Configuring and Binding an SSL Policy

SSL policies can be used to protect transmitted data from being tampered with, improving security.

Context

Some traditional protocols, such as syslog, have no security mechanisms. They transmit data in clear text, cannot authenticate communicating devices, and cannot prevent transmitted data from being tampered with, exposing data transmission to security risks. SSL provides data encryption, identity authentication, and message integrity checking to ensure the security of TCP-based application layer protocols.

Procedure

Deploy an SSL policy in the SSL policy view:

  1. Run system-view

    The system view is displayed.

  2. Run ssl policy policy-name

    An SSL policy is configured, and the SSL policy view is displayed.

  3. (Optional) Run ecdh group { nist | curve | brainpool } *

    Elliptic curve parameters are configured for the ECDHE algorithm.

  4. Run ssl minimum version { tls1.1 | tls1.2 | tls1.3 }

    The minimum version is configured for the SSL policy.

    After a device configured with TLS 1.0 is upgraded to a version that does not support configuration of TLS 1.0, the minimum version supported by the SSL policy remains TLS 1.0. You can run the ssl minimum version { tls1.1 | tls1.2 | tls1.3 } command to reconfigure the minimum version for the SSL policy. This process is irreversible.

    After a device on which the ssl minimum version command is not configured is upgraded to the current version, the minimum version supported by the SSL policy is TLS 1.1. The default minimum version is TLS 1.2. You can run the ssl minimum version { tls1.1 | tls1.2 | tls1.3 } command to reconfigure the minimum version for the SSL policy.

  5. (Optional) Run ssl verify { basic-constrain | key-usage | version { cert-version3 | crl-version2 } } enable

    Certificate verification is enabled.

  6. (Optional) Run ssl verify certificate-chain minimum-path-length path-length

    The minimum path length of the digital certificate chain is configured.

  7. (Optional) Run signature algorithm-list { ecdsa-secp256r1-sha256 | ecdsa-secp384r1-sha384 | ecdsa-secp521r1-sha512 | ed25519 | ed448 | rsa-pss-pss-sha256 | rsa-pss-pss-sha384 | rsa-pss-pss-sha512 | rsa-pss-rsae-sha256 | rsa-pss-rsae-sha384 | rsa-pss-rsae-sha512 | rsa-pkcs1-sha256 | rsa-pkcs1-sha384 | rsa-pkcs1-sha512 | ecdsa-sha1 | ecdsa-sha224 | rsa-sha1 | rsa-sha224 | dsa-sha1 | dsa-sha224 | dsa-sha256 | dsa-sha384 | dsa-sha512 } *

    A signature algorithm is configured for SSL handshake.

    After the upgrade, fewer signature algorithms are supported by default. As a result, SSL handshake may fail due to signature algorithm mismatch. To prevent this problem, you can run this command to adjust the supported signature algorithms.

  8. (Optional) Run pki-domain pki-domain

    A PKI domain is bound to the SSL policy.

    • After a PKI domain is bound to an SSL policy, the SSL policy uses the certificates and certificate revocation list (CRL) in the PKI domain.
    • In addition to loading and revoking certificates using PKI, you can also perform the following steps to manually load and revoke certificates.
  9. (Optional) Run certificate load

    A digital certificate is loaded. Currently, the PEM and PFX certificates and the PEM certificate chain are supported. Load a digital certificate or certificate chain as needed.

    • Run the certificate load pem-cert certFile key-pair { dsa | rsa } key-file keyFile auth-code [ cipher authCode ] command to load a PEM certificate for the SSL policy.
    • Run the certificate load pfx-cert certFile key-pair { dsa | rsa } mac or certificate load pfx-cert certFile key-pair { dsa | rsa } { mac cipher mac-code | key-file keyFile } auth-code cipher authCode command to load a PFX certificate for the SSL policy.
    • Run the certificate load pem-chain certFile key-pair { dsa | rsa } key-file keyFile auth-code [ cipher authCode ] command to load a certificate chain in PEM format for the SSL policy.

    Loading a digital certificate is optional for a device but mandatory for an NMS.

  10. (Optional) Run crl load crlType crlFile

    A digital CRL is loaded.

    A maximum of two CRL files can be loaded to an SSL policy.

  11. Run trusted-ca load

    A trusted-CA file is loaded. A maximum of four trusted-CA files can be loaded for an SSL policy.

    • Run the trusted-ca load pem-ca caFile command to load a trusted-CA file in PEM format for the SSL policy.
    • Run the trusted-ca load asn1-ca caFile command to load a trusted-CA file in ASN1 format for the SSL policy.
    • Run the trusted-ca load pfx-ca caFile auth-code [ cipher authCode ] command to load a trusted-CA file in PFX format for the SSL policy.
  12. (Optional) Run binding cipher-suite-customization customization-name

    A cipher suite is bound to the SSL policy. Before binding a cipher suite to an SSL policy, ensure that the cipher suite has been configured for the SSL policy. For details, see Configuring an SSL Cipher Suite.

  13. (Optional) Run cipher-suite exclude key-exchange rsa

    The RSA key exchange algorithm is excluded from the SSL policy cipher suite.

    The RSA key exchange algorithm is not recommended on networks that have high security requirements because this algorithm is not secure.

  14. (Optional) Run cipher-suite exclude cipher mode cbc

    CBC encryption algorithms are excluded from the SSL policy cipher suite.

    The CBC encryption algorithm is not recommended for networks that have high security requirements because this algorithm is not secure.

  15. (Optional) Run cipher-suite exclude hmac sha1

    The SHA1 digest algorithm is excluded from the SSL cipher suite.

    The SHA1 digest algorithm is not recommended for networks that have high security requirements because this algorithm is not secure.

  16. (Optional) Run diffie-hellman modulus modulus-val

    The modulus of the Diffie-Hellman key exchange algorithm is configured.

    After the upgrade, the default modulus length of the Diffie-Hellman key exchange algorithm increases. As a result, SSL handshake may fail if the modulus length is too long. To prevent this problem, you can run this command to adjust the modulus length.

  17. Run quit

    Return to the system view.

  18. (Optional) Run ssl certificate alarm-threshold early-alarm time check-interval check-period

    The certificate expiration alarm threshold and check interval are configured.

  19. Run the bind ssl-policy command in the corresponding service view to bind the SSL policy.

    1. Dual-device backup service

      Run the remote-backup-service service-name command to enter the RBS view.

      Run the bind ssl-policy ssl-policy-name command to bind an SSL policy.

      In VS mode, this command is supported only by the admin VS.

      For detailed dual-device backup service configurations, see Establishing a Dual-Device Backup Platform.

    2. DCN service

      Run the dcn command to enter the DCN view.

      Run the bind ssl-policy ssl-policy-name command to bind an SSL policy.

      For detailed DCN service configurations, see Configuring SSL Authentication on a GNE.

  20. Run commit

    The configuration is committed.
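As an added check that is not part of this page or of the device software, the following Python audits a configuration dump for the SSL policy view settings described in steps 4, 11 and 13 to 15: it parses each ssl policy view and reports a minimum version below TLS 1.2, a missing cipher-suite exclusion, or a missing trust anchor (no PKI domain bound and no trusted-CA loaded). The dump layout (one-space indented commands, views separated by "#") and the two sample policies are constructed assumptions.

```python
import re

# Hardening expectations taken from the procedure above: minimum TLS 1.2,
# RSA key exchange / CBC modes / SHA1 HMAC excluded, a trust anchor present.
VERSION_RANK = {"tls1.1": 1, "tls1.2": 2, "tls1.3": 3}
REQUIRED_EXCLUSIONS = {
    "cipher-suite exclude key-exchange rsa": "RSA key exchange not excluded",
    "cipher-suite exclude cipher mode cbc": "CBC cipher modes not excluded",
    "cipher-suite exclude hmac sha1": "SHA1 HMAC not excluded",
}

def parse_ssl_policies(config_text: str) -> dict:
    """Map each 'ssl policy NAME' view to the commands indented beneath it (assumed dump layout)."""
    policies, current = {}, None
    for raw in config_text.splitlines():
        m = re.match(r"^ssl policy (\S+)\s*$", raw)
        if m:
            current = m.group(1)
            policies[current] = []
        elif current and raw.startswith(" ") and raw.strip():
            policies[current].append(raw.strip())
        else:
            current = None  # a '#' separator, blank line or another view ends the policy view
    return policies

def audit_policy(cmds: list) -> list:
    """Return findings for one policy view; an empty list means the view passes."""
    findings = []
    ver = next((c.split()[-1] for c in cmds if c.startswith("ssl minimum version ")), None)
    if ver is None:
        findings.append("ssl minimum version not set (effective default depends on upgrade history)")
    elif VERSION_RANK.get(ver, 0) < VERSION_RANK["tls1.2"]:
        findings.append(f"minimum version {ver} is below tls1.2")
    findings += [msg for cmd, msg in REQUIRED_EXCLUSIONS.items() if cmd not in cmds]
    if not any(c.startswith(("pki-domain ", "trusted-ca load ")) for c in cmds):
        findings.append("no PKI domain bound and no trusted-CA loaded")
    return findings

# Constructed sample dump: one weak policy beside one that follows the procedure.
SAMPLE_CONFIG = """ssl policy weak-policy
 ssl minimum version tls1.1
#
ssl policy hardened-policy
 ssl minimum version tls1.2
 cipher-suite exclude key-exchange rsa
 cipher-suite exclude cipher mode cbc
 cipher-suite exclude hmac sha1
 pki-domain domain1
"""
```

Running `audit_policy` over each view returned by `parse_ssl_policies(SAMPLE_CONFIG)` yields no findings for hardened-policy and five for weak-policy.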

Deploy an SSL policy in the DTLS policy view:

  1. Run system-view

    The system view is displayed.

  2. Run dtls policy policyName

    A DTLS policy is configured, and the DTLS policy view is displayed.

  3. (Optional) Run ssl verify { basic-constrain | key-usage } enable

    Certificate verification is enabled.

  4. (Optional) Run ssl verify certificate-chain minimum-path-length path-length

    The minimum path length of the digital certificate chain is configured.

  5. (Optional) Run pki-domain pki-domain

    A PKI domain is bound to the SSL policy.

    After a PKI domain is bound to an SSL policy, the SSL policy uses the certificates and CRL in the PKI domain.

  6. Run commit

    The configuration is committed.

Copyright © Huawei Technologies Co., Ltd.