Configuring an access control policy, Displaying and maintaining pki – H3C Technologies H3C S3100 Series Switches User Manual

Configuring an Access Control Policy

By configuring a certificate attribute-based access control policy, you can further control access to the server, providing additional security for the server.

Follow these steps to configure a certificate attribute-based access control policy:

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | |
| Create a certificate attribute group and enter its view | pki certificate attribute-group group-name | Required. No certificate attribute group exists by default. |
| Configure an attribute rule for the certificate issuer name, certificate subject name, or alternative subject name | attribute id { alt-subject-name { fqdn \| ip } \| { issuer-name \| subject-name } { dn \| fqdn \| ip } } { ctn \| equ \| nctn \| nequ } attribute-value | Optional. There is no restriction on the issuer name, certificate subject name and alternative subject name by default. |
| Return to system view | quit | |
| Create a certificate attribute-based access control policy and enter its view | pki certificate access-control-policy policy-name | Required. No access control policy exists by default. |
| Configure a certificate attribute-based access control rule | rule [ id ] { deny \| permit } group-name | Required. No access control rule exists by default. |

A certificate attribute group must exist to be associated with a rule.

Displaying and Maintaining PKI

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Display the contents or request status of a certificate | display pki certificate { { ca \| local } domain domain-name \| request-status } | Available in any view |
| Display CRLs | display pki crl domain domain-name | Available in any view |
| Display information about one or all certificate attribute groups | display pki certificate attribute-group { group-name \| all } | Available in any view |
| Display information about one or all certificate attribute-based access control policies | display pki certificate access-control-policy { policy-name \| all } | Available in any view |
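The following session is an added example, not taken from the H3C manual, that strings the configuration steps and the display commands above together. All group names, the policy name and the attribute values are constructed, lines beginning with # are annotations rather than commands, and the operator keywords are read as ctn = contains, equ = equals, nctn = does not contain, nequ = does not equal.

```text
# Constructed example: names and attribute values are placeholders.
system-view

# Attribute group for certificates issued by the expected CA.
# Rule 1: issuer DN contains "Example-CA".
# Rule 2: alternative subject name FQDN is not equal to "test.example.com".
pki certificate attribute-group trusted-issuer
 attribute 1 issuer-name dn ctn Example-CA
 attribute 2 alt-subject-name fqdn nequ test.example.com
 quit

# Attribute group for certificates that should be refused.
# Rule 1: subject DN contains "contractor".
pki certificate attribute-group contractors
 attribute 1 subject-name dn ctn contractor
 quit

# Access control policy that references both groups.
# Each group must already exist before a rule can name it.
pki certificate access-control-policy server-access
 rule 1 deny contractors
 rule 2 permit trusted-issuer
 quit

# Review what was configured (available in any view).
display pki certificate attribute-group all
display pki certificate access-control-policy server-access
```

Checking the display output after each change confirms that every rule points at the intended attribute group before the policy is relied on to restrict access to the server.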
