No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Configuration Guide - Security

S7700 and S9700 V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, security risks.
Rate and give feedback :
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Example for Configuring Automatic Local Certificate Application Using SCEP

Example for Configuring Automatic Local Certificate Application Using SCEP

Networking Requirements

On an enterprise network shown in Figure 17-11, the Switch is located at the edge to function as the egress gateway and a CA server is located on the public network. The network administrator manually applies for a local certificate from the CA server in online mode.

The network administrator wants to use a simple and fast method to apply for a local certificate, and the certificate can be automatically imported to the memory. In addition, the certificate needs to be automatically updated before expiration. The automatic certificate application through SCEP can be configured to meet these requirements.

Figure 17-11  Automatic local certificate application using SCEP

NOTE:

This example provides only the configurations on Switch. For the configurations on the CA server, see the CA server product manual. In this example, the CA server runs Windows Server 2008 with the built-in Certification Services and with the SCEP plugin installed.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Assign IP addresses to interfaces and static routes to the CA server so that the Switch and CA server can communicate with each other.
  2. Create an RSA key pair so that the local certificate application request contains the public key.
  3. Configure the PKI entity and related information to identify the PKI entity.
  4. Configure certificate application through SCEP and automatic certificate update, automatic certificate installation, and automatic certificate update.

Data Preparation

Obtain the fingerprint and challenge password from the CA server in offline mode. In this example, the digital fingerprint is e71add0744360e91186b828412d279e06dcc15a4ab4bb3d13842820396b526a0 and challenge password is 6AE73F21E6D3571D.

For example, from a CA server running Windows Server 2008, you can obtain the digital fingerprint at http://host:port/certsrv/mscep_admin/, in which host indicates the server's IP address and port indicates the port number.

Procedure

  1. Assign IP addresses to interfaces and configure static routes to the CA server.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch
    [Switch] vlan batch 100 200
    [Switch] interface vlanif 100
    [Switch-Vlanif100] ip address 10.2.0.2 255.255.255.0
    [Switch-Vlanif100] quit
    [Switch] interface vlanif 200
    [Switch-Vlanif200] ip address 10.1.0.2 255.255.255.0
    [Switch-Vlanif200] quit
    [Switch] interface gigabitethernet 0/0/1
    [Switch-GigabitEthernet0/0/1] port link-type trunk
    [Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
    [Switch-GigabitEthernet0/0/1] quit
    [Switch] interface gigabitethernet 0/0/2
    [Switch-GigabitEthernet0/0/2] port link-type trunk
    [Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 200
    [Switch-GigabitEthernet0/0/2] quit
    [Switch] ip route-static 10.3.0.0 255.255.255.0 10.2.0.1

  2. Create an RSA key pair.

    # Create a 2048-bit RSA key pair named rsa_scep and allow it to be exported.

    [Switch] pki rsa local-key-pair create rsa_scep exportable
     Info: The name of the new key-pair will be: rsa_scep 
     The size of the public key ranges from 2048 to 4096.
     Input the bits in the modules:2048
     Generating key-pairs...       ..................+++
    .......................+++ 
    

  3. Configure a PKI entity to identify a certificate applicant.

    # Configure the PKI entity user01.

    [Switch] pki entity user01
    [Switch-pki-entity-user01] common-name hello
    [Switch-pki-entity-user01] country cn
    [Switch-pki-entity-user01] email user@test.abc.com
    [Switch-pki-entity-user01] fqdn test.abc.com
    [Switch-pki-entity-user01] ip-address 10.2.0.2
    [Switch-pki-entity-user01] state jiangsu
    [Switch-pki-entity-user01] organization huawei
    [Switch-pki-entity-user01] organization-unit info
    [Switch-pki-entity-user01] quit
    

  4. Apply for and update the certificate using SCEP.

    [Switch] pki realm abc
    [Switch-pki-realm-abc] ca id ca_root
    [Switch-pki-realm-abc] entity user01
    [Switch-pki-realm-abc] fingerprint sha256 e71add0744360e91186b828412d279e06dcc15a4ab4bb3d13842820396b526a0
    [Switch-pki-realm-abc] enrollment-url http://10.3.0.1:80/certsrv/mscep/mscep.dll ra
    [Switch-pki-realm-abc] rsa local-key-pair rsa_scep
    [Switch-pki-realm-abc] enrollment-request signature message-digest-method sha-384
    [Switch-pki-realm-abc] password cipher 6AE73F21E6D3571D
    

  5. Enable automatic certificate enrollment and configure the certificate to be updated when 60% of the validity period is passed and the RSA key pair is updated together with the certificate.

    [Switch-pki-realm-abc] auto-enroll 60 regenerate 2048
    [Switch-pki-realm-abc] quit
    

    Before obtaining and installing a local certificate, the device obtains and installs a CA certificate first. The CA and local certificates are named abc_ca.cer and abc_local.cer.

  6. Verify the configuration.
    1. After a local certificate is obtained and imported to memory, run the display pki certificate local command to view content of the certificate.

      [Switch] display  pki certificate local realm abc
       The x509 object type is certificate:                                           
      Certificate:                                                                    
          Data:                                                                       
              Version: 3 (0x2)                                                        
              Serial Number:                                                          
                  48:65:aa:2a:00:00:00:00:3f:c6                                       
          Signature Algorithm: sha1WithRSAEncryption                                  
              Issuer: CN=ca_root                                                      
              Validity                                                                
                  Not Before: Dec 21 11:46:10 2015 GMT                                
                  Not After : Dec 21 11:56:10 2016 GMT                                
              Subject: C=CN, ST=jiangsu, O=huawei, OU=info, CN=hello                  
              Subject Public Key Info:                                                
                  Public Key Algorithm: rsaEncryption                                 
                      Public-Key: (2048 bit)                                          
                      Modulus:                                                        
                          00:94:6f:49:bd:6a:f3:d5:07:ee:10:ee:4f:d3:06:               
                          80:59:15:cb:a8:0a:b2:ba:c2:db:52:ec:e9:d1:a7:               
                          72:de:ac:35:df:bb:e0:72:62:08:3e:c5:54:c1:ba:               
                          4a:bb:1b:a9:d9:dc:e4:b6:4d:ca:b3:54:90:b6:8e:               
                          15:a3:6e:2d:b2:9e:9e:7a:33:b0:56:3f:ec:bc:67:               
                          1c:4c:59:c6:67:0f:a7:03:52:44:8c:53:72:42:bd:               
                          6e:0c:90:5b:88:9b:2c:95:f7:b8:89:d1:c2:37:3e:               
                          93:78:fa:cb:2c:20:22:5f:e5:9c:61:23:7b:c0:e9:               
                          fe:b7:e6:9c:a1:49:0b:99:ef:16:23:e9:44:40:6d:               
                          94:79:20:58:d7:e1:51:a1:a6:4b:67:44:f7:07:71:               
                          54:93:4e:32:ff:98:b4:2b:fa:5d:b2:3c:5b:df:3e:               
                          23:b2:8a:1a:75:7e:8f:82:58:66:be:b3:3c:4a:1c:               
                          2c:64:d0:3f:47:13:d0:5a:29:94:e2:97:dc:f2:d1:               
                          06:c9:7e:54:b3:42:2e:15:b8:40:f3:94:d3:76:a1:               
                          91:66:dd:40:29:c3:69:70:6d:5a:b7:6b:91:87:e8:               
                          bb:cb:a5:7e:ec:a5:31:11:f3:04:ab:1a:ef:10:e6:               
                          f1:bd:d9:76:42:6c:2e:bf:d9:91:39:1d:08:d7:b4:               
                          18:53                                                       
                      Exponent: 65537 (0x10001)                                       
              X509v3 extensions:
                  X509v3 Key Usage:
                      Digital Signature, Key Encipherment   
                  X509v3 Subject Alternative Name:                                    
                      IP Address:10.2.0.2, DNS:test.abc.com, email:user@test.abc.com  
                  X509v3 Subject Key Identifier:                                      
                      15:D1:F6:24:EB:6B:C0:26:19:58:88:91:8B:60:42:CE:BA:D5:4D:F3     
                  X509v3 Authority Key Identifier:                                    
                      keyid:B8:63:72:A4:5E:19:F3:B1:1D:71:E1:37:26:E1:46:39:01:B6:82:C
      5                                                                               
                                                                                      
                  X509v3 CRL Distribution Points:                                     
                                                                                      
                      Full Name:                                                      
                        URI:file://\\vasp-e6000-127.china.huawei.com\CertEnroll\ca_roo
      t.crl                                                                           
                        URI:http://10.3.0.1:8080/certenroll/ca_root.crl           
                                                                                      
                  Authority Information Access:                                       
                      CA Issuers - URI:http://vasp-e6000-127.china.huawei.com/CertEnro
      ll/vasp-e6000-127.china.huawei.com_ca_root.crt                                  
                                                                                      
                  1.3.6.1.4.1.311.20.2:                                               
                      .0.I.P.S.E.C.I.n.t.e.r.m.e.d.i.a.t.e.O.f.f.l.i.n.e              
                  X509v3 Basic Constraints: critical                                  
                      CA:FALSE                                                        
                  X509v3 Extended Key Usage:                                          
                      1.3.6.1.5.5.8.2.2   
          Signature Algorithm: sha1WithRSAEncryption                                  
               d2:be:a8:52:6b:03:ce:89:f1:5b:49:d4:eb:2b:9f:fd:59:17:                 
               d4:3c:f1:db:4f:1b:d1:12:ac:bf:ae:59:b4:13:1b:8a:20:d0:                 
               52:6a:f8:a6:03:a6:72:06:41:d2:a7:7d:3f:51:64:9b:84:64:                 
               cf:ec:4c:23:0a:f1:57:41:53:eb:f6:3a:44:92:f3:ec:bd:09:                 
               75:db:02:42:ab:89:fa:c4:cd:cb:09:bf:83:1d:de:d5:4b:68:                 
               8a:a6:5f:7a:e8:b3:34:d3:e8:ec:24:37:2b:bd:3d:09:ed:88:                 
               d8:ed:a7:f8:66:aa:6f:b0:fe:44:92:d4:c9:29:21:1c:b3:7a:                 
               65:51:32:50:5a:90:fa:ae:e1:19:5f:c8:63:8d:a8:e7:c6:89:                 
               2e:6d:c8:5b:2c:0c:cd:41:48:bd:79:74:0e:b8:2f:48:69:df:                 
               02:89:bb:b3:59:91:7f:6b:46:29:7e:22:05:8c:bb:6a:7e:f3:                 
               11:5a:5f:fb:65:51:7d:35:ff:49:9e:ec:d1:2d:7e:73:e5:99:                 
               c6:41:84:0c:50:11:ed:97:ed:15:de:11:22:73:a1:78:11:2e:                 
               34:e6:f5:de:66:0c:ba:d5:32:af:b8:54:26:4f:5b:9e:89:89:                 
               2a:3f:b8:96:27:00:c3:08:3a:e9:e8:a6:ce:4b:5a:e3:97:9e:                 
               6b:dd:f0:72                                                            
                                                                                      
      Pki realm name: abc                                                             
      Certificate file name: abc_local.cer                                            
      Certificate peer name: - 

    2. After a CA certificate is obtained and imported to memory, run the display pki certificate ca command to view content of the certificate.

      [Switch] display  pki certificate ca realm abc
       The x509 object type is certificate:                                           
      Certificate:                                                                    
          Data:                                                                       
              Version: 3 (0x2)                                                        
              Serial Number:                                                          
                  0c:f0:1a:f3:67:21:44:9a:4a:eb:ec:63:75:5d:d7:5f                     
          Signature Algorithm: sha1WithRSAEncryption                                  
              Issuer: CN=ca_root                                                      
              Validity                                                                
                  Not Before: Jun  4 14:58:17 2015 GMT                                
                  Not After : Jun  4 15:07:10 2020 GMT                                
              Subject: CN=ca_root                                                     
              Subject Public Key Info:                                                
                  Public Key Algorithm: rsaEncryption                                 
                      Public-Key: (2048 bit)                                          
                      Modulus:                                                        
                          00:d9:5f:2a:93:cb:66:18:59:8c:26:80:db:cd:73:               
                          d5:68:92:1b:04:9d:cf:33:a2:73:64:3e:5f:fe:1a:               
                          53:78:0e:3d:e1:99:14:aa:86:9b:c3:b8:33:ab:bb:               
                          76:e9:82:f6:8f:05:cf:f6:83:8e:76:ca:ff:7d:f1:               
                          bc:22:74:5e:8f:4c:22:05:78:d5:d6:48:8d:82:a7:               
                          5d:e1:4c:a4:a9:98:ec:26:a1:21:07:42:e4:32:43:               
                          ff:b6:a4:bd:5e:4d:df:8d:02:49:5d:aa:cc:62:6c:               
                          34:ab:14:b0:f1:58:4a:40:20:ce:be:a5:7b:77:ce:               
                          a4:1d:52:14:11:fe:2a:d0:ac:ac:16:95:78:34:34:               
                          21:36:f2:c7:66:2a:14:31:28:dc:7f:7e:10:12:e5:               
                          6b:29:9a:e8:fb:73:b1:62:aa:7e:bd:05:e5:c6:78:               
                          6d:3c:08:4c:9c:3f:3b:e0:e9:f2:fd:cb:9a:d1:b7:               
                          de:1e:84:f4:4a:7d:e2:ac:08:15:09:cb:ee:82:4b:               
                          6b:bd:c6:68:da:7e:c8:29:78:13:26:e0:3c:6c:72:               
                          39:c5:f8:ad:99:e4:c3:dd:16:b5:2d:7f:17:e4:fd:               
                          e4:51:7a:e6:86:f0:e7:82:2f:55:d1:6f:08:cb:de:               
                          84:da:ce:ef:b3:b1:d6:b3:c0:56:50:d5:76:4d:c7:               
                          fb:75                                                       
                      Exponent: 65537 (0x10001)                                       
              X509v3 extensions:                                                      
                  1.3.6.1.4.1.311.20.2:                                               
                      ...C.A                                                          
                  X509v3 Key Usage: critical                                          
                      Digital Signature, Certificate Sign, CRL Sign                   
                  X509v3 Basic Constraints: critical                                  
                      CA:TRUE                                                         
                  X509v3 Subject Key Identifier:                                      
                      B8:63:72:A4:5E:19:F3:B1:1D:71:E1:37:26:E1:46:39:01:B6:82:C5     
                  X509v3 CRL Distribution Points:                                     
                                                                                      
                      Full Name:                                                      
                        URI:http://vasp-e6000-127.china.huawei.com/CertEnroll/ca_root.
      crl                                                                             
                        URI:file://\\vasp-e6000-127.china.huawei.com\CertEnroll\ca_roo
      t.crl                                                                           
                                                                                      
                  1.3.6.1.4.1.311.21.1:                                               
                      ...                                                             
          Signature Algorithm: sha1WithRSAEncryption                                  
               52:21:46:b8:67:c8:c3:4a:e7:f8:cd:e1:02:d4:24:a7:ce:50:                 
               be:33:af:8a:49:47:67:43:f9:7f:79:88:9c:99:f5:87:c9:ff:                 
               08:0f:f3:3b:de:f9:19:48:e5:43:0e:73:c7:0f:ef:96:ef:5a:                 
               5f:44:76:02:43:83:95:c4:4e:06:5e:11:27:69:65:97:90:4f:                 
               04:4a:1e:12:37:30:95:24:75:c6:a4:73:ee:9d:c2:de:ea:e9:                 
               05:c0:a4:fb:39:ec:5c:13:29:69:78:33:ed:d0:18:37:6e:99:                 
               bc:45:0e:a3:95:e9:2c:d8:50:fd:ca:c2:b3:5a:d8:45:82:6e:                 
               ec:cc:12:a2:35:f2:43:a5:ca:48:61:93:b9:6e:fe:7c:ac:41:                 
               bf:88:70:57:fc:bb:66:29:ae:73:9c:95:b9:bb:1d:16:f7:b4:                 
               6a:da:03:df:56:cf:c7:c7:8c:a9:19:23:61:5b:66:22:6f:7e:                 
               1d:26:92:69:53:c8:c6:0e:b3:00:ff:54:77:5e:8a:b5:07:54:                 
               fd:18:39:0a:03:ac:1d:9f:1f:a1:eb:b9:f8:0d:21:25:36:d5:                 
               06:de:33:fa:7b:c8:e9:60:f3:76:83:bf:63:c6:dc:c1:2c:e4:                 
               58:b9:cb:48:15:d2:a8:fa:42:72:15:43:ef:55:63:39:58:77:                 
               e8:ae:0f:34                                                            
                                                                                      
      Pki realm name: abc                                                             
      Certificate file name: abc_ca.cer                                               
      Certificate peer name: - 

    3. When 60% of the certificate validity period has elapsed, the device sends a certificate update request to the SCEP server.

      The regenerate parameter has been specified for auto-enroll, so the device generates a new RSA key pair to apply for a new certificate.

Configuration Files

Switch configuration file

#
sysname Switch
#
vlan batch 100 200
#
interface Vlanif100                                                             
 ip address 10.2.0.2 255.255.255.0
# 
interface Vlanif200                                                             
 ip address 10.1.0.2 255.255.255.0
# 
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 
# 
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 200 
#
ip route-static 10.3.0.0 255.255.255.0 10.2.0.1
#
pki realm abc
 ca id ca_root                                                                  
 enrollment-url http://10.3.0.1:80/certsrv/mscep/mscep.dll ra
 entity user01                                                                  
 fingerprint sha256 e71add0744360e91186b828412d279e06dcc15a4ab4bb3d13842820396b526a0
 rsa local-key-pair rsa_scep                                                    
 password cipher %^%#\1HN-bn(k;^|O85OAtYF3(M4%^%#                               
 auto-enroll 60 regenerate 
 enrollment-request signature message-digest-method sha-384
#
pki entity user01
 country CN
 state jiangsu
 organization huawei
 organization-unit info
 common-name hello
 fqdn test.abc.com
 ip-address 10.2.0.2
 email user@test.abc.com
#
return
Translation
Download
Updated: 2019-04-01

Document ID: EDOC1000178319

Views: 136066

Downloads: 78

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next