NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Enabling PKI Whitelist Check

In LTE scenarios, a security gateway and base stations use certificates to negotiate IPsec tunnels. The PKI whitelist on the security gateway can be used to uniformly manage certificates of base stations.

Context

Once PKI whitelist check is enabled on the security gateway with the pki whitelist enable command, base station certificates are verified against the whitelist. The common names (CNs) from the certificate subjects of the base stations must therefore be imported into the security gateway's PKI whitelist using the pki import whitelist file-name filename command; a base station whose CN is not in the whitelist fails certificate verification.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Enable PKI whitelist check globally or for an IKE peer.

    • Enable global PKI whitelist check.

      Run pki whitelist enable

      Global PKI whitelist check is enabled.

    • Enable PKI whitelist check for an IKE peer.

      1. Run ike peer peer-name

        The IKE peer view is displayed.

      2. Run pki whitelist enable

        The PKI whitelist check function is enabled for an IKE peer.

        Once PKI whitelist check is enabled for an IKE peer with the pki whitelist enable command, whenever the IKE peer receives certificate authentication packets from a remote device it checks whether the common name in the remote certificate subject matches an entry in the PKI whitelist. If there is no match, authentication fails.

    NOTE:
    If the pki whitelist enable or pki whitelist disable command has been run in the IKE peer view, the configuration in the IKE peer view takes effect, regardless of whether global PKI whitelist check is enabled.

  3. Run pki import whitelist file-name filename

    The PKI whitelist in an XML file is imported to a device.

  4. (Optional) Run pki whitelist filter enable

    Suffix filtering is enabled. During whitelist-based IPsec certificate negotiation it filters the suffixes of whitelist entries imported to the device and the common name suffixes of certificates received from the peer end.

    In whitelist-based IPsec certificate authentication, if the whitelist entries imported into the device or the common names of certificates received from the peer end carry redundant suffixes, run the pki whitelist filter enable command to simplify the imported whitelist. For example, after the common name of a base station certificate on the live network is imported into a whitelist, records carrying different suffixes may be generated for the same base station, so that one base station consumes multiple whitelist entries. Suffix filtering removes this redundancy.

  5. Run pki whitelist capacity warning-threshold threshold-value

    An alarm threshold is configured for the number of imported whitelists.

  6. Run pki whitelist { add | delete } common-name common-name filename file-name

    The IPsec PKI whitelist data is dynamically modified.

  7. Run pki whitelist update { filename filename | all }

    The modified IPsec PKI whitelist data is updated.

  8. Run commit

    The configuration is committed.
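The following consolidated command sequence walks through steps 1 to 8 for a single IKE peer and then runs the follow-up display commands. It is an added illustration, not a session taken from the guide: the IKE peer name enodeb-peer, the whitelist file name cm_whitelist.xml, the common name enodeb-0001 and the threshold value 80 are assumed sample values, and the prompts assume a device named HUAWEI, with the asterisk marking uncommitted changes. Lines beginning with # are annotations, not commands.

```text
# Added example: enable per-peer PKI whitelist check on the security gateway.
# Peer name, file name, common name and threshold value are assumed values.
<HUAWEI> system-view
[~HUAWEI] ike peer enodeb-peer
[*HUAWEI-ike-peer-enodeb-peer] pki whitelist enable
[*HUAWEI-ike-peer-enodeb-peer] quit
# Import the whitelist (XML file already uploaded to the device), enable
# suffix filtering, and set the capacity alarm threshold.
[*HUAWEI] pki import whitelist file-name cm_whitelist.xml
[*HUAWEI] pki whitelist filter enable
[*HUAWEI] pki whitelist capacity warning-threshold 80
# Dynamically add one base station CN to the whitelist and apply the change.
[*HUAWEI] pki whitelist add common-name enodeb-0001 filename cm_whitelist.xml
[*HUAWEI] pki whitelist update filename cm_whitelist.xml
[*HUAWEI] commit
# Verify the imported whitelist and the dynamically modified data.
[~HUAWEI] display pki whitelist
[~HUAWEI] display pki whitelist update filename cm_whitelist.xml
```

Because the per-peer setting overrides the global one, enabling the check in the IKE peer view as above restricts the check to peers that terminate base station tunnels; the threshold value should be chosen from the range documented in the command reference for this release.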

Follow-up Procedure

To check the PKI whitelists on a device, run the display pki whitelist command. The command output helps locate and analyze faults.

To check the whitelist data dynamically modified by users through the pki whitelist command, run the display pki whitelist update { filename file-name | all } command.

Updated: 2019-01-02

Document ID: EDOC1100055397
