CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Example for Configuring a Client SSL Policy

Networking Requirements

As shown in Figure 17-5, the Router functions as a CPE to connect phones and fax machines. An ACS uses CWMP to manage and control the Router.

The ACS functions as an SSL server and has obtained a digital certificate from the CA. You need to configure the Router as an SSL client to authenticate the ACS. This ensures privacy and integrity of data exchanged between the Router and the ACS.

Figure 17-5  Networking diagram of the client SSL policy configuration

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure a PKI entity and a PKI domain.
  2. Configure a client SSL policy on the Router and enable SSL server authentication in the policy.
  3. Apply the client SSL policy to the CWMP service so that the Router authenticates the ACS to ensure data privacy and integrity.
  4. Enable the Router to automatically initiate connections to the ACS and set the CWMP parameters. This enables the ACS to manage and control the Router using CWMP.

Procedure

  1. Configure an IP address for the GE1/0/0 interface.

    <Huawei> system-view
    [Huawei] sysname Router
    [Router] interface gigabitethernet 1/0/0
    [Router-GigabitEthernet1/0/0] ip address 1.1.1.1 24
    [Router-GigabitEthernet1/0/0] quit
    

  2. Configure a PKI entity and a PKI domain.

    # Configure a PKI entity.

    [Router] pki entity cwmp0
    [Router-pki-entity-cwmp0] common-name hello
    [Router-pki-entity-cwmp0] country cn
    [Router-pki-entity-cwmp0] state jiangsu
    [Router-pki-entity-cwmp0] organization huawei
    [Router-pki-entity-cwmp0] organization-unit info
    [Router-pki-entity-cwmp0] quit
    

    # Configure a PKI domain, and enable the automatic certificate enrollment and update function.

    [Router] pki realm cwmp0
    [Router-pki-realm-cwmp0] entity cwmp0
    [Router-pki-realm-cwmp0] ca id ca_root
    [Router-pki-realm-cwmp0] enrollment-url http://2.1.1.1:8080/certsrv/mscep/mscep.dll ra
    [Router-pki-realm-cwmp0] fingerprint sha2 7bb05ada0482273388ed4ec228d79f77309ea3f47bb05ada0482273388ed4ec2
    [Router-pki-realm-cwmp0] auto-enroll regenerate
    [Router-pki-realm-cwmp0] quit
    

  3. Configure a client SSL policy.

    # Enable SSL server authentication.

    [Router] ssl policy sslclient type client
    [Router-ssl-policy-sslclient] server-verify enable

    # Specify the PKI domain cwmp0 in the client SSL policy.

    [Router-ssl-policy-sslclient] pki-realm cwmp0
    [Router-ssl-policy-sslclient] quit

  4. Enable the CWMP function on the Router.

    [Router] cwmp
    [Router-cwmp] cwmp enable

  5. Apply the SSL policy to CWMP.

    [Router-cwmp] cwmp ssl-client ssl-policy sslclient

  6. Configure the Router to automatically initiate connections to the ACS.

    # Configure the URL used by the Router to connect to the ACS.

    [Router-cwmp] cwmp acs url https://www.acs.com:80/acs

    # Enable the Router to send Inform messages.

    [Router-cwmp] cwmp cpe inform interval enable

    # Set the interval at which the Router sends Inform messages to 1000 seconds.

    [Router-cwmp] cwmp cpe inform interval 1000

    # Configure the Router to send an Inform message at 2011-01-01 20:00:00.

    [Router-cwmp] cwmp cpe inform time 2011-01-01T20:00:00

  7. Set CWMP parameters on the Router.

    # Configure the interface that the Router uses to connect to the ACS.

    [Router-cwmp] cwmp cpe connect interface gigabitethernet 1/0/0

    # Set the user name and password that the Router uses for authentication by the ACS.

    [Router-cwmp] cwmp acs username newacsname
    [Router-cwmp] cwmp acs password cipher newacspsw

    # Configure the user name and password that the Router uses to authenticate the ACS.

    [Router-cwmp] cwmp cpe username newcpename
    [Router-cwmp] cwmp cpe password cipher newcpepsw

    # Set the maximum number of connection attempts to 5.

    [Router-cwmp] cwmp cpe connect retry 5

    # Set the close-wait timer of the Router to 100 seconds. If no data is transmitted within 100 seconds, the connection is torn down.

    [Router-cwmp] cwmp cpe wait timeout 100

  8. Verify the configuration.

    # Run the display current-configuration command. The command output shows that SSL has been successfully configured for CWMP.

    <Router> display current-configuration
    ...
    cwmp                                                                            
     cwmp cpe inform interval enable                                                
     cwmp acs url https://www.acs.com:80/acs                                         
     cwmp acs username newacsname                                                   
     cwmp acs password cipher %@%@"\~.1[)4MGN=d\4zy`$,"ne\%@%@                                                   
     cwmp cpe username newcpename                                                   
     cwmp cpe password cipher %@%@"\~.1[)4MGN=d\4zy`$,"ne\%@%@                                                    
     cwmp cpe inform interval 1000                                                  
     cwmp cpe connect retry 5                                                       
     cwmp cpe wait timeout 100                                                      
     cwmp cpe connect interface GigabitEthernet 1/0/0 
     cwmp ssl-client ssl-policy sslclient
    ...

    # Run the display cwmp configuration command. The command output shows that CWMP is enabled, and the Router is configured to send Inform messages at intervals.

    <Router> display cwmp configuration
      CWMP is enabled
      ACS URL:                              https://www.acs.com:80/acs
      ACS username:                         newacsname
      ACS password:                         %@%@"\~.1[)4MGN=d\4zy`$,"ne\%@%@
      Inform enable status:                 enabled
      Inform interval:                      1000s
      Inform time:                          2011-01-01T20:00:00
      Wait timeout:                         100s
      Reconnection times:                   5
    

    # Run the display cwmp status command. The command output shows that CWMP is enabled, and the CWMP connection status is connected.

    <Router> display cwmp status
     CWMP is enabled
     ACS URL:                              https://www.acs.com:80/acs
     Acs information is set by:            user
     ACS username:                         newacsname
     ACS password:                         %@%@.h(P;/FO7%q"9H6D1]/O"90'%@%@
     Connection status:                    connected
     Time of last successful connection:   2010-12-01T20:00:00
    

Configuration Files

Router configuration file

#
 sysname Router
#
interface GigabitEthernet 1/0/0
 ip address 1.1.1.1 255.255.255.0
#
cwmp                                                                            
 cwmp cpe inform interval enable                                                
 cwmp acs url https://www.acs.com:80/acs                                         
 cwmp acs username newacsname                                                   
 cwmp acs password cipher %@%@"\~.1[)4MGN=d\4zy`$,"ne\%@%@                                                    
 cwmp cpe username newcpename                                                   
 cwmp cpe password cipher %@%@"\~.1[)4MGN=d\4zy`$,"ne\%@%@                                                    
 cwmp cpe inform interval 1000                                                  
 cwmp cpe connect retry 5                                                       
 cwmp cpe wait timeout 100                                                      
 cwmp cpe connect interface GigabitEthernet 1/0/0 
 cwmp ssl-client ssl-policy sslclient
#
pki entity cwmp0
 country CN
 state jiangsu
 organization huawei
 organization-unit info
 common-name hello
#
pki realm cwmp0
 ca id ca_root 
 enrollment-url http://2.1.1.1:8080/certsrv/mscep/mscep.dll ra
 entity cwmp0
 auto-enroll regenerate 
 fingerprint sha2 7bb05ada0482273388ed4ec228d79f77309ea3f47bb05ada0482273388ed4ec2
#
ssl policy sslclient type client
 server-verify enable
 pki-realm cwmp0
#
return
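The security of this setup rests on three lines of the configuration file above: the CWMP block binds a client SSL policy, that policy has server-verify enable and a PKI realm, and the realm pins the CA certificate by SHA-256 fingerprint. The following audit script is an added example, not Huawei's own tooling; it parses a VRP-style configuration file (blocks separated by "#" lines) and reports any of those links that is missing, and also flags an ACS URL that is not HTTPS. The sample configurations embedded in it are constructed from the example above; the block and field names it looks for are the ones shown on this page.

```python
"""Audit a Huawei VRP configuration for the CWMP client SSL policy chain.

Added example (not Huawei code). Checks that the SSL policy bound to CWMP
verifies the ACS certificate against a PKI realm with a pinned SHA-256 CA
fingerprint, and that the ACS URL uses HTTPS.
"""
import re

# Constructed sample: the relevant blocks of the configuration file above.
SAMPLE_CONFIG = """\
#
 sysname Router
#
cwmp
 cwmp cpe inform interval enable
 cwmp acs url https://www.acs.com:80/acs
 cwmp acs username newacsname
 cwmp ssl-client ssl-policy sslclient
#
pki entity cwmp0
 common-name hello
#
pki realm cwmp0
 ca id ca_root
 entity cwmp0
 auto-enroll regenerate
 fingerprint sha2 7bb05ada0482273388ed4ec228d79f77309ea3f47bb05ada0482273388ed4ec2
#
ssl policy sslclient type client
 server-verify enable
 pki-realm cwmp0
#
return
"""

# Constructed weak variant: plaintext URL, no server verification, no pinned CA.
WEAK_CONFIG = """\
#
cwmp
 cwmp acs url http://www.acs.com:80/acs
 cwmp ssl-client ssl-policy weak
#
ssl policy weak type client
 pki-realm cwmp0
#
pki realm cwmp0
 ca id ca_root
#
return
"""

# "fingerprint sha2" on this platform carries a 64-hex-digit SHA-256 value.
FINGERPRINT_RE = re.compile(r"^fingerprint sha2 ([0-9a-fA-F]{64})$")


def parse_blocks(config):
    """Return {block header: [body lines]}; blocks are delimited by '#' lines.
    The first non-indented line of a block is its header, indented lines its body."""
    blocks = {}
    header, body = None, []
    for raw in config.splitlines():
        line = raw.rstrip()
        if line in ("#", "return"):
            if header is not None:
                blocks[header] = body
            header, body = None, []
        elif line.startswith(" "):
            body.append(line.strip())
        elif line:
            header = line
    if header is not None:
        blocks[header] = body
    return blocks


def audit_cwmp_ssl(config):
    """Return a list of findings; an empty list means the chain is complete."""
    blocks = parse_blocks(config)
    findings = []
    cwmp = blocks.get("cwmp")
    if cwmp is None:
        return ["cwmp is not configured"]

    url = next((l.split(" ", 3)[3] for l in cwmp if l.startswith("cwmp acs url ")), None)
    if url is None:
        findings.append("no ACS URL configured")
    elif not url.lower().startswith("https://"):
        findings.append(f"ACS URL {url} is not HTTPS; CWMP traffic would be plaintext")

    policy_name = next((l.split()[-1] for l in cwmp
                        if l.startswith("cwmp ssl-client ssl-policy ")), None)
    if policy_name is None:
        findings.append("no client SSL policy is applied to CWMP")
        return findings

    policy = blocks.get(f"ssl policy {policy_name} type client")
    if policy is None:
        findings.append(f"SSL policy {policy_name} is missing or not a client policy")
        return findings
    if "server-verify enable" not in policy:
        findings.append(f"SSL policy {policy_name} does not verify the ACS certificate")

    realm_name = next((l.split()[-1] for l in policy if l.startswith("pki-realm ")), None)
    if realm_name is None:
        findings.append(f"SSL policy {policy_name} has no PKI realm (no trust anchor for the ACS)")
        return findings

    realm = blocks.get(f"pki realm {realm_name}")
    if realm is None:
        findings.append(f"PKI realm {realm_name} is not configured")
    elif not any(FINGERPRINT_RE.match(l) for l in realm):
        findings.append(f"PKI realm {realm_name} has no SHA-256 CA fingerprint; "
                        "the CA certificate fetched at enrollment cannot be checked")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit_cwmp_ssl(cfg) or "OK")
```

Feed it the output of display current-configuration saved to a file; the checks are deliberately conservative and only confirm that the policy, realm and fingerprint are present and linked, not that the fingerprint matches the CA certificate actually in use, which still has to be compared out of band with the CA operator.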
Updated: 2019-08-07

Document ID: EDOC1100034077