HPE FlexNetwork 7500 Series Security Configuration Manual page 8

Verifying certificates without CRL checking ··························································································· 250
Specifying the storage path for the certificates and CRLs ············································································· 251
Exporting certificates ······································································································································ 251
Removing a certificate ··································································································································· 252
Configuring a certificate-based access control policy ···················································································· 252
Displaying and maintaining PKI ····················································································································· 253
PKI configuration examples ··························································································································· 253
Requesting a certificate from an RSA Keon CA server ·········································································· 254
Requesting a certificate from a Windows Server 2003 CA server ························································· 256
Requesting a certificate from an OpenCA server ··················································································· 260
Certificate-based access control policy configuration example ······························································ 263
Certificate import and export configuration example ·············································································· 264
Troubleshooting PKI configuration ················································································································· 269
Failed to obtain the CA certificate ·········································································································· 270
Failed to obtain local certificates ············································································································ 270
Failed to request local certificates ·········································································································· 271
Failed to obtain CRLs ····························································································································· 272
Failed to import the CA certificate ·········································································································· 272
Failed to import the local certificate ········································································································ 273
Failed to export certificates ···················································································································· 273
Failed to set the storage path ················································································································· 274
Configuring SSH ························································································· 275
Overview ························································································································································ 275
How SSH works ····································································································································· 275
SSH authentication methods ·················································································································· 276
SSH support for Suite B ························································································································· 277
Protocols and standards ························································································································ 277
FIPS compliance ············································································································································ 278
Configuring the device as an SSH server ······································································································ 278
SSH server configuration task list ·········································································································· 278
Generating local key pairs ······················································································································ 278
Enabling the Stelnet server ···················································································································· 279
Enabling the SFTP server ······················································································································ 279
Enabling the SCP server ························································································································ 280
Enabling NETCONF over SSH ·············································································································· 280
Configuring the user lines for SSH login ································································································ 280
Configuring a client's host public key ····································································································· 281
Configuring an SSH user ······················································································································· 282
Configuring the SSH management parameters ····················································································· 283
Specifying a PKI domain for the SSH server ························································································· 284
Configuring the device as an Stelnet client ···································································································· 284
Stelnet client configuration task list ········································································································ 284
Specifying the source IP address for SSH packets ················································································ 285
Establishing a connection to an Stelnet server ······················································································ 285
Establishing a connection to an Stelnet server based on Suite B ·························································· 288
Configuring the device as an SFTP client ······································································································ 288
SFTP client configuration task list ·········································································································· 288
Specifying the source IP address for SFTP packets ·············································································· 288
Establishing a connection to an SFTP server ························································································ 289
Establishing a connection to an SFTP server based on Suite B ···························································· 291
Working with SFTP directories ··············································································································· 292
Working with SFTP files ························································································································· 292
Displaying help information ···················································································································· 293
Terminating the connection with the SFTP server ················································································· 293
Configuring the device as an SCP client ········································································································ 293
Establishing a connection to an SCP server ·························································································· 293
Establishing a connection to an SCP server based on Suite B······························································ 296
Specifying algorithms for SSH2 ····················································································································· 296
Specifying key exchange algorithms for SSH2 ······················································································ 296
Specifying public key algorithms for SSH2 ···························································································· 297
Specifying encryption algorithms for SSH2 ···························································································· 297
vi