When configuring SSL, go to these sections for information you are interested in:
• SSL Overview
• SSL Configuration Task List
• Displaying and Maintaining SSL
• Troubleshooting SSL
1.1 SSL Overview
Secure Sockets Layer (SSL) is a security protocol that provides a secure connection service for TCP-based application layer protocols, for example HTTP. It is widely used in e-business and online banking to provide secure data transmission over the Internet.
SSL provides these security services:
• Confidentiality: SSL encrypts data using a symmetric encryption algorithm and the key generated during the handshake phase.
• Authentication: SSL supports authenticating both the server and the client through certificates; authentication of the client is optional.
• Integrity: SSL uses a keyed message authentication code (MAC) to verify that messages have not been modified in transit.
As shown in Figure 1-1, the SSL protocol consists of two layers: the SSL record protocol at the lower layer, and the SSL handshake protocol, change cipher spec protocol, and alert protocol at the upper layer.

Figure 1-1 SSL protocol stack
• SSL handshake protocol: Responsible for establishing a session between a client and the server. A session consists of a set of parameters such as the session ID, peer certificate, cipher suite (including the key exchange algorithm, data encryption algorithm, and MAC algorithm), compression algorithm, and master secret. An SSL session can be used to establish multiple connections, which reduces the cost of session negotiation.
• SSL change cipher spec protocol: Used by the client and the server to notify each other that subsequent packets are to be protected and transmitted using the newly negotiated cipher suite and keys.
• SSL alert protocol: Allows the client and the server to send alert messages to each other. An alert message contains the alert severity level and a description.
• SSL record protocol: Fragments and compresses the data to be transmitted, calculates and appends a MAC to the data, and encrypts the data before transmitting it to the peer.
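The four record protocol steps above (fragment, compress, MAC, encrypt) and what the receiver does with them, as an added example that is not part of this configuration guide: a small Python model of one direction of a connection. The MAC follows the TLS 1.0 construction (HMAC over the implicit sequence number, the record header, and the fragment); the "encryption" is a stand-in keystream derived from SHA-256, an assumption made so that the example runs with the standard library alone, and not the AES-CBC or RC4 of the real cipher suites. The point it shows beyond the text is why the MAC covers the sequence number: a replayed or reordered record fails verification even though its own MAC is intact.

```python
"""Toy model of the SSL record protocol: fragment, (null) compress, MAC, encrypt.

Added example, not from the configuration guide. The MAC follows the TLS 1.0
construction, HMAC over seq_num || type || version || length || fragment; the
"encryption" is a stand-in keystream derived from SHA-256 (an assumption so the
example runs with the standard library only), NOT the AES-CBC or RC4 of the
real cipher suites.
"""
import hashlib
import hmac
import struct

MAX_FRAGMENT = 2 ** 14        # the record layer never sends more than 16 KiB per record
VERSION = b"\x03\x01"         # TLS 1.0, the default version of an SSL client policy
APPLICATION_DATA = 23         # record content type for application data
MAC_LEN = 20                  # HMAC-SHA1, as in the *_sha cipher suites


class RecordState:
    """One direction of a connection: MAC key, cipher key and implicit sequence number."""

    def __init__(self, mac_key: bytes, enc_key: bytes) -> None:
        self.mac_key = mac_key
        self.enc_key = enc_key
        self.seq = 0          # 64-bit counter kept by both ends, never sent on the wire


def _keystream(key: bytes, seq: int, length: int) -> bytes:
    """Stand-in stream cipher (toy): SHA-256(key || seq || counter) blocks."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hashlib.sha256(key + struct.pack(">QI", seq, counter)).digest())
    return b"".join(blocks)[:length]


def _mac(state: RecordState, content_type: int, fragment: bytes) -> bytes:
    """HMAC-SHA1 over the sequence number and record header, then the fragment.

    Covering the sequence number binds the record to its position in the stream,
    so a replayed, dropped or reordered record fails the check at the receiver.
    """
    header = struct.pack(">QB", state.seq, content_type) + VERSION + struct.pack(">H", len(fragment))
    return hmac.new(state.mac_key, header + fragment, hashlib.sha1).digest()


def protect(state: RecordState, content_type: int, data: bytes) -> list:
    """Sender: fragment -> compress (method 'null') -> MAC -> encrypt -> wire records."""
    records = []
    for offset in range(0, len(data), MAX_FRAGMENT):
        fragment = data[offset:offset + MAX_FRAGMENT]   # null compression: identity
        plain = fragment + _mac(state, content_type, fragment)
        body = bytes(a ^ b for a, b in zip(plain, _keystream(state.enc_key, state.seq, len(plain))))
        records.append(struct.pack(">B", content_type) + VERSION + struct.pack(">H", len(body)) + body)
        state.seq += 1
    return records


def unprotect(state: RecordState, record: bytes) -> tuple:
    """Receiver: decrypt, split off the MAC and verify it for the expected sequence number."""
    if len(record) < 5 + MAC_LEN:
        raise ValueError("decode_error: record too short")
    content_type, version, length = record[0], record[1:3], struct.unpack(">H", record[3:5])[0]
    body = record[5:5 + length]
    if version != VERSION or len(body) != length or length < MAC_LEN:
        raise ValueError("decode_error: bad header")
    plain = bytes(a ^ b for a, b in zip(body, _keystream(state.enc_key, state.seq, len(body))))
    fragment, tag = plain[:-MAC_LEN], plain[-MAC_LEN:]
    if not hmac.compare_digest(tag, _mac(state, content_type, fragment)):
        # The real stack answers this with a fatal bad_record_mac alert (alert protocol).
        raise ValueError("bad_record_mac")
    state.seq += 1
    return content_type, fragment


def rejects(state: RecordState, record: bytes) -> bool:
    """True if the receiver would discard the record (shows replay/tamper detection)."""
    try:
        unprotect(state, record)
    except ValueError:
        return True
    return False
```

Feed a 40 KiB application-data buffer through protect() and you get three records (two full 16 KiB fragments and the remainder), each carrying its own MAC; delivering one of them a second time, or out of order, is rejected because the receiver's sequence number has moved on, and flipping any byte of the body is rejected because the MAC no longer verifies.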
1.2 SSL Configuration Task List
Different parameters are required on the SSL server and the SSL client.
Complete the following tasks to configure SSL:
1.3 Configuring an SSL Server Policy
An SSL server policy is a set of SSL parameters for a server to use when it starts up. An SSL server policy takes effect only after it is associated with an application layer protocol, for example HTTP.
Before configuring an SSL server policy, you must configure a PKI (public key infrastructure) domain.
Follow these steps to configure an SSL server policy:
To do: Enter system view
Command: system-view
Remarks: —
To do: Create an SSL server policy and enter its view
Command: ssl server-policy policy-name
Remarks: Required
To do: Specify a PKI domain for the SSL server policy
Command: pki-domain domain-name
Remarks: Required. By default, no PKI domain is specified for an SSL server policy.
To do: Specify the cipher suite(s) for the SSL server policy to support
Command: ciphersuite [ rsa_aes_128_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha ] *
Remarks: Optional. By default, an SSL server policy supports all four cipher suites.
To do: Set the handshake timeout time for the SSL server
Command: handshake timeout time
Remarks: Optional. 3,600 seconds by default.
To do: Configure the SSL connection close mode
Command: close-mode wait
Remarks: Optional. Not wait by default.
To do: Set the maximum number of cached sessions and the caching timeout time
Command: session { cachesize size | timeout time } *
Remarks: Optional. By default, at most 500 sessions are cached and the caching timeout time is 3,600 seconds.
To do: Enable certificate-based SSL client authentication
Command: client-verify enable
Remarks: Optional. Not enabled by default.
If you enable client authentication here, you must also request a local certificate for the client.
Of the supported cipher suites, rsa_des_cbc_sha (56-bit DES), the two RC4 suites, and the MD5-based MAC are weak by current standards. Unless a client requires one of them, restrict the policy to rsa_aes_128_cbc_sha with the ciphersuite command; with the default, a client that offers only a weak suite is accepted.
1.3.3 SSL Server Policy Configuration Example
I. Network requirements
• A switch works as the HTTPS server.
• A host works as the client and accesses the HTTPS server through HTTP secured with SSL.
• A certificate authority (CA) issues a certificate to the switch.
Caution:
In this example, Windows Server works as the CA, and the Simple Certificate Enrollment Protocol (SCEP) plug-in is installed on the CA.
II. Network diagram

Figure 1-2 Network diagram for SSL server policy configuration
III. Configuration procedure
1) Request a certificate for the switch
# Create a PKI entity named en and configure it.
<Sysname> system-view
[Sysname] pki entity en
[Sysname-pki-entity-en] common-name http-server1
[Sysname-pki-entity-en] fqdn ssl.security.com
[Sysname-pki-entity-en] quit
# Create a PKI domain and configure it.
[Sysname] pki domain 1
[Sysname-pki-domain-1] ca identifier ca1
[Sysname-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll
[Sysname-pki-domain-1] certificate request from ra
[Sysname-pki-domain-1] certificate request entity en
[Sysname-pki-domain-1] quit
# Create a local RSA key pair.
[Sysname] public-key local create rsa
# Retrieve the CA certificate.
[Sysname] pki retrieval-certificate ca domain 1
# Request a local certificate.
[Sysname] pki request-certificate domain 1
2) Configure an SSL server policy
# Create an SSL server policy named myssl.
[Sysname] ssl server-policy myssl
# Specify PKI domain 1 for the SSL server policy.
[Sysname-ssl-server-policy-myssl] pki-domain 1
# Enable client authentication.
[Sysname-ssl-server-policy-myssl] client-verify enable
[Sysname-ssl-server-policy-myssl] quit
3) Associate the HTTPS service with the SSL server policy and enable the HTTPS service
# Configure the HTTPS service to use SSL server policy myssl.
[Sysname] ip https ssl-server-policy myssl
# Enable the HTTPS service.
[Sysname] ip https enable
4) Verify your configuration
Launch Internet Explorer on the host and enter https://10.1.1.1 in the address bar. You should be able to log in to the switch and manage it. Because client-verify enable is set, the host must present a certificate issued by a CA that the switch trusts; a browser without one is rejected during the handshake.
• For details about PKI configuration commands, refer to PKI Commands.
• For details about the public-key local create rsa command, refer to SSH Commands.
1.4 Configuring an SSL Client Policy
An SSL client policy is a set of SSL
parameters for a client to use when connecting to the server. An SSL client
policy takes effect only after it is associated with an application layer
protocol.
Before configuring an SSL client policy,
you must configure a PKI domain. For details about PKI domain configuration,
refer to PKI Configuration.
Follow these steps to configure an SSL
client policy:
To do: Enter system view
Command: system-view
Remarks: —
To do: Create an SSL client policy and enter its view
Command: ssl client-policy policy-name
Remarks: Required
To do: Specify a PKI domain for the SSL client policy
Command: pki-domain domain-name
Remarks: Required. No PKI domain is configured by default.
To do: Specify the preferred cipher suite for the SSL client policy
Command: prefer-cipher { rsa_aes_128_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha }
Remarks: Optional. rsa_rc4_128_md5 by default.
To do: Specify the SSL protocol version for the SSL client policy
Command: version { ssl3.0 | tls1.0 }
Remarks: Optional. TLS 1.0 by default.
If you enable client authentication on the server, you must request a local certificate for the client.
The default preferred cipher suite, rsa_rc4_128_md5, combines RC4 with an MD5-based MAC, both of which are weak by current standards; set prefer-cipher rsa_aes_128_cbc_sha where the server supports it. SSL 3.0 is obsolete and has known protocol weaknesses, so keep the default tls1.0 unless the server cannot negotiate it.
1.5 Displaying and Maintaining SSL
To do: Display SSL server policy information
Command: display ssl server-policy { policy-name | all }
Remarks: Available in any view
To do: Display SSL client policy information
Command: display ssl client-policy { policy-name | all }
Remarks: Available in any view
1.6 Troubleshooting SSL
I. Symptom
As the SSL server, the device fails to complete the handshake with the SSL client.
II. Analysis
An SSL handshake failure may result from the following causes:
• No SSL server certificate exists, or the certificate is not trusted by the client.
• The server is configured to authenticate the client, but the SSL client has no certificate or its certificate is not trusted by the server.
• The cipher suites supported by the server and the client do not match.
III. Solution
1) Issue the debugging ssl command and examine the debugging information to locate the problem:
• If the SSL server has no certificate, request one for it.
• If the server certificate cannot be trusted, install on the SSL client the root certificate of the CA that issued the local certificate to the SSL server, or have the server request a certificate from a CA that the SSL client trusts.
• If the SSL server is configured to authenticate the client, but the SSL client has no certificate or its certificate cannot be trusted, request and install a certificate for the client from a CA that the server trusts.
2) Use the display ssl server-policy command to view the cipher suites supported by the SSL server policy. If no cipher suite offered by the client is supported by the SSL server, use the ciphersuite command to modify the cipher suites of the SSL server, or change the preferred cipher suite of the client.
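The procedure above locates the failure from the device side with debugging ssl. The same three causes can be told apart from the client side with openssl s_client, which lets you reproduce exactly one client policy (protocol version plus one cipher suite) per attempt. The following Python helper is an added example, not part of this guide: it builds the s_client command line from the device's own cipher-suite and version keywords and maps the phrases that s_client prints to the causes listed in the analysis. The OpenSSL flags, cipher names and output phrases are OpenSSL's; the sample outputs are constructed to show each failure shape and were not captured from a device, and the host address and file names are placeholders.

```python
"""Locate an SSL handshake failure from the client side with 'openssl s_client'.

Added example, not from the configuration guide. The s_client flags, the OpenSSL
cipher names and the output phrases matched below are OpenSSL's; the sample
outputs are constructed to show each failure shape and were not captured from a
device. Host 10.1.1.1 and file names are placeholders.
"""
import re

# Device cipher-suite keywords (ciphersuite / prefer-cipher) -> OpenSSL cipher names
OPENSSL_CIPHER = {
    "rsa_aes_128_cbc_sha": "AES128-SHA",
    "rsa_des_cbc_sha": "DES-CBC-SHA",
    "rsa_rc4_128_md5": "RC4-MD5",
    "rsa_rc4_128_sha": "RC4-SHA",
}
# Device 'version' keywords (client policy) -> s_client protocol flags
OPENSSL_VERSION = {"ssl3.0": "-ssl3", "tls1.0": "-tls1"}


def s_client_command(host, port, version, cipher, cafile=None, cert=None, key=None):
    """argv that reproduces one client policy (version + cipher) against the device."""
    argv = ["openssl", "s_client", "-connect", f"{host}:{port}",
            OPENSSL_VERSION[version], "-cipher", OPENSSL_CIPHER[cipher]]
    if cafile:          # root of the CA that issued the device certificate
        argv += ["-CAfile", cafile]
    if cert and key:    # client certificate, required once 'client-verify enable' is set
        argv += ["-cert", cert, "-key", key]
    return argv


def diagnose(output):
    """Map s_client output to the handshake-failure causes of the troubleshooting section."""
    alert = re.search(r"alert (handshake failure|bad certificate|unknown ca|certificate unknown)", output)
    no_peer_cert = "no peer certificate available" in output
    client_cert_requested = "Acceptable client certificate CA names" in output
    verify = re.search(r"Verify return code: (\d+) \((.*?)\)", output)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    result = {"cipher": cipher.group(1) if cipher else None,
              "client_cert_requested": client_cert_requested,
              "verify": verify.group(2) if verify else None}
    if alert and no_peer_cert:
        # Server aborted before sending a certificate: nothing it supports matches
        # our -cipher, or it has no local certificate to offer at all.
        result["cause"] = "no server certificate or cipher suite mismatch"
    elif alert and client_cert_requested:
        # Server certificate and cipher were fine; the server rejected our (absent) certificate.
        result["cause"] = "client certificate missing or not trusted"
    elif verify and verify.group(1) != "0":
        result["cause"] = "server certificate not trusted"
    elif alert:
        result["cause"] = "handshake failure; check 'debugging ssl' on the device"
    else:
        result["cause"] = "ok"
    return result


# Constructed s_client outputs (abridged), one per failure shape.
SAMPLE_OK = """CONNECTED(00000003)
depth=0 CN = http-server1
verify return:1
---
Acceptable client certificate CA names
/CN=new-ca
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
    Cipher    : AES128-SHA
    Verify return code: 0 (ok)
"""
SAMPLE_UNTRUSTED = """CONNECTED(00000003)
depth=0 CN = http-server1
verify error:num=21:unable to verify the first certificate
---
    Cipher    : AES128-SHA
    Verify return code: 21 (unable to verify the first certificate)
"""
SAMPLE_MISMATCH = """CONNECTED(00000003)
140735:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
    Cipher    : 0000
    Verify return code: 0 (ok)
"""
SAMPLE_CLIENT_REJECTED = """CONNECTED(00000003)
depth=0 CN = http-server1
verify return:1
---
Acceptable client certificate CA names
/CN=new-ca
---
140735:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1259:SSL alert number 40
    Cipher    : AES128-SHA
    Verify return code: 0 (ok)
"""
```

Run the command that s_client_command() returns for each cipher suite the client policy may prefer, and feed the captured output to diagnose(): an alert with no peer certificate points at the ciphersuite setting on the server (or a missing server certificate), an alert after the server has asked for "Acceptable client certificate CA names" points at the client's certificate, and a non-zero verify return code with a completed handshake means the client simply does not trust the server's issuing CA.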
When configuring HTTPS, go to these sections for information you are interested in:
• HTTPS Overview
• HTTPS Configuration Task List
• Associating the HTTPS Service with an SSL Server Policy
• Enabling the HTTPS Service
• Associating the HTTPS Service with a Certificate Attribute Access Control Policy
• Associating the HTTPS Service with an ACL
• Displaying and Maintaining HTTPS
• HTTPS Configuration Example
2.1 HTTPS Overview
HTTP Secure (HTTPS) is the HTTP protocol carried over the Secure Sockets Layer (SSL) protocol.
The use of SSL in HTTPS enhances the security of the device in the following ways:
• Uses SSL to ensure that only legitimate clients can access the device, and rejects illegitimate ones.
• Encrypts the data exchanged between the HTTPS client and the device to protect its confidentiality and integrity, so that the device can be managed securely.
• Supports a certificate attribute-based access control policy that lets the device control the access rights of clients, further reducing its exposure to illegitimate clients.
The total number of HTTP connections and HTTPS connections on a device cannot exceed five.
2.2 HTTPS Configuration Task List
Complete these tasks to configure HTTPS:
2.3 Associating the HTTPS Service with an SSL Server Policy
You need to associate the HTTPS service with an existing SSL server policy before enabling the HTTPS service.
Follow these steps to associate the HTTPS service with an SSL server policy:
To do: Enter system view
Command: system-view
Remarks: —
To do: Associate the HTTPS service with an SSL server policy
Command: ip https ssl-server-policy policy-name
Remarks: Required. Not associated by default.
• If the ip https ssl-server-policy command is executed repeatedly, the HTTPS service is associated only with the last specified SSL server policy.
• When the HTTPS service is disabled, the association between the HTTPS service and the SSL server policy is removed automatically. To enable the service again, you need to re-associate the HTTPS service with an SSL server policy.
• While the HTTPS service is enabled, modifications to its associated SSL server policy do not take effect. To change the policy, disable the service, modify the policy, re-associate it, and enable the service again.
2.4 Enabling the HTTPS Service
Before configuring the HTTPS service, make sure that the HTTPS service is enabled. Otherwise, the other HTTPS configurations cannot take effect.
Follow these steps to enable the HTTPS service:
To do: Enter system view
Command: system-view
Remarks: —
To do: Enable the HTTPS service
Command: ip https enable
Remarks: Required. Disabled by default.
• After the HTTPS service is enabled, you can use the display ip https command to view the state of the HTTPS service and verify the configuration.
• Enabling the HTTPS service triggers an SSL handshake negotiation. If the local certificate of the device already exists, the SSL negotiation succeeds and the HTTPS service starts normally. If no local certificate exists, the SSL negotiation triggers a certificate application process. Because the application process takes a long time, the SSL negotiation may fail and the HTTPS service may not start normally. In that case, execute the ip https enable command again (possibly more than once) until the HTTPS service starts, and confirm with display ip https.
2.5 Associating the HTTPS Service with a Certificate Attribute Access Control Policy
Associating the HTTPS service with a configured certificate attribute access control policy lets you control the access rights of clients based on the attributes of their certificates, providing the device with enhanced security.
Follow these steps to associate the HTTPS service with a certificate attribute access control policy:
To do: Enter system view
Command: system-view
Remarks: —
To do: Associate the HTTPS service with a certificate attribute access control policy
Command: ip https certificate access-control-policy policy-name
Remarks: Required. Not associated by default.
• If the ip https certificate access-control-policy command is executed repeatedly, the HTTPS service is associated only with the last specified certificate attribute access control policy.
• If the HTTPS service is associated with a certificate attribute access control policy, the client-verify enable command must be configured in the SSL server policy, because the policy can only evaluate a certificate that the client is required to present. Otherwise, no client can log onto the device.
• If the HTTPS service is associated with a certificate attribute access control policy, the policy must contain at least one permit rule. Otherwise, no HTTPS client can log onto the device.
• For the configuration of an SSL server policy, refer to SSL Configuration; for the configuration of certificate attribute groups and certificate attribute access control policies, refer to PKI Configuration.
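How the HTTPS service applies such a policy to the certificate a client presents, as an added example that is not part of this guide or of the device software: a Python model of attribute groups and access control rules, written against the attribute and rule command shapes used in the HTTPS configuration example later on this page (mygroup1 with "attribute 1 issuer-name dn ctn new-ca", myacp with "rule 1 permit mygroup1"). The matching semantics are assumptions: a certificate matches a group only if every attribute statement in it matches, rules are checked in ID order and the first match decides, a certificate that matches no rule is denied (which is why a policy without a permit rule admits nobody), and ctn is a substring test. The operators nctn, equ and nequ are included for completeness but are not shown on the page. The certificate fields are read from the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns, and the sample certificates are constructed.

```python
"""Model of a certificate attribute access control policy as the HTTPS service
applies it to a client certificate.

Added example, not from the configuration guide or the device software. Taken from
the page: the attribute/rule command shapes and the mygroup1/myacp configuration of
the HTTPS example. Assumptions: a certificate matches a group only if every attribute
statement matches, rules are checked in ID order with the first match deciding, a
certificate matching no rule is denied, and 'ctn' is a substring test (nctn/equ/nequ
are listed here but not shown on the page).
"""
from dataclasses import dataclass

SHORT_NAMES = {"commonName": "CN", "organizationName": "O", "organizationalUnitName": "OU",
               "countryName": "C", "stateOrProvinceName": "ST", "localityName": "L"}


def dn_string(rdns):
    """Flatten the tuple-of-tuples DN returned by ssl.SSLSocket.getpeercert() to 'O=x,CN=y'."""
    return ",".join(f"{SHORT_NAMES.get(oid, oid)}={value}" for rdn in rdns for oid, value in rdn)


def cert_fields(peercert):
    """Extract the fields the 'attribute' command can test from a getpeercert() dict."""
    sans = peercert.get("subjectAltName", ())
    return {
        ("issuer-name", "dn"): dn_string(peercert.get("issuer", ())),
        ("subject-name", "dn"): dn_string(peercert.get("subject", ())),
        ("alt-subject-name", "fqdn"): [v for k, v in sans if k == "DNS"],
        ("alt-subject-name", "ip"): [v for k, v in sans if k == "IP Address"],
    }


def _match(op, actual, wanted):
    """One attribute statement against one field; list fields (SANs) match on any element."""
    values = actual if isinstance(actual, list) else [actual]
    if op == "ctn":
        return any(wanted in v for v in values)
    if op == "nctn":
        return all(wanted not in v for v in values)
    if op == "equ":
        return any(v == wanted for v in values)
    if op == "nequ":
        return all(v != wanted for v in values)
    raise ValueError(f"unknown operator {op}")


@dataclass(frozen=True)
class Attribute:          # attribute <id> <field> <kind> <op> <value>
    id: int
    field: str            # issuer-name | subject-name | alt-subject-name
    kind: str             # dn | fqdn | ip
    op: str               # ctn | nctn | equ | nequ
    value: str


@dataclass
class AttributeGroup:     # pki certificate attribute-group <name>
    name: str
    attributes: list

    def matches(self, fields):
        return all(_match(a.op, fields.get((a.field, a.kind), ""), a.value) for a in self.attributes)


@dataclass(frozen=True)
class Rule:               # rule <id> { deny | permit } <group-name>
    id: int
    action: str
    group: str


class AccessControlPolicy:   # pki certificate access-control-policy <name>
    def __init__(self, name, rules, groups):
        self.name = name
        self.rules = sorted(rules, key=lambda r: r.id)
        self.groups = {g.name: g for g in groups}

    def evaluate(self, fields):
        """True if a client presenting a certificate with these fields may log on."""
        for rule in self.rules:
            group = self.groups.get(rule.group)
            if group is not None and group.matches(fields):
                return rule.action == "permit"
        return False   # matched no rule: denied, which is why a policy needs a permit rule


def page_example_policy():
    """myacp/mygroup1 from the HTTPS configuration example: permit issuer DN containing new-ca."""
    mygroup1 = AttributeGroup("mygroup1", [Attribute(1, "issuer-name", "dn", "ctn", "new-ca")])
    return AccessControlPolicy("myacp", [Rule(1, "permit", "mygroup1")], [mygroup1])


# Constructed getpeercert()-shaped client certificates, not captured from a real CA.
CERT_FROM_NEW_CA = {"issuer": ((("commonName", "new-ca"),),),
                    "subject": ((("commonName", "admin-host"),),),
                    "subjectAltName": (("DNS", "host.security.com"),)}
CERT_FROM_OTHER_CA = {"issuer": ((("organizationName", "Rogue"),), (("commonName", "rogue-ca"),)),
                      "subject": ((("commonName", "admin-host"),),)}
# 'ctn' is a substring test: this issuer also contains "new-ca", so a strict policy
# should use 'equ' with the full DN rather than 'ctn' with a fragment of it.
CERT_FROM_LOOKALIKE_CA = {"issuer": ((("commonName", "renew-ca"),),),
                          "subject": ((("commonName", "admin-host"),),)}
```

With the page's policy, a certificate issued by CN=new-ca is permitted and one issued by CN=rogue-ca is refused by the implicit deny; the lookalike issuer CN=renew-ca shows why, for a policy that is meant to admit exactly one CA, an equ match on the full issuer DN is the safer statement than ctn on a name fragment. A policy whose only rule is a deny admits no client at all, which is the behaviour the note above warns about.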
2.6 Associating the HTTPS Service with an ACL
Associating the HTTPS service with an ACL filters out requests from some clients, so that only clients that pass the ACL filtering can reach the service.
Follow these steps to associate the HTTPS service with an ACL:
To do: Enter system view
Command: system-view
Remarks: —
To do: Associate the HTTPS service with an ACL
Command: ip https acl acl-number
Remarks: Required. Not associated by default.
If the ip https acl command is executed repeatedly, the HTTPS service is associated only with the last specified ACL.
2.7 Displaying and Maintaining HTTPS
To do: Display information about HTTPS
Command: display ip https
Remarks: Available in any view
2.8 HTTPS Configuration Example
I. Network requirements
• Host acts as the HTTPS client and Switch acts as the HTTPS server.
• Host accesses Switch through the Web interface to manage Switch.
• A CA (certificate authority) issues a certificate to Switch. The common name of the CA is new-ca.
Caution:
In this configuration example, Windows Server serves as the CA, and the Simple Certificate Enrollment Protocol (SCEP) component must be installed on it.
II. Network diagram

Figure 2-1 Network diagram for HTTPS configuration
III. Configuration procedure
Perform the following configurations on Switch:
1) Apply for a certificate for Switch
# Configure a PKI entity.
<Switch> system-view
[Switch] pki entity en
[Switch-pki-entity-en] common-name http-server1
[Switch-pki-entity-en] fqdn ssl.security.com
[Switch-pki-entity-en] quit
# Configure a PKI domain.
[Switch] pki domain 1
[Switch-pki-domain-1] ca identifier ca1
[Switch-pki-domain-1] certificate request url http://10.1.2.2:8080/certsrv/mscep/mscep.dll
[Switch-pki-domain-1] certificate request from ra
[Switch-pki-domain-1] certificate request entity en
[Switch-pki-domain-1] quit
# Generate a key pair locally using the RSA algorithm.
[Switch] public-key local create rsa
# Retrieve the CA certificate.
[Switch] pki retrieval-certificate ca domain 1
# Apply for a local certificate.
[Switch] pki request-certificate domain 1
2) Configure an SSL server policy to associate with the HTTPS service
# Configure the SSL server policy.
[Switch] ssl server-policy myssl
[Switch-ssl-server-policy-myssl] pki-domain 1
[Switch-ssl-server-policy-myssl] client-verify enable
[Switch-ssl-server-policy-myssl] quit
3) Configure a certificate access control policy
# Configure a certificate attribute group that matches certificates whose issuer DN contains new-ca.
[Switch] pki certificate attribute-group mygroup1
[Switch-pki-cert-attribute-group-mygroup1] attribute 1 issuer-name dn ctn new-ca
[Switch-pki-cert-attribute-group-mygroup1] quit
# Configure certificate access control policy myacp and create a rule that permits certificates matching mygroup1.
[Switch] pki certificate access-control-policy myacp
[Switch-pki-cert-acp-myacp] rule 1 permit mygroup1
[Switch-pki-cert-acp-myacp] quit
4) Reference the SSL server policy
# Associate the HTTPS service with SSL server policy myssl.
[Switch] ip https ssl-server-policy myssl
5) Associate the HTTPS service with the certificate attribute access control policy
# Associate the HTTPS service with certificate attribute access control policy myacp.
[Switch] ip https certificate access-control-policy myacp
6) Enable the HTTPS service
# Enable the HTTPS service.
[Switch] ip https enable
7) Verify the configuration
Launch Internet Explorer on Host and enter https://10.1.1.1. You can log onto Switch and manage it. A client whose certificate was not issued by new-ca matches no permit rule in myacp and is refused.
• For details of PKI commands, refer to PKI Commands.
• For details of the public-key local create rsa command, refer to SSH Commands.