R3204P16-HP Load Balancing Module Security Configuration Guide-6PW101
122
NOTE:
• If you enable client authentication here, you must request a local certificate for the client.
• Currently, SSL mainly comes in these versions: SSL 2.0, SSL 3.0, and TLS 1.0, where TLS 1.0 corresponds to SSL 3.1. When the LB module acts as an SSL server, it can communicate with clients running SSL 3.0 or TLS 1.0, and can identify Hello packets from clients running SSL 2.0. If a client running SSL 2.0 also supports SSL 3.0 or TLS 1.0 (information about supported versions is carried in the packet that the client sends to the server), the server will notify the client to use SSL 3.0 or TLS 1.0 to communicate with the server.
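The version-selection rule in the note above, written out as an added example (this is illustrative code, not part of the HP guide and not the LB module's implementation): it parses the two ClientHello formats a server of this kind has to recognise, the SSL 2.0 CLIENT-HELLO (2-byte record header with the high bit set) and the SSL 3.0/TLS record, reads the highest version the client offers, and applies the stated policy of accepting SSL 3.0 or TLS 1.0, refusing SSL 2.0-only clients, and steering an SSL 2.0-format Hello that advertises 3.0 or 3.1 to that version. The helper functions, the constant names and the sample byte strings are constructed for the example.

```python
"""Constructed example: ClientHello version detection with the policy
described in the guide (accept SSL 3.0 / TLS 1.0, recognise SSL 2.0 Hellos)."""
import struct

SERVER_MAX = (3, 1)   # TLS 1.0 (SSL 3.1), the highest version the server speaks
SERVER_MIN = (3, 0)   # SSL 3.0, the lowest version the server accepts


def parse_client_hello(data: bytes):
    """Return (format, (major, minor)) where format is 'v2' or 'v3' and the
    version is the highest one the client offers. Raises ValueError for
    anything that is not a ClientHello."""
    if len(data) < 3:
        raise ValueError("truncated record")
    if data[0] & 0x80:
        # SSL 2.0 record: 2-byte header, high bit set, 15-bit body length,
        # body = msg type (0x01 = CLIENT-HELLO), version (2 bytes), ...
        length = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + length]
        if len(body) < 3 or body[0] != 0x01:
            raise ValueError("not an SSL 2.0 CLIENT-HELLO")
        return "v2", (body[1], body[2])
    if data[0] == 0x16:
        # SSL 3.0 / TLS record: type 0x16 (handshake), record version, length,
        # then handshake type (0x01 = ClientHello), 3-byte length, client_version
        if len(data) < 11:
            raise ValueError("truncated record")
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if len(hs) < 6 or hs[0] != 0x01:
            raise ValueError("not a ClientHello")
        return "v3", (hs[4], hs[5])
    raise ValueError("unknown record type %#x" % data[0])


def select_version(data: bytes):
    """Apply the server policy: return the version to use, or None to refuse.
    Tuple comparison gives (3, 1) > (3, 0) > (0, 2) as required."""
    _fmt, client_max = parse_client_hello(data)
    if client_max < SERVER_MIN:
        return None                     # client only speaks SSL 2.0: refused
    return min(client_max, SERVER_MAX)  # never above what the server supports


# --- constructed sample messages (hypothetical cipher spec / random values) ---
def make_v2_hello(version):
    """Build an SSL 2.0-format CLIENT-HELLO advertising the given version."""
    body = (bytes([0x01, version[0], version[1]])
            + struct.pack("!HHH", 3, 0, 16)   # cipher-spec, session-id, challenge lengths
            + b"\x00\x00\x2f"                 # one 3-byte cipher spec
            + b"\x11" * 16)                   # challenge
    return bytes([0x80 | (len(body) >> 8), len(body) & 0xFF]) + body


def make_v3_hello(version):
    """Build an SSL 3.0 / TLS record carrying a ClientHello with client_version."""
    hs_body = (bytes(version) + b"\x22" * 32   # client_version, random
               + b"\x00"                        # empty session id
               + b"\x00\x02\x00\x2f"            # one cipher suite
               + b"\x01\x00")                   # null compression
    hs = b"\x01" + len(hs_body).to_bytes(3, "big") + hs_body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for label, msg in [("SSLv2 hello offering TLS 1.0", make_v2_hello((3, 1))),
                       ("SSLv2 hello, SSL 2.0 only", make_v2_hello((0, 2))),
                       ("TLS 1.1 ClientHello", make_v3_hello((3, 2)))]:
        print(label, "->", select_version(msg))
```

The same check is useful on the defender's side of the connection: logging the client's highest offered version, and the fact that a Hello arrived in SSL 2.0 format at all, shows which clients would be refused if SSL 2.0 compatibility were dropped.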
SSL server policy configuration example
Network requirements
As shown in Figure 107, users access and control the LB module through web pages. To secure the module, users are required to log in to its web interface over HTTPS (HTTP Security, which uses SSL), with SSL performing identity authentication so that data cannot be eavesdropped or tampered with.
To achieve the goal, perform the following configurations:
• Configure the module to work as the HTTPS server and request a certificate for the module.
• Request a certificate for Host so that the module can authenticate the identity of Host.
• Configure a CA server to issue certificates to the module and Host.
NOTE:
• In this example, Windows Server works as the CA server and the Simple Certificate Enrollment Protocol
(SCEP) plug-in is installed on the CA server.
• Before performing the following configurations, ensure that the module, Host, and CA server have IP
connectivity between each other.
Figure 107 Network diagram for SSL server policy configuration
Configuration procedure
1. Configure the HTTPS server (the LB module)
# Create a PKI entity named en, and configure the common name as http-server1 and the FQDN as ssl.security.com.
<LB> system-view
[LB] pki entity en
[LB-pki-entity-en] common-name http-server1
[Figure 107 network diagram, labels recovered from the page: Host 10.1.1.2/24, LB 10.1.1.1/24 and 10.1.2.1/24, CA 10.1.2.2/24]