SSL server policy configuration example

Network requirements

As shown in Figure 96, users need to access and control the device through web pages.

To protect the device and to make sure that management traffic cannot be eavesdropped on or tampered with, configure the device so that users must use HTTPS (Hypertext Transfer Protocol Secure, HTTP carried over SSL) to log in to its web interface.

Figure 96: Network diagram

Configuration considerations

To achieve the goal, perform the following configurations:

Configuration procedure

In this example, Windows Server works as the CA server and the Simple Certificate Enrollment Protocol (SCEP) plug-in is installed on the CA server.

Before performing the following configurations, make sure the switch, the host, and the CA server can reach each other.

  • Configure the HTTPS server (Device):

    # Create a PKI entity named en, and configure the common name as http-server1 and the FQDN as ssl.security.com.

    <Device> system-view
    [Device] pki entity en
    [Device-pki-entity-en] common-name http-server1
    [Device-pki-entity-en] fqdn ssl.security.com
    [Device-pki-entity-en] quit
    

    # Create PKI domain 1, specify the trusted CA as ca server, the URL of the registration server as http://10.1.2.2/certsrv/mscep/mscep.dll, the authority for certificate request as RA, and the entity for certificate request as en.

    [Device] pki domain 1
    [Device-pki-domain-1] ca identifier ca server
    [Device-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll
    [Device-pki-domain-1] certificate request from ra
    [Device-pki-domain-1] certificate request entity en
    [Device-pki-domain-1] quit
    

    # Create the local RSA key pairs.

    [Device] public-key local create rsa
    

    # Retrieve the CA certificate.

    [Device] pki retrieval-certificate ca domain 1
    

    # Request a local certificate for Device.

    [Device] pki request-certificate domain 1
    

    # Create an SSL server policy named myssl.

    [Device] ssl server-policy myssl
    

    # Specify the PKI domain for the SSL server policy as 1.

    [Device-ssl-server-policy-myssl] pki-domain 1
    

    # Enable client authentication, so that the device requires each client to present a certificate and verifies it against the CA certificate of the PKI domain bound to the policy.

    [Device-ssl-server-policy-myssl] client-verify enable
    [Device-ssl-server-policy-myssl] quit
    

    # Configure HTTPS service to use SSL server policy myssl.

    [Device] ip https ssl-server-policy myssl
    

    # Enable HTTPS service.

    [Device] ip https enable
    

    # Create a local user named usera, set the password to 123 (an example value only; use a strong password on a production device), and set the service type to web.

    [Device] local-user usera
    [Device-luser-usera] password simple 123
    [Device-luser-usera] service-type web
    [Device-luser-usera] quit
    
  • Configure the HTTPS client (Host):

    On Host, launch IE, enter http://10.1.2.2/certsrv in the address bar, and request a certificate for Host as prompted.

  • Verify your configuration:

    Launch IE on Host, enter https://10.1.1.1 in the address bar, and, when the browser prompts for a client certificate, select the certificate issued by the CA server. The web interface of the switch should appear. After entering username usera and password 123, you should be able to log in to the web interface to access and manage the switch. A browser that holds no certificate from this CA should not reach the login page at all, because the SSL handshake fails before HTTP starts.

    For more information about PKI configuration commands, see "Configuring PKI."

    For more information about the public-key local create rsa command, see Security Command Reference.

    For more information about HTTPS, see Fundamentals Configuration Guide.
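The settings that matter for this example are easy to lose in a long running configuration: the SSL server policy must carry a PKI domain and client-verify, the HTTPS service must be bound to that policy and enabled, and the local user's password should not sit in the configuration as plaintext (the simple keyword stores it in clear; the cipher keyword stores it encrypted). The following Python script is an added example, not vendor code and not part of the original page: it parses a Comware-style configuration excerpt (flush-left commands open a view, lines indented by one space belong to that view, "#" lines are separators) and reports which of those settings are missing or weak. Both configuration texts in the script are constructed from the commands shown above; the finding codes and the cipher placeholder are assumptions of this example.

```python
"""Audit a Comware-style configuration excerpt for the HTTPS settings used in the
SSL server policy example. Added illustration, not vendor code."""

import re

# Constructed sample: the hardened configuration from the example, with the
# password stored using the cipher keyword (the ciphertext is a placeholder).
HARDENED_CONFIG = """\
#
pki entity en
 common-name http-server1
 fqdn ssl.security.com
#
pki domain 1
 ca identifier ca server
 certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll
 certificate request from ra
 certificate request entity en
#
ssl server-policy myssl
 pki-domain 1
 client-verify enable
#
ip https ssl-server-policy myssl
ip https enable
#
local-user usera
 password cipher PLACEHOLDER_CIPHERTEXT
 service-type web
#
"""

# Constructed sample: the same device with client-verify omitted, the policy
# never bound to the HTTPS service, and the password kept as plaintext.
WEAK_CONFIG = """\
#
ssl server-policy myssl
 pki-domain 1
#
ip https enable
#
local-user usera
 password simple 123
 service-type web
#
"""


def parse_contexts(text):
    """Return a list of (view_header, [sub_commands]).

    Flush-left lines open a new view; lines indented by one space are the
    commands entered in the most recent view; '#' lines are separators.
    """
    contexts = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "#":
            continue
        if raw.startswith(" "):
            if contexts:
                contexts[-1][1].append(stripped)
        else:
            contexts.append((stripped, []))
    return contexts


def audit_https(text):
    """Return a sorted list of finding codes for the HTTPS-related settings."""
    findings = []
    policies = {}        # policy name -> sub-commands in ssl server-policy view
    bound_policy = None  # policy named by 'ip https ssl-server-policy'
    https_enabled = False

    for header, subs in parse_contexts(text):
        m = re.fullmatch(r"ssl server-policy (\S+)", header)
        if m:
            policies[m.group(1)] = subs
            continue
        m = re.fullmatch(r"ip https ssl-server-policy (\S+)", header)
        if m:
            bound_policy = m.group(1)
            continue
        if header == "ip https enable":
            https_enabled = True
            continue
        m = re.fullmatch(r"local-user (\S+)", header)
        # 'password simple' keeps the password in clear in the configuration.
        if m and any(s.startswith("password simple ") for s in subs):
            findings.append(f"PLAINTEXT_PASSWORD:{m.group(1)}")

    if not policies:
        findings.append("NO_SSL_POLICY")
    for name, subs in policies.items():
        if not any(s.startswith("pki-domain ") for s in subs):
            findings.append(f"POLICY_NO_PKI_DOMAIN:{name}")
        if "client-verify enable" not in subs:
            findings.append(f"POLICY_NO_CLIENT_VERIFY:{name}")
    # The policy only takes effect once the HTTPS service references it.
    if bound_policy is None or bound_policy not in policies:
        findings.append("HTTPS_POLICY_UNBOUND")
    if not https_enabled:
        findings.append("HTTPS_DISABLED")
    return sorted(findings)


if __name__ == "__main__":
    print("hardened:", audit_https(HARDENED_CONFIG))
    print("weak:    ", audit_https(WEAK_CONFIG))
```

Run it against the text of display current-configuration (or a saved configuration file) to check the device after the procedure above; an empty finding list for the hardened sample and three findings for the weak one show which lines of the example carry the security effect.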