher Block Chaining

SHA: Secure Hash Algorithm

-

rsa_aes_128_cbc_sha

Indicates the rsa_aes_128_cbc_sha cipher suite. This cipher suite uses RSA for key exchange, AES with a 128-bit key in CBC mode to encrypt data, and the SHA algorithm to compute the message authentication code (MAC).

NOTE:

AES: Advanced Encryption Standard

-

rsa_des_cbc_sha

Indicates the rsa_des_cbc_sha cipher suite. This cipher suite uses RSA for key exchange, single DES in CBC mode to encrypt data, and the SHA algorithm to compute the MAC. DES has a 56-bit key and can be brute-forced, so this suite should not be enabled unless a legacy peer requires it.

-

Views

Server SSL policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A cipher suite consists of a data encryption algorithm, a key exchange algorithm, and a MAC algorithm. During an SSL handshake, an SSL client sends a Client Hello message to notify an SSL server of the SSL protocol version and cipher suites that it supports. The SSL server determines the SSL protocol version and cipher suite used for this communication and sends a Server Hello message to notify the client.

The ciphersuite command configures the cipher suite that the Router can use when it functions as an SSL server.

Configuration Impact

To ensure high security, you are advised to configure the server SSL policy to support only rsa_aes_128_cbc_sha.

If you run the ciphersuite command multiple times in the same server SSL policy view, only the latest configuration takes effect.

Example

# Configure a server SSL policy to use the rsa_aes_128_cbc_sha cipher suite.

<Huawei> system-view
[Huawei] ssl policy users type server
[Huawei-ssl-policy-users] ciphersuite rsa_aes_128_cbc_sha

display ssl connection statistics

Function

The display ssl connection statistics command displays statistics on SSL connections.

Format

display ssl connection statistics

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

When a device sets up a connection with an SSL server or client, the device automatically counts and records the SSL connection.

This command displays the peak number of SSL connections recorded since the statistics were last cleared, together with the time the peak occurred, so that the administrator can diagnose and troubleshoot SSL faults quickly.

Example

# View statistics on SSL connections.

<Huawei> display ssl connection statistics
--------------------------------------------------------------------------------
Maximum of total connections in history           :   100
Begin time of total connections                   :   2013-09-26 12:19:11
Maximum time of total connections                 :   2013-09-26 12:19:11
--------------------------------------------------------------------------------
Table 14-110  Description of the display ssl connection statistics command output

Item

Description

Maximum of total connections in history

Maximum number of SSL connections in history.

Begin time of total connections

Time when the system starts to count SSL connections.

Maximum time of total connections

Time when the system records the maximum number of SSL connections.

display ssl policy

Function

Using the display ssl policy command, you can view information about an SSL policy.

Format

display ssl policy [ policy-name ]

Parameters

Parameter

Description

Value

policy-name

Specifies the name of an SSL policy. If this parameter is not specified, the system displays information about all SSL policies.

The SSL policy name must already exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

This command displays information about all SSL policies or a specified SSL policy.

Example

# Display information about all SSL policies.

<Huawei> display ssl policy
Policy number: 2                                                                
  ------------------------------------------------------------------------------
  policy ID   policy name                        policy type     bind number  
  ------------------------------------------------------------------------------
  1              client-users                       Client         0 
  2              server-users                       Server         0 
  ------------------------------------------------------------------------------

# Display information about the client SSL policy client-users.

<Huawei> display ssl policy client-users
  ------------------------------------------------------------------------------
  Policy name                             :   client-users                                 
  Policy ID                               :   1                                
  Policy type                             :   Client                            
  Cipher suite                            :   rsa_aes_128_cbc_sha               
  PKI realm                               :   abc                                  
  Version                                 :   tls1.0                            
  Server verify                           :   1                                 
  CA certificate chain load status        :   loaded                             
  CA certificate num                      :   1                                  
  SSL renegotiation status                :   enable
  Bind number                             :   0                   
  SSL connection number                   :   1                      
  ------------------------------------------------------------------------------

# Display information about server SSL policy server-users.

<Huawei> display ssl policy server-users
  ------------------------------------------------------------------------------
  Policy name                             :   server-users                             
  Policy ID                               :   2                                
  Policy type                             :   Server                            
  Cipher suite                            :   rsa_aes_128_cbc_sha               
  PKI realm                               :   ab                                  
  Cache number                            :   32                                
  Time out(second)                        :   3600                              
  Server certificate load status          :   loaded                            
  CA certificate chain load status        :   loaded                            
  SSL renegotiation status                :   enable
  Bind number                             :   1                                 
  SSL connection number                   :   0                                 
  ------------------------------------------------------------------------------
Table 14-111  Description of the display ssl policy command output

Item

Description

Policy name

Name of an SSL policy. To create an SSL policy, run the ssl policy command.

Policy ID

ID of an SSL policy.

Policy type

Type of an SSL policy: client SSL policy or server SSL policy. The type is specified when the policy is created with the ssl policy command.

Cipher suite

Cipher suite used by the SSL policy.

PKI realm

PKI domain used by the SSL policy. To configure the PKI domain, run the pki-realm command.

Version

Version of the SSL protocol used by the client SSL policy.
  • ssl3.0
  • tls1.0
  • tls1.1
To specify the SSL version, run the version (Client SSL policy view) command.

Server verify

Whether the SSL client is enabled to authenticate an SSL server.

  • 1: enabled
  • 0: disabled

CA certificate chain load status

Whether the CA certificate chain has been loaded to the SSL client.

  • loaded: The certificate chain has been loaded to the SSL client.
  • unloaded: The certificate has not been loaded to the SSL client.
  • got but unloaded: The SSL client has obtained the certificate chain but has not loaded it.

CA certificate num

Number of CA certificates in the certificate chain.

SSL renegotiation status

SSL renegotiation status.

  • enable
  • disable

Bind number

Whether an SSL policy has been applied to an application layer protocol such as HTTP.

  • 1: yes
  • 0: no

SSL connection number

Number of SSL connections established by using an SSL policy.

Cache number

Maximum number of sessions that can be saved on the SSL server.

Time out(second)

Timeout period of a saved session.

Server certificate load status

Whether the digital certificate has been loaded to the SSL server.

  • loaded: yes
  • unloaded: no
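
The fields above are what a configuration review works from. The following added example (written for this page; it is not Huawei code) parses `display ssl policy` output into a dictionary and flags the settings this section warns about: DES or 3DES suites, SSL3.0, server verification disabled in a client policy, a server policy without a loaded certificate, and re-negotiation left enabled while `ssl renegotiation-rate` is 0. The two sample outputs are constructed from the page's own examples with weak settings added; the parser and the baseline are the editor's assumptions.

```python
"""Audit the output of `display ssl policy` against a hardening baseline.

Added example, not Huawei code: the parser, the constructed sample outputs and
the baseline are this page's editor's assumptions, derived from the output
format and the settings documented in this section (ciphersuite /
prefer-ciphersuite, version, server-verify enable, renegotiation enable,
ssl renegotiation-rate).
"""
import re
from typing import Dict, List

# Constructed sample modelled on the page's `display ssl policy server-users`
# output, with a weak suite added to the cipher suite list.
SAMPLE_SERVER = """\
  ------------------------------------------------------------------------------
  Policy name                             :   server-users
  Policy ID                               :   2
  Policy type                             :   Server
  Cipher suite                            :   rsa_aes_128_cbc_sha rsa_des_cbc_sha
  PKI realm                               :   ab
  Cache number                            :   32
  Time out(second)                        :   3600
  Server certificate load status          :   loaded
  CA certificate chain load status        :   loaded
  SSL renegotiation status                :   enable
  Bind number                             :   1
  SSL connection number                   :   0
  ------------------------------------------------------------------------------
"""

# Constructed client sample with two settings this page warns about:
# SSL3.0 offered and server verification switched off.
SAMPLE_CLIENT = """\
  Policy name                             :   client-users
  Policy ID                               :   1
  Policy type                             :   Client
  Cipher suite                            :   rsa_aes_128_cbc_sha
  PKI realm                               :   abc
  Version                                 :   ssl3.0 tls1.0
  Server verify                           :   0
  CA certificate chain load status        :   loaded
  CA certificate num                      :   1
  SSL renegotiation status                :   enable
  Bind number                             :   0
  SSL connection number                   :   1
"""

# Baseline (editor's assumption): DES has a 56-bit key, 3DES a 64-bit block,
# SSL3.0 is flagged on this page itself; rsa_aes_128_cbc_sha is the recommended suite.
WEAK_SUITES = {"rsa_des_cbc_sha", "rsa_3des_cbc_sha"}
WEAK_VERSIONS = {"ssl3.0"}

FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z0-9 ()]*?)\s*:\s*(?P<val>.*?)\s*$")


def parse_policy(text: str) -> Dict[str, str]:
    """Turn the 'key : value' lines of one policy into a dict; rules and blanks are skipped."""
    policy: Dict[str, str] = {}
    for line in text.splitlines():
        if set(line.strip()) <= {"-"}:
            continue
        m = FIELD_RE.match(line)
        if m:
            policy[m.group("key")] = m.group("val")
    return policy


def audit_policy(policy: Dict[str, str], renegotiation_rate: int = 1) -> List[str]:
    """Return findings; an empty list means the policy meets the baseline.

    renegotiation_rate mirrors the device-wide `ssl renegotiation-rate` value
    (default 1 per second; 0 means unlimited).
    """
    findings: List[str] = []
    suites = policy.get("Cipher suite", "").split()
    if not suites:
        findings.append("no cipher suite shown")
    findings.extend(f"weak cipher suite enabled: {s}" for s in suites if s in WEAK_SUITES)
    findings.extend(f"obsolete protocol version enabled: {v}"
                    for v in policy.get("Version", "").split() if v in WEAK_VERSIONS)
    if policy.get("Policy type") == "Client" and policy.get("Server verify") != "1":
        findings.append("server certificate verification disabled (undo server-verify enable)")
    if policy.get("Policy type") == "Server" and policy.get("Server certificate load status") != "loaded":
        findings.append("server certificate not loaded")
    if policy.get("SSL renegotiation status") == "enable" and renegotiation_rate == 0:
        findings.append("re-negotiation enabled with no rate limit (ssl renegotiation-rate 0)")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_SERVER, SAMPLE_CLIENT):
        p = parse_policy(sample)
        print(p["Policy name"], audit_policy(p) or ["OK"])
```

Feed it the captured output of each policy separately (the all-policies table at the top of this section has a different, columnar layout and is not parsed here). A policy that passes prints OK; the remediation for each finding is the command named in the finding text.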

pki-realm

Function

Using the pki-realm command, you can specify a public key infrastructure (PKI) domain in an SSL policy.

Using the undo pki-realm command, you can delete the PKI domain from the SSL policy.

By default, a PKI domain named default exists on the device. This domain can be modified but cannot be deleted.

Format

pki-realm realm-name

undo pki-realm

Parameters

Parameter

Description

Value

realm-name

Specifies the name of a PKI domain.

The PKI domain name must already exist.

Views

Client SSL policy view, server SSL policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

This command specifies a PKI domain in an SSL policy. A PKI domain has different functions when it is specified in a server SSL policy and a client SSL policy:

  • After a PKI domain is specified in the server SSL policy view, the Router functioning as an SSL server obtains a digital certificate from the certificate authority (CA) specified in the PKI domain. Then SSL clients authenticate the Router by checking the digital certificate.
  • After a PKI domain is specified in the client SSL policy view, the Router functioning as an SSL client obtains a CA certificate chain from the CA specified in the PKI domain. If SSL server authentication is enabled by using the server-verify enable command, the Router authenticates the SSL server using the CA certificate chain.

Prerequisites

A PKI domain has been created.

Precautions

If you run the pki-realm command multiple times in the same SSL policy view, only the latest configuration takes effect.

When functioning as an SSL server, the Router presents its certificate to SSL clients but cannot authenticate SSL clients by certificate. Any client authentication must therefore be performed by the application protocol carried over SSL.

When functioning as an SSL client, the Router does not present a certificate to SSL servers, so servers cannot authenticate it, but it can authenticate SSL servers.

Example

# Configure a client SSL policy to use the PKI domain client-realm.

<Huawei> system-view
[Huawei] ssl policy users type client
[Huawei-ssl-policy-users] pki-realm client-realm

prefer-ciphersuite

Function

Using the prefer-ciphersuite command, you can specify a cipher suite in a client SSL policy.

Using the undo prefer-ciphersuite command, you can restore the default configuration.

By default, a client SSL policy uses the rsa_aes_128_cbc_sha cipher suite.

Format

prefer-ciphersuite { rsa_3des_cbc_sha | rsa_aes_128_cbc_sha | rsa_des_cbc_sha } *

undo prefer-ciphersuite

Parameters

Parameter

Description

Value

rsa_3des_cbc_sha

Indicates the rsa_3des_cbc_sha cipher suite. This cipher suite uses RSA for key exchange, 3DES in CBC mode to encrypt data, and the SHA algorithm to compute the MAC. 3DES has a 64-bit block size, which limits how much data can safely be sent under one key; enable it only for interoperability with peers that do not support AES.

NOTE:

RSA: Rivest-Shamir-Adleman

DES: Data Encryption Standard

CBC: Cipher Block Chaining

SHA: Secure Hash Algorithm

-

rsa_aes_128_cbc_sha

Indicates the rsa_aes_128_cbc_sha cipher suite. This cipher suite uses RSA for key exchange, AES with a 128-bit key in CBC mode to encrypt data, and the SHA algorithm to compute the message authentication code (MAC).

NOTE:

AES: Advanced Encryption Standard

-

rsa_des_cbc_sha

Indicates the rsa_des_cbc_sha cipher suite. This cipher suite uses RSA for key exchange, single DES in CBC mode to encrypt data, and the SHA algorithm to compute the MAC. DES has a 56-bit key and can be brute-forced, so this suite should not be enabled unless a legacy peer requires it.

-

Views

Client SSL policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A cipher suite consists of a data encryption algorithm, a key exchange algorithm, and a MAC algorithm. During an SSL handshake, an SSL client sends a Client Hello message to notify an SSL server of the SSL protocol version and cipher suites that it supports. The SSL server determines the SSL protocol version and cipher suite used for this communication and sends a Server Hello message to notify the client.

The prefer-ciphersuite command configures the cipher suite that the Router can use when it functions as an SSL client.

Configuration Impact

If you run the prefer-ciphersuite command multiple times in the same client SSL policy view, only the latest configuration takes effect.

Precautions

To ensure high security, you are advised to configure the client SSL policy to use only rsa_aes_128_cbc_sha.

Ensure that the cipher suite specified in this command is supported by the SSL server. Before running this command, check the cipher suites that the SSL server supports.

Example

# Configure a client SSL policy to use the rsa_aes_128_cbc_sha cipher suite.

<Huawei> system-view
[Huawei] ssl policy users type client
[Huawei-ssl-policy-users] prefer-ciphersuite rsa_aes_128_cbc_sha

renegotiation enable

Function

The renegotiation enable command enables re-negotiation of an SSL connection.

The undo renegotiation enable command disables re-negotiation of an SSL connection.

By default, re-negotiation of an SSL connection is enabled.

Format

renegotiation enable

undo renegotiation enable

Parameters

None

Views

SSL policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A client and a server negotiate session parameters by using the SSL handshake protocol to verify the identities of the two parties and to negotiate the session key and cipher suite. Asymmetric cryptography is used to protect the key exchange and to authenticate the peers while these parameters are negotiated. This computation is expensive and consumes a lot of system resources.

If an attacker sends re-negotiation requests continuously, the device spends a lot of system resources processing them. Processing a re-negotiation costs the server about 15 times the resources it costs the client, so the server may be unable to serve authorized users or may stall, affecting normal service operations.

You can run this command to disable re-negotiation of an SSL connection. The device then rejects re-negotiation requests, preventing the preceding problem.

Precautions

After re-negotiation of an SSL connection is disabled, an established connection on which the peer requests re-negotiation is interrupted.

Example

# Disable re-negotiation of an SSL connection on the server.

<Huawei> system-view
[Huawei] ssl policy server-users type server
[Huawei-ssl-policy-server-users] undo renegotiation enable

# Disable re-negotiation of an SSL connection on the client.

<Huawei> system-view
[Huawei] ssl policy client-users type client
[Huawei-ssl-policy-client-users] undo renegotiation enable

reset ssl connection statistics

Function

The reset ssl connection statistics command deletes statistics on SSL connections.

Format

reset ssl connection statistics

Parameters

None

Views

User view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Before measuring the peak number of SSL connections over a period of time, clear the existing SSL statistics so that the recorded maximum and its time stamp refer to that period.

Precautions

SSL statistics cannot be restored after you delete them. Confirm the action before running the command.

Example

# Delete statistics on SSL connections.

<Huawei> reset ssl connection statistics

server-verify enable

Function

Using the server-verify enable command, you can enable SSL server authentication in a client SSL policy.

Using the undo server-verify enable command, you can disable SSL server authentication in a client SSL policy.

By default, SSL server authentication is enabled in a client SSL policy.

Format

server-verify enable

undo server-verify enable

Parameters

None

Views

Client SSL policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An SSL server and an SSL client perform a handshake to negotiate session parameters and establish a session. During the handshake, the SSL client authenticates the SSL server by checking its digital certificate.

The server-verify enable command enables the Router to authenticate SSL servers when it functions as an SSL client.

Precautions

Exercise caution when running the undo server-verify enable command. Without server authentication the Router accepts any server certificate, so an attacker impersonating the server can intercept the connection.

Example

# Enable SSL server authentication.

<Huawei> system-view
[Huawei] ssl policy users type client
[Huawei-ssl-policy-users] server-verify enable

session

Function

Using the session command, you can set the maximum number of sessions that can be saved and the timeout period of a saved session.

Using the undo session command, you can restore the default configuration.

By default, a maximum of 32 sessions can be saved (16 on the AR510 series), and the timeout period of a saved session is 3600 seconds.

Format

session { cachesize size | timeout time } *

undo session { cachesize | timeout } *

Parameters

Parameter

Description

Value

cachesize size

Sets the maximum number of sessions that can be saved on the SSL server.

The value is an integer that varies according to different devices.

timeout time

Sets the timeout period of a saved session.

The value is an integer that ranges from 1800 to 72000, in seconds.

Views

Server SSL policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An SSL server and an SSL client carry out a complex SSL handshake to establish a session. To streamline the SSL handshake process, the SSL protocol allows the server and client to use the previously negotiated parameters to establish new sessions. Therefore, the SSL server must store session information. The session command configures the maximum number of sessions that can be saved and the timeout period of a saved session.

  • If the number of saved sessions reaches the maximum, the SSL server stops saving new sessions, and new clients must perform a full handshake.
  • When the timeout period of a session expires, the SSL server deletes the session.

Precautions

If you run the session command multiple times in the same server SSL policy view, only the latest configuration takes effect.

Example

# Set the maximum number of sessions that can be saved to 50, and the timeout period of a saved session to 7200s.

<Huawei> system-view
[Huawei] ssl policy users type server
[Huawei-ssl-policy-users] session cachesize 50 timeout 7200
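
To make the two limits concrete, here is an added example (the editor's, not device code) of a session cache that follows this section's description: a full cache refuses new sessions instead of evicting older ones, and a session whose timeout has expired is deleted. The purge-on-access strategy, the Session fields and the 32-byte random session ID are assumptions; the cachesize and timeout semantics are the page's.

```python
"""SSL session cache with the two limits the `session` command sets:
`cachesize` (maximum saved sessions) and `timeout` (lifetime of a saved session).

Added example, not device code. It follows this page's description (a full cache
stops accepting new sessions rather than evicting; expired sessions are deleted).
The purge-on-access strategy, the Session fields and the 32-byte random session
ID are this editor's assumptions.
"""
import os
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    master_secret: bytes   # parameters reused by an abbreviated handshake
    cipher_suite: str
    created_at: float      # seconds; the timeout is measured from here


class SessionCache:
    def __init__(self, cachesize: int, timeout: int) -> None:
        if cachesize < 1 or timeout < 1:
            raise ValueError("cachesize and timeout must be positive")
        self.cachesize = cachesize
        self.timeout = timeout
        self._sessions: Dict[bytes, Session] = {}

    def _purge(self, now: float) -> None:
        """Delete sessions whose timeout has expired (page: the server deletes them)."""
        expired = [sid for sid, s in self._sessions.items()
                   if now - s.created_at >= self.timeout]
        for sid in expired:
            del self._sessions[sid]

    def store(self, master_secret: bytes, cipher_suite: str, now: float) -> Optional[bytes]:
        """Save a freshly negotiated session and return its ID.

        Returns None when the cache is full: per this page the server stops saving
        new sessions, so that client will have to run a full handshake next time.
        """
        self._purge(now)
        if len(self._sessions) >= self.cachesize:
            return None
        sid = os.urandom(32)   # TLS session IDs are at most 32 bytes
        self._sessions[sid] = Session(master_secret, cipher_suite, now)
        return sid

    def resume(self, session_id: bytes, now: float) -> Optional[Session]:
        """Abbreviated handshake: return the saved parameters if the ID is known and unexpired."""
        self._purge(now)
        return self._sessions.get(session_id)

    def __len__(self) -> int:
        return len(self._sessions)


if __name__ == "__main__":
    cache = SessionCache(cachesize=50, timeout=7200)   # the page's example values
    sid = cache.store(os.urandom(48), "rsa_aes_128_cbc_sha", now=0.0)
    print("resumable at t=7199:", cache.resume(sid, now=7199.0) is not None)
    print("resumable at t=7200:", cache.resume(sid, now=7200.0) is not None)
```

The trade-off the two parameters encode is visible in the code: a small cachesize under load means most clients fall back to full handshakes (the expensive path the renegotiation enable section describes), while a long timeout keeps master secrets in memory longer.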

ssl policy

Function

Using the ssl policy command, you can create an SSL policy and enter its view, or enter the view of an existing SSL policy.

Using the undo ssl policy command, you can delete an SSL policy.

By default, a server SSL policy named default_policy exists on the device.

Format

ssl policy policy-name [ type { client | server } ]

undo ssl policy policy-name

Parameters

Parameter

Description

Value

policy-name

Specifies the name of an SSL policy.

The value is a string of 1 to 31 case-sensitive characters. It cannot contain any space or question mark (?).

type { client | server }

Specifies the type of an SSL policy: client SSL policy or server SSL policy.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The Secure Sockets Layer (SSL) protocol protects data privacy on the Internet. It allows a client and a server to communicate in a way designed to prevent eavesdropping.

You can use the ssl policy command to create a client or server SSL policy, and configure SSL parameters in the SSL policy view.

Precautions

You must specify the SSL policy type when creating an SSL policy. To enter the view of an existing SSL policy, specify only the policy name.

The device supports a maximum of 16 SSL policies.

To ensure that the functions referencing SSL policy, such as HTTPS, are available by default, a default server SSL policy exists on the Router. The default policy is bound to a default PKI domain.

Example

# Create a client SSL policy users.

<Huawei> system-view
[Huawei] ssl policy users type client

ssl renegotiation-rate

Function

The ssl renegotiation-rate command sets the SSL renegotiation rate.

The undo ssl renegotiation-rate command restores the SSL renegotiation rate to default value.

By default, the SSL renegotiation rate is limited to once per second.

Format

ssl renegotiation-rate rate

undo ssl renegotiation-rate

Parameters

Parameter

Description

Value

rate

Specifies how many times SSL renegotiation is performed per second.

The value is an integer that ranges from 0 to 65535. The default is 1. The value 0 removes the rate limit, which leaves the device exposed to the re-negotiation flooding described under renegotiation enable.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Disabling re-negotiation protects the device against re-negotiation attacks but interrupts connections that need to re-negotiate. Alternatively, keep re-negotiation enabled and limit its rate, which bounds the impact of such attacks on services.

You can set the SSL renegotiation rate according to the CPU capability of the device.

Example

# Set the SSL renegotiation rate to 2.

<Huawei> system-view
[Huawei] ssl renegotiation-rate 2

version (Client SSL policy view)

Function

The version command specifies an SSL protocol version in a client SSL policy.

The undo version command restores the default SSL protocol version.

By default, a client SSL policy uses Transport Layer Security (TLS) version 1.0.

Format

version { ssl3.0 | tls1.0 | tls1.1 } *

undo version

Parameters

Parameter

Description

Value

ssl3.0

Indicates that the SSL client uses SSL3.0 to communicate with the SSL server.
NOTE:
SSL3.0 has known security weaknesses and will no longer be supported. TLS1.1 or a later TLS version is recommended.

-

tls1.0

Indicates that the SSL client uses TLS1.0 to communicate with the SSL server.

-

tls1.1

Indicates that the SSL client uses TLS1.1 to communicate with the SSL server.

-

Views

Client SSL policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An SSL server and an SSL client perform a handshake to negotiate session parameters and establish a session. During an SSL handshake, the SSL client sends a Client Hello message to notify the SSL server of the SSL protocol version and cipher suites that it supports. The SSL server determines the SSL protocol version and cipher suite used for this communication and sends a Server Hello message to notify the client.

The version command configures the SSL version used by the SSL client. The SSL client sends a Client Hello message to the SSL server to notify the server of the configured SSL version, and the SSL server determines the SSL version used for this communication.

Precautions

If you run the version command multiple times in the same client SSL policy view, only the latest configuration takes effect.

Ensure that the SSL protocol version specified in this command is supported by the SSL server. Before running this command, check the SSL protocol versions that the SSL server supports.

Example

# Configure a client SSL policy to use TLS1.1.

<Huawei> system-view
[Huawei] ssl policy users type client
[Huawei-ssl-policy-users] version tls1.1
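
The Client Hello / Server Hello exchange described under ciphersuite, prefer-ciphersuite and the two version commands decides whether a handshake succeeds, and the precaution above about checking what the server supports comes down to the intersection of the two sides' lists. The following added model (the editor's example, not device code) makes that explicit. The selection rule (highest common version, then the client's most preferred suite that the server also lists) and the fatal alert modelled as an exception are assumptions; the version and cipher suite names are the ones these commands accept.

```python
"""Client Hello / Server Hello negotiation as described on this page.

Added example, not device code. The message shapes, the selection rule and the
fatal-alert-as-exception are this editor's assumptions; the version and cipher
suite names are the ones the version, ciphersuite and prefer-ciphersuite
commands accept.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Lowest to highest; the only ordering the model needs.
VERSION_ORDER = ["ssl3.0", "tls1.0", "tls1.1"]


@dataclass
class ClientHello:
    versions: List[str]       # versions the client SSL policy allows (version command)
    cipher_suites: List[str]  # client preference order (prefer-ciphersuite)


@dataclass
class ServerPolicy:
    versions: List[str]       # version (server SSL policy view)
    cipher_suites: List[str]  # ciphersuite


@dataclass
class ServerHello:
    version: str
    cipher_suite: str


class HandshakeFailure(Exception):
    """Stands in for the fatal alert sent when the two sides have nothing in common."""


def negotiate(hello: ClientHello, policy: ServerPolicy) -> ServerHello:
    """Choose the highest version both sides allow and the client's most preferred
    suite that the server policy also lists; raise HandshakeFailure otherwise."""
    common = [v for v in VERSION_ORDER if v in hello.versions and v in policy.versions]
    if not common:
        raise HandshakeFailure(
            f"no common protocol version: client {hello.versions}, server {policy.versions}")
    for suite in hello.cipher_suites:
        if suite in policy.cipher_suites:
            return ServerHello(version=common[-1], cipher_suite=suite)
    raise HandshakeFailure(
        f"no common cipher suite: client {hello.cipher_suites}, server {policy.cipher_suites}")


def simulate(client_versions: List[str], client_suites: List[str],
             server_versions: List[str], server_suites: List[str]) -> Tuple[bool, str]:
    """Run one handshake and report (succeeded, 'version / suite' or the failure reason)."""
    try:
        sh = negotiate(ClientHello(client_versions, client_suites),
                       ServerPolicy(server_versions, server_suites))
        return True, f"{sh.version} / {sh.cipher_suite}"
    except HandshakeFailure as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Page defaults: client tls1.0, server tls1.0 + tls1.1, both rsa_aes_128_cbc_sha.
    print(simulate(["tls1.0"], ["rsa_aes_128_cbc_sha"],
                   ["tls1.0", "tls1.1"], ["rsa_aes_128_cbc_sha"]))
    # Client moved to tls1.1 but still configured for a DES suite the server dropped.
    print(simulate(["tls1.1"], ["rsa_des_cbc_sha"],
                   ["tls1.0", "tls1.1"], ["rsa_aes_128_cbc_sha"]))
```

The second call is the failure this section's precautions are about: hardening one side (the server's ciphersuite list) without adjusting the other (the client's prefer-ciphersuite) produces a connection that never gets past Server Hello. The same model shows why offering ssl3.0 on the client is pointless against a server policy that only lists TLS versions.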

version (server SSL policy view)

Function

The version command specifies an SSL protocol version in a server SSL policy.

The undo version command restores the default SSL protocol versions of the server SSL policy.

By default, a server SSL policy uses Transport Layer Security (TLS) versions 1.0 and 1.1.

Format

version { ssl3.0 | tls1.0 | tls1.1 } *

undo version

Parameters

Parameter

Description

Value

ssl3.0

Indicates that the SSL server uses SSL3.0 to communicate with the SSL client.
NOTE:
SSL3.0 has known security weaknesses and will no longer be supported. TLS1.1 or a later TLS version is recommended.

-

tls1.0

Indicates that the SSL server uses TLS1.0 to communicate with the SSL client.

-

tls1.1

Indicates that the SSL server uses TLS1.1 to communicate with the SSL client.

-

Views

Server SSL policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An SSL client and an SSL server perform a handshake to negotiate session parameters and establish a session. During an SSL handshake, an SSL client sends a Client Hello message to notify an SSL server of the SSL protocol version, encryption algorithm, key exchanging algorithm, and MAC algorithm that it supports. The SSL server determines the SSL protocol version and cipher suite used for this communication and sends a Server Hello message to the client.

The version command specifies the SSL protocol versions that the server SSL policy accepts. From the versions the client offers in its Client Hello, the SSL server selects one that the policy allows and returns it to the client in a Server Hello message; if the client offers no version the policy allows, the handshake fails.

Precautions

If you run the version command multiple times in the same server SSL policy view, only the latest configuration takes effect.

Example

# Configure a server SSL policy to use TLS1.1.

<Huawei> system-view
[Huawei] ssl policy users type server
[Huawei-ssl-policy-users] version tls1.1
Updated: 2019-05-29

Document ID: EDOC1000097293
