Configuring the FTPS Server
Prerequisites
A server certificate and private key file issued by an industry CA are available. Ensure that the server certificate and private key cannot be obtained by unauthorized personnel.
VP9600 series MCUs communicate with the FTP server through File Transfer Protocol over SSL (FTPS). It is recommended that you apply for and import the FTPS security certificate.
Background
FTPS is an extension of the commonly used File Transfer Protocol (FTP) that adds support for Secure Sockets Layer (SSL). When an FTPS server is installed and configured properly, you can use it to upgrade the VP9600 series MCU and to import and export files.
This section uses the FileZilla server as an example to describe how to configure an FTPS server.
FTP Server Settings
- Set the IP address of the computer where the FTP server is deployed and the IP address of the VP9600 series MCU to be in the same network segment.
- Install the FTPS server on the computer (FileZilla_Server-0_9_43.exe is used as an example).
- Double-click
to start the FTPS server.
The dialog box shown in Figure 6-8 is displayed.
- Keep the default values, and click OK.
- Choose .
- In the dialog box that is displayed, click SSL/TLS settings in the left pane and select Enable FTP over SSL/TLS support (FTPS).
- Click Browse to import the private key and certificate file, respectively.
- (Optional) Click Generate new certificate.
The dialog box shown in Figure 6-9 is displayed.
- (Optional) In 2–Digit country code, enter the 2-digit country code. Click Browse to set the path for storing the certificate, and click Generate certificate.
The FileZilla Server Options dialog box is displayed, and the certificate file and private key file have been imported.
- Click OK.
The main page is displayed.
- Choose .
The Users dialog box is displayed, as shown in Figure 6-10.
- Click Add to create a user name, for example, MCU, select Enable account and Password, and set the password to mcu.
- In the Users dialog box, choose , specify the save path for the upgrade software, and select Read, Write, Delete, and List, as shown in Figure 6-11.
The upgrade software must be stored in a home directory; otherwise, the installation will fail. In Figure 6-11, H is displayed next to the upgrade software storage directory, which indicates that the directory is a home directory. If the directory is not a home directory, click Set as home dir to set it as a home directory.
- Click OK.
MCU Settings
- Log in to the MCU from PuTTY.
- At the <HUAWEI VP9650> prompt, enter system-view ftp-server and press Enter.
- At the ftp server ip addr[192.168.1.200]: prompt, enter the IP address of the FTP server and press Enter.
- At the user name{max len:32}[y]: prompt, enter the user name, for example, mcu, and press Enter.
- At the user password{string, max len:32}[******]: prompt, enter the password, for example, mcu, and press Enter.
- At the <HUAWEI VP9650> prompt, enter system-view ftp-enable-tls-check and press Enter.
- At the ftp enable tls check{0: disable; 1:enable}[1]: prompt, enter 1 and press Enter.
NOTE:
It is recommended that you enable TLS verification to ensure communication security. After enabling TLS verification, import the FTPS certificate. For details about how to import the certificate, see Replacing the VP9600 Series MCU Security Certificate (V500R002C10).
If security requirements are lower and no FTPS certificate is available, set this parameter to 0 to disable TLS verification.
- At the <HUAWEI VP9650> prompt, enter save and press Enter.
The following information is displayed:
are you sure to save config?(y/n)
- Enter y and press Enter.
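A workstation-side check that the FTPS server configured above presents a certificate that verifies against your CA, useful before relying on the MCU's TLS check. This is an added example, not Huawei or FileZilla code. It assumes explicit FTPS on port 21; `ca.pem` and the function names `build_context`, `summarize_cert` and `check_ftps` are hypothetical.

```python
import ssl
import time
from ftplib import FTP_TLS, all_errors

def build_context(cafile=None, check_hostname=True):
    """TLS context that requires a chain to cafile (or to the system CAs)."""
    ctx = ssl.create_default_context(cafile=cafile)  # verify_mode=CERT_REQUIRED
    # The MCU is given the server's IP address; name checking then passes only
    # if the certificate lists that IP address as a subjectAltName.
    ctx.check_hostname = check_hostname
    return ctx

def summarize_cert(cert, now):
    """Reduce an ssl getpeercert() dict to the fields worth reviewing."""
    subject = dict(rdn[0] for rdn in cert.get("subject", ()))
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "common_name": subject.get("commonName"),
        "alt_names": [value for _kind, value in cert.get("subjectAltName", ())],
        "days_left": int((expires - now) // 86400),
    }

def check_ftps(host, user, password, cafile=None, port=21, check_hostname=True):
    """Explicit FTPS login (AUTH TLS, port 21 assumed) with verification on."""
    ftps = FTP_TLS(context=build_context(cafile, check_hostname), timeout=10)
    try:
        ftps.connect(host, port)
        ftps.auth()  # TLS handshake; the certificate is verified here
        result = summarize_cert(ftps.sock.getpeercert(), time.time())
        result["tls_version"] = ftps.sock.version()
        ftps.login(user, password)
        ftps.prot_p()  # ask for an encrypted data channel as well
        ftps.quit()
        return {"ok": True, **result}
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "stage": "certificate", "reason": exc.verify_message}
    except all_errors as exc:
        return {"ok": False, "stage": "ftp", "reason": str(exc)}
    finally:
        ftps.close()

if __name__ == "__main__":
    # Address and account are the page's example values; ca.pem is hypothetical.
    print(check_ftps("192.168.1.200", "mcu", "mcu", cafile="ca.pem"))
```

A result with `"stage": "certificate"` means the certificate did not verify against the CA file or did not match the address used; whether the MCU applies the same name check is not stated in this procedure.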