R3166-R3206-HP High-End Firewalls Network Management Configuration Guide-6PW101

Configuration procedure
Follow these steps to configure an SSL server policy:

1. Enter system view.
   Command: system-view
2. Create an SSL server policy and enter its view.
   Command: ssl server-policy policy-name
   Remarks: Required.
3. Specify a PKI domain for the SSL server policy.
   Command: pki-domain domain-name
   Remarks: Required. By default, no PKI domain is specified for an SSL server policy.
4. Specify the cipher suite(s) for the SSL server policy to support.
   Command: ciphersuite [ rsa_aes_128_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha ] *
   Remarks: Optional. By default, an SSL server policy supports all cipher suites.
5. Set the handshake timeout time for the SSL server.
   Command: handshake timeout time
   Remarks: Optional. 3,600 seconds by default.
6. Configure the SSL connection close mode.
   Command: close-mode wait
   Remarks: Optional. Not wait by default.
7. Set the maximum number of cached sessions and the caching timeout time.
   Command: session { cachesize size | timeout time } *
   Remarks: Optional. The defaults are as follows: 500 for the maximum number of cached sessions, 3600 seconds for the caching timeout time.
8. Enable certificate-based SSL client authentication.
   Command: client-verify enable
   Remarks: Optional. Not enabled by default.
9. Configure the policy to use a hardware encryption card for SSL encryption and decryption.
   Command: crypto-accelerator encrypt interface-number
   Remarks: Optional. By default, a policy uses software for encryption and decryption.
NOTE:
If you enable client authentication here, you must request a local certificate for the client.
SSL mainly comes in these versions: SSL 2.0, SSL 3.0, and TLS 1.0, where TLS 1.0 corresponds to SSL 3.1. When the firewall acts as an SSL server, it can communicate with clients running SSL 3.0 or TLS 1.0, and can identify Hello packets from clients running SSL 2.0. If a client running SSL 2.0 also supports SSL 3.0 or TLS 1.0 (information about supported versions is carried in the packet that the client sends to the server), the server notifies the client to use SSL 3.0 or TLS 1.0 to communicate with the server.
SSL server policy configuration example
Network requirements
Firewall works as the HTTPS server.
A host works as the client and accesses the HTTPS server through HTTP secured with SSL.
A CA issues a certificate to Firewall.