Configuration Guide - Basic Configuration

S7700 and S9700 V200R010C00

This document describes methods to use command line interface and to log in to the device, file operations, and system startup configurations.

Overview

Definition

The web system can be used to manage devices. The device has an internal web server which provides a GUI for users. Before using the web system to manage and maintain a device, you need to log in to the device through HTTPS from a terminal.

Purpose

You can manage a device using a web system or a command line interface (CLI). On a CLI, you must use commands to manage and maintain the device. The CLI method allows you to implement fine-grained device management, but you have to be familiar with required commands. In comparison, the web system is easier to operate and allows you to manage and maintain the device on a GUI. However, the web system provides only basic routine maintenance and management functions. You can select a proper management method based on actual needs.

To use the CLI, you must log in to the device through a console port or using Telnet or STelnet. To use the web system, you must log in to the device through HTTPS.

For details on how to log in to a device through the console port or using Telnet or STelnet, see CLI Login Configuration.

Concepts

Before configuring web system login, familiarize yourself with the following concepts:
  • HTTP

    Hypertext Transfer Protocol (HTTP) is used to transfer web page files over the Internet. It runs at the application layer of the TCP/IP protocol stack. The transport layer uses the connection-oriented TCP protocol. HTTP has security vulnerabilities. To avoid potential security risks, the device allows you to log in to the web system only through the more secure Hypertext Transfer Protocol Secure (HTTPS).

  • HTTPS

    HTTPS uses Secure Sockets Layer (SSL) to encrypt data exchanged between the client and the device and defines access control policies based on certificate attributes. HTTPS enhances data integrity and transmission security, ensuring that only authorized clients can log in to the device.

  • SSL policy

    An SSL policy defines parameters that the device uses during startup, and is implemented during configuration of HTTPS. During configuration, the corresponding digital certificate on the device is loaded. The SSL policy takes effect only after it is applied to application layer protocols, such as HTTP.

  • Digital certificate

    A digital certificate is issued by a certificate authority (CA) and uses a digital signature to bind a public key with an identity (applicant who possesses the certificate). The digital certificate includes information such as the applicant name, public key, digital signature of the CA, and validity period of the digital certificate. A digital certificate validates the identities of two communicating parties to improve communication reliability.

  • Certificate Authority (CA)

    A CA issues, manages, and revokes digital certificates. It does so by checking the validity of digital certificate owners, issuing digital certificates to prevent eavesdropping and tampering, and managing certificates and keys. A globally trusted CA is called a root CA. The root CA can authorize other CAs as subordinate CAs. A CA's identity needs to be verified and is described in a trusted-CA file.

    For example, CA1 is the root CA and issues a certificate for CA2, and CA2 then issues a certificate for CA3. This process proceeds until the final server certificate is issued.

    Assume that CA3 issues the server certificate. A certificate authentication process on the client starts from server certificate authentication:
    • The client first verifies the validity of the server certificate based on the CA3 certificate.
    • The client then checks the CA2 certificate to verify the validity of the CA3 certificate.
    • The client then checks the CA1 certificate to verify the validity of the CA2 certificate.
    • The server certificate passes authentication only when the CA2 certificate is verified as valid by the CA1 certificate.

    Figure 6-1 shows the certificate issuing and authentication processes.

    Figure 6-1  Certificate issuing and authentication
  • Certificate Revocation List (CRL)

    A CRL is issued by a CA and lists the certificates that the CA has revoked. A certificate that appears in the CRL should therefore not be relied upon.

    Each digital certificate has a limited lifetime, and a CA can revoke a digital certificate to shorten its lifetime. The validity period of a certificate specified in the CRL is shorter than the original validity period of the certificate. If a CA revokes a digital certificate, the key pair defined in the certificate can no longer be used even if the digital certificate has not expired. When a certificate in a CRL expires, the certificate is deleted from the CRL to shorten the CRL.

You can load the CRL and a certificate (trust certificate) with a higher level than the digital certificate on your PC. If they are not loaded, you are prompted to decide whether to trust the server when you attempt to establish a connection with a web server. If you choose not to trust the server, the connection cannot be established. If you choose to trust the server, the connection is established successfully, but the PC cannot verify the digital certificate on the server. However, the confidentiality of data transmitted between the PC and server is ensured. To ensure that you are connecting to a valid web server, you can load a trust certificate and CRL on the PC. For details on how to load trust certificates, refer to the help information in the operating system.
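The CA1, CA2, CA3 chain walk described under Certificate Authority (CA) can be reproduced on a PC with the OpenSSL command line. This is an added example, not part of the Huawei guide: it assumes `openssl` is installed, and all certificate names and file names are constructed placeholders. It shows the client trusting only CA1 and rejecting the server certificate when an intermediate is missing.

```shell
#!/bin/sh
# Added example with constructed names: CA1 (root) -> CA2 -> CA3 -> server.
# Assumes the openssl CLI is installed; every file is a throwaway placeholder.

# issue <name> <issuer> <ext-section>; issuer equal to name means self-signed root
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config pki.cnf -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null || return 1
  if [ "$1" = "$2" ]; then
    openssl x509 -req -sha256 -days 30 -in "$1.csr" -signkey "$1.key" \
      -extfile pki.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -sha256 -days 30 -in "$1.csr" -CA "$2.pem" \
      -CAkey "$2.key" -CAcreateserial \
      -extfile pki.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
  fi
}

# Build the four certificates in the current directory.
build_chain() {
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
EOF
  issue CA1 CA1 ca_ext && issue CA2 CA1 ca_ext &&
    issue CA3 CA2 ca_ext && issue server CA3 leaf_ext
}

# verify_server <intermediate.pem>...: only CA1 is trusted (the "trust
# certificate"); the listed intermediates are merely candidates for the chain.
verify_server() {
  cat "$@" > untrusted.pem
  openssl verify -CAfile CA1.pem -untrusted untrusted.pem server.pem \
    >/dev/null 2>&1
}

cd "$(mktemp -d)" && build_chain || exit 1
verify_server CA2.pem CA3.pem && echo "full chain: server certificate valid"
verify_server CA3.pem || echo "CA2 missing: chain cannot reach CA1, rejected"
```

Drop the output redirection in `verify_server` to see the specific OpenSSL error for the broken chain.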
Updated: 2019-04-18

Document ID: EDOC1000141895
