CloudEngine 12800 and 12800E V200R005C10 Configuration Guide - Security
This document describes the configurations of Security, including AAA, 802.1x Authentication, ACL, TCAM ACL Customization, local attack defense, Microsegmentation, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, MACsec, DHCP snooping, IPSG, URPF, SSL, Keychain and FIPS.
Configuring an SSL Policy
Prerequisites
The client or server has applied for a certificate file from a certificate authority (CA) and loaded the certificate to the sub-directory security of the system directory.
Context
The Secure Sockets Layer (SSL) protocol uses data encryption, identity authentication, and message integrity checks to secure application layer protocols that run over the Transmission Control Protocol (TCP). An SSL policy can be applied to such application layer protocols to provide secure connections.
The device can function as an SSL client or an SSL server, and the SSL policy configuration differs depending on which role it plays. Perform the SSL policy configuration that matches the device role.
Procedure
Device Functioning as an SSL Client
Run system-view
The system view is displayed.
Run ssl policy policy-name
An SSL policy is configured and the SSL policy view is displayed.
(Optional) Run ssl minimum version { tls1.1 | tls1.2 }
The minimum SSL version used for the SSL policy is configured.
By default, the minimum SSL version used for an SSL policy is TLS1.2.
SSL policies support the following SSL versions: TLS1.1 and TLS1.2. TLS1.2 provides the highest security, followed by TLS1.1. TLS1.2 is recommended.
(Optional) Run ssl verify { basic-constrain | key-usage | version { cert-version3 | crl-version2 } } enable
Digital certificate verification is enabled.
By default, digital certificate verification is disabled.
(Optional) Run ssl verify certificate-chain minimum-path-length path-length
The minimum path length for a digital certificate chain is configured.
By default, the minimum path length for a digital certificate chain is 1.
(Optional) Run certificate load
A digital certificate is loaded.
This step is required only when the server needs to authenticate the client.
Currently, the device supports certificates in PEM and PFX formats and certificate chains in PEM format. Load a certificate or certificate chain as required.
(Optional) Run crl load { pem-crl | asn1-crl } crl-filename
A Certificate Revocation List (CRL) is loaded.
A CRL is issued by a CA and lists the digital certificates that are still within their validity period but have been revoked. After a CRL is loaded to the client, the client determines the validity of the certificate received from the server by checking whether the certificate appears in the CRL.
A maximum of two CRL files can be loaded to an SSL policy. By default, no CRL is loaded to an SSL policy.
Run trusted-ca load
A trusted-CA file is loaded.
The trusted-CA file is used to verify validity of the digital certificate sent by the server. A maximum of four trusted-CA files can be loaded to an SSL policy. By default, no trusted-CA file is loaded to an SSL policy.
Run commit
The configuration is committed.
Device Functioning as an SSL Server
Run system-view
The system view is displayed.
Run ssl policy policy-name
An SSL policy is configured and the SSL policy view is displayed.
(Optional) Run ssl minimum version { tls1.1 | tls1.2 }
The minimum SSL version used for the SSL policy is configured.
By default, the minimum SSL version used for an SSL policy is TLS1.2.
SSL policies support the following SSL versions: TLS1.1 and TLS1.2. TLS1.2 provides the highest security, followed by TLS1.1. TLS1.2 is recommended.
(Optional) Run ssl verify { basic-constrain | key-usage | version { cert-version3 | crl-version2 } } enable
Digital certificate verification is enabled.
By default, digital certificate verification is disabled.
(Optional) Run ssl verify certificate-chain minimum-path-length path-length
The minimum path length for a digital certificate chain is configured.
By default, the minimum path length for a digital certificate chain is 1.
Run certificate load
A digital certificate is loaded.
Currently, the device supports certificates in PEM and PFX formats and certificate chains in PEM format. Load a certificate or certificate chain as required.
(Optional) Run crl load { pem-crl | asn1-crl } crl-filename
A Certificate Revocation List (CRL) is loaded.
A CRL is issued by a CA and lists the digital certificates that are still within their validity period but have been revoked. After a CRL is loaded to the server, the server determines the validity of the certificate received from the client by checking whether the certificate appears in the CRL.
A maximum of two CRL files can be loaded to an SSL policy. By default, no CRL is loaded to an SSL policy.
(Optional) Run trusted-ca load
A trusted-CA file is loaded.
This step is required only when the server needs to authenticate the client.
The trusted-CA file is used to verify validity of the digital certificate sent by the client. A maximum of four trusted-CA files can be loaded to an SSL policy. By default, no trusted-CA file is loaded to an SSL policy.
Run commit
The configuration is committed.
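The following is an added example, not device code from this guide: it builds a Python ssl.SSLContext the way the client and server procedures above configure an SSL policy (minimum version TLS1.2, certificate load, trusted-CA load, CRL load), so the role-dependent differences between the two procedures can be seen in one place. The role names, file-name parameters and display_ssl_policy helper are assumptions of this example; the certificate-chain minimum path length has no direct equivalent in the Python ssl module and is not modelled.

```python
import ssl
from typing import Optional

# Constructed example, not device code: builds a Python ssl.SSLContext the way the
# client and server SSL policy procedures above configure a device SSL policy.
# All file names are placeholders supplied by the caller; a None argument skips
# that step, just as the "(Optional)" steps may be skipped.

def build_ssl_policy(role: str,
                     certificate_file: Optional[str] = None,
                     key_file: Optional[str] = None,
                     trusted_ca_file: Optional[str] = None,
                     crl_file: Optional[str] = None,
                     minimum_version: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2) -> ssl.SSLContext:
    """Return a context for role 'client' or 'server' (assumed role names)."""
    if role not in ("client", "server"):
        raise ValueError("role must be 'client' or 'server'")
    is_server = role == "server"
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER if is_server else ssl.PROTOCOL_TLS_CLIENT)
    # "ssl minimum version": the floor is TLS1.2 by default, as on the device.
    ctx.minimum_version = minimum_version
    # "certificate load": mandatory for a server; a client needs it only when the
    # server authenticates the client.
    if certificate_file:
        ctx.load_cert_chain(certfile=certificate_file, keyfile=key_file)
    # "trusted-ca load": a client uses it to verify the server certificate; on a
    # server, loading a trusted CA is what turns on client certificate authentication.
    if trusted_ca_file:
        ctx.load_verify_locations(cafile=trusted_ca_file)
        ctx.verify_mode = ssl.CERT_REQUIRED
    # "crl load": the CRL is loaded like a CA file, and the flag makes the
    # revocation check mandatory for every certificate in the chain.
    if crl_file:
        ctx.load_verify_locations(cafile=crl_file)
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_CHAIN
    return ctx


def display_ssl_policy(ctx: ssl.SSLContext) -> dict:
    """Summarise the effective policy, much as 'display ssl policy' does on the device."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "peer_cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "crl_check": bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_CHAIN),
    }
```

A client context requires the peer certificate by default, whereas a server context does not verify the client until a trusted CA is loaded, mirroring the optional trusted-ca load step in the server procedure.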
Verifying the Configuration
Run the display ssl policy policy-name command to check the SSL policy configuration.