HP VPN Firewall Appliances VPN Configuration Guide
304
Certificate attribute-based access control policy configuration
example
Network requirements
The client accesses the remote Hypertext Transfer Protocol Secure (HTTPS) server through the HTTPS
protocol.
Configure SSL to make sure only legal clients log into the HTTPS server. Create a certificate
attribute-based access control policy to control access to the HTTPS server.
Figure 214 Network diagram
Configuration procedure
For more information about SSL configuration, see Network Management Configuration Guide.
For more information about HTTPS configuration, see Getting Started Guide.
NOTE:
The PKI domain to be referenced by the SSL policy must be created in advance. For how to configure a PKI
domain, see "Configuring a PKI domain."
1. Configure the SSL policy on the HTTPS server:
<Firewall> system-view
[Firewall] ssl server-policy myssl
[Firewall-ssl-server-policy-myssl] pki-domain 1
[Firewall-ssl-server-policy-myssl] client-verify enable
[Firewall-ssl-server-policy-myssl] quit
2. Configure the certificate attribute group:
# Create certificate attribute group mygroup1 and add two attribute rules. The first rule defines
that the DN of the subject name includes the string aabbcc, and the second rule defines that the IP
address of the certificate issuer is 10.0.0.1.
[Firewall] pki certificate attribute-group mygroup1
[Firewall-pki-cert-attribute-group-mygroup1] attribute 1 subject-name dn ctn aabbcc
[Firewall-pki-cert-attribute-group-mygroup1] attribute 2 issuer-name ip equ 10.0.0.1
[Firewall-pki-cert-attribute-group-mygroup1] quit
# Create certificate attribute group mygroup2 and add two attribute rules. The first rule defines
that the FQDN of the alternative subject name does not include the string of apple, and the second
rule defines that the DN of the certificate issuer name includes the string aabbcc.
[Firewall] pki certificate attribute-group mygroup2