Configuring an access control policy

By configuring a certificate attribute-based access control policy, you can restrict which certificate holders may access the server, based on attributes in their certificates, adding a further layer of protection for the server.

To configure a certificate attribute-based access control policy:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Create a certificate attribute group and enter its view.
    Command: pki certificate attribute-group group-name
    Remarks: No certificate attribute group exists by default.

Step 3. Configure an attribute rule for the certificate issuer name, certificate subject name, or alternative subject name.
    Command: attribute id { alt-subject-name { fqdn | ip } | { issuer-name | subject-name } { dn | fqdn | ip } } { ctn | equ | nctn | nequ } attribute-value
    Remarks: Optional. No restriction exists on the issuer name, certificate subject name, or alternative subject name by default.

Step 4. Return to system view.
    Command: quit
    Remarks: N/A

Step 5. Create a certificate attribute-based access control policy and enter its view.
    Command: pki certificate access-control-policy policy-name
    Remarks: No access control policy exists by default.

Step 6. Configure a certificate attribute-based access control rule.
    Command: rule [ id ] { deny | permit } group-name
    Remarks: No access control rule exists by default. A certificate attribute group must already exist before it can be associated with a rule.
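The procedure above carried through end to end, as an added example that is not taken from the vendor documentation: two attribute groups are defined with the commands shown, and a policy denies one group before permitting the other. The group names, policy name, and attribute values are made up, and the example assumes that a certificate matches a group only when it satisfies every attribute rule in that group and that rules are checked in ascending ID order with the first match deciding the result.

```text
# Step 1: enter system view
system-view

# Step 2-4: group for clients issued by the internal CA under the
# Example organization (assumption: both attribute rules must match)
pki certificate attribute-group trusted-clients
 attribute 1 subject-name dn ctn O=Example
 attribute 2 issuer-name dn ctn CN=Example-Internal-CA
 quit

# Step 2-4: group for retired devices identified by subject FQDN suffix
pki certificate attribute-group retired-devices
 attribute 1 subject-name fqdn ctn .retired.example.com
 quit

# Step 5-6: policy; deny the retired group first so a retired device that
# also carries O=Example cannot be admitted by the later permit rule
# (assumption: rules are evaluated in ascending ID order, first match wins)
pki certificate access-control-policy server-access
 rule 1 deny retired-devices
 rule 2 permit trusted-clients
 quit
```

Certificates that match neither group fall through both rules, so the behaviour for an unmatched certificate is defined by the policy's default, which this page does not state; check the platform documentation before relying on it.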