HTTPS login example

Network requirements

As shown in Figure 27, to prevent unauthorized users from accessing the Device, configure HTTPS login as follows:

In this example, Windows Server acts as the CA. Install Simple Certificate Enrollment Protocol (SCEP) add-on on the CA. The name of the CA that issues certificates to the Device and Host is new-ca.

Before performing the following configuration, make sure that the Device, Host, and CA can reach each other.

Figure 27: Network diagram for configuring HTTPS login

Configuration procedure

  1. Configure the device that acts as the HTTPS server

# Configure a PKI entity, configure the common name of the entity as http-server1, and the FQDN of the entity as ssl.security.com.

<Device> system-view
[Device] pki entity en
[Device-pki-entity-en] common-name http-server1
[Device-pki-entity-en] fqdn ssl.security.com
[Device-pki-entity-en] quit

# Create a PKI domain, specify the trusted CA as new-ca, the URL of the server for certificate request as http://10.1.2.2/certsrv/mscep/mscep.dll, authority for certificate request as RA, and the entity for certificate request as en.

[Device] pki domain 1
[Device-pki-domain-1] ca identifier new-ca
[Device-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll
[Device-pki-domain-1] certificate request from ra
[Device-pki-domain-1] certificate request entity en
[Device-pki-domain-1] quit

# Create RSA local key pairs.

[Device] public-key local create rsa

# Retrieve the CA certificate from the certificate issuing server.

[Device] pki retrieval-certificate ca domain 1

# Request a local certificate from a CA through SCEP for the device.

[Device] pki request-certificate domain 1

# Create an SSL server policy myssl, specify PKI domain 1 for the SSL server policy, and enable certificate-based SSL client authentication.

[Device] ssl server-policy myssl
[Device-ssl-server-policy-myssl] pki-domain 1
[Device-ssl-server-policy-myssl] client-verify enable
[Device-ssl-server-policy-myssl] quit

# Create a certificate attribute group mygroup1, and configure a certificate attribute rule, specifying that the Distinguished Name (DN) in the subject name includes the string of new-ca.

[Device] pki certificate attribute-group mygroup1
[Device-pki-cert-attribute-group-mygroup1] attribute 1 issuer-name dn ctn new-ca
[Device-pki-cert-attribute-group-mygroup1] quit

# Create a certificate attribute-based access control policy myacp. Configure a certificate attribute-based access control rule, specifying that a certificate is considered valid when it matches an attribute rule in certificate attribute group myacp.

[Device] pki certificate access-control-policy myacp
[Device-pki-cert-acp-myacp] rule 1 permit mygroup1
[Device-pki-cert-acp-myacp] quit

# Associate the HTTPS service with SSL server policy myssl.

[Device] ip https ssl-server-policy myssl

# Associate the HTTPS service with certificate attribute-based access control policy myacp.

[Device] ip https certificate access-control-policy myacp

# Enable the HTTPS service.

[Device] ip https enable

# Create a local user named usera, set the password to 123 for the user, and specify the telnet service type for the local user.

[Device] local-user usera
[Device-luser-usera] password simple 123
[Device-luser-usera] service-type telnet
  1. Configure the host that acts as the HTTPS client

On the host, run the IE browser. In the address bar, enter http://10.1.2.2/certsrv and request a certificate for the host as prompted.

  1. Verify the configuration

Enter https://10.1.1.1 in the address bar, and select the certificate issued by new-ca. Then the web login page of the Device appears. On the login page, type the username usera, and password 123 to enter the web management page.


[NOTE: ]

NOTE:

  • To log in to the web interface through HTTPS, enter the URL address starting with https://. To log in to the web interface through HTTP, enter the URL address starting with http://.

  • For more information about PKI configuration commands, see the Security Command Reference.

  • For more information about the public-key local create rsa command, see the Security Command Reference.

  • For more information about SSL configuration commands, see the Security Command Reference.