Login
- Table of Contents
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 09-SSL Configuration | 100.01 KB |
Table of Contents
Configuring an SSL Server Policy
SSL Server Policy Configuration Example (for WA2600 Series APs)
Configuring an SSL Client Policy
Displaying and Maintaining SSL
l Support of the H3C WA series WLAN access points (APs) for features may vary by AP model. For more information, see Feature Matrix.
l The interface types and the number of interfaces vary by AP model.
l The term AP in this document refers to common APs, wireless bridges, and mesh APs.
l The models listed in this document are not applicable to all regions. Please consult your local sales office for the models applicable to your region.
This chapter includes these sections:
l Displaying and Maintaining SSL
SSL Overview
Secure Sockets Layer (SSL) is a security protocol that provides secure connection services for TCP-based application layer protocols, for example, HTTP protocol. It is widely used in E-business and online bank fields to ensure secure data transmission over the Internet.
SSL Security Mechanism
SSL provides these security services:
l Confidentiality: SSL uses a symmetric encryption algorithm to encrypt data and uses the asymmetric key algorithm of Rivest, Shamir, and Adelman (RSA) to encrypt the key to be used by the symmetric encryption algorithm.
l Authentication: SSL supports certificate-based identity authentication of the server and client by using the digital signatures, with the authentication of the client being optional. The SSL server and client obtain certificates from a certificate authority (CA) through the Public Key Infrastructure (PKI).
l Reliability: SSL uses the key-based message authentication code (MAC) to verify message integrity. A MAC algorithm transforms a message of any length to a fixed-length message. Figure 1-1 illustrates how SSL uses a MAC algorithm to verify message integrity. With the key, the sender uses the MAC algorithm to compute the MAC value of a message. Then, the sender suffixes the MAC value to the message and sends the result to the receiver. The receiver uses the same key and MAC algorithm to compute the MAC value of the received message, and compares the locally computed MAC value with that received. If the two matches, the receiver considers the message intact; otherwise, the receiver considers that the message has been tampered with in transit and discards the message.
Figure 1-1 Message integrity verification by a MAC algorithm
l For more information about symmetric key algorithms, asymmetric key algorithm RSA and digital signature, see Public Key in the Security Configuration Guide.
l For more information about PKI, certificate, and CA, see PKI in the Security Configuration Guide.
SSL Protocol Stack
As shown in Figure 1-2, the SSL protocol consists of two layers of protocols: the SSL record protocol at the lower layer and the SSL handshake protocol, change cipher spec protocol, and alert protocol at the upper layer.
l SSL handshake protocol: As a very important part of the SSL protocol stack, it is responsible for negotiating the cipher suite to be used during communication (including the symmetric encryption algorithm, key exchange algorithm, and MAC algorithm), exchanging the key between the server and client, and implementing identity authentication of the server and client. Through the SSL handshake protocol, a session is established between a client and the server. A session consists of a set of parameters, including the session ID, peer certificate, cipher suite, and master secret.
l SSL change cipher spec protocol: Used for notification between a client and the server that the subsequent packets are to be protected and transmitted based on the newly negotiated cipher suite and key.
l SSL alert protocol: Allowing a client and the server to send alert messages to each other. An alert message contains the alert severity level and a description.
l SSL record protocol: Fragmenting data to be transmitted, computing and adding MAC to the data, and encrypting the data before transmitting it to the peer end.
SSL Configuration Task List
Different parameters are required on the SSL server and the SSL client.
Complete the following tasks to configure SSL:
|
Task |
Remarks |
|
Required |
|
|
Optional |
Configuring an SSL Server Policy
An SSL server policy is a set of SSL parameters for a server to use when booting up. An SSL server policy takes effect only after it is associated with an application layer protocol, HTTP protocol, for example.
Configuration Prerequisites
When configuring an SSL server policy, you need to specify the PKI domain to be used for obtaining the server side certificate. Therefore, before configuring an SSL server policy, you must configure a PKI domain. For more information about PKI domain configuration, see PKI in the Security Configuration Guide.
Configuration Procedure
Follow these steps to configure an SSL server policy:
|
To do... |
Use the command... |
Remarks |
|
Enter system view |
system-view |
— |
|
Create an SSL server policy and enter its view |
ssl server-policy policy-name |
Required |
|
Specify a PKI domain for the SSL server policy |
pki-domain domain-name |
Required By default, no PKI domain is specified for an SSL server policy. |
|
Specify the cipher suite(s) for the SSL server policy to support |
ciphersuite [ rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha ] * |
Optional By default, an SSL server policy supports all cipher suites. |
|
Set the handshake timeout time for the SSL server |
handshake timeout time |
Optional 3,600 seconds by default |
|
Configure the SSL connection close mode |
close-mode wait |
Optional Not wait by default |
|
Set the maximum number of cached sessions and the caching timeout time |
session { cachesize size | timeout time } * |
Optional The defaults are as follows: 500 for the maximum number of cached sessions, 3600 seconds for the caching timeout time. |
|
Enable certificate-based SSL client authentication |
client-verify enable |
Optional Not enabled by default |
l If you enable client authentication here, you must request a local certificate for the client.
l Currently, SSL mainly comes in these versions: SSL 2.0, SSL 3.0, and TLS 1.0, where TLS 1.0 corresponds to SSL 3.1. When the AP acts as an SSL server, it can communicate with clients running SSL 3.0 or TLS 1.0, and can identify Hello packets from clients running SSL 2.0. If a client running SSL 2.0 also supports SSL 3.0 or TLS 1.0 (information about supported versions is carried in the packet that the client sends to the server), the server will notify the client to use SSL 3.0 or TLS 1.0 to communicate with the server.
SSL Server Policy Configuration Example (for WA2600 Series APs)
Network requirements
l AP works as the HTTPS server.
l A host works as the client and accesses the HTTPS server through HTTP secured with SSL.
l A CA issues a certificate to AP.
In this instance, Windows Server works as the CA and the Simple Certificate Enrollment Protocol (SCEP) plug-in is installed on the CA.
Figure 1-3 Network diagram for SSL server policy configuration
Configuration procedure
1) Request a certificate for AP
# Create a PKI entity named en and configure it.
<AP> system-view
[AP] pki entity en
[AP-pki-entity-en] common-name http-server1
[AP-pki-entity-en] fqdn ssl.security.com
[AP-pki-entity-en] quit
# Create a PKI domain and configure it.
[AP] pki domain 1
[AP-pki-domain-1] ca identifier ca1
[AP-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll
[AP-pki-domain-1] certificate request from ra
[AP-pki-domain-1] certificate request entity en
[AP-pki-domain-1] quit
# Create the local RSA key pairs.
[AP] public-key local create rsa
# Retrieve the CA certificate.
[AP] pki retrieval-certificate ca domain 1
# Request a local certificate.
[AP] pki request-certificate domain 1
2) Configure an SSL server policy
# Create an SSL server policy named myssl.
[AP] ssl server-policy myssl
# Specify the PKI domain for the SSL server policy as 1.
[AP-ssl-server-policy-myssl] pki-domain 1
# Enable client authentication.
[AP-ssl-server-policy-myssl] client-verify enable
[AP-ssl-server-policy-myssl] quit
3) Associate HTTPS service with the SSL server policy and enable HTTPS service
# Configure HTTPS service to use SSL server policy myssl.
[AP] ip https ssl-server-policy myssl
# Enable HTTPS service.
[AP] ip https enable
4) Verify your configuration
Launch IE on the host and enter https://10.1.1.1 in the address bar. You should be able to log in to AP and manage it.
l For more information about PKI configuration commands, see PKI in the Security Command Reference.
l For more information about the public-key local create rsa command, see Public Key in the Security Command Reference.
l For more information about HTTPS, see HTTP in the Fundamentals Configuration Guide.
Configuring an SSL Client Policy
An SSL client policy is a set of SSL parameters for a client to use when connecting to the server. An SSL client policy takes effect only after it is associated with an application layer protocol.
Configuration Prerequisites
If the SSL server is configured to authenticate the SSL client, when configuring the SSL client policy, you need to specify the PKI domain to be used for obtaining the certificate of the client. Therefore, before configuring an SSL client policy, you must configure a PKI domain. For more information about PKI domain configuration, see PKI in the Security Configuration Guide.
Configuration Procedure
Follow these steps to configure an SSL client policy:
|
Use the command… |
Remarks |
|
|
Enter system view |
system-view |
— |
|
Create an SSL client policy and enter its view |
ssl client-policy policy-name |
Required |
|
Specify a PKI domain for the SSL client policy |
pki-domain domain-name |
Optional No PKI domain is configured by default. |
|
Specify the preferred cipher suite for the SSL client policy |
prefer-cipher { rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha } |
Optional rsa_rc4_128_md5 by default |
|
Specify the SSL protocol version for the SSL client policy |
version { ssl3.0 | tls1.0 } |
Optional TLS 1.0 by default |
If you enable client authentication on the server, you must request a local certificate for the client.
Displaying and Maintaining SSL
|
To do… |
Use the command… |
Remarks |
|
Display SSL server policy information |
display ssl server-policy { policy-name | all } |
Available in any view |
|
Display SSL client policy information |
display ssl client-policy { policy-name | all } |
Troubleshooting SSL
SSL Handshake Failure
Symptom
As the SSL server, the AP fails to handshake with the SSL client.
Analysis
SSL handshake failure may result from the following causes:
l No SSL server certificate exists, or the certificate is not trusted.
l The server is expected to authenticate the client, but the SSL client has no certificate or the certificate is not trusted.
l The cipher suites used by the server and the client do not match.
Solution
1) You can issue the debugging ssl command and view the debugging information to locate the problem:
l If the SSL server has no certificate, request one for it.
l If the server certificate cannot be trusted, install on the SSL client the root certificate of the CA that issues the local certificate to the SSL server, or let the server requests a certificate from the CA that the SSL client trusts.
l If the SSL server is configured to authenticate the client, but the certificate of the SSL client does not exist or cannot be trusted, request and install a certificate for the client.
2) You can use the display ssl server-policy command to view the cipher suite used by the SSL server policy. If the cipher suite used by the SSL server does not match that used by the client, use the ciphersuite command to modify the cipher suite of the SSL server.
