Configuration procedure – H3C Technologies H3C SecBlade LB Cards User Manual

Page 51

Advertising
background image

41

Configuration procedure

This example assumes that the CA is named new-ca, runs Windows Server, and is installed with the

SCEP add-on. This example also assumes that LB, host, and CA can reach one other.

1.

Configure LB (HTTPS server):
# Configure a PKI entity, configure the common name of the entity as http-server1, and the FQDN
of the entity as ssl.security.com.

<LB> system-view

[LB] pki entity en

[LB-pki-entity-en] common-name http-server1

[LB-pki-entity-en] fqdn ssl.security.com

[LB-pki-entity-en] quit

# Create a PKI domain, specify the trusted CA as new-ca, the URL of the server for certificate
request as http://10.1.2.2/certsrv/mscep/mscep.dll, authority for certificate request as RA, and

the entity for certificate request as en.

[LB] pki domain 1

[LB-pki-domain-1] ca identifier new-ca

[LB-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll

[LB-pki-domain-1] certificate request from ra

[LB-pki-domain-1] certificate request entity en

[LB-pki-domain-1] quit

# Create RSA local key pairs.

[LB] public-key local create rsa

# Retrieve the CA certificate from the certificate issuing server.

[LB] pki retrieval-certificate ca domain 1

# Request a local certificate from a CA through SCEP for LB.

[LB] pki request-certificate domain 1

# Create an SSL server policy myssl, specify PKI domain 1 for the SSL server policy, and enable
certificate-based SSL client authentication.

[LB] ssl server-policy myssl

[LB-ssl-server-policy-myssl] pki-domain 1

[LB-ssl-server-policy-myssl] client-verify enable

[LB-ssl-server-policy-myssl] quit

# Create a certificate attribute group mygroup1, and configure a certificate attribute rule,

specifying that the distinguished name in the subject name includes the string of new-ca.

[LB] pki certificate attribute-group mygroup1

[LB-pki-cert-attribute-group-mygroup1] attribute 1 issuer-name dn ctn new-ca

[LB-pki-cert-attribute-group-mygroup1] quit

# Create a certificate attribute-based access control policy myacp. Configure a certificate
attribute-based access control rule, specifying that a certificate is considered valid when it matches

an attribute rule in certificate attribute group myacp.

[LB] pki certificate access-control-policy myacp

[LB-pki-cert-acp-myacp] rule 1 permit mygroup1

[LB-pki-cert-acp-myacp] quit

# Associate the HTTPS service with SSL server policy myssl.

[LB] ip https ssl-server-policy myssl

Advertising
This manual is related to the following products:

H3C SecPath L1000-A Load Balancer

Popular Brands
Popular manuals