HP 5500 Ei 5500 Si Switch Series Configuration Guide
Public key configuration tasks:

  Configuring a local asymmetric key pair on the local device
    Creating a local asymmetric key pair ...................... Required
    Displaying or exporting the local host public key ......... Optional
    Destroying a local asymmetric key pair .................... Optional
  Specifying the peer public key on the local device .......... Optional

Configuring a local asymmetric key pair on the local device

Creating a local asymmetric key pair

When you create an asymmetric key pair on the local device, follow these guidelines:
• Create an asymmetric key pair of the proper type to work with a target application.
• After you enter the command, specify a proper modulus length for the key pair.

The following table compares the three types of key pairs.

Table 13 A comparison between different types of asymmetric key pairs
• RSA: two key pairs, one server key pair and one host key pair. Each key pair comprises a public key and a private key. Modulus length: 512 to 2048 bits, 1024 by default. To achieve high security, specify at least 768 bits.
• DSA: one key pair, the host key pair.

IMPORTANT: Only SSH1.5 uses the RSA server key pair.

To create a local asymmetric key pair:
1. Enter system view.
   Command: system-view
2. Create a local asymmetric key pair.
   Command: public-key local create { dsa | rsa }
   Remarks: By default, no asymmetric key pair is created. Key pairs created with the public-key local create command are saved automatically and can survive system reboots.

Displaying or exporting the local host public key

In SSH, to allow your local device to be authenticated by a peer device through digital signature, you must display or export the local host public key, which will then be specified on the peer device. To display or export the local host public key, choose one of the following methods:
• Displaying and recording the host public key information
• Displaying the host public key in a specific format and saving it to a file
• Exporting the host public key in a specific format to a file
If your local device functions to authenticate the peer device, you must specify the peer public key on the local device. For more information, see "Specifying the peer public key on the local device."

Displaying and recording the host public key information

To display the local public key, use at least one of the following commands (available in any view):
• Display the local RSA public keys.
  Command: display public-key local rsa public [ | { begin | exclude | include } regular-expression ]
• Display the local DSA host public key.
  Command: display public-key local dsa public [ | { begin | exclude | include } regular-expression ]
Remarks: The display public-key local rsa public command displays both the RSA server and host public keys. Recording the RSA host public key is enough.

After displaying the host public key, record the key information for manual configuration of the key on the peer device.

Displaying the host public key in a specific format and saving it to a file

To display the local host public key in a specific format:
1. Enter system view.
   Command: system-view
2. Display the local RSA or DSA host public key in a specific format. Use at least one command.
   • To display the local RSA host public key: public-key local export rsa { openssh | ssh1 | ssh2 }
   • To display the local DSA host public key: public-key local export dsa { openssh | ssh2 }

After you display the host public key in a specific format, save the key to a file, and transfer this file to the peer device.

Exporting the host public key in a specific format to a file

After you export and save the host public key in a specific format to a file, transfer the file to the peer device.

To export and save the local host public key to a file:
1. Enter system view.
   Command: system-view
2. Export a local RSA or DSA host public key in a specific format to a file. Use at least one command.
   • To export a local RSA host public key: public-key local export rsa { openssh | ssh1 | ssh2 } filename
   • To export a local DSA host public key: public-key local export dsa { openssh | ssh2 } filename
Destroying a local asymmetric key pair

You may need to destroy a local asymmetric key pair and generate a new pair when an intrusion event has occurred, the storage media of the device is replaced, the asymmetric key has been used for a long time, or the local certificate expires. For more information about the local certificate, see "Configuring PKI."

To destroy a local asymmetric key pair:
1. Enter system view.
   Command: system-view
2. Destroy a local asymmetric key pair.
   Command: public-key local destroy { dsa | rsa }

Specifying the peer public key on the local device

In SSH, to enable the local device to authenticate a peer device, specify the peer public key on the local device. The device supports up to 20 peer public keys. For information about displaying or exporting the host public key, see "Displaying or exporting the local host public key."

Take one of the following methods to specify the peer public key on the local device:

• Import the public key from a public key file (recommended)
  Prerequisites:
  1. Save the host public key of the intended asymmetric key pair in a file.
  2. Transfer a copy of the file through FTP or TFTP in binary mode to the local device.
  Remarks: During the import process, the system automatically converts the public key to a string in Public Key Cryptography Standards (PKCS) format.

• Manually configure the public key (input or copy the key data)
  • Display and record the public key of the intended asymmetric key pair.
  • If the peer device is an HP device, use the display public-key local public command to view and record its public key. A public key displayed by other methods for the HP device may not be in a correct format.
  • The recorded public key must be in the correct format, or the manual configuration of a format-incompliant public key will fail.
  • Always use the first method if you are not sure about the format of the recorded public key.

To import the host public key from a public key file to the local device:
1. Enter system view.
   Command: system-view
2. Import the host public key from the public key file.
   Command: public-key peer keyname import sshkey filename

To manually configure the peer public key on the local device:
1. Enter system view.
   Command: system-view
2. Specify a name for the public key and enter public key view.
   Command: public-key peer keyname
3. Enter public key code view.
   Command: public-key-code begin
4. Configure the peer public key.
   Type or copy the key. Spaces and carriage returns are allowed between characters.
5. Return to public key view.
   Command: public-key-code end
   Remarks: When you exit public key code view, the system automatically saves the public key.
6. Return to system view.
   Command: peer-public-key end

Displaying and maintaining public keys

• Display the local public keys.
  Command: display public-key local { dsa | rsa } public [ | { begin | exclude | include } regular-expression ]
  Available in any view.
• Display the specified or all peer public keys on the local device.
  Command: display public-key peer [ brief | name publickey-name ] [ | { begin | exclude | include } regular-expression ]
  Available in any view.

Public key configuration examples

Manually specifying the peer public key on the local device

Network requirements

As shown in Figure 92, to prevent illegal access, Device B (the local device) authenticates Device A (the peer device) through a digital signature. Before configuring authentication parameters on Device B, configure the public key of Device A on Device B.
• Configure Device B to use the asymmetric key algorithm of RSA to authenticate Device A.
• Manually specify the host public key of Device A's public key pair on Device B.

Figure 92 Network diagram

Configuration procedure

1. Configure Device A:
# Create local RSA key pairs on Device A, setting the modulus length to the default, 1024 bits.
system-view
[DeviceA] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++
++++++
++++++++
++++++++

# Display the public keys of the local RSA key pairs.
[DeviceA] display public-key local rsa public
=====================================================
Time of Key pair created: 09:50:06 2012/03/07
Key name: HOST_KEY
Key type: RSA Encryption Key
=====================================================
Key code:
30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A4\
4A2A2CD3F
814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A\
9AB16C9E7
66BD995C669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB1250\
35EA32647
0034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10\
203010001

=====================================================
Time of Key pair created: 09:50:07 2012/03/07
Key name: SERVER_KEY
Key type: RSA Encryption Key
=====================================================
Key code:
307C300D06092A864886F70D0101010500036B003068026100999089E7AEE9802002D9EB\
2D0433B87
BB6158E35000AFB3FF310E42F109829D65BF70F7712507BE1A3E0BC5C2C03FAAF00DFDDC\
63D004B44
90DACBA3CFA9E84B9151BDC7EECE1C8770D961557D192DE2B36CAF9974B7B293363BB372\
771C2C1F0
203010001

2. Configure Device B:
# Configure the host public key of Device A's RSA key pairs on Device B. In public key code view, input the host public key of Device A. The host public key is the content of HOST_KEY displayed on Device A by using the display public-key local rsa public command.
system-view
[DeviceB] public-key peer devicea
Public key view: return to System View with peer-public-key end.
[DeviceB-pkey-public-key] public-key-code begin
Public key code view: return to last view with public-key-code end.
[DeviceB-pkey-key-code]30819F300D06092A864886F70D010101050003818D0030818\
902818100
D90003FA95F5A44A2A2CD3F814F9854C4421B57CAC64CFFE4782A87B0360B600497D8716\
2D1F398E6
E5E51E5E353B3A9AB16C9E766BD995C669A784AD597D0FB3AA9F7202C507072B19C3C50A\
0D7AD3994
E14ABC62DB125035EA326470034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CC\
AE4A77F1E
F999B2BF9C4A10203010001
[DeviceB-pkey-key-code] public-key-code end
[DeviceB-pkey-public-key] peer-public-key end

# Display the host public key of Device A saved on Device B.
[DeviceB] display public-key peer name devicea
=====================================
Key Name : devicea
Key Type : RSA
Key Module: 1024
=====================================
Key Code:
30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A4\
4A2A2CD3F
814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A\
9AB16C9E7
66BD995C669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB1250\
35EA32647
0034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10\
203010001

The output shows that the host public key of Device A saved on Device B is consistent with the one created on Device A.

Importing a peer public key from a public key file

Network requirements

As shown in Figure 93, to prevent illegal access, Device B (the local device) authenticates Device A (the peer device) through a digital signature. Before configuring authentication parameters on Device B, configure the public key of Device A on Device B.
• Configure Device B to use the asymmetric key algorithm of RSA to authenticate Device A.
• Import the host public key of Device A from the public key file to Device B.

Figure 93 Network diagram

Configuration procedure

1. Create key pairs on Device A and export the host public key:
# Create local RSA key pairs on Device A, setting the modulus length to the default, 1024 bits.
system-view
[DeviceA] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++
++++++
++++++++
++++++++
# Display the public keys of the local RSA key pairs.
[DeviceA] display public-key local rsa public
=====================================================
Time of Key pair created: 09:50:06 2012/03/07
Key name: HOST_KEY
Key type: RSA Encryption Key
=====================================================
Key code:
30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A4\
4A2A2CD3F
814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A\
9AB16C9E7
66BD995C669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB1250\
35EA32647
0034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10\
203010001

=====================================================
Time of Key pair created: 09:50:07 2012/03/07
Key name: SERVER_KEY
Key type: RSA Encryption Key
=====================================================
Key code:
307C300D06092A864886F70D0101010500036B003068026100999089E7AEE9802002D9EB\
2D0433B87
BB6158E35000AFB3FF310E42F109829D65BF70F7712507BE1A3E0BC5C2C03FAAF00DFDDC\
63D004B44
90DACBA3CFA9E84B9151BDC7EECE1C8770D961557D192DE2B36CAF9974B7B293363BB372\
771C2C1F0
203010001

# Export the RSA host public key HOST_KEY to a file named devicea.pub.
[DeviceA] public-key local export rsa ssh2 devicea.pub

2. Enable the FTP server function on Device A:
# Enable the FTP server function, create an FTP user with the username ftp, password 123, and user level 3. This user level guarantees that the user has the permission to perform FTP operations.
[DeviceA] ftp server enable
[DeviceA] local-user ftp
[DeviceA-luser-ftp] password simple 123
[DeviceA-luser-ftp] service-type ftp
[DeviceA-luser-ftp] authorization-attribute level 3
[DeviceA-luser-ftp] quit

3. On Device B, get the public key file of Device A:
# From Device B, use FTP to log in to Device A, and get the public key file devicea.pub with the file transfer mode of binary.
ftp 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1.
220 FTP service ready.
User(10.1.1.1:(none)):ftp
331 Password required for ftp.
Password:
230 User logged in.
[ftp] binary
200 Type set to I.
[ftp] get devicea.pub
227 Entering Passive Mode (10,1,1,1,5,148).
125 BINARY mode data connection already open, transfer starting for /devicea.pub.
226 Transfer complete.
FTP: 299 byte(s) received in 0.189 second(s), 1.00Kbyte(s)/sec.
[ftp] quit
221 Server closing.

4. Import the host public key of Device A to Device B:
# Import the host public key of Device A from the key file devicea.pub to Device B.
system-view
[DeviceB] public-key peer devicea import sshkey devicea.pub

# Display the host public key of Device A on Device B.
[DeviceB] display public-key peer name devicea
=====================================
Key Name : devicea
Key Type : RSA
Key Module: 1024
=====================================
Key Code:
30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A4\
4A2A2CD3F
814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A\
9AB16C9E7
66BD995C669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB1250\
35EA32647
0034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10\
203010001

The output shows that the host public key of Device A saved on Device B is consistent with the one created on Device A.
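Both examples end with an eyeball comparison of the key code displayed on Device A and on Device B. The following Python, an added example that is not part of HP's guide, makes that check mechanical: it decodes the hex key code the switch prints (a DER SubjectPublicKeyInfo), recovers the modulus behind "Key Module: 1024" and the public exponent, normalizes the differently wrapped copy that was typed into public key code view on Device B, and renders the key as an OpenSSH authorized_keys line plus its SHA256 fingerprint so the same key can be compared out of band with ssh-keygen. That the "openssh" export format corresponds to such a line is an assumption of this example.

```python
import base64, hashlib

# HOST_KEY exactly as "display public-key local rsa public" shows it on Device A
# in this guide; the trailing "\" is the manual's line-wrap marker, not key data.
DEVICE_A_HOST_KEY = r"""
30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A4\
4A2A2CD3F 814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A\
9AB16C9E7 66BD995C669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB1250\
35EA32647 0034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10\
203010001
"""
# The same key as typed into public key code view on Device B, wrapped differently.
DEVICE_B_INPUT = r"""
30819F300D06092A864886F70D010101050003818D0030818\
902818100 D90003FA95F5A44A2A2CD3F814F9854C4421B57CAC64CFFE4782A87B0360B600497D8716\
2D1F398E6 E5E51E5E353B3A9AB16C9E766BD995C669A784AD597D0FB3AA9F7202C507072B19C3C50A\
0D7AD3994 E14ABC62DB125035EA326470034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CC\
AE4A77F1E F999B2BF9C4A10203010001
"""
RSA_OID = bytes.fromhex("2A864886F70D010101")  # rsaEncryption, 1.2.840.113549.1.1.1

def normalize_key_code(text: str) -> str:
    """Drop whitespace and wrap markers (the switch accepts both when keying in)."""
    return "".join(ch for ch in text if ch not in " \\\r\n\t").upper()

def _tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_rsa_key_code(key_code: str):
    """Return (modulus, exponent) from the displayed SubjectPublicKeyInfo hex."""
    der = bytes.fromhex(normalize_key_code(key_code))
    _, spki, _ = _tlv(der, 0)                  # SubjectPublicKeyInfo SEQUENCE
    tag_alg, alg, pos = _tlv(spki, 0)          # AlgorithmIdentifier
    tag_oid, oid, _ = _tlv(alg, 0)
    if (tag_alg, tag_oid, oid) != (0x30, 0x06, RSA_OID):
        raise ValueError("not an rsaEncryption key")
    tag_bits, bits, _ = _tlv(spki, pos)        # BIT STRING; bits[0] = unused bits
    if tag_bits != 0x03 or bits[0] != 0:
        raise ValueError("malformed BIT STRING")
    _, rsa, _ = _tlv(bits, 1)                  # RSAPublicKey ::= SEQUENCE { n, e }
    tag_n, n, pos = _tlv(rsa, 0)
    tag_e, e, _ = _tlv(rsa, pos)
    if (tag_n, tag_e) != (0x02, 0x02):
        raise ValueError("malformed RSAPublicKey")
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")

def _mpint(x: int) -> bytes:
    """SSH mpint: 4-byte length, big-endian value, leading 0x00 if high bit set."""
    b = x.to_bytes((x.bit_length() + 8) // 8, "big")
    return len(b).to_bytes(4, "big") + b

def openssh_form(n: int, e: int):
    """(authorized_keys line, SHA256 fingerprint as ssh-keygen -lf prints it); assumed form."""
    blob = b"\x00\x00\x00\x07ssh-rsa" + _mpint(e) + _mpint(n)
    fp = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return "ssh-rsa " + base64.b64encode(blob).decode(), "SHA256:" + fp
```

Comparing the fingerprint printed by this script with the one ssh-keygen shows for the file written by public-key local export rsa openssh confirms both copies decode to the same 1024-bit modulus.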
Configuring PKI

Overview

The Public Key Infrastructure (PKI) is a general security infrastructure used to provide information security through public key technologies.

PKI, also called asymmetric key infrastructure, uses a key pair to encrypt and decrypt the data. The key pair consists of a private key and a public key. The private key must be kept secret but the public key needs to be distributed. Data encrypted by one of the two keys can only be decrypted by the other.

A key problem with PKI is how to manage the public keys. PKI employs the digital certificate mechanism to solve this problem. The digital certificate mechanism binds public keys to their owners, helping distribute public keys in large networks securely.

With digital certificates, the PKI system provides network communication and e-commerce with security services such as user authentication, data non-repudiation, data confidentiality, and data integrity.

HP's PKI system provides certificate management for Secure Sockets Layer (SSL).

PKI terms

• Digital certificate
  A digital certificate is a file signed by a certificate authority (CA) for an entity. It includes mainly the identity information of the entity, the public key of the entity, the name and signature of the CA, and the validity period of the certificate. The signature of the CA ensures the validity and authority of the certificate. A digital certificate must comply with the international standard of ITU-T X.509. The most common standard is X.509 v3.
  This document discusses two types of certificates: local certificate and CA certificate. A local certificate is a digital certificate signed by a CA for an entity. A CA certificate is the certificate of a CA. If multiple CAs are trusted by different users in a PKI system, the CAs will form a CA tree with the root CA at the top level. The root CA has a CA certificate signed by itself and each lower level CA has a CA certificate signed by the CA at the next higher level.
• CRL
  An existing certificate might need to be revoked when, for example, the username changes, the private key leaks, or the user stops the business. Revoking a certificate removes the binding of the public key with the user identity information. In PKI, the revocation is made through certificate revocation lists (CRLs). Whenever a certificate is revoked, the CA publishes one or more CRLs to show all certificates that have been revoked. The CRLs contain the serial numbers of all revoked certificates and provide an effective way for checking the validity of certificates.
  A CA might publish multiple CRLs when the number of revoked certificates is so large that publishing them in a single CRL might degrade network performance. A CA uses CRL distribution points to indicate the URLs of these CRLs.

• CA policy
  A CA policy is a set of criteria that a CA follows in processing certificate requests, issuing and revoking certificates, and publishing CRLs. Usually, a CA advertises its policy in the form of a certification practice statement (CPS). A CA policy can be acquired through out-of-band means such as phone, disk, and email. As different CAs might use different methods to examine the binding of a public key with an entity, make sure that you understand the CA policy before selecting a trusted CA for certificate request.

PKI architecture

A PKI system consists of entities, a CA, a registration authority (RA) and a PKI repository.

Figure 94 PKI architecture

• Entity
  An entity is an end user of PKI products or services, such as a person, an organization, a device, or a process running on a computer.

• CA
  A CA is a trusted authority responsible for issuing and managing digital certificates. A CA issues certificates, specifies the validity periods of certificates, and revokes certificates as needed by publishing CRLs.

• RA
  A registration authority (RA) is an extended part of a CA or an independent authority. An RA can implement functions including identity authentication, CRL management, key pair generation and key pair backup. The PKI standard recommends that an independent RA be used for registration management to achieve higher security.

• PKI repository
  A PKI repository can be a Lightweight Directory Access Protocol (LDAP) server or a common database. It stores and manages information like certificate requests, certificates, keys, CRLs and logs, and provides a simple query function.
  LDAP is a protocol for accessing and managing PKI information. An LDAP server stores user information and digital certificates from the RA server and provides directory navigation service. From an LDAP server, an entity can retrieve local and CA certificates of its own as well as certificates of other entities.

PKI applications

The PKI technology can satisfy the security requirements of online transactions. As an infrastructure, PKI has a wide range of applications. Here are some application examples.