S310 V600R022C10 Configuration Guide - Basic Configuration

Example for Configuring Web UI-based Login Through HTTPS (Specified Certificate)

Networking Requirements

As shown in Figure 5-2, the local account admin123 is configured on DeviceA and is used to log in to the web UI of DeviceA through HTTPS.

Figure 5-2 Network diagram for logging in to the web UI through HTTPS (specified certificate)

In this example, interface 1 represents Vlanif10.

Data Planning

| Item | Data |
|---|---|
| User name | admin123 |
| Password | YsHsjx_202206 |
| Service type | HTTPS |
| User privilege level | 3 |
| Specified certificate | cep_local.cer |

Configuration Roadmap

  1. Configure a certificate for login authentication.
  2. Configure a login interface for the device.
  3. Create a local user account for logging in to the web UI of the device.
  4. Enable the web service function on the device.
  5. Use the local user account to log in to the web UI of the device.

Procedure

  1. Configure a certificate.
    1. Generate a certificate request file on DeviceA and send the file to the CA server using methods such as the web UI, disks, and emails. After the application is approved, the CA server generates the certificates. You can use HTTP, LDAP, or other methods to download the CA certificate and local certificate from the CA server to DeviceA, and then install them so that they take effect. For details, see "PKI Configuration" in CLI Configuration Guide > Security Protection.

      In the local certificate, the value of Subject Alternative Name must be the same as the IP address for logging in to the web UI of the device. If a domain name is used to access the web UI, set Subject Alternative Name to the domain name.

      Assume that the CA certificate and local certificate are cep_ca.cer and cep_local.cer, respectively.

    2. Obtain the CA certificate of the CA server that issues certificates to the device and import it to the browser of the PC (client) used for web UI login.

      If the CA certificate is not imported to the browser, the client can still log in to the device through HTTPS. However, the client then cannot verify the validity of the server's certificate and is vulnerable to attacks.

    3. Specify the certificate that the device sends to the client when the client logs in to the device through HTTPS.

      <HUAWEI> system-view 
      [HUAWEI] sysname DeviceA
      [DeviceA] web-manager security server-certificate cep_local.cer

  2. Configure all interfaces to be used to access the web UI.

    [DeviceA] web-manager server-source all-interface

  3. Configure a login interface for the device.
    1. Configure an IP address for the interface.

      [DeviceA] interface vlanif 10 
      [DeviceA-Vlanif10] ip address 10.3.0.1 255.255.255.0
      [DeviceA-Vlanif10] quit

  4. Create a web user account.

    [DeviceA] aaa
    [DeviceA-aaa] local-user admin123 password irreversible-cipher YsHsjx_202206
    [DeviceA-aaa] local-user admin123 service-type http
    [DeviceA-aaa] local-user admin123 privilege level 3
    [DeviceA-aaa] quit

  5. Enable the web service function.
    1. Enable the HTTPS service.

      [DeviceA] web-manager enable port 8443

      By default, the HTTPS service is enabled and the corresponding port number is 8443.

    2. Enable forcible redirection from HTTP to HTTPS.

      [DeviceA] web-manager http forward enable

      By default, this function is enabled. When this function is enabled, HTTPS is used even if you use HTTP to access the web UI.

  6. Log in to the web UI of the device.
    1. Set the IP address of the PC used for web UI login to 10.3.0.10/24.
    2. Open a browser and enter https://10.3.0.1:8443.
    3. Enter the created web user account (user name: admin123; password: YsHsjx_202206) and click Login.

Verifying the Configuration

Use a browser to access the web UI of the device, enter the user name and password, and check whether the login is successful.
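The following Python sketch is an added example, not part of the original guide: it checks the Subject Alternative Name rule from step 1 of the procedure the way a browser applies it, where an IP address typed into the address bar is compared only against IP-address entries and a domain name only against DNS entries. The sample certificate dictionaries and the host name devicea.example.com are constructed; fetch_verified_cert assumes that cep_ca.cer is PEM-encoded and that the device is reachable from the PC.

```python
import ipaddress
import socket
import ssl


def _dns_match(pattern: str, host: str) -> bool:
    """Match a DNS SAN entry; '*' may only replace the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]


def san_covers(cert: dict, target: str) -> bool:
    """cert: dict as returned by ssl.SSLSocket.getpeercert();
    target: the address or name entered in the browser."""
    try:
        want_ip = ipaddress.ip_address(target)
    except ValueError:
        want_ip = None  # target is a domain name
    for kind, value in cert.get("subjectAltName", ()):
        if want_ip is not None:
            # An IP literal is never matched against a DNS entry.
            if kind == "IP Address" and ipaddress.ip_address(value.strip()) == want_ip:
                return True
        elif kind == "DNS" and _dns_match(value, target):
            return True
    return False


def fetch_verified_cert(host: str, port: int, ca_file: str) -> dict:
    """TLS handshake that trusts only ca_file (PEM assumed).
    Raises ssl.SSLCertVerificationError if chain or name verification fails."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (not taken from a real device)
GOOD = {"subjectAltName": (("IP Address", "10.3.0.1"),)}
IP_AS_DNS = {"subjectAltName": (("DNS", "10.3.0.1"),)}  # IP placed in a DNS entry
BY_NAME = {"subjectAltName": (("DNS", "devicea.example.com"),)}  # hypothetical name

if __name__ == "__main__":
    for name, cert in (("GOOD", GOOD), ("IP_AS_DNS", IP_AS_DNS), ("BY_NAME", BY_NAME)):
        print(name, san_covers(cert, "10.3.0.1"))
    # Live check against the device in this example (needs network access):
    # print(san_covers(fetch_verified_cert("10.3.0.1", 8443, "cep_ca.cer"), "10.3.0.1"))
```

A certificate issued only for a domain name fails the check when the web UI is opened by IP address, which is why the value requested from the CA must match the form of address that administrators actually enter.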

Configuration Scripts

#
sysname DeviceA
#
web-manager server-source all-interface
web-manager enable port 8443
web-manager http forward enable
web-manager security server-certificate cep_local.cer
#
interface Vlanif10
 ip address 10.3.0.1 255.255.255.0
#
aaa
 local-user admin123 password irreversible-cipher $1d$OwseVRh@LH}ZeTBm$1nH4$ab>d(N{-%0!ab48y=Ic*xEUR4pVhR2"9-~,$
 local-user admin123 service-type http
 local-user admin123 privilege level 3
#
return