HP 5500 Ei 5500 Si Switch Series Configuration Guide

 266 
After completing the configuration, you must perform CRL related configurations. In this example, 
select the local CRL distribution  mode of Hypertext Transfer Prot ocol (HTTP) and set the HTTP URL 
to http://4.4.4.133:447/myca.crl. 
After the configuration, make sure the system clock  of the switch is synchronous to that of the CA, 
so that the switch can request certif icates and retrieve CRLs properly. 
Configuring the switch 
1. Configure the entity DN: 
# Configure the entity name as  aaa and...

 267 
The trusted CAs finger print is: 
    MD5  fingerprint:EDE9 0394 A273 B61A F1B3 0072 A0B1 F9AB 
    SHA1 fingerprint: 77F9 A077 2FB8 088C 550B A33C 2410 D354 23B2 73A8 \
 
Is the finger print correct?(Y/N):y 
 
Saving CA/RA certificates chain, please wait a moment...... 
CA certificates retrieval success. 
# Retrieve CRLs and save them locally. 
[Device] pki retrieval-crl domain torsa 
Connecting to server for retrieving CRL. Please wait a while..... 
CRL retrieval success! 
# Request a local...

 268 
                    D3A5C849 CBDE350D 2A1926B7 0AE5EF5E 
                    D1D8B08A DBF16205 7C2A4011 05F11094 
                    73EB0549 A65D9E74 0F2953F2 D4F0042F 
                    19103439 3D4F9359 88FB59F3 8D4B2F6C 
                    2B 
                Exponent: 65537 (0x10001) 
        X509v3 extensions: 
            X509v3 CRL Distribution Points: 
            URI:http://4.4.4.133:447/myca.crl 
 
    Signature Algorithm: sha1WithRSAEncryption 
        836213A4 F2F74C1A 50F4100D...

 269 
3.
 
Modify the certificate service attributes: 
a. Select  Control Panel  > Administrative Tools  > Certificate Authority  from the start menu.  
If the CA server and SCEP add-on have been  installed successfully, there should be two 
certificates issued by the CA to the RA.  
b.  Right-click the CA server in the navigation tree and select  Properties > Policy Module .  
c. Click  Properties  and select  Follow the settings in the certificate template, if applicable. 
Otherwise, automatically...

 270 
Input the bits in the modulus [default = 1024]: 
Generating Keys... 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
++++++++++++++++++++++++++++++++++++++ 
+++++++++++++++++++++++++++++++++++++++++++++++ 
+++++++++++++++++++++++ 
 
4. Apply for certificates: 
# Retrieve the CA certificate and save it locally. 
[Device] pki retrieval-certificate ca domain torsa 
Retrieving CA/RA certificates. Please wait a while...... 
The trusted CAs finger print is: 
    MD5  fingerprint:766C D2C8...

 271 
                    00A6637A 8CDEA1AC B2E04A59 F7F6A9FE 
                    5AEE52AE 14A392E4 E0E5D458 0D341113 
                    0BF91E57 FA8C67AC 6CE8FEBB 5570178B 
                    10242FDD D3947F5E 2DA70BD9 1FAF07E5 
                    1D167CE1 FC20394F 476F5C08 C5067DF9 
                    CB4D05E6 55DC11B6 9F4C014D EA600306 
                    81D403CF 2D93BC5A 8AF3224D 1125E439 
                    78ECEFE1 7FA9AE7B 877B50B8 3280509F 
                    6B...

 272 
Figure 97 Network diagram 
 
 
Configuration procedure 
The configuration procedure involves SSL configuration and HTTPS configuration. For more information 
about SSL configuration, see Configuring SSL.
   For more information about HTTPS configuration, see 
Fundamentals Configuration Guide . 
The PKI domain to be referenced by the SSL policy  must exist. For how to configure a PKI domain, see 
 Configure the PKI domain: .  
Th
 e configuration procedure is as follows: 
1.  Configure the HTTPS...

 273 
[Device-pki-cert-acp-myacp] quit 
4. Apply the SSL server policy and certificate attrib ute-based access control policy to HTTPS service 
and enable HTTPS service:  
# Apply SSL server policy  myssl to HTTPS service. 
[Device] ip https ssl-server-policy myssl 
# Apply the certificate attribute- based access control policy of myacp to HTTPS service. 
[Device] ip https certificate access-control-policy myacp 
# Enable HTTPS service.  
[Device] ip https enable 
Troub l es h o o t i n g  P KI  
Failed...

 274 
•  The URL of the registration server for certificate request is not correct or not configured.  
•   No authority is specified for certificate request. 
•   Some required parameters of the entity DN are not configured.  
Solution 
•  Make sure that the network connection is physically proper. 
•   Retrieve a CA certificate. 
•   Regenerate a key pair. 
•   Specify a trusted CA. 
•   Use the  ping command to verify that the RA server is reachable. 
•   Specify the authority for certificate request....

 275 
Configuring IPsec 
Overview 
IP Security (IPsec) is a security framework defined by the Internet Engineering Task Force (IETF) for 
securing IP communications. It is a Layer 3 virtual private network (VPN) technology that transmits data 
in a secure tunnel established between two endpoints.  
IPsec guarantees the confidentiality, integrity, and au thenticity of data and provides anti-replay service at 
the IP layer in an insecure network environment. 
•   Confidentiality —The sender encrypts...