HP MSR2000/3000/4000 Router Series Security Command Reference
Predefined user roles
network-admin
Parameters
id: Assigns a number to the statement, in the range of 1 to 16. The default setting is the smallest unused
number in this range. Rules in a policy are sorted in ascending order and a rule with a smaller number
is compared first.
deny: Denies the certificates that match the associated certificate group.
permit: Permits the certificates that match the associated certificate group.
group-name: Specifies a certificate attribute group, a case-insensitive string of 1 to 31 characters.
Usage guidelines
You can associate a nonexistent certificate attribute group when you create a statement. Later you can
use the pki certificate attribute-group command to create the certificate attribute group.
If the associated certificate attribute group does not exist, or the group has no attribute rules (set by the
attribute command), any certificate matches the statement.
The statements in a policy are sorted in ascending order. When a certificate matches a statement, the
match process stops, and access control is performed based on the certificate verification result.
Examples
# Create a permit statement and associate the statement with the certificate attribute group mygroup.
<Sysname> system-view
[Sysname] pki certificate access-control-policy mypolicy
[Sysname-pki-cert-acp-mypolicy] rule 1 permit mygroup
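The usage guidelines above imply that a statement whose group is missing or empty matches every certificate, and that every higher-numbered statement after it is never reached. The following audit sketch is an added example, not part of the HP manual; the sample configuration text, its indented layout, the arguments of the attribute line, and the function name audit_policies are assumptions made for illustration.

```python
import re

# Constructed sample configuration (not from the manual). Only the command
# keywords shown on this page are interpreted; "attribute" arguments are not parsed.
SAMPLE_CONFIG = """\
pki certificate attribute-group mygroup
 attribute 1 subject-name dn ctn example
pki certificate attribute-group emptygroup
pki certificate access-control-policy mypolicy
 rule 3 deny MyGroup
 rule 1 permit mygroup
 rule 2 permit emptygroup
 rule 5 deny ghostgroup
"""

def audit_policies(config_text):
    """Return {policy: [(rule_id, action, group, finding), ...]} in match order."""
    groups, policies, current = {}, {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"pki certificate attribute-group (\S+)", line):
            current = groups.setdefault(m.group(1).lower(), [])
        elif m := re.fullmatch(r"pki certificate access-control-policy (\S+)", line):
            current = policies.setdefault(m.group(1), {})
        elif line.startswith("attribute ") and isinstance(current, list):
            current.append(line)
        elif (m := re.fullmatch(r"rule (\d+) (permit|deny) (\S+)", line)) and isinstance(current, dict):
            current[int(m.group(1))] = (m.group(2), m.group(3))
    report = {}
    for name, rules in policies.items():
        rows, catch_all = [], None
        for rule_id in sorted(rules):          # smaller number is compared first
            action, group = rules[rule_id]
            key = group.lower()                # group names are case-insensitive
            if catch_all is not None:
                finding = f"unreachable after rule {catch_all}"
            elif key not in groups:
                finding, catch_all = "matches any certificate (group missing)", rule_id
            elif not groups[key]:
                finding, catch_all = "matches any certificate (group has no attribute rules)", rule_id
            else:
                finding = "ok"
            rows.append((rule_id, action, group, finding))
        report[name] = rows
    return report

if __name__ == "__main__":
    for policy, rows in audit_policies(SAMPLE_CONFIG).items():
        print(policy, *rows, sep="\n  ")
```

In the sample, rule 2 permits every certificate because emptygroup has no attribute rules, so the deny statements numbered 3 and 5 never take effect.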
Related commands
• attribute
• display pki certificate access-control-policy
• pki certificate attribute-group
source
Use source to specify the source IP address for PKI protocol packets.
Use undo source to remove the configuration.
Syntax
source { ip | ipv6 } { ip-address | interface interface-type interface-number }
undo source
Default
The source IP address is the outgoing interface IP address of the route to the CA.
Views
PKI domain view
Predefined user roles
network-admin










