Configuring an access control policy
A certificate attribute-based access control policy lets you further control access to the server, which provides additional security for it.
To configure a certificate attribute-based access control policy:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a certificate attribute group and enter its view. | pki certificate attribute-group group-name | No certificate attribute group exists by default. |
3. Configure an attribute rule for the certificate issuer name, certificate subject name, or alternative subject name. | attribute id { alt-subject-name { fqdn \| ip } \| { issuer-name \| subject-name } { dn \| fqdn \| ip } } { ctn \| equ \| nctn \| nequ } attribute-value | Optional. No restriction exists on the issuer name, certificate subject name and alternative subject name by default. |
4. Return to system view. | quit | N/A |
5. Create a certificate attribute-based access control policy and enter its view. | pki certificate access-control-policy policy-name | No access control policy exists by default. |
6. Configure a certificate attribute-based access control rule. | rule [ id ] { deny \| permit } group-name | No access control rule exists by default. A certificate attribute group must exist to be associated with a rule. |
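
The six steps above as one command sequence. This is an added example, not taken from the original documentation. The group names, policy name, rule IDs and attribute values are constructed placeholders, and ctn and equ are read here as "contains" and "equals".

```text
# Lines starting with "#" are annotations, not commands.
# All names, rule IDs and attribute values below are constructed placeholders.

# Step 1: enter system view.
system-view

# Steps 2-4: group describing the certificates you intend to accept.
# Subject DN contains "example-corp"; issuer DN contains "example-ca".
pki certificate attribute-group trusted-clients
attribute 1 subject-name dn ctn example-corp
attribute 2 issuer-name dn ctn example-ca
quit

# Steps 2-4 again: group describing the certificates you intend to reject.
# Alternative subject name (FQDN form) equals a test host name.
pki certificate attribute-group test-hosts
attribute 1 alt-subject-name fqdn equ test.example.com
quit

# Step 5: create the access control policy and enter its view.
pki certificate access-control-policy server-acp

# Step 6: associate each group with an action.
rule 1 deny test-hosts
rule 2 permit trusted-clients
```

Both attribute groups are created before the policy because a rule can only reference a group that already exists.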