HP 5500 Ei 5500 Si Switch Series Configuration Guide

    After completing the configuration, you must perform CRL related configurations. In this example,
    select the local CRL distribution mode of Hypertext Transfer Protocol (HTTP) and set the HTTP URL
    to http://4.4.4.133:447/myca.crl.
    After the configuration, make sure the system clock of the switch is synchronized with that of the CA,
    so that the switch can request certificates and retrieve CRLs properly.
    Configuring the switch 
    1. Configure the entity DN:
    # Configure the entity name as aaa and the common name as device.
    <Device> system-view
    [Device] pki entity aaa
    [Device-pki-entity-aaa] common-name device
    [Device-pki-entity-aaa] quit
    2. Configure the PKI domain:
    # Create PKI domain torsa and enter its view.
    [Device] pki domain torsa
    # Configure the name of the trusted CA as myca.
    [Device-pki-domain-torsa] ca identifier myca
    # Configure the URL of the registration server in the format of http://host:port/Issuing Jurisdiction
    ID, where Issuing Jurisdiction ID is a hexadecimal string generated on the CA server.
    [Device-pki-domain-torsa] certificate request url http://4.4.4.133:446/c95e970f632d27be5e8cbf80e971d9c4a9a93337
    # Set the registration authority to CA.
    [Device-pki-domain-torsa] certificate request from ca
    # Specify the entity for certificate request as aaa.
    [Device-pki-domain-torsa] certificate request entity aaa
    # Configure the URL for the CRL distribution point.
    [Device-pki-domain-torsa] crl url http://4.4.4.133:447/myca.crl
    [Device-pki-domain-torsa] quit
    3. Generate a local key pair using RSA: 
    [Device] public-key local create rsa 
    The range of public key size is (512 ~ 2048). 
    NOTES: If the key modulus is greater than 512, 
    It will take a few minutes. 
    Press CTRL+C to abort. 
    Input the bits in the modulus [default = 1024]: 
    Generating Keys... 
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
    ++++++++++++++++++++++++++++++++++++++ 
    +++++++++++++++++++++++++++++++++++++++++++++++ 
    +++++++++++++++++++++++ 
     
    4. Apply for certificates: 
    # Retrieve the CA certificate and save it locally. 
    [Device] pki retrieval-certificate ca domain torsa 
    Retrieving CA/RA certificates. Please wait a while......
    The trusted CAs finger print is: 
        MD5  fingerprint:EDE9 0394 A273 B61A F1B3 0072 A0B1 F9AB 
        SHA1 fingerprint: 77F9 A077 2FB8 088C 550B A33C 2410 D354 23B2 73A8
     
    Is the finger print correct?(Y/N):y 
     
    Saving CA/RA certificates chain, please wait a moment...... 
    CA certificates retrieval success. 
    # Retrieve CRLs and save them locally. 
    [Device] pki retrieval-crl domain torsa 
    Connecting to server for retrieving CRL. Please wait a while..... 
    CRL retrieval success! 
    # Request a local certificate manually. 
    [Device] pki request-certificate domain torsa challenge-word 
    Certificate is being requested, please wait...... 
    [Device] 
    Enrolling the local certificate,please wait a while...... 
    Certificate request Successfully! 
    Saving the local certificate to device...... 
    Done! 
    Verifying the configuration 
    # Use the following command to view information about the local certificate acquired. 
    [Device] display pki certificate local domain torsa 
    Certificate: 
        Data: 
            Version: 3 (0x2) 
            Serial Number: 
                9A96A48F 9A509FD7 05FFF4DF 104AD094 
            Signature Algorithm: sha1WithRSAEncryption 
            Issuer: 
                C=cn 
                O=org 
                OU=test 
                CN=myca 
            Validity 
                Not Before: Jan  8 09:26:53 2012 GMT 
                Not After : Jan  8 09:26:53 2012 GMT 
            Subject: 
                CN=device 
            Subject Public Key Info: 
                Public Key Algorithm: rsaEncryption 
                RSA Public Key: (1024 bit) 
                    Modulus (1024 bit): 
                        00D67D50 41046F6A 43610335 CA6C4B11 
                        F8F89138 E4E905BD 43953BA2 623A54C0 
                        EA3CB6E0 B04649CE C9CDDD38 34015970 
                        981E96D9 FF4F7B73 A5155649 E583AC61
                        D3A5C849 CBDE350D 2A1926B7 0AE5EF5E 
                        D1D8B08A DBF16205 7C2A4011 05F11094 
                        73EB0549 A65D9E74 0F2953F2 D4F0042F 
                        19103439 3D4F9359 88FB59F3 8D4B2F6C 
                        2B 
                    Exponent: 65537 (0x10001) 
            X509v3 extensions: 
                X509v3 CRL Distribution Points: 
                URI:http://4.4.4.133:447/myca.crl 
     
        Signature Algorithm: sha1WithRSAEncryption 
            836213A4 F2F74C1A 50F4100D B764D6CE 
            B30C0133 C4363F2F 73454D51 E9F95962 
            EDE9E590 E7458FA6 765A0D3F C4047BC2 
            9C391FF0 7383C4DF 9A0CCFA9 231428AF 
            987B029C C857AD96 E4C92441 9382E798 
            8FCC1E4A 3E598D81 96476875 E2F86C33 
            75B51661 B6556C5E 8F546E97 5197734B 
            C8C29AC7 E427C8E4 B9AAF5AA 80A75B3C 
    You can also use display pki certificate ca domain and display pki crl domain to display detailed
    information about the CA certificate and CRLs. For more information about the commands, see Security
    Command Reference.
    Requesting a certificate from a CA server running Windows 2003 Server
    Network requirements 
    Configure PKI entity Device to request a local certificate from the CA server. 
    Figure 96 Network diagram 
     
     
    Configuring the CA server 
    1. Install the certificate service suites: 
    a. Select Control Panel > Add or Remove Programs from the start menu.
    b. Select Add/Remove Windows Components > Certificate Services.
    c. Click Next to begin the installation.
    2. Install the SCEP add-on:
    Because a CA server running Windows 2003 Server does not support SCEP by default, you
    must install the SCEP add-on so that the switch can register and obtain its certificate automatically.
    After the SCEP add-on installation completes, a URL is displayed, which you must configure on the
    switch as the URL of the server for certificate registration.
    3. Modify the certificate service attributes:
    a. Select Control Panel > Administrative Tools > Certificate Authority from the start menu.
    If the CA server and SCEP add-on have been installed successfully, there should be two
    certificates issued by the CA to the RA.
    b. Right-click the CA server in the navigation tree and select Properties > Policy Module.
    c. Click Properties and select Follow the settings in the certificate template, if applicable.
    Otherwise, automatically issue the certificate.
    4. Modify the Internet Information Services (IIS) attributes: 
    a. Select Control Panel > Administrative Tools > Internet Information Services (IIS) Manager from
    the start menu.
    b. Select Web Sites from the navigation tree.
    c. Right-click Default Web Site and select Properties > Home Directory.
    d. Specify the path for certificate service in the Local path text box.
    To avoid conflict with existing services, specify an available port number as the TCP port
    number of the default website.
    After completing the configuration, make sure the system clock of the switch is synchronized with that of the
    CA server, so that the switch can request a certificate normally.
    Configuring the switch 
    1. Configure the entity DN:
    # Configure the entity name as aaa and the common name as device.
    <Device> system-view
    [Device] pki entity aaa
    [Device-pki-entity-aaa] common-name device
    [Device-pki-entity-aaa] quit
    2. Configure the PKI domain:
    # Create PKI domain torsa and enter its view.
    [Device] pki domain torsa
    # Configure the name of the trusted CA as myca.
    [Device-pki-domain-torsa] ca identifier myca
    # Configure the URL of the registration server in the format of http://host:port/certsrv/mscep/mscep.dll,
    where host:port indicates the IP address and port number of the CA server.
    [Device-pki-domain-torsa] certificate request url http://4.4.4.1:8080/certsrv/mscep/mscep.dll
    # Set the registration authority to RA.
    [Device-pki-domain-torsa] certificate request from ra
    # Specify the entity for certificate request as aaa.
    [Device-pki-domain-torsa] certificate request entity aaa
    3. Generate a local key pair using RSA: 
    [Device] public-key local create rsa 
    The range of public key size is (512 ~ 2048). 
    NOTES: If the key modulus is greater than 512, 
    It will take a few minutes. 
    Press CTRL+C to abort.
    Input the bits in the modulus [default = 1024]: 
    Generating Keys... 
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
    ++++++++++++++++++++++++++++++++++++++ 
    +++++++++++++++++++++++++++++++++++++++++++++++ 
    +++++++++++++++++++++++ 
     
    4. Apply for certificates: 
    # Retrieve the CA certificate and save it locally. 
    [Device] pki retrieval-certificate ca domain torsa 
    Retrieving CA/RA certificates. Please wait a while...... 
    The trusted CAs finger print is: 
        MD5  fingerprint:766C D2C8 9E46 845B 4DCE 439C 1C1F 83AB 
        SHA1 fingerprint:97E5 DDED AB39 3141 75FB DB5C E7F8 D7D7 7C9B 97B4 
     
    Is the finger print correct?(Y/N):y 
     
    Saving CA/RA certificates chain, please wait a moment...... 
    CA certificates retrieval success. 
    # Request a local certificate manually. 
    [Device] pki request-certificate domain torsa challenge-word 
    Certificate is being requested, please wait...... 
    [Device] 
    Enrolling the local certificate,please wait a while...... 
    Certificate request Successfully! 
    Saving the local certificate to device...... 
    Done! 
    Verifying the configuration 
    # Use the following command to view information about the local certificate acquired. 
    [Device] display pki certificate local domain torsa 
    Certificate: 
        Data: 
            Version: 3 (0x2) 
            Serial Number: 
                48FA0FD9 00000000 000C 
            Signature Algorithm: sha1WithRSAEncryption 
            Issuer: 
                CN=myca 
            Validity 
                Not Before: Feb 21 12:32:16 2012 GMT 
                Not After : Feb 21 12:42:16 2012 GMT 
            Subject: 
                CN=device 
            Subject Public Key Info: 
                Public Key Algorithm: rsaEncryption 
                RSA Public Key: (1024 bit) 
                    Modulus (1024 bit):
                        00A6637A 8CDEA1AC B2E04A59 F7F6A9FE 
                        5AEE52AE 14A392E4 E0E5D458 0D341113 
                        0BF91E57 FA8C67AC 6CE8FEBB 5570178B 
                        10242FDD D3947F5E 2DA70BD9 1FAF07E5 
                        1D167CE1 FC20394F 476F5C08 C5067DF9 
                        CB4D05E6 55DC11B6 9F4C014D EA600306 
                        81D403CF 2D93BC5A 8AF3224D 1125E439 
                        78ECEFE1 7FA9AE7B 877B50B8 3280509F 
                        6B 
                    Exponent: 65537 (0x10001) 
            X509v3 extensions: 
                X509v3 Subject Key Identifier: 
                B68E4107 91D7C44C 7ABCE3BA 9BF385F8 A448F4E1 
                X509v3 Authority Key Identifier: 
                keyid:9D823258 EADFEFA2 4A663E75 F416B6F6 D41EE4FE 
     
                X509v3 CRL Distribution Points: 
                URI:http://l00192b/CertEnroll/CA%20server.crl 
                URI:file://\\l00192b\CertEnroll\CA server.crl 
     
                Authority Information Access: 
                CA Issuers - URI:http://l00192b/CertEnroll/l00192b_CA%20server.crt
                CA Issuers - URI:file://\\l00192b\CertEnroll\l00192b_CA server.crt
     
                1.3.6.1.4.1.311.20.2: 
                    .0.I.P.S.E.C.I.n.t.e.r.m.e.d.i.a.t.e.O.f.f.l.i.n.e 
        Signature Algorithm: sha1WithRSAEncryption 
            81029589 7BFA1CBD 20023136 B068840B 
    (Omitted) 
    You can also use some other display commands to display more information about the CA certificate. For
    more information about the display pki certificate ca domain command, see Security Command
    Reference.
    Configuring a certificate attribute-based access control policy 
    Network requirements 
    The client accesses the remote HTTP Secure (HTTPS) server through the HTTPS protocol.
    Configure SSL to make sure that only legal clients log into the HTTPS server, and create a certificate
    attribute-based access control policy to control access to the HTTPS server.
    Figure 97 Network diagram 
     
     
    Configuration procedure 
    The configuration procedure involves SSL configuration and HTTPS configuration. For more information
    about SSL configuration, see "Configuring SSL." For more information about HTTPS configuration, see
    Fundamentals Configuration Guide.
    The PKI domain to be referenced by the SSL policy must exist. For how to configure a PKI domain, see
    "Configure the PKI domain."
    The configuration procedure is as follows:
    1.  Configure the HTTPS server: 
    # Configure the SSL policy for the HTTPS server to use.
    <Device> system-view
    [Device] ssl server-policy myssl
    [Device-ssl-server-policy-myssl] pki-domain 1
    [Device-ssl-server-policy-myssl] client-verify enable
    [Device-ssl-server-policy-myssl] quit
    2.  Configure the certificate attribute group: 
    # Create certificate attribute group mygroup1 and add two attribute rules. The first rule defines
    that the DN of the subject name includes the string aabbcc, and the second rule defines that the IP
    address of the certificate issuer is 10.0.0.1.
    [Device] pki certificate attribute-group mygroup1
    [Device-pki-cert-attribute-group-mygroup1] attribute 1 subject-name dn ctn aabbcc
    [Device-pki-cert-attribute-group-mygroup1] attribute 2 issuer-name ip equ 10.0.0.1
    [Device-pki-cert-attribute-group-mygroup1] quit
    # Create certificate attribute group mygroup2 and add two attribute rules. The first rule defines
    that the FQDN of the alternative subject name does not include the string apple, and the second
    rule defines that the DN of the certificate issuer name includes the string aabbcc.
    [Device] pki certificate attribute-group mygroup2
    [Device-pki-cert-attribute-group-mygroup2] attribute 1 alt-subject-name fqdn nctn apple
    [Device-pki-cert-attribute-group-mygroup2] attribute 2 issuer-name dn ctn aabbcc
    [Device-pki-cert-attribute-group-mygroup2] quit
    3. Configure the certificate attribute-based access control policy:
    # Create the certificate attribute-based access control policy myacp and add two access control
    rules.
    [Device] pki certificate access-control-policy myacp 
    [Device-pki-cert-acp-myacp] rule 1 deny mygroup1 
    [Device-pki-cert-acp-myacp] rule 2 permit mygroup2
    [Device-pki-cert-acp-myacp] quit 
    4. Apply the SSL server policy and certificate attribute-based access control policy to HTTPS service
    and enable HTTPS service:
    # Apply SSL server policy myssl to HTTPS service.
    [Device] ip https ssl-server-policy myssl
    # Apply the certificate attribute-based access control policy myacp to HTTPS service.
    [Device] ip https certificate access-control-policy myacp
    # Enable HTTPS service.
    [Device] ip https enable
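    The following added example (not HP or Comware code) models how the attribute groups mygroup1 and mygroup2 and the policy myacp above decide whether an HTTPS client certificate is accepted. It assumes that a certificate matches a group only when every rule in the group holds, that policy rules are tried in ascending rule-number order with the first match deciding, that a certificate matching no rule is denied, and that ctn/nctn/equ/nequ are plain substring and equality tests on the field text; the certificates are constructed.

```python
"""Evaluator for certificate attribute-based access control (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Operators used in the configuration: ctn (contains), nctn (does not
# contain), equ (equal to), nequ (not equal to). Assumed semantics.
OPS = {
    "ctn": lambda value, arg: arg in value,
    "nctn": lambda value, arg: arg not in value,
    "equ": lambda value, arg: value == arg,
    "nequ": lambda value, arg: value != arg,
}

# (attribute, field kind, operator, argument), e.g. "subject-name dn ctn aabbcc".
Rule = Tuple[str, str, str, str]


@dataclass
class ClientCert:
    """Constructed stand-in for the certificate fields the rules inspect."""
    subject_dn: str = ""
    subject_ip: str = ""
    issuer_dn: str = ""
    issuer_ip: str = ""
    alt_subject_fqdn: str = ""
    alt_subject_ip: str = ""

    def field(self, attribute: str, kind: str) -> str:
        prefix = {"subject-name": "subject", "issuer-name": "issuer",
                  "alt-subject-name": "alt_subject"}[attribute]
        return getattr(self, f"{prefix}_{kind}")


def group_matches(cert: ClientCert, rules: List[Rule]) -> bool:
    """A certificate matches an attribute group only when every rule holds."""
    return all(OPS[op](cert.field(attr, kind), arg) for attr, kind, op, arg in rules)


def evaluate(cert: ClientCert, policy: Dict[int, Tuple[str, str]],
             groups: Dict[str, List[Rule]]) -> str:
    """Return the action of the first policy rule whose group matches."""
    for number in sorted(policy):
        action, group = policy[number]
        if group_matches(cert, groups[group]):
            return action
    return "deny"  # assumed default: a certificate matching no rule gets no access


# The groups and policy from the configuration above.
GROUPS: Dict[str, List[Rule]] = {
    "mygroup1": [("subject-name", "dn", "ctn", "aabbcc"),
                 ("issuer-name", "ip", "equ", "10.0.0.1")],
    "mygroup2": [("alt-subject-name", "fqdn", "nctn", "apple"),
                 ("issuer-name", "dn", "ctn", "aabbcc")],
}
MYACP: Dict[int, Tuple[str, str]] = {1: ("deny", "mygroup1"), 2: ("permit", "mygroup2")}


def decide(cert: ClientCert) -> str:
    return evaluate(cert, MYACP, GROUPS)


# Constructed certificates: rule 1 wins even though mygroup2 would also match;
# a clean client is permitted; a wrong issuer or an "apple" FQDN is denied.
DENIED_BY_RULE1 = ClientCert(subject_dn="CN=host1,O=aabbcc", issuer_ip="10.0.0.1",
                             issuer_dn="CN=myca,O=aabbcc", alt_subject_fqdn="host1.example")
PERMITTED = ClientCert(subject_dn="CN=host2", issuer_ip="10.0.0.1",
                       issuer_dn="CN=myca,O=aabbcc", alt_subject_fqdn="host2.example")
NO_MATCH = ClientCert(subject_dn="CN=host3", issuer_dn="CN=other-ca",
                      alt_subject_fqdn="host3.example")
FQDN_APPLE = ClientCert(subject_dn="CN=host4", issuer_dn="CN=myca,O=aabbcc",
                        alt_subject_fqdn="apple.example")
```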
    Troubleshooting PKI
    Failed to retrieve a CA certificate 
    Symptom 
    Failed to retrieve a CA certificate. 
    Analysis 
    Possible reasons include: 
    •  The network connection is not proper. For example, the network cable might be damaged or loose.
    •  No trusted CA is specified.
    •  The URL of the registration server for certificate request is not correct or not configured.
    •  No authority is specified for certificate request.
    •  The system clock of the switch is not synchronized with that of the CA.
    Solution
    •  Make sure that the network connection is physically proper.
    •  Check that the required commands are configured properly.
    •  Use the ping command to verify that the RA server is reachable.
    •  Specify the authority for certificate request.
    •  Synchronize the system clock of the switch with that of the CA.
    Failed to request a local certificate 
    Symptom 
    Failed to request a local certificate. 
    Analysis 
    Possible reasons include: 
    •  The network connection is not proper. For example, the network cable might be damaged or loose.
    •  No CA certificate has been retrieved.
    •  The current key pair has been bound to a certificate.
    •  No trusted CA is specified.
    •  The URL of the registration server for certificate request is not correct or not configured.
    •  No authority is specified for certificate request.
    •  Some required parameters of the entity DN are not configured.
    Solution
    •  Make sure that the network connection is physically proper.
    •  Retrieve a CA certificate.
    •  Regenerate a key pair.
    •  Specify a trusted CA.
    •  Use the ping command to verify that the RA server is reachable.
    •  Specify the authority for certificate request.
    •  Configure the required entity DN parameters.
    Failed to retrieve CRLs 
    Symptom 
    Failed to retrieve CRLs. 
    Analysis 
    Possible reasons include: 
    •  The network connection is not proper. For example, the network cable might be damaged or loose.
    •  No CA certificate has been retrieved before you try to retrieve CRLs.
    •  The IP address of the LDAP server is not configured.
    •  The CRL distribution URL is not configured.
    •  The LDAP server version is wrong.
    Solution
    •  Make sure that the network connection is physically proper.
    •  Retrieve a CA certificate.
    •  Specify the IP address of the LDAP server.
    •  Specify the CRL distribution URL.
    •  Re-configure the LDAP version.

    Configuring IPsec 
    Overview 
    IP Security (IPsec) is a security framework defined by the Internet Engineering Task Force (IETF) for 
    securing IP communications. It is a Layer 3 virtual private network (VPN) technology that transmits data 
    in a secure tunnel established between two endpoints.  
    IPsec guarantees the confidentiality, integrity, and authenticity of data and provides anti-replay service at
    the IP layer in an insecure network environment.
    •  Confidentiality—The sender encrypts packets before transmitting them over the Internet.
    •  Data integrity—The receiver verifies the packets received from the sender to ensure they are not
    tampered with during transmission.
    •  Data origin authentication—The receiver verifies the authenticity of the sender.
    •  Anti-replay—The receiver examines packets and drops outdated and duplicate packets.
    IPsec delivers these benefits: 
    •  Reduced key negotiation overheads and simplified maintenance by supporting the Internet Key
    Exchange (IKE) protocol. IKE provides automatic key negotiation and automatic IPsec security
    association (SA) setup and maintenance.
    •   Good compatibility. You can apply IPsec to all IP-based application systems and services without 
    modifying them. 
    •   Encryption on a per-packet rather than per-flow basis. Per-packet encryption allows for flexibility 
    and greatly enhances IP security. 
    IPsec implementation 
    IPsec comprises a set of protocols for IP data security, including Authentication Header (AH),
    Encapsulating Security Payload (ESP), IKE, and algorithms for authentication and encryption. AH and
    ESP provide security services and IKE performs key exchange.
    IPsec provides two security mechanisms: authentication and encryption. The authentication mechanism
    allows the receiver of an IP packet to authenticate the sender and check if the packet has been tampered
    with. The encryption mechanism ensures data confidentiality and protects the data from being
    eavesdropped en route.
    IPsec can use two security protocols:
    •  AH (protocol 51)—Provides data origin authentication, data integrity, and anti-replay services by
    adding an AH header to each IP packet. AH is suitable only for transmitting non-critical data
    because it cannot prevent eavesdropping, although it can prevent data tampering. AH supports
    authentication algorithms such as Message Digest (MD5) and Secure Hash Algorithm (SHA-1).
    •  ESP (protocol 50)—Provides data encryption as well as data origin authentication, data integrity,
    and anti-replay services by inserting an ESP header and an ESP trailer in IP packets. Unlike AH, ESP
    encrypts data before encapsulating the data to ensure data confidentiality. ESP supports encryption
    algorithms such as Data Encryption Standard (DES), 3DES, and Advanced Encryption Standard
    (AES), and authentication algorithms such as MD5 and SHA-1. The authentication function is
    optional to ESP.
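    The anti-replay service described above is shown below in an added example that is not HP's implementation: the receiver keeps a sliding window of recently seen sequence numbers per SA and drops packets that are duplicates or older than the window. It goes slightly beyond the text by assuming the ESP header layout of RFC 4303 (a 32-bit SPI followed by a 32-bit sequence number), a 64-packet window, and no extended sequence numbers; the packets are constructed.

```python
"""IPsec anti-replay window over constructed ESP packets (added example)."""
import struct
from typing import Dict, List, Tuple

ESP_PROTOCOL = 50  # IP protocol numbers from the text
AH_PROTOCOL = 51


class AntiReplayWindow:
    """Sliding window of the last `size` sequence numbers for one SA."""

    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.top = 0     # highest sequence number accepted so far (0: none yet)
        self.bitmap = 0  # bit i set means sequence number top - i was seen

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is new and inside the window."""
        if seq == 0:
            return False                 # valid sequence numbers start at 1
        if seq > self.top:               # advances the window to the right
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False                 # older than the window: outdated
        if (self.bitmap >> diff) & 1:
            return False                 # already seen: duplicate
        self.bitmap |= 1 << diff         # late but new: accept it
        return True


def parse_esp_header(payload: bytes) -> Tuple[int, int]:
    """Extract (SPI, sequence number) from the start of an ESP payload."""
    if len(payload) < 8:
        raise ValueError("ESP header truncated")
    return struct.unpack("!II", payload[:8])


def filter_replays(packets: List[bytes], window_size: int = 64) -> List[Tuple[int, int]]:
    """Run each ESP payload through the window of its SA; return accepted (SPI, seq)."""
    windows: Dict[int, AntiReplayWindow] = {}
    accepted: List[Tuple[int, int]] = []
    for pkt in packets:
        spi, seq = parse_esp_header(pkt)
        win = windows.setdefault(spi, AntiReplayWindow(window_size))
        if win.check_and_update(seq):
            accepted.append((spi, seq))
    return accepted


def esp(spi: int, seq: int) -> bytes:
    """Constructed ESP payload: header followed by dummy encrypted data."""
    return struct.pack("!II", spi, seq) + b"\x00" * 16


# Constructed traffic on SA 0x1000: in order, a duplicate, a late arrival, a jump
# ahead, a packet that fell out of the window, then a first packet on SA 0x2000.
SAMPLE = [esp(0x1000, s) for s in (1, 2, 2, 5, 3, 100, 36, 37, 37)] + [esp(0x2000, 1)]

if __name__ == "__main__":
    for spi, seq in filter_replays(SAMPLE):
        print(f"accepted SPI 0x{spi:x} seq {seq}")
```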
    						