Certificate attribute-based access control policy configuration

Network requirements

The client accesses the remote Hypertext Transfer Protocol Secure (HTTPS) server through the HTTPS protocol.

Configure SSL to make sure only legal clients log into the HTTPS server. Create a certificate attribute-based access control policy to control access to the HTTPS server.

Figure 83: Network diagram

Configuration procedure

For more information about SSL configuration, see "Configuring SSL."

For more information about HTTPS configuration, see Fundamentals Configuration Guide.


[NOTE: ]

NOTE:

The PKI domain to be referenced by the SSL policy must be created in advance. For how to configure a PKI domain, see "Configuring a PKI domain."


  • Configure the SSL policy for the HTTPS server to use.

  • <Device> system-view
    [Device] ssl server-policy myssl
    [Device-ssl-server-policy-myssl] pki-domain 1
    [Device-ssl-server-policy-myssl] client-verify enable
    [Device-ssl-server-policy-myssl] quit
    
  • Configure the certificate attribute group.

  • # Create certificate attribute group mygroup1 and add two attribute rules. The first rule defines that the DN of the subject name includes the string aabbcc. The second rule defines that the IP address of the certificate issuer is 10.0.0.1.

    [Device] pki certificate attribute-group mygroup1
    [Device-pki-cert-attribute-group-mygroup1] attribute 1 subject-name dn ctn aabbcc
    [Device-pki-cert-attribute-group-mygroup1] attribute 2 issuer-name ip equ 10.0.0.1
    [Device-pki-cert-attribute-group-mygroup1] quit
    

    # Create certificate attribute group mygroup2 and add two attribute rules. The first rule defines that the FQDN of the alternative subject name does not include the string of apple. The second rule defines that the DN of the certificate issuer name includes the string aabbcc.

    [Device] pki certificate attribute-group mygroup2
    [Device-pki-cert-attribute-group-mygroup2] attribute 1 alt-subject-name fqdn nctn apple
    [Device-pki-cert-attribute-group-mygroup2] attribute 2 issuer-name dn ctn aabbcc
    [Device-pki-cert-attribute-group-mygroup2] quit
    
  • Create the certificate attribute-based access control policy of myacp and add two access control rules.

  • [Device] pki certificate access-control-policy myacp
    [Device-pki-cert-acp-myacp] rule 1 deny mygroup1
    [Device-pki-cert-acp-myacp] rule 2 permit mygroup2
    [Device-pki-cert-acp-myacp] quit
    
  • Apply the SSL server policy and certificate attribute-based access control policy to HTTPS service and enable HTTPS service.

  • # Apply SSL server policy myssl to HTTPS service.

    [Device] ip https ssl-server-policy myssl
    

    # Apply the certificate attribute-based access control policy of myacp to HTTPS service.

    [Device] ip https certificate access-control-policy myacp
    

    # Enable HTTPS service.

    [Device] ip https enable