Configuration Guide - Basic Configuration

S1720, S2700, S5700, and S6720 V200R011C10

This document describes methods to use command line interface and to log in to the device, file operations, and system startup configurations.
Managing Files When the Device Functions as an FTPS Server

Pre-configuration Tasks

Before connecting to the FTPS server to manage files, complete the following tasks:

  • Ensure that routes are reachable between the terminal and the device.
  • Ensure that FTP client software that supports SSL/TLS has been installed on the terminal.

Configuration Procedure

Table 8-27 describes the procedure for managing files when the device functions as an FTPS server.

Table 8-27  Managing files when the device functions as an FTPS server

No. | Task | Description | Remarks
1 | Upload the server digital certificate and private key | Upload the digital certificate and private key to the device. | Step 1 must be performed before step 2. The other steps can be performed in any sequence.
2 | Configure the SSL policy and load the digital certificate | Configure an SSL policy and load the digital certificate to the server. | Same as step 1.
3 | Configure the FTPS server function and set FTP service parameters | Configure an SSL policy for the FTPS server and set FTPS server parameters, including the port number, source address, and timeout duration. | Same as step 1.
4 | Configure local FTP user information | Configure local FTP users, including the service type and authorized directory. | Same as step 1.
5 | Connect to the device using FTPS | Connect to the device using FTPS on the terminal. | -

Default Parameter Settings

Table 8-28  Default parameter settings

Parameter | Default Setting
SSL policy | No SSL policy is created for the FTPS server.
FTPS server function | Disabled
Listening port number | 21
FTP user | No local user is created.

Procedure

  • Upload the server digital certificate and private key.

    Upload the server digital certificate and private key file to the security directory on the device in SFTP or SCP mode. If no security directory exists on the device, run the mkdir directory command to create one.

    The server must obtain a digital certificate (including the private key file) from a CA. The client that connects to the server must obtain a digital certificate from the same CA so that it can verify the validity of the server digital certificate.

    NOTE:

    A CA is an authority that issues and manages digital certificates. Digital certificates loaded to the FTPS server must be applied for from a CA.

    The device does not support life-cycle management of the self-signed certificate that it generates, such as updating or revoking the certificate. You are advised to use your own certificate to ensure device and certificate security.

    Digital certificates support the PEM, ASN1, and PFX formats.
    • A PEM digital certificate has the file name extension .pem and is suitable for text transmission between systems.
    • An ASN1 digital certificate has the file name extension .der and is the default format for most browsers.
    • A PFX digital certificate has the file name extension .pfx and is a binary format that can be converted into the PEM or ASN1 format.

    For details, see the description about uploading files in other modes.

  • Configure the SSL policy and load the digital certificate.

    Load the digital certificate and specify the private key.

    Table 8-29  Configuring the SSL policy and loading the digital certificate

    Enter the system view.
      Command: system-view

    (Optional) Customize an SSL cipher suite policy.
      Command: ssl cipher-suite-list customization-policy-name
      Customize an SSL cipher suite policy and enter the cipher suite policy view. By default, no customized SSL cipher suite policy is configured.

      Command: set cipher-suite { tls1_ck_rsa_with_aes_256_sha | tls1_ck_rsa_with_aes_128_sha | tls1_ck_rsa_rc4_128_sha | tls1_ck_dhe_rsa_with_aes_256_sha | tls1_ck_dhe_dss_with_aes_256_sha | tls1_ck_dhe_rsa_with_aes_128_sha | tls1_ck_dhe_dss_with_aes_128_sha | tls12_ck_rsa_aes_256_cbc_sha256 }
      Configure the cipher suites for the customized SSL cipher suite policy. By default, no customized SSL cipher suite policy is configured. If a customized SSL cipher suite policy is being referenced by an SSL policy, the cipher suites in the customized policy can be added, modified, or partially deleted; deleting all of the cipher suites is not allowed.

      Command: quit
      Return to the system view.

    Create an SSL policy and enter the SSL policy view.
      Command: ssl policy policy-name

    (Optional) Set the minimum version of the SSL policy.
      Command: ssl minimum version { ssl3.0 | tls1.0 | tls1.1 | tls1.2 }
      By default, the minimum version of an SSL policy is TLS 1.1.

    (Optional) Bind a customized SSL cipher suite policy to the SSL policy.
      Command: binding cipher-suite-customization customization-policy-name
      By default, no customized cipher suite policy is bound to an SSL policy; each SSL policy uses a default cipher suite. After a customized cipher suite policy is unbound from an SSL policy, the SSL policy uses one of the following cipher suites, which are supported by default:
      • tls1_ck_rsa_with_aes_256_sha
      • tls1_ck_rsa_with_aes_128_sha
      • tls1_ck_dhe_rsa_with_aes_256_sha
      • tls1_ck_dhe_dss_with_aes_256_sha
      • tls1_ck_dhe_rsa_with_aes_128_sha
      • tls1_ck_dhe_dss_with_aes_128_sha
      • tls12_ck_rsa_aes_256_cbc_sha256
      If the customized cipher suite policy bound to an SSL policy contains only one type of algorithm (RSA or DSS), the corresponding certificate must be loaded for the SSL policy to ensure successful SSL negotiation.

    Load the digital certificate or certificate chain. Use the command that matches the file format (PEM, ASN1, or PFX).
      Command (PEM certificate): certificate load pem-cert cert-filename key-pair { dsa | rsa } key-file key-filename auth-code cipher auth-code
      Command (ASN1 certificate): certificate load asn1-cert cert-filename key-pair { dsa | rsa } key-file key-filename
      Command (PFX certificate): certificate load pfx-cert cert-filename key-pair { dsa | rsa } { mac cipher mac-code | key-file key-filename } auth-code cipher auth-code
      Command (PEM certificate chain): certificate load pem-chain cert-filename key-pair { dsa | rsa } key-file key-filename auth-code cipher auth-code

      NOTE:
      • You can load a certificate or certificate chain for only one SSL policy. Before loading a new certificate or certificate chain, you must unload the existing one.
      • When you configure an SSL policy to load a certificate or certificate chain, ensure that the key pair in the certificate or certificate chain is at most 2048 bits long. If the key pair exceeds 2048 bits, the certificate file or certificate chain file cannot be uploaded to the device.
      • Before rolling V200R008 or a later version back to an earlier version, back up the SSL private key file.

  • Configure the FTPS server function and set FTP service parameters.

    FTPS is based on the FTP protocol. You can enable the FTPS server function and set FTP service parameters.

    Table 8-30  Configuring the FTPS server function and setting FTP service parameters

    Enter the system view.
      Command: system-view

    (Optional) Specify a port number for the FTP server.
      Command: ftp [ ipv6 ] server port port-number
      The default port number is 21. If a new port number is configured, the FTP server disconnects all FTP clients and listens for connection requests on the new port. An attacker who does not know the new port number cannot find the listening port of the FTP server.

    Configure the SSL policy on the FTPS server.
      Command: ftp secure-server ssl-policy policy-name
      The SSL policy specified here must be the one created in the previous step.

    Enable the FTPS server function.
      Command: ftp [ ipv6 ] secure-server enable
      By default, the FTPS server function is disabled.
      NOTE: To enable the FTPS server function, you must first disable the FTP server function.

    (Optional) Configure the source address of the FTP server.
      Command: ftp server-source { -a source-ip-address | -i interface-type interface-number }
      After the source address of the FTP server is configured, incoming and outgoing FTP packets are filtered by that address, which improves device security. Clients must then use the configured source address to log in to the FTP server.

    (Optional) Configure the idle timeout duration of the FTP server.
      Command: ftp [ ipv6 ] timeout minutes
      By default, the idle timeout duration is 10 minutes. If no operation is performed on the FTP server within the timeout duration, the FTP client is automatically disconnected from the FTP server.

    NOTE:
    • If the FTPS service is enabled, the port number of the FTPS service cannot be changed. To change the port number, run the undo ftp [ ipv6 ] secure-server command to disable the FTPS service first.
    • After operations on files are complete, run the undo ftp [ ipv6 ] secure-server command to disable the FTPS server function and ensure device security.

  • Configure local FTP user information.

    Before performing file operations using FTPS, configure the local user name and password, service type, and authorized directory on the FTPS server.

    Table 8-31  Configuring local FTP user information

    Enter the system view.
      Command: system-view

    Enter the AAA view.
      Command: aaa

    Configure the local user name and password.
      Command: local-user user-name password irreversible-cipher password

    Configure the local user level.
      Command: local-user user-name privilege level level
      NOTE: The user level must be set to 3 or higher to ensure successful connection establishment.

    Configure the service type for the local user.
      Command: local-user user-name service-type ftp
      By default, a local user can use any access type.

    Configure an authorized directory.
      Command: local-user user-name ftp-directory directory
      By default, the FTP directory of a local user is empty. When multiple FTP users share the same authorized directory, you can run the set default ftp-directory directory command to configure a default directory for these users; you then do not need to run the local-user user-name ftp-directory directory command for each user.

  • Connect to the device using FTPS.

    FTP client software that supports SSL must be installed on the terminal so that the terminal can connect to the FTPS server with this third-party software and manage files.

    NOTE:

    The file system restricts the number of files in the root directory. If more than 50 files exist in the root directory, creating new files in this directory may fail.
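The last step, connecting from the terminal, as an added Python example that is not code from the guide or from Huawei: it uses explicit FTPS (AUTH TLS) on the page's default port 21, verifies the device certificate against the PEM certificate of the issuing CA from the first step, floors the version at TLS 1.2 (above the page's default minimum of TLS 1.1; SSL 3.0 and TLS 1.0 are deprecated), protects the data channel, and returns the negotiated version and cipher so they can be compared with the SSL policy on the device. The host, user name, password and CA file name are placeholders, and the FTP user is assumed to be configured as in Table 8-31.

```python
"""Explicit FTPS (AUTH TLS) client check for the device on this page.

Added example, not code from the guide. Assumes the device listens on
port 21 (the page's default), that the PEM certificate of the CA that
issued the server certificate is at hand, and a local FTP user as in
Table 8-31. Host, credentials and file names are placeholders.
"""
import ssl
from ftplib import FTP_TLS


def make_ftps_context(ca_file=None):
    """TLS context that authenticates the FTPS server.

    ca_file: PEM file of the issuing CA (None uses the system trust
    store). The server certificate is required and verified against it,
    and the version floor is TLS 1.2, one step above the page's default
    minimum of TLS 1.1 (SSL 3.0 and TLS 1.0 are deprecated).
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True      # host name/IP must match a SAN in the cert
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def list_ftps_directory(host, user, password, ca_file, port=21):
    """Connect with explicit FTPS, protect the data channel, list files.

    Returns (tls_version, cipher_name, entries) so the negotiated values
    can be compared with the SSL policy loaded on the device.
    """
    ftps = FTP_TLS(context=make_ftps_context(ca_file))
    ftps.connect(host, port, timeout=30)
    ftps.auth()             # AUTH TLS: upgrade the control connection
    ftps.login(user, password)
    ftps.prot_p()           # PROT P: encrypt data connections as well
    version = ftps.sock.version()
    cipher = ftps.sock.cipher()[0]
    entries = ftps.nlst()
    ftps.quit()
    return version, cipher, entries


if __name__ == "__main__":
    # Placeholder values: replace with the device address, FTP user and CA file.
    print(list_ftps_directory("192.0.2.1", "ftpuser", "password", "ca.pem"))
```

If the device certificate carries only a DNS name and no IP address in its subject alternative names, connect by that DNS name; otherwise the host name check fails, which is the intended behaviour rather than something to switch off.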

Verifying the Configuration

  • Run the display ssl policy command to view the SSL policy and digital certificate.
  • Run the display [ ipv6 ] ftp-server command to view the FTPS server status.
  • Run the display ftp-users command to view information about the FTP users who log in to the FTP server.

Updated: 2019-10-21

Document ID: EDOC1000178166
