
Configuration Guide - Basic Configuration

S7700 and S9700 V200R010C00

This document describes methods to use command line interface and to log in to the device, file operations, and system startup configurations.
Managing Files When the Device Functions as an FTPS Client

Pre-configuration Tasks

Before connecting to a device as an FTPS client to manage files, complete the following tasks:

  • Ensure that routes are reachable between the current device and the FTPS server.
  • Load the digital certificate on the FTPS server.
  • Obtain the host name or IP address of the FTPS server, FTPS user name, and password.

Configuration Process

Table 7-54 describes the procedure for managing files when the device functions as an FTPS client.

Table 7-54  Procedure for managing files when the device functions as an FTPS client

    1. Upload the CA certificate and CRL file: upload the required files to the device.
    2. Configure the SSL policy and load the CA certificate and CRL file.
    3. Connect to the FTPS server.
    4. Run FTP commands to perform file-related operations, including operations on directories and files, configuring the file transfer mode, and viewing the online help about FTP commands.
    5. (Optional) Change the login user.
    6. Disconnect the FTP client from the FTP server.

    Remarks: After the FTPS connection is established, steps 4 and 5 can be performed in any sequence.

Procedure

  • Upload the CA certificate and CRL file.

    Upload the CA certificate and CRL file to the security directory on the device in FTP, SFTP, or SCP mode. If no security directory exists on the device, run the mkdir security command to create one.

    NOTE:
    • The FTPS client must obtain certificates from the CA to authenticate the digital certificate of the server.

    • The CRL is also issued by the CA. The CRL file lists serial numbers of certificates that are revoked. If the digital certificate is listed in the CRL file, the client cannot authenticate the server successfully and the FTPS connection fails.

    Digital certificates support the PEM, ASN1, and PFX formats.
    • A PEM digital certificate has a file name extension .pem and is applicable to text transmission between systems.

    • An ASN1 digital certificate has a file name extension .der and is the default format for most browsers.

    • A PFX digital certificate has a file name extension .pfx and is a binary format that can be converted into the PEM or ASN1 format.

    The CRL file supports the ASN1 and PEM formats.

    For details, see the description about uploading files in other modes.

  • Configure an SSL policy and load the CA certificate and CRL file.

    Table 7-55  Configuring an SSL policy and loading the CA certificate and CRL file

    Enter the system view.
        system-view

    (Optional) Customize an SSL cipher suite.
        ssl cipher-suite-list customization-policy-name
        Customize an SSL cipher suite policy and enter the cipher suite policy view. By default, no customized SSL cipher suite policy is configured.

        set cipher-suite { tls1_ck_rsa_with_aes_256_sha | tls1_ck_rsa_with_aes_128_sha | tls1_ck_rsa_rc4_128_sha | tls1_ck_dhe_rsa_with_aes_256_sha | tls1_ck_dhe_dss_with_aes_256_sha | tls1_ck_dhe_rsa_with_aes_128_sha | tls1_ck_dhe_dss_with_aes_128_sha | tls12_ck_rsa_aes_256_cbc_sha256 }
        Configure the cipher suites for a customized SSL cipher suite policy. By default, no customized SSL cipher suite policy is configured.
        If a customized SSL cipher suite policy is being referenced by an SSL policy, the cipher suites in the customized cipher suite policy can be added, modified, or partially deleted. Deleting all of the cipher suites is not allowed.

        quit
        Return to the system view.

    Create the SSL policy and enter the SSL policy view.
        ssl policy policy-name

    (Optional) Set the minimum version of the SSL policy.
        ssl minimum version { ssl3.0 | tls1.0 | tls1.1 | tls1.2 }
        By default, the minimum version of an SSL policy is TLS1.1.

    (Optional) Bind a customized SSL cipher suite policy to the SSL policy.
        binding cipher-suite-customization customization-policy-name
        By default, no customized cipher suite policy is bound to an SSL policy. Each SSL policy uses a default cipher suite.
        After a customized cipher suite policy is unbound from an SSL policy, the SSL policy uses one of the following cipher suites supported by default:
        • tls1_ck_rsa_with_aes_256_sha
        • tls1_ck_rsa_with_aes_128_sha
        • tls1_ck_dhe_rsa_with_aes_256_sha
        • tls1_ck_dhe_dss_with_aes_256_sha
        • tls1_ck_dhe_rsa_with_aes_128_sha
        • tls1_ck_dhe_dss_with_aes_128_sha
        • tls12_ck_rsa_aes_256_cbc_sha256
        If the cipher suites in the customized cipher suite policy bound to an SSL policy contain only one type of algorithm (RSA or DSS), the corresponding certificate must be loaded for the SSL policy to ensure successful SSL negotiation.

    Load the CA certificate in the PEM format.
        trusted-ca load pem-ca ca-filename

    Load the CA certificate in the ASN1 format.
        trusted-ca load asn1-ca ca-filename

    Load the CA certificate in the PFX format.
        trusted-ca load pfx-ca ca-filename auth-code cipher auth-code

        Load the CA certificate in the PEM, ASN1, or PFX format. A maximum of four CA certificates can be loaded in an SSL policy. The loaded CA certificates are added to the existing CA list.

        NOTE:
        Before rolling V200R008C00 or a later version back to an earlier version, back up the SSL private key file.

    Load the CRL file.
        crl load { pem-crl | asn1-crl } crl-filename
        A maximum of two CRL files can be loaded in an SSL policy. The loaded CRL files are added to the existing CRL file list.

    NOTE:
    • If only one CA certificate exists on the FTPS server, configure all CA certificates of upper levels on the client.
    • If a certificate chain exists on the FTPS server, configure only the root certificate on the client.
    • If the CRL file is not loaded, the FTPS connection is not affected, but the client cannot check whether the digital certificate of the server has been revoked. You are advised to load the CRL file and update it periodically.

  • Connect to the FTPS server.

    Table 7-56  Connecting to the FTPS server

    Connect using an IPv4 address.
        ftp ssl-policy policy-name [ -a source-ip-address | -i interface-type interface-number ] host [ port-number ] [ public-net | vpn-instance vpn-instance-name ]

    Connect using an IPv6 address.
        ftp ssl-policy policy-name ipv6 host-ipv6-address [ port-number ]

    Select one of them based on the IP address type.

    When connecting to the FTPS server, run the ftp command to enter the FTP client view and the open command to establish the FTP connection.

    Users must enter the correct user name and password to enter the FTP client view and manage files on the server.

  • Run FTP commands to perform file-related operations.

    After connecting to the FTPS server, users can run FTP commands to perform file-related operations on the FTPS server.

    NOTE:

    User rights are configured on the FTP server.

    The file system has a restriction on the number of files in the root directory. Therefore, if more than 50 files exist in the root directory, creating new files in this directory may fail.

    Users can perform the following operations in any sequence.

    Table 7-57  Running FTP commands to perform file-related operations

    Change the working directory on the server.
        cd remote-directory

    Change the current working directory to its parent directory.
        cdup

    Display the working directory on the server.
        pwd

    Display or change the local working directory.
        lcd [ local-directory ]
        The lcd command displays the local working directory on the client, and the pwd command displays the working directory on the remote server.

    Create a directory on the server.
        mkdir remote-directory
        The directory name can consist of letters and digits. The following special characters are not supported: < > ? \ :

    Delete a directory from the server.
        rmdir remote-directory

    Display information about the specified directory or file on the server.
        dir/ls [ remote-filename [ local-filename ] ]
        • The ls command displays only the directory or file name, and the dir command displays detailed directory or file information such as the name, size, and creation date.
        • If no directory is specified in the command, the system searches for the file in the user's authorized directories.

    Delete a file from the server.
        delete remote-filename

    Upload one or more files.
        put local-filename [ remote-filename ]
        or
        mput local-filenames
        • To upload a file, run the put command.
        • To upload multiple files, run the mput command.

    Download one or more files.
        get remote-filename [ local-filename ]
        or
        mget remote-filenames
        • To download a file, run the get command.
        • To download multiple files, run the mget command.

    Set the file transfer mode to ASCII or binary.
        ascii
        or
        binary
        Select one of them.
        • The default file transfer mode is ASCII.
        • The ASCII mode is used to transfer text files, and the binary mode is used to transfer programs, system software (such as files with the name extension .cc, .bin, or .pat), and database files.

    Set the data transmission mode to passive or active.
        passive
        or
        undo passive
        Select one of them. The default data transmission mode is active.

    View the online help about FTP commands.
        remotehelp [ command ]

    Enable the system prompt function.
        prompt
        By default, the prompt function is disabled.

    Enable the verbose function.
        verbose
        After the verbose function is enabled, all FTP response messages are displayed on the FTP client.

  • (Optional) Change the login user.

    The current user can switch to another user in the FTP client view. The FTP connection between the new user and FTPS server is the same as that established by running the ftp ssl-policy command.

    Change the current user in the FTP client view.
        user user-name [ password ]
        When the login user is switched to another user, the original user is disconnected from the FTP server.

  • Disconnect the FTPS client from the FTPS server.

    Users can run different commands in the FTP client view to disconnect the FTPS client from the FTPS server.

    Disconnect the FTP client from the FTP server and return to the user view.
        bye or quit
        Select one of them.

    Disconnect the FTP client from the FTP server and return to the FTP client view.
        close or disconnect
        Select one of them.
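    The following is an added example and is not code from the Huawei guide or the device. It reproduces the effect of the SSL policy step (minimum version, trusted CA list, CRL list, cipher suite selection) and of the file-operation step (encrypted data channel, passive or active mode, ASCII or binary transfer) in Python's standard library, so that the meaning of each setting can be inspected on a workstation without a device. The mapping from the device's cipher suite keywords to OpenSSL cipher names is an assumption derived from the suite names; the RC4 suite is deliberately rejected, which goes beyond the page, since RC4 is a broken stream cipher. The host, user name and file names in the usage function are constructed placeholders, and that function needs a reachable FTPS server; everything else runs offline.

```python
"""Hardened FTPS client settings, stdlib only (ssl + ftplib).

Added example, not Huawei code: each helper mirrors one row of the
device's SSL-policy or FTP-command table so its effect can be checked.
"""
import ssl
from ftplib import FTP_TLS

# Keywords accepted by "ssl minimum version" on the device, mapped to the
# ssl module's enum. ssl3.0 is left out on purpose: no current OpenSSL build
# negotiates it, and it should never be the floor of a policy.
MIN_VERSION = {
    "tls1.0": ssl.TLSVersion.TLSv1,
    "tls1.1": ssl.TLSVersion.TLSv1_1,
    "tls1.2": ssl.TLSVersion.TLSv1_2,
}

# Device "set cipher-suite" keywords mapped to OpenSSL cipher names.
# Assumed mapping, derived from the suite names on the page.
SUITE_NAMES = {
    "tls1_ck_rsa_with_aes_256_sha": "AES256-SHA",
    "tls1_ck_rsa_with_aes_128_sha": "AES128-SHA",
    "tls1_ck_rsa_rc4_128_sha": "RC4-SHA",
    "tls1_ck_dhe_rsa_with_aes_256_sha": "DHE-RSA-AES256-SHA",
    "tls1_ck_dhe_dss_with_aes_256_sha": "DHE-DSS-AES256-SHA",
    "tls1_ck_dhe_rsa_with_aes_128_sha": "DHE-RSA-AES128-SHA",
    "tls1_ck_dhe_dss_with_aes_128_sha": "DHE-DSS-AES128-SHA",
    "tls12_ck_rsa_aes_256_cbc_sha256": "AES256-SHA256",
}

# Extensions the guide names as system software that must go in binary mode.
BINARY_EXTENSIONS = (".cc", ".bin", ".pat")


def select_suites(requested):
    """Return OpenSSL names for the requested device keywords.

    Unknown keywords raise; RC4 is dropped; an empty result raises, which
    matches the device's refusal to delete every suite from a policy.
    """
    chosen = []
    for keyword in requested:
        if keyword not in SUITE_NAMES:
            raise ValueError(f"unknown cipher suite keyword: {keyword}")
        if "rc4" in keyword:
            continue
        chosen.append(SUITE_NAMES[keyword])
    if not chosen:
        raise ValueError("a cipher suite policy must keep at least one suite")
    return chosen


def build_context(min_version="tls1.2", suites=None, ca_file=None, crl_file=None):
    """Build an SSLContext equivalent to an FTPS client SSL policy."""
    if min_version not in MIN_VERSION:
        raise ValueError(f"unsupported minimum version: {min_version}")
    # PROTOCOL_TLS_CLIENT turns on chain verification and hostname checking.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = MIN_VERSION[min_version]
    if suites:
        ctx.set_ciphers(":".join(select_suites(suites)))
    if ca_file:
        if ca_file.lower().endswith(".der"):
            with open(ca_file, "rb") as fh:           # ASN1 (DER) CA certificate
                ctx.load_verify_locations(cadata=fh.read())
        else:
            ctx.load_verify_locations(cafile=ca_file)  # PEM CA certificate
    if crl_file:
        # PEM CRL. Unlike the device, which still connects without a CRL,
        # OpenSSL with this flag rejects the server if its issuer's CRL is missing.
        ctx.load_verify_locations(cafile=crl_file)
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def transfer_mode(filename):
    """ASCII for text files, binary for system software (page's rule)."""
    return "binary" if filename.lower().endswith(BINARY_EXTENSIONS) else "ascii"


def upload(host, user, password, local_path, remote_name, ctx, passive=True):
    """Upload one file over FTPS; needs a reachable server (constructed usage)."""
    ftps = FTP_TLS(context=ctx)
    ftps.connect(host, 21)
    ftps.login(user, password)     # control channel is already TLS-protected here
    ftps.prot_p()                  # protect the data channel too
    ftps.set_pasv(passive)         # "passive" / "undo passive" on the device
    with open(local_path, "rb") as fh:
        if transfer_mode(remote_name) == "binary":
            ftps.storbinary(f"STOR {remote_name}", fh)
        else:
            ftps.storlines(f"STOR {remote_name}", fh)
    ftps.quit()


if __name__ == "__main__":
    policy = build_context("tls1.2", ["tls12_ck_rsa_aes_256_cbc_sha256",
                                      "tls1_ck_dhe_rsa_with_aes_256_sha"])
    print([c["name"] for c in policy.get_ciphers()])
    # upload("ftps.example.invalid", "user", "pass", "image.cc", "image.cc", policy)
```

    The two behaviours a practitioner should notice: the context refuses anything below TLS 1.2 although the device's own default floor is TLS 1.1, and a CRL loaded on this client is enforced rather than advisory, so an expired CRL file breaks logins instead of silently skipping the revocation check.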

Checking the Configurations

  • Run the display ssl policy command to check the SSL policy, CA certificate, and CRL file configured on the FTPS client.
Updated: 2019-08-21

Document ID: EDOC1000141895