CloudEC V600R019C00 Security Maintenance (Enterprise On-premises, Only Conference)

Replacing the SMC2.0 Security Certificate

Prerequisites

After the SMC2.0 is installed, a root certificate is automatically saved on the SMC2.0 server. To improve security, an enterprise is advised to replace the certificate with a server certificate and private key file issued by an authoritative CA and ensure that unauthorized personnel cannot obtain the server certificate or private key file.

If you need to install a purchased commercial certificate, the key encryption password must meet the password complexity requirements. Before installing the certificate, check whether the system environment and certificate signature encryption algorithm meet the following conditions:

  1. The signature algorithm of the purchased commercial certificate is SHA512.

  2. The operating system of the SMC2.0 server is Windows 2012, and the KB2975719 patches are not installed.

    If so, you need to log in to https://www.microsoft.com/en-us/download/details.aspx?id=44051 and install the KB2975719 patches. You are advised to install the KB2975719 patches in the following sequence: 2993651, 2975719, 2993100, 2979582, 2990532, and 2995004.

NOTE:

To check the certificate signature encryption algorithm, double-click Certificate and view information in Details.

Background

SMC2.0 security certificates include:
  • HTTPS certificate: smc_root.der
  • TLS certificate: smc.pfx

Creating a Security Certificate

  1. Log in to the Linux operating system as the root user. The OpenSSL tool has been installed on the system.
  2. Go to a proper directory.
  3. Generate the key file serverkey.pem.

    The key_password.txt file stores the encryption password Huawei@123 of the key. Change the value based on the site requirements.

    openssl genrsa -aes256 -out serverkey.pem 2048

    Enter required information as prompted.
    Enter pass phrase for serverkey.pem:
    #Enter the encryption password Huawei@123.
    Verifying - Enter pass phrase for serverkey.pem: 
    #Enter the encryption password Huawei@123 again. 

  4. Generate the CSR file server.csr.

    The key password Huawei@123 is the same as the previous encryption password.

    openssl req -new -key serverkey.pem -out server.csr

    Enter required information as prompted.
    Enter pass phrase for serverkey.pem: 
    #Enter the encryption password Huawei@123. 
    You are about to be asked to enter information that will be incorporated 
    into your certificate request. 
    What you are about to enter is what is called a Distinguished Name or a DN. 
    There are quite a few fields but you can leave some blank 
    For some fields there will be a default value, 
    If you enter '.', the field will be left blank.
    ----- 
    Country Name (2 letter code) [AU]:CN
    #Here, CN is used as an example. You can enter a name, for example, UK, based on the site information.
    State or Province Name (full name) [Some-State]:zhejiang
    #Here, zhejiang is used as an example. You can enter a name, for example, beijing, based on the site information.
    Locality Name (eg, city) []:hz
    #Here, hz is used as an example. You can enter a name, for example, London, based on the site information.
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:huawei
    #Here, huawei is used as an example. You can enter a name, for example, bank, based on the site information.
    Organizational Unit Name (eg, section) []:huawei
    #Here, huawei is used as an example. You can enter a name, for example, bank, based on the site information.
    Common Name (eg, YOUR name) []:Joy
    #Here, Joy is used as an example. 
    Email Address []:111111.com
    #Email address. Here, 111111.com is used as an example. 
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    #Certificate password and authority name. Here, Huawei@123 and huawei are used as examples.
    A challenge password []:Huawei@123
    An optional company name []:huawei

  5. Send the server.csr file to a certification authority (CA) to apply for a public key certificate. Name the obtained root certificate file root.pem and the public key certificate file servercert.pem.
  6. See Table 7-2 to convert the obtained servercert.pem, serverkey.pem, and key_password.txt files into the PFX format.
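
The checks implied by the Prerequisites and by steps 3 to 6, as an added shell example (not part of the original document and not a replacement for its Table 7-2). It reports the certificate's signature algorithm, confirms that servercert.pem belongs to serverkey.pem, and builds and re-opens the PFX; the function names and the SMC_PW variable are hypothetical, the file names are the page's.

```bash
# Added example (not from the original document). File names follow the page;
# the function names and the SMC_PW variable are hypothetical.

# Print the certificate's signature algorithm, e.g. sha512WithRSAEncryption.
# On Windows 2012 an SHA512 result means the KB2975719 patches are required.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        awk -F': ' '/Signature Algorithm/ { print $2; exit }'
}

# Succeed only if the certificate carries the public key of the private key.
# $1 = certificate, $2 = encrypted private key, $3 = key password file.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -passin "file:$3" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Build the PFX and re-open it to confirm the password before copying it.
# $1 = certificate, $2 = key, $3 = key password file, $4 = output PFX.
make_pfx() {
    cert_matches_key "$1" "$2" "$3" || {
        echo "certificate and private key do not match" >&2; return 1; }
    # env: is used instead of file: because openssl reads the SECOND line of a
    # file for -passout when the same file is given to -passin and -passout.
    SMC_PW=$(head -n 1 "$3") || return 1
    export SMC_PW
    rc=0
    { openssl pkcs12 -export -in "$1" -inkey "$2" -passin env:SMC_PW \
          -out "$4" -passout env:SMC_PW &&
      openssl pkcs12 -in "$4" -passin env:SMC_PW -noout; } || rc=1
    unset SMC_PW
    return $rc
}
```

Typical use on the Linux host: `cert_sig_alg servercert.pem`, then `make_pfx servercert.pem serverkey.pem key_password.txt smc.pfx`.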

Installing the Client Root Certificate

NOTE:

Before importing the client root certificate into the SMC2.0, import the SC server certificate. If the client root certificate is imported but the corresponding server certificate is not, the SC will go offline and then the server certificate cannot be imported through the SMC2.0 web interface.

  1. Log in to the SMC2.0 server as the SMC2.0 administrator.
  2. Add a certificate manager to the console. (If a certificate manager is already added, skip this step.)

    1. Choose Start > Run, enter MMC, and press Enter.
    2. In the Console1 window, choose File > Add/Remove Snap-in....
    3. In the Add or Remove Snap-ins window, select Certificates from the Available snap-ins area and click Add to move it to the Selected snap-ins area, as shown in Figure 7-5.
      Figure 7-5 Adding a snap-in
    4. In the Certificates snap-in window, select Computer account and click Finish.
    5. In the Add/Remove Snap-ins window, click OK.

  3. In the Console1 window, choose Console Root > Certificates > Trusted Root Certification Authorities > Certificates, as shown in Figure 7-6.

    Figure 7-6 Certificate list

  4. Right-click the Certificate node, as shown in Figure 7-7. Then choose All Tasks > Import and select the root certificate to be imported. (Specify All Files(*.*) as the file type when selecting a certificate.) The root certificate name must be in the format of smc_root.der.

    Figure 7-7 Certificate node

Installing the Server Certificate

  1. Log in to the SMC2.0 server as the SMC2.0 administrator.
  2. Enter IIS in the Windows search box and select Internet Information Services(IIS) Manager among the results.
  3. In the Internet Information Services(IIS) Manager window, choose the root directory from the navigation tree on the left. Under IIS in the middle pane, double-click Server Certificates, as shown in Figure 7-8.
    Figure 7-8 Internet Information Services(IIS) Manager
  4. Click Import in the operation list on the right, as shown in Figure 7-9.
    Figure 7-9 Server Certificates
  5. Upload the purchased certificate file smc.pfx, enter the password, select Allow this certificate to be exported based on the certificate requirements, and click OK, as shown in Figure 7-10.
    NOTE:
    • The password entered here is the password entered in 3.
    • After the certificate is imported, the certificate name is not displayed. Ensure that the information about the imported certificate is correct. This certificate is bound after you complete the Bind Server Certificate task.
    Figure 7-10 Import Certificate
Binding the Server Certificate
  1. Enter Internet Information Services (IIS) Manager.
  2. Bind the certificate to the SmcSite.
    1. From the navigation tree on the left, choose WIN-XXXXXX > Sites > SmcSite, right-click SmcSite and choose Edit bindings....
    2. In the Site Binding window, select https and click Edit....
    3. Select the certificate issued by the corresponding authority from the SSL certificate drop-down list box, and click OK. Figure 7-11 uses a preset certificate as an example.
      Figure 7-11 Edit Site Binding
  3. In the SmcFileSrv site, bind the commercial certificate by following the method in 2.
  4. Bind the certificate to the SmcFtp site.
    1. From the navigation tree on the left, choose WIN-XXXXXX > Sites > SmcFtp.
    2. Double-click FTP SSL Settings on the SmcFtp homepage.
    3. From the SSL certificate drop-down list, choose the certificate to be bound, as shown in Figure 7-12.
      Figure 7-12 FTP SSL Settings
    4. Click Apply on the right. A dialog box is displayed, indicating the change is saved.
Verification
  1. Open Internet Explorer, enter https://IP address of the SMC2.0 in the address box, and press Enter.
  2. The "There is a problem with this website's security certificate" message is no longer displayed, indicating that the certificate is successfully installed.
Updated: 2019-08-07

Document ID: EDOC1100059091