Manualshelf

R3166-R3206-HP High-End Firewalls Getting Started Guide-6PW101

ManualsBrandsHP ManualsComputer AccessoriesHP 7100/7200 IPsec dl Module
71727374757677787980
68
[Firewall] public-key local create rsa
# Retrieve the CA certificate from the certificate issuing server.
[Firewall] pki retrieval-certificate ca domain 1
# Request a local certificate from a CA through SCEP for the Firewall.
[Firewall] pki request-certificate domain 1
# Create an SSL server policy myssl, specify PKI domain 1 for the SSL server policy, and enable
certificate-based SSL client authentication.
[Firewall] ssl server-policy myssl
[Firewall-ssl-server-policy-myssl] pki-domain 1
[Firewall-ssl-server-policy-myssl] client-verify enable
[Firewall-ssl-server-policy-myssl] quit
# Create a certificate attribute group mygroup1, and configure a certificate attribute rule, specifying that
the Distinguished Name (DN) in the subject name includes the string of new-ca.
[Firewall] pki certificate attribute-group mygroup1
[Firewall-pki-cert-attribute-group-mygroup1] attribute 1 issuer-name dn ctn new-ca
[Firewall-pki-cert-attribute-group-mygroup1] quit
# Create a certificate attribute-based access control policy myacp. Configure a certificate
attribute-based access control rule, specifying that a certificate is considered valid when it matches an
attribute rule in certificate attribute group myacp.
[Firewall] pki certificate access-control-policy myacp
[Firewall-pki-cert-acp-myacp] rule 1 permit mygroup1
[Firewall-pki-cert-acp-myacp] quit
# Associate the HTTPS service with SSL server policy myssl.
[Firewall] ip https ssl-server-policy myssl
# Associate the HTTPS service with certificate attribute-based access control policy myacp.
[Firewall] ip https certificate access-control-policy myacp
# Enable the HTTPS service.
[Firewall] ip https enable
# Create a local user named usera, set the password to 12 3 for the user, and specify the web service type
for the local user.
[Firewall] local-user usera
[Firewall-luser-usera] password simple 123
[Firewall-luser-usera] service-type web
2. Configure the host that acts as the HTTPS client
On the host, run the IE browser. In the address bar, enter http://10.1.2.2/certsrv and request a certificate
for the host as prompted.
3. Verify the configuration
Enter https://10.1.1.1 in the address bar, and select the certificate issued by new-ca. Then the web login
page of the Firewall appears. On the login page, type the username usera, and password 123 to enter
the web management page.