CloudEC V600R019C00 Security Maintenance (Enterprise On-premises, Only Conference)

Replacing the SC Security Certificate

A security certificate enables encrypted transmission of a website's confidential data, ensuring the confidentiality, integrity, and non-repudiation of that information. To improve security, it is recommended that enterprises replace the SC built-in security certificate with their own: a server certificate and private key issued by an authoritative CA in the industry. Also ensure that the server certificate and private key file cannot be obtained by unauthorized users.

Prerequisites

Before importing a certificate, you need to create a folder named certificate and compress it into the certificate.zip package. SC security certificates include:
  • HTTPS certificate:

    • Root certificate: sc_root.der

    • Server certificate: sc_cert.der

    • Private key file: sc_key.der

    • Private key password file: sc_key_password.txt

  • TLS certificate:
    • Root certificate: sc_root.pem

    • Server certificate: sc_cert.pem

    • Private key file: sc_key.pem

    • Private key password file: sc_key_password.txt

  • LDAPS certificate: ldap_cert.pem
  • Root certificate: sc_root.pem

Background

  • Standalone SC: After the SC is installed, the HTTPS and TLS certificates coming with the SC are automatically installed.
  • Embedded SC: After the SMC2.0 is installed, the HTTPS and TLS certificates coming with the SC are automatically installed.

The HTTPS certificate is used for the SiteCall service. The TLS certificate is used for the SIP registration service. The LDAP certificate is used for external authentication services.

NOTE:

If Verify the Certificate under System > Settings > Devices is selected on the SMC2.0 web interface, the corresponding HTTPS certificate must be uploaded.

Creating a Security Certificate

  1. Log in to the Linux operating system as the root user. The OpenSSL tool has been installed on the system.
  2. Go to a proper directory.
  3. Generate the key file serverkey.pem.

    The sc_key_password.txt file stores the encryption password Huawei@123 of the key. Change the value based on the site requirements.

    openssl genrsa -aes256 -out serverkey.pem 2048

    Enter required information as prompted.
    Enter pass phrase for serverkey.pem:
    #Enter the encryption password Huawei@123.
    Verifying - Enter pass phrase for serverkey.pem:
    #Enter the encryption password Huawei@123 again.

  4. Generate the CSR file server.csr.

    The key password Huawei@123 is the same as the previous encryption password.

    openssl req -new -key serverkey.pem -out server.csr

    Enter required information as prompted.
    Enter pass phrase for serverkey.pem: 
    #Enter the encryption password Huawei@123. 
    You are about to be asked to enter information that will be incorporated 
    into your certificate request. 
    What you are about to enter is what is called a Distinguished Name or a DN. 
    There are quite a few fields but you can leave some blank 
    For some fields there will be a default value, 
    If you enter '.', the field will be left blank.
    ----- 
    Country Name (2 letter code) [AU]:CN
    #Here, CN is used as an example. You can enter a name, for example, UK, based on the site information.
    State or Province Name (full name) [Some-State]:zhejiang
    #Here, zhejiang is used as an example. You can enter a name, for example, beijing, based on the site information.
    Locality Name (eg, city) []:hz
    #Here, hz is used as an example. You can enter a name, for example, London, based on the site information.
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:huawei
    #Here, huawei is used as an example. You can enter a name, for example, bank, based on the site information.
    Organizational Unit Name (eg, section) []:huawei
    #Here, huawei is used as an example. You can enter a name, for example, bank, based on the site information.
    Common Name (eg, YOUR name) []:Joy
    #Here, Joy is used as an example. 
    Email Address []:111111.com
    #Email address. Here, 111111.com is used as an example. 
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    #Certificate password and authority name. Here, Huawei@123 and huawei are used as examples.
    A challenge password []:Huawei@123
    An optional company name []:huawei

  5. Send the server.csr file to a certification authority (CA) to apply for a public key certificate. Name the obtained root certificate file root.pem and the public key certificate file servercert.pem.
  6. Convert the obtained .pem files to the .der format according to Table 7-2.

Replacing the HTTPS and TLS Certificates

  1. Log in to the SMC2.0 web interface.
  2. Choose Device > SC and click the name of the SC for which you want to upload the certificate.
  3. Click Import Certificate in the upper right corner.
  4. Click Browse and select the certificate you want to upload. The certificate must be stored in the certificate folder and compressed as a *.zip file, which cannot exceed 1 MB.

    • The HTTPS certificate includes sc_cert.der, sc_key.der, sc_key_password.txt, and sc_root.der.
    • The TLS certificate includes sc_cert.pem, sc_key.pem, sc_key_password.txt, and sc_root.pem.

  5. Select a Certificate type and click Upload.

    A dialog box is displayed in the lower right corner, indicating the certificates are successfully uploaded.
    NOTE:
    • In the DR scenario, the active SMC2.0 does not synchronize the imported HTTPS certificate data to the standby SMC2.0.

      Therefore, import the HTTPS certificate into the active and standby SMC2.0s before configuring the DR relationship.

    • After the HTTPS certificate and TLS certificate are imported, the root certificate is accordingly imported and therefore you do not need to manually import the root certificate. If you need to import multiple root certificates, perform operations described in (Optional) Replacing a Root Certificate.
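
A pre-upload check of certificate.zip against the file lists and the 1 MB limit in step 4, as an added example that is not part of the original guide or of Huawei's tooling. The function names, the certificate/ path prefix inside the archive, and reading 1 MB as 1024 × 1024 bytes are assumptions; the check also flags a bundle whose password file still contains the guide's example password.

```python
import io
import zipfile

MAX_ZIP_BYTES = 1024 * 1024   # the page's 1 MB limit, taken as 1024 * 1024 bytes
DOC_PASSWORD = b"Huawei@123"  # example password printed in the guide
FOLDER = "certificate/"       # assumption: entries sit under this folder
EXPECTED = {                  # file sets listed in step 4
    "HTTPS": {"sc_cert.der", "sc_key.der", "sc_key_password.txt", "sc_root.der"},
    "TLS": {"sc_cert.pem", "sc_key.pem", "sc_key_password.txt", "sc_root.pem"},
}

def encoding_ok(name, data):
    """PEM is ASCII-armoured text; DER starts with an ASN.1 SEQUENCE tag (0x30)."""
    if name.endswith(".pem"):
        return data.lstrip().startswith(b"-----BEGIN ")
    if name.endswith(".der"):
        return data[:1] == b"\x30"
    return True

def check_bundle(zip_bytes, cert_type):
    """Return a sorted list of problems in a certificate.zip of the given type."""
    problems = []
    if len(zip_bytes) > MAX_ZIP_BYTES:
        problems.append("archive exceeds 1 MB")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        files = {n: zf.read(n) for n in zf.namelist() if not n.endswith("/")}
    if any(not n.startswith(FOLDER) for n in files):
        problems.append("entry outside certificate/ folder")
    by_name = {n.rsplit("/", 1)[-1]: d for n, d in files.items()}
    names = set(by_name)
    problems += [f"missing {n}" for n in EXPECTED[cert_type] - names]
    problems += [f"unexpected {n}" for n in names - EXPECTED[cert_type]]
    problems += [f"{n} is not {n[-3:].upper()} encoded"
                 for n, d in by_name.items() if not encoding_ok(n, d)]
    if by_name.get("sc_key_password.txt", b"").strip() == DOC_PASSWORD:
        problems.append("password file still holds the documented example password")
    return sorted(problems)

def build_zip(files):
    """Build an in-memory zip from {path: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in files.items():
            zf.writestr(path, data)
    return buf.getvalue()

if __name__ == "__main__":  # constructed sample: TLS bundle reusing the guide's password
    sample = build_zip({"certificate/sc_key_password.txt": b"Huawei@123\n"})
    print(check_bundle(sample, "TLS"))
```

The encoding check only confirms that each file is in the container format its suffix claims; it does not verify that the private key matches the server certificate or that the certificate chains to the root.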

(Optional) Replacing the LDAP Certificate

If external LDAP authentication is used, replace the LDAP certificate.

  1. Log in to the SMC2.0 web interface.
  2. Choose Devices > Switch Centers. Select the SC for which the LDAP certificate will be uploaded.
  3. Click Edit in the upper right corner.
  4. On the Edit page that is displayed, import the LDAP certificate, as shown in Figure 7-1.

    Figure 7-1 Importing the LDAP certificate

  5. Click Import LDAP Certificate and select the certificate you want to upload. The certificate file to upload has been placed in a specific folder (certificate in this example) and decompressed in .zip format beforehand.

    • The LDAP certificate contains only one file named ldap_cert.pem.
    • The suffix of the LDAP certificate name must be .pem.

  6. After selecting the certificate to upload, click Upload.
  7. After the upload is complete, click Save. The message shown in Figure 7-2 is displayed.

    Figure 7-2 Confirm dialog box

  8. Click Yes to restart the SC for the imported LDAP certificate to take effect.

(Optional) Replacing a Root Certificate

  1. Log in to the SMC2.0 web interface.
  2. Choose Devices > Switch Centers and click the SC where the root certificate is to be uploaded.
  3. On the SC page, click Root Certificate.
  4. On the Root Certificate page, import the root certificate: scroot.pem, as shown in Figure 7-3.

    NOTE:
    • The suffix of the root certificate name must be .pem.
    • The name of a root certificate can contain only English letters.

    Figure 7-3 Upload Root Certificate

  5. After the certificate is uploaded, click Upload. The Prompt dialog box is displayed, indicating that the root certificate is imported, as shown in Figure 7-4.

    Figure 7-4 Confirm dialog box

  6. Click Yes to restart the SC, making the imported root certificate take effect.

Verification

  • After the TLS certificate is replaced, TLS can be registered properly on the SMC2.0.
  • After the HTTPS certificate is replaced, import the matching client certificate to the SMC2.0. The SC goes online properly on the SMC2.0.
  • After the LDAP certificate is replaced, AD authentication can be registered properly on the SMC2.0.
  • After the root certificate is replaced, the message Certificate imported is displayed.
Updated: 2019-08-07

Document ID: EDOC1100059091
