Certificate-Based Access Control Policy Configuration Example - HPE FlexNetwork 10500 Series Security Configuration Manual

Generating Keys...
..........................++++++
.....................................++++++
Create the key pair successfully.
# Obtain the CA certificate and save it locally.
[DeviceB] pki retrieve-certificate ca domain 1
# Submit a certificate request manually.
[DeviceB] pki request-certificate domain 1
# Create IKE proposal 1, and configure the authentication method as RSA digital signature.
[DeviceB] ike proposal 1
[DeviceB-ike-proposal-1] authentication-method rsa-signature
[DeviceB-ike-proposal-1] quit
# Reference the PKI domain used in IKE negotiation for IKE profile peer.
[DeviceB] ike profile peer
[DeviceB-ike-profile-peer] certificate domain 1
The configurations are for IKE negotiation with RSA digital signature. For information about how to configure IPsec SAs to be set up, see "Configuring IPsec."

Certificate-based access control policy configuration example

Network requirements
As shown in Figure 90, the host accesses the device through HTTPS.
Configure a certificate-based access control policy on the device to authenticate the host and verify the validity of the host's certificate.

Figure 90 Network diagram
(Diagram labels: Host as HTTPS client, IP network, Device as HTTPS server, CA server)

Configuration procedure
1. Create PKI domain domain1 to be used by SSL. (Details not shown.)
2. Request an SSL server certificate for the device from the CA server. (Details not shown.)
3. Configure the HTTPS server:
# Configure an SSL server policy named abc.
<Device> system-view
[Device] ssl server-policy abc
[Device-ssl-server-policy-abc] pki-domain domain1
[Device-ssl-server-policy-abc] client-verify enable
[Device-ssl-server-policy-abc] quit
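
The following Python example is added here; it is not part of the HPE manual and does not reproduce the device's own matching logic. It shows one way an HTTPS server can apply a certificate-based access control policy after client verification has validated the host's certificate chain: ordered permit/deny rules matched against certificate attributes. The rule format, the operator names, the sample certificate, and the deny-on-no-match default are assumptions of this example.

```python
from dataclasses import dataclass

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert()
# after a handshake with verify_mode = ssl.CERT_REQUIRED (chain already validated).
HOST_CERT = {
    "subject": ((("organizationName", "Example Corp"),), (("commonName", "host1.example.test"),)),
    "issuer": ((("organizationName", "Example Corp"),), (("commonName", "Example Test CA"),)),
    "subjectAltName": (("DNS", "host1.example.test"),),
}

@dataclass(frozen=True)
class Condition:
    field: str   # "subject", "issuer" or "subjectAltName"
    op: str      # "contains" or "equals"
    value: str

@dataclass(frozen=True)
class Rule:
    action: str        # "permit" or "deny"
    conditions: tuple  # every Condition must hold for the rule to match

def field_values(cert, field):
    """Flatten one certificate field into a list of lowercase strings."""
    if field == "subjectAltName":
        return [v.lower() for _, v in cert.get(field, ())]
    return [v.lower() for rdn in cert.get(field, ()) for _, v in rdn]

def condition_holds(cert, cond):
    want = cond.value.lower()
    values = field_values(cert, cond.field)
    if cond.op == "equals":
        return want in values
    if cond.op == "contains":
        return any(want in v for v in values)
    raise ValueError(f"unknown operator: {cond.op}")

def evaluate(cert, rules):
    """Return 'permit' or 'deny'. The first matching rule wins."""
    if not cert:  # getpeercert() gives None (no cert) or {} (cert not validated)
        return "deny"
    for rule in rules:
        if all(condition_holds(cert, c) for c in rule.conditions):
            return rule.action
    return "deny"  # fail closed when no rule matches (this example's choice)

# Hypothetical policy: block guest hosts first, then permit hosts issued by the test CA.
POLICY = (
    Rule("deny", (Condition("subjectAltName", "contains", "guest"),)),
    Rule("permit", (Condition("issuer", "equals", "Example Test CA"),
                    Condition("subject", "contains", "example.test"))),
)
```

Rule order matters here: the deny rule for guest hosts is listed first so that a certificate from the trusted CA cannot reach the broader permit rule.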