When configuring SSL, go to these sections for information you are interested in:
- SSL Overview
- Configuring an SSL Server Policy
- Configuring an SSL Client Policy
- Displaying and Maintaining SSL
- Troubleshooting SSL Configuration
1.1 SSL Overview
SSL (Secure Sockets Layer) is a security protocol that provides secure connections for TCP-based application layer protocols; for example, SSL can provide a secure connection for the HTTP protocol. The secure connection provided by SSL offers the following:
- Confidentiality: SSL encrypts data with a symmetric encryption algorithm, using the key generated during the handshake phase.
- Authentication: SSL performs certificate-based authentication of both the server and the client; authentication of the client is optional.
- Reliability: SSL uses a key-based MAC (message authentication code) to verify the integrity of messages.
The SSL protocol consists of two layers: the SSL record protocol at the lower layer, and the handshake protocol, SSL password change protocol and SSL alert protocol at the upper layer.
- SSL record protocol: It fragments and compresses data from the upper layer, computes and appends a MAC, encrypts the result, and transmits the records to the peer end.
- SSL handshake protocol: The client and the server initiate a session with the handshake protocol. A session comprises a set of parameters: session ID, peer certificate, cipher suite (key exchange algorithm, data encryption algorithm and MAC algorithm), compression algorithm and master key. An SSL session can be shared by multiple connections to reduce the cost of session negotiation.
- SSL password change protocol: The client and the server inform each other of the password change through this protocol. Subsequent packets are protected and transmitted with the newly negotiated encryption suite and key pair.
- SSL alert protocol: Permits one entity to report an alert message, containing the alert level and description, to the other.
1.2 Configuring an SSL Server Policy
An SSL server policy is the set of SSL parameters used when the server is started. It takes effect only when associated with an application layer protocol (for example, the HTTP protocol).
Before configuring the SSL server policy, you should configure a PKI (public key infrastructure) domain. For the details of PKI domain configuration, refer to PKI Configuration.
Follow these steps to configure an SSL server policy:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Create an SSL server policy and enter its view | ssl server-policy policy-name | Required |
| Configure the PKI domain used by the SSL server policy | pki-domain domain-name | Required. No PKI domain is configured by default. |
| Configure the cipher suites supported by the SSL server policy | ciphersuite [ rsa_3des_ede_cbc_sha \| rsa_aes_128_cbc_sha \| rsa_aes_256_cbc_sha \| rsa_des_cbc_sha \| rsa_rc4_128_md5 \| rsa_rc4_128_sha ] * | Optional. An SSL server policy supports all six cipher suites by default. |
| Configure the handshake timeout time for the SSL server | handshake timeout time | Optional. 3600 seconds by default. |
| Configure the close mode for SSL connections | close-mode wait | Optional. The close mode for SSL connections is non-wait by default. |
| Configure the maximum number and timeout time of buffered sessions | session { cachesize size \| timeout time } * | Optional. The maximum number is 500 and the timeout time is 3600 seconds by default. |
| Enable certificate-based SSL client authentication | client-verify enable | Optional. Not enabled by default. |

The GUI will take a long time to fully launch if the close mode for SSL connections is wait.
1.2.3 SSL Server Policy Configuration Example
I. Network requirements
- A device works as the HTTPS server.
- A host works as the client, interacting with the HTTPS server through the SSL-based HTTP protocol.
II. Network diagram
Figure 1-1 Network diagram for SSL server policy
III. Configuration procedure
# Configure the SSL server policy.
<Sysname> system-view
[Sysname] ssl server-policy myssl
[Sysname-ssl-server-policy-myssl] pki-domain 1
[Sysname-ssl-server-policy-myssl] client-verify enable
[Sysname-ssl-server-policy-myssl] quit
# Configure the SSL server policy adopted by the HTTPS service as myssl.
[Sysname] ip https ssl-server-policy myssl
# Enable the HTTPS service.
[Sysname] ip https enable
1.3 Configuring an SSL Client Policy
An SSL client policy is the set of SSL parameters used by the client when it connects to the server. It takes effect only when associated with an application layer protocol (for example, the HTTP protocol).
Before configuring the SSL client policy, you should configure a PKI domain first.
Follow these steps to configure an SSL client policy:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Create an SSL client policy and enter its view | ssl client-policy policy-name | Required |
| Configure the PKI domain used by the SSL client policy | pki-domain domain-name | Required. No PKI domain is configured by default. |
| Configure the preferred cipher suite for the SSL client policy | prefer-cipher { rsa_3des_ede_cbc_sha \| rsa_aes_128_cbc_sha \| rsa_aes_256_cbc_sha \| rsa_des_cbc_sha \| rsa_rc4_128_md5 \| rsa_rc4_128_sha } | Optional. The preferred cipher suite is rsa_rc4_128_md5 by default. |
| Configure the SSL protocol version adopted by the SSL client policy | version { ssl3.0 \| tls1.0 } | Optional. The SSL protocol version is TLS 1.0 by default. |

If the server needs to perform certificate-based authentication of the client, a local certificate for the SSL client must be acquired in the client's PKI domain.
1.4 Displaying and Maintaining SSL

| To do... | Use the command... | Remarks |
|---|---|---|
| Display SSL server policy information | display ssl server-policy { policy-name \| all } | Available in any view |
| Display SSL client policy information | display ssl client-policy { policy-name \| all } | Available in any view |
1.5 Troubleshooting SSL Configuration
I. Symptom
When the device works as the SSL server, its handshake with the SSL client fails.
II. Analysis
SSL handshake failure may result from the following:
- The SSL server certificate does not exist, or the certificate cannot be trusted.
- The server is configured to authenticate the client, but the certificate of the SSL client does not exist or cannot be trusted.
- The cipher suites supported by the SSL server and the client do not match.
III. Solution
1) Use the debugging ssl command to view the debugging information:
   - If the SSL server certificate does not exist, apply for one.
   - If the server certificate cannot be trusted, install on the SSL client the root certificate of the CA server that issued the certificate to the SSL server, or have the server reapply for a certificate from a CA server trusted by the SSL client.
   - If the server is configured to authenticate the client, but the certificate of the SSL client does not exist or cannot be trusted, apply for and install a certificate for the client.
2) Use the display ssl server-policy command to view the cipher suites supported by the SSL server policy. If the cipher suites supported by the SSL server do not match those supported by the client, use the ciphersuite command to modify the cipher suites supported by the SSL server.
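The cipher suite mismatch in step 2 above, and the record, handshake and alert protocols described in section 1.1, can be seen concretely in the following Python walkthrough. It is an added example, not code from this manual or from the device's vendor: it builds a constructed SSL 3.0/TLS 1.0 ClientHello record, parses the record header and the cipher suites the client offers (a client policy's prefer-cipher suite is the one listed first), applies a server-side suite selection over the list a ciphersuite command would configure, and decodes the fatal handshake_failure alert record a server returns when the two lists share no suite. The mapping from the policy's suite names to the IANA TLS_RSA_WITH_* code points is standard; the byte strings, the "first suite in server order" selection rule and all function names are assumptions of the example.

```python
"""TLS record, handshake and alert walkthrough (added example).

Constructed example, not code from the device manual or its vendor.
It shows how a server policy's cipher suite list and a client's offered
list (prefer-cipher puts the preferred suite first) meet in a ClientHello,
and what the alert record looks like when the two lists share no suite.
All byte strings here are constructed by hand.
"""
import struct

# Record layer content types (RFC 2246, section 6.2.1).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
HANDSHAKE_CLIENT_HELLO = 1
PROTOCOL_VERSIONS = {(3, 0): "ssl3.0", (3, 1): "tls1.0"}

# The six suites the SSL policies can list, keyed by their IANA code points
# (TLS_RSA_WITH_3DES_EDE_CBC_SHA is 0x000A, and so on).
SUITE_NAMES = {0x000A: "rsa_3des_ede_cbc_sha", 0x002F: "rsa_aes_128_cbc_sha",
               0x0035: "rsa_aes_256_cbc_sha", 0x0009: "rsa_des_cbc_sha",
               0x0004: "rsa_rc4_128_md5", 0x0005: "rsa_rc4_128_sha"}
SUITE_CODES = {name: code for code, name in SUITE_NAMES.items()}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 42: "bad_certificate",
                      48: "unknown_ca"}

def build_client_hello(suite_names, version=(3, 1), session_id=b""):
    """Wrap a ClientHello offering suite_names (in that order) in one record."""
    suites = b"".join(struct.pack("!H", SUITE_CODES[n]) for n in suite_names)
    body = (bytes(version)
            + b"\x11" * 32                          # constructed client random
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                          # one compression method: null
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([22]) + bytes(version) + struct.pack("!H", len(handshake)) + handshake

def build_alert(level, description, version=(3, 1)):
    """An alert record: 5-byte record header, then a 2-byte level/description body."""
    return bytes([21]) + bytes(version) + struct.pack("!H", 2) + bytes([level, description])

def parse_record(data):
    """Split one record into (content type name, version tuple, payload)."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype not in CONTENT_TYPES:
        raise ValueError("unknown content type %d" % ctype)
    payload = data[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated record body")
    return CONTENT_TYPES[ctype], (major, minor), payload

def parse_client_hello(payload):
    """Extract the session-relevant fields from a ClientHello handshake message."""
    if not payload or payload[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    length = int.from_bytes(payload[1:4], "big")
    body = payload[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                    # client version, then client random
    sid_len = body[pos]
    session_id = body[pos + 1:pos + 1 + sid_len]
    pos += 1 + sid_len
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    codes = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    return {"version": PROTOCOL_VERSIONS.get((body[0], body[1]), "unknown"),
            "session_id": session_id,
            "cipher_suites": [SUITE_NAMES.get(c, "0x%04x" % c) for c in codes]}

def decode_alert(payload):
    """Turn an alert body into (level name, description name)."""
    return (ALERT_LEVELS.get(payload[0], str(payload[0])),
            ALERT_DESCRIPTIONS.get(payload[1], str(payload[1])))

def negotiate(server_suites, client_hello_record):
    """Server-side suite choice: the first suite in the server policy's list that
    the client also offered (this preference rule is an assumption of the example).
    Returns ("ok", suite), or ("alert", level, description) when nothing matches."""
    ctype, _version, payload = parse_record(client_hello_record)
    if ctype != "handshake":
        raise ValueError("expected a handshake record, got %s" % ctype)
    offered = parse_client_hello(payload)["cipher_suites"]
    for suite in server_suites:
        if suite in offered:
            return ("ok", suite)
    alert = build_alert(2, 40)                      # fatal handshake_failure
    return ("alert",) + decode_alert(parse_record(alert)[2])

if __name__ == "__main__":
    hello = build_client_hello(["rsa_rc4_128_md5", "rsa_aes_128_cbc_sha"])
    print(parse_client_hello(parse_record(hello)[2]))
    print(negotiate(["rsa_aes_256_cbc_sha", "rsa_aes_128_cbc_sha"], hello))
    print(negotiate(["rsa_aes_256_cbc_sha"], hello))
```

Running the block shows the two outcomes the troubleshooting step distinguishes: with rsa_aes_128_cbc_sha in both lists the server picks it, and with a server policy reduced to rsa_aes_256_cbc_sha alone the same ClientHello produces a fatal handshake_failure alert, which is the mismatch that the display ssl server-policy and ciphersuite commands are used to diagnose and correct.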
2.1 HTTPS Overview
HTTP Security (HTTPS) refers to the HTTP protocol running over the Secure Sockets Layer (SSL) protocol.
The SSL protocol of HTTPS enhances the security of the device in the following ways:
- It uses the SSL protocol to ensure that legal clients access the device securely and that illegal clients are rejected.
- It encrypts the data exchanged between the HTTPS client and the device to ensure the security and integrity of the data, thus securing management of the device.
- It defines a certificate attribute-based access control policy for the device to control the access rights of clients, further preventing attacks from illegal clients.
The total number of HTTP connections and HTTPS connections on a device cannot exceed ten.
2.2 Introduction to HTTPS Configuration Tasks
Table 2-1 HTTPS configuration tasks
2.3 Associating the HTTPS Service with an SSL Server Policy
You need to associate the HTTPS service with a created SSL server policy before enabling the HTTPS service.
Follow these steps to associate the HTTPS service with an SSL server policy:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Associate the HTTPS service with an SSL server policy | ip https ssl-server-policy policy-name | Required. Not associated by default. |

- If the ip https ssl-server-policy command is executed repeatedly, the HTTPS service is associated only with the last specified SSL server policy.
- When the HTTPS service is disabled, the association between the HTTPS service and the SSL server policy is automatically removed. To enable it again, you need to re-associate the HTTPS service with an SSL server policy.
- While the HTTPS service is enabled, any modification of its associated SSL server policy does not take effect.
2.4 Enabling the HTTPS Service
Before configuring HTTPS, make sure that the HTTPS service is enabled. Otherwise, the other related configurations cannot take effect.
Follow these steps to enable the HTTPS service:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enable the HTTPS service | ip https enable | Required. Disabled by default. |

- After the HTTPS service is enabled, you can use the display ip https command to view the state of the HTTPS service and verify the configuration.
- Enabling the HTTPS service triggers an SSL handshake negotiation process. During this process, if the local certificate of the device already exists, the SSL negotiation succeeds and the HTTPS service starts normally. If no local certificate exists, the SSL negotiation triggers a certificate application process. Since the application process takes much time, the SSL negotiation may fail and the HTTPS service cannot be started normally. Therefore, the ip https enable command must be executed multiple times to ensure normal startup of the HTTPS service.
2.5 Associating the HTTPS Service with a Certificate Attribute Access Control Policy
Associating the HTTPS service with a configured certificate attribute access control policy helps control the access rights of clients, thus providing the device with enhanced security.
Follow these steps to associate the HTTPS service with a certificate attribute access control policy:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Associate the HTTPS service with a certificate attribute access control policy | ip https certificate access-control-policy policy-name | Required. Not associated by default. |

- If the ip https certificate access-control-policy command is executed repeatedly, the HTTPS service is associated only with the last specified certificate attribute access control policy.
- If the HTTPS service is associated with a certificate attribute access control policy, the client-verify enable command must be configured in the SSL server policy. Otherwise, the client cannot log onto the device. For the configuration of an SSL server policy, refer to PKI Configuration.
2.6 Associating the HTTPS Service with an ACL
Associating the HTTPS service with an ACL filters out requests from some clients, letting through only the clients that pass the ACL filtering.
Follow these steps to associate the HTTPS service with an ACL:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Associate the HTTPS service with an ACL | ip https acl acl-number | Required. Not associated by default. |

If the ip https acl command is executed repeatedly, the HTTPS service is associated only with the last specified ACL.
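The two filters described in sections 2.5 and 2.6, modelled in Python as an added example that is not code from this manual or from the device's vendor: the ACL on the client's source address is applied first, and the certificate attribute access control policy is then evaluated against the attributes of the client certificate that the SSL handshake delivered, which is why client-verify enable is mandatory whenever such a policy is associated. The rule format (permit or deny rules over subject-name, issuer-name and alt-subject-name with ctn, nctn, equ and nequ operators), the first-match-wins evaluation order and the implicit deny when nothing matches are assumptions made for this example, not the device's documented syntax; the addresses, ACL and certificate fields are constructed.

```python
"""HTTPS admission checks: ACL first, then certificate attribute policy.

Added example, not code from the device or its vendor. The rule format,
first-match-wins evaluation and implicit deny are assumptions of this
example; addresses, ACL and certificate fields are constructed.
"""
import ipaddress

# ACL: ordered (action, network) rules on the client's source address.
# Constructed: only the management subnet may reach the HTTPS service,
# with one host inside it excluded.
MGMT_ACL = [
    ("deny", "10.1.1.250/32"),
    ("permit", "10.1.1.0/24"),
]

# Certificate attribute policy: ordered (action, attribute group) rules.
# A group is a list of (field, operator, value) tests that must all hold.
OPERATORS = {
    "equ": lambda actual, expected: actual == expected,
    "nequ": lambda actual, expected: actual != expected,
    "ctn": lambda actual, expected: expected in actual,
    "nctn": lambda actual, expected: expected not in actual,
}
ADMIN_CERT_POLICY = [
    ("deny", [("subject-name", "ctn", "OU=Contractors")]),
    ("permit", [("issuer-name", "ctn", "CN=ca1"),
                ("alt-subject-name", "ctn", ".security.com")]),
]

def acl_permits(acl_rules, client_ip):
    """First matching rule decides; no match means deny."""
    ip = ipaddress.ip_address(client_ip)
    for action, network in acl_rules:
        if ip in ipaddress.ip_network(network):
            return action == "permit"
    return False

def group_matches(group, cert):
    """Every test in an attribute group must hold for the group to match."""
    return all(OPERATORS[op](cert.get(field, ""), value)
               for field, op, value in group)

def cert_policy_permits(policy, cert):
    """First matching group decides; a certificate matching no group is denied."""
    for action, group in policy:
        if group_matches(group, cert):
            return action == "permit"
    return False

def https_admits(client_ip, client_cert, acl_rules=None, cert_policy=None):
    """Return (admitted, reason) for one client.

    client_cert is the attribute dict of the certificate the client presented
    during the SSL handshake, or None if it presented none, which is what
    happens when client-verify enable is missing from the server policy."""
    if acl_rules is not None and not acl_permits(acl_rules, client_ip):
        return (False, "denied by ACL")
    if cert_policy is not None:
        if client_cert is None:
            return (False, "client certificate required by attribute policy")
        if not cert_policy_permits(cert_policy, client_cert):
            return (False, "denied by certificate attribute policy")
    return (True, "admitted")

# Constructed client certificates, reduced to the attributes the policy reads.
ADMIN_CERT = {"subject-name": "CN=admin1,OU=NetOps,O=Example",
              "issuer-name": "CN=ca1,O=Example",
              "alt-subject-name": "admin1.security.com"}
CONTRACTOR_CERT = {"subject-name": "CN=temp7,OU=Contractors,O=Example",
                   "issuer-name": "CN=ca1,O=Example",
                   "alt-subject-name": "temp7.security.com"}

if __name__ == "__main__":
    print(https_admits("10.1.1.20", ADMIN_CERT, MGMT_ACL, ADMIN_CERT_POLICY))
    print(https_admits("10.1.1.20", CONTRACTOR_CERT, MGMT_ACL, ADMIN_CERT_POLICY))
    print(https_admits("192.0.2.9", ADMIN_CERT, MGMT_ACL, ADMIN_CERT_POLICY))
    print(https_admits("10.1.1.20", None, MGMT_ACL, ADMIN_CERT_POLICY))
```

The last call in the block is the failure mode section 2.5 warns about: a policy is associated but no client certificate arrives, so the client is rejected even though its address passes the ACL and its certificate would have matched the permit group.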
2.7 Displaying and Maintaining HTTPS

| To do… | Use the command… | Remarks |
|---|---|---|
| Display information about HTTPS | display ip https | Available in any view |
2.8 HTTPS Configuration Examples
- When a server running the Windows operating system is used as the CA, the Simple Certificate Enrollment Protocol plugin is required. In this case, you need to specify that the entity applies for the certificate from the RA by using the certificate request from ra command when configuring the PKI domain.
- The Simple Certificate Enrollment Protocol plugin is not needed when RSA Keon software is used. In this case, you need to specify that the entity applies for the certificate from the CA by using the certificate request from ca command when configuring the PKI domain.
- This section assumes that the Windows operating system is used on the CA server.
I. Network requirements
- Host acts as the HTTPS client and Device acts as the HTTPS server.
- Host accesses Device through the Web to control Device.
- The CA (Certificate Authority) issues a certificate to Device.
II. Network diagram
Figure 2-1 Network diagram for HTTPS configuration
III. Configuration procedure
Perform the following configurations on Device:
1) Apply for a certificate for Device.
# Configure a PKI entity.
<Sysname> system-view
[Sysname] pki entity en
[Sysname-pki-entity-en] common-name http-server1
[Sysname-pki-entity-en] fqdn ssl.security.com
[Sysname-pki-entity-en] quit
# Configure a PKI domain.
[Sysname] pki domain 1
[Sysname-pki-domain-1] ca identifier ca1
[Sysname-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll
[Sysname-pki-domain-1] certificate request from ra
[Sysname-pki-domain-1] certificate request entity en
[Sysname-pki-domain-1] quit
# Generate a key pair locally by using the RSA algorithm.
[Sysname] rsa local-key-pair create
# Retrieve the CA certificate from the CA.
[Sysname] pki retrieval-certificate ca domain 1
# Request a local certificate.
[Sysname] pki request-certificate domain 1
2) Configure an SSL server policy to be associated with the HTTPS service.
# Create an SSL server policy named myssl.
[Sysname] ssl server-policy myssl
# Configure the name of the PKI domain used at the SSL server end as 1.
[Sysname-ssl-server-policy-myssl] pki-domain 1
# Configure the server to require client authentication.
[Sysname-ssl-server-policy-myssl] client-verify enable
[Sysname-ssl-server-policy-myssl] quit
3) Reference the SSL server policy.
[Sysname] ip https ssl-server-policy myssl
4) Enable the HTTPS service.
[Sysname] ip https enable
5) Verify the configuration.
Open Internet Explorer on Host and enter https://10.1.1.1. You can log on to Device and control it.
- For details of PKI commands, refer to PKI Commands.
- For details of the rsa local-key-pair create command, refer to SSH Terminal Service Commands.