Manualshelf

R3204P16-HP Load Balancing Module Security Configuration Guide-6PW101

ManualsBrandsHP ManualsComputer AccessoriesHP 7100/7200 IPsec dl Module
111112113114115116117118119120
106
NOTE:
The above configuration procedure covers only the configurations for IKE negotiation using RSA digital
signature. For an IPsec tunnel to be established, you also need to perform IPsec configurations. For
information about IPsec configuration, see the chapter “IPsec configuration.”
Configuring a certificate attribute-based access control policy
1. Network requirements
The client accesses the remote HTTP Security (HTTPS) server through the HTTPS protocol.
SSL is configured to ensure that only legal clients log into the HTTPS server.
Create a certificate attribute-based access control policy to control access to the HTTPS server.
Figure 101 Configure a certificate attribute-based access control policy
NOTE:
For more information about SSL configuration, see the chapter “SSL configuration.
For more information about HTTPS configuration, see
System Management Configuration Guide
.
The PKI domain to be referenced by the SSL policy must be created in advance. For more information
about PKI domain configuration, see “Configure the PKI domain.”
2. Configure the HTTPS server
# Configure the SSL policy for the HTTPS server to use.
<LB> system-view
[LB] ssl server-policy myssl
[LB-ssl-server-policy-myssl] pki-domain 1
[LB-ssl-server-policy-myssl] client-verify enable
[LB-ssl-server-policy-myssl] quit
3. Configure the certificate attribute group
# Create certificate attribute group mygroup1 and add two attribute rules. The first rule defines that the
DN of the subject name includes the string aabbcc, and the second rule defines that the IP address of the
certificate issuer is 10.0.0.1.
[LB] pki certificate attribute-group mygroup1
[LB-pki-cert-attribute-group-mygroup1] attribute 1 subject-name dn ctn aabbcc
[LB-pki-cert-attribute-group-mygroup1] attribute 2 issuer-name ip equ 10.0.0.1
[LB-pki-cert-attribute-group-mygroup1] quit
# Create certificate attribute group mygroup2 and add two attribute rules. The first rule defines that the
FQDN of the alternative subject name does not include the string of apple, and the second rule defines
that the DN of the certificate issuer name includes the string aabbcc.