S12700 V200R013C00 Configuration Guide - Basic Configuration

This document describes the configurations of Basic, including CLI Overview, EasyDeploy Configuration, USB-based Deployment Configuration, Logging In to a Device for the First Time, CLI Login Configuration, Web System Login Configuration, File Management, Configuring System Startup, ISSU Configuration, BootLoad Menu Operation.
Managing Files When the Device Functions as an FTPS Server

Pre-configuration Tasks

Before connecting to the FTPS server to manage files, complete the following tasks:

  • Ensure that routes are reachable between the terminal and the device.
  • Ensure that the FTP client software supporting SSL has been installed on the terminal.

Configuration Procedure

Table 8-28 describes the procedure for managing files when the device functions as an FTPS server.

Table 8-28  Managing files when the device functions as an FTPS server

| No. | Task | Description | Remarks |
|-----|------|-------------|---------|
| 1 | Upload the server digital certificate and private key | Upload the digital certificate and private key to the device. | Task 1 must be performed before task 2. The other tasks can be performed in any sequence. |
| 2 | Configure the SSL policy and load the digital certificate | Configure an SSL policy and load the digital certificate to the server. | |
| 3 | Configure the FTPS server function and set FTP service parameters | Configure an SSL policy for the FTPS server and set FTPS server parameters including the port number, source address, and timeout duration. | |
| 4 | Configure local FTP user information | Configure FTP local users including the service type and authorized directory. | |
| 5 | Connect to the device using FTPS | Connect to the device using FTPS on the terminal. | - |

Default Parameter Settings

Table 8-29  Default parameter settings

| Parameter | Default Setting |
|-----------|-----------------|
| SSL policy | No SSL policy is created for an FTPS server. |
| FTPS server function | Disabled |
| Listening port number | 21 |
| FTP user | No local user is created. |

Procedure

  • Upload the server digital certificate and private key.

    Upload the server digital certificate and private key file to the security directory on the device in SFTP or SCP mode. If no security directory exists on the device, run the mkdir directory command to create one.

    The server must obtain a digital certificate (including the private key file) from a CA. Clients that connect to the server must obtain the CA certificate so that they can verify the validity of the server digital certificate.

    NOTE:

    A certificate authority (CA) is an entity that issues and manages digital certificates. Digital certificates used on the FTPS server must be issued by a CA.

    The device does not support lifecycle management on self-signed certificates generated by the device. For example, self-signed certificates cannot be updated or revoked. You are advised to use your own certificate to ensure device and certificate security.

    Digital certificates support the PEM, ASN1, and PFX formats.
    • A PEM digital certificate has the file name extension .pem and is suitable for text-based transfer between systems.
    • An ASN1 digital certificate has the file name extension .der and is the default format for most browsers.
    • A PFX digital certificate has the file name extension .pfx and is a binary format that can be converted into the PEM or ASN1 format.

    For details, see the description about uploading files in other modes.

  • Configure the SSL policy and load the digital certificate.

    Load the digital certificate and specify the private key.

    Table 8-30  Configuring the SSL policy and loading the digital certificate
    Operation Command Description

    Enter the system view.

    system-view

    -

    (Optional) Customize the SSL cipher suite.

    ssl cipher-suite-list customization-policy-name

    Customize an SSL cipher suite policy and enter the cipher suite policy view.

    By default, no customized SSL cipher suite policy is configured.

    set cipher-suite { tls1_ck_rsa_with_aes_256_sha | tls1_ck_rsa_with_aes_128_sha | tls1_ck_rsa_rc4_128_sha | tls1_ck_dhe_rsa_with_aes_256_sha | tls1_ck_dhe_dss_with_aes_256_sha | tls1_ck_dhe_rsa_with_aes_128_sha | tls1_ck_dhe_dss_with_aes_128_sha | tls12_ck_rsa_aes_256_cbc_sha256 }

    Configure the cipher suites for a customized SSL cipher suite policy.

    By default, no customized SSL cipher suite policy is configured.

    If a customized SSL cipher suite policy is being referenced by an SSL policy, the cipher suites in the customized cipher suite policy can be added, modified, or partially deleted. Deleting all of the cipher suites is not supported.

    quit

    Return to the system view.

    Create an SSL policy and enter the SSL policy view.

    ssl policy policy-name

    -

    (Optional) Set a minimum version of an SSL policy.

    ssl minimum version { ssl3.0 | tls1.0 | tls1.1 | tls1.2 }

    By default, the minimum version of an SSL policy is TLS1.1.

    (Optional) Bind a customized SSL cipher suite policy to an SSL policy.

    binding cipher-suite-customization customization-policy-name

    By default, no customized cipher suite policy is bound to an SSL policy. Each SSL policy uses a default cipher suite.

    After a customized cipher suite policy is unbound from an SSL policy, the SSL policy uses one of the following cipher suites supported by default:

    • tls1_ck_rsa_with_aes_256_sha
    • tls1_ck_rsa_with_aes_128_sha
    • tls1_ck_dhe_rsa_with_aes_256_sha
    • tls1_ck_dhe_dss_with_aes_256_sha
    • tls1_ck_dhe_rsa_with_aes_128_sha
    • tls1_ck_dhe_dss_with_aes_128_sha
    • tls12_ck_rsa_aes_256_cbc_sha256

    If the cipher suite in the customized cipher suite policy bound to an SSL policy contains only one type of algorithm (RSA or DSS), the corresponding certificate must be loaded for the SSL policy to ensure successful SSL negotiation.

    Load the digital certificate in the PEM format.

    certificate load pem-cert cert-filename key-pair { dsa | rsa } key-file key-filename auth-code cipher auth-code

    Load the digital certificate in the PEM, ASN1, or PFX format.

    NOTE:
    • You can load a certificate or certificate chain for only one SSL policy. Before loading a certificate or certificate chain, you must unload any existing certificate or certificate chain.
    • When you configure an SSL policy to load a certificate or certificate chain, ensure that the maximum length of the key pair in the certificate or certificate chain is 2048 bits. If the length of the key pair exceeds 2048 bits, the certificate file or certificate chain file cannot be uploaded to the device.
    • Before rolling V200R008 or a later version back to an earlier version, back up the SSL private key file.

    Load the digital certificate in the ASN1 format.

    certificate load asn1-cert cert-filename key-pair { dsa | rsa } key-file key-filename

    Load the digital certificate in the PFX format.

    certificate load pfx-cert cert-filename key-pair { dsa | rsa } { mac cipher mac-code | key-file key-filename } auth-code cipher auth-code

    Load the digital certificate chain in the PEM format.

    certificate load pem-chain cert-filename key-pair { dsa | rsa } key-file key-filename auth-code cipher auth-code

  • Configure the FTPS server function and set FTP service parameters.

    FTPS is based on the FTP protocol. You can enable the FTPS server function and set FTP service parameters.

    Table 8-31  Configuring the FTPS server function and setting FTP service parameters
    Operation Command Description

    Enter the system view.

    system-view

    -

    (Optional) Specify a port number for the FTP server.

    ftp [ ipv6 ] server port port-number

    The default port number is 21.

    If a new port number is configured, the FTP server disconnects all FTP clients and uses this new port number to listen for connection requests. Attackers do not know the port number and cannot access the listening port of the FTP server.

    Configure the SSL policy on the FTPS server.

    ftp secure-server ssl-policy policy-name

    The SSL policy specified here must be the policy created in the previous step.

    Enable the FTPS server function.

    ftp [ ipv6 ] secure-server enable

    By default, the FTPS server function is disabled.

    NOTE:

    Before enabling the FTPS server function, you must disable the (plain) FTP server function.

    (Optional) Configure the source address of the FTP server.

    ftp server-source { -a source-ip-address | -i interface-type interface-number }

    This configuration helps to improve device security by filtering both incoming and outgoing packets.

    After the source address of the FTP server is configured, you must enter this address to log in to the FTP server.

    (Optional) Configure the timeout duration of the FTP server.

    ftp [ ipv6 ] timeout minutes

    By default, the idle timeout duration is 10 minutes.

    If no operation is performed on the FTP server during the timeout duration, the FTP client is automatically disconnected from the FTP server.

    NOTE:
    • If the FTPS service is enabled, the port number of the FTPS service cannot be changed. To change the port number, run the undo ftp [ ipv6 ] secure-server command to disable the FTPS service first.

    • After operations on files are complete, run the undo ftp [ ipv6 ] secure-server command to disable the FTPS server function and ensure device security.

  • Configure local FTP user information.

    Before performing operations on files using FTPS, configure the local user name and password, service type, and authorized directory on the FTPS server.

    Table 8-32  Configuring local FTP user information
    Operation Command Description

    Enter the system view.

    system-view

    -

    Enter the AAA view.

    aaa

    -

    Configure the local user name and password.

    local-user user-name password irreversible-cipher password

    -

    Configure the local user level.

    local-user user-name privilege level level

    NOTE:

    The user level must be set to 3 or higher to ensure successful connection establishment.

    Configure the service type for local users.

    local-user user-name service-type ftp

    By default, a local user can use any access type.

    Configure an authorized directory.

    local-user user-name ftp-directory directory

    By default, the FTP directory of a local user is empty.

    When multiple FTP users use the same authorized directory, you can run the set default ftp-directory directory command to configure a default directory for these FTP users. In this case, you do not need to run the local-user user-name ftp-directory directory command for each user.

  • Connect to the device using FTPS.

    FTP client software that supports SSL must be installed on the terminal so that the terminal can connect to the FTPS server and manage files.

    NOTE:

    The file system limits the number of files in the root directory to 50. Creation of files in excess of this limit in the root directory may fail.
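    The terminal side of this step, and of the SSL policy step above (minimum TLS version and cipher suite choice), as an added example written for this page rather than code from the guide or from Huawei: an explicit FTPS client that verifies the server certificate against the issuing CA, refuses anything below TLS 1.2, offers only cipher suites that appear in Table 8-30, and protects the data channel. The device address 192.0.2.10, the CA file name ca.pem and the user name are assumptions; the port is the default 21 from Table 8-29.

```python
"""Explicit FTPS client for a device set up as in this section (added example).
Assumed values: device at 192.0.2.10 (documentation range), CA certificate in
ca.pem, local FTP user 'ftpuser'.  Nothing here is Huawei code."""
import ssl
from ftplib import FTP_TLS

DEVICE_HOST = "192.0.2.10"   # assumed management address
FTPS_PORT = 21               # default listening port (Table 8-29)

# Device cipher suite names from Table 8-30 mapped to their OpenSSL names.
DEVICE_SUITES = {
    "tls12_ck_rsa_aes_256_cbc_sha256": "AES256-SHA256",
    "tls1_ck_dhe_rsa_with_aes_256_sha": "DHE-RSA-AES256-SHA",
    "tls1_ck_rsa_with_aes_256_sha": "AES256-SHA",
}


def build_ftps_context(cafile=None):
    """TLS context for the control and data channels: server certificate must
    chain to the CA in `cafile`, TLS 1.2 is the floor (the highest value the
    'ssl minimum version' command offers), only device-listed suites are sent."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    # Keep hostname checking on: the server certificate must name the
    # address you connect to, otherwise a substituted certificate passes.
    ctx.check_hostname = True
    ctx.set_ciphers(":".join(DEVICE_SUITES.values()))
    return ctx


def context_summary(ctx):
    """Plain-string view of the settings that matter for review or logging."""
    return {
        "min_version": ctx.minimum_version.name,
        "verify": ctx.verify_mode.name,
        "ciphers": [c["name"] for c in ctx.get_ciphers()],
    }


def manage_files(user, password, cafile, host=DEVICE_HOST, port=FTPS_PORT):
    """Explicit FTPS: AUTH TLS before credentials are sent, PROT P so that
    directory listings and transfers are encrypted too."""
    ftp = FTP_TLS(context=build_ftps_context(cafile))
    ftp.connect(host, port, timeout=60)
    ftp.auth()                      # upgrade the control connection first
    ftp.login(user, password)       # credentials travel inside TLS
    ftp.prot_p()                    # protect the data channel
    try:
        return ftp.nlst()           # files in the user's authorized directory
    finally:
        ftp.quit()
```

Disable the FTPS server again on the device when the file operations are finished, as the note in Table 8-31 requires.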

Verifying the Configuration

  • Run the display ssl policy command to view the SSL policy and digital certificate.
  • Run the display [ ipv6 ] ftp-server command to view the FTPS server status.
  • Run the display ftp-users command to view information about the FTP users who log in to the FTP server.
