Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the security configurations, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separating the management plane from the service plane, and security risks.
Configuring an SSL Policy

Prerequisites

The client or server has obtained a certificate file from a certificate authority (CA) and loaded the certificate into the security subdirectory of the system directory.

Context

The Secure Sockets Layer (SSL) protocol uses data encryption, identity authentication, and message integrity checks to secure application layer protocols that run over the Transmission Control Protocol (TCP). An SSL policy can be applied to application layer protocols to provide secure connections.

The device can function as an SSL client or an SSL server, and the SSL policy configuration differs depending on the role. Perform the SSL policy configuration that matches the device's role.

Procedure

  • Device Functioning as an SSL Client
    1. Run system-view

      The system view is displayed.

    2. Run ssl policy policy-name

      An SSL policy is configured and the SSL policy view is displayed.

    3. (Optional) Run ssl minimum version { tls1.1 | tls1.2 }

      The minimum SSL version used by the SSL policy is configured.

      By default, the minimum SSL version used for an SSL policy is TLS1.1.

      NOTE:

      SSL policies support the SSL versions TLS1.1 and TLS1.2. TLS1.2 ensures the highest security, followed by TLS1.1. TLS1.2 is recommended.

    4. (Optional) Run ssl verify { basic-constrain | key-usage | version { cert-version3 | crl-version2 } } enable command to enable digital certificate verification.

      By default, digital certificate verification is disabled.

    5. (Optional) Run ssl verify certificate-chain minimum-path-length path-length command to configure the minimum path length for a digital certificate chain.

      By default, the minimum path length for a digital certificate chain is 1.

    6. (Optional) Run certificate load

      A digital certificate is loaded.

      This step is required only when the server needs to authenticate the client.

      Currently, the device supports certificates in PEM and PFX formats and certificate chains in PEM format. Load a certificate or certificate chain as required.

    7. (Optional) Run crl load { pem-crl | asn1-crl } crl-filename

      A Certificate Revocation List (CRL) is loaded.

      A CRL is issued by a CA and lists the digital certificates that are still within their validity period but have been revoked. After a CRL is loaded to the client, the client determines the validity of the certificate received from the server by checking whether the certificate appears in the CRL.

      A maximum of two CRL files can be loaded to an SSL policy. By default, no CRL is loaded to an SSL policy.

    8. Run trusted-ca load

      A trusted-CA file is loaded.

      The trusted-CA file is used to verify validity of the digital certificate sent by the server. A maximum of four trusted-CA files can be loaded to an SSL policy. By default, no trusted-CA file is loaded to an SSL policy.

    9. Run commit

      The configuration is committed.

  • Device Functioning as an SSL Server
    1. Run system-view

      The system view is displayed.

    2. Run ssl policy policy-name

      An SSL policy is configured and the SSL policy view is displayed.

    3. (Optional) Run ssl minimum version { tls1.1 | tls1.2 }

      The minimum SSL version used by the SSL policy is configured.

      By default, the minimum SSL version used for an SSL policy is TLS1.1.

      NOTE:

      SSL policies support the SSL versions TLS1.1 and TLS1.2. TLS1.2 ensures the highest security, followed by TLS1.1. TLS1.2 is recommended.

    4. (Optional) Run ssl verify { basic-constrain | key-usage | version { cert-version3 | crl-version2 } } enable command to enable digital certificate verification.

      By default, digital certificate verification is disabled.

    5. (Optional) Run ssl verify certificate-chain minimum-path-length path-length command to configure the minimum path length for a digital certificate chain.

      By default, the minimum path length for a digital certificate chain is 1.

    6. Run certificate load

      A digital certificate is loaded.

      Currently, the device supports certificates in PEM and PFX formats and certificate chains in PEM format. Load a certificate or certificate chain as required.

    7. (Optional) Run crl load { pem-crl | asn1-crl } crl-filename

      A Certificate Revocation List (CRL) is loaded.

      A CRL is issued by a CA and lists the digital certificates that are still within their validity period but have been revoked. After a CRL is loaded to the server, the server determines the validity of the certificate received from the client by checking whether the certificate appears in the CRL.

      A maximum of two CRL files can be loaded to an SSL policy. By default, no CRL is loaded to an SSL policy.

    8. (Optional) Run trusted-ca load

      A trusted-CA file is loaded.

      This step is required only when the server needs to authenticate the client.

      The trusted-CA file is used to verify validity of the digital certificate sent by the client. A maximum of four trusted-CA files can be loaded to an SSL policy. By default, no trusted-CA file is loaded to an SSL policy.

    9. Run commit

      The configuration is committed.
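The two procedures above, written out as a complete pair of policies with the stricter settings chosen (TLS1.2 minimum, certificate verification enabled, CRL loaded). This is an added example, not configuration from the Huawei guide; the file-name arguments of certificate load and trusted-ca load (pem-cert, pem-chain, key-pair, key-file, auth-code, pem-ca) are assumed from the CloudEngine command reference rather than shown on this page, and all file names and the auth-code are constructed placeholders. Lines starting with # are annotations, not commands.

```text
# Client-side policy: the device connects to an SSL server and must
# verify the server certificate against a trusted CA and a CRL.
system-view
ssl policy policy-client
 ssl minimum version tls1.2
 ssl verify basic-constrain enable
 ssl verify key-usage enable
 ssl verify version cert-version3 enable
 ssl verify version crl-version2 enable
 # Trusted-CA file verifies the server certificate; CRL rejects revoked ones.
 trusted-ca load pem-ca root-ca.pem
 crl load pem-crl issuing-ca.crl
 # Only needed when the server also authenticates the client (assumed syntax).
 certificate load pem-cert client.pem key-pair rsa key-file client-key.pem auth-code cipher <auth-code>
 commit
 quit

# Server-side policy: the device terminates SSL and must present its own
# certificate chain; trusted-ca and crl are needed only to authenticate clients.
ssl policy policy-server
 ssl minimum version tls1.2
 ssl verify basic-constrain enable
 ssl verify key-usage enable
 ssl verify version cert-version3 enable
 ssl verify version crl-version2 enable
 # Server certificate chain in PEM format (assumed syntax).
 certificate load pem-chain server-chain.pem key-pair rsa key-file server-key.pem auth-code cipher <auth-code>
 # Client authentication: trust the clients' issuing CA and load its CRL.
 trusted-ca load pem-ca client-root-ca.pem
 crl load pem-crl client-issuing-ca.crl
 commit
 quit

# Confirm that the minimum version and verification settings took effect.
display ssl policy policy-client
display ssl policy policy-server
```

Leaving ssl minimum version at its default keeps TLS1.1 negotiable, so set tls1.2 explicitly on both roles unless a peer genuinely cannot support it.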

Verifying the Configuration

Run the display ssl policy policy-name command to check the SSL policy configuration.

Updated: 2019-04-20

Document ID: EDOC1100074765
