HP 5500 Ei 5500 Si Switch Series Configuration Guide
• VPN
A virtual private network (VPN) is a private data communication network built on a public communication infrastructure. A VPN can use network layer security protocols (for example, IPsec) together with PKI-based encryption and digital signature technologies to provide confidentiality.
• Secure email
Email requires confidentiality, integrity, authentication, and non-repudiation, and PKI can address these needs. The fast-developing secure email protocol is Secure/Multipurpose Internet Mail Extensions (S/MIME), which is based on PKI and allows encrypted and signed mail to be transferred.
• Web security
For web security, two peers can first establish an SSL connection for transparent and secure communications at the application layer. With PKI, SSL provides encrypted communications between a browser and a server, and both parties can verify each other's identity through digital certificates.

How PKI operates
In a PKI-enabled network, an entity can request a local certificate from the CA, and the device can check the validity of certificates. The process is as follows:
1. An entity submits a certificate request to the RA.
2. The RA reviews the identity of the entity and then sends the identity information and the public key, with a digital signature, to the CA.
3. The CA verifies the digital signature, approves the application, and issues a certificate.
4. The RA receives the certificate from the CA, sends it to the LDAP server to provide a directory navigation service, and notifies the entity that the certificate has been issued.
5. The entity retrieves the certificate. With the certificate, the entity can communicate securely with other entities through encryption and digital signatures.
6. When the entity needs to revoke its certificate, it makes a request to the CA. The CA approves the request, updates the CRLs, and publishes the CRLs on the LDAP server.
PKI configuration task list
• Configuring an entity DN: Required.
• Configuring a PKI domain: Required.
• Submitting a PKI certificate request (in auto mode or in manual mode): Required. Use either approach.
• Retrieving a certificate manually: Optional.
• Configuring PKI certificate verification: Optional.
• Destroying a local RSA key pair: Optional.
• Deleting a certificate: Optional.
• Configuring an access control policy: Optional.

Configuring an entity DN
A certificate binds a public key to the identity information of an entity, where the identity information is identified by an entity distinguished name (DN). A CA identifies a certificate applicant uniquely by its entity DN. An entity DN is defined by these parameters:
• Common name of the entity.
• Country code of the entity, a standard 2-character code. For example, CN represents China and US represents the United States.
• Fully qualified domain name (FQDN) of the entity, a unique identifier of an entity on the network. It consists of a host name and a domain name and can be resolved to an IP address. For example, www.whatever.com is an FQDN, where www is a host name and whatever.com a domain name.
• IP address of the entity.
• Locality where the entity resides.
• Organization to which the entity belongs.
• Unit of the entity in the organization.
• State where the entity resides.
The configuration of an entity DN must comply with the certificate issuing policy of the CA. For example, you must determine which entity DN parameters are mandatory and which are optional; otherwise, certificate requests might be rejected.
To configure an entity DN:
1. Enter system view: system-view
2. Create an entity and enter its view: pki entity entity-name (No entity exists by default.)
3. Configure the common name for the entity: common-name name (Optional. No common name is specified by default.)
4. Configure the country code for the entity: country country-code-str (Optional. No country code is specified by default.)
5. Configure the FQDN for the entity: fqdn name-str (Optional. No FQDN is specified by default.)
6. Configure the IP address for the entity: ip ip-address (Optional. No IP address is specified by default.)
7. Configure the locality for the entity: locality locality-name (Optional. No locality is specified by default.)
8. Configure the organization name for the entity: organization org-name (Optional. No organization is specified by default.)
9. Configure the unit name for the entity: organization-unit org-unit-name (Optional. No unit is specified by default.)
10. Configure the state or province for the entity: state state-name (Optional. No state or province is specified by default.)
NOTE: The Windows 2000 CA server restricts the data length of a certificate request. If the entity DN in a certificate request exceeds that limit, the server does not respond to the request.

Configuring a PKI domain
Before requesting a PKI certificate, an entity must be configured with some enrollment information, which is referred to as a PKI domain. A PKI domain is only intended for convenient reference by applications such as SSL and has only local significance. A PKI domain configured on a switch is invisible to the CA and to other switches, and each PKI domain has its own parameters.
A PKI domain defines these parameters:
• Trusted CA—An entity requests a certificate from a trusted CA.
• Entity—A certificate applicant uses an entity to provide its identity information to a CA.
• RA—Generally, an independent RA is in charge of certificate request management. It receives the registration request from an entity, examines its qualification, and determines whether to ask the CA to sign a digital certificate. The RA only examines the application qualification of an entity; it does not issue any certificate. Sometimes the registration management function is provided by the CA, in which case no independent RA is required. It is a good practice to deploy an independent RA.
• URL of the registration server—An entity sends a certificate request to the registration server through the Simple Certificate Enrollment Protocol (SCEP), a dedicated protocol for an entity to communicate with a CA. This URL is also called the certificate request URL.
• Polling interval and count—After an applicant makes a certificate request, the CA might need a long time if it verifies the request manually. During this period, the applicant needs to query the status of the request periodically so that it gets the certificate as soon as possible after the certificate is signed. You can configure the polling interval and count used to query the request status.
• IP address of the LDAP server—An LDAP server is usually deployed to store certificates and CRLs. If this is the case, you must configure the IP address of the LDAP server.
• Fingerprint for root certificate verification—After receiving the root certificate of the CA, an entity must verify the fingerprint of the root certificate, that is, the hash value of the root certificate content. This hash value is unique to every certificate. If the fingerprint of the received root certificate does not match the one configured for the PKI domain, the entity rejects the root certificate. Because the SCEP exchange itself does not authenticate the CA, this configured fingerprint is what stops a switch from trusting a root certificate supplied by an impostor; obtain it from the CA operator through a channel independent of the certificate request URL.
Configuration guidelines
• Up to two PKI domains can be created on a switch.
• The CA name is required only when you retrieve a CA certificate. It is not used in a local certificate request.
• The certificate request URL does not support domain name resolution.
Configuration procedure
To configure a PKI domain:
1. Enter system view: system-view
2. Create a PKI domain and enter its view: pki domain domain-name (No PKI domain exists by default.)
3. Specify the trusted CA: ca identifier name (No trusted CA is specified by default.)
4. Specify the entity for certificate request: certificate request entity entity-name (No entity is specified by default. The specified entity must exist.)
5. Specify the authority for certificate request: certificate request from { ca | ra } (No authority is specified by default.)
6. Configure the certificate request URL: certificate request url url-string (No certificate request URL is configured by default.)
7. Configure the polling interval and attempt limit for querying the certificate request status: certificate request polling { count count | interval minutes } (Optional. By default, the status is polled up to 50 times at an interval of 20 minutes.)
8. Specify the LDAP server: ldap-server ip ip-address [ port port-number ] [ version version-number ] (Optional. No LDAP server is specified by default.)
9. Configure the fingerprint for root certificate verification: root-certificate fingerprint { md5 | sha1 } string (Required when the certificate request mode is auto; optional when the certificate request mode is manual. In manual mode, if you do not configure this command, you must verify the fingerprint of the root certificate yourself. No fingerprint is configured by default. Of the two algorithms, prefer sha1; MD5 is no longer collision resistant.)

Submitting a PKI certificate request
When requesting a certificate, an entity introduces itself to the CA by providing its identity information and public key, which become the major components of the certificate. A certificate request can be submitted to a CA in offline mode or online mode.
In offline mode, a certificate request is submitted to a CA by an out-of-band means such as phone, disk, or email. An online certificate request can be submitted in manual mode or auto mode.
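The two procedures above, entity DN and PKI domain, put together as one configuration. This is an added example, not taken from the HP guide: the entity name sw1, the domain name corp-ca, the CA identifier corp-root-ca, the addresses, the SCEP URL and the fingerprint value are all hypothetical placeholders, and the "#" lines are comments in the style of a Comware configuration file.

```text
# Added example (not from the HP guide). Entity DN and PKI domain for a switch
# that enrolls with a corporate CA over SCEP through an RA. All names,
# addresses, the URL and the fingerprint below are hypothetical placeholders.
system-view
#
# Entity DN: the identity the CA binds to the switch's public key. Which of
# these fields are mandatory depends on the CA's issuing policy; a request
# that violates that policy is rejected.
pki entity sw1
 common-name sw1.example.com
 fqdn sw1.example.com
 ip 192.0.2.21
 country US
 state California
 locality Sunnyvale
 organization Example Corp
 organization-unit Network
 quit
#
# PKI domain: local-only enrollment parameters that reference the entity.
# The request URL must be an IP address (no domain name resolution).
pki domain corp-ca
 ca identifier corp-root-ca
 certificate request entity sw1
 certificate request from ra
 certificate request url http://192.0.2.10:446/scep
 certificate request polling interval 5
 certificate request polling count 12
 ldap-server ip 192.0.2.11 port 389 version 2
 # Pin the CA root certificate. Replace the placeholder with the SHA-1
 # fingerprint obtained from the CA operator out of band; a CA certificate
 # retrieved over SCEP that does not match it is rejected.
 root-certificate fingerprint sha1 0123456789abcdef0123456789abcdef01234567
 quit
```

The polling values shorten the default 20-minute interval so that a manually vetted request is picked up sooner; the count bounds how long the switch keeps polling. The fingerprint line is the one step that authenticates the CA, so it is the one not to skip even in manual mode, where the guide makes it optional.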
Submitting a certificate request in auto mode
In auto mode, an entity automatically requests a certificate from the CA server if it has no local certificate for an application working with PKI, and then retrieves the certificate and saves it locally. If the PKI domain does not have the CA certificate yet, the entity automatically retrieves the CA certificate before requesting a certificate. Because this retrieval happens without operator involvement, the root-certificate fingerprint command is required in the PKI domain for auto mode; it is the only check applied to the CA certificate the switch receives.
To configure an entity to submit a certificate request in auto mode:
1. Enter system view: system-view
2. Enter PKI domain view: pki domain domain-name
3. Set the certificate request mode to auto: certificate request mode auto [ key-length key-length | password { cipher | simple } password ] * (Manual by default.)
IMPORTANT: In auto mode, an entity does not automatically re-request a certificate to replace one that is expiring or has expired. After the certificate expires, the service using the certificate might be interrupted.

Submitting a certificate request in manual mode
In manual mode, you submit a certificate request for an entity yourself. Before submitting a certificate request, make sure that an RSA key pair has been generated and that the CA certificate has been retrieved and saved locally. The CA certificate is required to verify the authenticity and validity of a local certificate. The public key of the key pair is an important part of the request information and is transferred to the CA along with other information. For more information about RSA key pair configuration, see Security Configuration Guide.
Configuration guidelines
• If a PKI domain already has a local certificate, creating a new RSA key pair makes the key pair inconsistent with the certificate. To generate a new RSA key pair, delete the local certificate first and then issue the public-key local create command.
For more information about the public-key local create command, see Security Command Reference.
• A newly created key pair overwrites the existing one. If you execute the public-key local create command when a local RSA key pair already exists, the system asks whether you want to overwrite it.
• If a PKI domain already has a local certificate, you cannot request another certificate for it. This helps avoid inconsistency between the certificate and the registration information resulting from configuration changes. Before requesting a new certificate, use the pki delete-certificate command to delete the existing local certificate and the locally stored CA certificate.
• When it is impossible to request a certificate from the CA through SCEP, you can print the request information or save it to a local file, and then send the printed information or the saved file to the CA by an out-of-band means. To print the request information, use the pki request-certificate domain command with the pkcs10 keyword. To save the request information to a local file, use the pki request-certificate domain command with the pkcs10 filename filename option.
• Make sure the clocks of the entity and the CA are synchronized. Otherwise, the validity period of the certificate will be wrong.
• The configuration made by the pki request-certificate domain command is not saved in the configuration file.
Configuration procedure
To submit a certificate request in manual mode:
1. Enter system view: system-view
2. Enter PKI domain view: pki domain domain-name
3. Set the certificate request mode to manual: certificate request mode manual (Optional. Manual by default.)
4. Return to system view: quit
5. Retrieve a CA certificate manually: see Retrieving a certificate manually.
6. Generate a local RSA key pair: public-key local create rsa (No local RSA key pair exists by default.)
7. Submit a local certificate request manually: pki request-certificate domain domain-name [ password ] [ pkcs10 [ filename filename ] ]

Retrieving a certificate manually
You can download CA certificates, local certificates, or peer entity certificates from the CA server and save them locally, using either online mode or offline mode. In offline mode, you retrieve a certificate by an out-of-band means such as FTP, disk, or email and then import it into the local PKI system.
Certificate retrieval serves the following purposes:
• Locally store the certificates associated with the local security domain for improved query efficiency and a reduced query count.
• Prepare for certificate verification.
Configuration guidelines
• Before retrieving a local certificate in online mode, be sure to complete the LDAP server configuration.
• If a PKI domain already has a CA certificate, you cannot retrieve another CA certificate for it. This restriction helps avoid inconsistency between the certificate and the registration information resulting from configuration changes. To retrieve a new CA certificate, first use the pki delete-certificate command to delete the existing CA certificate and the local certificate.
• The configuration made by the pki retrieval-certificate command is not saved in the configuration file.
• Make sure the switch's system time falls within the validity period of the certificate so that the certificate is valid.
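A complete manual-mode enrollment, as an added example that is not part of the HP guide. It walks the manual-mode request procedure above end to end for the hypothetical domain corp-ca and also runs the retrieval, CRL retrieval and validation commands that the certificate retrieval and verification procedures further down describe. The domain name, CRL URL, challenge password and file names are placeholders; the "#" lines are comments in Comware configuration-file style.

```text
# Added example (not from the HP guide). Manual-mode enrollment for the
# hypothetical domain corp-ca, then CRL-checked verification of the result.
# Domain name, CRL URL, password and file names are placeholders.
system-view
pki domain corp-ca
 certificate request mode manual
 # CRL distribution point (IP address only, no domain name resolution) and a
 # local update period that overrides the next-update field in the CRL.
 crl url ldap://192.0.2.11/CN=corp-root-ca
 crl update-period 12
 crl check enable
 quit
#
# 1. Get the CA certificate. Online over SCEP, where the fingerprint pinned in
#    the domain is compared against the received certificate; or offline, by
#    importing a file copied to the switch out of band. Only one of the two
#    can run: a domain that already holds a CA certificate refuses another.
pki retrieval-certificate ca domain corp-ca
# pki import-certificate ca domain corp-ca pem filename corp-root-ca.pem
#
# 2. Generate the RSA key pair whose public half goes into the request.
#    If a key pair already exists, the system asks before overwriting it.
public-key local create rsa
#
# 3. Submit the request. Online over SCEP with the challenge password the CA
#    expects; or offline, writing a PKCS#10 file to send to the CA by hand and
#    importing the issued certificate afterwards with pki import-certificate.
pki request-certificate domain corp-ca s3cret-challenge
# pki request-certificate domain corp-ca pkcs10 filename sw1.p10
# pki import-certificate local domain corp-ca pem filename sw1-cert.pem
#
# 4. Before any application relies on the certificate, fetch the CRL and
#    validate both the CA certificate and the local certificate against it.
#    Neither the request nor the retrieval commands are saved to the
#    configuration file, so repeat them after a key or certificate change.
pki retrieval-crl domain corp-ca
pki validate-certificate ca domain corp-ca
pki validate-certificate local domain corp-ca
display pki certificate local domain corp-ca
```

Two failure modes are worth checking when step 4 reports an invalid certificate: the switch clock outside the certificate's validity period (the guide requires synchronized clocks), and a CRL that could not be retrieved while crl check enable is in force, in which case the fix is the CRL URL or the update period, not disabling CRL checking.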
Configuration procedure
To retrieve a certificate manually:
1. Enter system view: system-view
2. Retrieve a certificate manually, using either command:
   • In online mode: pki retrieval-certificate { ca | local } domain domain-name
   • In offline mode: pki import-certificate { ca | local } domain domain-name { der | p12 | pem } [ filename filename ]

Configuring PKI certificate verification
A certificate must be verified before it is used. Certificate verification examines whether the certificate is signed by the CA and whether it has expired or been revoked.
You can specify whether to perform CRL checking during certificate verification. If you enable CRL checking, CRLs are used in the verification of a certificate, and you must retrieve the CA certificate and the CRLs to the local switch before the verification. If you disable CRL checking, you only need to retrieve the CA certificate, but verification then cannot detect a certificate that the CA has revoked.
Configuration guidelines
• The CRL update period defines the interval at which the entity downloads CRLs from the CRL server. A CRL update period configured manually on the switch takes precedence over the one carried in the CRLs.
• The configuration made by the pki retrieval-crl domain command is not saved in the configuration file.
• The URL of the CRL distribution point does not support domain name resolution.
Configuring CRL-checking-enabled PKI certificate verification
1. Enter system view: system-view
2. Enter PKI domain view: pki domain domain-name
3. Specify the URL of the CRL distribution point: crl url url-string (Optional. No CRL distribution point URL is specified by default.)
4. Set the CRL update period: crl update-period hours (Optional. By default, the CRL update period depends on the next update field in the CRL file.)
5. Enable CRL checking: crl check enable (Optional. Enabled by default.)
6. Return to system view: quit
7. Retrieve the CA certificate: see Retrieving a certificate manually.
8. Retrieve CRLs: pki retrieval-crl domain domain-name
9. Verify the validity of a certificate: pki validate-certificate { ca | local } domain domain-name
Configuring CRL-checking-disabled PKI certificate verification
To configure CRL-checking-disabled PKI certificate verification:
1. Enter system view: system-view
2. Enter PKI domain view: pki domain domain-name
3. Disable CRL checking: crl check disable (Enabled by default.)
4. Return to system view: quit
5. Retrieve the CA certificate: see Retrieving a certificate manually.
6. Verify the validity of the certificate: pki validate-certificate { ca | local } domain domain-name

Destroying a local RSA key pair
A certificate has a lifetime, which is determined by the CA. When the private key is leaked or the certificate is about to expire, you can destroy the old RSA key pair and then create a new pair to request a new certificate. Destroying the key pair on the switch does not revoke the certificate; when the private key has leaked, also request revocation from the CA so that the certificate is listed in the CRL and other entities stop accepting it.
To destroy a local RSA key pair:
1. Enter system view: system-view
2. Destroy a local RSA key pair: public-key local destroy rsa
For more information about the public-key local destroy command, see Security Command Reference.

Deleting a certificate
When a certificate requested manually is about to expire or you want to request a new certificate, you can delete the current local certificate or CA certificate.
To delete a certificate:
1. Enter system view: system-view
2. Delete certificates: pki delete-certificate { ca | local } domain domain-name

Configuring an access control policy
By configuring a certificate attribute-based access control policy, you can further control access to the server, providing additional security for the server: a peer that presents a valid certificate is admitted only if the certificate's issuer name, subject name, or alternative subject name satisfies the configured attribute rules.
To configure a certificate attribute-based access control policy:
1. Enter system view: system-view
2. Create a certificate attribute group and enter its view: pki certificate attribute-group group-name (No certificate attribute group exists by default.)
3. Configure an attribute rule for the certificate issuer name, certificate subject name, or alternative subject name: attribute id { alt-subject-name { fqdn | ip } | { issuer-name | subject-name } { dn | fqdn | ip } } { ctn | equ | nctn | nequ } attribute-value (Optional. By default, no restriction exists on the issuer name, certificate subject name, or alternative subject name.)
4. Return to system view: quit
5. Create a certificate attribute-based access control policy and enter its view: pki certificate access-control-policy policy-name (No access control policy exists by default.)
6. Configure a certificate attribute-based access control rule: rule [ id ] { deny | permit } group-name (No access control rule exists by default. A certificate attribute group must exist before a rule can be associated with it.)

Displaying and maintaining PKI
• Display the contents or request status of a certificate: display pki certificate { { ca | local } domain domain-name | request-status } [ | { begin | exclude | include } regular-expression ] (Available in any view.)
• Display CRLs: display pki crl domain domain-name [ | { begin | exclude | include } regular-expression ] (Available in any view.)
• Display information about certificate attribute groups: display pki certificate attribute-group { group-name | all } [ | { begin | exclude | include } regular-expression ] (Available in any view.)
• Display information about certificate attribute-based access control policies: display pki certificate access-control-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ] (Available in any view.)

PKI configuration examples
This section describes PKI configuration examples.
When the CA runs Windows Server, the SCEP add-on is required, and you must use the certificate request from ra command to specify that the entity requests a certificate from an RA. When the CA runs RSA Keon, the SCEP add-on is not required, and you must use the certificate request from ca command to specify that the entity requests a certificate from a CA.
Requesting a certificate from a CA server running RSA Keon
Network requirements
The switch submits a local certificate request to the CA server. The switch acquires the CRLs for certificate verification.
Figure 95 Network diagram
Configuring the CA server
1. Create a CA server named myca:
In this example, you need to configure these basic attributes on the CA server first:
◦ Nickname—Name of the trusted CA.
◦ Subject DN—DN information of the CA, including the Common Name (CN), Organization Unit (OU), Organization (O), and Country (C).
Use the default values for the other attributes.
2. Configure extended attributes:
After configuring the basic attributes, perform configuration on the jurisdiction configuration page of the CA server. This includes selecting the proper extension profiles, enabling the SCEP autovetting function, and adding the IP address list for SCEP autovetting.
3. Configure the CRL distribution behavior: