H3C S5500-SI Series Ethernet Switches Operation Manual(V1.01)

34-SSL-HTTPS Configuration

Chapter 1  SSL Configuration

When configuring SSL, go to these sections for information you are interested in:

l           SSL Overview

l           SSL Configuration Task List

l           Displaying and Maintaining SSL

l           Troubleshooting SSL

1.1  SSL Overview

Secure Sockets Layer (SSL) is a security protocol that provides a secure connection service for TCP-based application layer protocols such as HTTP. It is widely used in e-commerce and online banking to protect data transmitted over the Internet.

SSL provides these security services:

l           Confidentiality: SSL encrypts data using a symmetric encryption algorithm and the key generated during the handshake phase.

l           Authentication: SSL supports authenticating both the server and the client through certificates, with the authentication of the client being optional.

l           Integrity: SSL attaches a keyed message authentication code (MAC) to every record so that the receiver can detect any modification of the data in transit.

As shown in Figure 1-1, the SSL protocol consists of two layers of protocols: the SSL record protocol at the lower layer and the SSL handshake protocol, change cipher spec protocol, and alert protocol at the upper layer.

Figure 1-1 SSL protocol stack

l           SSL handshake protocol: Responsible for establishing a session between a client and the server. A session consists of a set of parameters such as the session ID, peer certificate, cipher suite (including key exchange algorithm, data encryption algorithm and MAC algorithm), compression algorithm, and master secret. An SSL session can be used to establish multiple connections, so the full negotiation is not repeated for every connection (the session cachesize and timeout settings in section 1.3.2 control this cache).

l           SSL change cipher spec protocol: Used for notification between a client and the server that the subsequent packets are to be protected and transmitted based on the newly negotiated cipher suite and key.

l           SSL alert protocol: Allowing a client and the server to send alert messages to each other. An alert message contains the alert severity level and a description.

l           SSL record protocol: Fragmenting and compressing data to be transmitted, calculating and adding MAC to the data, and encrypting the data before transmitting it to the peer end.

1.2  SSL Configuration Task List

Different parameters are required on the SSL server and the SSL client.

Complete the following tasks to configure SSL:

Configuring an SSL Server Policy: Required

Configuring an SSL Client Policy: Optional

 

1.3  Configuring an SSL Server Policy

An SSL server policy is a set of SSL parameters that the device uses when it acts as an SSL server. An SSL server policy takes effect only after it is associated with an application layer protocol, for example HTTP (see Chapter 2).

1.3.1  Configuration Prerequisites

Before configuring an SSL server policy, you must configure a PKI (public key infrastructure) domain.

1.3.2  Configuration Procedure

Follow these steps to configure an SSL server policy:

Enter system view
    Command: system-view

Create an SSL server policy and enter its view
    Command: ssl server-policy policy-name
    Required

Specify a PKI domain for the SSL server policy
    Command: pki-domain domain-name
    Required. By default, no PKI domain is specified for an SSL server policy.

Specify the cipher suite(s) for the SSL server policy to support
    Command: ciphersuite [ rsa_aes_128_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha ] *
    Optional. By default, an SSL server policy supports all four cipher suites. rsa_des_cbc_sha uses a 56-bit key, and rsa_rc4_128_md5 and rsa_rc4_128_sha use the RC4 stream cipher; unless a legacy client requires them, list only rsa_aes_128_cbc_sha so that a weak suite cannot be negotiated.

Set the handshake timeout time for the SSL server
    Command: handshake timeout time
    Optional. 3,600 seconds by default.

Configure the SSL connection close mode
    Command: close-mode wait
    Optional. Not wait by default.

Set the maximum number of cached sessions and the caching timeout time
    Command: session { cachesize size | timeout time } *
    Optional. Defaults: 500 cached sessions, 3,600 seconds caching timeout.

Enable certificate-based SSL client authentication
    Command: client-verify enable
    Optional. Not enabled by default.

 

&  Note:

If you enable client authentication here, you must request a local certificate for the client.

 

1.3.3  SSL Server Policy Configuration Example

I. Network requirements

l           A switch works as the HTTPS server.

l           A host works as the client and accesses the HTTPS server through HTTP secured with SSL.

l           A certificate authority (CA) issues a certificate to the switch.

 

  Caution:

In this example, Windows Server acts as the CA, with the Simple Certificate Enrollment Protocol (SCEP) add-on installed on it.

 

II. Network diagram

Figure 1-2 Network diagram for SSL server policy configuration

III. Configuration procedure

1)         Request a certificate for the switch

# Create a PKI entity named en and configure it.

<Sysname> system-view

[Sysname] pki entity en

[Sysname-pki-entity-en] common-name http-server1

[Sysname-pki-entity-en] fqdn ssl.security.com

[Sysname-pki-entity-en] quit

# Create a PKI domain and configure it.

[Sysname] pki domain 1

[Sysname-pki-domain-1] ca identifier ca1

[Sysname-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll

[Sysname-pki-domain-1] certificate request from ra

[Sysname-pki-domain-1] certificate request entity en

[Sysname-pki-domain-1] quit

# Generate a local RSA key pair.

[Sysname] public-key local create rsa

# Retrieve the CA certificate.

[Sysname] pki retrieval-certificate ca domain 1

# Request a local certificate.

[Sysname] pki request-certificate domain 1

2)         Configure an SSL server policy

# Create an SSL server policy named myssl.

[Sysname] ssl server-policy myssl

# Specify the PKI domain for the SSL server policy as 1.

[Sysname-ssl-server-policy-myssl] pki-domain 1

# Enable client authentication.

[Sysname-ssl-server-policy-myssl] client-verify enable

[Sysname-ssl-server-policy-myssl] quit

3)         Associate HTTPS service with the SSL server policy and enable HTTPS service

# Configure HTTPS service to use SSL server policy myssl.

[Sysname] ip https ssl-server-policy myssl

# Enable HTTPS service.

[Sysname] ip https enable

4)         Verify your configuration

Launch IE on the host and enter https://10.1.1.1 in the address bar. You should be able to log in to the switch and manage it. The browser trusts the server certificate only if the root certificate of the CA that issued it is installed on the host. Because client-verify enable is configured, the host must also hold a certificate issued by a CA that the switch trusts, and the browser must present it during the handshake.

 

&  Note:

l      For details about PKI configuration commands, refer to PKI Commands.

l      For details about the public-key local create rsa command, refer to SSH Commands.

 

1.4  Configuring an SSL Client Policy

An SSL client policy is a set of SSL parameters for a client to use when connecting to the server. An SSL client policy takes effect only after it is associated with an application layer protocol.

1.4.1  Configuration Prerequisites

Before configuring an SSL client policy, you must configure a PKI domain. For details about PKI domain configuration, refer to PKI Configuration.

1.4.2  Configuration Procedure

Follow these steps to configure an SSL client policy:

Enter system view
    Command: system-view

Create an SSL client policy and enter its view
    Command: ssl client-policy policy-name
    Required

Specify a PKI domain for the SSL client policy
    Command: pki-domain domain-name
    Required. No PKI domain is configured by default.

Specify the preferred cipher suite for the SSL client policy
    Command: prefer-cipher { rsa_aes_128_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha }
    Optional. rsa_rc4_128_md5 by default. This is the weakest of the four (RC4 has known keystream biases); set rsa_aes_128_cbc_sha unless the server offers only the others.

Specify the SSL protocol version for the SSL client policy
    Command: version { ssl3.0 | tls1.0 }
    Optional. TLS 1.0 by default. Keep the default; SSL 3.0 is obsolete and should be selected only when the peer cannot negotiate TLS 1.0.

 

&  Note:

If you enable client authentication on the server, you must request a local certificate for the client.

 

1.5  Displaying and Maintaining SSL

Display SSL server policy information
    Command: display ssl server-policy { policy-name | all }
    Available in any view

Display SSL client policy information
    Command: display ssl client-policy { policy-name | all }
    Available in any view

 

1.6  Troubleshooting SSL

1.6.1  SSL Handshake Failure

I. Symptom

As the SSL server, the device fails to handshake with the SSL client.

II. Analysis

SSL handshake failure may result from the following causes:

l           No SSL server certificate exists, or the certificate is not trusted.

l           The server is expected to authenticate the client, but the SSL client has no certificate or the certificate is not trusted.

l           The cipher suites used by the server and the client do not match.

III. Solution

1)         You can issue the debugging ssl command and view the debugging information to locate the problem:

l           If the SSL server has no certificate, request one for it.

l           If the server certificate cannot be trusted, install on the SSL client the root certificate of the CA that issued the local certificate to the SSL server, or have the server request a certificate from a CA that the SSL client trusts.

l           If the SSL server is configured to authenticate the client, but the certificate of the SSL client does not exist or cannot be trusted, request and install a certificate for the client.

2)         You can use the display ssl server-policy command to view the cipher suite used by the SSL server policy. If the cipher suite used by the SSL server does not match that used by the client, use the ciphersuite command to modify the cipher suite of the SSL server.
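
The record framing and cipher suite negotiation described in section 1.1, controlled on the switch by the ciphersuite (server policy) and prefer-cipher (client policy) commands, and diagnosed in step 2 above, as an added Python example. This is not code from the H3C manual or from the switch: it builds a TLS 1.0 ClientHello record, parses it the way a server's record and handshake layers would, and selects a suite against a server policy list, answering with a fatal handshake_failure alert when the two lists do not overlap. The suite names are the manual's; their code points and the record and alert constants are from RFC 2246. The all-zero client random, the session IDs and the policy lists are constructed inputs, and honouring the client's preference order is an assumption, since the page does not state the switch's selection order.

```python
"""Added example (not from the H3C manual): TLS 1.0 record framing, a
ClientHello as the handshake protocol carries it, and the server-side cipher
suite choice that the `ciphersuite` (server policy) and `prefer-cipher`
(client policy) commands control. Constants follow RFC 2246."""
import struct

# Record-layer content types (RFC 2246, section 6.2.1).
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23
TLS1_0 = (3, 1)                    # version carried in every record; SSL 3.0 is (3, 0)
CLIENT_HELLO = 1                   # HandshakeType
FATAL, HANDSHAKE_FAILURE = 2, 40   # AlertLevel, AlertDescription

# The four suites the switch's policy commands accept, with their IANA code points.
SUITES = {
    "rsa_aes_128_cbc_sha": 0x002F,   # TLS_RSA_WITH_AES_128_CBC_SHA
    "rsa_des_cbc_sha":     0x0009,   # TLS_RSA_WITH_DES_CBC_SHA, 56-bit key
    "rsa_rc4_128_md5":     0x0004,   # TLS_RSA_WITH_RC4_128_MD5
    "rsa_rc4_128_sha":     0x0005,   # TLS_RSA_WITH_RC4_128_SHA
}
CODE_TO_NAME = {code: name for name, code in SUITES.items()}


def record(content_type, body, version=TLS1_0):
    """Record protocol framing: type(1) version(2) length(2) + fragment."""
    return struct.pack("!BBBH", content_type, version[0], version[1], len(body)) + body


def parse_record(data):
    """Split one record into (content_type, version, fragment); reject truncation."""
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    fragment = data[5:5 + length]
    if len(fragment) != length:
        raise ValueError("truncated record")
    return content_type, (major, minor), fragment


def client_hello(suite_names, session_id=b"", version=TLS1_0):
    """Minimal ClientHello (no extensions). The all-zero client_random is a
    constructed placeholder; a real client sends 4 bytes of time + 28 random bytes."""
    client_random = bytes(32)
    suites = b"".join(struct.pack("!H", SUITES[name]) for name in suite_names)
    body = (bytes(version) + client_random
            + bytes([len(session_id)]) + session_id      # non-empty: ask to resume a cached session
            + struct.pack("!H", len(suites)) + suites     # list order = client's preference
            + b"\x01\x00")                                 # one compression method: null
    return bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body


def parse_client_hello(fragment):
    """Return (version, session_id, [suite code points]) from a ClientHello."""
    if fragment[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    length = int.from_bytes(fragment[1:4], "big")
    body = fragment[4:4 + length]
    version = (body[0], body[1])
    pos = 2 + 32                                   # skip client_random
    sid_len = body[pos]
    pos += 1
    session_id = body[pos:pos + sid_len]
    pos += sid_len
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    codes = [struct.unpack("!H", body[i:i + 2])[0]
             for i in range(pos, pos + suites_len, 2)]
    return version, session_id, codes


def select_suite(server_policy, client_codes):
    """First suite in the client's list that the server policy also lists.
    Honouring client order is an assumption; the manual does not state the
    switch's selection order."""
    for code in client_codes:
        name = CODE_TO_NAME.get(code)
        if name in server_policy:
            return name
    return None


def negotiate(server_policy, client_offers):
    """One handshake start as the switch sees it: parse the ClientHello record,
    then return (chosen_suite, None) or (None, fatal handshake_failure alert record)."""
    hello = record(HANDSHAKE, client_hello(client_offers))
    content_type, version, fragment = parse_record(hello)
    if content_type != HANDSHAKE or version != TLS1_0:
        return None, record(ALERT, bytes([FATAL, HANDSHAKE_FAILURE]))
    _, _, codes = parse_client_hello(fragment)
    chosen = select_suite(server_policy, codes)
    if chosen is None:
        return None, record(ALERT, bytes([FATAL, HANDSHAKE_FAILURE]))
    return chosen, None


if __name__ == "__main__":
    hardened = ["rsa_aes_128_cbc_sha"]             # ciphersuite rsa_aes_128_cbc_sha
    print(negotiate(hardened, ["rsa_rc4_128_md5", "rsa_aes_128_cbc_sha"]))
    print(negotiate(hardened, ["rsa_rc4_128_md5"]))
```

With the server policy restricted to rsa_aes_128_cbc_sha, a client whose prefer-cipher is the default rsa_rc4_128_md5 still connects as long as it also offers the AES suite; a client that offers only RC4 receives the alert, which is the mismatch that display ssl server-policy reveals and the ciphersuite command resolves.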

 


Chapter 2  HTTPS Configuration

When configuring HTTPS, go to these sections for information you are interested in:

l           HTTPS Overview

l           HTTPS Configuration Task List

l           Associating the HTTPS Service with an SSL Server Policy

l           Enabling the HTTPS Service

l           Associating the HTTPS Service with a Certificate Attribute Access Control Policy

l           Associating the HTTPS Service with an ACL

l           Displaying and Maintaining HTTPS

l           HTTPS Configuration Example

2.1  HTTPS Overview

HTTP Secure (HTTPS) is the HTTP protocol carried over the Secure Sockets Layer (SSL) protocol.

Running HTTP over SSL strengthens the security of device management in the following ways:

l           SSL authenticates the device to the client and, when client authentication is enabled, the client to the device, so that only legitimate clients can reach the Web interface.

l           The data exchanged between the HTTPS client and the device is encrypted and integrity-protected, so management traffic cannot be read or altered in transit.

l           A certificate attribute-based access control policy lets the device restrict access according to the attributes of the client certificate, further limiting which authenticated clients can manage the device.

 

&  Note:

The total number of HTTP connections and HTTPS connections on a device cannot exceed five.

 

2.2  HTTPS Configuration Task List

Complete these tasks to configure HTTPS:

Associating the HTTPS Service with an SSL Server Policy: Required

Enabling the HTTPS Service: Required

Associating the HTTPS Service with a Certificate Attribute Access Control Policy: Optional

Associating the HTTPS Service with an ACL: Optional

 

2.3  Associating the HTTPS Service with an SSL Server Policy

You need to associate the HTTPS service with a created SSL server policy before enabling the HTTPS service.

Follow these steps to associate the HTTPS service with an SSL server policy:

Enter system view
    Command: system-view

Associate the HTTPS service with an SSL server policy
    Command: ip https ssl-server-policy policy-name
    Required. Not associated by default.

 

&  Note:

l      If the ip https ssl-server-policy command is executed repeatedly, the HTTPS service is only associated with the last specified SSL server policy.

l      When the HTTPS service is disabled, the association between the HTTPS service and the SSL server policy is automatically removed. To enable the service again, you need to re-associate it with an SSL server policy.

l      When the HTTPS service is enabled, no modification of its associated SSL server policy takes effect.

 

2.4  Enabling the HTTPS Service

The HTTPS service is disabled by default. Associate the SSL server policy first (see section 2.3) and then enable the service; the certificate attribute access control policy and ACL associations described in the following sections take effect only while the HTTPS service is enabled.

Follow these steps to enable the HTTPS service:

Enter system view
    Command: system-view

Enable the HTTPS service
    Command: ip https enable
    Required. Disabled by default.

 

&  Note:

l      After the HTTPS service is enabled, you can use the display ip https command to view the state of the HTTPS service and verify the configuration.

l      Enabling the HTTPS service triggers an SSL handshake negotiation. If the device already has a local certificate, the negotiation succeeds and the HTTPS service starts normally. If no local certificate exists, the negotiation triggers a certificate request, which takes considerable time, so the negotiation may fail and the HTTPS service may not start. In that case, execute the ip https enable command again once the certificate has been obtained, and repeat until display ip https shows the service running.

 

2.5  Associating the HTTPS Service with a Certificate Attribute Access Control Policy

Associating the HTTPS service with a configured certificate access control policy helps control the access right of the client, thus providing the device with enhanced security.

Follow these steps to associate the HTTPS service with a certificate attribute access control policy:

Enter system view
    Command: system-view

Associate the HTTPS service with a certificate attribute access control policy
    Command: ip https certificate access-control-policy policy-name
    Required. Not associated by default.

 

&  Note:

l      If the ip https certificate access-control-policy command is executed repeatedly, the HTTPS server is only associated with the last specified certificate attribute access control policy.

l      If the HTTPS service is associated with a certificate attribute access control policy, the client-verify enable command must be configured in the SSL server policy. Otherwise, the client cannot log onto the device.

l      If the HTTPS service is associated with a certificate attribute access control policy, the latter must contain at least one permit rule. Otherwise, no HTTPS client can log onto the device.

l       For the configuration of an SSL server policy, refer to Chapter 1 SSL Configuration; for the configuration of certificate attribute groups and certificate attribute access control policies, refer to PKI Configuration.

 

2.6  Associating the HTTPS Service with an ACL

Associating the HTTPS service with an ACL restricts which clients may connect: only requests that the ACL permits reach the HTTPS service, and requests from all other sources are dropped. Use this to limit Web management to known administrative subnets.

Follow these steps to associate the HTTPS service with an ACL:

Enter system view
    Command: system-view

Associate the HTTPS service with an ACL
    Command: ip https acl acl-number
    Required. Not associated by default.

 

&  Note:

If the ip https acl command is executed repeatedly, the HTTPS service is only associated with the last specified ACL.

 

2.7  Displaying and Maintaining HTTPS

Display information about HTTPS
    Command: display ip https
    Available in any view

 

2.8  HTTPS Configuration Example

I. Network requirements

l           Host acts as the HTTPS client and Switch acts as the HTTPS server.

l           Host accesses Switch through Web to control Switch.

l           A CA (certificate authority) issues a certificate to Switch. The common name of the CA is new-ca.

 

  Caution:

In this configuration example, Windows Server serves as the CA, and the Simple Certificate Enrollment Protocol (SCEP) component must be installed on it.

 

II. Network diagram

Figure 2-1 Network diagram for HTTPS configuration

III. Configuration procedure

Perform the following configurations on Switch:

1)         Request a certificate for Switch

# Configure a PKI entity.

<Switch> system-view

[Switch] pki entity en

[Switch-pki-entity-en] common-name http-server1

[Switch-pki-entity-en] fqdn ssl.security.com

[Switch-pki-entity-en] quit

# Configure a PKI domain.

[Switch] pki domain 1

[Switch-pki-domain-1] ca identifier ca1

[Switch-pki-domain-1] certificate request url http://10.1.2.2:8080/certsrv/mscep/mscep.dll

[Switch-pki-domain-1] certificate request from ra

[Switch-pki-domain-1] certificate request entity en

[Switch-pki-domain-1] quit

# Generate a key pair locally by using the RSA algorithm.

[Switch] public-key local create rsa

# Retrieve the CA certificate.

[Switch] pki retrieval-certificate ca domain 1

# Request a local certificate.

[Switch] pki request-certificate domain 1

2)         Configure an SSL server policy associated with the HTTPS service

# Configure SSL server policy.

[Switch] ssl server-policy myssl

[Switch-ssl-server-policy-myssl] pki-domain 1

[Switch-ssl-server-policy-myssl] client-verify enable

[Switch-ssl-server-policy-myssl] quit

3)         Configure certificate access control policy

# Configure certificate attribute group.

[Switch] pki certificate attribute-group mygroup1

[Switch-pki-cert-attribute-group-mygroup1] attribute 1 issuer-name dn ctn new-ca

[Switch-pki-cert-attribute-group-mygroup1] quit

# Configure certificate access control policy myacp and create a control rule.

[Switch] pki certificate access-control-policy myacp

[Switch-pki-cert-acp-myacp] rule 1 permit mygroup1

[Switch-pki-cert-acp-myacp] quit

4)         Reference an SSL server policy

# Associate the HTTPS service with the SSL server policy myssl.

[Switch] ip https ssl-server-policy myssl

5)         Associate the HTTPS service with a certificate attribute access control policy

# Associate the HTTPS service with a certificate attribute access control policy myacp.

[Switch] ip https certificate access-control-policy myacp

6)         Enable the HTTPS service

# Enable the HTTPS service.

[Switch] ip https enable

7)         Verify the configuration

Launch Internet Explorer on Host and enter https://10.1.1.1. You can log onto Switch and manage it. Because client-verify enable and the access control policy myacp are configured, Host must present a certificate whose issuer distinguished name contains new-ca; a certificate from any other issuer is rejected even if it is otherwise valid.

 

&  Note:

l      For details of PKI commands, refer to PKI Commands.

l      For details of the public-key local create rsa command, refer to SSH Commands.
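
The admission decision that the configuration in steps 3 to 6 produces, as an added Python model (not code from the H3C manual or from the switch). It stacks the three checks this chapter attaches to the HTTPS service in the order a request meets them: the ip https acl source filter, the client-verify enable requirement, and the certificate attribute access control policy, plus the five-connection limit from the note in section 2.1. The attribute group and rule mirror the example above (issuer DN containing new-ca, rule 1 permit mygroup1). Assumptions: the operator names ctn, nctn, equ and nequ follow H3C's PKI command syntax, of which only ctn appears on this page; a group matches when all of its attributes match; rules are evaluated in ascending rule number, the first match decides, and no match means deny (consistent with the caveat that a policy without a permit rule admits nobody); the ACL network 10.1.1.0/24 and the certificate DNs are constructed.

```python
"""Added example (not from the H3C manual): a model of the admission checks the
HTTPS service applies after this chapter's configuration, in the order a request
meets them: `ip https acl`, `client-verify enable`, and the certificate attribute
access control policy, with the five-connection limit from the note in 2.1."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


def dn_matches(value, op, needle):
    """One `attribute N {issuer-name|subject-name} dn OP value` test. Only the
    dn form is modelled; the operator names follow H3C's PKI syntax (assumption:
    only ctn appears in the manual's example)."""
    return {
        "ctn":  needle in value,        # contains
        "nctn": needle not in value,    # does not contain
        "equ":  value == needle,        # equals
        "nequ": value != needle,        # does not equal
    }[op]


@dataclass
class AttributeGroup:
    """pki certificate attribute-group NAME: a list of (field, op, value)."""
    attributes: list

    def matches(self, cert):
        # Assumption: a certificate matches a group only if every attribute matches.
        return all(dn_matches(cert[fld], op, val) for fld, op, val in self.attributes)


@dataclass
class AccessControlPolicy:
    """pki certificate access-control-policy NAME with `rule N permit|deny GROUP`."""
    groups: dict
    rules: list   # (rule_number, "permit" | "deny", group_name)

    def decide(self, cert):
        # Assumption: rules are tried in ascending number, the first match wins,
        # and no match means deny (hence the manual's warning that a policy
        # without a permit rule lets no client in).
        for _, action, group in sorted(self.rules):
            if self.groups[group].matches(cert):
                return action == "permit"
        return False


@dataclass
class HttpsService:
    acl_permit: list = field(default_factory=list)   # basic ACL: permitted source networks
    client_verify: bool = False                      # client-verify enable in the SSL server policy
    policy: Optional[AccessControlPolicy] = None     # ip https certificate access-control-policy
    max_connections: int = 5                         # HTTP + HTTPS connections combined
    active: int = 0

    def admit(self, src_ip, client_cert):
        """Return (admitted, reason) for one connection attempt. client_cert is a
        dict of DN strings, or None when the client presented no certificate."""
        if self.active >= self.max_connections:
            return False, "connection limit reached"
        src = ipaddress.ip_address(src_ip)
        if self.acl_permit and not any(src in ipaddress.ip_network(n) for n in self.acl_permit):
            return False, "source address denied by ACL"
        if self.client_verify and client_cert is None:
            return False, "client certificate required (client-verify enable)"
        if self.policy is not None:
            if not self.client_verify:
                # Manual: a policy without client-verify enable locks every client out.
                return False, "policy needs client-verify enable"
            if not self.policy.decide(client_cert):
                return False, "certificate attribute policy denied"
        return True, "admitted"


def example_switch():
    """The objects the HTTPS configuration example creates: group mygroup1
    (issuer DN contains new-ca), policy myacp with rule 1 permit mygroup1,
    client-verify enable. The ACL network is a constructed addition."""
    mygroup1 = AttributeGroup([("issuer-name", "ctn", "new-ca")])
    myacp = AccessControlPolicy(groups={"mygroup1": mygroup1},
                                rules=[(1, "permit", "mygroup1")])
    return HttpsService(acl_permit=["10.1.1.0/24"], client_verify=True, policy=myacp)


if __name__ == "__main__":
    switch = example_switch()
    # Constructed client certificates, reduced to the DN strings the policy inspects.
    issued_by_new_ca = {"issuer-name": "CN=new-ca,O=security", "subject-name": "CN=host"}
    issued_elsewhere = {"issuer-name": "CN=other-ca,O=security", "subject-name": "CN=host"}
    print(switch.admit("10.1.1.20", issued_by_new_ca))   # (True, 'admitted')
    print(switch.admit("10.1.1.20", issued_elsewhere))   # (False, 'certificate attribute policy denied')
    print(switch.admit("192.0.2.9", issued_by_new_ca))   # (False, 'source address denied by ACL')
```

The model makes the two caveats from section 2.5 visible: a policy attached without client-verify enable denies everyone, and a policy whose only rule is a deny (or no matching rule at all) denies everyone as well, so a working policy needs at least one permit rule that the intended administrators' certificates actually match.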

 
