3Com 4500G Family Configuration Manual page 723

For detailed information about SSL configuration, refer to SSL Configuration in the Security
Volume.
For detailed information about HTTPS configuration, refer to HTTP Configuration in the System
Volume.
The PKI domain to be referenced by the SSL policy must be created in advance. For detailed
configuration of the PKI domain, refer to
1) Configure the HTTPS server
# Configure the SSL policy for the HTTPS server to use.
<Switch> system-view
[Switch] ssl server-policy myssl
[Switch-ssl-server-policy-myssl] pki-domain 1
[Switch-ssl-server-policy-myssl] client-verify enable
[Switch-ssl-server-policy-myssl] quit
2) Configure the certificate attribute group
# Create certificate attribute group mygroup1 and add two attribute rules. The first rule defines that the
DN of the subject name includes the string aabbcc, and the second rule defines that the IP address of
the certificate issuer is 10.0.0.1.
[Switch] pki certificate attribute-group mygroup1
[Switch-pki-cert-attribute-group-mygroup1] attribute 1 subject-name dn ctn aabbcc
[Switch-pki-cert-attribute-group-mygroup1] attribute 2 issuer-name ip equ 10.0.0.1
[Switch-pki-cert-attribute-group-mygroup1] quit
# Create certificate attribute group mygroup2 and add two attribute rules. The first rule defines that the
FQDN of the alternative subject name does not include the string of apple, and the second rule defines
that the DN of the certificate issuer name includes the string aabbcc.
[Switch] pki certificate attribute-group mygroup2
[Switch-pki-cert-attribute-group-mygroup2] attribute 1 alt-subject-name fqdn nctn apple
[Switch-pki-cert-attribute-group-mygroup2] attribute 2 issuer-name dn ctn aabbcc
[Switch-pki-cert-attribute-group-mygroup2] quit
3) Configure the certificate attribute-based access control policy
# Create the certificate attribute-based access control policy of myacp and add two access control
rules.
[Switch] pki certificate access-control-policy myacp
[Switch-pki-cert-acp-myacp] rule 1 deny mygroup1
[Switch-pki-cert-acp-myacp] rule 2 permit mygroup2
[Switch-pki-cert-acp-myacp] quit
4) Apply the SSL server policy and certificate attribute-based access control policy to HTTPS service
and enable HTTPS service.
# Apply SSL server policy myssl to HTTPS service.
[Switch] ip https ssl-server-policy myssl
# Apply the certificate attribute-based access control policy of myacp to HTTPS service.
[Switch] ip https certificate access-control-policy myacp
# Enable HTTPS service.
[Switch] ip https enable
Configure the PKI domain.
1-19