Operation Manual – SSL-HTTPS
H3C S3610&S5510 Series Ethernet Switches

Table of Contents
Chapter 1 SSL Configuration.......................................................................................................1-1
1.1 SSL Overview....................................................................................................................1-1
1.2 SSL Configuration Task List..............................................................................................1-2
1.3 Configuring an SSL Server Policy .....................................................................................1-2
1.3.1 Configuration Prerequisites.....................................................................................1-2
1.3.2 Configuration Procedure.........................................................................................1-2
1.3.3 SSL Server Policy Configuration Example..............................................................1-3
1.4 Configuring an SSL Client Policy.......................................................................................1-5
1.4.1 Configuration Prerequisites.....................................................................................1-5
1.4.2 Configuration Procedure.........................................................................................1-6
1.5 Displaying and Maintaining SSL........................................................................................1-6
1.6 Troubleshooting SSL .........................................................................................................1-6
1.6.1 SSL Handshake Failure..........................................................................................1-6
Chapter 2 HTTPS Configuration ..................................................................................................2-1
2.1 HTTPS Overview...............................................................................................................2-1
2.2 HTTPS Configuration Task List.........................................................................................2-1
2.3 Associating the HTTPS Service with an SSL Server Policy..............................................2-2
2.4 Enabling the HTTPS Service.............................................................................................2-2
2.5 Associating the HTTPS Service with a Certificate Attribute Access Control Policy..........2-3
2.6 Associating the HTTPS Service with an ACL....................................................................2-4
2.7 Displaying and Maintaining HTTPS...................................................................................2-4
2.8 HTTPS Configuration Example..........................................................................................2-5
Chapter 1 SSL Configuration
When configuring SSL, go to these sections for information you are interested in:
• SSL Overview
• SSL Configuration Task List
• Displaying and Maintaining SSL
• Troubleshooting SSL
1.1 SSL Overview
Secure Sockets Layer (SSL) is a security protocol that provides a secure connection
service for TCP-based application layer protocols such as HTTP. It is widely used in
e-commerce and online banking to provide secure data transmission over the Internet.
SSL provides these security services:
• Confidentiality: SSL encrypts data using a symmetric encryption algorithm and the
key generated during the handshake phase.
• Authentication: SSL supports authenticating both the server and the client through
certificates, with the authentication of the client being optional.
• Reliability: SSL uses a key-based message authentication code (MAC) to verify
message integrity.
As shown in Figure 1-1, the SSL protocol consists of two layers of protocols: the SSL
record protocol at the lower layer and the SSL handshake protocol, change cipher spec
protocol, and alert protocol at the upper layer.
Figure 1-1 SSL protocol stack
• SSL handshake protocol: Responsible for establishing a session between a client
and the server. A session consists of a set of parameters such as the session ID,
peer certificate, cipher suite (including key exchange algorithm, data encryption
algorithm and MAC algorithm), compression algorithm, and master key. An SSL
session can be used to establish multiple connections, reducing session
negotiation cost.
• SSL change cipher spec protocol: Used for notification between a client and the
server that the subsequent packets are to be protected and transmitted based on
the newly negotiated cipher suite and key.
• SSL alert protocol: Allows a client and the server to send alert messages to each
other. An alert message contains the alert severity level and a description.
• SSL record protocol: Fragments and compresses data to be transmitted,
calculates and adds a MAC to the data, and encrypts the data before
transmitting it to the peer end.
1.2 SSL Configuration Task List
Different parameters are required on the SSL server and the SSL client.
Complete the following tasks to configure SSL:
• Configuring an SSL Server Policy (required)
• Configuring an SSL Client Policy (optional)
1.3 Configuring an SSL Server Policy
An SSL server policy is a set of SSL parameters for a server to use when booting up. An
SSL server policy takes effect only after it is associated with an application layer
protocol such as HTTP.
1.3.1 Configuration Prerequisites
Before configuring an SSL server policy, you must configure a PKI (public key
infrastructure) domain.
1.3.2 Configuration Procedure
Follow these steps to configure an SSL server policy:
1) Enter system view: system-view
2) Create an SSL server policy and enter its view: ssl server-policy policy-name
(required)
3) Specify a PKI domain for the SSL server policy: pki-domain domain-name
(required; by default, no PKI domain is specified for an SSL server policy)
4) Specify the cipher suite(s) for the SSL server policy to support:
ciphersuite [ rsa_aes_128_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha ] *
(optional; by default, an SSL server policy supports all cipher suites)
5) Set the handshake timeout time for the SSL server: handshake timeout time
(optional; 3,600 seconds by default)
6) Configure the SSL connection close mode: close-mode wait
(optional; not wait by default)
7) Set the maximum number of cached sessions and the caching timeout time:
session { cachesize size | timeout time } *
(optional; the defaults are 500 for the maximum number of cached sessions and
3,600 seconds for the caching timeout time)
8) Enable certificate-based SSL client authentication: client-verify enable
(optional; not enabled by default)
Note:
If you enable client authentication here, you must request a local certificate for the
client.
1.3.3 SSL Server Policy Configuration Example
I. Network requirements
• A switch works as the HTTPS server.
• A host works as the client and accesses the HTTPS server through HTTP secured
with SSL.
• A certificate authority (CA) issues a certificate to the switch.
Caution:
In this instance, Windows Server works as the CA and the Simple Certificate
Enrollment Protocol (SCEP) plug-in is installed on the CA.
II. Network diagram
Figure 1-2 Network diagram for SSL server policy configuration
III. Configuration procedure
1) Request a certificate for the switch
# Create a PKI entity named en and configure it.
<Sysname> system-view
[Sysname] pki entity en
[Sysname-pki-entity-en] common-name http-server1
[Sysname-pki-entity-en] fqdn ssl.security.com
[Sysname-pki-entity-en] quit
# Create a PKI domain and configure it.
[Sysname] pki domain 1
[Sysname-pki-domain-1] ca identifier ca1
[Sysname-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll
[Sysname-pki-domain-1] certificate request from ra
[Sysname-pki-domain-1] certificate request entity en
[Sysname-pki-domain-1] quit
# Create a local key pair through RSA.
[Sysname] public-key local create rsa
# Retrieve the CA certificate.
[Sysname] pki retrieval-certificate ca domain 1
# Request a local certificate.
[Sysname] pki request-certificate domain 1
2) Configure an SSL server policy
# Create an SSL server policy named myssl.
[Sysname] ssl server-policy myssl
# Specify the PKI domain for the SSL server policy as 1.
[Sysname-ssl-server-policy-myssl] pki-domain 1
# Enable client authentication.
[Sysname-ssl-server-policy-myssl] client-verify enable
[Sysname-ssl-server-policy-myssl] quit
3) Associate HTTPS service with the SSL server policy and enable HTTPS service
# Configure HTTPS service to use SSL server policy myssl.
[Sysname] ip https ssl-server-policy myssl
# Enable HTTPS service.
[Sysname] ip https enable
4) Verify your configuration
Launch IE on the host and enter https://10.1.1.1 in the address bar. You should be able
to log in to the switch and manage it.
Note:
• For details about PKI configuration commands, refer to PKI Commands.
• For details about the public-key local create rsa command, refer to SSH
Commands.
1.4 Configuring an SSL Client Policy
An SSL client policy is a set of SSL parameters for a client to use when connecting to
the server. An SSL client policy takes effect only after it is associated with an application
layer protocol.
1.4.1 Configuration Prerequisites
Before configuring an SSL client policy, you must configure a PKI domain. For details
about PKI domain configuration, refer to PKI Configuration.
1.4.2 Configuration Procedure
Follow these steps to configure an SSL client policy:
1) Enter system view: system-view
2) Create an SSL client policy and enter its view: ssl client-policy policy-name
(required)
3) Specify a PKI domain for the SSL client policy: pki-domain domain-name
(required; no PKI domain is configured by default)
4) Specify the preferred cipher suite for the SSL client policy:
prefer-cipher { rsa_aes_128_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha }
(optional; rsa_rc4_128_md5 by default)
5) Specify the SSL protocol version for the SSL client policy: version { ssl3.0 | tls1.0 }
(optional; TLS 1.0 by default)
Note:
If you enable client authentication on the server, you must request a local certificate for
the client.
1.5 Displaying and Maintaining SSL
• Display SSL server policy information: display ssl server-policy { policy-name | all }
(available in any view)
• Display SSL client policy information: display ssl client-policy { policy-name | all }
(available in any view)
1.6 Troubleshooting SSL
1.6.1 SSL Handshake Failure
I. Symptom
As the SSL server, the device fails to handshake with the SSL client.
II. Analysis
SSL handshake failure may result from the following causes:
• No SSL server certificate exists, or the certificate is not trusted.
• The server is expected to authenticate the client, but the SSL client has no
certificate or the certificate is not trusted.
• The cipher suites used by the server and the client do not match.
III. Solution
1) You can issue the debugging ssl command and view the debugging information
to locate the problem:
• If the SSL server has no certificate, request one for it.
• If the server certificate cannot be trusted, install on the SSL client the root
certificate of the CA that issued the local certificate to the SSL server, or have the
server request a certificate from a CA that the SSL client trusts.
• If the SSL server is configured to authenticate the client, but the certificate of the
SSL client does not exist or cannot be trusted, request and install a certificate for
the client.
2) You can use the display ssl server-policy command to view the cipher suite
used by the SSL server policy. If the cipher suite used by the SSL server does not
match that used by the client, use the ciphersuite command to modify the cipher
suite of the SSL server.
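The checks above (a server policy needs a PKI domain and a local certificate, the client must trust the issuing CA, client-verify requires a trusted client certificate, and the client's preferred suite must be among the server's suites) modelled as an offline pre-flight check. This is an added example, not code from the manual or from the switch software; the policy fields, the trust model (the server trusts certificates issued by the CA of its own PKI domain) and the weak-suite assessment are assumptions of the example.

```python
"""Pre-flight check of an SSL server policy against an SSL client policy.

Added example, not part of the manual. It models the four suites accepted
by ciphersuite / prefer-cipher, the server default of supporting all of
them, the client default of rsa_rc4_128_md5, and the three handshake
failure causes listed under Troubleshooting SSL. Field names and the trust
model are assumptions of this example.
"""
from __future__ import annotations
from dataclasses import dataclass

ALL_SUITES = frozenset({"rsa_aes_128_cbc_sha", "rsa_des_cbc_sha",
                        "rsa_rc4_128_md5", "rsa_rc4_128_sha"})
# Suites relying on DES, RC4 or MD5: an assessment added here, not the manual's.
WEAK_SUITES = frozenset({"rsa_des_cbc_sha", "rsa_rc4_128_md5", "rsa_rc4_128_sha"})


@dataclass
class ServerPolicy:
    pki_domain: str | None = None          # pki-domain domain-name (required)
    ciphersuites: frozenset = ALL_SUITES   # ciphersuite ...; default: all suites
    client_verify: bool = False            # client-verify enable
    has_local_cert: bool = False           # pki request-certificate succeeded
    ca_name: str = ""                      # CA that issued the local certificate


@dataclass
class ClientPolicy:
    prefer_cipher: str = "rsa_rc4_128_md5"  # prefer-cipher default
    trusted_cas: frozenset = frozenset()    # root certificates installed on the client
    has_local_cert: bool = False
    ca_name: str = ""                       # CA that issued the client certificate


def handshake_problems(server: ServerPolicy, client: ClientPolicy) -> list[str]:
    """Return the troubleshooting causes that apply; an empty list means none found."""
    bad = (server.ciphersuites - ALL_SUITES) | ({client.prefer_cipher} - ALL_SUITES)
    if bad:
        raise ValueError(f"unknown cipher suite(s): {sorted(bad)}")
    problems = []
    if server.pki_domain is None:
        problems.append("no PKI domain specified for the SSL server policy")
    if not server.has_local_cert:
        problems.append("no SSL server certificate exists")
    elif server.ca_name not in client.trusted_cas:
        problems.append("server certificate is not trusted by the client")
    if server.client_verify:
        if not client.has_local_cert:
            problems.append("client authentication enabled but client has no certificate")
        elif client.ca_name != server.ca_name:
            problems.append("client certificate is not trusted by the server")
    if client.prefer_cipher not in server.ciphersuites:
        problems.append("cipher suites used by server and client do not match")
    return problems


def weak_suites(server: ServerPolicy) -> list[str]:
    """Suites in the server policy that a hardening review would remove."""
    return sorted(server.ciphersuites & WEAK_SUITES)


if __name__ == "__main__":
    # Constructed scenario mirroring section 1.3.3: CA ca1, client-verify enabled.
    srv = ServerPolicy(pki_domain="1", client_verify=True, has_local_cert=True, ca_name="ca1")
    cli = ClientPolicy(trusted_cas=frozenset({"ca1"}), has_local_cert=True, ca_name="ca1")
    print(handshake_problems(srv, cli))    # []
    srv.ciphersuites = frozenset({"rsa_aes_128_cbc_sha"})
    print(handshake_problems(srv, cli))    # cipher mismatch: client still prefers rc4/md5
    print(weak_suites(ServerPolicy()))     # the three DES/RC4/MD5 suites
```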
Chapter 2 HTTPS Configuration
When configuring HTTPS, go to these sections for information you are interested in:
• HTTPS Overview
• HTTPS Configuration Task List
• Associating the HTTPS Service with an SSL Server Policy
• Enabling the HTTPS Service
• Associating the HTTPS Service with a Certificate Attribute Access Control Policy
• Associating the HTTPS Service with an ACL
• Displaying and Maintaining HTTPS
• HTTPS Configuration Example
2.1 HTTPS Overview
HTTP Secure (HTTPS) is the HTTP protocol run over the Secure Sockets Layer (SSL)
protocol.
The SSL protocol of HTTPS enhances the security of the device in the following ways:
• Uses SSL to allow legitimate clients to access the device securely and to reject
unauthorized clients;
• Encrypts the data exchanged between the HTTPS client and the device to ensure
data confidentiality and integrity, so that the device can be managed securely;
• Defines a certificate attribute-based access control policy for the device to control
the access rights of clients, further limiting attacks from unauthorized clients.
Note:
The total number of HTTP connections and HTTPS connections on a device cannot
exceed ten.
2.2 HTTPS Configuration Task List
Complete these tasks to configure HTTPS:
• Associating the HTTPS Service with an SSL Server Policy (required)
• Enabling the HTTPS Service (required)
• Associating the HTTPS Service with a Certificate Attribute Access Control Policy
(optional)
• Associating the HTTPS Service with an ACL (optional)
2.3 Associating the HTTPS Service with an SSL Server Policy
You need to associate the HTTPS service with a created SSL server policy before
enabling the HTTPS service.
Follow these steps to associate the HTTPS service with an SSL server policy:
1) Enter system view: system-view
2) Associate the HTTPS service with an SSL server policy:
ip https ssl-server-policy policy-name
(required; not associated by default)
Note:
• If the ip https ssl-server-policy command is executed repeatedly, the HTTPS
service is associated only with the last specified SSL server policy.
• When the HTTPS service is disabled, the association between the HTTPS service
and the SSL server policy is automatically removed. To enable the service again, you
need to re-associate the HTTPS service with an SSL server policy.
• When the HTTPS service is enabled, no modification of its associated SSL server
policy takes effect.
2.4 Enabling the HTTPS Service
Before configuring HTTPS, make sure that the HTTPS service is enabled.
Otherwise, the other related configurations cannot take effect.
Follow these steps to enable the HTTPS service:
1) Enter system view: system-view
2) Enable the HTTPS service: ip https enable
(required; disabled by default)
Note:
• After the HTTPS service is enabled, you can use the display ip https command to
view the state of the HTTPS service and verify the configuration.
• Enabling the HTTPS service triggers an SSL handshake negotiation. If the local
certificate of the device already exists, the SSL negotiation succeeds and the HTTPS
service starts normally. If no local certificate exists, the SSL negotiation triggers a
certificate application process. Because the application process takes a long time,
the SSL negotiation may fail and the HTTPS service cannot start normally.
Therefore, the ip https enable command must be executed multiple times to
ensure normal startup of the HTTPS service.
2.5 Associating the HTTPS Service with a Certificate Attribute Access Control Policy
Associating the HTTPS service with a configured certificate access control policy helps
control the access right of the client, thus providing the device with enhanced security.
Follow these steps to associate the HTTPS service with a certificate attribute access
control policy:
1) Enter system view: system-view
2) Associate the HTTPS service with a certificate attribute access control policy:
ip https certificate access-control-policy policy-name
(required; not associated by default)
Note:
• If the ip https certificate access-control-policy command is executed repeatedly,
the HTTPS service is associated only with the last specified certificate attribute
access control policy.
• If the HTTPS service is associated with a certificate attribute access control policy,
the client-verify enable command must be configured in the SSL server policy.
Otherwise, the client cannot log onto the device.
• If the HTTPS service is associated with a certificate attribute access control policy,
the latter must contain at least one permit rule. Otherwise, no HTTPS client can log
onto the device.
• For the configuration of an SSL server policy, refer to PKI Configuration.
2.6 Associating the HTTPS Service with an ACL
Associating the HTTPS service with an ACL filters client requests so that only clients
permitted by the ACL can access the service.
Follow these steps to associate the HTTPS service with an ACL:
1) Enter system view: system-view
2) Associate the HTTPS service with an ACL: ip https acl acl-number
(required; not associated by default)
Note:
If the ip https acl command is executed repeatedly, the HTTPS service is only
associated with the last specified ACL.
2.7 Displaying and Maintaining HTTPS
• Display information about HTTPS: display ip https (available in any view)
2.8 HTTPS Configuration Example
I. Network requirements
• Host acts as the HTTPS client and Switch acts as the HTTPS server.
• Host accesses Switch through the Web to manage Switch.
• A CA (certificate authority) issues a certificate to Switch. The common name of
the CA is new-ca.
Caution:
In this configuration example, Windows Server serves as the CA, and the Simple
Certificate Enrollment Protocol (SCEP) component needs to be installed on it.
II. Network diagram
Figure 2-1 Network diagram for HTTPS configuration
III. Configuration procedure
Perform the following configurations on Switch:
1) Apply for a certificate for Switch
# Configure a PKI entity.
<Switch> system-view
[Switch] pki entity en
[Switch-pki-entity-en] common-name http-server1
[Switch-pki-entity-en] fqdn ssl.security.com
[Switch-pki-entity-en] quit
# Configure a PKI domain.
[Switch] pki domain 1
[Switch-pki-domain-1] ca identifier ca1
[Switch-pki-domain-1] certificate request url http://10.1.2.2:8080/certsrv/mscep/mscep.dll
[Switch-pki-domain-1] certificate request from ra
[Switch-pki-domain-1] certificate request entity en
[Switch-pki-domain-1] quit
# Generate a key pair locally by using the RSA algorithm.
[Switch] public-key local create rsa
# Obtain the CA certificate.
[Switch] pki retrieval-certificate ca domain 1
# Apply for a local certificate.
[Switch] pki request-certificate domain 1
2) Configure an SSL server policy associated with the HTTPS service
# Configure SSL server policy.
[Switch] ssl server-policy myssl
[Switch-ssl-server-policy-myssl] pki-domain 1
[Switch-ssl-server-policy-myssl] client-verify enable
[Switch-ssl-server-policy-myssl] quit
3) Configure certificate access control policy
# Configure certificate attribute group.
[Switch] pki certificate attribute-group mygroup1
[Switch-pki-cert-attribute-group-mygroup1] attribute 1 issuer-name dn ctn new-ca
[Switch-pki-cert-attribute-group-mygroup1] quit
# Configure certificate access control policy myacp and create a control rule.
[Switch] pki certificate access-control-policy myacp
[Switch-pki-cert-acp-myacp] rule 1 permit mygroup1
[Switch-pki-cert-acp-myacp] quit
4) Reference an SSL server policy
# Associate the HTTPS service with the SSL server policy myssl.
[Switch] ip https ssl-server-policy myssl
5) Associate the HTTPS service with a certificate attribute access control policy
# Associate the HTTPS service with a certificate attribute access control policy myacp.
[Switch] ip https certificate access-control-policy myacp
6) Enable the HTTPS service
# Enable the HTTPS service.
[Switch] ip https enable
7) Verify the configuration
Launch Internet Explorer on Host and enter https://10.1.1.1 in the address bar. You can
log onto Switch and manage it.
Note:
• For details of PKI commands, refer to PKI Commands.
• For details of the public-key local create rsa command, refer to SSH Commands.
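An offline evaluator for the certificate attribute access control policy built in step 3 of the example above (group mygroup1 matching an issuer DN that contains new-ca, policy myacp with one permit rule), added here as an example and not code from the manual or from the switch software. It assumes that subject-name and the equ operator work like the issuer-name dn ctn statement shown on this page, that a group matches only when all of its statements match, that rules are tried in ascending ID order with the first match deciding, and that a certificate matching no rule is denied (consistent with the note in section 2.5).

```python
"""Evaluator for a certificate attribute access control policy.

Added example, not part of the manual or of the switch software. Only the
dn form of issuer-name / subject-name with the ctn (contains) and equ
(equals) operators is modelled; group and rule semantics are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Attribute:
    """One 'attribute <id> <issuer-name|subject-name> dn <ctn|equ> <value>' statement."""
    id: int
    name: str       # "issuer-name" or "subject-name"
    operator: str   # "ctn" (contains) or "equ" (equals)
    value: str

    def matches(self, cert: dict[str, str]) -> bool:
        dn = cert[self.name]
        if self.operator == "ctn":
            return self.value in dn
        if self.operator == "equ":
            return dn == self.value
        raise ValueError(f"unsupported operator {self.operator!r}")


@dataclass
class AttributeGroup:
    name: str
    attributes: list[Attribute] = field(default_factory=list)

    def matches(self, cert: dict[str, str]) -> bool:
        # An empty group matches nothing (assumption of this example).
        return bool(self.attributes) and all(a.matches(cert) for a in self.attributes)


@dataclass
class AccessControlPolicy:
    name: str
    rules: dict[int, tuple[str, str]] = field(default_factory=dict)  # id -> (action, group)

    def rule(self, rule_id: int, action: str, group: str) -> None:
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        self.rules[rule_id] = (action, group)

    def evaluate(self, cert: dict[str, str], groups: dict[str, AttributeGroup]) -> tuple[str, int | None]:
        """Return (decision, matching rule id); ('deny', None) when no rule matches."""
        for rule_id in sorted(self.rules):
            action, group_name = self.rules[rule_id]
            if groups[group_name].matches(cert):
                return action, rule_id
        return "deny", None


def build_manual_example() -> tuple[AccessControlPolicy, dict[str, AttributeGroup]]:
    """mygroup1 (issuer DN contains new-ca) and myacp with 'rule 1 permit mygroup1'."""
    groups = {"mygroup1": AttributeGroup("mygroup1", [Attribute(1, "issuer-name", "ctn", "new-ca")])}
    policy = AccessControlPolicy("myacp")
    policy.rule(1, "permit", "mygroup1")
    return policy, groups


if __name__ == "__main__":
    policy, groups = build_manual_example()
    # Constructed client certificates, reduced to the DN fields the policy inspects.
    trusted = {"issuer-name": "CN=new-ca,DC=security,DC=com", "subject-name": "CN=admin-host"}
    other = {"issuer-name": "CN=other-ca,DC=example,DC=com", "subject-name": "CN=admin-host"}
    print(policy.evaluate(trusted, groups))  # ('permit', 1)
    print(policy.evaluate(other, groups))    # ('deny', None)
```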