No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide

Rate and give feedback :
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Configuring a Server SSL Policy

Configuring a Server SSL Policy

Prerequisites

The PKI domain has been configured.

Context

The SSL protocol uses data encryption, identity authentication, and message integrity check to ensure security of TCP-based application layer protocols. To use an AP as an SSL server, configure a server SSL policy on the AP. A server SSL policy can be applied to application layer protocols to provide secure connections.

Figure 26-30  AP functions as an SSL server

As shown in Figure 26-30, the AP functions as an SSL server and has a server SSL policy configured. During an SSL handshake, the AP uses the SSL parameters in the server SSL policy to negotiate session parameters with an SSL client. After the handshake is complete, the AP establishes a session with the client.

When functioning as an SSL server, the AP is authenticated by the SSL client, but it cannot authenticate the client.

NOTE:

When functioning as an SSL server, the AP can communicate with SSL clients running SSL3.0, TLS1.0, TLS1.1 and TLS1.2.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ssl policy policy-name type server

    A server SSL policy is created, and the server SSL policy view is displayed.

  3. Run pki-realm realm-name

    A PKI domain is specified for the server SSL policy.

    By default, no PKI domain is specified for a server SSL policy on the AP.

    NOTE:

    The AP obtains a digital certificate from a CA in the specified PKI domain. SSL clients can then authenticate the AP by checking the digital certificate.

    The AP can also generate self-signed certificates. However, the device does not provide life cycle management for self-signed certificates. For example, self-signed certificates cannot be updated, or revoked on the device. To ensure security of the device and certificates, it is recommended the user's certificate be used.

  4. (Optional) Run version { ssl3.0 | tls1.0 | tls1.1 | tls1.2 } *

    The SSL protocol version is specified.

    By default, a server SSL policy uses Transport Layer Security (TLS) version 1.2.

    NOTE:

    TLS1.2 version is recommended, other protocol version has potential security risks.

  5. (Optional) Run session { cachesize size | timeout time } *

    The maximum number of sessions that can be saved and the timeout period of a saved session are set.

    By default, a maximum of 3600 sessions can be saved, and the timeout period of a saved session is 128.

  6. (Optional) Run ciphersuite { rsa_3des_cbc_sha | rsa_aes_128_cbc_sha | rsa_des_cbc_sha | rsa_aes_128_sha256 | rsa_aes_256_sha256 } *

    A cipher suite is specified.

    By default, a server SSL policy supports the cipher suites: rsa_aes_128_sha256 and rsa_aes_256_sha256.

  7. (Optional) Set the SSL renegotiation rate.

    When a device encounters a renegotiation attack, set the renegotiation rate of the SSL connections to reduce the impact of renegotiation on the device.

    1. Run the quit command to return to the system view.
    2. Run the ssl renegotiation-rate rate command to set the SSL renegotiation rate.

      By default, the SSL renegotiation is performed once per second. You can set the rate according to the CPU capability of the device.

      This configuration applies to all SSL policies.

      NOTE:

      Before an STA performs renegotiation, ensure that the STA supports secure renegotiation; otherwise, the STA renegotiation may fail.

Verifying the Configuration

Run the display ssl policy [ policy-name ] command to view the configuration of the SSL policy.

Translation
Download
Updated: 2019-01-11

Document ID: EDOC1000176006

Views: 116493

Downloads: 309

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next