Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide

Configuration Examples for SSL

Example for Configuring a Server SSL Policy

Networking Requirements

As shown in Figure 26-32, enterprise users use a web browser to connect to the AP. To prevent eavesdropping and tampering during data transmission, a network administrator requires users to use HTTPS to access the AP securely.

To meet this requirement, configure the AP as an HTTPS server and associate the HTTPS server with a server SSL policy so that users can securely access and manage the device through web pages.

Figure 26-32  Networking diagram of the server SSL policy configuration

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure a PKI entity and a PKI domain.
  2. Configure a server SSL policy.
  3. Configure the AP as an HTTPS server.

NOTE:

Ensure that there are reachable routes between the AP, PC, and CA server.

Procedure

  1. Configure a PKI entity and a PKI domain.

    # Configure a PKI entity.

    <Huawei> system-view
    [Huawei] sysname AP
    [AP] pki entity users
    [AP-pki-entity-users] common-name hello
    [AP-pki-entity-users] country cn
    [AP-pki-entity-users] state jiangsu
    [AP-pki-entity-users] organization huawei
    [AP-pki-entity-users] organization-unit info
    [AP-pki-entity-users] quit
    
    NOTE:
    If the entity name and entity common name are not set to the AP's IP address 11.1.1.1, the system displays a message indicating that the certificate is invalid when the client opens the web page. This does not affect the use of HTTPS.

    # Configure a PKI domain, and enable the automatic certificate enrollment and update function.

    [AP] pki realm users
    [AP-pki-realm-users] entity users
    [AP-pki-realm-users] ca id ca_root
    [AP-pki-realm-users] enrollment-url http://11.137.145.158:8080/certsrv/mscep/mscep.dll ra
    [AP-pki-realm-users] fingerprint sha2 7bb05ada0482273388ed4ec228d79f77309ea3f47bb05ada0482273388ed4ec2
    [AP-pki-realm-users] auto-enroll regenerate
    [AP-pki-realm-users] quit
    

  2. Configure a server SSL policy sslserver.

    # Create a server SSL policy and specify PKI domain users in the policy. This allows the AP to obtain a digital certificate from the CA specified in the PKI domain.

    [AP] ssl policy sslserver type server
    [AP-ssl-policy-sslserver] pki-realm users
    

    # Set the maximum number of sessions that can be saved and the timeout period of a session.

    [AP-ssl-policy-sslserver] session cachesize 40 timeout 7200
    [AP-ssl-policy-sslserver] quit

  3. Configure the AP as an HTTPS server.

    # Apply the SSL policy sslserver to the HTTPS service.

    [AP] http secure-server ssl-policy sslserver
    

    # Enable the HTTPS server function on the AP.

    [AP] http secure-server enable

    # Configure the port number of the HTTPS service.

    [AP] http secure-server port 1278

  4. Verify the configuration.

    # Run the display ssl policy sslserver command to view the configuration of the SSL policy sslserver.

    [AP] display ssl policy sslserver
      ------------------------------------------------------------------------------
      Policy name                             :   sslserver                             
      Policy ID                               :   1                                
      Policy type                             :   Server                            
      Cipher suite                            :   rsa_aes_128_cbc_sha               
      PKI realm                               :   users                                  
      Cache number                            :   40
      Time out(second)                        :   7200                              
      Server certificate load status          :   loaded                            
      CA certificate chain load status        :   loaded                            
      Bind number                             :   1                                 
      SSL connection number                   :   0                                 
      ------------------------------------------------------------------------------

Configuration Files

AP configuration file

#
 sysname AP
#
pki entity users
 country CN
 state jiangsu
 organization huawei
 organization-unit info
 common-name hello
#
pki realm users
 ca id ca_root
 enrollment-url http://11.137.145.158:8080/certsrv/mscep/mscep.dll ra 
 entity users
 auto-enroll regenerate
 fingerprint sha2 7bb05ada0482273388ed4ec228d79f77309ea3f47bb05ada0482273388ed4ec2
#
ssl policy sslserver type server
 pki-realm users
 session cachesize 40 timeout 7200
#
 http secure-server port 1278
 http secure-server ssl-policy sslserver
#
return
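
The binding chain configured above (PKI entity, PKI realm, server SSL policy, HTTPS service) can be checked offline against a saved configuration file. This is an added example, not part of the Huawei guide: `parse`, `audit` and the abridged `SAMPLE` input are constructed here, and the check assumes a `sha2` fingerprint is 64 hex digits, as the value on this page is.

```python
import re

# Abridged copy of the AP configuration file above (constructed sample input).
SAMPLE = """\
pki entity users
 common-name hello
#
pki realm users
 enrollment-url http://11.137.145.158:8080/certsrv/mscep/mscep.dll ra
 entity users
 fingerprint sha2 7bb05ada0482273388ed4ec228d79f77309ea3f47bb05ada0482273388ed4ec2
#
ssl policy sslserver type server
 pki-realm users
#
 http secure-server port 1278
 http secure-server ssl-policy sslserver
"""

def parse(text):
    """Map each section header to its indented child lines ('' = global)."""
    sections, cur = {"": []}, ""
    for line in text.splitlines():
        body = line.strip()
        if body == "#" or (body and line[0] != " "):
            cur = "" if body == "#" else body  # '#' ends the current section
            sections.setdefault(cur, [])
        elif body:
            sections[cur].append(body)
    return sections

def audit(text, mgmt_ip="11.1.1.1"):
    """Findings for the entity -> realm -> SSL policy -> HTTPS binding chain."""
    s = parse(text)
    def get(sec, key):  # value of the first "key value" line in a section
        return next((l[len(key) + 1:] for l in s.get(sec, []) if l.startswith(key + " ")), "")
    pol = f"ssl policy {get('', 'http secure-server ssl-policy')} type server"
    realm = f"pki realm {get(pol, 'pki-realm')}"
    entity = f"pki entity {get(realm, 'entity')}"
    out = [f"missing section: {x}" for x in (pol, realm, entity) if x not in s]
    url, fp = get(realm, "enrollment-url"), get(realm, "fingerprint")
    if url.startswith("http://") and not re.fullmatch(r"sha2 [0-9a-f]{64}", fp, re.I):
        out.append("HTTP enrollment without a valid sha2 CA fingerprint")
    if entity in s and get(entity, "common-name") != mgmt_ip:
        out.append(f"common-name is not {mgmt_ip}: browsers will flag the certificate")
    return out

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run against the configuration on this page, the only finding is the common-name mismatch that the NOTE in step 1 describes.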
Updated: 2019-01-11

Document ID: EDOC1000176006
