HTTPS Configuration Example

Keywords: HTTPS, SSL, PKI, CA, RA

Abstract: HTTPS uses SSL to improve the security of HTTP. It allows users to log in to devices and manage them securely through Web pages. This document describes HTTPS configuration procedures.

Acronyms:

Acronym    Full spelling
CA         Certificate Authority
HTTPS      Hypertext Transfer Protocol Secure
IIS        Internet Information Service
MAC        Message Authentication Code
PKI        Public Key Infrastructure
RA         Registration Authority
SCEP       Simple Certificate Enrollment Protocol
SSL        Secure Sockets Layer

Feature Overview

A device that supports Web-based network management can function as a Web server once its HTTP service is enabled, allowing users to access it through HTTP and control it through Web pages. However, HTTP itself provides no way to authenticate the identity of the Web server and cannot guarantee the confidentiality and integrity of the transferred data. HTTPS is introduced to address these problems.

HTTPS is a combination of HTTP and SSL. It enables the server and a client to authenticate each other and encrypt data exchanged between them, allowing the client to manage the device securely.

Through SSL, HTTPS enhances security in the following ways:

•  Every client uses the digital certificate of the server to authenticate the server, ensuring that it is accessing the right server.

•  The server uses the digital certificate of a client to authenticate the identity of the client, ensuring that only legitimate clients can access it.

•  The server and a client encrypt the data transferred between them to ensure the confidentiality and integrity of the exchanged data, allowing the client to manage the device where the server resides securely.

•  The server uses access control policies based on certificate attributes to control the access rights of clients, further reducing the risk of attacks from unauthorized clients.

Application Scenarios

HTTPS is mainly used in scenarios where network administrators need to manage their devices remotely. As shown in Figure 1, a company has two branch offices, located at Site A and Site B respectively. To manage Device B securely, the administrator logs in to Device B through HTTPS.

Figure 1  Typical application scenario of HTTPS

Configuration Example

3.1  Network Requirements

The network administrator of Company A, who is not in the same city as the R&D department of the company, wants to log in to and manage the gateway of the R&D department securely.

As shown in Figure 2, the requirements include:

•  The administrator uses host Admin (1.1.1.2) to establish an HTTPS connection with Gateway and controls Gateway through Web pages.

•  The security mechanism of SSL is used for the HTTPS server (Gateway) and the HTTPS client (Admin) to authenticate each other.

•  For certificate-based identity authentication, a CA server is deployed to issue certificates to Gateway and Admin. This example assumes that the CA server is running Windows Server 2003.

Figure 2  Network diagram for HTTPS configuration

3.2  Configuration Considerations

To satisfy the network requirements, you need to complete these tasks:

Task                           Remarks
Configuring the CA Server      Go to 3.2.1 for configuration considerations
Configuring the HTTPS Server   Go to 3.2.2 for configuration considerations
Configuring the HTTPS Client   Go to 3.2.3 for configuration considerations

3.2.1  CA Server Configuration Considerations

When using Windows Server 2003 as the CA server, configure it as follows:

1) Install the Certificate Services component and set CA server parameters such as the CA type and name.
2) Install the Simple Certificate Enrollment Protocol (SCEP) add-on. The Windows Server series does not support SCEP by default when used as a CA server, but SCEP is the protocol that carries communication between the certificate applicant and the CA, and it is required for the CA server to provide certificate registration and issuing services.
3) Change the certificate issuing policy to automatic. Otherwise, certificate request review and certificate issuing have to be completed manually.
4) Modify the IIS attributes. Change the path of the default Web site to the path of the certificate services. To avoid conflicts with other service ports, it is recommended that you specify a TCP port number rather than use the default one.

Caution:
When using Windows Server as the CA server, you need to install and start IIS on the CA server.


3.2.2  HTTPS Server Configuration Considerations

Configure the HTTPS server as follows:

1) Configure the Public Key Infrastructure (PKI). PKI uses public key technologies and digital certificates to protect system information and to verify the identities of certificate owners. SSL uses PKI for identity authentication of the HTTPS server and its clients, so before configuring the HTTPS server you need to complete the PKI configuration:

•  Configure a PKI entity. The identity information of an entity uniquely identifies the certificate applicant.

•  Configure a PKI domain. Before requesting a certificate, an entity needs to be configured with some enrollment information, which is referred to as a PKI domain. A PKI domain exists only for convenient reference by other applications.

•  Retrieve the CA certificate and save it locally. The CA certificate is used to verify the authenticity and validity of the local certificate.

•  Request a local certificate manually or automatically. This example uses the manual mode.

2) Configure an SSL server policy. In the policy, you specify the PKI domain to reference, the cipher suites to use, and whether to authenticate the identity of clients. In this example, client identity authentication is required.
3) Configure HTTPS to use the SSL server policy and enable the HTTPS service.
4) Create a local user and specify a password so that clients are also authenticated by username and password.

3.2.3  HTTPS Client Configuration Considerations

Configure the HTTPS client as follows:

1) Request a certificate. Because the HTTPS server is configured to authenticate its clients, every HTTPS client must request a certificate from the CA server.
2) Log in to Gateway through HTTPS and then enter the username and password to log in to the Web configuration page of Gateway.

3.3  Configuration Procedures

Note:
Before performing the following configurations, ensure that routes are available between the HTTPS server (Gateway), the HTTPS client (Admin), and the CA server.


3.3.1  Configuring the CA Server

I. Installing the Certificate Services component

1) Open Control Panel and select Add or Remove Programs > Add/Remove Windows Components. Then, in the Windows Components Wizard window, select Certificate Services from the component list and click Next to begin the installation.

Figure 3  Install the Certificate Services component 1)

2) Select Stand-alone root CA as the CA type, and then click Next.

Figure 4  Install the Certificate Services component 2)

3) Enter CA server as the name of the CA server and then click Next.

Figure 5  Install the Certificate Services component 3)

4) Select the directories for the CA certificate database, database log, and shared folder, and then click Next.

Figure 6  Install the Certificate Services component 4)

Note:
The interface displays the default directories for the CA certificate database, database log, and shared folder, where ca is the host name of the CA server. This configuration example uses the default directories.

5) After the installation process ends, click Finish to exit the Windows Components Wizard window.

II. Installing the SCEP add-on

1) Double-click the SCEP setup file. Then, in the window that pops up, click Next.

Note:
You can download the SCEP setup file from the Microsoft Web site free of charge.

Figure 7  Install the SCEP add-on 1)

2) Select Use the local system account and click Next.

Figure 8  Install the SCEP add-on 2)

3) Deselect the Require SCEP Challenge Phrase to Enroll checkbox and click Next.

Figure 9  Install the SCEP add-on 3)

4) Enter the registration authority (RA) identification information and the other information the RA uses to register with the CA server, and click Next. An RA can implement functions including identity authentication, CRL management, key pair generation, and key pair backup. An RA can be an extended part of a CA.

Figure 10  Install the SCEP add-on 4)

5) Click Finish to bring up the prompt box shown in Figure 11, record the URL, and then click OK.

Figure 11  Install the SCEP add-on 5)

Caution:
When configuring the HTTPS server (Gateway), use the URL displayed in the prompt box as the address of the RA server; the host name ca in it can be replaced with the IP address of the CA server.


III. Modifying the certificate service attributes

After installing the Certificate Services component and the SCEP add-on, open Control Panel and select Administrative Tools > Certification Authority. If the CA server and SCEP add-on have been installed successfully, two certificates issued by the CA to the RA are listed.

1) Right-click CA server in the navigation tree and select Properties.

Figure 12  Modify the certificate service attributes

2) In the CA server Properties window, select the Policy Module tab and click Properties.

Figure 13  Certificate service attributes window

3) In the Properties window that appears, select Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate, and click OK.

Figure 14  Properties of the policy module

4) Click the stop service and start service icons in turn to restart the certificate services, as shown in Figure 15 and Figure 16.

Figure 15  Stop certificate services

Figure 16  Start certificate services

IV. Modifying the IIS attributes

1) Open Control Panel and select Administrative Tools > Internet Information Services (IIS) Manager. Then, select Web Sites from the navigation tree, right-click Default Web Site, and select Properties.

Figure 17  IIS manager

2) In the Default Web Site Properties window that appears, select the Home Directory tab, and type or browse to the path of the certificate services in the Local path text box.

Figure 18  Change the default home directory of the default Web site

3) Select the Web Site tab, and change the TCP port to 8080.

Caution:
To avoid conflicts with existing services, it is recommended that you specify a port number different from those used by existing services (including the default port number 80) as the TCP port number of the default Web site.

Figure 19  Modify the TCP port number of the default Web site

3.3.2  Configuring the HTTPS Server

I. Configuration steps

1) Configure Gateway to request a certificate from the CA server

•  Configure the entity distinguished name (DN)

# Configure a PKI entity, setting the entity name to aaa and the common name to gateway.
<Gateway> system-view
[Gateway] pki entity aaa
[Gateway-pki-entity-aaa] common-name gateway
[Gateway-pki-entity-aaa] quit

•  Configure the PKI domain

# Create PKI domain ssl and enter its view.
[Gateway] pki domain ssl

# Set the identifier of the trusted CA to ca server, the name given to the CA server when the Certificate Services component was installed.
[Gateway-pki-domain-ssl] ca identifier ca server

# Configure the URL of the RA server as the URL displayed in the prompt box in Figure 11. Because the TCP port number of the default Web site on the CA server has been changed to 8080, specify port 8080 in the RA server URL.
[Gateway-pki-domain-ssl] certificate request url http://5.5.5.1:8080/certsrv/mscep/mscep.dll

# Set the registration authority to RA.
[Gateway-pki-domain-ssl] certificate request from ra

# Specify aaa as the entity for the certificate request.
[Gateway-pki-domain-ssl] certificate request entity aaa
[Gateway-pki-domain-ssl] quit

•  Generate local RSA key pairs

[Gateway] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
..++++++++.++++++++++
...++..++...++....++...++...++..++...++...++..++...++...++..++...++...++...++..+
+...++...++..++....++..++...++...++..++...++...++...++..++..++...++...++..++..++
...++...++...++++++++.+++++++++.+
...++..++....++...++..++..++..++...++...++..++...++...++..++...++.++++++++++++++
+.+++++++
..++...++..++...++++++++++++++.++++++++++

•  Apply for certificates

Caution:
A certificate has a lifetime. Before requesting a certificate for the gateway, it is recommended that you synchronize the system time of the gateway with that of the CA server to avoid certificate request failure.


# Retrieve the CA certificate and save it locally.
[Gateway] pki retrieval-certificate ca domain ssl
Retrieving CA/RA certificates. Please wait a while......
The trusted CA's finger print is:
    MD5  fingerprint:9C7A 2FBA 9230 2BF5 F27D 5391 DCF7 9912
    SHA1 fingerprint:189A CC85 F030 F866 51B1 9DD7 6DA9 65BA 5B05 2596

Is the finger print correct?(Y/N):y

Saving CA/RA certificates chain, please wait a moment.........
CA certificates retrieval success.
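The prompt above asks the operator to confirm the CA's fingerprint before the certificate is trusted. The Python script below is an added example and is not part of the H3C document or the device software: it computes MD5 and SHA-1 fingerprints in the gateway's display format and compares them in constant time against a value obtained out of band (for example, read from the CA server console by its administrator). The DER bytes and the expected value are constructed placeholders, not a real certificate or a real fingerprint.

```python
import hashlib
import hmac
import re

# Constructed stand-in for the DER-encoded CA certificate the gateway
# downloads. These are NOT real certificate bytes (assumption for the demo);
# the functions below work on whatever DER bytes are actually retrieved.
CA_CERT_DER = b"constructed-ca-certificate-bytes-for-demonstration-only"

# Fingerprint obtained out of band, e.g. read from the CA server console by
# its administrator. Constructed placeholder; replace with the real value.
EXPECTED_FROM_CA_ADMIN = "replace-with-the-fingerprint-read-on-the-ca-server"


def device_style_fingerprint(der: bytes, algorithm: str) -> str:
    """Digest of the DER bytes in the gateway's display format: upper-case hex,
    grouped four characters per block, e.g. '9C7A 2FBA 9230 2BF5 ...'."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))


def normalize_fingerprint(text: str) -> str:
    """Drop spaces, colons and case so values copied from the gateway prompt,
    the CA console or OpenSSL ('9c:7a:2f:ba...') compare reliably."""
    return re.sub(r"[^0-9A-F]", "", text.upper())


def fingerprint_matches(der: bytes, expected: str) -> bool:
    """True if the certificate's fingerprint equals the value obtained out of
    band. The digest length selects MD5 (32 hex digits) or SHA-1 (40), the two
    lines the gateway prints; the comparison is constant-time."""
    wanted = normalize_fingerprint(expected)
    algorithm = {32: "md5", 40: "sha1"}.get(len(wanted))
    if algorithm is None:
        return False
    actual = normalize_fingerprint(device_style_fingerprint(der, algorithm))
    return hmac.compare_digest(actual, wanted)


if __name__ == "__main__":
    for name in ("md5", "sha1"):
        print("%-4s fingerprint: %s" % (name.upper(), device_style_fingerprint(CA_CERT_DER, name)))
    print("answer 'y' at the prompt:", fingerprint_matches(CA_CERT_DER, EXPECTED_FROM_CA_ADMIN))
```

Answering y without comparing the displayed value against an independently obtained fingerprint trusts whatever certificate the network delivered; the comparison is the step that gives the retrieval its security value, so the script only reports a match for the same bytes under the same digest and rejects any value of the wrong length.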

# Request a local certificate manually.
[Gateway] pki request-certificate domain ssl
Certificate is being requested, please wait......
[Gateway]
Enrolling the local certificate,please wait a while......
Certificate request Successfully!
Saving the local certificate to device......
Done!
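The caution before the request step notes that a certificate has a lifetime and that the gateway's clock should match the CA's. The Python code below is an added example, not from the H3C document or the device: it parses the two time encodings X.509 uses in the validity field (UTCTime and GeneralizedTime, as defined in RFC 5280) and classifies a certificate against a local clock with a configurable skew tolerance, so that a "not yet valid" result falling inside the tolerance can be recognised as a clock-synchronisation problem rather than a bad certificate. The validity window and clock values are constructed, and the five-minute tolerance is an assumed default.

```python
from datetime import datetime, timedelta, timezone


def parse_x509_time(value: str) -> datetime:
    """Parse the two encodings X.509 uses for notBefore/notAfter:
    UTCTime 'YYMMDDHHMMSSZ' (years 50-99 mean 1950-1999, 00-49 mean 2000-2049)
    and GeneralizedTime 'YYYYMMDDHHMMSSZ'. Only Zulu-time forms are accepted."""
    if not value.endswith("Z"):
        raise ValueError("only Zulu-time encodings are accepted: %r" % value)
    digits = value[:-1]
    if len(digits) == 12:            # UTCTime
        yy = int(digits[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = digits[2:]
    elif len(digits) == 14:          # GeneralizedTime
        year = int(digits[:4])
        rest = digits[4:]
    else:
        raise ValueError("unrecognised time encoding: %r" % value)
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def validity_status(not_before: str, not_after: str, now: datetime,
                    skew: timedelta = timedelta(minutes=5)) -> str:
    """Classify a certificate's validity window against the local clock.
    'skew' is the tolerated drift between the device and the CA: a notBefore
    that lies ahead of 'now' by less than the tolerance is reported separately,
    because that is the typical symptom of a clock that was not synchronised
    before the certificate was issued."""
    start = parse_x509_time(not_before)
    end = parse_x509_time(not_after)
    if now < start - skew:
        return "not-yet-valid"
    if now < start:
        return "not-yet-valid-within-skew"
    if now > end:
        return "expired"
    return "valid"


if __name__ == "__main__":
    # Constructed validity window (not taken from the page) checked against
    # several constructed device clocks.
    window = ("240101000000Z", "250101000000Z")
    for clock in ("231231235800Z", "240101000000Z", "240601120000Z", "250102000000Z"):
        print(clock, validity_status(*window, now=parse_x509_time(clock)))
```

A device whose clock lags the CA by a couple of minutes receives a certificate whose notBefore is in its future; the "not-yet-valid-within-skew" result distinguishes that case, which is fixed by synchronising time as the caution advises, from a certificate that is genuinely outside its lifetime.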

2) Configure an SSL server policy

# Create an SSL server policy named myssl.
[Gateway] ssl server-policy myssl

# Specify ssl as the PKI domain for the SSL server policy.
[Gateway-ssl-server-policy-myssl] pki-domain ssl

# Require client authentication. For information about requesting a local certificate for the client, refer to Configuring the HTTPS Client.
[Gateway-ssl-server-policy-myssl] client-verify enable
[Gateway-ssl-server-policy-myssl] quit

3) Configure the HTTPS service

# Configure the HTTPS service to use SSL server policy myssl.
[Gateway] ip https ssl-server-policy myssl

# Enable the HTTPS service.
[Gateway] ip https enable

4) Create a local user

# Create local user abc, set the password to 123, the service type to Telnet, and the command level to 3.
[Gateway] local-user abc
[Gateway-luser-abc] password simple 123
[Gateway-luser-abc] service-type telnet level 3

II. Configuration file

[Gateway] display current-configuration
#
 version 5.20, Test 5310
#
 sysname Gateway
#
 domain default enable system
#
 telnet server enable
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
pki entity aaa
  common-name gateway
#
pki domain ssl
  ca identifier ca server
  certificate request url http://5.5.5.1:8080/certsrv/mscep/mscep.dll
  certificate request from ra
  certificate request entity aaa
#
local-user abc
 password simple 123
 service-type telnet
 level 3
#
ssl server-policy myssl
 pki-domain ssl
 client-verify enable
#
interface Ethernet1/1
 port link-mode route
 ip address 5.5.5.2 255.255.255.0
#
interface Ethernet1/2
 port link-mode route
 ip address 1.1.1.1 255.255.255.0
#
 ip https ssl-server-policy myssl
 ip https enable
#
 load xml-configuration
#
user-interface aux 0
user-interface vty 0 4
 authentication-mode none
 user privilege level 3
#
return
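The configuration file above can be audited mechanically. The Python script below is an added example, not part of the H3C document or the device software: it splits the "#"-delimited sections of the displayed configuration, confirms the settings this example depends on (the HTTPS service is enabled and bound to an SSL server policy, that policy requires client certificates, and the PKI domain names a trusted CA and an RA URL), and lists two settings a reviewer would want to examine: local users whose password is stored with password simple, which keeps the password in plaintext in the configuration, and user interfaces configured with authentication-mode none. The sample input is an excerpt of the page's own configuration; the finding names are the example's own.

```python
import re
from typing import Dict, List

# Excerpt of the gateway's "display current-configuration" output shown
# above, embedded here as sample input.
SAMPLE_CONFIG = """\
#
 sysname Gateway
#
 telnet server enable
#
pki domain ssl
  ca identifier ca server
  certificate request url http://5.5.5.1:8080/certsrv/mscep/mscep.dll
  certificate request from ra
  certificate request entity aaa
#
local-user abc
 password simple 123
 service-type telnet
 level 3
#
ssl server-policy myssl
 pki-domain ssl
 client-verify enable
#
 ip https ssl-server-policy myssl
 ip https enable
#
user-interface vty 0 4
 authentication-mode none
 user privilege level 3
#
return
"""


def parse_sections(config: str) -> List[List[str]]:
    """Split Comware-style output into '#'-delimited sections. Each section is
    a list of stripped command lines; empty sections and 'return' are dropped."""
    sections, current = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                sections.append(current)
            current = []
        elif line and line != "return":
            current.append(line)
    if current:
        sections.append(current)
    return sections


def audit_https_config(config: str) -> Dict[str, object]:
    """Check the settings the HTTPS example relies on and collect lines a
    reviewer would want to look at. Finding names are this example's own."""
    sections = parse_sections(config)
    flat = [line for section in sections for line in section]
    findings: Dict[str, object] = {
        "https_enabled": "ip https enable" in flat,
        "policy_bound": None,          # SSL server policy the HTTPS service uses
        "client_verify": False,        # that policy requires client certificates
        "pki_domain_has_ca": False,    # the PKI domain names a trusted CA
        "ra_url": None,                # enrollment URL configured in the PKI domain
        "plaintext_passwords": [],     # local users stored with 'password simple'
        "unauthenticated_lines": [],   # user interfaces with 'authentication-mode none'
    }
    for line in flat:
        m = re.match(r"ip https ssl-server-policy (\S+)$", line)
        if m:
            findings["policy_bound"] = m.group(1)

    for section in sections:
        head, body = section[0], section[1:]
        if head == "ssl server-policy %s" % findings["policy_bound"]:
            findings["client_verify"] = "client-verify enable" in body
        elif head.startswith("pki domain "):
            findings["pki_domain_has_ca"] = any(cmd.startswith("ca identifier ") for cmd in body)
            for cmd in body:
                m = re.match(r"certificate request url (\S+)$", cmd)
                if m:
                    findings["ra_url"] = m.group(1)
        elif head.startswith("local-user "):
            if any(cmd.startswith("password simple ") for cmd in body):
                findings["plaintext_passwords"].append(head.split(" ", 1)[1])
        elif head.startswith("user-interface ") and "authentication-mode none" in body:
            findings["unauthenticated_lines"].append(head)
    return findings


if __name__ == "__main__":
    for name, value in audit_https_config(SAMPLE_CONFIG).items():
        print("%-22s %s" % (name, value))
```

Run against the excerpt, the audit confirms that HTTPS is enabled with policy myssl, that myssl enforces client-verify enable, and that PKI domain ssl names CA ca server and the RA URL on port 8080; it also reports user abc (password simple) and user-interface vty 0 4 (authentication-mode none) for review.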

3.3.3  Configuring the HTTPS Client

Follow these steps to request a certificate for Admin:

1) On Admin, launch IE and enter http://5.5.5.1:8080/certsrv in the address bar. Because the TCP port number of the default Web site on the CA server has been changed to 8080, you need to include port 8080 in the URL.

2) On the Web page, click Request a certificate.

Figure 20  Request a certificate for Admin 1)

3) Select Web Browser Certificate as the certificate type.

Figure 21  Request a certificate for Admin 2)

4) Enter the identification information of the certificate, as shown in Figure 22.

Figure 22  Request a certificate for Admin 3)

5) After the certificate request completes successfully, click Install the certificate.

Figure 23  Request a certificate for Admin 4)

After the certificate is installed, select Tools > Internet Options, select the Content tab, and click Certificates… to view information about the certificate.

3.3.4  Verification

1) On Admin, launch IE and enter https://1.1.1.1 in the address bar. Then, select the obtained certificate Admin.

2) The system checks whether the server's certificate is valid. If the certificate is valid, the Web management login page appears, as shown in Figure 24. Otherwise, the system displays a security alert asking whether you want to continue accessing the server. This helps prevent user information from being stolen. If you choose to access the server anyway, you will enter the Web management login page.

3) On the Web management login page, enter username abc and password 123 and then click Login.

Figure 24  Web management login page

Copyright ©2008-2009 Hangzhou H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.

The information in this document is subject to change without notice.