CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Example for Configuring a Server SSL Policy

Networking Requirements

As shown in Figure 17-4, enterprise users use a web browser to connect to the Router. To prevent eavesdropping and tampering during data transmission, a network administrator requires users to use HTTPS to access the Router securely.

To meet this requirement, configure the Router as an HTTPS server and associate the HTTPS server with a server SSL policy so that users can securely access and manage the device through web pages.

Figure 17-4  Networking diagram of the server SSL policy configuration

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure a PKI entity and a PKI domain.
  2. Configure a server SSL policy.
  3. Configure the Router as an HTTPS server.

Procedure

  1. Configure a PKI entity and a PKI domain.

    # Configure a PKI entity.

    <Huawei> system-view
    [Huawei] sysname Router
    [Router] pki entity users
    [Router-pki-entity-users] common-name hello
    [Router-pki-entity-users] country cn
    [Router-pki-entity-users] state jiangsu
    [Router-pki-entity-users] organization huawei
    [Router-pki-entity-users] organization-unit info
    [Router-pki-entity-users] quit
    
    NOTE:
    If the entity name and common name are not set to the Router's IP address 1.1.1.1 (in this example the common name is hello), the browser reports that the certificate is invalid when the client opens the web page, because the name in the certificate does not match the address entered. This does not affect the HTTPS service itself.

    # Configure a PKI domain, and enable the automatic certificate enrollment and update function.

    [Router] pki realm users
    [Router-pki-realm-users] entity users
    [Router-pki-realm-users] ca id ca_root
    [Router-pki-realm-users] enrollment-url http://2.1.1.1:8080/certsrv/mscep/mscep.dll ra
    [Router-pki-realm-users] fingerprint sha2 7bb05ada0482273388ed4ec228d79f77309ea3f47bb05ada0482273388ed4ec2
    [Router-pki-realm-users] auto-enroll regenerate
    [Router-pki-realm-users] quit
    

  2. Configure a server SSL policy named sslserver.

    # Create a server SSL policy and bind the PKI domain users to it, so that the Router obtains its digital certificate from the CA specified in that PKI domain.

    [Router] ssl policy sslserver type server
    [Router-ssl-policy-sslserver] pki-realm users
    

    # Set the maximum number of sessions that can be saved and the timeout period of a session.

    [Router-ssl-policy-sslserver] session cachesize 40 timeout 7200
    [Router-ssl-policy-sslserver] quit

  3. Configure the Router as an HTTPS server.

    # Apply the SSL policy sslserver to the HTTPS service.

    [Router] http secure-server ssl-policy sslserver
    

    # Enable the HTTPS server function on the Router.

    [Router] http secure-server enable

    # Configure the port number of the HTTPS service.

    [Router] http secure-server port 1278

  4. Verify the configuration.

    # Run the display ssl policy sslserver command to view the configuration of the SSL policy sslserver.

    [Router] display ssl policy sslserver
      ------------------------------------------------------------------------------
      Policy name                             :   sslserver
      Policy ID                               :   1
      Policy type                             :   Server
      Cipher suite                            :   rsa_aes_128_cbc_sha
      PKI realm                               :   users
      Version                                 :   tls1.1
      Cache number                            :   40
      Time out(second)                        :   7200
      Server certificate load status          :   loaded
      CA certificate chain load status        :   loaded
      SSL renegotiation status                :   enable
      Bind number                             :   1
      SSL connection number                   :   0
      ------------------------------------------------------------------------------

    # Start the web browser on a PC, and enter https://1.1.1.1:1278 in the address box. The web management system of the Router is displayed, and you can manage the Router on the web pages.
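    The verification step above only checks that the web page opens. The following Python script is an added example, not Huawei code or part of this document: it parses the display ssl policy output shown above into a dictionary, lists the settings an administrator would want to review before exposing the management interface (the protocol version, cipher suite and renegotiation values are taken from the sample output; the thresholds such as "below TLS 1.2" are the reviewer's judgement, not anything the page states), and checks whether the certificate subject matches the address that browsers will use, which is exactly the name mismatch the NOTE in step 1 describes. The optional live probe assumes the Router from this example (1.1.1.1, port 1278) and a CA certificate file named ca_root.pem; both the file name and the sample certificate dictionary are constructed for the example.

```python
"""Audit helper for the server SSL policy configured on this page (added example)."""
import re
import socket
import ssl

# Constructed sample: the `display ssl policy sslserver` output from this page.
SAMPLE_DISPLAY = """\
 Policy name                             :   sslserver
 Policy ID                               :   1
 Policy type                             :   Server
 Cipher suite                            :   rsa_aes_128_cbc_sha
 PKI realm                               :   users
 Version                                 :   tls1.1
 Cache number                            :   40
 Time out(second)                        :   7200
 Server certificate load status          :   loaded
 CA certificate chain load status        :   loaded
 SSL renegotiation status                :   enable
 Bind number                             :   1
 SSL connection number                   :   0
"""

# Constructed sample: what ssl.getpeercert() returns for a certificate issued to
# the PKI entity from step 1 (CN=hello, no subjectAltName).
SAMPLE_CERT = {
    "subject": (
        (("countryName", "CN"),),
        (("stateOrProvinceName", "jiangsu"),),
        (("organizationName", "huawei"),),
        (("organizationalUnitName", "info"),),
        (("commonName", "hello"),),
    ),
}


def parse_display_ssl_policy(text):
    """Turn 'Field   :   value' lines into a dict; the dashed separator lines are skipped."""
    policy = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][^:]*?)\s*:\s*(\S.*?)\s*$", line)
        if m:
            policy[m.group(1)] = m.group(2)
    return policy


def audit_policy(policy):
    """Return a list of review findings; an empty list means nothing to report."""
    findings = []
    version = policy.get("Version", "").lower()
    if version in ("ssl3.0", "tls1.0", "tls1.1"):
        findings.append(f"protocol version {version} is below TLS 1.2")
    suite = policy.get("Cipher suite", "").lower()
    if "_cbc_" in suite:
        findings.append(f"cipher suite {suite} uses CBC mode rather than an AEAD suite")
    if suite.endswith("_sha"):
        findings.append(f"cipher suite {suite} uses SHA-1 HMAC")
    if policy.get("SSL renegotiation status", "").lower() == "enable":
        findings.append("SSL renegotiation is enabled")
    for key in ("Server certificate load status", "CA certificate chain load status"):
        if policy.get(key, "").lower() != "loaded":
            findings.append(f"{key}: {policy.get(key, 'missing')}")
    return findings


def cert_names(cert):
    """Collect the commonName plus DNS / IP subjectAltName entries of a getpeercert() dict."""
    names = set()
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                names.add(value)
    for kind, value in cert.get("subjectAltName", ()):
        if kind in ("DNS", "IP Address"):
            names.add(value)
    return names


def hostname_matches(cert, host):
    """True when the address the browser was given appears in the certificate."""
    return host in cert_names(cert)


def probe_https_server(host, port, cafile, timeout=5.0):
    """Connect to the Router, verify its chain against the enterprise CA, and report what was negotiated."""
    ctx = ssl.create_default_context(cafile=cafile)  # trust only the CA from the PKI realm
    ctx.check_hostname = False                        # the name mismatch is reported by hostname_matches()
    ctx.verify_mode = ssl.CERT_REQUIRED
    # The sample policy negotiates tls1.1; allow it here only so the weak version can be observed.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_1
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")       # OpenSSL 3 refuses TLS 1.1 at higher levels
    except ssl.SSLError:
        pass
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "version": tls.version(),
                "cipher": tls.cipher()[0],
                "cert_names": sorted(cert_names(cert)),
                "hostname_ok": hostname_matches(cert, host),
            }


if __name__ == "__main__":
    policy = parse_display_ssl_policy(SAMPLE_DISPLAY)
    for finding in audit_policy(policy):
        print("policy:", finding)
    print("certificate matches 1.1.1.1:", hostname_matches(SAMPLE_CERT, "1.1.1.1"))
    # Live check against the Router in this example (assumed CA file name):
    # print(probe_https_server("1.1.1.1", 1278, "ca_root.pem"))
```

    Run against the sample output, the script reports four findings (TLS 1.1, a CBC suite, SHA-1 HMAC and renegotiation enabled) and confirms that a certificate with common name hello does not match 1.1.1.1, which is why the browser in the NOTE shows a certificate warning. The commands for changing the version or cipher suite are device-specific and are not part of this example.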

Configuration Files

Router configuration file

#
 sysname Router
#
pki entity users
 country CN
 state jiangsu
 organization huawei
 organization-unit info
 common-name hello
#
pki realm users
 ca id ca_root
 enrollment-url http://2.1.1.1:8080/certsrv/mscep/mscep.dll ra 
 entity users
 auto-enroll regenerate
 fingerprint sha2 7bb05ada0482273388ed4ec228d79f77309ea3f47bb05ada0482273388ed4ec2
#
ssl policy sslserver type server
 pki-realm users
 session cachesize 40 timeout 7200
#
 http secure-server port 1278
 http secure-server ssl-policy sslserver
 http secure-server enable
#
return
Updated: 2019-05-20

Document ID: EDOC1100034077