R3166-R3206-HP High-End Firewalls VPN Configuration Guide-6PW101
# Create certificate attribute group mygroup2 and add two attribute rules. The first rule requires that the FQDN in the alternative subject name does not contain the string apple, and the second rule requires that the DN of the certificate issuer name contains the string aabbcc.
[Firewall] pki certificate attribute-group mygroup2
[Firewall-pki-cert-attribute-group-mygroup2] attribute 1 alt-subject-name fqdn nctn apple
[Firewall-pki-cert-attribute-group-mygroup2] attribute 2 issuer-name dn ctn aabbcc
[Firewall-pki-cert-attribute-group-mygroup2] quit
c. Configure the certificate attribute-based access control policy
# Create the certificate attribute-based access control policy of myacp and add two access control rules.
[Firewall] pki certificate access-control-policy myacp
[Firewall-pki-cert-acp-myacp] rule 1 deny mygroup1
[Firewall-pki-cert-acp-myacp] rule 2 permit mygroup2
[Firewall-pki-cert-acp-myacp] quit
d. Apply the SSL server policy and certificate attribute-based access control policy to HTTPS service and enable HTTPS service.
# Apply SSL server policy myssl to HTTPS service.
[Firewall] ip https ssl-server-policy myssl
# Apply the certificate attribute-based access control policy of myacp to HTTPS service.
[Firewall] ip https certificate access-control-policy myacp
# Enable HTTPS service.
[Firewall] ip https enable
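The attribute-group and access-control-policy evaluation configured above, worked through as an added Python model; this is not code from the guide or from HP's implementation. It assumes the matching semantics that a certificate matches a group only when all of the group's rules match, that policy rules are tried in order with the first match deciding, and that a certificate matching no rule is denied; mygroup1 is a constructed placeholder because its definition is on the preceding page.

```python
from dataclasses import dataclass

# Constructed certificate model: only the fields the page's rules inspect.
@dataclass
class Cert:
    issuer_dn: str
    alt_fqdn: str = ""

# An attribute rule is (field, operator, value), mirroring the CLI form
# "attribute 1 alt-subject-name fqdn nctn apple"; ctn = contains, nctn = does not contain.
def rule_matches(cert, field_name, op, value):
    actual = {
        "issuer-name dn": cert.issuer_dn,
        "alt-subject-name fqdn": cert.alt_fqdn,
    }[field_name]
    if op == "ctn":
        return value in actual
    if op == "nctn":
        return value not in actual
    raise ValueError(f"unsupported operator {op}")

def group_matches(cert, rules):
    # Assumption: a certificate matches a group only when every rule in it matches.
    return all(rule_matches(cert, *rule) for rule in rules)

def evaluate_acp(cert, groups, acp_rules):
    # Assumption: rules are tried in order, the first matching group decides,
    # and a certificate that matches no rule is denied.
    for action, group_name in acp_rules:
        if group_matches(cert, groups[group_name]):
            return action
    return "deny"

GROUPS = {
    # Constructed placeholder: mygroup1 is configured on the preceding page of the guide.
    "mygroup1": [("issuer-name dn", "ctn", "UntrustedCA")],
    # mygroup2 exactly as configured above.
    "mygroup2": [("alt-subject-name fqdn", "nctn", "apple"),
                 ("issuer-name dn", "ctn", "aabbcc")],
}
MYACP = [("deny", "mygroup1"), ("permit", "mygroup2")]  # myacp rules 1 and 2

if __name__ == "__main__":
    # Constructed sample certificates.
    ok = Cert(issuer_dn="CN=aabbcc Root CA", alt_fqdn="vpn.example.com")
    bad_fqdn = Cert(issuer_dn="CN=aabbcc Root CA", alt_fqdn="apple.example.com")
    both = Cert(issuer_dn="CN=UntrustedCA,O=aabbcc", alt_fqdn="vpn.example.com")
    for c in (ok, bad_fqdn, both):
        print(c.alt_fqdn, "issued by", c.issuer_dn, "->", evaluate_acp(c, GROUPS, MYACP))
```

The third sample matches both groups, so the deny in rule 1 wins over the permit in rule 2; swapping the rule order would change the outcome.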
Configuration guidelines
When configuring PKI, note the following guidelines:
• Make sure the clocks of the entities and the CA are synchronized. Otherwise, the validity period of certificates will be evaluated incorrectly.
• The Windows 2000 CA server has some restrictions on the data length of a certificate request. If the PKI entity identity information in a certificate request goes beyond a certain limit, the server will not respond to the certificate request.
• The SCEP plug-in is required when you use the Windows Server as the CA. In this case, specify RA as the authority for certificate request when configuring the PKI domain.
• The SCEP plug-in is not required when you use the RSA Keon software as the CA. In this case, you need to specify CA as the authority for certificate request when configuring the PKI domain.