R2511-HP MSR Router Series Security Configuration Guide(V5)

# Specify the PKI domain for the SSL server policy as 1.
[Device-ssl-server-policy-myssl] pki-domain 1
# Enable client authentication.
[Device-ssl-server-policy-myssl] client-verify enable
[Device-ssl-server-policy-myssl] quit
# Configure the HTTPS service to use SSL server policy myssl.
[Device] ip https ssl-server-policy myssl
# Enable the HTTPS service.
[Device] ip https enable
# Create a local user named usera, and set the password to 123 and service type to web.
[Device] local-user usera
[Device-luser-usera] password simple 123
[Device-luser-usera] service-type web
2. Configure the HTTPS client on Host:
On Host, launch IE, enter http://10.1.2.2/certsrv in the address bar, and request a certificate for Host as prompted.
Verifying the configuration:
Perform the following tasks on the Host:
1. Launch IE and enter https://10.1.1.1 in the address bar.
2. Select the certificate issued by the CA server.
The Web interface of the device appears.
3. Enter username usera and password 123.
Verify that you can now log in to the Web interface to access and manage the device.
For more information about configuring PKI commands, see "Configuring PKI." For more information about the public-key local create rsa command, see Security Command Reference. For more information about HTTPS, see Fundamentals Configuration Guide.
In FIPS mode, only TLS 1.0 is supported.
Troubleshooting SSL
SSL handshake failure
Symptom
As the SSL server, the device fails to handshake with the SSL client.
Analysis
SSL handshake failure might result from the following causes:
The SSL client is configured to authenticate the SSL server, but the SSL server has no certificate or the certificate is not trusted.
The SSL server is configured to authenticate the SSL client, but the SSL client has no certificate or the certificate is not trusted.
The server and the client have no matching cipher suite.
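The following added example (not from the HP guide) models the three causes above in the order a real handshake detects them: cipher suite selection first, then the client's check of the server certificate, then the server's check of the client certificate when client-verify is enabled. Peer, negotiate and the CA name "MSR-CA" are constructed for illustration.

```python
"""Model of the three SSL handshake failure causes (constructed example)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Peer:
    cipher_suites: list                    # offered suites, in preference order
    cert_issuer: Optional[str] = None      # None means no certificate installed
    trusted_cas: set = field(default_factory=set)  # CAs this side trusts
    verify_peer: bool = False              # server: client-verify enable


def negotiate(server: Peer, client: Peer) -> str:
    """Return 'OK: <suite>' or 'FAIL: <cause>' for a simulated handshake."""
    # 1. ClientHello/ServerHello: the server picks the first suite in its own
    #    preference order that the client also offered.
    common = [s for s in server.cipher_suites if s in client.cipher_suites]
    if not common:
        return "FAIL: no matching cipher suite"
    # 2. Server Certificate message: the client verifies it if configured to.
    if client.verify_peer:
        if server.cert_issuer is None:
            return "FAIL: server has no certificate"
        if server.cert_issuer not in client.trusted_cas:
            return "FAIL: server certificate not trusted by client"
    # 3. CertificateRequest: only sent when the server policy has
    #    client-verify enable; the client must present a trusted certificate.
    if server.verify_peer:
        if client.cert_issuer is None:
            return "FAIL: client has no certificate"
        if client.cert_issuer not in server.trusted_cas:
            return "FAIL: client certificate not trusted by server"
    return f"OK: {common[0]}"


if __name__ == "__main__":
    ca = "MSR-CA"  # constructed CA name standing in for PKI domain 1's CA
    device = Peer(["AES256-SHA", "AES128-SHA"], cert_issuer=ca,
                  trusted_cas={ca}, verify_peer=True)   # policy myssl
    host = Peer(["AES128-SHA", "AES256-SHA"], cert_issuer=ca,
                trusted_cas={ca}, verify_peer=True)
    print(negotiate(device, host))                       # OK: AES256-SHA
    print(negotiate(device, Peer(["AES128-SHA"], trusted_cas={ca})))
```

Walking a failed connection through negotiate() with the actual device and client settings points to which of the three causes applies and therefore which side's policy, certificate, or cipher list to correct.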