CloudEC V600R019C00 Security Maintenance (Enterprise On-premises, Only Conference)

Replacing the CloudMCU Security Certificate

Prerequisites

  • The certificate contains the root certificate (root.pem), server certificate (servercert.pem), private key (serverkey.pem), and private key password. The private key password must be set when the certificate is imported.
    NOTE:

    If the obtained certificate files include the signed certificate (level-2 root certificate), such as root_CA.pem, merge the root certificate root.pem and signed certificate root_CA.pem into one .pem file and rename the file root.pem.

  • SSH has been enabled. For details, see 2.a. Enabling SSH brings security risks. Disable SSH after performing the following configuration operations.
  • The HTTPS certificate verification function has been disabled on terminals.

Context

Generally, each web browser has a root CA certificate. When you replace the built-in certificate with a CA certificate, you do not need to load the root CA certificate.

  • The CloudMCU has a built-in security certificate. To enhance system security, it is recommended that an enterprise replace the security certificate with the server certificate and private key issued by an authoritative CA in the industry. At the same time, ensure that the server certificate and private key are not obtained by unauthorized users.
  • To enhance security, periodically update the system certificate.

Creating a Security Certificate

You can replace the digital certificate for the CloudMCU with one created by yourself or issued by an official authority.

Before applying for a certificate, you must create a certificate store file. Then, you can use the certificate store file to apply for a certificate from an official authority.

NOTE:
  • For details about how to upload files to a server, see Using the PuTTY to Upload Software Installation Packages. For details about how to download files from a server, see Using the PuTTY to Upload Software Installation Packages.

  • By default, the operation logs for the virtual machine (VM) running standard OSs are stored in the $HOME/.bash_history file and the /var/log/messages file. If a user logs in to a VM and then runs commands with sensitive information-related parameters specified, such as passwords, the user must manually delete related logs from the operation logs after these commands are executed.

  1. Log in to the CloudMCU console as the cgpexpert user (default password: mt2013@HW). Run the su - root command to switch to the root user (default password: cnp200@HW).
  2. Go to the root directory.

    cd /

  3. Run the following command to generate the private key file serverkey.pem. The default encryption password for the private key is Huawei@123. Replace the password based on the site requirements.

    openssl genrsa -aes256 -out serverkey.pem 2048

    Set the following information as prompted:

    Enter pass phrase for serverkey.pem:  
    #Enter the private key encryption password Huawei@123.  
    Verifying - Enter pass phrase for serverkey.pem:  
    #Enter the private key encryption password Huawei@123 again. 

  4. Run the following command to generate the certificate request file server.csr.

    Here, use the same private key encryption password Huawei@123 that you have set.

    openssl req -new -key serverkey.pem -out server.csr -sha256

    Set the following information as prompted:

    Enter pass phrase for serverkey.pem:
    #Enter the private key encryption password Huawei@123.
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CN
    # Here, CN is used as an example. Set this parameter based on the site requirements. For example, you can set this parameter to UK.
    State or Province Name (full name) [Some-State]:zhejiang
    # Here, zhejiang is used as an example. Set this parameter based on the site requirements. For example, you can set this parameter to beijing.
    Locality Name (eg, city) []:hz
    # Here, hz is used as an example. Set this parameter based on the site requirements. For example, you can set this parameter to London.
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:huawei
    # Here, huawei is used as an example. Set this parameter based on the site requirements. For example, you can set this parameter to bank.
    Organizational Unit Name (eg, section) []:huawei
    # Here, huawei is used as an example. Set this parameter based on the site requirements. For example, you can set this parameter to bank.
    Common Name (eg, YOUR name) []:10.6.1.150
    # Enter the IP address or domain name. Here 10.6.1.150 is used as an example.
    Email Address []:111111.com
    # Enter an email address. Here, 111111.com is used as an example.
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    # Enter the certificate password and the name of the company that issues the certificate. Here Huawei@123 and huawei are used as examples.
    A challenge password []:Huawei@123
    An optional company name []:huawei

  5. Send the certificate request file server.csr to a certificate maker to apply for a public key certificate. Name the obtained root certificate file root.pem and name the obtained public key certificate file servercert.pem.
  6. Compress the root.pem, servercert.pem, and serverkey.pem files into a ZIP package.
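
A pre-import check for the three files produced in steps 3 to 5, as an added example that is not part of the Huawei procedure: it confirms that serverkey.pem is password-protected, that the password decrypts it, that servercert.pem carries the matching public key, and that servercert.pem chains to root.pem (already merged with root_CA.pem where one was issued). The function name check_cert_bundle and the KEY_PASS environment variable are assumptions of this example; the password is read from the environment so it does not appear in the openssl command arguments.

```shell
#!/bin/sh
# Added example: verify root.pem, servercert.pem and serverkey.pem before
# compressing them into the ZIP package for the CloudMCU import page.
# KEY_PASS (assumed variable name) holds the private key password.
check_cert_bundle() {
    dir=$1
    for f in root.pem servercert.pem serverkey.pem; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $f" >&2; return 2; }
    done
    # The import asks for a private key password, so the key must be encrypted
    # (PKCS#8 header, or the traditional PEM Proc-Type header).
    grep -Eq '^(-----BEGIN ENCRYPTED PRIVATE KEY-----|Proc-Type: 4,ENCRYPTED)' \
        "$dir/serverkey.pem" ||
        { echo "serverkey.pem is not password-protected" >&2; return 3; }
    # The password must actually decrypt the key.
    key_pub=$(openssl pkey -in "$dir/serverkey.pem" -passin env:KEY_PASS \
        -pubout 2>/dev/null) ||
        { echo "KEY_PASS does not decrypt serverkey.pem" >&2; return 4; }
    # The issued certificate must contain the public half of this key.
    cert_pub=$(openssl x509 -in "$dir/servercert.pem" -noout -pubkey 2>/dev/null) ||
        { echo "servercert.pem is not a readable certificate" >&2; return 5; }
    [ "$key_pub" = "$cert_pub" ] ||
        { echo "servercert.pem does not match serverkey.pem" >&2; return 5; }
    # servercert.pem must chain to the (merged) root.pem.
    openssl verify -CAfile "$dir/root.pem" "$dir/servercert.pem" >/dev/null 2>&1 ||
        { echo "servercert.pem does not chain to root.pem" >&2; return 6; }
    return 0
}
```

Set KEY_PASS from a non-echoing prompt (for example `stty -echo; read -r KEY_PASS; stty echo; export KEY_PASS`) rather than typing it inline, so the password is not recorded in $HOME/.bash_history.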

Procedure

  1. Log in to the CloudMCU web interface.
  2. Choose Maintenance > Import.

    The page is displayed, as shown in Figure 7-14.

    Figure 7-14 Importing System certificate

    NOTE:
    • To secure its certificate, its private key must meet complexity requirements.
    • The certificate password entered for import is the private key password entered in step 3 of Creating a Security Certificate.

  3. Input Certificate password, click Select File, upload the ZIP package, and click Import.
  4. After the certificate is imported, restart the CloudMCU as prompted.

Verification

After all the preceding operations are completed, TLS connections with the SMC and SIP server can be set up.

Updated: 2019-08-07

Document ID: EDOC1100059091
