
CLI-based Configuration Guide - Security

AR500, AR510, AR531, AR550, AR1500, and AR2500 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Verifying the CA and Local Certificates

Prerequisites

The task of (Optional) Installing the Local Certificate is complete.

Configuration Procedure

Perform the following operations in sequence:

Configuring Local Certificate Check

Context

The PKI entity periodically validates the peer certificate, for example, to check whether it has expired and whether it has been added to a CRL. Three methods are available for checking certificate status: CRL, OCSP, and None.

  • CRL

    If the CA server can act as a CRL distribution point (CDP), the certificates it issues carry CDP information describing where the CRL can be obtained. The PKI entity then uses the specified protocol (HTTP or LDAP) to locate the CRL at that location and download it.

    If a CDP URL is configured for the PKI realm, the PKI entity obtains the CRL from that URL. If the CA server cannot act as a CDP, the PKI entity downloads the CRL using SCEP.

    When the PKI entity validates the local certificate, it searches for the certificate in the CRL held in local memory. If the certificate is listed in the CRL, it has been revoked. If no CRL is available in memory, one must be downloaded and installed before the check can give an answer.

  • OCSP

    When two PKI entities use certificates for IPSec negotiation, each can check the status of the peer certificate through OCSP in real time.

    OCSP does not require the PKI entity to download CRLs frequently. The PKI entity sends a status request for the certificate to the OCSP server, which replies with one of three states: valid, expired, or unknown.

    • Valid indicates that the certificate has not been revoked.

    • Expired is the revoked state: it indicates that the certificate has been revoked, not that its validity period has ended.

    • Unknown indicates that the OCSP server has no status information for the certificate.

  • None

    Use this mode if no CRL or OCSP server is reachable from the PKI entity, or if the local certificate status does not need to be checked. In this mode the PKI entity performs no revocation check at all, so a certificate that the CA has revoked is still accepted as long as its signature and validity period check out.

Procedure
  1. Run system-view

    The system view is displayed.

  2. Run pki realm realm-name

    A PKI realm is created and its view is displayed, or the view of an existing PKI realm is displayed.

    By default, the device has a PKI realm named default. This realm can only be modified but cannot be deleted.

  3. Run certificate-check { { crl | ocsp } * [ none ] | none }

    The method used to check whether certificates in the PKI realm have been revoked is configured.

    By default, the system uses CRLs to check whether a certificate in the PKI realm has been revoked.

    If multiple check methods are configured, they are tried in the configured order. A later method is used only when the previous one is unavailable, for example because its server cannot be reached; a method that returns an answer (revoked or not revoked) ends the check. If none is configured last, a certificate is considered valid when all the preceding methods are unavailable. For example, after the certificate-check crl ocsp none command is executed, the PKI entity first checks the CRL. If the CRL method is unavailable, it queries OCSP. If neither CRL nor OCSP is available, the certificate is accepted. A trailing none therefore fails open: whenever both the CRL download and the OCSP server are unreachable, a revoked certificate is accepted, so configure none only where a rejected certificate during a revocation-infrastructure outage is less acceptable than that risk.

  4. Select a method to check peer certificate status according to the service types provided by the CA:

Automatic CRL Update
  1. Run quit

    Return to the system view.

  2. (Optional) Run pki file-format { der | pem }

    The format of saved CRL is set.

    By default, CRL is saved in PEM format.

  3. Run pki realm realm-name

    The view of an existing PKI realm is displayed.

  4. Run crl auto-update enable

    Automatic CRL update is enabled.

    By default, automatic CRL update is enabled.

  5. Run crl update-period interval

    The interval for automatic CRL update is set.

    By default, the automatic CRL update interval is 8 hours.

  6. Select an automatic CRL update method according to the service types provided by the CA.

    • SCEP

      1. Run crl scep

        The CRL is automatically updated using SCEP.

        By default, CRL is automatically updated using HTTP.

      2. Run cdp-url [ esc ] url-addr

        The CDP URL is configured

        By default, no CDP URL is configured.

    • HTTP

      1. Run crl http

        The CRL is automatically updated using HTTP.

        By default, CRL is automatically updated using HTTP.

      2. Run cdp-url [ esc ] url-addr

        The CDP URL is configured.

        Or run cdp-url from-ca

        The device is configured to obtain CDP URL from the CA certificate.

        By default, no CDP URL is configured.

    • LDAP

      1. Run crl ldap

        The CRL is automatically updated using LDAP.

        By default, CRL is automatically updated using HTTP.

      2. Run ldap-server { authentication ldap-dn ldap-password | ip ip-address [ port port | version version ] * }

        The LDAP server from which the CRL is downloaded, and the credentials used to bind to it, are configured.

        By default, no LDAP server is configured.

      3. Run crl ldap [ attribute attr-value ] dn dn-value

        The attributes and identifier used to obtain CRL from the LDAP server are configured.

        By default, no attributes and identifier used to obtain CRL from the LDAP server are configured.

    • LDAPv3

      1. Run quit

        Return to the system view.

      2. Run ldap-server template template-name

        An LDAP server template is created and its view is displayed.

        By default, no LDAP server template exists on the device.

      3. Run ldap-server authentication ip-address [ port-number ]

        An LDAP authentication server is created.

        By default, no LDAP authentication server is configured.

      4. Run ldap-server authentication manager manager-dn password [ repassword ]

        The administrator DN and password of an LDAP authentication server are configured.

        By default, no administrator DN and password of an LDAP authentication server is configured.

        After the configuration is complete, run the ldap-server authentication manager-password password [ repassword ] command to change the administrator password of the LDAP authentication server.

      5. Run quit

        Return to the system view.

      6. Run pki realm realm-name

        The view of an existing PKI realm is displayed.

      7. Run crl ldap

        The CRL is automatically updated using LDAP.

        By default, CRL is automatically updated using HTTP.

      8. Run ldap-server-template attr-value

        An LDAP server template is bound to a PKI realm.

        By default, no LDAP server template is bound to a PKI realm.

        attr-value is the template name specified in the ldap-server template command.

  7. Run crl cache

    The PKI realm is allowed to use the CRL in cache.

    By default, the PKI realm is allowed to use cached CRLs.

  8. (Optional) Update the CRL immediately.

    1. Run quit

      Return to the system view.

    2. Run pki get-crl realm realm-name

      The CRL is immediately updated.

      After this command is executed, the new CRL replaces the old CRL in the storage, and is automatically imported to the memory to replace the old one.

Manual CRL Update
  1. Run quit

    Return to the system view.

  2. (Optional) Run pki file-format { der | pem }

    The format of saved CRL is set.

    By default, CRL is saved in PEM format.

  3. Select a manual CRL update method according to the service types provided by the CA.

    • To download the CRL using HTTP, run the pki http [ esc ] url-address save-name command.

      The value of url-address must include the name and extension of the file to download, in the form http://10.1.1.1:8080/cert.cer cert.cer. If url-address specifies a domain name, ensure that the domain name can be resolved.

    • To download the CRL using LDAP, run the pki ldap ip ip-address port port version version [ attribute attr-value ] [ authentication ldap-dn ldap-password ] save-name dn dn-value command.

  4. Run pki import-crl realm realm-name filename file-name

    The CRL is imported to the memory.

OCSP
  1. (Optional) Run source interface interface-type interface-number

    The source interface used in TCP connection setup is specified.

    By default, the source interface used in TCP connection setup is the egress interface.

    The source interface must be a Layer 3 interface with an IP address configured.

  2. Run ocsp url [ esc ] url-address

    The OCSP server's URL is configured.

    Or run ocsp-url from-ca

    The device is configured to obtain the OCSP server's URL from the Authority Information Access (AIA) extension of the CA certificate.

    By default, no OCSP server URL is configured.

  3. (Optional) Run ocsp nonce enable

    The nonce extension is added to the OCSP requests sent by the PKI entity.

    By default, the OCSP requests sent by the PKI entity contain the nonce extension.

    The nonce extension binds a response to the request that triggered it, so that a captured response cannot be replayed to answer a later request. The nonce value is generated randomly by the system. The OCSP server may or may not include the nonce extension in its response; if it does, the value must match the nonce sent in the request. A response without a nonce is still accepted, so this protection only takes effect when the server echoes the nonce.

  4. (Optional) Run ocsp signature enable

    Signature for OCSP requests is enabled.

    By default, signature for OCSP requests is disabled.

    This command is required when the OCSP server requires OCSP requests to be signed.

  5. Run quit

    Return to the system view.

  6. Run pki import-certificate ocsp realm realm-name { der | pkcs12 | pem } [ filename filename ]

    Or run pki import-certificate ocsp realm realm-name pkcs12 filename filename password password

    The OCSP server certificate is imported to memory.

  7. Run pki validate ocsp-server-certificate enable

    OCSP responses are verified against the imported OCSP server certificate.

    By default, this verification is disabled, so OCSP responses are accepted without being checked against the imported OCSP server certificate. Enable it in production whenever an OCSP server certificate has been imported.

  8. Run pki ocsp response cache enable

    The OCSP response cache function is enabled.

    By default, the OCSP response cache function is disabled.

    After this command is executed, the PKI entity looks up the cache first when checking certificate status through OCSP. Only if no usable cached response is found does it send a request to the OCSP server; it then caches the valid response for later lookups.

    An OCSP response has a validity period. While caching is enabled, the PKI entity periodically refreshes the cache at the interval set by pki ocsp response cache refresh interval and deletes responses whose validity period has ended.

  9. (Optional) Run pki ocsp response cache number number

    The maximum number of OCSP responses in the cache is set.

    By default, a PKI entity can cache 2 OCSP responses.

  10. (Optional) Run pki ocsp response cache refresh interval interval

    The interval at which the PKI entity updates the OCSP response cache is set.

    By default, the PKI entity updates the OCSP response cache every five minutes.

Follow-up Procedure
  • To copy an OCSP server certificate from the local device to another device, run the pki export-certificate ocsp realm realm-name { der | pem | pkcs12 } command to export the certificate to a file in the local device's storage, and then transfer the file to the other device using a file transfer protocol.

  • To delete an expired or unused OCSP server certificate from memory, run the pki delete-certificate ocsp realm realm-name command.

  • To delete an expired or unused CRL from memory, run the pki delete-crl realm realm-name command.
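The following Python model illustrates the behaviour described in this section: the certificate-check methods are tried in configured order, a later method only when the earlier one is unavailable, a trailing none accepts the certificate when everything before it was unavailable, a present OCSP nonce must match the request, and OCSP responses are cached until their validity period ends. It is an example added by the editor, not Huawei's implementation; the CrlChecker, OcspResponder and OcspClient classes, the serial numbers and the timings are constructed for illustration, and the two behaviours marked "assumption" in the code are not stated by this guide.

```python
"""Model of the revocation-check chain that `certificate-check` configures,
plus the OCSP nonce rule and the OCSP response cache.  Editor-added example,
not Huawei's code; classes, serials and timings are constructed."""
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Status(Enum):
    GOOD = "good"                # not revoked
    REVOKED = "revoked"          # listed in the CRL / OCSP revoked ("expired" in this guide)
    UNAVAILABLE = "unavailable"  # method gave no answer: no CRL, server unreachable


class CrlChecker:
    """The CRL held in memory, downloaded from the CDP when none is loaded."""

    def __init__(self, loaded=None, cdp=None):
        self.loaded = set(loaded) if loaded is not None else None  # None: no CRL in memory
        self.cdp = cdp  # serials the CDP would serve; None: CDP unreachable

    def check(self, serial):
        if self.loaded is None:
            if self.cdp is None:
                return Status.UNAVAILABLE
            self.loaded = set(self.cdp)  # download and install the CRL
        return Status.REVOKED if serial in self.loaded else Status.GOOD


@dataclass
class OcspResponse:
    status: str              # "good", "revoked" or "unknown"
    nonce: Optional[bytes]   # a responder may omit the nonce extension
    expires: float           # end of the response's validity period


class OcspResponder:
    """Stand-in for the OCSP server; nonce_mode is "echo", "omit" or "replay"."""

    def __init__(self, revoked, reachable=True, nonce_mode="echo", validity=300.0):
        self.revoked, self.reachable = set(revoked), reachable
        self.nonce_mode, self.validity = nonce_mode, validity

    def query(self, serial, nonce, now):
        if not self.reachable:
            raise ConnectionError("OCSP server unreachable")
        status = "revoked" if serial in self.revoked else "good"
        if self.nonce_mode == "echo":
            resp_nonce = nonce
        elif self.nonce_mode == "omit":
            resp_nonce = None
        else:  # "replay": a response captured from an earlier exchange
            resp_nonce = b"\x00" * 16
        return OcspResponse(status, resp_nonce, now + self.validity)


class OcspClient:
    """PKI-entity side: nonce extension on requests and a bounded response cache."""

    def __init__(self, responder, use_nonce=True, cache_size=2):
        self.responder, self.use_nonce, self.cache_size = responder, use_nonce, cache_size
        self.cache = {}  # serial -> OcspResponse, insertion-ordered

    def refresh_cache(self, now):
        """Drop expired responses, as the router does on its refresh timer."""
        self.cache = {s: r for s, r in self.cache.items() if r.expires > now}

    def check(self, serial, now=0.0):
        self.refresh_cache(now)
        if serial in self.cache:
            return Status(self.cache[serial].status)
        nonce = secrets.token_bytes(16) if self.use_nonce else None
        try:
            resp = self.responder.query(serial, nonce, now)
        except ConnectionError:
            return Status.UNAVAILABLE
        # The response may omit the nonce, but a nonce that is present must match.
        if nonce is not None and resp.nonce is not None and resp.nonce != nonce:
            return Status.UNAVAILABLE  # assumption: a mismatched nonce makes the response unusable
        if resp.status == "unknown":
            return Status.UNAVAILABLE  # assumption: "unknown" gives no decision
        if len(self.cache) >= self.cache_size:
            self.cache.pop(next(iter(self.cache)))  # evict the oldest entry
        self.cache[serial] = resp
        return Status(resp.status)


def certificate_check(methods, serial, crl, ocsp, now=0.0):
    """Apply the configured methods in order; returns (accepted, deciding method)."""
    for method in methods:
        if method == "none":
            return True, "none"  # everything before it was unavailable: fail open
        status = crl.check(serial) if method == "crl" else ocsp.check(serial, now)
        if status is not Status.UNAVAILABLE:
            return status is Status.GOOD, method
    return False, "unavailable"  # assumption: no answer and no "none" fallback -> reject


if __name__ == "__main__":
    ocsp = OcspClient(OcspResponder(revoked=[0x20]))
    # no CRL in memory and the CDP unreachable, so OCSP decides: revoked
    print(certificate_check(["crl", "ocsp", "none"], 0x20, CrlChecker(), ocsp))
    ocsp.responder.reachable = False
    # cache entry expired, CRL and OCSP both unavailable: "none" accepts the revoked certificate
    print(certificate_check(["crl", "ocsp", "none"], 0x20, CrlChecker(), ocsp, now=301.0))
```

The second scenario in the usage section is the fail-open case: the same serial that OCSP reported as revoked is accepted once the cached response has expired and both sources are down, because none is the last configured method.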

Checking the CA and Local Certificates

Context

Before a certificate is used, it must be validated. Validation covers the certificate's issuer information, its validity period, and its revocation status. The core of validation is verifying the CA's signature on the certificate and checking that the certificate is neither expired nor revoked.

To validate a certificate, the local device needs the peer certificate together with the following: the CA certificate, the CRL, its own local certificate and private key, and the configured validation settings.

The local device validates a local certificate as follows:

  1. Verifies the certificate's signature using the public key from the CA certificate.

    To verify a certificate, the PKI entity obtains the public key of the issuing CA from that CA's certificate and uses it to check the CA's signature on the certificate. Each lower-level CA certificate is in turn verified against the certificate of its issuing upper-level CA. Verification proceeds along the certificate chain and stops at the trustpoint, which is either the root CA (holding a self-signed certificate) or a subordinate CA that the PKI entity trusts directly.

    PKI entities that share the same root or subordinate CA, and hold its CA certificate, can validate each other's certificates (peer certificates). Validation of a peer certificate chain ends at the first trusted certificate or CA.

    In short, certificate chain validation starts at an entity's certificate and ends at a trustpoint.

  2. Checks that the current time is within the certificate's validity period.

  3. Checks whether the certificate has been revoked, using the method configured with certificate-check (CRL or OCSP; no revocation check is performed when none is configured).
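The following Python model walks the chain as described above: from the entity certificate toward a trustpoint, verifying each signature with the issuer's key, checking each certificate's validity period (skipped when the equivalent of validate time disable is set) and its revocation status at every hop, and stopping at the first trusted certificate, whether root or subordinate CA. It is an example added by the editor, not Huawei's code. The signature is an HMAC-SHA256 stand-in keyed with the issuer's key so that the example runs offline; a real device verifies RSA or ECDSA signatures with the public key in the CA certificate. The CA names, serial numbers and dates are constructed.

```python
"""Model of certificate chain validation up to a trustpoint.  Editor-added
example, not Huawei's code.  HMAC-SHA256 stands in for the CA signature so the
example runs offline; names, serials and dates are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime
    signature: bytes


def tbs(subject, issuer, serial, not_before, not_after):
    """The signed ('to be signed') part of the certificate."""
    return f"{subject}|{issuer}|{serial}|{not_before.isoformat()}|{not_after.isoformat()}".encode()


def issue(issuer_key, subject, issuer, serial, not_before, not_after):
    """The CA signs the TBS data (HMAC stand-in for a real signature)."""
    sig = hmac.new(issuer_key, tbs(subject, issuer, serial, not_before, not_after), hashlib.sha256).digest()
    return Cert(subject, issuer, serial, not_before, not_after, sig)


def signature_ok(cert, issuer_key):
    expected = hmac.new(issuer_key, tbs(cert.subject, cert.issuer, cert.serial,
                                        cert.not_before, cert.not_after), hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.signature)


def validate_chain(cert, ca_certs, ca_keys, trustpoints, now, revoked, check_time=True, max_depth=8):
    """Validate `cert` up to a trustpoint; returns (ok, reason).

    ca_certs:    subject -> CA certificate held by the device
    ca_keys:     subject -> CA key (stand-in for the public key in ca_certs[subject])
    trustpoints: subjects trusted directly (the root CA or a trusted subordinate CA)
    revoked:     issuer subject -> set of serials on that issuer's CRL
    check_time:  False models `validate time disable`"""
    for _ in range(max_depth + 1):
        if check_time and not (cert.not_before <= now <= cert.not_after):
            return False, f"{cert.subject}: outside validity period"
        if cert.subject in trustpoints:
            return True, f"chain ends at trustpoint {cert.subject}"
        if cert.issuer == cert.subject:
            return False, f"{cert.subject}: self-signed but not a trustpoint"
        if cert.serial in revoked.get(cert.issuer, set()):
            return False, f"{cert.subject}: revoked by {cert.issuer}"
        issuer_cert = ca_certs.get(cert.issuer)
        if issuer_cert is None:
            return False, f"{cert.subject}: issuer {cert.issuer} certificate not held"
        if not signature_ok(cert, ca_keys[cert.issuer]):
            return False, f"{cert.subject}: signature by {cert.issuer} does not verify"
        cert = issuer_cert  # move one level up the chain
    return False, "chain exceeds maximum depth"


# Constructed two-level hierarchy: Root CA -> Sub CA -> router1
ROOT_KEY, SUB_KEY = b"root-ca-key", b"sub-ca-key"  # stand-ins for the CA key pairs
root = issue(ROOT_KEY, "Root CA", "Root CA", 1, datetime(2020, 1, 1), datetime(2040, 1, 1))
sub = issue(ROOT_KEY, "Sub CA", "Root CA", 2, datetime(2021, 1, 1), datetime(2031, 1, 1))
router = issue(SUB_KEY, "router1", "Sub CA", 3, datetime(2023, 1, 1), datetime(2025, 1, 1))
CA_CERTS = {"Root CA": root, "Sub CA": sub}
CA_KEYS = {"Root CA": ROOT_KEY, "Sub CA": SUB_KEY}
NOW = datetime(2024, 6, 1)


def demo():
    """Outcomes for the cases a practitioner meets; returns name -> (ok, reason)."""
    tampered = Cert("admin", router.issuer, router.serial, router.not_before, router.not_after, router.signature)
    return {
        "valid": validate_chain(router, CA_CERTS, CA_KEYS, {"Root CA"}, NOW, {}),
        "expired": validate_chain(router, CA_CERTS, CA_KEYS, {"Root CA"}, datetime(2026, 1, 1), {}),
        "expired_time_check_off": validate_chain(router, CA_CERTS, CA_KEYS, {"Root CA"},
                                                 datetime(2026, 1, 1), {}, check_time=False),
        "sub_ca_revoked": validate_chain(router, CA_CERTS, CA_KEYS, {"Root CA"}, NOW, {"Root CA": {2}}),
        "trust_sub_only": validate_chain(router, {"Sub CA": sub}, CA_KEYS, {"Sub CA"}, NOW, {}),
        "tampered": validate_chain(tampered, CA_CERTS, CA_KEYS, {"Root CA"}, NOW, {}),
        "no_trustpoint": validate_chain(router, CA_CERTS, CA_KEYS, set(), NOW, {}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24} {result}")
```

The trust_sub_only case shows the point made above about trustpoints: when the subordinate CA is trusted directly, the chain ends there and the root CA certificate need not be held at all. The expired_time_check_off case shows what validate time disable gives up: the expired router certificate passes.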

To check validity of the CA and local certificates of the local device, perform the following steps.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run pki validate-certificate { ca | local } realm realm-name

    The validity of CA or local certificate is checked.

    The pki validate-certificate ca command verifies only the root CA certificate, not subordinate CA certificates. When multiple CA certificates are imported on a device, use the pki validate-certificate local command to verify the validity of subordinate certificates.

  3. (Optional) Run pki realm realm-name

    A PKI realm is created and its view is displayed, or the view of an existing PKI realm is displayed.

  4. (Optional) Run validate time disable

    The time check in PKI certificate validation is disabled. With the check disabled, the device accepts certificates whose validity period has not yet started or has already ended, so use this only where the device clock cannot be relied on.

    By default, the validity period is checked during PKI certificate validation.

    NOTE:

    Among the AR500 series, only AR502EGRb-L, AR502EGRc-Lc, AR502EGRz-L, AR502EGRz-Lc do not support this command.

    Among the AR510 series, only AR511EGW-LcAV2, AR515CGW-L, AR515GW-LM9-D do not support this command.

    Among the AR550 series, only AR550-8FE-D-H, AR550-24FE-D-H, AR550E do not support this command.

    The AR530, AR1500, and AR2500 series do not support this command.

Verifying the CA and Local Certificate Configuration

Prerequisites

Configuring the validity check for the CA and local certificates has been completed.

Procedure

  • Run the display pki realm [ realm-name ] command to check the PKI realm configuration.
  • Run the display pki crl { realm realm-name | filename filename } command to check the CRL in the device.
  • Run the display pki certificate ocsp realm realm-name command to check the OCSP server certificate loaded to the device.
  • Run the display pki ocsp cache statistics command to check the OCSP response cache information.
  • Run the display pki ocsp server down-information command to check the OCSP server Down records.
  • Run the display ldap-server template [ template-name ] command to check the configurations of the LDAP server template.
Updated: 2019-05-20

Document ID: EDOC1100034236