HTTPS Configuration Example
Keywords: HTTPS, SSL, PKI, CA, RA
Abstract: HTTPS uses SSL to improve the security of HTTP. It allows users to log in to devices and manage them securely through Web pages. This document describes HTTPS configuration procedures.
Abbreviations:
HTTPS  Hypertext Transfer Protocol Secure
IIS    Internet Information Services
MAC    Message Authentication Code
PKI    Public Key Infrastructure
SCEP   Simple Certificate Enrollment Protocol
SSL    Secure Sockets Layer
For a device that supports Web-based network management, enabling the HTTP service makes the device act as a Web server, so that users can access it through HTTP and control it through Web pages. However, HTTP itself provides no way to authenticate the identity of the Web server and cannot guarantee the confidentiality or integrity of the data transferred. HTTPS is introduced to address these problems.
HTTPS is a combination of HTTP and SSL. It enables the server and a client to authenticate each other and encrypts the data exchanged between them, allowing the client to manage the device securely.
With SSL, HTTPS enhances security in these ways:
• Every client uses the digital certificate of the server to authenticate the server, ensuring that it is talking to the right server.
• The server uses the digital certificate of a client to authenticate the identity of the client, ensuring that only authorized clients can access it.
• The server and a client encrypt the data transferred between them to ensure the confidentiality and integrity of the exchanged data, allowing the client to manage the device where the server resides securely.
• The server uses access control policies based on certificate attributes to control the access rights of clients, further reducing the exposure to unauthorized clients.
HTTPS is mainly used in scenarios where network administrators need to manage their devices remotely. As shown in Figure 1, a company has two branch offices, located at Site A and Site B respectively. To manage Device B securely, the administrator logs in to Device B through HTTPS.
The network administrator of Company A, who is not in the same city as the R&D department of the company, wants to log in to and manage the gateway of the R&D department securely.
As shown in Figure 2 , the requirements include:
• The administrator uses host Admin (220.127.116.11) to establish an HTTPS connection with Gateway and controls Gateway through Web pages.
• The security mechanism of SSL is used for the HTTPS server (Gateway) and the HTTPS client (Admin) to authenticate each other.
• For certificate-based identity authentication, a CA server is deployed to issue certificates to Gateway and Admin. This example assumes that the CA server is running Windows Server 2003.
Figure 2 Network diagram for HTTPS configuration
To satisfy the network requirements, you need to complete these tasks:
• Configuring the CA server: see 3.2.1 for configuration considerations.
• Configuring the HTTPS server: see 3.2.2 for configuration considerations.
• Configuring the HTTPS client: see 3.2.3 for configuration considerations.
3.2.1 CA Server Configuration Considerations
When using Windows Server 2003 as the CA server, configure the CA server as follows:
1) Install the Certificate Services component and set CA server parameters such as the CA type and name.
2) Install the Simple Certificate Enrollment Protocol (SCEP) add-on. Windows Server 2003 does not support SCEP by default when acting as a CA, but SCEP is the protocol the device uses to communicate with the CA, so the add-on is required before the CA server can accept enrollment requests from the device and issue certificates to it.
3) Change the certificate issuing policy to automatic. Otherwise, every certificate request has to be reviewed and issued manually by an administrator.
4) Modify the IIS attributes. Change the home directory of the default Web site to the path of the certificate services. To avoid conflicts with other services, it is recommended to specify a TCP port number for the site rather than use the default one.
When using Windows Server as the CA server, you must install and start IIS on the CA server.
3.2.2 HTTPS Server Configuration Considerations
Configure the HTTPS server as follows:
1) Configure the Public Key Infrastructure (PKI). PKI provides the public-key and digital-certificate machinery that SSL uses to authenticate the HTTPS server and its clients and to verify the identities of certificate owners. Therefore, before configuring the HTTPS server, complete the following PKI configurations:
• Configure a PKI entity. The identity information of the entity (its distinguished name) uniquely identifies the certificate applicant.
• Configure a PKI domain. Before an entity can request a certificate, it must be configured with enrollment information (the trusted CA, the RA URL and the entity to enroll); this collection of settings is referred to as a PKI domain. A PKI domain exists so that other applications, such as an SSL server policy, can reference all of this information by a single name.
• Retrieve the CA certificate and save it locally. The CA certificate is used to verify the authenticity and validity of the local certificate, and it is the trust anchor against which every certificate presented later is checked.
• Request a local certificate, manually or automatically. This example uses the manual mode.
2) Configure an SSL server policy. In the policy, you specify the PKI domain to reference, the cipher suites to use, and whether to authenticate the identity of clients. In this example, client authentication is required.
3) Configure HTTPS to use the SSL server policy and enable the HTTPS service.
4) Create a local user and set a password so that, in addition to its certificate, the client is authenticated by username and password.
3.2.3 HTTPS Client Configuration Considerations
Configure the HTTPS client as follows:
1) Request a certificate. Because the HTTPS server is configured to authenticate its clients, every HTTPS client must obtain a certificate from the CA that the server trusts.
2) Log in to Gateway through HTTPS and then enter the username and password to reach the Web configuration page of Gateway.
Before performing the following configurations, ensure that the HTTPS server (Gateway), the HTTPS client (Admin), and the CA server can reach one another, that is, that routes exist between them.
I. Installing the Certificate Services component
1) Open Control Panel and select Add or Remove Programs > Add/Remove Windows Components. In the Windows Components Wizard window, select Certificate Services from the component list and click Next to begin the installation.
2) Select Stand-alone root CA as the CA type, and then click Next.
3) Enter CA server as the name of the CA server and then click Next.
4) Select the directories for the CA certificate database, database log, and shared folder, and then click Next.
The default directories for the CA certificate database, database log and shared folder are displayed, where ca is the host name of the CA server. This configuration example uses the default directories.
5) After the installation process ends, click Finish to exit the Windows Components Wizard window.
II. Installing the SCEP add-on
1) Double-click the SCEP setup file. In the window that appears, click Next.
The SCEP add-on setup file can be downloaded free of charge from the Microsoft Web site.
Figure 7 Install the SCEP add-on 1)
2) Select Use the local system account and click Next.
Figure 8 Install the SCEP add-on 2)
3) Deselect the Require SCEP Challenge Phrase to Enroll checkbox and click Next.
The challenge phrase is disabled here only to keep the example simple. Combined with the automatic issuing policy configured under Modifying the certificate service attributes, this means that any host able to reach the RA URL can enroll and receive a certificate from this CA, and therefore a certificate that Gateway will accept. Outside a test lab, keep the challenge phrase enabled.
Figure 9 Install the SCEP add-on 3)
4) Enter the registration authority (RA) identification information and the other information the RA uses to register with the CA server, and click Next. An RA can perform functions such as identity authentication, CRL management, key pair generation and key pair backup, and can be regarded as an extension of the CA.
Figure 10 Install the SCEP add-on 4)
5) Click Finish to bring up the prompt box shown in Figure 11, record the URL, and then click OK.
When configuring the HTTPS server (Gateway), use the URL displayed in the prompt box as the address of the RA server; the host name ca in it can be replaced with the IP address of the CA server.
III. Modifying the certificate service attributes
After installing the Certificate Services component and the SCEP add-on, open Control Panel and select Administrative Tools > Certification Authority. If the CA server and the SCEP add-on have been installed successfully, there should be two certificates issued by the CA to the RA.
1) Right-click CA server in the navigation tree and select Properties.
Figure 12 Modify the certificate service attributes
2) In the CA server Properties window, select the Policy Module tab and click Properties.
Figure 13 Certificate service attributes window
3) In the Properties window that appears, select Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate, and click OK.
Figure 14 Properties of the policy module
4) Click the stop-service icon and then the start-service icon to restart Certificate Services, as shown in Figure 15 and Figure 16.
IV. Modifying the IIS attributes
1) Open Control Panel and select Administrative Tools > Internet Information Services (IIS) Manager. Select Web Sites from the navigation tree, right-click Default Web Site, and select Properties.
Figure 17 IIS manager
2) In the Default Web Site Properties window that appears, select the Home Directory tab, and type or browse to the path of the certificate services in the Local path text box.
Figure 18 Change the default home directory of the default Web site
3) Select the Web Site tab, and change the TCP port to 8080.
To avoid conflicts with existing services, it is recommended to specify a port number different from those already in use (including the default port 80) as the TCP port number of the default Web site.
Figure 19 Modify the TCP port number of the default Web site
I. Configuration steps
1) Configure Gateway to request a certificate from the CA server
• Configure the entity distinguished name (DN)
# Configure PKI entity aaa and set its common name to gateway.
[Gateway] pki entity aaa
[Gateway-pki-entity-aaa] common-name gateway
• Configure the PKI domain
# Create PKI domain ssl and enter its view.
[Gateway] pki domain ssl
# Specify the trusted CA by the name it was given during installation, CA server.
[Gateway-pki-domain-ssl] ca identifier ca server
# Configure the URL of the RA server as the URL displayed in the prompt box in Figure 11. Because the TCP port number of the default Web site on the CA server was changed to 8080, the RA URL must carry port 8080.
[Gateway-pki-domain-ssl] certificate request url http://18.104.22.168:8080/certsrv/mscep/mscep.dll
# Specify that certificate requests are submitted to the RA rather than directly to the CA.
[Gateway-pki-domain-ssl] certificate request from ra
# Specify the entity for certificate request as aaa.
[Gateway-pki-domain-ssl] certificate request entity aaa
• Generate a local RSA key pair
[Gateway] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
The key pair is generated on the device, and only the public key leaves it, inside the certificate request. Choose the largest modulus the device offers (2048 bits here) rather than the 1024-bit default: 512-bit and 1024-bit RSA keys are no longer considered strong enough to protect an administrative channel.
• Apply for certificates
A certificate has a validity period. Before requesting a certificate for the gateway, synchronize the system time of the gateway with that of the CA server; clock skew can cause the request to fail or the issued certificate to be treated as not yet valid or already expired.
# Retrieve the CA certificate and save it locally.
[Gateway] pki retrieval-certificate ca domain ssl
Retrieving CA/RA certificates. Please wait a while......
The trusted CA's finger print is:
MD5 fingerprint:9C7A 2FBA 9230 2BF5 F27D 5391 DCF7 9912
SHA1 fingerprint:189A CC85 F030 F866 51B1 9DD7 6DA9 65BA 5B05 2596
Is the finger print correct?(Y/N):y
Saving CA/RA certificates chain, please wait a moment.........
CA certificates retrieval success.
Answer Y only after comparing the displayed fingerprint with the fingerprint of the CA certificate as shown on the CA server itself, or obtained from the CA administrator through another trusted channel. The CA certificate is fetched over plain HTTP, so this prompt is the only point at which the device's trust anchor is verified; accepting an unverified fingerprint would let anyone able to intercept the connection to the RA URL substitute a CA of their own, after which every certificate that CA issues would be accepted by the gateway.
# Request a local certificate manually.
[Gateway] pki request-certificate domain ssl
Certificate is being requested, please wait......
Enrolling the local certificate,please wait a while......
Certificate request Successfully!
Saving the local certificate to device......
Done!
2) Configure an SSL server policy
# Create an SSL server policy named myssl.
[Gateway] ssl server-policy myssl
# Specify the PKI domain for the SSL server policy as ssl.
[Gateway-ssl-server-policy-myssl] pki-domain ssl
# Require every client to present a certificate that the gateway can validate against the CA certificate of the PKI domain (client authentication). For information about requesting a local certificate for the client, refer to Configuring the HTTPS Client.
[Gateway-ssl-server-policy-myssl] client-verify enable
[Gateway-ssl-server-policy-myssl] quit
3) Configure the HTTPS service
# Configure the HTTPS service to use SSL server policy myssl.
[Gateway] ip https ssl-server-policy myssl
# Enable HTTPS service.
[Gateway] ip https enable
4) Create a local user
# Create local user abc, set the password to 123, the service type to Telnet, and the command level to 3. The password 123 and its plaintext storage (password simple) are used here only to keep the example short; in a real deployment, use a strong password and store it with password cipher.
[Gateway] local-user abc
[Gateway-luser-abc] password simple 123
[Gateway-luser-abc] service-type telnet level 3
II. Configuration file
[Gateway] display current-configuration
version 5.20, Test 5310
domain default enable system
telnet server enable
pki entity aaa
pki domain ssl
ca identifier ca server
certificate request url http://22.214.171.124:8080/certsrv/mscep/mscep.dll
certificate request from ra
certificate request entity aaa
password simple 123
ssl server-policy myssl
port link-mode route
ip address 126.96.36.199 255.255.255.0
port link-mode route
ip address 188.8.131.52 255.255.255.0
ip https ssl-server-policy myssl
ip https enable
user-interface aux 0
user-interface vty 0 4
user privilege level 3
I. Requesting a certificate for Admin
1) On Admin, launch IE and enter http://184.108.40.206:8080/certsrv in the address bar. Because the TCP port number of the default Web site on the CA server was changed to 8080, the URL must include port 8080.
2) In the Web page, click Request a certificate.
Figure 20 Request a certificate for Admin 1)
3) Select the certificate type Web Browser Certificate.
Figure 21 Request a certificate for Admin 2)
4) Enter the identification information for the certificate, as shown in Figure 22.
5) After the certificate request completes successfully, click Install the certificate.
After the certificate is installed, select Tools > Internet Options, and then select the Content tab and click Certificates… to view information about the certificate.
II. Logging in to Gateway through HTTPS
1) On Admin, launch IE and enter https://220.127.116.11 in the address bar. When the browser prompts for a client certificate (Gateway requires one because client verification is enabled in the SSL server policy), select the certificate obtained for Admin.
2) The browser checks whether the server's certificate is valid. If the certificate is valid, the Web management login page appears, as shown in Figure 24. Otherwise, the browser displays a security alert asking whether you want to continue to access the server; this alert is what protects the administrator's credentials from being sent to an impostor. Choosing to continue anyway also brings up the Web management login page, but the identity of the server has then not been verified, so find and fix the cause of the alert before entering credentials. A common cause is that Admin does not yet trust the CA: the certificate issued to Admin in the previous procedure does not by itself make the CA server's certificate a trusted root on Admin, so the CA certificate (available from the same certsrv page) must also be installed as a trusted root certificate.
3) On the Web management login page, enter username abc and password 123 and click Login.
Copyright ©2008-2009 Hangzhou H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.
The information in this document is subject to change without notice.