H3C S3610 Series User manual
Operation Manual – SSL-HTTPS
H3C S3610&S5510 Series Ethernet Switches Table of Contents
i
Table of Contents
Chapter 1 SSL Configuration.......................................................................................................1-1
1.1 SSL Overview....................................................................................................................1-1
1.2 SSL Configuration Task List..............................................................................................1-2
1.3 Configuring an SSL Server Policy .....................................................................................1-2
1.3.1 Configuration Prerequisites.....................................................................................1-2
1.3.2 Configuration Procedure.........................................................................................1-2
1.3.3 SSL Server Policy Configuration Example..............................................................1-3
1.4 Configuring an SSL Client Policy.......................................................................................1-5
1.4.1 Configuration Prerequisites.....................................................................................1-5
1.4.2 Configuration Procedure.........................................................................................1-6
1.5 Displaying and Maintaining SSL........................................................................................1-6
1.6 Troubleshooting SSL .........................................................................................................1-6
1.6.1 SSL Handshake Failure..........................................................................................1-6
Chapter 2 HTTPS Configuration ..................................................................................................2-1
2.1 HTTPS Overview...............................................................................................................2-1
2.2 HTTPS Configuration Task List.........................................................................................2-1
2.3 Associating the HTTPS Service with an SSL Server Policy..............................................2-2
2.4 Enabling the HTTPS Service.............................................................................................2-2
2.5 Associating the HTTPS Service with a Certificate Attribute Access Control Policy..........2-3
2.6 Associating the HTTPS Service with an ACL....................................................................2-4
2.7 Displaying and Maintaining HTTPS...................................................................................2-4
2.8 HTTPS Configuration Example..........................................................................................2-5
Operation Manual – SSL-HTTPS
H3C S3610&S5510 Series Ethernet Switches Chapter 1 SSL Configuration
1-1
Chapter 1 SSL Configuration
When configuring SSL, go to these sections for information you are interested in:
zSSL Overview
zSSL Configuration Task List
zDisplaying and Maintaining SSL
zTroubleshooting SSL
1.1 SSL Overview
Secure Sockets Layer (SSL) is a security protocol providing secure connection service
for TCP-based application layer protocols, for example, HTTP protocol. It is widely
used in E-business and online bank fields to provide secure data transmission over the
Internet.
SSL provides these security services:
zConfidentiality: SSL encrypts datausing a symmetric encryption algorithm andthe
key generated during the handshake phase.
zAuthentication: SSL supports authenticating both the server and the client through
certificates, with the authentication of the client being optional.
zReliability: SSL uses key-based message authentication code (MAC) to verify
message integrity.
As shown in Figure 1-1, the SSL protocol consists of two layers of protocols: the SSL
record protocol at the lower layer and the SSLhandshake protocol, change cipher spec
protocol, and alert protocol at the upper layer.
Figure 1-1 SSL protocol stack
zSSL handshake protocol: Responsible for establishing a session between a client
and the server. A session consists of a set of parameters such as the session ID,
peer certificate, cipher suite (including key exchange algorithm, data encryption
algorithm and MAC algorithm), compression algorithm, and master key. An SSL
session can be used to establish multiple connections, reducing session
negotiation cost.
Operation Manual – SSL-HTTPS
H3C S3610&S5510 Series Ethernet Switches Chapter 1 SSL Configuration
1-2
zSSL change cipher spec protocol: Used for notification between a client and the
server that the subsequent packets are to be protected and transmitted based on
the newly negotiated cipher suite and key.
zSSL alert protocol: Allowing a client and the server to send alert messages to each
other. An alert message contains the alert severity level and a description.
zSSL record protocol: Fragmenting and compressing data to be transmitted,
calculating and adding MAC to the data, and encrypting the data before
transmitting it to the peer end.
1.2 SSL Configuration Task List
Different parameters are required on the SSL server and the SSL client.
Complete the following tasks to configure SSL:
Task Remarks
Configuring an SSL Server Policy Required
Configuring an SSL Client Policy Optional
1.3 Configuring an SSL Server Policy
An SSLserver policy is a set of SSLparameters for a server to use when booting up. An
SSL server policy takes effect only after it is associated with an application layer
protocol, HTTP protocol, for example.
1.3.1 Configuration Prerequisites
Before configuring an SSL server policy, you must configure a PKI (public key
infrastructure) domain.
1.3.2 Configuration Procedure
Follow these steps to configure an SSL server policy:
To do... Use the command... Remarks
Enter system view system-view —
Create an SSL server
policy and enter its view ssl server-policy
policy-name Required
Specify a PKI domain for
the SSL server policy pki-domain
domain-name
Required
By default, no PKI domain
is specified for an SSL
server policy.
Operation Manual – SSL-HTTPS
H3C S3610&S5510 Series Ethernet Switches Chapter 1 SSL Configuration
1-3
To do... Use the command... Remarks
Specify the cipher suite(s)
for the SSL server policy
to support
ciphersuite
[ rsa_aes_128_cbc_sha |
rsa_des_cbc_sha |
rsa_rc4_128_md5 |
rsa_rc4_128_sha ] *
Optional
By default, an SSL server
policy supports all cipher
suites.
Set the handshake
timeout time for the SSL
server handshake timeout time Optional
3,600 seconds by default
Configure the SSL
connection close mode close-mode wait Optional
Not wait by default
Set the maximum number
of cached sessions and
the caching timeout time
session {cachesize size
| timeout time } *
Optional
The defaults are as
follows:
500 for the maximum
number of cached
sessions,
3600 seconds for the
caching timeout time.
Enable certificate-based
SSL client authentication client-verify enable Optional
Not enabled by default
Note:
If you enable client authentication here, you must request a local certificate for the
client.
1.3.3 SSL Server Policy Configuration Example
I. Network requirements
zA switch works as the HTTPS server.
zA host works as the client and accesses the HTTPS server through HTTP secured
with SSL.
zA certificate authentication (CA) issues a certificate to the switch.
Operation Manual – SSL-HTTPS
H3C S3610&S5510 Series Ethernet Switches Chapter 1 SSL Configuration
1-4
Caution:
In this instance, Windows Server works as the CA and the Simple Certificate
Enrollment Protocol (SCEP) plug-in is installed on the CA.
II. Network diagram
Figure 1-2 Network diagram for SSL server policy configuration
III. Configuration procedure
1) Request a certificate for the switch
# Create a PKI entity named en and configure it.
<Sysname> system-view
[Sysname] pki entity en
[Sysname-pki-entity-en] common-name http-server1
[Sysname-pki-entity-en] fqdn ssl.security.com
[Sysname-pki-entity-en] quit
# Create a PKI domain and configure it.
[Sysname] pki domain 1
[Sysname-pki-domain-1] ca identifier ca1
[Sysname-pki-domain-1] certificate request url
http://10.1.2.2/certsrv/mscep/mscep.dll
[Sysname-pki-domain-1] certificate request from ra
[Sysname-pki-domain-1] certificate request entity en
[Sysname-pki-domain-1] quit
# Create a local key pair through RSA.
[Sysname] public-key local create rsa
# Retrieve the CA certificate.
[Sysname] pki retrieval-certificate ca domain 1
# Request a local certificate.
Operation Manual – SSL-HTTPS
H3C S3610&S5510 Series Ethernet Switches Chapter 1 SSL Configuration
1-5
[Sysname] pki request-certificate domain 1
2) Configure an SSL server policy
# Create an SSL server policy named myssl.
[Sysname] ssl server-policy myssl
# Specify the PKI domain for the SSL server policy as 1.
[Sysname-ssl-server-policy-myssl] pki-domain 1
# Enable client authentication.
[Sysname-ssl-server-policy-myssl] client-verify enable
[Sysname-ssl-server-policy-myssl] quit
3) Associate HTTPS service with the SSL server policy and enable HTTPS service
# Configure HTTPS service to use SSL server policy myssl.
[Sysname] ip https ssl-server-policy myssl
# Enable HTTPS service.
[Sysname] ip https enable
4) Verify your configuration
Launch IE on the host and enter https://10.1.1.1 in the address bar. You should be able
to log in to the switch and manage it.
Note:
zFor details about PKI configuration commands, refer to PKI Commands.
zFor details about the public-key local create rsa command, refer to SSH
Commands.
1.4 Configuring an SSL Client Policy
An SSL client policy is a set of SSL parameters for a client to use when connecting to
the server. An SSLclient policy takes effect only after it is associated with an application
layer protocol.
1.4.1 Configuration Prerequisites
Before configuring an SSL client policy, you must configure a PKI domain. For details
about PKI domain configuration, refer to PKI Configuration.
Operation Manual – SSL-HTTPS
H3C S3610&S5510 Series Ethernet Switches Chapter 1 SSL Configuration
1-6
1.4.2 Configuration Procedure
Follow these steps to configure an SSL client policy:
To do... Use the command... Remarks
Enter system view system-view —
Create an SSL client
policy and enter its view ssl client-policy
policy-name Required
Specify a PKI domain for
the SSL client policy pki-domain
domain-name
Required
No PKI domain is
configured by default.
Specify the preferred
cipher suite for the SSL
client policy
prefer-cipher
{rsa_aes_128_cbc_sha
| rsa_des_cbc_sha |
rsa_rc4_128_md5 |
rsa_rc4_128_sha }
Optional
rsa_rc4_128_md5 by
default
Specify the SSL protocol
version for the SSL client
policy version { ssl3.0 | tls1.0 } Optional
TLS 1.0 by default
Note:
If you enable client authentication on the server, you must request a local certificate for
the client.
1.5 Displaying and Maintaining SSL
To do... Use the command... Remarks
Display SSL server policy
information display ssl server-policy
{policy-name | all }
Display SSL client policy
information display ssl client-policy
{policy-name |all }
Available in any
view
1.6 Troubleshooting SSL
1.6.1 SSL Handshake Failure
I. Symptom
As the SSL server, the device fails to handshake with the SSL client.
Operation Manual – SSL-HTTPS
H3C S3610&S5510 Series Ethernet Switches Chapter 1 SSL Configuration
1-7
II. Analysis
SSL handshake failure may result from the following causes:
zNo SSL server certificate exists, or the certificate is not trusted.
zThe server is expected to authenticate the client, but the SSL client has no
certificate or the certificate is not trusted.
zThe cipher suites used by the server and the client do not match.
III. Solution
1) You can issue the debugging ssl command and view the debugging information
to locate the problem:
zIf the SSL server has no certificate, request one for it.
zIf the server certificate cannot be trusted, install on the SSL client the root
certificate of the CA that issues the local certificate to the SSL server, or let the
server requests a certificate from the CA that the SSL client trusts.
zIf the SSL server is configured to authenticate the client, but the certificate of the
SSL client does not exist or cannot be trusted, request and install a certificate for
the client.
2) You can use the display ssl server-policy command to view the cipher suite
used by the SSL server policy. If the cipher suite used by the SSL server does not
match that used by the client, use the ciphersuite command to modify the cipher
suite of the SSL server.
Operation Manual – SSL-HTTPS
H3C S3610&S5510 Series Ethernet Switches Chapter 2 HTTPS Configuration
2-1
Chapter 2 HTTPS Configuration
When configuring HTTPS, go to these sections for information you are interested in:
zHTTPS Overview
zHTTPS Configuration Task List
zAssociating the HTTPS Service with an SSL Server Policy
zEnabling the HTTPS Service
zAssociating the HTTPS Service with a Certificate Attribute Access Control Policy
zAssociating the HTTPS Service with an ACL
zDisplaying and Maintaining HTTPS
zHTTPS Configuration Example
2.1 HTTPS Overview
The HTTP Security (HTTPS) refers to the HTTP protocol that supports the Security
Socket Layer (SSL) protocol.
The SSL protocol of HTTPS enhances the security of the device in the following ways:
zUses the SSL protocol to ensure the legal clients to access the device securely
and prohibit the illegal clients;
zEncrypts the data exchanged between the HTTPS client and the device to ensure
the data security and integrity, thus realizing the security management of the
device;
zDefines certificate attribute-based access control policy for the device to control
the access right of the client, in order to further avoid attacks from illegal clients.
Note:
The total number of HTTP connections and HTTPS connections on a device cannot
exceed ten.
2.2 HTTPS Configuration Task List
Complete these tasks to configure HTTPS:
Configuration task Remarks
Associating the HTTPS Service with an SSL Server Policy Required
Enabling the HTTPS Service Required
Operation Manual – SSL-HTTPS
H3C S3610&S5510 Series Ethernet Switches Chapter 2 HTTPS Configuration
2-2
Configuration task Remarks
Associating the HTTPS Service with a Certificate Attribute
Access Control Policy Optional
Associating the HTTPS Service with an ACL Optional
2.3 Associating the HTTPS Service with an SSL Server Policy
You need to associate the HTTPS service with a created SSL server policy before
enabling the HTTPS service.
Follow these steps to associate the HTTPS service with an SSL server policy:
To do… Use the command… Remarks
Enter system view system-view —
Associate the HTTPS
service with an SSL
server policy
ip https
ssl-server-policy
policy-name
Required
Not associated by default
Note:
zIf the ip https ssl-server-policy command is executed repeatedly, the HTTPS
service is only associated with the last specified SSL server policy.
zWhen the HTTPS service is disabled, the association between the HTTPS service
and the SSL server is automatically removed. To enable it again, you need to
re-associate the HTTPS service with an SSL server policy.
zWhen the HTTPS service is enabled, no modification of its associated SSL server
policy takes effect.
2.4 Enabling the HTTPS Service
Before configuring the HTTPS, make sure that the HTTPS server is enabled.
Otherwise, other related configurations cannot take effect.
Follow these steps to enable the HTTPS service:
To do… Use the command… Remarks
Enter system view system-view —
Enable the HTTPS
service ip https enable Required
Disabled by default.
Operation Manual – SSL-HTTPS
H3C S3610&S5510 Series Ethernet Switches Chapter 2 HTTPS Configuration
2-3
Note:
zAfter the HTTPS service is enabled, you can use the display ip https command to
view the state of the HTTPS service and verify the configuration.
zEnabling of the HTTPS service will trigger an SSL handshake negotiation process.
During the process, if the local certificate of the device already exists, the SSL
negotiation is successfully performed, and the HTTPS service can be started
normally. If no local certificate exists, a certificate application process will be
triggered by the SSL negotiation. Since the application process takes much time,
the SSL negotiation may fail and the HTTPS service cannot be started normally.
Therefore, the ip https enable command must be executed for multiple times to
ensure normal startup of the HTTPS service.
2.5 Associating the HTTPS Service with a Certificate
Attribute Access Control Policy
Associating the HTTPS service with a configured certificate access control policy helps
control the access right of the client, thus providing the device with enhanced security.
Follow these steps to associate the HTTPS service with a certificate attribute access
control policy:
To do… Use the command… Remarks
Enter system view system-view —
Associate the HTTPS
service with a certificate
attribute access control
policy
ip https certificate
access-control-policy
policy-name
Required
Not associated by default.
Operation Manual – SSL-HTTPS
H3C S3610&S5510 Series Ethernet Switches Chapter 2 HTTPS Configuration
2-4
Note:
zIf the ip https certificate access-control-policy command is executed repeatedly,
the HTTPS server is only associated with the last specified certificate attribute
access control policy.
zIf the HTTPS service is associated with a certificate attribute access control policy,
the client-verify enable command must be configured in the SSL server policy.
Otherwise, the client cannot log onto the device.
zIf the HTTPS service is associated with a certificate attribute access control policy,
the latter must contain at least one permit rule. Otherwise, no HTTPS client can log
onto the device.
zFor the configuration of an SSL server policy, refer to PKI Configuration.
2.6 Associating the HTTPS Service with an ACL
Associating the HTTPS service with anACL can filter out requests from some clients to
let pass only clients that pass theACL filtering.
Follow these steps to associate the HTTPS service with anACL:
To do… Use the command… Remarks
Enter system view system-view —
Associate the HTTPS
service with an ACL ip https acl acl-number Required
Not associated by default.
Note:
If the ip https acl command is executed repeatedly, the HTTPS service is only
associated with the last specified ACL.
2.7 Displaying and Maintaining HTTPS
To do… Use the command… Remarks
Display information about
HTTPS display ip https Available in any view
Operation Manual – SSL-HTTPS
H3C S3610&S5510 Series Ethernet Switches Chapter 2 HTTPS Configuration
2-5
2.8 HTTPS Configuration Example
I. Network requirements
zHost acts as the HTTPS client and Switch acts as the HTTPS server.
zHost accesses Switch through Web to control Switch.
zCA (Certificate Authority) issues certificate to Switch. The common name of CA is
new-ca.
Caution:
In this configuration example, Windows Server serves as CA and you need to install
Simple Certificate Enrollment Protocol (SCEP) component.
II. Network diagram
Figure 2-1 Network diagram for HTTPS configuration
III. Configuration procedure
Perform the following configurations on Switch:
1) Apply for a certificate for Switch
# Configure a PKI entity.
<Switch> system-view
[Switch] pki entity en
[Switch-pki-entity-en] common-name http-server1
[Switch-pki-entity-en] fqdn ssl.security.com
[Switch-pki-entity-en] quit
# Configure a PKI domain.
[Switch] pki domain 1
[Switch-pki-domain-1] ca identifier ca1
Operation Manual – SSL-HTTPS
H3C S3610&S5510 Series Ethernet Switches Chapter 2 HTTPS Configuration
2-6
[Switch-pki-domain-1] certificate request url
http://10.1.2.2:8080/certsrv/mscep/mscep.dll
[Switch-pki-domain-1] certificate request from ra
[Switch-pki-domain-1] certificate request entity en
[Switch-pki-domain-1] quit
# Generate a key pair locally by using the RSAalgorithm.
[Switch] public-key local create rsa
# Obtain a server certificate from CA.
[Switch] pki retrieval-certificate ca domain 1
# Apply for a local certificate.
[Switch] pki request-certificate domain 1
2) Configure an SSL server policy associated with the HTTPS service
# Configure SSL server policy.
[Switch] ssl server-policy myssl
[Switch-ssl-server-policy-myssl] pki-domain 1
[Switch-ssl-server-policy-myssl] client-verify enable
[Switch-ssl-server-policy-myssl] quit
3) Configure certificate access control policy
# Configure certificate attribute group.
[Switch] pki certificate attribute-group mygroup1
[Switch-pki-cert-attribute-group-mygroup1] attribute 1 issuer-name dn ctn
new-ca
[Switch-pki-cert-attribute-group-mygroup1] quit
# Configure certificate access control policy myacp and create a control rule.
[Switch] pki certificate access-control-policy myacp
[Switch-pki-cert-acp-myacp] rule 1 permit mygroup1
[Switch-pki-cert-acp-myacp] quit
4) Reference an SSL server policy
# Associate the HTTPS service with the SSL server policy myssl.
[Switch] ip https ssl-server-policy myssl
5) Associate the HTTPS service with a certificate attribute access control policy
# Associate the HTTPS service with a certificate attribute access control policy myacp.
[Switch] ip https certificate access-control-policy myacp
6) Enable the HTTPS service
# Enable the HTTPS service.
[Switch] ip https enable
7) Verify the configuration
Operation Manual – SSL-HTTPS
H3C S3610&S5510 Series Ethernet Switches Chapter 2 HTTPS Configuration
2-7
Launch the IE explorer on Host, and enter https://10.1.1.1. You can log onto Switch and
control it.
Note:
zFor details of PKI commands, refer to PKI Commands.
zFor details of the public-key local create rsa command, refer to SSH Commands.
Other manuals for S3610 Series
21
This manual suits for next models
2
Table of contents
Other H3C Switch manuals
H3C
H3C S12500X-AF Series Quick guide
H3C
H3C S6800 Series User manual
H3C
H3C S3610 Series Installation instructions
H3C
H3C S7500E-XS Series Installation manual
H3C
H3C S5820V2-48S User guide
H3C
H3C S6520X-EI Series User manual
H3C
H3C s5820x series User manual
H3C
H3C LSXM1SEERBA2 User manual
H3C
H3C S5500-EI series User manual
H3C
H3C H3C S5100-SI User manual
H3C
H3C S5120-SI Series User manual
H3C
H3C S5850 Series User manual
H3C
H3C S7500X Series User manual
H3C
H3C S5120-SI Series User manual
H3C
H3C S5500-EI series User manual
H3C
H3C S12500X-AF Series Application guide
H3C
H3C S6550XE-HI Series User manual
H3C
H3C S12501X-AF User manual
H3C
H3C S5120-EI Series User manual
H3C
H3C S5120-EI Series User manual
Popular Switch manuals by other brands
Siemens
Siemens 3VA1225-1AA 2 Series operating instructions
Endress+Hauser
Endress+Hauser Liquiphant T FTL20H instruction manual
Hirschmann
Hirschmann RS20 series user manual
Trust
Trust HU-4440p user guide
Speaka Professional
Speaka Professional 55 43 36 operating instructions
Gianni Industries
Gianni Industries GEM KS-750 Specifications
