HTTPS Configuration Example

Keywords: HTTPS, SSL, PKI, CA, RA

Abstract: HTTPS uses SSL to improve the security of HTTP. It allows users to log in to devices
and manage them securely through Web pages. This document describes HTTPS
configuration procedures.

Acronyms:

Acronym   Full spelling
CA        Certificate Authority
HTTPS     Hypertext Transfer Protocol Secure
IIS       Internet Information Service
MAC       Message Authentication Code
PKI       Public Key Infrastructure
RA        Registration Authority
SCEP      Simple Certificate Enrollment Protocol
SSL       Secure Sockets Layer

Hangzhou H3C Technologies Co., Ltd. 1/25

Table of Contents

1 Feature Overview ..................................................... 3
2 Application Scenarios ................................................ 3
3 Configuration Example ................................................ 4
  3.1 Network Requirements ............................................. 4
  3.2 Configuration Considerations ..................................... 5
    3.2.1 CA Server Configuration Considerations ....................... 5
    3.2.2 HTTPS Server Configuration Considerations .................... 5
    3.2.3 HTTPS Client Configuration Considerations .................... 6
  3.3 Configuration Procedures ......................................... 6
    3.3.1 Configuring the CA Server .................................... 7
    3.3.2 Configuring the HTTPS Server ................................ 18
    3.3.3 Configuring the HTTPS Client ................................ 22
    3.3.4 Verification ................................................ 25

1 Feature Overview
For a device that supports Web-based network management, enabling the HTTP
service allows it to function as a Web server, so that users can access it through
HTTP and control it through Web pages. However, HTTP itself provides no way to
authenticate the identity of the Web server and cannot guarantee the confidentiality
or integrity of the transferred data. HTTPS is introduced to address these problems.

HTTPS is a combination of HTTP and SSL. It enables the server and a client to
authenticate each other and encrypt data exchanged between them, allowing the
client to manage the device securely.

By using SSL, HTTPS enhances security in the following ways:

• Every client uses the digital certificate of the server to authenticate the server,
ensuring that it is accessing the right server.
• The server uses the digital certificate of a client to authenticate the identity of
the client, ensuring that only legitimate clients can access it.
• The server and a client encrypt the data transferred between them to ensure the
confidentiality and integrity of exchanged data, allowing the client to manage the
device where the server resides securely.
• The server uses access control policies based on certificate attributes to control
the access rights of clients, further reducing the risk of attacks from unauthorized
clients.

2 Application Scenarios
HTTPS is mainly used in scenarios where network administrators need to manage
their devices remotely. As shown in Figure 1, a company has two branch offices,
located at Site A and Site B respectively. To manage Device B securely, the
administrator logs in to Device B through HTTPS.

Figure 1 Typical application scenario of HTTPS

3 Configuration Example

3.1 Network Requirements

The network administrator of Company A, who is not in the same city as the R&D
department of the company, wants to log in to and manage the gateway of the R&D
department securely.

As shown in Figure 2, the requirements include:

• The administrator uses host Admin (1.1.1.2) to establish an HTTPS connection
with Gateway and controls Gateway through Web pages.
• The security mechanism of SSL is used for the HTTPS server (Gateway) and
the HTTPS client (Admin) to authenticate each other.
• For certificate-based identity authentication, a CA server is deployed to issue
certificates to Gateway and Admin. This example assumes that the CA server is
running Windows Server 2003.

Figure 2 Network diagram for HTTPS configuration

3.2 Configuration Considerations

To satisfy the network requirements, you need to complete these tasks:

Task                          Remarks
Configuring the CA Server     Go to 3.2.1 for configuration considerations
Configuring the HTTPS Server  Go to 3.2.2 for configuration considerations
Configuring the HTTPS Client  Go to 3.2.3 for configuration considerations

3.2.1 CA Server Configuration Considerations

When using Windows Server 2003 as the CA server, you need to configure the CA
server as follows:

1) Install the Certificate Services component and set CA server parameters such
as the type and name.
2) Install the Simple Certificate Enrollment Protocol (SCEP) add-on. This is
necessary because Windows Server does not support SCEP by default when used
as the CA server; SCEP is the protocol that carries communication between the
certificate applicant and the CA and is required for the CA server to provide
certificate enrollment and issuing services.
3) Change the certificate issuing policy to automatic. Otherwise, certificate
request review and certificate issuing have to be completed manually.
4) Modify the IIS attributes. You need to change the path of the default Web site
to the path of the certificate services. To avoid conflicts with other services, it is
recommended that you specify a TCP port number rather than use the default one.

Caution:
When using the Windows Server as the CA server, you need to install and start IIS on
the CA server.

3.2.2 HTTPS Server Configuration Considerations

Configure the HTTPS server as follows:

1) Configure the Public Key Infrastructure (PKI). PKI ensures the security of
system information through public key technologies and digital certificates, and
verifies the identities of digital certificate owners. SSL uses PKI for identity
authentication of the HTTPS server and clients. Therefore, before configuring
the HTTPS server, you need to complete the PKI configuration:
• Configure a PKI entity. The identity information of an entity is used to
uniquely identify the certificate applicant.
• Configure a PKI domain. Before requesting a certificate, an entity needs to be
configured with some enrollment information, which is referred to as a PKI
domain. A PKI domain is intended only for convenience of reference by other
applications.
• Retrieve the CA certificate and save it locally. The CA certificate is used to
verify the authenticity and validity of the local certificate.
• Request a local certificate manually or automatically. This example uses the
manual mode.
2) Configure an SSL server policy. In the policy, you can specify the PKI domain to
be referenced, the cipher suites to be used, and whether to authenticate the
identity of a client. In this example, authentication of the client identity is required.
3) Configure HTTPS to use the SSL server policy and enable the HTTPS service.
4) Create a local user and specify the password to authenticate the client by
username and password.

3.2.3 HTTPS Client Configuration Considerations

Configure the HTTPS client as follows:

1) Request a certificate. As the HTTPS server is configured to authenticate its
clients, every HTTPS client must request a certificate from the CA server.
2) Log in to Gateway through HTTPS and then enter the username and password
to log in to the Web configuration page of Gateway.

3.3 Configuration Procedures

Note:
Before performing the following configurations, ensure that there are routes available
between the HTTPS server (Gateway), HTTPS client (Admin), and CA server.

3.3.1 Configuring the CA Server

I. Installing the Certificate Services component

1) Open Control Panel and select Add or Remove Programs > Add/Remove
Windows Components. Then, in the Windows Components Wizard window,
select Certificate Services from the component list and click Next to begin the
installation.

Figure 3 Install the Certificate Services component 1)

2) Select Stand-alone root CA as the CA type, and then click Next.

Figure 4 Install the Certificate Services component 2)

3) Enter CA server as the name of the CA server and then click Next.

Figure 5 Install the Certificate Services component 3)

4) Select the directories for the CA certificate database, database log, and shared
folder, and then click Next.

Figure 6 Install the Certificate Services component 4)

Note:
Displayed on the interface are the default directories for the CA certificate database,
database log and shared folder, where ca is the host name of the CA server. This
configuration example uses the default directories.

5) After the installation process ends, click Finish to exit the Windows
Components Wizard window.

II. Installing the SCEP add-on

1) Double-click the SCEP setup file. Then, in the window that pops up, click Next.

Note:
You can download the SCEP setup file from the Microsoft Web site free of charge.

Figure 7 Install the SCEP add-on 1)

2) Select Use the local system account and click Next.

Figure 8 Install the SCEP add-on 2)

3) Deselect the Require SCEP Challenge Phrase to Enroll checkbox and click
Next.

Figure 9 Install the SCEP add-on 3)

4) Enter the registration authority (RA) identification information and the other
information the RA uses to register with the CA server, and click Next. An RA can
implement functions including identity authentication, CRL management, key pair
generation and key pair backup. An RA can be an extended part of a CA.

Figure 10 Install the SCEP add-on 4)

5) Click Finish to bring up the prompt box shown in Figure 11, record the URL,
and then click OK.

Figure 11 Install the SCEP add-on 5)

Caution:
When configuring the HTTPS server (Gateway), you need to use the URL displayed
in the prompt box as the address of the RA server, where the host name ca can be
replaced with the IP address of the CA server.

III. Modifying the certificate service attributes

After installing the Certificate Services component and the SCEP add-on, open
Control Panel and select Administrative Tools > Certification Authority. If the CA
server and SCEP add-on have been installed successfully, there should be two
certificates issued by the CA to the RA.

1) Right click CA server in the navigation tree and select Properties.

Figure 12 Modify the certificate service attributes

2) In the CA server Properties window, select the Policy Module tab and click
Properties.

Figure 13 Certificate service attributes window

3) In the Properties window that appears, select Follow the settings in the
certificate template, if applicable. Otherwise, automatically issue the
certificate and click OK.

Figure 14 Properties of the policy module

4) Click the icons for stopping services and starting services in turn to restart the
certificate services, as shown in Figure 15 and Figure 16.

Figure 15 Stop certificate services

Figure 16 Start certificate services

IV. Modifying the IIS attributes

1) Open Control Panel, and select Administrative Tools > Internet Information
Services (IIS) Manager. Then, select Web Sites from the navigation tree, right
click Default Web Site, and select Properties.

Figure 17 IIS manager

2) In the Default Web Site Properties window that appears, select the Home
Directory tab, and type or browse to the path of the certificate services in the
Local path text box.

Figure 18 Change the default home directory of the default Web site

3) Select the Web Site tab, and change the TCP port to 8080.

Caution:
To avoid conflicts with existing services, it is recommended that you specify a port
number that is different from the ones used by existing services (including the
default port number 80) as the TCP port number of the default Web site.

Figure 19 Modify the TCP port number of the default Web site

3.3.2 Configuring the HTTPS Server

I. Configuration steps

1) Configure Gateway to request a certificate from the CA server

• Configure the entity distinguished name (DN)

# Configure a PKI entity, set the entity name as aaa and the common name as
gateway.

<Gateway> system-view
[Gateway] pki entity aaa
[Gateway-pki-entity-aaa] common-name gateway
[Gateway-pki-entity-aaa] quit

• Configure the PKI domain

# Create PKI domain ssl and enter its view.

[Gateway] pki domain ssl

# Configure the name of the trusted CA as ca server, the CA name entered when the
Certificate Services component was installed.

[Gateway-pki-domain-ssl] ca identifier ca server

# Configure the URL of the RA server as the URL displayed in the prompt box in
Figure 11. As the TCP port number of the default Web site on the CA server has
been changed to 8080, you need to specify port 8080 when configuring the URL of
the RA server.

[Gateway-pki-domain-ssl] certificate request url http://5.5.5.1:8080/certsrv/mscep/mscep.dll

# Set the registration authority to RA.

[Gateway-pki-domain-ssl] certificate request from ra

# Specify the entity for certificate request as aaa.

[Gateway-pki-domain-ssl] certificate request entity aaa
[Gateway-pki-domain-ssl] quit

• Generate local RSA key pairs

[Gateway] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
..++++++++.++++++++++
...++..++...++....++...++...++..++...++...++..++...++...++..++...++...++..
.++..+
+...++...++..++....++..++...++...++..++...++...++...++..++..++...++...++..
++..++
...++...++...++++++++.+++++++++.+
...++..++....++...++..++..++..++...++...++..++...++...++..++...++.++++++++
++++++
+.+++++++
..++...++..++...++++++++++++++.++++++++++

• Apply for certificates

Caution:
A certificate has a limited lifetime. Before requesting a certificate for the gateway,
it is recommended that you synchronize the system time of the gateway with that
of the CA server to avoid certificate request failures.

# Retrieve the CA certificate and save it locally.

[Gateway] pki retrieval-certificate ca domain ssl
Retrieving CA/RA certificates. Please wait a while......
The trusted CA's finger print is:
MD5 fingerprint:9C7A 2FBA 9230 2BF5 F27D 5391 DCF7 9912
SHA1 fingerprint:189A CC85 F030 F866 51B1 9DD7 6DA9 65BA 5B05 2596

Is the finger print correct?(Y/N):y

Saving CA/RA certificates chain, please wait a moment.........
CA certificates retrieval success.
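
The prompt "Is the finger print correct?" is the trust decision for the whole example: whatever certificate answers the retrieval becomes the root that Gateway later uses to validate Admin's client certificate. The fingerprint must therefore be compared with one obtained from the CA server itself (for example from the CA certificate shown in the Certification Authority console), not with the value the device just printed. The following Python script is an added example, not part of the H3C document; it hashes a CA certificate exported in PEM form, prints the fingerprints in the same "XXXX XXXX ..." layout the device uses, and answers the prompt only when the reference fingerprints match. The PEM body in SAMPLE_PEM is constructed (it decodes to the word "hello", not a certificate) and the reference values in DEVICE_DISPLAYED are the ones the gateway printed above.

```python
import base64
import hashlib
import re

# Added example (not from the H3C document): reproduce the fingerprint check that the
# gateway asks for at "Is the finger print correct?(Y/N)". The certificate bytes are
# hashed and shown in the device's 4-character-group format so they can be compared
# with a fingerprint obtained from the CA server out of band.

# Constructed sample: a PEM container whose base64 body is the word "hello".
# It is NOT a real certificate; substitute the CA certificate exported from the CA server.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
aGVsbG8=
-----END CERTIFICATE-----
"""

# Fingerprints the gateway printed in the configuration example, kept here as the
# reference the operator would compare against.
DEVICE_DISPLAYED = {
    "MD5": "9C7A 2FBA 9230 2BF5 F27D 5391 DCF7 9912",
    "SHA1": "189A CC85 F030 F866 51B1 9DD7 6DA9 65BA 5B05 2596",
}


def pem_to_der(pem_text: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the body into DER bytes."""
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem_text)
    return base64.b64decode("".join(body.split()))


def group4(hex_digest: str) -> str:
    """Render a hex digest in upper-case, 4-character groups, as the device prints it."""
    h = hex_digest.upper()
    return " ".join(h[i:i + 4] for i in range(0, len(h), 4))


def fingerprints(der: bytes) -> dict:
    """MD5, SHA1 and SHA256 fingerprints of the DER-encoded certificate."""
    return {
        "MD5": group4(hashlib.md5(der).hexdigest()),
        "SHA1": group4(hashlib.sha1(der).hexdigest()),
        "SHA256": group4(hashlib.sha256(der).hexdigest()),
    }


def normalize(fp: str) -> str:
    """Drop spaces, colons and case so differently formatted fingerprints compare equal."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def fingerprint_matches(expected: str, actual: str) -> bool:
    e, a = normalize(expected), normalize(actual)
    return bool(e) and e == a


def verify_ca_fingerprint(pem_text: str, reference: dict) -> bool:
    """Decide the Y/N prompt: every fingerprint the reference source provides must match
    the computed one, and at least one of them must be SHA1 or SHA256. An MD5-only
    match is rejected because MD5 collisions are practical."""
    computed = fingerprints(pem_to_der(pem_text))
    if not reference or not any(alg in reference for alg in ("SHA1", "SHA256")):
        return False
    return all(
        alg in computed and fingerprint_matches(shown, computed[alg])
        for alg, shown in reference.items()
    )


if __name__ == "__main__":
    import sys
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    for alg, fp in fingerprints(pem_to_der(pem)).items():
        print(f"{alg} fingerprint:{fp}")
    print("Answer Y:", verify_ca_fingerprint(pem, DEVICE_DISPLAYED))
```

Run it as `python fingerprint_check.py ca.cer` with the exported CA certificate; if the CA console offers a SHA256 thumbprint, add it to the reference dictionary, since the device's MD5 line alone should not be treated as sufficient evidence that the retrieved certificate is the one the CA holds.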

# Request a local certificate manually.

[Gateway] pki request-certificate domain ssl
Certificate is being requested, please wait......
[Gateway]
Enrolling the local certificate,please wait a while......
Certificate request Successfully!
Saving the local certificate to device......
Done!

2) Configure an SSL server policy

# Create an SSL server policy named myssl.

[Gateway] ssl server-policy myssl

# Specify the PKI domain for the SSL server policy as ssl.

[Gateway-ssl-server-policy-myssl] pki-domain ssl

# Specify that the client must be authenticated. For information about requesting a
local certificate for the client, refer to Configuring the HTTPS Client.

[Gateway-ssl-server-policy-myssl] client-verify enable
[Gateway-ssl-server-policy-myssl] quit

3) Configure the HTTPS service

# Configure the HTTPS service to use SSL server policy myssl.

[Gateway] ip https ssl-server-policy myssl

# Enable HTTPS service.

[Gateway] ip https enable

4) Create a local user

# Create local user abc, configure the password as 123, the service type as Telnet,
and the command level as 3.

[Gateway] local-user abc
[Gateway-luser-abc] password simple 123
[Gateway-luser-abc] service-type telnet level 3

II. Configuration file

[Gateway] display current-configuration
#
version 5.20, Test 5310
#
sysname Gateway
#
domain default enable system
#
telnet server enable
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
pki entity aaa
common-name gateway
#
pki domain ssl
ca identifier ca server
certificate request url http://5.5.5.1:8080/certsrv/mscep/mscep.dll
certificate request from ra
certificate request entity aaa
#
local-user abc
password simple 123
service-type telnet
level 3
#
ssl server-policy myssl
pki-domain ssl
client-verify enable
#
interface Ethernet1/1
port link-mode route
ip address 5.5.5.2 255.255.255.0
#
interface Ethernet1/2
port link-mode route
ip address 1.1.1.1 255.255.255.0
#
ip https ssl-server-policy myssl
ip https enable
#
load xml-configuration
#
user-interface aux 0
user-interface vty 0 4
authentication-mode none
user privilege level 3
#
return

3.3.3 Configuring the HTTPS Client

Follow these steps to request a certificate for Admin:

1) On Admin, launch IE and enter http://5.5.5.1:8080/certsrv in the address bar. As
the TCP port number of the default Web site on the CA server has been changed to
8080, you need to include port 8080 when entering the URL.
2) In the Web page, click Request a certificate.

Figure 20 Request a certificate for Admin 1)

3) Select Web Browser Certificate as the certificate type.

Figure 21 Request a certificate for Admin 2)

4) Enter the identification information for the certificate, as shown in Figure 22.

Figure 22 Request a certificate for Admin 3)

5) After the certificate request completes successfully, click Install the
certificate.

Figure 23 Request a certificate for Admin 4)

After the certificate is installed, select Tools > Internet Options, and then select the
Content tab and click Certificates to view information about the certificate.

3.3.4 Verification
1) On Admin, launch IE and enter https://1.1.1.1 in the address bar. Then, select
the certificate obtained for Admin.
2) The system checks whether the server's certificate is valid. If the certificate is
valid, the Web management login page appears, as shown in Figure 24.
Otherwise, the system displays a security alert, asking whether you want to
continue to access the server. This helps prevent user information from being
stolen. If you choose to access the server anyway, you will enter the Web
management login page.
3) After entering the Web management user login page, input username abc and
password 123 and then click Login.

Figure 24 Web management login page
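
The security alert in step 2 is the browser refusing to vouch for the server, and "access the server anyway" discards exactly the server authentication that the SSL server policy was configured to provide. The following Python script is an added example, not part of the H3C document; it performs the client side of the verification step strictly, trusting only the deployment CA and presenting Admin's certificate (as required by client-verify enable), and it fails closed instead of prompting. The file names ca.cer, admin.pem and admin.key are assumptions: the CA certificate and the Web Browser Certificate with its private key, exported from Admin. Note that hostname verification compares the host in the URL with the names in the certificate; a certificate whose common name is gateway only matches when the client connects by that name (or when the certificate carries the IP address as a subject alternative name), so the fix for a name mismatch is to correct the name or the certificate, not to disable the check.

```python
import socket
import ssl

# Added example (not from the H3C document): the client side of the Verification step
# done strictly, i.e. with no "access the server anyway" path. Assumed inputs:
# ca.cer, the CA certificate exported from the CA server; admin.pem/admin.key, the
# Web Browser Certificate issued to Admin together with its private key. The gateway
# address is the one the document uses (https://1.1.1.1).
GATEWAY_HOST = "1.1.1.1"
GATEWAY_PORT = 443


def build_client_context(cafile=None, client_cert=None, client_key=None) -> ssl.SSLContext:
    """Context that does what a correctly behaving browser should: verify the server
    chain against the deployment CA only and check the name in the URL."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED + check_hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cafile:
        ctx.load_verify_locations(cafile=cafile)    # trust only the example's CA, not the OS store
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)  # needed for client-verify enable
    return ctx


def click_through_context() -> ssl.SSLContext:
    """The weak setting: what "access the server anyway" amounts to. Kept only to
    contrast with build_client_context; not for management access."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True only if the context refuses unverified servers and enforces the URL name."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname)
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def cert_field(cert: dict, part: str, key: str):
    """Read one attribute (e.g. commonName) from the dict ssl.getpeercert() returns."""
    for rdn in cert.get(part, ()):
        for name, value in rdn:
            if name == key:
                return value
    return None


def check_gateway(host=GATEWAY_HOST, port=GATEWAY_PORT, ctx=None, timeout=5.0):
    """Connect and verify; return (subject CN, issuer CN, notAfter). A verification
    failure raises ssl.SSLCertVerificationError instead of offering a prompt."""
    ctx = ctx or build_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return (cert_field(cert, "subject", "commonName"),
                    cert_field(cert, "issuer", "commonName"),
                    cert.get("notAfter"))


if __name__ == "__main__":
    strict = build_client_context("ca.cer", "admin.pem", "admin.key")
    print(check_gateway(ctx=strict))
```

Running the script against Gateway should print the subject common name gateway and the issuer name of the CA from section 3.3.1; any other outcome (chain failure, name mismatch, expired certificate) surfaces as an exception, which is the behaviour to keep for management access rather than the click-through path.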

Copyright 2008-2009 Hangzhou H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.
The information in this document is subject to change without notice.