No relevant resource is found in the selected language.
Enterprise
Worldwide
Search
Support Documentation
Atlas 900 Compute Node iBMC (V3.01.00.00 or Later) User Guide 09
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Two-Factor Authentication

Two-Factor Authentication

Function Description

Two-factor authentication allows user access only after both the client certificate and password are correct. It provides more security than the conventional authentication of only the account password.

You can upload the root and client certificates issued by the CA to the iBMC to implement secure connection between the client and the iBMC WebUI.

GUI

Choose User & Security > Two-Factor Authentication.

The Two-Factor Authentication page is displayed, as shown in Figure 3-40.
Figure 3-40 Two-Factor Authentication

Parameter Description

Table 3-49 Two-Factor Authentication

Parameter

Description

Two-Factor Authentication

Two-factor authentication allows users to log in to the iBMC WebUI only after the certificate and password are correct.

  • : enables two-factor authentication.
  • : disables two factor authentication.
NOTE:
  • Before two-factor authentication is enabled, you must import a valid root certificate and a client certificate. Ensure that at least one set of valid certificates exist. Otherwise, authentication failures may occur in subsequent logins.
  • After two-factor authentication is enabled, the SSH service will be automatically disabled and cannot be enabled manually.

  • After the two-factor authentication is enabled and then disabled, the SSH service is not automatically enabled. If you need to use the SSH service, manually enable it.

  • If only TLS 1.3 is enabled, two-factor authentication cannot be enabled.

OCSP Check
NOTICE:
  • The check uses OCSP. Before enabling the OCSP check, ensure that communication between the iBMC and the OCSP server is normal. Otherwise, the web service may become unavailable.
  • Ensure that the OCSP address information has been written into the root certificate. Otherwise, the dual-factor authentication may fail after the OCSP check is enabled.

Online Certificate Status Protocol (OCSP) check verifies the validity of the client certificate during authentication. If the client certificate is invalid, the user cannot log in to the iBMC WebUI.

  • : enables OCSP check.
  • : disables OCSP check.

CRL Check

The certificate revocation list (CRL) check verifies whether the certificate has been revoked during the authentication. After this function is enabled, the system checks whether the current client certificate has been revoked during the login to the iBMC WebUI. If the certificate has been revoked, the authentication fails and you cannot log in to the iBMC WebUI.

NOTE:

Ensure that the CRL has been imported. Otherwise, the dual-factor authentication may fail after the CRL check is enabled.

Root Certificate

List of the root certificates existing on the iBMC and information about the issuer, user, validity period, CRL, and CRL validity period of each root certificate.

The iBMC supports a maximum of 16 root certificates.

NOTE:
  • Certificate revocation status.
    • Configured: The certificate revocation file has been uploaded, and a certificate revocation verification will be performed when a TLS connection is set up.
    • Unconfigured: The certificate revocation file is not uploaded.
  • If the CRL expires, the corresponding authentication function will be unavailable.

Client Certificate

List of the client certificates existing on the iBMC and information about the user, role, root certificate status, revocation status and time, and client certificate fingerprint (hash value of the client).

The iBMC supports client certificates of a maximum of 16 users.

NOTE:
Certificate revocation status.
  • Revoked
  • Unrevoked
  • No key uploaded

Enabling Two-Factor Authentication and Uploading Certificates to the iBMC

  • Before the operation, apply for the root and client certificates (including the public key certificate and private key certificate) from a formal CA.
    • Private key certificates are in .pem, .p12, or .pdx format. For details about the operations, see the operation description of the CA.
    • For security purposes, periodically update the certificate.
  • Base64-coded root certificate and client certificate (public key certificate) can be uploaded. Valid root and client certificate formats include *.cer, *.crt, and *.pem.
  1. Click .

    Select the certificate to be uploaded. Upload the root certificate on the Root Certificate page. Upload the client public key certificate for the specified user on the Client Certificate page.

  2. Click Open.

    "Operation successful" is displayed.

  3. Set Two-Factor Authentication to.

Uploading a CRL

The certificate revocation file is Base64-encoded and in *.crl format. It cannot exceed 100 KB.

  1. Obtain a certificate revocation file from the CA.
  2. Locate the target certificate, and click in the CRL column.
  3. Select the certificate revocation file.

Enabling Certificate Authentication

After uploading certificates, perform the following operations to enable certificate authentication for users who attempt to log in to the iBMC WebUI.

  1. On the client, open your browser, for example, Google Chrome 81.0.4044.138.

    The operations may vary depending on the type and version of the browser.

  2. Click at the upper right corner and select Settings, select Privacy and security.
  3. Click Manage certificates.
  4. Import the client private key certificate.

    If you are required to enter an password, enter the password that is set when you apply for the certificate.

  5. Enter the iBMC login address in the address box of the browser.
  6. Select the client certificate as instructed.

    Login to the iBMC WebUI is successful.

Deleting a Root Certificate

Root certificates can be deleted only when the two-factor authentication function is disabled.

  1. On the Root Certificate tab page, click next to the root certificate to be deleted.

    A confirmation dialog box is displayed.

  2. Click Yes.

Deleting a Client Certificate

  1. On the Client Certificate page, click next to the user whose client certificate is to be deleted.

    A confirmation dialog box is displayed.

  2. Click Yes.
Translation
简体中文
Download
Updated: 2023-08-04

Document ID: EDOC1100152759

Views: 270137

Downloads: 100

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Digital Signature File

Digital Signature Authentication Mode
Share
Previous Next

Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved.

You are going to visit :