Table of Contents

Chapter 1 SSL Configuration. 1-1

1.1 SSL Overview. 1-1

1.2 SSL Configuration Task List 1-2

1.3 Configuring an SSL Server Policy. 1-2

1.3.1 Configuration Prerequisites. 1-2

1.3.2 Configuration Procedure. 1-2

1.3.3 SSL Server Policy Configuration Example. 1-3

1.4 Configuring an SSL Client Policy. 1-5

1.4.1 Configuration Prerequisites. 1-5

1.4.2 Configuration Procedure. 1-5

1.5 Displaying and Maintaining SSL. 1-6

1.6 Troubleshooting SSL. 1-6

1.6.1 SSL Handshake Failure. 1-6

Chapter 2 HTTPS Configuration. 2-1

2.1 HTTPS Overview. 2-1

2.2 HTTPS Configuration Task List 2-1

2.3 Associating the HTTPS Service with an SSL Server Policy. 2-2

2.4 Enabling the HTTPS Service. 2-2

2.5 Associating the HTTPS Service with a Certificate Attribute Access Control Policy. 2-3

2.6 Associating the HTTPS Service with an ACL. 2-4

2.7 Displaying and Maintaining HTTPS. 2-4

2.8 HTTPS Configuration Example. 2-4

 

Chapter 1  SSL Configuration

When configuring SSL, go to these sections for information you are interested in:

l           SSL Overview

l           SSL Configuration Task List

l           Displaying and Maintaining SSL

l           Troubleshooting SSL

1.1  SSL Overview

Secure Sockets Layer (SSL) is a security protocol providing secure connection service for TCP-based application layer protocols, for example, HTTP protocol. It is widely used in E-business and online bank fields to provide secure data transmission over the Internet.

SSL provides these security services:

l           Confidentiality: SSL encrypts data using a symmetric encryption algorithm and the key generated during the handshake phase.

l           Authentication: SSL supports authenticating both the server and the client through certificates, with the authentication of the client being optional.

l           Reliability: SSL uses key-based message authentication code (MAC) to verify message integrity.

As shown in Figure 1-1, the SSL protocol consists of two layers of protocols: the SSL record protocol at the lower layer and the SSL handshake protocol, change cipher spec protocol, and alert protocol at the upper layer.

Figure 1-1 SSL protocol stack

l           SSL handshake protocol: Responsible for establishing a session between a client and the server. A session consists of a set of parameters such as the session ID, peer certificate, cipher suite (including key exchange algorithm, data encryption algorithm and MAC algorithm), compression algorithm, and master key. An SSL session can be used to establish multiple connections, reducing session negotiation cost.

l           SSL change cipher spec protocol: Used for notification between a client and the server that the subsequent packets are to be protected and transmitted based on the newly negotiated cipher suite and key.

l           SSL alert protocol: Allowing a client and the server to send alert messages to each other. An alert message contains the alert severity level and a description.

l           SSL record protocol: Fragmenting and compressing data to be transmitted, calculating and adding MAC to the data, and encrypting the data before transmitting it to the peer end.

1.2  SSL Configuration Task List

Different parameters are required on the SSL server and the SSL client.

Complete the following tasks to configure SSL:

Task	Remarks
Configuring an SSL Server Policy	Required
Configuring an SSL Client Policy	Optional

 

1.3  Configuring an SSL Server Policy

An SSL server policy is a set of SSL parameters for a server to use when booting up. An SSL server policy takes effect only after it is associated with an application layer protocol, HTTP protocol, for example.

1.3.1  Configuration Prerequisites

Before configuring an SSL server policy, you must configure a PKI (public key infrastructure) domain.

1.3.2  Configuration Procedure

Follow these steps to configure an SSL server policy:

To do...	Use the command...	Remarks
Enter system view	system-view	—
Create an SSL server policy and enter its view	ssl server-policy policy-name	Required
Specify a PKI domain for the SSL server policy	pki-domain domain-name	Required By default, no PKI domain is specified for an SSL server policy.
Specify the cipher suite(s) for the SSL server policy to support	ciphersuite [ rsa_aes_128_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha ] *	Optional By default, an SSL server policy supports all cipher suites.
Set the handshake timeout time for the SSL server	handshake timeout time	Optional 3,600 seconds by default
Configure the SSL connection close mode	close-mode wait	Optional Not wait by default
Set the maximum number of cached sessions and the caching timeout time	session { cachesize size | timeout time } *	Optional The defaults are as follows: 500 for the maximum number of cached sessions, 3600 seconds for the caching timeout time.
Enable certificate-based SSL client authentication	client-verify enable	Optional Not enabled by default

 

 

1.3.3  SSL Server Policy Configuration Example

I. Network requirements

l           A switch works as the HTTPS server.

l           A host works as the client and accesses the HTTPS server through HTTP secured with SSL.

l           A certificate authentication (CA) issues a certificate to the switch.

 

 

II. Network diagram

Figure 1-2 Network diagram for SSL server policy configuration

III. Configuration procedure

1)         Request a certificate for the switch

# Create a PKI entity named en and configure it.

<Sysname> system-view

[Sysname] pki entity en

[Sysname-pki-entity-en] common-name http-server1

[Sysname-pki-entity-en] fqdn ssl.security.com

[Sysname-pki-entity-en] quit

# Create a PKI domain and configure it.

[Sysname] pki domain 1

[Sysname-pki-domain-1] ca identifier ca1

[Sysname-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll

[Sysname-pki-domain-1] certificate request from ra

[Sysname-pki-domain-1] certificate request entity en

[Sysname-pki-domain-1] quit

# Create a local key pair through RSA.

[Sysname] public-key local create rsa

# Retrieve the CA certificate.

[Sysname] pki retrieval-certificate ca domain 1

# Request a local certificate.

[Sysname] pki request-certificate domain 1

2)         Configure an SSL server policy

# Create an SSL server policy named myssl.

[Sysname] ssl server-policy myssl

# Specify the PKI domain for the SSL server policy as 1.

[Sysname-ssl-server-policy-myssl] pki-domain 1

# Enable client authentication.

[Sysname-ssl-server-policy-myssl] client-verify enable

[Sysname-ssl-server-policy-myssl] quit

3)         Associate HTTPS service with the SSL server policy and enable HTTPS service

# Configure HTTPS service to use SSL server policy myssl.

[Sysname] ip https ssl-server-policy myssl

# Enable HTTPS service.

[Sysname] ip https enable

4)         Verify your configuration

Launch IE on the host and enter https://10.1.1.1 in the address bar. You should be able to log in to the switch and manage it.

 

 

1.4  Configuring an SSL Client Policy

An SSL client policy is a set of SSL parameters for a client to use when connecting to the server. An SSL client policy takes effect only after it is associated with an application layer protocol.

1.4.1  Configuration Prerequisites

Before configuring an SSL client policy, you must configure a PKI domain. For details about PKI domain configuration, refer to PKI Configuration.

1.4.2  Configuration Procedure

Follow these steps to configure an SSL client policy:

To do...	Use the command...	Remarks
Enter system view	system-view	—
Create an SSL client policy and enter its view	ssl client-policy policy-name	Required
Specify a PKI domain for the SSL client policy	pki-domain domain-name	Required No PKI domain is configured by default.
Specify the preferred cipher suite for the SSL client policy	prefer-cipher { rsa_aes_128_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha }	Optional rsa_rc4_128_md5 by default
Specify the SSL protocol version for the SSL client policy	version { ssl3.0 | tls1.0 }	Optional TLS 1.0 by default

 

 

1.5  Displaying and Maintaining SSL

To do...	Use the command...	Remarks
Display SSL server policy information	display ssl server-policy { policy-name | all }	Available in any view
Display SSL client policy information	display ssl client-policy { policy-name | all }

 

1.6  Troubleshooting SSL

1.6.1  SSL Handshake Failure

I. Symptom

As the SSL server, the device fails to handshake with the SSL client.

II. Analysis

SSL handshake failure may result from the following causes:

l           No SSL server certificate exists, or the certificate is not trusted.

l           The server is expected to authenticate the client, but the SSL client has no certificate or the certificate is not trusted.

l           The cipher suites used by the server and the client do not match.

III. Solution

1)         You can issue the debugging ssl command and view the debugging information to locate the problem:

l           If the SSL server has no certificate, request one for it.

l           If the server certificate cannot be trusted, install on the SSL client the root certificate of the CA that issues the local certificate to the SSL server, or let the server requests a certificate from the CA that the SSL client trusts.

l           If the SSL server is configured to authenticate the client, but the certificate of the SSL client does not exist or cannot be trusted, request and install a certificate for the client.

2)         You can use the display ssl server-policy command to view the cipher suite used by the SSL server policy. If the cipher suite used by the SSL server does not match that used by the client, use the ciphersuite command to modify the cipher suite of the SSL server.

 

Chapter 2  HTTPS Configuration

When configuring HTTPS, go to these sections for information you are interested in:

l           HTTPS Overview

l           HTTPS Configuration Task List

l           Associating the HTTPS Service with an SSL Server Policy

l           Enabling the HTTPS Service

l           Associating the HTTPS Service with a Certificate Attribute Access Control Policy

l           Associating the HTTPS Service with an ACL

l           Displaying and Maintaining HTTPS

l           HTTPS Configuration Example

2.1  HTTPS Overview

The HTTP Security (HTTPS) refers to the HTTP protocol that supports the Security Socket Layer (SSL) protocol.

The SSL protocol of HTTPS enhances the security of the device in the following ways:

l           Uses the SSL protocol to ensure the legal clients to access the device securely and prohibit the illegal clients;

l           Encrypts the data exchanged between the HTTPS client and the device to ensure the data security and integrity, thus realizing the security management of the device;

l           Defines certificate attribute-based access control policy for the device to control the access right of the client, in order to further avoid attacks from illegal clients.

 

 

2.2  HTTPS Configuration Task List

Complete these tasks to configure HTTPS:

Configuration task	Remarks
Associating the HTTPS Service with an SSL Server Policy	Required
Enabling the HTTPS Service	Required
Associating the HTTPS Service with a Certificate Attribute Access Control Policy	Optional
Associating the HTTPS Service with an ACL	Optional

 

2.3  Associating the HTTPS Service with an SSL Server Policy

You need to associate the HTTPS service with a created SSL server policy before enabling the HTTPS service.

 Follow these steps to associate the HTTPS service with an SSL server policy:

To do…	Use the command…	Remarks
Enter system view	system-view	—
Associate the HTTPS service with an SSL server policy	ip https ssl-server-policy policy-name	Required Not associated by default

 

 

2.4  Enabling the HTTPS Service

Before configuring the HTTPS, make sure that the HTTPS server is enabled. Otherwise, other related configurations cannot take effect.

Follow these steps to enable the HTTPS service:

To do…	Use the command…	Remarks
Enter system view	system-view	—
Enable the HTTPS service	ip https enable	Required Disabled by default.

 

 

2.5  Associating the HTTPS Service with a Certificate Attribute Access Control Policy

Associating the HTTPS service with a configured certificate access control policy helps control the access right of the client, thus providing the device with enhanced security.

Follow these steps to associate the HTTPS service with a certificate attribute access control policy:

To do…	Use the command…	Remarks
Enter system view	system-view	—
Associate the HTTPS service with a certificate attribute access control policy	ip https certificate access-control-policy policy-name	Required Not associated by default.

 

 

2.6  Associating the HTTPS Service with an ACL

Associating the HTTPS service with an ACL can filter out requests from some clients to let pass only clients that pass the ACL filtering.

Follow these steps to associate the HTTPS service with an ACL:

To do…	Use the command…	Remarks
Enter system view	system-view	—
Associate the HTTPS service with an ACL	ip https acl acl-number	Required Not associated by default.

 

 

2.7  Displaying and Maintaining HTTPS

To do…	Use the command…	Remarks
Display information about HTTPS	display ip https	Available in any view

 

2.8  HTTPS Configuration Example

I. Network requirements

l           Host acts as the HTTPS client and Switch acts as the HTTPS server.

l           Host accesses Switch through Web to control Switch.

l           CA (Certificate Authority) issues certificate to Switch. The common name of CA is new-ca.

 

 

II. Network diagram

Figure 2-1 Network diagram for HTTPS configuration

III. Configuration procedure

Perform the following configurations on Switch:

1)         Apply for a certificate for Switch

# Configure a PKI entity.

<Switch> system-view

[Switch] pki entity en

[Switch-pki-entity-en] common-name http-server1

[Switch-pki-entity-en] fqdn ssl.security.com

[Switch-pki-entity-en] quit

# Configure a PKI domain.

[Switch] pki domain 1

[Switch-pki-domain-1] ca identifier ca1

[Switch-pki-domain-1] certificate request url http://10.1.2.2:8080/certsrv/mscep/mscep.dll

[Switch-pki-domain-1] certificate request from ra

[Switch-pki-domain-1] certificate request entity en

[Switch-pki-domain-1] quit

# Generate a key pair locally by using the RSA algorithm.

[Switch] public-key local create rsa

# Obtain a server certificate from CA.

[Switch] pki retrieval-certificate ca domain 1

# Apply for a local certificate.

[Switch] pki request-certificate domain 1

2)         Configure an SSL server policy associated with the HTTPS service

# Configure SSL server policy.

[Switch] ssl server-policy myssl

[Switch-ssl-server-policy-myssl] pki-domain 1

[Switch-ssl-server-policy-myssl] client-verify enable

[Switch-ssl-server-policy-myssl] quit

3)         Configure certificate access control policy

# Configure certificate attribute group.

[Switch] pki certificate attribute-group mygroup1

[Switch-pki-cert-attribute-group-mygroup1] attribute 1 issuer-name dn ctn new-ca

[Switch-pki-cert-attribute-group-mygroup1] quit

# Configure certificate access control policy myacp and create a control rule.

[Switch] pki certificate access-control-policy myacp

[Switch-pki-cert-acp-myacp] rule 1 permit mygroup1

[Switch-pki-cert-acp-myacp] quit

4)         Reference an SSL server policy

# Associate the HTTPS service with the SSL server policy myssl.

[Switch] ip https ssl-server-policy myssl

5)         Associate the HTTPS service with a certificate attribute access control policy

# Associate the HTTPS service with a certificate attribute access control policy myacp.

[Switch] ip https certificate access-control-policy myacp

6)         Enable the HTTPS service

# Enable the HTTPS service.

[Switch] ip https enable

7)         Verify the configuration

Launch the IE explorer on Host, and enter https://10.1.1.1. You can log onto Switch and control it.