SSL server policy configuration example

Network requirements

As shown in Figure 170, users need to access and manage the device through the Web page.

To protect the device and prevent data from being eavesdropped or tampered with, configure the device to be accessible through HTTPS only.

In this example, the CA server runs Windows Server and has the SCEP plug-in installed.

Figure 165: Network diagram

Configuration considerations

To meet the network requirements, perform the following tasks:

Configuration procedure

  1. Make sure the device, the host, and the CA server can reach each other. (Details not shown.)

  2. Configure the HTTPS server on the device:

    # Create a PKI entity named en. Set the common name and FQDN for the entity.

    <Device> system-view
    [Device] pki entity en
    [Device-pki-entity-en] common-name http-server1
    [Device-pki-entity-en] fqdn ssl.security.com
    [Device-pki-entity-en] quit
    

    # Create PKI domain 1 and specify the name of the trusted CA as CA server. Set the URL of the registration server to http://10.1.2.2/certsrv/mscep/mscep.dll, the authority for certificate request to RA, and the entity for certificate request to en. Set the URL of the CRL repository to http://10.1.2.2/CertEnroll/caserver.crl.

    [Device] pki domain 1
    [Device-pki-domain-1] ca identifier CA server
    [Device-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll
    [Device-pki-domain-1] certificate request from ra
    [Device-pki-domain-1] certificate request entity en
    [Device-pki-domain-1] crl url http://10.1.2.2/CertEnroll/caserver.crl
    

    # Configure a general-purpose RSA key pair named abc and set the key modulus length to 1024 bits.

    [Device-pki-domain-1] public-key rsa general name abc length 1024
    [Device-pki-domain-1] quit
    

    # Generate RSA key pair abc.

    [Device] public-key local create rsa name abc
    The range of public key size is (512 ~ 2048).
    If the key modulus is greater than 512,it will take a few minutes.
    Press CTRL+C to abort.
    Input the modulus length [default = 1024]:
    Generating Keys...
    ..........................++++++
    .....................................++++++
    Create the key pair successfully.
    

    # Obtain the CA certificate.

    [Device] pki retrieve-certificate domain 1 ca
    The trusted CA's finger print is:
        MD5  fingerprint:7682 5865 ACC2 7B16 6F52 D60F D998 4484
        SHA1 fingerprint:DF6B C53A E645 5C81 D6FC 09B0 3459 DFD1 94F6 3DDE
    Is the finger print correct?(Y/N):y
    Retrieved the certificates successfully.
    

    # Request a server certificate for the device.

    [Device] pki request-certificate domain 1
    Start to request general certificate ...
    Certificate requested successfully.
    

    # Create an SSL server policy named myssl.

    [Device] ssl server-policy myssl
    

    # Specify PKI domain 1 for the SSL server policy.

    [Device-ssl-server-policy-myssl] pki-domain 1
    

    # Enable client authentication.

    [Device-ssl-server-policy-myssl] client-verify enable
    [Device-ssl-server-policy-myssl] quit
    

    # Configure the HTTPS service to use SSL server policy myssl.

    [Device] ip https ssl-server-policy myssl
    

    # Enable the HTTPS service.

    [Device] ip https enable
    

    # Create a local user named usera. Set the password to 123, service type to https, and user role to network-admin.

    [Device] local-user usera
    [Device-luser-usera] password simple 123
    [Device-luser-usera] service-type https
    [Device-luser-usera] authorization-attribute user-role network-admin
    
  3. Request a client certificate for the host:

    1. Launch IE on the host, and then enter http://10.1.2.2/certsrv in the address bar.

    2. Request a client certificate for the host. (Details not shown.)
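The prompt in step 2 ("Is the finger print correct?(Y/N)") is the point where the trust in the CA is decided, so the fingerprint should be checked against a copy of the CA certificate obtained out of band rather than answered from memory. The following script, added here as an example and not part of the configuration guide or the device software, computes the MD5 and SHA1 fingerprints of such a copy in the same format the device prints and compares them with the prompt text; the certificate file path is an assumption.

```python
"""Check the CA fingerprint shown by 'pki retrieve-certificate' against a CA
certificate copy obtained out of band (added example; file path is assumed)."""
import base64
import hashlib
import re


def pem_to_der(data: bytes) -> bytes:
    """Accept PEM or DER input and return the DER bytes the fingerprint is taken over."""
    if b"-----BEGIN" in data:
        body = re.search(rb"-----BEGIN[^-]*-----(.*?)-----END", data, re.S).group(1)
        return base64.b64decode(b"".join(body.split()))
    return data


def fingerprint(der: bytes, algo: str) -> str:
    """Hash the DER bytes and format like the device output: 'ABCD EF01 ...'."""
    hexdigest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(hexdigest[i:i + 4] for i in range(0, len(hexdigest), 4))


def normalize(fp: str) -> str:
    """Strip spacing and case so display variants compare equal."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def parse_device_output(text: str) -> dict:
    """Extract the MD5 and SHA1 lines from the text the device prints at the prompt."""
    found = {}
    for algo in ("MD5", "SHA1"):
        m = re.search(algo + r"\s+fingerprint:\s*([0-9A-Fa-f ]+)", text)
        if m:
            found[algo.lower()] = normalize(m.group(1))
    return found


def fingerprints_match(device_text: str, cert_data: bytes) -> bool:
    """True only if every fingerprint the device showed equals the one computed
    from the out-of-band copy. If nothing could be parsed, report False (answer N)."""
    der = pem_to_der(cert_data)
    shown = parse_device_output(device_text)
    if not shown:
        return False
    return all(normalize(fingerprint(der, algo)) == value for algo, value in shown.items())


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:  # assumed: path to the CA certificate copy
        cert = f.read()
    prompt_text = sys.stdin.read()  # paste the device's fingerprint lines on stdin
    print("match" if fingerprints_match(prompt_text, cert) else "MISMATCH: answer N")
```

Answer Y at the device prompt only when the script reports a match for both fingerprints.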

Verifying the configuration

Perform the following tasks on the host:

  1. Launch IE and enter https://10.1.1.1 in the address bar.

  2. Select the certificate issued by the CA server to the host.

    The login page of the device should appear.

  3. Enter username usera and password 123.

    Verify that now you can log in to the Web interface to access and manage the device.