Page 1: Configuration Guide
HP FlexFabric 5930 Switch Series Security Configuration Guide Part number: 5998-4629 Software version: Release 2406 & Release 2407P01 Document version: 6W101-20140404...
Page 2 The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.
Page 3: Table Of Contents
Contents Configuring AAA ························································································································································· 1 Overview ············································································································································································ 1 RADIUS ······································································································································································ 2 HWTACACS ····························································································································································· 7 AAA implementation on the device ························································································································ 9 AAA for MPLS L3VPNs ········································································································································· 11 Protocols and standards ······································································································································· 11 RADIUS attributes ·················································································································································· 11 ...
Page 4 Enabling password control ··········································································································································· 52 Setting global password control parameters ·············································································································· 53 Setting user group password control parameters ······································································································· 54 Setting local user password control parameters ········································································································· 54 Setting super password control parameters ················································································································ 55 Displaying and maintaining password control ···········································································································...
Page 5 PKI configuration examples ··········································································································································· 83 Certificate request from an RSA Keon CA server ······························································································ 83 Certificate request from a Windows 2003 CA server ······················································································ 86 Certificate request from an OpenCA server ······································································································· 89 Certificate import and export configuration example ······················································································· 92 ...
Page 6 SSL security mechanism ······································································································································ 138 SSL protocol stack ··············································································································································· 138 SSL configuration task list ············································································································································ 139 Configuring an SSL server policy ······························································································································· 139 Configuring an SSL client policy ································································································································ 140 Displaying and maintaining SSL ································································································································· 141 ...
Page 7 Configuration guidelines ···································································································································· 166 Configuration procedure ···································································································································· 166 Configuration example ······································································································································· 166 Support and other resources ·································································································································· 168 Contacting HP ······························································································································································ 168 Subscription service ············································································································································ 168 Related information ······················································································································································ 168 Documents ···························································································································································· 168 ...
Page 8: Configuring Aaa
Configuring AAA Overview Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. It specifies the following security functions: • Authentication—Identifies users and verifies their validity. Authorization—Grants different users different rights and controls their access to resources and •...
Page 9: Radius
RADIUS Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. It can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access. The RADIUS authorization process is combined with the RADIUS authentication process, and user authorization information is piggybacked in authentication responses.
Page 10 Basic RADIUS packet exchange process Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server. Figure 3 Basic RADIUS packet exchange process RADIUS uses in the following workflow: The host sends a connection request that includes the user's username and password to the RADIUS client.
Page 11 RADIUS packet format RADIUS uses UDP to transmit packets. To ensure smooth packet exchange between the RADIUS server and the client, RADIUS uses a series of mechanisms, including the timer mechanism, the retransmission mechanism, and the backup server mechanism. Figure 4 shows the RADIUS packet format.
Page 12 The Authenticator field (16 bytes long) is used to authenticate responses from the RADIUS server and • to encrypt user passwords. There are two types of authenticators: request authenticator and response authenticator. • The Attributes field (variable in length) includes specific authentication, authorization, and accounting information.
Page 13 Vendor-ID—ID of the vendor. Its most significant byte is 0; the other three bytes contains a code • compliant to RFC 1700. • Vendor-Type—Type of the sub-attribute. Vendor-Length—Length of the sub-attribute. • Vendor-Data—Contents of the sub-attribute. • For more information about the proprietary RADIUS sub-attributes of HP, see "HP proprietary RADIUS sub-attributes."...
Page 14: Hwtacacs
Figure 5 Format of attribute 26 HWTACACS HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). HWTACACS is similar to RADIUS, and uses a client/server model for information exchange between the NAS and the HWTACACS server. HWTACACS typically provides AAA services for PPP, VPDN, and terminal users.
Page 15 Figure 6 Basic HWTACACS packet exchange process for a Telnet user Host HWTACACS client HWTACACS server 1) The user tries to log in 2) Start-authentication packet 3) Authentication response requesting the username 4) Request for username 5) The user enters the username 6) Continue-authentication packet with the username 7) Authentication response requesting the password 8) Request for password...
Page 16: Aaa Implementation On The Device
The user enters the password. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that includes the login password. If the authentication succeeds, the HWTACACS server sends back an authentication response to indicate that the user has passed authentication. The HWTACACS client sends a user authorization request packet to the HWTACACS server.
Page 17 AAA methods AAA supports configuring different authentication, authorization, and accounting methods for different types of users in an ISP domain. The NAS determines the ISP domain and access type of a user, and uses the methods configured for the access type in the domain to control the user's access. AAA also supports configuring a set of default methods for an ISP domain.
Page 18: Aaa For Mpls L3Vpns
authorization is enabled, command accounting enables the accounting server to record all authorized commands. For more information about command accounting, see Fundamentals Configuration Guide. • User role authentication—Authenticates each user who wants to obtain a temporary user role without logging out or getting disconnected. For more information about temporary user role authorization, see Fundamentals Configuration Guide.
Page 19 Maximum idle time permitted for the user before termination of the session. User identification that the NAS sends to the server. For the LAN access Calling-Station-Id service provided by an HP device, this attribute includes the MAC address of the user in the format HHHH-HHHH-HHHH. NAS-Identifier Identification that the NAS uses to identify itself to the RADIUS server.
Page 20 Access-Requests. This attribute is present when EAP authentication is used. NAS-Port-Id String for describing the port of the NAS that is authenticating the user. HP proprietary RADIUS sub-attributes Sub-attribute Description Input-Peak-Rate Peak rate in the direction from the user to the NAS, in bps.
Page 21: Aaa Configuration Considerations And Task List
Sub-attribute Description Result of the Trigger-Request or SetPolicy operation, zero for success and Result_Code any other value for failure. Connect_ID Index of the user connection. FTP user working directory. When the RADIUS client acts as the FTP Ftp_Directory server, this attribute is used to set the FTP directory for an FTP user on the RADIUS client.
Page 22: Configuring Aaa Schemes
Configure AAA methods for the users' ISP domains. Remote AAA methods need to reference the configured RADIUS and HWTACACS schemes. Figure 9 AAA configuration procedure To configure AAA, perform the following tasks: Tasks at a glance (Required.) Perform at least one of the following tasks to configure local users or AAA schemes: •...
Page 23: Configuring Local Users
Configuring local users To implement local authentication, authorization, and accounting, create local users and configure user attributes on the device. The local users and attributes are stored in the local user database on the device. A local user is uniquely identified by the combination of a username and a user type. The device only supports device management users who log in to the device for device management.
Page 24 Configuring local user attributes Follow these guidelines when you configure local user attributes: • When you use the password-control enable command to globally enable the password control feature, local user passwords are not displayed. The authentication mode of user interfaces is set by the authentication-mode command in user line •...
Page 25 Step Command Remarks The following default settings apply: • No authorization ACL, idle timeout period, or authorized VLAN is configured for local users. • FTP, SFTP, or SCP users are authorized access to the root directory of the device, but they do not have the access authorization-attribute { acl permission.
Page 26 implement centralized user attributes management for the local users in the group. Local user attributes that are manageable include authorization attributes. By default, every new local user belongs to the default user group system and has all attributes of the group.
Page 27: Configuring Radius Schemes
Configuring RADIUS schemes A RADIUS scheme specifies the RADIUS servers that the device can work with and defines a set of parameters that the device uses to exchange information with the RADIUS servers, including the IP addresses of the servers, UDP port numbers, shared keys, and server types. Configuration task list Tasks at a glance (Required.)
Page 28 To specify RADIUS authentication servers for a RADIUS scheme: Step Command Remarks Enter system view. system-view Enter RADIUS scheme radius scheme radius-scheme-name view. • Specify the primary RADIUS authentication server: primary authentication Configure at least one command. { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | By default, no authentication server simple } string | vpn-instance...
Page 29 Step Command Remarks • Specify the primary RADIUS accounting server: Configure at least one primary accounting { ipv4-address | command. ipv6 ipv6-address } [ port-number | By default, no accounting key { cipher | simple } string | server is specified. vpn-instance vpn-instance-name ] * Specify RADIUS accounting Two accounting servers in a...
Page 30 Step Command Remarks Specify a VPN for the RADIUS By default, a RADIUS scheme vpn-instance vpn-instance-name scheme. belongs to the public network. Setting the username format and traffic statistics units A username is typically in the format userid@isp-name, where isp-name represents the user's ISP domain name.
Page 31 Setting the status of RADIUS servers To control the RADIUS servers with which the device communicates when the current servers are no longer available, set the status of RADIUS servers to blocked or active. You can specify one primary RADIUS server and multiple secondary RADIUS servers, with the secondary servers functioning as the backup of the primary servers.
Page 32 Step Command Remarks • Set the status of the primary RADIUS authentication server: state primary authentication { active | block } Configure at least one • Set the status of the primary RADIUS command. accounting server: By default, every server state primary accounting { active | specified in a RADIUS scheme block }...
Page 33 Step Command Remarks Enter system view. system-view radius scheme Enter RADIUS scheme view. radius-scheme-name By default, the source IP address specified by the radius nas-ip Specify a source IP address nas-ip { ipv4-address | ipv6 command in system view is used. If for outgoing RADIUS packets.
Page 34 NAS. The security policy server is the management and control center of the HP EAD solution. To implement all EAD functions, configure both the IP address of the security policy server and that of the IMC Platform on the NAS.
Page 35: Configuring Hwtacacs Schemes
Enabling SNMP notifications for RADIUS When SNMP notifications are enabled for RADIUS, the SNMP agent supports the following notifications generated by RADIUS: • RADIUS server unreachable notification—The RADIUS server cannot be reached. RADIUS generates this notification if it cannot receive any response to an accounting or authentication request within the specified RADIUS request transmission attempts.
Page 36 Tasks at a glance (Optional.) Setting the username format and traffic statistics units (Optional.) Specifying the source IP address for outgoing HWTACACS packets (Optional.) Setting HWTACACS timers (Optional.) Displaying and maintaining HWTACACS Creating an HWTACACS scheme Create an HWTACACS scheme before performing any other HWTACACS configurations. You can configure up to 16 HWTACACS schemes.
Page 37 Specifying the HWTACACS authorization servers You can specify one primary authorization server and up to 16 secondary authorization servers for an HWTACACS scheme. When the primary server is not available, the device tries to communicate with the secondary servers in the order they are configured, and communicates with the first secondary server in active state.
Page 38 Step Command Remarks • Specify the primary HWTACACS accounting server: primary accounting { ipv4-address | Configure at least one command. ipv6 ipv6-address } [ port-number | key { cipher | simple } string | By default, no accounting server is single-connection | vpn-instance specified.
Page 39 Setting the username format and traffic statistics units A username is typically in the format userid@isp-name, where isp-name represents the user's ISP domain name. By default, the ISP domain name is included in a username. However, if HWTACACS servers do not recognize usernames that contain ISP domain names, you can configure the device to remove the domain name from each username to be sent.
Page 40 Step Command Remarks Enter system view. system-view By default, the IP address of the Specify a source IP address hwtacacs nas-ip { ipv4-address | HWTACACS packet outbound for outgoing HWTACACS ipv6 ipv6-address } [ vpn-instance interface is used as the source IP packets.
Page 41: Configuring Aaa Methods For Isp Domains
If the quiet timer of a server expires, the status of the server changes back to active, but the device does not check the server again during the authentication or accounting process. If no server is found reachable during one search process, the device considers the authentication or accounting attempt a failure.
Page 42: Configuration Prerequisites
authorization, and local accounting. If you do not configure any AAA methods for an ISP domain, the device uses the system-defined AAA methods for users in the domain. Configuration prerequisites To use local authentication for users in an ISP domain, configure local user accounts on the device first. "Configuring local user attributes."...
Page 43: Configuring Authentication Methods For An Isp Domain
Step Command Remarks Enter system view. system-view Enter ISP domain view. domain isp-name By default, an ISP domain is in Place the ISP domain in active active state, and users in the state { active | block } or blocked state. domain can request network services.
Page 44: Configuring Authorization Methods For An Isp Domain
Step Command Remarks authentication login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme By default, the default Specify the authentication radius-scheme-name ] [ local ] [ none ] | local authentication method is method for login users. [ none ] | none | radius-scheme used for login users.
Page 45: Configuring Accounting Methods For An Isp Domain
Step Command Remarks authorization login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme By default, the default Specify the authorization radius-scheme-name ] [ local ] [ none ] | authorization method is used method for login users. local [ none ] | none | radius-scheme for login users.
Page 46: Enabling The Session-Control Feature
Enabling the session-control feature A RADIUS server running on IMC can use session-control packets to inform disconnect or dynamic authorization change requests. This task enables the device to receive RADIUS session-control packets on UDP port 1812. To enable the session-control feature: Step Command Remarks...
Page 47: Configuration Procedure
Set the shared keys for secure HWTACACS communication to expert. Configure the switch to send usernames without domain names to the HWTACACS server. Configure the switch to assign the default user role network-operator to SSH users after they pass authentication. Figure 10 Network diagram Configuration procedure Configure the HWTACACS server:...
Page 48: Verifying The Configuration
[Switch-isp-bbb] quit # Create local RSA and DSA key pairs. [Switch] public-key local create rsa [Switch] public-key local create dsa # Enable the SSH service. [Switch] ssh server enable # Enable scheme authentication for user lines VTY 0 through VTY 63. [Switch] line vty 0 63 [Switch-line-vty0-63] authentication-mode scheme [Switch-line-vty0-63] quit...
Page 49: Configuration Procedure
Configuration procedure Configure the HWTACACS server. (Details not shown.) Configure the RADIUS server. (Details not shown.) Configure the switch: # Assign IP addresses to interfaces. (Details not shown.) # Create local RSA and DSA key pairs. <Switch> system-view [Switch] public-key local create rsa [Switch] public-key local create dsa # Enable the SSH service.
Page 50: Verifying The Configuration
Verifying the configuration When the user initiates an SSH connection to the switch and enter the username hello@bbb and the correct password, the user successfully logs in and can use the commands for the network-operator user role. Authentication and authorization for SSH users by a RADIUS server Network requirements As shown in...
Page 51 Set the ports for authentication and accounting to 1812 and 1813, respectively. Select the service type Device Management Service. Select the access device type HP. Select the access device from the device list or manually add the access device (with the IP address 10.1.1.2).
Page 52 Figure 14 Adding an account for device management Configure the switch: # Assign an IP address to VLAN-interface 2, the SSH user access interface. <Switch> system-view [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0 [Switch-Vlan-interface2] quit # Assign an IP address to VLAN-interface 3, through which the switch communicates with the server.
Page 53: Verifying The Configuration
# Create a RADIUS scheme. [Switch] radius scheme rad # Specify the primary authentication server. [Switch-radius-rad] primary authentication 10.1.1.1 1812 # Set the shared key for secure communication with the server to expert in plain text. [Switch-radius-rad] key authentication simple expert # Include the domain names in usernames sent to the RADIUS server.
Page 54: Radius Packet Delivery Failure
The user is configured on the RADIUS server. • • The correct password is entered. The same shared key is configured on both the RADIUS server and the NAS. • RADIUS packet delivery failure Symptom RADIUS packets cannot reach the RADIUS server. Analysis Possible reasons include: •...
Page 55: Troubleshooting Hwtacacs
Troubleshooting HWTACACS Similar to RADIUS troubleshooting. See "Troubleshooting RADIUS."...
Page 56: Configuring Password Control
Configuring password control Overview Password control refers to a set of functions provided by the device to manage login and super password setup, expirations, and updates for device management users, and to control user login status based on predefined policies. Local users are divided into two types: device management users and network access users.
Page 57: Password Updating And Expiration
configures a password, the system checks the complexity of the password. If the password is complexity-incompliant, the configuration will fail. You can apply the following password complexity requirements: A password cannot contain the username or the reverse of the username. For example, if the •...
Page 58: User Login Control
the history records by at least four characters and the four characters must be different from one another. Otherwise, the system will display an error message, and the password will not be changed. You can set the maximum number of history password records for the system to maintain for each user. When the number of history password records exceeds your setting, the most recent record overwrites the earliest one.
Page 59: Password Control Configuration Task List
Password control configuration task list The password control functions can be configured in several different views, and different views support different functions. The settings configured in different views or for different objects have the following application ranges: • Settings for super passwords apply to only super passwords. Settings in local user view apply to only the password of the local user.
Page 60: Setting Global Password Control Parameters
Setting global password control parameters The password expiration time, minimum password length, and password composition policy can be configured in system view, user group view, or local user view. The password settings with a smaller application scope have higher priority. Global settings in system view apply to the passwords of the local users in all user groups if you do not configure password policies for these users in both local user view and user group view.
Page 61: Setting User Group Password Control Parameters
Setting user group password control parameters Step Command Remarks Enter system view. system-view By default, no user group exists. Create a user group and enter For information about how to user-group group-name user group view. configure a user group, see "Configuring AAA."...
Page 62: Setting Super Password Control Parameters
Step Command Remarks By default, the setting equals that for the user group to which the Configure the password local user belongs. If no expiration expiration time for the local password-control aging aging-time time is configured for the user user. group, the global setting applies to the local user.
Page 63: Displaying And Maintaining Password Control
Step Command Remarks password-control super By default, a super password must Configure the password composition type-number contain at least one character type composition policy for super type-number [ type-length and at least one character for each passwords. type-length ] type. Displaying and maintaining password control Execute display commands in any view and reset commands in user view.
Page 64: Configuration Procedure
A super password must contain four character types and at least five characters for each type. • Configure a password control policy for the local Telnet user test to meet the following requirements: The password must contain at least 24 characters. •...
Page 65: Verifying The Configuration
[Sysname-luser-manage-test] service-type telnet # Set the minimum password length to 24 for the local user. [Sysname-luser-manage-test] password-control length 24 # Specify that the password of the local user must contain at least four character types and at least five characters for each type. [Sysname-luser-manage-test] password-control composition type-number 4 type-length 5 # Set the password for the local user to expire after 20 days.
Page 66 User group: system Bind attributes: Authorization attributes: Work directory: flash: User role list: network-operator Password control configurations: Password aging: Enabled (20 days) Password length: Enabled (24 characters) Password composition: Enabled (4 types, 5 characters per type)
Page 67: Managing Public Keys
Managing public keys Overview This chapter describes public key management for the asymmetric key algorithms including the Revest-Shamir-Adleman Algorithm (RSA), the Digital Signature Algorithm (DSA), and the Elliptic Curve Digital Signature Algorithm (ECDSA). Many security applications, including SSH, SSL, and PKI, use asymmetric key algorithms to secure communications between two parties, as shown in Figure 15.
Page 68: Configuration Procedure
• Table 5 A comparison of different types of asymmetric key algorithms Type Number of key pairs Modulus length HP recommendation • If you specify the key pair name, the command creates a host key pair. The value range is •...
Page 69: Exporting A Host Public Key In A Specific Format To A File
Exporting a host public key in a specific format to a file (use this method if you can import public • keys from a file on the peer device) Displaying a host public key in a specific format and saving it to a file (use this method if you can •...
Page 70: Destroying A Local Key Pair
IMPORTANT: key displayed by the display Manually enter (type or copy) If the peer device is an HP device, use public-key local public command, the peer public key the display public-key local public the system saves the key.
Page 71: Entering A Peer Public Key
Step Command Remarks Import a peer host public key public-key peer keyname import sshkey By default, no peer host from a public key file. filename public key exists. Entering a peer public key Step Command Remarks Enter system view. system-view Specify a name for the peer public key and enter public public-key peer keyname...
Page 72 Figure 16 Network diagram Device A Device B Configuration procedure Configure Device A: # Create local RSA key pairs with default names on Device A, and use the default modulus length 1024 bits. <DeviceA> system-view [DeviceA] public-key local create rsa The range of public key modulus is (512 ~ 2048).
Page 73: Example For Importing A Public Key From A Public Key File
Enter public key view. Return to system view with "peer-public-key end" command. [DeviceB-pkey-public-key-devicea]30819F300D06092A864886F70D010101050003818D003081 2818100DA3B90F59237347B [DeviceB-pkey-public-key-devicea]8D41B58F8143512880139EC9111BFD31EB84B6B7C7A14700 C8F04A827B30C2CAF79242E [DeviceB-pkey-public-key-devicea]45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A744 88EC54A5D31EFAE4F681257 [DeviceB-pkey-public-key-devicea]6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F B1F2D561BF66EA27DFD4788 [DeviceB-pkey-public-key-devicea]CB47440AF6BB25ACA50203010001 # Save the public key and return to system view. [DeviceB-pkey-public-key-devicea] peer-public-key end Verifying the configuration # Verify that the key is the same as on Device A. [DeviceB] display public-key peer name devicea ============================================= Key name: devicea...
Page 74 # Create local RSA key pairs with default names on Device A, and use the default modulus length 1024 bits. <DeviceA> system-view [DeviceA] public-key local create rsa The range of public key modulus is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
Page 75 # Use FTP in binary mode to get the public key file devicea.pub from Device A. <DeviceB> ftp 10.1.1.1 Connected to 10.1.1.1 (10.1.1.1). 220 FTP service ready. User(10.1.1.1:(none)):ftp 331 Password required for ftp. Password: 230 User logged in. Remote system type is UNIX. Using binary mode to transfer files.
Page 76: Configuring Pki
PKI uses digital certificates to distribute and employ public keys, and provides network communication and e-commerce with security services such as user authentication, data confidentiality, and data integrity. HP's PKI system provides certificate management for SSL. PKI terminology Digital certificate A digital certificate is a document signed by a certificate authority (CA).
Page 77: Pki Architecture
(CPS). You can obtain a CA policy through out-of-band means such as phone, disk, and email. Make sure you understand the CA policy before you select a trusted CA for certificate request because different CAs might use different policies. PKI architecture A PKI system consists of PKI entities, CAs, RAs and a certificate/CRL repository, as shown in Figure Figure 18 PKI architecture...
Page 78: Pki Applications
The RA verifies the identity of the entity and sends a digital signature containing the identity information and the public key to the CA. The CA verifies the digital signature, approves the request, and issues a certificate. After receiving the certificate from the CA, the RA sends the certificate to the LDAP server or other certificate repositories to provide directory navigation services, and notifies the PKI entity that the certificate is successfully issued.
Page 79: Pki Configuration Task List
PKI configuration task list Tasks at a glance (Required.) Configuring a PKI entity (Required.) Configuring a PKI domain (Required.) Requesting a certificate • Configuring automatic certificate request • Manually requesting a certificate (Optional.) Aborting a certificate request (Optional.) Obtaining certificates (Optional.) Verifying PKI certificates (Optional.)
Page 80: Configuring A Pki Domain
Step Command Remarks Set a common name for the common-name By default, the common name is not set. entity. common-name-sting Set the country code of the country country-code-string By default, the country code is not set. entity. Set the locality of the entity. locality locality-name By default, the locality is not set.
Page 81 Step Command Remarks By default, no trusted CA is specified. To obtain a CA certificate, the trusted CA name must be provided. Specify the trusted CA. ca identifier name The trusted CA name is in SCEP messages, and the CA server does not use this name unless the server has two CAs configured with the same registration server.
Page 82: Requesting A Certificate
Step Command Remarks • Specify an RSA key pair: Use either command. public-key rsa { { encryption name encryption-key-name [ length By default, no key pair is specified. key-length ] | signature name You can specify a non-existing key signature-key-name [ length Specify the key pair for pair, which is generated during the key-length ] } * | general name...
Page 83: Configuring Automatic Certificate Request
Online mode—A certificate request can be automatically or manually submitted. The following • sections describe the online request mode. Configuring automatic certificate request IMPORTANT: If an automatically requested certificate will soon expire or has expired, the entity does not initiate a re-request to the CA automatically, and the applications using the certificate might be interrupted.
Page 84: Aborting A Certificate Request
Before you manually submit a certificate request, make sure the CA certificate exists and a key pair is specified for the PKI domain: The CA certificate is used to verify the authenticity and validity of the obtained local certificate. • The key pair is used for certificate request.
Page 85: Obtaining Certificates
To abort a certificate request: Step Command Remarks Enter system view. system-view pki abort-certificate-request This command is not saved in the Abort a certificate request. domain domain-name configuration file. Obtaining certificates You can obtain the CA certificate, local certificates, and peer certificates related to a PKI domain from a CA and save them locally for higher lookup efficiency.
Page 86: Configuration Procedure
Configuration procedure To obtain certificates: Step Command Remarks Enter system view. system-view • Import certificates in offline mode: pki import domain domain-name { der { ca | local | peer } filename filename | p12 local The pki filename filename | pem { ca | local | peer } retrieve-certificate [ filename filename ] } Import or obtain certificates.
Page 87: Verifying Certificates Without Crl Checking
Step Command Remarks The newly obtained CRL overwrites the old one, if any. (Optional.) Obtain the CRL pki retrieve-crl domain The obtained CRL must be issued by and save it locally. domain-name a CA certificate in the CA certificate chain in the current domain. Verify the validity of the pki validate-certificate domain certificates.
Page 88: Exporting Certificates
Task Command Remarks By default, the storage path for the certificates and CRLs is the PKI directory on the storage media of the device. Specify the storage path for pki storage { certificates | the certificates and CRLs. crls } dir-path For a distributed device, you must specify a path on the current MPU rather than on other MPUs.
Page 89: Configuring A Certificate Access Control Policy
Use public-key local destroy to destroy the existing local key pair. Use public-key local create to generate a new key pair. Request a new certificate. To remove a certificate: Step Command Remarks Enter system view. system-view If no serial number is pki delete-certificate domain domain-name { ca | specified, the command Remove a certificate.
Page 90: Displaying And Maintaining Pki
Step Command Remarks Return to system view. quit Create a certificate access pki certificate access-control-policy By default, no certificate access control policy and enter its policy-name control policy exists. view. By default, no statement is configured, and all certificates can pass the verification.
Page 91 Figure 20 Network diagram Configuring the CA server Create a CA server named myca: In this example, you must configure these basic attributes on the CA server: Nickname—Name of the trusted CA. Subject DN—DN attributes of the CA, including the common name (CN), organization unit (OU), organization (O), and country (C).
Page 92 # Specify the RSA key pair with the purpose general, the name abc, and the length 1024 bits. [Device-pki-domain-torsa] public-key rsa general name abc length 1024 [Device-pki-domain-torsa] quit Generate a local RSA key pair. [Device] public-key local create rsa name abc The range of public key size is (512 ~ 2048).
Page 93: Certificate Request From A Windows 2003 Ca Server
RSA Public Key: (1024 bit) Modulus (1024 bit): 00D67D50 41046F6A 43610335 CA6C4B11 F8F89138 E4E905BD 43953BA2 623A54C0 EA3CB6E0 B04649CE C9CDDD38 34015970 981E96D9 FF4F7B73 A5155649 E583AC61 D3A5C849 CBDE350D 2A1926B7 0AE5EF5E D1D8B08A DBF16205 7C2A4011 05F11094 73EB0549 A65D9E74 0F2953F2 D4F0042F 19103439 3D4F9359 88FB59F3 8D4B2F6C Exponent: 65537 (0x10001) X509v3 extensions: X509v3 CRL Distribution Points:...
Page 94 Install the SCEP add-on: The Windows 2003 server does not support SCEP by default. Install the SCEP add-on on the server so that the device can automatically register and obtain its certificate from the server. After the SCEP add-on installation completes, you will see a URL. Use the URL to configure it on the device as the URL of the registration server for certificate request.
Page 95 [Device-pki-domain-winserver] quit Generate an RSA local key pair: [Device] public-key local create rsa name abc The range of public key size is (512 ~ 2048). If the key modulus is greater than 512,it will take a few minutes. Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys...
Page 96: Certificate Request From An Openca Server
10242FDD D3947F5E 2DA70BD9 1FAF07E5 1D167CE1 FC20394F 476F5C08 C5067DF9 CB4D05E6 55DC11B6 9F4C014D EA600306 81D403CF 2D93BC5A 8AF3224D 1125E439 78ECEFE1 7FA9AE7B 877B50B8 3280509F Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: B68E4107 91D7C44C 7ABCE3BA 9BF385F8 A448F4E1 X509v3 Authority Key Identifier: keyid:9D823258 EADFEFA2 4A663E75 F416B6F6 D41EE4FE X509v3 CRL Distribution Points: URI:http://l00192b/CertEnroll/CA%20server.crl URI:file://\\l00192b\CertEnroll\CA server.crl...
Page 97 Configuring the device Synchronize the system time of the device with the CA server, so that the device can correctly request a certificate. Create an entity named aaa with the common name as rnd, the country code as CN, the organization name as test, and the unit name as software.
Page 98 [Device] pki request-certificate domain openca Start to request the general certificate ... … Request certificate of domain openca successfully Verifying the configuration # After obtaining the local certificate, display information about the certificate. [Device] display pki certificate domain openca local Certificate: Data: Version: 3 (0x2)
Page 99: Certificate Import And Export Configuration Example
keyid:85:EB:D5:F7:C9:97:2F:4B:7A:6D:DD:1B:4D:DD:00:EE:53:CF:FD:5B X509v3 Issuer Alternative Name: DNS:root@docm.com, DNS:, IP Address:192.168.154.145, IP Address:192.168.154.138 Authority Information Access: CA Issuers - URI:http://192.168.222.218/pki/pub/cacert/cacert.crt OCSP - URI:http://192.168.222.218:2560/ 1.3.6.1.5.5.7.48.12 - URI:http://192.168.222.218:830/ X509v3 CRL Distribution Points: Full Name: URI:http://192.168.222.218/pki/pub/crl/cacrl.crl Signature Algorithm: sha256WithRSAEncryption 5c:4c:ba:d0:a1:35:79:e6:e5:98:69:91:f6:66:2a:4f:7f:8b: 0e:80:de:79:45:b9:d9:12:5e:13:28:17:36:42:d5:ae:fc:4e: ba:b9:61:f1:0a:76:42:e7:a6:34:43:3e:2d:02:5e:c7:32:f7: 6b:64:bb:2d:f5:10:6c:68:4d:e7:69:f7:47:25:f5:dc:97:af: ae:33:40:44:f3:ab:e4:5a:a0:06:8f:af:22:a9:05:74:43:b6: e4:96:a5:d4:52:32:c2:a8:53:37:58:c7:2f:75:cf:3e:8e:ed: 46:c9:5a:24:b1:f5:51:1d:0f:5a:07:e6:15:7a:02:31:05:8c: 03:72:52:7c:ff:28:37:1e:7e:14:97:80:0b:4e:b9:51:2d:50: 98:f2:e4:5a:60:be:25:06:f6:ea:7c:aa:df:7b:8d:59:79:57:...
Page 100 Figure 23 Network diagram Configuration procedure Export the certificate on Device A to specified files: # Export the CA certificate to a file named pkicachain.pem in PEM format. <DeviceA> system-view [DeviceA] pki export domain exportdomain pem ca filename pkicachain.pem # Export the local certificate to a file named pkilocal.pem in PEM format, and use 3DES_CBC to encrypt the private key with the password 111111.
Page 101 friendlyName: localKeyID: D5 DF 29 28 C8 B9 D9 49 6C B5 44 4B C2 BC 66 75 FE D6 6C C8 subject=/C=CN/O=OpenCA Labs/OU=Users/CN=subencr 11 issuer=/C=CN/L=shangdi/ST=beijing/O=OpenCA Labs/OU=docm/CN=subca1 -----BEGIN CERTIFICATE----- MIIEUDCCAzigAwIBAgIKCHxnAVyzWhIPLzANBgkqhkiG9w0BAQsFADBmMQswCQYD … -----END CERTIFICATE----- Bag Attributes friendlyName: localKeyID: D5 DF 29 28 C8 B9 D9 49 6C B5 44 4B C2 BC 66 75 FE D6 6C C8 Key Attributes: <No Attributes>...
Page 102 98:2c:79:ba:5e:8d:97:39:53:00 Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN, L=shangdi, ST=beijing, O=OpenCA Labs, OU=docm, CN=subca1 Validity Not Before: May 26 05:56:49 2011 GMT Not After : Nov 22 05:56:49 2012 GMT Subject: C=CN, O=OpenCA Labs, OU=Users, CN=subsign 11 Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus: 00:9f:6e:2f:f6:cb:3d:08:19:9a:4a:ac:b4:ac:63:...
Page 103 Full Name: URI:http://192.168.40.130/pki/pub/crl/cacrl.crl Signature Algorithm: sha256WithRSAEncryption 18:e7:39:9a:ad:84:64:7b:a3:85:62:49:e5:c9:12:56:a6:d2: 46:91:53:8e:84:ba:4a:0a:6f:28:b9:43:bc:e7:b0:ca:9e:d4: 1f:d2:6f:48:c4:b9:ba:c5:69:4d:90:f3:15:c4:4e:4b:1e:ef: 2b:1b:2d:cb:47:1e:60:a9:0f:81:dc:f2:65:6b:5f:7a:e2:36: 29:5d:d4:52:32:ef:87:50:7c:9f:30:4a:83:de:98:8b:6a:c9: 3e:9d:54:ee:61:a4:26:f3:9a:40:8f:a6:6b:2b:06:53:df:b6: 5f:67:5e:34:c8:c3:b5:9b:30:ee:01:b5:a9:51:f9:b1:29:37: 02:1a:05:02:e7:cc:1c:fe:73:d3:3e:fa:7e:91:63:da:1d:f1: db:28:6b:6c:94:84:ad:fc:63:1b:ba:53:af:b3:5d:eb:08:b3: 5b:d7:22:3a:86:c3:97:ef:ac:25:eb:4a:60:f8:2b:a3:3b:da: 5d:6f:a5:cf:cb:5a:0b:c5:2b:45:b7:3e:6e:39:e9:d9:66:6d: ef:d3:a0:f6:2a:2d:86:a3:01:c4:94:09:c0:99:ce:22:19:84: 2b:f0:db:3e:1e:18:fb:df:56:cb:6f:a2:56:35:0d:39:94:34: 6d:19:1d:46:d7:bf:1a:86:22:78:87:3e:67:fe:4b:ed:37:3d: d6:0a:1c:0b Certificate: Data: Version: 3 (0x2) Serial Number: 08:7c:67:01:5c:b3:5a:12:0f:2f Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN, L=shangdi, ST=beijing, O=OpenCA Labs, OU=docm, CN=subca1 Validity Not Before: May 26 05:58:26 2011 GMT Not After : Nov 22 05:58:26 2012 GMT...
Page 104: Troubleshooting Pki Configuration
Netscape Cert Type: SSL Server X509v3 Key Usage: Key Encipherment, Data Encipherment Netscape Comment: VPN Server of OpenCA Labs X509v3 Subject Key Identifier: CC:96:03:2F:FC:74:74:45:61:38:1F:48:C0:E8:AA:18:24:F0:2B:AB X509v3 Authority Key Identifier: keyid:70:54:40:61:71:31:02:06:8C:62:11:0A:CC:A5:DB:0E:7E:74:DE:DD X509v3 Subject Alternative Name: email:subencr@docm.com X509v3 Issuer Alternative Name: DNS:subca1@docm.com, DNS:, IP Address:1.1.2.2, IP Address:2.2.1.1 Authority Information Access: CA Issuers - URI:http://titan/pki/pub/cacert/cacert.crt OCSP - URI:http://titan:2560/...
Page 105: Failed To Obtain The Ca Certificate
Failed to obtain the CA certificate Symptom The CA certificate cannot be obtained. Analysis The network connection is down because, for example, the network cable is damaged or the • connectors have bad contact. No trusted CA is specified. • The URL of the registration server is not correct or not specified.
Page 106: Failed To Request Local Certificates
Configure the correct LDAP server. Specify the key pair used for certificate request in the PKI domain, generate the proper key pair, and make sure it matches the local certificates to the obtained. Reference the proper PKI entity in the PKI domain, and correctly configure the PKI entity. Obtain CRLs.
Page 107: Failed To Obtain Crls
Failed to obtain CRLs Symptom CRLs cannot be obtained. Analysis The network connection is down because, for example, the network cable is damaged or the • connectors have bad contact. No CA certificate has been obtained before you try to obtain CRLs. •...
Page 108: Failed To Import A Local Certificate
Failed to import a local certificate Symptom A local certificate cannot be imported. Analysis The PKI domain has no CA certificate, and the certificate file to be imported does not contain the • CA certificate chain. CRL checking is enabled, but CRLs do not exist locally or CRLs cannot be obtained. •...
Page 109: Failed To Set The Storage Path
Failed to set the storage path Symptom The storage path for certificates or CRLs cannot be set. Analysis The specified storage path does not exist. • • The specified storage path is illegal. The disk space is full. • Solution Use mkdir to create the path.
Page 110: Configuring Ssh
Configuring SSH Overview Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH can implement secure remote access and file transfer over an insecure network. Adopting the typical client/server model, SSH can establish a channel to protect data transfer based on TCP. SSH includes two versions: SSH1.x and SSH2.0 (hereinafter referred to as SSH1 and SSH2), which are not compatible.
Page 111: Ssh Authentication Methods
CLI. The text pasted at one time must be no more than 2000 bytes. Interaction HP recommends that you paste commands in the same view. Otherwise, the server might not be able to correctly execute the commands. To execute commands of more than 2000 bytes, save the commands in a configuration file, upload it to the server through SFTP, and use it to restart the server.
Page 112: Configuring The Device As An Ssh Server
Password-publickey authentication—The server requires SSH2 clients to pass both password • authentication and publickey authentication. However, an SSH1 client only needs to pass either authentication, regardless of the requirement of the server. • Any authentication—The server requires clients to pass either password authentication or publickey authentication.
Page 113: Enabling The Ssh Server Function
Configuration guidelines SSH supports locally generated DSA and RSA key pairs with default names rather than with • specified names. For more information about the commands that are used to generate keys, see Security Command Reference. • The public-key local create rsa command generates a server key pair and a host key pair for RSA. SSH1 uses the public key in the server key pair of the SSH server to encrypt the session key before transmitting the session key.
Page 114: Configuring The User Lines For Stelnet Clients
PKCS format. HP recommends that you configure no more than 20 SSH client host public keys on an SSH server. To manually configure a client's host public key:...
Page 115: Configuring An Ssh User
Step Command Remarks Enter system view. system-view Enter public key view. public-key peer keyname When you enter the contents for a host public key, you can use spaces and carriage returns between characters. When you Configure a client's host Enter the content of the host public save the host public key, spaces public key.
Page 116: Setting The Ssh Management Parameters
If the authentication method is password, the user role is authorized by the remote AAA server or the local device. If the authentication method is publickey or password-publickey, the user role is specified by the authorization-attribute command in the associated local user view. If you change the authentication method or public key for an SSH user that has been logged in, the •...
Page 117: Configuring The Device As An Stelnet Client
Maximum number of concurrent online SSH users. When the number of online SSH users reaches • the upper limit, the system refuses new SSH connection requests. To set the SSH management parameters: Step Command Remarks Enter system view. system-view Enable the SSH server to ssh server compatible-ssh1x By default, the SSH server supports support SSH1 clients.
Page 118: Specifying A Source Ip Address Or Source Interface For The Stelnet Client
Stelnet clients in the authentication service, HP recommends that you specify a loopback interface as the source interface. To specify a source IP address or source interface for the Stelnet client:...
Page 119: Configuring The Device As An Sftp Client
Task Command Remarks • Establish a connection to an IPv4 Stelnet server: ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | aes256 |...
Page 120: Establishing A Connection To An Sftp Server
SFTP clients in the authentication service, HP recommends that you specify a loopback interface as the source interface. To specify a source IP address or source interface for the SFTP client:...
Page 121: Working With Sftp Directories
Task Command Remarks • Establish a connection to an IPv4 SFTP server: sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | aes256 | des } |...
Page 122: Working With Sftp Files
Working with SFTP files Task Command Remarks Change the name of a file on the rename old-name new-name Available in SFTP client view. SFTP server. Download a file from the remote get remote-file [ local-file ] Available in SFTP client view. server and save it locally.
Page 123: Displaying And Maintaining Ssh
When an SCP client accesses an SCP server, it uses the locally saved host public key of the server to authenticate the server. When acting as an SCP client, the device supports the first authentication by default. When the device accesses an SCP server for the first time but it is not configured with the host public key of the SCP server, it can access the server and locally save the server's host public key for future use.
Page 124: Stelnet Configuration Examples
Task Command Display SSH user information on the SSH display ssh user-information [ username ] server. display public-key local { dsa | rsa } public [ name Display the public keys of the local key pairs. publickey-name ] Display the public keys of the SSH peers. display public-key peer [ brief | name publickey-name ] Stelnet configuration examples Password authentication enabled Stelnet server configuration...
Page 125 Input the modulus length [default = 1024]: Generating Keys..++++++++++++++++++++++++++++++++++++++++++++++++++* ..+..+..+........+ ...+....+..+...+. Create the key pair successfully. # Enable the SSH server function. [Switch] ssh server enable # Assign an IP address to VLAN-interface 2. The Stelnet client uses this IP address as the destination for SSH connection.
Page 126: Publickey Authentication Enabled Stelnet Server Configuration Example
Figure 25 Specifying the host name (or IP address) Click Open to connect to the server. If the connection is successfully established, the system asks you to enter the username and password. After entering the username (client001 in this example) and password (aabbcc in this example), you can enter the CLI of the server.
Page 127 Configuration procedure In the server configuration, the client's host public key is required. Use the client software to generate RSA key pairs on the client before configuring the Stelnet server. There are different types of Stelnet client software, such as PuTTY, and OpenSSH. This example uses an Stelnet client that runs PuTTY version 0.58.
Page 128 Figure 28 Generating process After the key pair is generated, click Save public key, enter a file name (key.pub in this example), and click Save. Figure 29 Saving a key pair on the client...
Page 129 Click Save private key to save the private key. A confirmation dialog box appears. Click Yes, enter a file name (private.ppk in this example), and click Save. Transmit the public key file to the server through FTP or TFTP. (Details not shown.) Configure the Stelnet server: # Generate the RSA key pairs.
Page 130 # Create a local device management user client002 with the service type ssh and the user role network-admin. [Switch] local-user client002 class manage [Switch-luser-manage-client002] service-type ssh [Switch-luser-manage-client002] authorization-attribute user-role network-admin [Switch-luser-manage-client002] quit Specify the private key file and establish a connection to the Stelnet server: Launch PuTTY.exe on the Stelnet client to enter the interface shown in Figure In the Host Name (or IP address) field, enter the IP address 192.168.1.40 of the Stelnet server.
Page 131 Figure 31 Specifying the preferred SSH version Select Connection > SSH > Auth from the navigation tree. The window shown in Figure 32 appears. Click Browse… to bring up the file selection window, navigate to the private key file (private.ppk in this example), and click OK.
Page 132: Password Authentication Enabled Stelnet Client Configuration Example
Figure 32 Specifying the private key file Click Open to connect to the server. If the connection is successfully established, the system asks you to enter the username. After entering the username (client002), you can enter the CLI of the server. Password authentication enabled Stelnet client configuration example Network requirements...
Page 133 [SwitchB] public-key local create rsa The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys...
Page 134 [SwitchA-Vlan-interface2] ip address 192.168.1.56 255.255.255.0 [SwitchA-Vlan-interface2] quit [SwitchA] quit You can determine whether to configure the host public key of the server on the client before establishing a connection to the server: If you do not configure the host public key of the server on the client, select Yes to access the server without authenticating the server, and locally save the host public key of the server.
Page 135: Publickey Authentication Enabled Stelnet Client Configuration Example
[SwitchA-pkey-public-key-key1]D716D7DB9FCABB4ADBF6FB4FDB0CA25C761B308EF53009F7 01F7C62621216D5A572C379A32AC290 [SwitchA-pkey-public-key-key1]E55B394A217DA38B65B77F0185C8DB8095522D1EF044B465 8716261214A5A3B493E866991113B2D [SwitchA-pkey-public-key-key1]485348 [SwitchA-pkey-public-key-key1] peer-public-key end [SwitchA] quit # Establish an SSH connection to the server 192.168.1.40 and specify the host public key of the server. <SwitchA> ssh2 192.168.1.40 publickey key1 Username: client001 client001@192.168.1.40's password: After you enter the correct password, you successfully log in to Switch B. Publickey authentication enabled Stelnet client configuration example Network requirements...
Page 136 .++++++++++++++++++++++++++++++++++++++++++++++++++* ..+..+..+........+ ...+....+..+...+ Create the key pair successfully. # Export the DSA host public key to file key.pub. [SwitchA] public-key local export dsa ssh2 key.pub [SwitchA] quit # Transmit the public key file key.pub to the server through FTP or TFTP. (Details not shown.) Configure the Stelnet server: # Generate the RSA key pairs.
Page 137: Sftp Configuration Examples
# Create an SSH user client002 with the authentication method publickey, and assign the public key switchkey to the user. [SwitchB] ssh user client002 service-type stelnet authentication-type publickey assign publickey switchkey # Create a local device management user client002 with the service type ssh and the user role network-admin.
Page 138 ......++++++ ....++++++ ..++++++++ ....++++++++ Create the key pair successfully. # Generate a DSA key pair. [Switch] public-key local create dsa The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
Page 139: Publickey Authentication Enabled Sftp Client Configuration Example
Figure 36 SFTP client interface Publickey authentication enabled SFTP client configuration example Network requirements As shown in Figure 37, you can log in to Switch B through the SFTP client that runs on Switch A and are assigned the user role network-admin to execute file management and transfer operations. Switch B acts as the SFTP server and uses publickey authentication and the RSA public key algorithm.
Page 140 The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys......++++++ ....++++++ ..++++++++ ....++++++++ Create the key pair successfully.
Page 141 [SwitchB] public-key peer switchkey import sshkey pubkey # Create an SSH user client001 with the service type sftp, authentication method publickey, and public key switchkey. [SwitchB] ssh user client001 service-type sftp authentication-type publickey assign publickey switchkey # Create a local device management user client001 with the service type ssh, the user role network-admin, and the working directory flash:/.
Page 142: Scp Configuration Examples
# Rename directory new1 to new2 and verify that the directory has been successfully renamed . sftp> rename new1 new2 sftp> dir -l -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2 -rwxrwxrwx 1 noone nogroup...
Page 143 Configuration procedure Configure the SCP server: # Generate the RSA key pairs. <SwitchB> system-view [SwitchB] public-key local create rsa The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
Page 144 [SwitchA-Vlan-interface2] quit [SwitchA] quit Connect to the SCP server, download the file remote.bin from the server, and save it locally with the name local.bin. <SwitchA> scp 192.168.0.1 get remote.bin local.bin Username: client001 Connected to 192.168.0.1 ... The Server is not authenticated. Continue? [Y/N]:y Do you want to save the server public key? [Y/N]:n Enter password: 18471 bytes transfered in 0.001 seconds.
Page 145: Configuring Ssl
Configuring SSL Overview Secure Sockets Layer (SSL) is a cryptographic protocol that provides communication security for TCP-based application layer protocols. SSL has been widely used in applications such as e-business and online banking to provide secure data transmission over the Internet. SSL security mechanism SSL provides the following security services: Privacy—SSL uses a symmetric encryption algorithm to encrypt data and uses an asymmetric key...
Page 146: Ssl Configuration Task List
Figure 40 SSL protocol stack The following describes the major functions of SSL protocols: SSL record protocol—Fragments data received from the upper layer, computes and adds MAC to • the data, and encrypts the data. • SSL handshake protocol—Negotiates the cipher suite used for secure communication (including the symmetric encryption algorithm, key exchange algorithm, and MAC algorithm), authenticates the server and client, and securely exchanges the key between the server and client.
Page 147: Configuring An Ssl Client Policy
Step Command Remarks By default, no PKI domain is specified for an SSL server policy. If SSL clients authenticate the server through a digital certificate, you must use this (Optional.) Specify a PKI pki-domain domain-name command to specify a PKI domain for the SSL server policy.
Page 148: Displaying And Maintaining Ssl
Step Command Remarks By default, no PKI domain is specified for an SSL client policy. If the SSL server authenticates the SSL client through a digital certificate, you must use this (Optional.) Specify a PKI command to specify a PKI pki-domain domain-name domain for the SSL client policy.
Page 149: Configuring Ip Source Guard
Configuring IP source guard Overview IP source guard prevents spoofing attacks by using an IP source guard binding table to match legitimate packets. It drops all packets that do not match the table. The IP source guard binding table can include the following binding entries: IP-interface binding entries.
Page 150: Dynamic Ip Source Guard Binding Entries
IP source guard use static IPv4 source guard binding entries on an interface to filter IPv4 packets received by the interface or cooperate with the ARP detection feature to check user validity. IP source guard use static IPv6 source guard binding entries on an interface to filter IPv6 packets received by the interface. For more information about ARP detection, see "Configuring ARP attack protection."...
Page 151: Configuring The Ipv4 Source Guard Function
Tasks at a glance (Required.) Enabling IPv6 source guard on an interface (Optional.) Configuring a static IPv6 source guard binding entry Configuring the IPv4 source guard function You cannot configure the IPv4 source guard function on a service loopback interface. If IPv4 source guard is enabled on an interface, you cannot assign the interface to a service loopback group.
Page 152: Configuring A Static Ipv4 Source Guard Binding Entry
Configuring a static IPv4 source guard binding entry Static IPv4 source guard binding entries include global static IPv4 source entries and interface-specific static IPv4 source guard binding entries. A global static IPv4 source guard binding entry defines both the source IP address and source MAC address of packets that can be forwarded, and it takes effect on all interfaces.
Page 153: Enabling Ipv6 Source Guard On An Interface
Enabling IPv6 source guard on an interface You must first enable the IPv6 source guard function on an interface and use static entries to filter packets. All the fields in a static IPv6 source guard binding entry are used by IP source guard to filter packets. For more information about how to configure a static IPv6 source guard binding entry, see "Configuring a static IPv6 source guard binding...
Page 154: Displaying And Maintaining Ip Source Guard
Step Command Remarks These types of interfaces are supported: interface interface-type Enter interface view. Layer 2 Ethernet port, Layer 3 Ethernet interface-number interface, VLAN interface. By default, no static IPv6 source guard binding entry is configured on an interface. ipv6 source binding { ip-address The vlan vlan-id option is supported only in Configure a static IPv6 ipv6-address | ip-address...
Page 155 Figure 42 Network diagram Configuration procedure Configure Switch A: # Configure IP addresses for the interfaces. (Details not shown.) # Enable IPv4 source guard on FortyGigE 1/0/2. <SwitchA> system-view [SwitchA] interface fortygige 1/0/2 [SwitchA-FortyGigE1/0/2] ip verify source ip-address mac-address # On FortyGigE 1/0/2, configure a static IPv4 source guard binding entry for Host C. [SwitchA-FortyGigE1/0/2] ip source binding ip-address 192.168.0.3 mac-address 0001-0203-0405 [SwitchA-FortyGigE1/0/2] quit...
Page 156: Dynamic Ipv4 Source Guard Using Dhcp Snooping Configuration Example
Verifying the configuration # Display static IPv4 source guard binding entries on Switch A. The output shows that the static IPv4 source guard binding entries are configured successfully. <SwitchA> display ip source binding static Total entries found: 2 IP Address MAC Address Interface VLAN Type...
Page 157: Dynamic Ipv4 Source Guard Using Dhcp Relay Configuration Example
# Configure FortyGigE 1/0/2 as a trusted interface. [Switch] interface fortygige 1/0/2 [Switch-FortyGigE1/0/2] dhcp snooping trust [Switch-FortyGigE1/0/2] quit Enable IPv4 source guard on FortyGigE 1/0/1 to filter packets based on both the source IP address and the MAC address. Enable recording of client information in DHCP snooping entries on this interface: [Switch] interface fortygige 1/0/1 [Switch-FortyGigE1/0/1] ip verify source ip-address mac-address...
Page 158: Static Ipv6 Source Guard Configuration Example
[Switch-Vlan-interface100] quit Configure the DHCP relay agent: # Enable the DHCP service. [Switch] dhcp enable # Enable recording DHCP relay client entries. [Switch] dhcp relay client-information record # Configure VLAN-interface 100 to operate in DHCP relay mode. [Switch] interface vlan-interface 100 [Switch-Vlan-interface100] dhcp select relay # Specify the IP address of the DHCP server.
Page 159 IPv6 Address MAC Address Interface VLAN Type 2001::1 0001-0202-0202 FGE1/0/1 Static...
Page 160: Configuring Arp Attack Protection
Configuring ARP attack protection ARP attacks and viruses are threatening LAN security. This chapter describes multiple features used to detect and prevent ARP attacks. Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks.
Page 161: Configuring Arp Source Suppression
ARP source suppression—If the attack packets have the same source address, you can enable the • ARP source suppression function, and set the maximum number of unresolvable IP packets that the device can receive from a host within 5 seconds. If the threshold is reached, the device stops resolving packets from the host until the 5 seconds elapse.
Page 162: Configuring Arp Packet Rate Limit
Figure 46 Network diagram Configuration considerations If the attack packets have the same source address, configure the ARP source suppression function as follows: Enable ARP source suppression. Set the threshold to 100. If the number of unresolvable IP packets received from a host within 5 seconds exceeds 100, the device stops resolving packets from the host until the 5 seconds elapse.
Page 163: Configuration Guidelines
Configuration guidelines Configure this feature when ARP detection is enabled, or when ARP flood attacks are detected. Configuration procedure This task sets a rate limit for ARP packets received on an interface. When the receiving rate of ARP packets on the interface exceeds the rate limit, those packets are discarded. You can enable sending notifications to the SNMP module or enable logging for ARP packet rate limit.
Page 164: Configuring Source Mac-Based Arp Attack Detection
Configuring source MAC-based ARP attack detection This feature checks the number of ARP packets received from the same MAC address within 5 seconds against a specific threshold. If the threshold is exceeded, the device adds the MAC address in an ARP attack entry.
Page 165: Configuration Example
Configuration example Network requirements As shown in Figure 47, the hosts access the Internet through a gateway (Device). If malicious users send a large number of ARP requests to the gateway, the gateway might crash and cannot process requests from the clients. To solve this problem, configure source MAC-based ARP attack detection on the gateway.
Page 166: Configuring Arp Packet Source Mac Consistency Check
[Device] arp source-mac exclude-mac 0012-3f86-e94c Configuring ARP packet source MAC consistency check This feature enables a gateway to filter out ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body, so that the gateway can learn correct ARP entries.
Page 167: Configuring User Validity Check
Configuring user validity check Upon receiving an ARP packet from an ARP untrusted interface, the device compares the sender IP and MAC addresses against the static IP source guard binding entries and the DHCP snooping entries. If a match is found from those entries, the ARP packet is considered valid and is forwarded. If no match is found, the ARP packet is considered invalid and is discarded.
Page 168: Configuring Arp Restricted Forwarding
ip—Checks the sender and target IP addresses of ARP replies, and the sender IP address of ARP • requests. All-one or multicast IP addresses are considered invalid and the corresponding packets are discarded. To configure ARP packet validity check: Step Command Remarks Enter system view.
Page 169: User Validity Check And Arp Packet Validity Check Configuration Example
Task Command Display the VLANs enabled with display arp detection ARP detection. display arp detection statistics [ interface interface-type Display the ARP detection statistics. interface-number ] Clear the ARP detection statistics. reset arp detection statistics [ interface interface-type interface-number ] User validity check and ARP packet validity check configuration example Network requirements...
Page 170: Configuring Arp Automatic Scanning And Fixed Arp
[SwitchB] interface fortygige 1/0/3 [SwitchB-FortyGigE1/0/3] dhcp snooping trust [SwitchB-FortyGigE1/0/3] quit # Enable ARP detection for VLAN 10. [SwitchB] vlan 10 [SwitchB-vlan10] arp detection enable # Configure the upstream interface as a trusted interface (an interface is an untrusted interface by default).
Page 171: Configuration Procedure
To delete a specific static ARP entry converted from a dynamic one, use the undo arp ip-address • [ vpn-instance-name ] command. Use the reset arp all command to delete all ARP entries or the reset arp static command to delete all static ARP entries. Configuration procedure To configure ARP automatic scanning and fixed ARP: Step...
Page 172: Configuration Example
Step Command Remarks Enable ARP gateway protection By default, ARP gateway arp filter source ip-address for the specified gateway. protection is disabled. Configuration example Network requirements As shown in Figure 49, Host B launches gateway spoofing attacks to Switch B. As a result, traffic that Switch B intends to send to Switch A is sent to Host B.
Page 173: Configuration Guidelines
Configuration guidelines When you configure ARP filtering, follow these guidelines: • You can configure a maximum of eight permitted entries on an interface. Do not configure both the arp filter source and arp filter binding commands on an interface. • If ARP filtering operates with ARP detection, ARP filtering applies first.
Page 174 Configuration procedure # Configure ARP filtering on Switch B. <SwitchB> system-view [SwitchB] interface fortygige 1/0/1 [SwitchB-FortyGigE1/0/1] arp filter binding 10.1.1.2 000f-e349-1233 [SwitchB-FortyGigE1/0/1] quit [SwitchB] interface fortygige 1/0/2 [SwitchB-FortyGigE1/0/2] arp filter binding 10.1.1.3 000f-e349-1234 After the configuration is complete, FortyGigE 1/0/1 permits ARP packets from Host A, and discards other ARP packets.
Page 175: Support And Other Resources
Related information Documents To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals For related documentation, navigate to the Networking section, and select a networking category. •...
Page 176: Conventions
Conventions This section describes the conventions used in this documentation set. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown. Italic Italic text represents arguments that you replace with actual values. Square brackets enclose syntax choices (keywords or arguments) that are optional. Braces enclose a set of required syntax choices separated by vertical bars, from which { x | y | ...
Page 177 Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Page 178: Index
Index RADIUS accounting-on feature configuration, RADIUS attributes, RADIUS authentication server specification, configuration, 1, RADIUS implementation, device implementation, RADIUS max request transmission attempts, displaying, RADIUS scheme configuration, displaying local users/local user groups, RADIUS scheme creation, HWTACACS accounting server RADIUS scheme VPN specification, specification, RADIUS security policy server IP address HWTACACS authentication server...
Page 179 AAA RADIUS common standard attributes, Address Resolution Protocol. Use security AAA RADIUS extended attributes, alert protocol (SSL), security AAA RADIUS HP proprietary attributes, algorithm security AAA RADIUS scheme configuration, security SSH negotiation, security AAA scheme configuration, any authentication (SSH),...
Page 180 security AAA SSH user local security PKI certificate verification (CRL authentication+HWTACACS checking), authorization+RADIUS accounting, security PKI certificate verification (without CRL auto checking), security ARP automatic scanning, client security PKI certificate request (automatic), security SSL client policy configuration, command security AAA command accounting method, blackhole routing (ARP), security AAA command authorization method, communication...
Page 181 security ARP packet rate limit, security SSH SCP file with password authentication, security ARP packet source MAC consistency check, security SSH SFTP, security ARP packet validity check, security SSH SFTP client publickey authentication, security ARP restricted forwarding, security SSH SFTP server password security ARP source MAC-based attack authentication, detection, 157,...
Page 182 security local key pair, security password control configuration, 49, 52, detecting security password control global parameters, security ARP detection configuration, security password control local user parameters, security ARP source MAC-based attack security password control user group detection, 157, parameters, device security password setting, security AAA configuration, 1, security SFTP server function enable,...
Page 183 security PKI RSA Keon CA server certificate security SSH Stelnet client publickey request, authentication, security PKI verification (CRL checking), dst-mac validity check (ARP), security PKI verification (without CRL dynamic checking), security IP source guard dynamic binding entry, security PKI Windows 2003 CA server security IPv4 source guard dynamic configuration certificate request, with DHCP relay,...
Page 184 1 15 history filtering security password history, security ARP packets, 165, fixed ARP configuration, security AAA RADIUS HP proprietary attributes, format HTTP security AAA HWTACACS username, security SSL configuration, 138, security AAA RADIUS packet format, HW Terminal Access Controller Access Control System.
Page 185 IPv4. See IPv4 source guard security AAA RADIUS session-control IPv6. See IPv6 source guard feature, maintaining, implementing static binding entry, security AAA for MPLS L3VPNs, ip validity check (ARP), security AAA HWTACACS, IPv4 security AAA on device, source guard. See IPv4 source guard security AAA RADIUS, IPv4 source guard...
Page 186 security SSH RSA server key pair, security SSL services, MAC address Layer 3 security ARP attack protection configuration, security PKI MPLS L3VPN support, security ARP source MAC-based attack LDAP detection, protocols and standards, security IP source guard configuration, 142, security AAA configuration, 1, security IPv4 source guard dynamic configuration security AAA local user configuration, with DHCP relay,...
Page 187 security AAA RADIUS security policy server IP security IP source guard static binding entry, address configuration, 27, security IPv4 source guard configuration, network security IPv4 source guard on interface, security AAA device implementation, security IPv6 source guard configuration, security AAA HWTACACS implementation, security IPv6 source guard on interface, security AAA HWTACACS scheme security password control global parameters,...
Page 188 security SSH Stelnet server connection security SSH Stelnet client publickey establishment, 1 1 1 authentication, security SSH user configuration, security SSH Stelnet configuration, 1 17 security SSL client policy configuration, security SSH Stelnet server password authentication, 1 17 security SSL protocol stack, security SSH Stelnet server publickey security SSL server policy configuration, authentication,...
Page 189 security IP source guard static binding entry, password minimum length, security IPv4 source guard dynamic password not displayed, configuration with DHCP relay, password setting, security IPv4 source guard dynamic password updating, 50, configuration with DHCP snooping, super parameters, security IPv4 source guard static user first login, configuration, user group parameters,...
Page 190 RSA Keon CA server certificate request, configuring security AAA ISP domain authorization methods, security public key management, 60, configuring security AAA local user, terminology, configuring security AAA local user attributes, troubleshooting CA certificate import failure, configuring security AAA methods for ISP domain, troubleshooting CA certificate obtain failure, configuring security AAA RADIUS schemes,...
Page 191 configuring security PKI certificate access configuring static IPv4 source guard entry on control policy, interface, configuring security PKI certificate request configuring static IPv6 source guard entry (manual), globally, configuring security PKI certificate request configuring static IPv6 source guard entry on abort, interface, configuring security PKI domain,...
Page 192 establishing security SSH Stelnet server specifying security AAA HWTACACS connection, 1 1 1 authentication server, exporting security host public key to file, specifying security AAA HWTACACS authorization server, exporting security PKI certificate, specifying security AAA HWTACACS outgoing generating security SSH local DSA key pair, packet source IP address, generating security SSH local RSA key pair, specifying security AAA HWTACACS scheme...
Page 193 AAA, extended attributes, security AAA HWTACACS, 7, HP proprietary attributes, security AAA RADIUS, 2, HWTACACS/RADIUS differences, security LDAP, information exchange security mechanism, security SSL configuration, 138, maintaining, security SSL protocol stack, max request transmission attempts, public key outgoing packet source IP address,...
Page 194 registration authority. Use security SSH file transfer with password authentication, remote secure shell. Use security AAA remote accounting method, Secure Sockets Layer. Use security AAA remote authentication, security security AAA remote authentication configuration, AAA configuration, 1, security AAA remote authorization method, AAA device implementation, Remote Authorization Dial-In User Service.
Page 195 ARP source suppression, PKI applications, ARP unresolvable IP attack protection, PKI architecture, ARP user validity check configuration, PKI CA certificate failure, ARP user/packet validity check, PKI CA certificate import failure, creating AAA HWTACACS scheme, PKI CA policy, displaying AAA, PKI CA storage path specification, 80, displaying host public key, PKI certificate access control policy, 82, displaying password control,...
Page 196 SFTP server function enable, troubleshooting AAA RADIUS packet delivery failure, SSH authentication methods, server SSH client host public key configuration, security AAA HWTACACS quiet timer, SSH configuration, security AAA HWTACACS response timeout SSH local DSA key pair generation, timer, SSH local RSA key pair generation, security AAA RADIUS quiet timer, SSH management parameters, security AAA RADIUS response timeout timer,...
Page 197 server function enable, Secure FTP. Use SFTP shared key Secure Telnet. Use Stelnet security AAA HWTACACS, security AAA HWTACACS server SSH user, security AAA RADIUS, security AAA RADIUS server SSH user authentication+authorization, SNMP security AAA SSH user local RADIUS notifications, authentication+HWTACACS source authorization+RADIUS accounting,...
Page 198 server policy configuration, security SSH Stelnet client password authentication, static security SSH Stelnet client publickey IPv4 source guard entry (global), authentication, IPv4 source guard entry (on interface), security SSH Stelnet client source IP IPv6 source guard entry (global), address/interface, 1 1 1 IPv6 source guard entry (on interface), security SSH Stelnet configuration, 1 17...
Page 199 security AAA management by ISP domains, security AAA RADIUS implementation, security AAA management by user access types, security AAA RADIUS max request transmission security AAA user role authentication, attempts, username security AAA RADIUS packet format, security AAA HWTACACS format, security AAA RADIUS session-control security AAA RADIUS format, feature, updating...
Page 200 security SSH SFTP files, 1 15...

HP FlexFabric 5930 Series Security Configuration Manual

Quick Links

Configuration Guide

Troubleshooting

Related Manuals for HP FlexFabric 5930 Series

Summary of Contents for HP FlexFabric 5930 Series

Table of Contents