Configuration Guide - Basic Configuration

S9300, S9300E, and S9300X V200R011C10

This document describes how to use the command line interface and log in to the device, and covers file operations and system startup configurations.
Example for Configuring Device Login Through the Web System (Secure Mode)

Networking Requirements

As shown in Figure 6-10, the device functions as an HTTPS server (an HTTPS IPv4 server is used as an example here) and is reachable from the PC. The management IP address of the HTTPS server is 192.168.0.1/24.

Users want to manage and maintain the device through the web system and have high security requirements. They have obtained the server digital certificate 1_servercert_pem_dsa.pem and private key file 1_serverkey_pem_dsa.pem from the CA.

Figure 6-10  Networking diagram for configuring device login through the web system (secure mode)

Configuration Roadmap

Loading an independent web page file is used as an example here. The configuration roadmap is as follows:

  1. Securely upload necessary files to the server through SFTP, including the web page file, server digital certificate, and private key file.

  2. Load the web page file and digital certificate.

  3. Bind an SSL policy and enable the HTTPS service.

  4. Configure a web user and enter the web login page.

Procedure

  1. Upload files to the device through SFTP.

    # Generate a local key pair on the server and enable the SFTP server function.

    <Quidway> system-view
    [Quidway] sysname HTTPS-Server
    [HTTPS-Server] dsa local-key-pair create
    Info: The key name will be: HTTPS-Server_Host_DSA.
    Info: The key modulus can be any one of the following : 1024, 2048.
    Info: If the key modulus is greater than 512, it may take a few minutes.
    Please input the modulus [default=2048]:2048
    Info: Generating keys...
    Info: Succeeded in creating the DSA host keys. 
    [HTTPS-Server] sftp server enable

    # Configure the VTY user interface on the server.

    [HTTPS-Server] user-interface vty 0 4
    [HTTPS-Server-ui-vty0-4] authentication-mode aaa
    [HTTPS-Server-ui-vty0-4] protocol inbound ssh
    [HTTPS-Server-ui-vty0-4] quit

    # Configure an SSH user, including its authentication mode, service type, service authorized directory and password, user level, and access type.

    [HTTPS-Server] ssh user client001 authentication-type password
    [HTTPS-Server] ssh user client001 service-type sftp
    [HTTPS-Server] ssh user client001 sftp-directory cfcard:
    [HTTPS-Server] aaa
    [HTTPS-Server-aaa] local-user client001 password irreversible-cipher Helloworld@6789
    [HTTPS-Server-aaa] local-user client001 privilege level 15
    [HTTPS-Server-aaa] local-user client001 service-type ssh
    [HTTPS-Server-aaa] quit
    [HTTPS-Server] quit

    # Log in to the HTTPS server through SFTP from the terminal and upload the digital certificate and web page file to the server.

    The SSH client software must be installed on the terminal before login. The third-party software OpenSSH and the Windows Command Prompt window are used as examples here.

    NOTE:

    • Ensure that the OpenSSH version you use is compatible with the terminal's operating system; otherwise, you may fail to log in to the switch through SFTP.

    • For details on how to install OpenSSH, see the software's installation instructions.

    • You need to use OpenSSH commands for login through OpenSSH. For details on how to use the OpenSSH commands, see the help document of the software.

    • OpenSSH commands can be used in the Windows Command Prompt window only after the OpenSSH software is installed.

    Open the Windows Command Prompt window and run the sftp client001@192.168.0.1 command to enter the working directory of the SFTP server. You can access the device through SFTP. (The following information is for reference only.)

    C:\Documents and Settings\Administrator> sftp client001@192.168.0.1
    Connecting to 192.168.0.1...
    The authenticity of host '192.168.0.1 (192.168.0.1)' can't be established.
    DSA key fingerprint is 46:b2:8a:52:88:42:41:d4:af:8f:4a:41:d9:b8:4f:ee.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.0.1' (DSA) to the list of known hosts.
    User Authentication
    Password:
    sftp>

    Upload the digital certificate and web page file from the terminal to the server.

    sftp> put web.7z
    Uploading web.7z to /web.7z 
    web.7z                              100%   1308478   4.6KB/s   00:11
    sftp> put 1_servercert_pem_dsa.pem
    Uploading 1_servercert_pem_dsa.pem to /1_servercert_pem_dsa.pem 
    1_servercert_pem_dsa.pem            100%   1302      4.6KB/s   00:02
    
    sftp> put 1_serverkey_pem_dsa.pem
    Uploading 1_serverkey_pem_dsa.pem to /1_serverkey_pem_dsa.pem 
    1_serverkey_pem_dsa.pem             100%   951       4.6KB/s   00:01

    # Run the dir command on the device to check whether the digital certificate and web page file exist in the current storage directory.

    NOTE:

    If the sizes of the digital certificate and web page file in the current storage directory differ from the sizes of those on the server, an error may have occurred during file transfer. Upload the files again.

    # Create the subdirectory security on the server and copy the digital certificate and private key file to the subdirectory.

    <HTTPS-Server> mkdir security
    <HTTPS-Server> copy 1_servercert_pem_dsa.pem security
    <HTTPS-Server> copy 1_serverkey_pem_dsa.pem security

    # Run the dir command in the security subdirectory to check the digital certificate.

    <HTTPS-Server> cd security
    <HTTPS-Server> dir
    Directory of cfcard:/security/
    
      Idx  Attr     Size(Byte)  Date        Time       FileName
        0  -rw-          1,302  Apr 13 2011 14:29:31   1_servercert_pem_dsa.pem
        1  -rw-            951  Apr 13 2011 14:29:49   1_serverkey_pem_dsa.pem
    
    509,256 KB total (52,750 KB free)

  2. Load the web page file and digital certificate.

    # Load the web page file.

    <HTTPS-Server> system-view
    [HTTPS-Server] http server load web.7z

    # Create an SSL policy and load the PEM digital certificate.

    [HTTPS-Server] ssl policy http_server
    [HTTPS-Server-ssl-policy-http_server] certificate load pem-cert 1_servercert_pem_dsa.pem key-pair dsa key-file 1_serverkey_pem_dsa.pem auth-code cipher 123456
    [HTTPS-Server-ssl-policy-http_server] quit

    # After the preceding configurations are complete, run the display ssl policy command on the HTTPS server to check detailed information about the loaded certificate.

    [HTTPS-Server] display ssl policy
    
           SSL Policy Name: http_server
         Policy Applicants: Config-Webs
             Key-pair Type: DSA
     Certificate File Type: PEM
          Certificate Type: certificate
      Certificate Filename: 1_servercert_pem_dsa.pem
         Key-file Filename: 1_serverkey_pem_dsa.pem
                 Auth-code: ******
                       MAC:
                  CRL File:
           Trusted-CA File:
               Issuer Name:
       Validity Not Before:
        Validity Not After:

  3. Bind an SSL policy to the device and enable the HTTPS service.

    # Bind an SSL policy to the device.

    [HTTPS-Server] http secure-server ssl-policy http_server

    # Enable the HTTPS service.

    [HTTPS-Server] http secure-server enable

  4. Configure a web user and enter the web login page.

    # Configure a web user.

    [HTTPS-Server] aaa
    [HTTPS-Server-aaa] local-user admin password irreversible-cipher Helloworld@6789
    [HTTPS-Server-aaa] local-user admin privilege level 15
    [HTTPS-Server-aaa] local-user admin service-type http
    [HTTPS-Server-aaa] quit

    NOTE:

    Before configuring a web user, you can run the display this command in the AAA view to check user names of local users. Ensure that the user name of the configured web user does not conflict with that of an existing local user; otherwise, the new web user will overwrite the existing local user.

    # Enter the web login page.

    Open the web browser on the PC, enter https://192.168.0.1 in the address box, and press Enter to enter the web login page, as shown in Figure 6-11.

    Enter the web user name and password and click GO or press Enter to enter the web system home page.

    Figure 6-11  Web system login page

  5. Verify the configuration.

    After the configurations are complete, you can log in to the device through the web system.

    Run the display http server command on the device to check the SSL policy name and the HTTPS server status.

    [HTTPS-Server] display http server
       HTTP Server Status              : enabled
       HTTP Server Port                : 80(80)
       HTTP Timeout Interval           : 20
       Current Online Users            : 1
       Maximum Users Allowed           : 5
       HTTP Secure-server Status       : enabled
       HTTP Secure-server Port         : 443(443)
       HTTP SSL Policy                 : http_server
       HTTP IPv6 Server Status         : disabled
       HTTP IPv6 Server Port           : 80(80)
       HTTP IPv6 Secure-server Status  : disabled
       HTTP IPv6 Secure-server Port    : 443(443)
       HTTP server source address      : 0.0.0.0
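
The verification in step 5, automated as an added example (not part of the original guide): a Python script that parses the display http server and display ssl policy output and checks that HTTPS is enabled and bound to the expected policy, certificate, and key file. The function names are hypothetical, the sample text is constructed from the output shown above, and the parser assumes display ssl policy lists a single policy.

```python
# Added example: sample text is constructed from the command output in this guide.
HTTP_SERVER_OUTPUT = """\
   HTTP Server Status              : enabled
   HTTP Server Port                : 80(80)
   HTTP Secure-server Status       : enabled
   HTTP Secure-server Port         : 443(443)
   HTTP SSL Policy                 : http_server
"""
SSL_POLICY_OUTPUT = """\
       SSL Policy Name: http_server
         Key-pair Type: DSA
  Certificate Filename: 1_servercert_pem_dsa.pem
     Key-file Filename: 1_serverkey_pem_dsa.pem
"""

def parse_fields(text):
    """Turn 'Name : value' lines of a display command into a dict."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():
            fields[name.strip()] = value.strip()
    return fields

def check_web_login(http_text, ssl_text, policy, cert, key):
    """Return (failures, review_items); assumes one policy in ssl_text."""
    http, ssl = parse_fields(http_text), parse_fields(ssl_text)
    expected = [
        (http, "HTTP Secure-server Status", "enabled"),
        (http, "HTTP SSL Policy", policy),
        (ssl, "SSL Policy Name", policy),
        (ssl, "Certificate Filename", cert),
        (ssl, "Key-file Filename", key),
    ]
    failures = ["%s is %r, expected %r" % (name, src.get(name), want)
                for src, name, want in expected if src.get(name) != want]
    review = []
    # Items to weigh against local policy; not configuration errors.
    if http.get("HTTP Server Status") == "enabled":
        review.append("HTTP Server Status is enabled on port %s"
                      % http.get("HTTP Server Port", "unknown"))
    if ssl.get("Key-pair Type", "").upper() == "DSA":
        review.append("Key-pair Type is DSA; TLS 1.3 has no DSA certificate support")
    return failures, review

if __name__ == "__main__":
    print(check_web_login(HTTP_SERVER_OUTPUT, SSL_POLICY_OUTPUT, "http_server",
                          "1_servercert_pem_dsa.pem", "1_serverkey_pem_dsa.pem"))
```

For the output shown in this example the failures list is empty and two review items are reported: the HTTP service on port 80 is enabled alongside HTTPS, and the SSL policy uses a DSA key pair.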

Configuration File

HTTPS-Server configuration file

#
sysname HTTPS-Server
#
http server load web.7z
http secure-server ssl-policy http_server
#
aaa
 local-user admin password irreversible-cipher $1a$#R!d3>ji-.u1+N2gSK>3&2P1AM6jfU:"x/3g[5U,lvqP+sf=70+%^E7,,SF7$
 local-user admin privilege level 15
 local-user admin service-type http
 local-user client001 password irreversible-cipher $1a$L@[C7B11%"H&\fS;qETS`zGI#RyJ%+A2KzP'.k[0tQ{=Cq5s43s&f^L\In6K$
 local-user client001 privilege level 15
 local-user client001 service-type ssh
#
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type sftp
ssh user client001 sftp-directory cfcard:
#
user-interface vty 0 4
 authentication-mode aaa
#
ssl policy http_server
 certificate load pem-cert 1_servercert_pem_dsa.pem key-pair dsa key-file 1_serverkey_pem_dsa.pem auth-code cipher %^%#0|:yF=]P~Afis516)rO,3Yu<@/3e]KFg.q@LG50%%^%#
#
return
Updated: 2019-04-17

Document ID: EDOC1000178413
