Abstract: HTTPS uses SSL to improve the security of HTTP. It allows users to log in to devices
and manage them securely through Web pages. This document describes HTTPS
configuration procedures.
Acronyms:
Table of Contents
1 Feature Overview
For a device supporting Web network management, if you enable HTTP service on it,
it can function as a Web server, allowing users to access it through HTTP and control
it through Web pages. However, the HTTP protocol itself does not support
authenticating the identity of the Web server and cannot guarantee the confidentiality
and security of the transferred data. HTTPS is introduced to address these problems.
HTTPS is a combination of HTTP and SSL. It enables the server and a client to
authenticate each other and encrypt data exchanged between them, allowing the
client to manage the device securely.
• Every client uses the digital certificate of the server to authenticate the server,
ensuring that it is accessing the right server.
• The server uses the digital certificate of a client to authenticate the identity of
the client, ensuring that only legitimate clients can access it.
• The server and a client encrypt the data transferred between them to ensure the
security and integrity of the exchanged data, allowing the client to manage the
device where the server resides securely.
• The server uses access control policies based on certificate attributes to control
the access rights of clients, further preventing attacks from unauthorized clients.
2 Application Scenarios
HTTPS is mainly used in scenarios where network administrators need to manage
their devices remotely. As shown in Figure 1, a company has two branch offices,
which are located at Site A and Site B respectively. To manage Device B securely, the
administrator logs in to Device B through HTTPS.
3 Configuration Example
The network administrator of Company A, who is not in the same city as the R&D
department of the company, wants to log in to and manage the gateway of the R&D
department securely.
Task                          Remarks
Configuring the CA Server     Go to 3.2.1 for configuration considerations
Configuring the HTTPS Server  Go to 3.2.2 for configuration considerations
Configuring the HTTPS Client  Go to 3.2.3 for configuration considerations
When using Windows Server 2003 as the CA server, you need to configure the CA
server as follows:
1) Install the Certificate Services component and set CA server parameters such
as the type and name.
2) Install the Simple Certificate Enrollment Protocol (SCEP) add-on. This is
necessary because the Windows Server series does not support SCEP by default
when used as the CA server. SCEP is the protocol that carries communication
between the certificate applicant and the CA, and the CA server needs it to
provide certificate enrollment and issuing services.
3) Change the certificate issuing policy to auto. Otherwise, the tasks of certificate
request reviewing and certificate issuing will have to be completed manually.
4) Modify IIS attributes. You need to change the path of the default Web site to the
path of the certificate services. To avoid conflicts with other service ports, it is
recommended that you specify a TCP port number other than the default one.
Caution:
When using the Windows Server as the CA server, you need to install and start IIS on
the CA server.
1) Configure the Public Key Infrastructure (PKI). PKI can ensure system
information security through public key technologies and digital certificates and
verify the identities of the digital certificate owners. SSL uses PKI for identity
authentication of the HTTPS server and clients. Therefore, before configuring
the HTTPS server, you need to complete PKI configurations:
• Configure a PKI entity. The identity information of an entity is used to
identify the certificate applicant uniquely.
• Configure a PKI domain. Before requesting a certificate, an entity needs to be
configured with some enrollment information, which is referred to as a PKI
domain. A PKI domain is intended only for convenience of reference by other
applications.
• Retrieve the CA certificate and save it locally. The CA certificate is used to
verify the authenticity and validity of the local certificate.
• Request a local certificate manually or automatically. The example uses the
manual mode.
2) Configure an SSL server policy. In the policy, you can specify the PKI domain to
be referenced, the cipher suites to be used, and whether to authenticate the
identity of a client. In this example, authentication of client identity is required.
3) Configure HTTPS to use the SSL server policy and enable HTTPS service.
4) Create a local user and specify the password to implement authentication of the
client by username and password.
Note:
Before performing the following configurations, ensure that there are routes available
between the HTTPS server (Gateway), HTTPS client (Admin), and CA server.
1) Open Control Panel and select Add or Remove Programs > Add/Remove
Windows Components. Then, in the Windows Components Wizard window,
select Certificate Services from the component list and click Next to begin the
installation.
3) Enter CA server as the name of the CA server and then click Next.
4) Select the directories for the CA certificate database, database log, and shared
folder, and then click Next.
Note:
Displayed on the interface are the default directories for the CA certificate database,
database log and shared folder, where ca is the host name of the CA server. This
configuration example uses the default directories.
5) After the installation process ends, click Finish to exit the Windows
Components Wizard window.
1) Double click the setup file of SCEP. Then, in the window popping up, click Next.
Note:
You can download the setup file of SCEP from the Microsoft Web site free of charge.
3) Deselect the Require SCEP Challenge Phrase to Enroll checkbox and click
Next.
5) Click Finish to bring up the prompt box shown in Figure 11, record the URL,
and then click OK.
Caution:
When configuring the HTTPS server (Gateway), you need to use the URL displayed
in the prompt box as the address of the RA server, where the host name ca can be
replaced with the IP address of the CA server.
After installing the Certificate Services component and the SCEP add-on, open
Control Panel and select Administrative Tools > Certification Authority. If the CA
server and SCEP add-on have been installed successfully, there should be two
certificates issued by the CA to the RA.
2) In the CA server Properties window, select the Policy Module tab and click
Properties.
3) In the Properties window that appears, select Follow the settings in the
certificate template, if applicable. Otherwise, automatically issue the
certificate and click OK.
4) Click the icons for stopping services and starting services in turn to restart
certificate services, as shown in Figure 15 and Figure 16.
1) Open Control Panel, and select Administrative Tools > Internet Information
Services (IIS) Manager. Then, select Web Sites from the navigation tree, right
click Default Web Site, and select Properties.
2) In the Default Web Site Properties window that appears, select the Home
Directory tab, and type or browse to the path of the certificate services in the
Local path text box.
Figure 18 Change the default home directory of the default Web site
3) Select the Web Site tab, and change the TCP port to 8080.
Caution:
To avoid conflicts with existing services, it is recommended that you specify a port
number that is different from the ones used by existing services (including the default
port number 80) as the TCP port number of the default Web site.
Figure 19 Modify the TCP port number of the default Web site
I. Configuration steps
# Configure a PKI entity, set the entity name as aaa and the common name as
gateway.
<Gateway> system-view
[Gateway] pki entity aaa
[Gateway-pki-entity-aaa] common-name gateway
[Gateway-pki-entity-aaa] quit
# Configure the URL of the RA server as the URL displayed in the prompt box in
Figure 11. As the TCP port number of the default Web site on the CA server has
been changed to 8080, you need to specify the port number as 8080 when
configuring the URL of the RA server.
Caution:
A certificate has a lifetime. Before requesting a certificate for the gateway, it is
recommended that you synchronize the system time of the gateway with that of the CA
server to avoid certificate request failures.
# Specify the PKI domain for the SSL server policy as ssl.
# Create local user abc, configure the password as 123, the service type as Telnet,
and the command level as 3.
Hangzhou H3C Technologies Co., Ltd. 20/25
HTTPS Configuration Example
#
interface Ethernet1/2
port link-mode route
ip address 1.1.1.1 255.255.255.0
#
ip https ssl-server-policy myssl
ip https enable
#
load xml-configuration
#
user-interface aux 0
user-interface vty 0 4
authentication-mode none
user privilege level 3
#
return
5) After the certification requesting process ends successfully, click Install the
certificate.
After the certificate is installed, select Tools > Internet Options, and then select the
Content tab and click Certificates to view information about the certificate.
3.3.4 Verification
1) On Admin, launch IE and enter https://1.1.1.1 in the address bar. Then, select
the obtained certificate Admin.
2) The system checks whether the server's certificate is valid. If the certificate is
valid, the Web management login page appears, as shown in Figure 24.
Otherwise, the system displays a security alert, asking whether you want to
continue to access the server. This helps prevent user information from being
stolen. If you choose to access the server anyway, you will enter the Web
management login page.
3) After entering the Web management user login page, enter username abc and
password 123 and then click Login.
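The two checks this example relies on, the gateway's SSL server policy requiring a client certificate (3.2.2) and Admin verifying the gateway's certificate against the CA certificate (3.3.4), reproduced on a local TLS socket pair. This is an added illustration, not code from the original document or from H3C; it assumes the openssl command-line tool is installed and builds a constructed throw-away CA with the names ca, gateway and admin from the example.

```python
import socket, ssl, subprocess, tempfile, threading
def sh(*args):  # run one openssl command, abort on failure
    subprocess.run(args, check=True, capture_output=True)
def make_pki(d):
    """Constructed throw-away PKI in d: 'ca' issues certs to 'gateway' and 'admin'."""
    sh("openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
       "-subj", "/CN=ca", "-keyout", f"{d}/ca.key", "-out", f"{d}/ca.crt")
    with open(f"{d}/san.cnf", "w") as f:  # the server name the client checks for
        f.write("subjectAltName=DNS:gateway\n")
    for name in ("gateway", "admin"):
        sh("openssl", "req", "-newkey", "rsa:2048", "-nodes", "-subj", f"/CN={name}",
           "-keyout", f"{d}/{name}.key", "-out", f"{d}/{name}.csr")
        sh("openssl", "x509", "-req", "-days", "1", "-in", f"{d}/{name}.csr",
           "-CA", f"{d}/ca.crt", "-CAkey", f"{d}/ca.key", "-CAcreateserial",
           "-out", f"{d}/{name}.crt",
           *(["-extfile", f"{d}/san.cnf"] if name == "gateway" else []))
def handshake(d, send_client_cert):
    """Return (client reached the login page?, client CN the server verified)."""
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # the gateway's server policy
    srv.load_cert_chain(f"{d}/gateway.crt", f"{d}/gateway.key")
    srv.load_verify_locations(f"{d}/ca.crt")
    srv.verify_mode = ssl.CERT_REQUIRED  # same effect as requiring client identity
    cli = ssl.create_default_context(cafile=f"{d}/ca.crt")  # Admin trusts the CA
    if send_client_cert:
        cli.load_cert_chain(f"{d}/admin.crt", f"{d}/admin.key")
    lsock = socket.socket(); lsock.bind(("127.0.0.1", 0)); lsock.listen(1)
    seen, ok = [None], False
    def serve():
        conn, _ = lsock.accept()
        try:
            with srv.wrap_socket(conn, server_side=True) as s:
                seen[0] = dict(p[0] for p in s.getpeercert()["subject"])["commonName"]
                s.recv(16); s.sendall(b"login page")
        except (ssl.SSLError, OSError):
            pass  # handshake rejected, e.g. the client sent no certificate
    t = threading.Thread(target=serve); t.start()
    try:
        with cli.wrap_socket(socket.create_connection(lsock.getsockname()),
                             server_hostname="gateway") as c:
            c.sendall(b"GET /"); ok = c.recv(16) == b"login page"
    except (ssl.SSLError, OSError):
        pass  # TLS 1.2 rejects at handshake time, TLS 1.3 on the first read
    t.join(); lsock.close()
    return ok, seen[0]
def run_demo():
    """Both cases from the example: Admin with its certificate, then without."""
    with tempfile.TemporaryDirectory() as d:
        make_pki(d)
        return handshake(d, True), handshake(d, False)
```

With the client certificate the server records the verified CN admin and the client reaches the page; without it the server policy refuses the session, which is the behaviour the gateway's SSL server policy enforces.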
Copyright 2008-2009 Hangzhou H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou