Certificate attribute access control policy configuration example

Network requirements

The client accesses the remote HTTP Secure (HTTPS) server through the HTTPS protocol.

Configure SSL to make sure that only legal clients log into the HTTPS server, and create a certificate attribute access control policy to control access to the HTTPS server.

Figure 73: Network diagram

Configuration procedure

The configuration procedure involves SSL configuration and HTTPS configuration. For more information about SSL configuration, see "Configuring SSL." For more information about HTTPS configuration, see Fundamentals Configuration Guide.

The PKI domain to be referenced by the SSL policy must exist. For how to configure a PKI domain, see "Configure the PKI domain:."

The configuration procedure is as follows:

  • Configure the HTTPS server:

  • # Configure the SSL policy for the HTTPS server to use.

    <Device> system-view
    [Device] ssl server-policy myssl
    [Device-ssl-server-policy-myssl] pki-domain 1
    [Device-ssl-server-policy-myssl] client-verify enable
    [Device-ssl-server-policy-myssl] quit
    
  • Configure the certificate attribute group:

  • # Create certificate attribute group mygroup1 and add two attribute rules. The first rule defines that the DN of the subject name includes the string aabbcc, and the second rule defines that the IP address of the certificate issuer is 10.0.0.1.

    [Device] pki certificate attribute-group mygroup1
    [Device-pki-cert-attribute-group-mygroup1] attribute 1 subject-name dn ctn aabbcc
    [Device-pki-cert-attribute-group-mygroup1] attribute 2 issuer-name ip equ 10.0.0.1
    [Device-pki-cert-attribute-group-mygroup1] quit
    

    # Create certificate attribute group mygroup2 and add two attribute rules. The first rule defines that the FQDN of the alternative subject name does not include the string of apple, and the second rule defines that the DN of the certificate issuer name includes the string aabbcc.

    [Device] pki certificate attribute-group mygroup2
    [Device-pki-cert-attribute-group-mygroup2] attribute 1 alt-subject-name fqdn nctn apple
    [Device-pki-cert-attribute-group-mygroup2] attribute 2 issuer-name dn ctn aabbcc
    [Device-pki-cert-attribute-group-mygroup2] quit
    
  • Create a certificate attribute access control policy named myacp and add two access control rules.

  • [Device] pki certificate access-control-policy myacp
    [Device-pki-cert-acp-myacp] rule 1 deny mygroup1
    [Device-pki-cert-acp-myacp] rule 2 permit mygroup2
    [Device-pki-cert-acp-myacp] quit
    
  • Apply the SSL server policy and certificate attribute access control policy to HTTPS service and enable HTTPS service:

  • # Apply SSL server policy myssl to HTTPS service.

    [Device] ip https ssl-server-policy myssl
    

    # Apply the certificate attribute access control policy of myacp to HTTPS service.

    [Device] ip https certificate access-control-policy myacp
    

    # Enable HTTPS service.

    [Device] ip https enable