H3C S3610 Series User manual

Operation Manual – SSL-HTTPS

H3C S3610&S5510 Series Ethernet Switches Table of Contents

Table of Contents

Chapter 1 SSL Configuration.......................................................................................................1-1

1.1 SSL Overview....................................................................................................................1-1

1.2 SSL Configuration Task List..............................................................................................1-2

1.3 Configuring an SSL Server Policy .....................................................................................1-2

1.3.1 Configuration Prerequisites.....................................................................................1-2

1.3.2 Configuration Procedure.........................................................................................1-2

1.3.3 SSL Server Policy Configuration Example..............................................................1-3

1.4 Configuring an SSL Client Policy.......................................................................................1-5

1.4.1 Configuration Prerequisites.....................................................................................1-5

1.4.2 Configuration Procedure.........................................................................................1-6

1.5 Displaying and Maintaining SSL........................................................................................1-6

1.6 Troubleshooting SSL .........................................................................................................1-6

1.6.1 SSL Handshake Failure..........................................................................................1-6

Chapter 2 HTTPS Configuration ..................................................................................................2-1

2.1 HTTPS Overview...............................................................................................................2-1

2.2 HTTPS Configuration Task List.........................................................................................2-1

2.3 Associating the HTTPS Service with an SSL Server Policy..............................................2-2

2.4 Enabling the HTTPS Service.............................................................................................2-2

2.5 Associating the HTTPS Service with a Certificate Attribute Access Control Policy..........2-3

2.6 Associating the HTTPS Service with an ACL....................................................................2-4

2.7 Displaying and Maintaining HTTPS...................................................................................2-4

2.8 HTTPS Configuration Example..........................................................................................2-5

Operation Manual – SSL-HTTPS

H3C S3610&S5510 Series Ethernet Switches Chapter 1 SSL Configuration

1-1

Chapter 1 SSL Configuration

When configuring SSL, go to these sections for information you are interested in:

zSSL Overview

zSSL Configuration Task List

zDisplaying and Maintaining SSL

zTroubleshooting SSL

1.1 SSL Overview

Secure Sockets Layer (SSL) is a security protocol providing secure connection service

for TCP-based application layer protocols, for example, HTTP protocol. It is widely

used in E-business and online bank fields to provide secure data transmission over the

Internet.

SSL provides these security services:

zConfidentiality: SSL encrypts datausing a symmetric encryption algorithm andthe

key generated during the handshake phase.

zAuthentication: SSL supports authenticating both the server and the client through

certificates, with the authentication of the client being optional.

zReliability: SSL uses key-based message authentication code (MAC) to verify

message integrity.

As shown in Figure 1-1, the SSL protocol consists of two layers of protocols: the SSL

record protocol at the lower layer and the SSLhandshake protocol, change cipher spec

protocol, and alert protocol at the upper layer.

Figure 1-1 SSL protocol stack

zSSL handshake protocol: Responsible for establishing a session between a client

and the server. A session consists of a set of parameters such as the session ID,

peer certificate, cipher suite (including key exchange algorithm, data encryption

algorithm and MAC algorithm), compression algorithm, and master key. An SSL

session can be used to establish multiple connections, reducing session

negotiation cost.

Operation Manual – SSL-HTTPS

H3C S3610&S5510 Series Ethernet Switches Chapter 1 SSL Configuration

1-2

zSSL change cipher spec protocol: Used for notification between a client and the

server that the subsequent packets are to be protected and transmitted based on

the newly negotiated cipher suite and key.

zSSL alert protocol: Allowing a client and the server to send alert messages to each

other. An alert message contains the alert severity level and a description.

zSSL record protocol: Fragmenting and compressing data to be transmitted,

calculating and adding MAC to the data, and encrypting the data before

transmitting it to the peer end.

1.2 SSL Configuration Task List

Different parameters are required on the SSL server and the SSL client.

Complete the following tasks to configure SSL:

Task Remarks

Configuring an SSL Server Policy Required

Configuring an SSL Client Policy Optional

1.3 Configuring an SSL Server Policy

An SSLserver policy is a set of SSLparameters for a server to use when booting up. An

SSL server policy takes effect only after it is associated with an application layer

protocol, HTTP protocol, for example.

1.3.1 Configuration Prerequisites

Before configuring an SSL server policy, you must configure a PKI (public key

infrastructure) domain.

1.3.2 Configuration Procedure

Follow these steps to configure an SSL server policy:

To do... Use the command... Remarks

Enter system view system-view —

Create an SSL server

policy and enter its view ssl server-policy

policy-name Required

Specify a PKI domain for

the SSL server policy pki-domain

domain-name

Required

By default, no PKI domain

is specified for an SSL

server policy.

Operation Manual – SSL-HTTPS

H3C S3610&S5510 Series Ethernet Switches Chapter 1 SSL Configuration

1-3

To do... Use the command... Remarks

Specify the cipher suite(s)

for the SSL server policy

to support

ciphersuite

[ rsa_aes_128_cbc_sha |

rsa_des_cbc_sha |

rsa_rc4_128_md5 |

rsa_rc4_128_sha ] *

Optional

By default, an SSL server

policy supports all cipher

suites.

Set the handshake

timeout time for the SSL

server handshake timeout time Optional

3,600 seconds by default

Configure the SSL

connection close mode close-mode wait Optional

Not wait by default

Set the maximum number

of cached sessions and

the caching timeout time

session {cachesize size

| timeout time } *

Optional

The defaults are as

follows:

500 for the maximum

number of cached

sessions,

3600 seconds for the

caching timeout time.

Enable certificate-based

SSL client authentication client-verify enable Optional

Not enabled by default

Note:

If you enable client authentication here, you must request a local certificate for the

client.

1.3.3 SSL Server Policy Configuration Example

I. Network requirements

zA switch works as the HTTPS server.

zA host works as the client and accesses the HTTPS server through HTTP secured

with SSL.

zA certificate authentication (CA) issues a certificate to the switch.

Operation Manual – SSL-HTTPS

H3C S3610&S5510 Series Ethernet Switches Chapter 1 SSL Configuration

1-4

Caution:

In this instance, Windows Server works as the CA and the Simple Certificate

Enrollment Protocol (SCEP) plug-in is installed on the CA.

II. Network diagram

Figure 1-2 Network diagram for SSL server policy configuration

III. Configuration procedure

1) Request a certificate for the switch

# Create a PKI entity named en and configure it.

<Sysname> system-view

[Sysname] pki entity en

[Sysname-pki-entity-en] common-name http-server1

[Sysname-pki-entity-en] fqdn ssl.security.com

[Sysname-pki-entity-en] quit

# Create a PKI domain and configure it.

[Sysname] pki domain 1

[Sysname-pki-domain-1] ca identifier ca1

[Sysname-pki-domain-1] certificate request url

http://10.1.2.2/certsrv/mscep/mscep.dll

[Sysname-pki-domain-1] certificate request from ra

[Sysname-pki-domain-1] certificate request entity en

[Sysname-pki-domain-1] quit

# Create a local key pair through RSA.

[Sysname] public-key local create rsa

# Retrieve the CA certificate.

[Sysname] pki retrieval-certificate ca domain 1

# Request a local certificate.

Operation Manual – SSL-HTTPS

H3C S3610&S5510 Series Ethernet Switches Chapter 1 SSL Configuration

1-5

[Sysname] pki request-certificate domain 1

2) Configure an SSL server policy

# Create an SSL server policy named myssl.

[Sysname] ssl server-policy myssl

# Specify the PKI domain for the SSL server policy as 1.

[Sysname-ssl-server-policy-myssl] pki-domain 1

# Enable client authentication.

[Sysname-ssl-server-policy-myssl] client-verify enable

[Sysname-ssl-server-policy-myssl] quit

3) Associate HTTPS service with the SSL server policy and enable HTTPS service

# Configure HTTPS service to use SSL server policy myssl.

[Sysname] ip https ssl-server-policy myssl

# Enable HTTPS service.

[Sysname] ip https enable

4) Verify your configuration

Launch IE on the host and enter https://10.1.1.1 in the address bar. You should be able

to log in to the switch and manage it.

Note:

zFor details about PKI configuration commands, refer to PKI Commands.

zFor details about the public-key local create rsa command, refer to SSH

Commands.

1.4 Configuring an SSL Client Policy

An SSL client policy is a set of SSL parameters for a client to use when connecting to

the server. An SSLclient policy takes effect only after it is associated with an application

layer protocol.

1.4.1 Configuration Prerequisites

Before configuring an SSL client policy, you must configure a PKI domain. For details

about PKI domain configuration, refer to PKI Configuration.

Operation Manual – SSL-HTTPS

H3C S3610&S5510 Series Ethernet Switches Chapter 1 SSL Configuration

1-6

1.4.2 Configuration Procedure

Follow these steps to configure an SSL client policy:

To do... Use the command... Remarks

Enter system view system-view —

Create an SSL client

policy and enter its view ssl client-policy

policy-name Required

Specify a PKI domain for

the SSL client policy pki-domain

domain-name

Required

No PKI domain is

configured by default.

Specify the preferred

cipher suite for the SSL

client policy

prefer-cipher

{rsa_aes_128_cbc_sha

| rsa_des_cbc_sha |

rsa_rc4_128_md5 |

rsa_rc4_128_sha }

Optional

rsa_rc4_128_md5 by

default

Specify the SSL protocol

version for the SSL client

policy version { ssl3.0 | tls1.0 } Optional

TLS 1.0 by default

Note:

If you enable client authentication on the server, you must request a local certificate for

the client.

1.5 Displaying and Maintaining SSL

To do... Use the command... Remarks

Display SSL server policy

information display ssl server-policy

{policy-name | all }

Display SSL client policy

information display ssl client-policy

{policy-name |all }

Available in any

view

1.6 Troubleshooting SSL

1.6.1 SSL Handshake Failure

I. Symptom

As the SSL server, the device fails to handshake with the SSL client.

Operation Manual – SSL-HTTPS

H3C S3610&S5510 Series Ethernet Switches Chapter 1 SSL Configuration

1-7

II. Analysis

SSL handshake failure may result from the following causes:

zNo SSL server certificate exists, or the certificate is not trusted.

zThe server is expected to authenticate the client, but the SSL client has no

certificate or the certificate is not trusted.

zThe cipher suites used by the server and the client do not match.

III. Solution

1) You can issue the debugging ssl command and view the debugging information

to locate the problem:

zIf the SSL server has no certificate, request one for it.

zIf the server certificate cannot be trusted, install on the SSL client the root

certificate of the CA that issues the local certificate to the SSL server, or let the

server requests a certificate from the CA that the SSL client trusts.

zIf the SSL server is configured to authenticate the client, but the certificate of the

SSL client does not exist or cannot be trusted, request and install a certificate for

the client.

2) You can use the display ssl server-policy command to view the cipher suite

used by the SSL server policy. If the cipher suite used by the SSL server does not

match that used by the client, use the ciphersuite command to modify the cipher

suite of the SSL server.

Operation Manual – SSL-HTTPS

H3C S3610&S5510 Series Ethernet Switches Chapter 2 HTTPS Configuration

2-1

Chapter 2 HTTPS Configuration

When configuring HTTPS, go to these sections for information you are interested in:

zHTTPS Overview

zHTTPS Configuration Task List

zAssociating the HTTPS Service with an SSL Server Policy

zEnabling the HTTPS Service

zAssociating the HTTPS Service with a Certificate Attribute Access Control Policy

zAssociating the HTTPS Service with an ACL

zDisplaying and Maintaining HTTPS

zHTTPS Configuration Example

2.1 HTTPS Overview

The HTTP Security (HTTPS) refers to the HTTP protocol that supports the Security

Socket Layer (SSL) protocol.

The SSL protocol of HTTPS enhances the security of the device in the following ways:

zUses the SSL protocol to ensure the legal clients to access the device securely

and prohibit the illegal clients;

zEncrypts the data exchanged between the HTTPS client and the device to ensure

the data security and integrity, thus realizing the security management of the

device;

zDefines certificate attribute-based access control policy for the device to control

the access right of the client, in order to further avoid attacks from illegal clients.

Note:

The total number of HTTP connections and HTTPS connections on a device cannot

exceed ten.

2.2 HTTPS Configuration Task List

Complete these tasks to configure HTTPS:

Configuration task Remarks

Associating the HTTPS Service with an SSL Server Policy Required

Enabling the HTTPS Service Required

Operation Manual – SSL-HTTPS

H3C S3610&S5510 Series Ethernet Switches Chapter 2 HTTPS Configuration

2-2

Configuration task Remarks

Associating the HTTPS Service with a Certificate Attribute

Access Control Policy Optional

Associating the HTTPS Service with an ACL Optional

2.3 Associating the HTTPS Service with an SSL Server Policy

You need to associate the HTTPS service with a created SSL server policy before

enabling the HTTPS service.

Follow these steps to associate the HTTPS service with an SSL server policy:

To do… Use the command… Remarks

Enter system view system-view —

Associate the HTTPS

service with an SSL

server policy

ip https

ssl-server-policy

policy-name

Required

Not associated by default

Note:

zIf the ip https ssl-server-policy command is executed repeatedly, the HTTPS

service is only associated with the last specified SSL server policy.

zWhen the HTTPS service is disabled, the association between the HTTPS service

and the SSL server is automatically removed. To enable it again, you need to

re-associate the HTTPS service with an SSL server policy.

zWhen the HTTPS service is enabled, no modification of its associated SSL server

policy takes effect.

2.4 Enabling the HTTPS Service

Before configuring the HTTPS, make sure that the HTTPS server is enabled.

Otherwise, other related configurations cannot take effect.

Follow these steps to enable the HTTPS service:

To do… Use the command… Remarks

Enter system view system-view —

Enable the HTTPS

service ip https enable Required

Disabled by default.

Other manuals for S3610 Series

This manual suits for next models

Table of contents

Other H3C Switch manuals

H3C

H3C S5120-SI Series User manual

H3C

H3C S3100-52P User manual

H3C

H3C S5500-28 C-EI-DC User manual

H3C

H3C H3C S3600 Series User manual

H3C

H3C S6820-56HF Operating and maintenance manual

H3C

H3C S5500-EI series User manual

H3C

H3C S5130S-10P-EI User manual

H3C

H3C S7500 Series User manual

H3C

H3C S9500E Series User manual

H3C

H3C SecPath NSQ1FAB12D0 User manual

H3C

H3C H3C S5100-SI User manual

H3C

H3C S9500 Series User manual

H3C

H3C T300M-XS Operating and maintenance manual

H3C

H3C S6300 Series Operating and maintenance manual

H3C

H3C S5500-SI Series User manual

H3C

H3C S5120-EI Series User manual

H3C

H3C S7500 Series User manual

H3C

H3C S6890 Series Quick guide

H3C

H3C S5500-SI Series User manual

H3C

H3C S9500E Series Installation manual

H3C

H3C S6805 Series User manual

H3C

H3C H3C S5100-SI User manual

H3C

H3C S12500 Series Quick start guide

H3C

H3C S9500 Series User manual

Popular Switch manuals by other brands

URC

URC Total Control MFS-8 installation manual

Azbil

Azbil HPQ-D11 user manual

Sony

Sony DFS-900M operating instructions

SICK

SICK i17S operating instructions

F&F

F&F SZR-277 quick start guide

Shure

Shure UAMS/BK user guide

Dräger

Dräger X-zone Switch Off Instructions for use

Asco

Asco Joucomatic 349 Series manual

BT Mini Hub user guide

D-Link

D-Link DES-1226G manual

Johnson Controls

Johnson Controls FS80-C installation instructions

MicroNet

MicroNet SP1200A user manual

Ruijie

Ruijie RG-PF2920 Series Hardware installation and reference guide

Altinex

Altinex DA1914SX user guide

RJM

RJM MASTERMIND PBC/6X user manual

Atlas

Atlas MMK-KVM8 owner's manual

Cabletron Systems

Cabletron Systems GIGAswitch GSR-16 Getting started guide

Cisco

Cisco Catalyst X4448 supplementary guide