R3204P16-HP Load Balancing Module Security Configuration Guide-6PW101

ManualsBrandsHP ManualsComputer AccessoriesHP 7100/7200 IPsec dl Module

100

To do… Use the command…

Remarks

Specify the authority for

certificate request

certificate request from { ca |

ra }

Required

No authority is specified by default.

Configure the URL of the

server for certificate request

certificate request url url-string

Required

No URL is configured by default.

Configure the polling

interval and attempt limit for

querying the certificate

request status

certificate request polling { count

count | interval minutes }

Optional

The polling is executed for up to 50 times at

the interval of 20 minutes by default.

Specify the LDAP server

ldap-server ip ip-address [ port

port-number ] [ version

version-number ]

Optional

No LDP server is specified by default.

Configure the fingerprint for

root certificate verification

root-certificate fingerprint { md5

| sha1 } string

Required when the certificate request mode

is auto and optional when the certificate

request mode is manual. In the latter case, if

you do not configure this command, the

fingerprint of the root certificate must be

verified manually.

No fingerprint is configured by default.

NOTE:

• Up to two PKI domains can be created on a LB module.

• The CA name is required only when you retrieve a CA certificate. It is not used when in local certificate

request.

• The URL of the server for certificate request does not support domain name resolving.

Submitting a PKI certificate request

When requesting a certificate, an entity introduces itself to the CA by providing its identity information

and public key, which will be the major components of the certificate. A certificate request can be

submitted to a CA in two ways: online and offline. In offline mode, a certificate request is submitted to

a CA by an “out-of-band” means such as phone, disk, or email.

Online certificate request falls into two categories: manual mode and auto mode.

Submitting a Certificate Request in Auto Mode

In auto mode, an entity automatically requests a certificate through the SCEP protocol when it has no

local certificate or the present certificate is about to expire.

Follow these steps to configure an entity to submit a certificate request in auto mode:

To do… Use the command…

Remarks

Enter system view system-view —

Enter PKI domain view pki domain domain-name —

Set the certificate request

mode to auto

certificate request mode auto [ key-length key-length

| password { cipher | simple } password ] *

Required

Manual by default