HP A 5120 Manual
Page 191
To do: Enter system view
Use the command: system-view
Remarks: -

To do: Display the local RSA host public key on the screen in a specified format, or export it to a specified file
Use the command: public-key local export rsa { openssh | ssh1 | ssh2 } [ filename ]
Remarks: Select a command according to the type of the key to be exported.

To do: Display the local DSA host public key on the screen in a specified format or export it to a specified file
Use the command: public-key local export dsa { openssh | ssh2 } [ filename ]

Destroying...
Page 192
To do: Import the peer host public key from the public key file
Use the command: public-key peer keyname import sshkey filename
Remarks: Required

Follow these steps to configure a peer public key manually:

To do: Enter system view
Use the command: system-view
Remarks: -

To do: Specify a name for a peer public key and enter public key view
Use the command: public-key peer keyname
Remarks: Required

To do: Enter public key code view
Use the command: public-key-code begin
Remarks: -

To do: Configure the peer host or server public key
Use the command: Type or copy the key...
Page 193
Configure Device B to use the asymmetric key algorithm of RSA for identity authentication of Device A. Manually configure the host public key of Device A on Device B.

Figure 52 Network diagram for manually configuring a peer public key

Configuration procedure

1. Configure Device A.

# Create RSA key pairs on Device A.
system-view
[DeviceA] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will...
Page 194
2. Configure Device B.

# Configure the host public key of Device A on Device B. In public key code view, input the host public key of Device A. The host public key is the content of HOST_KEY displayed on Device A using the display public-key local dsa public command.
system-view
[DeviceB] public-key peer devicea
Public key view: return to System View with peer-public-key end.
[DeviceB-pkey-public-key] public-key-code begin
Public key code view: return to last view with...
Page 195
# Create RSA key pairs on Device A.
system-view
[DeviceA] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++
++++++
++++++++
++++++++

# Display the public keys of the created RSA key pairs.
[DeviceA] display public-key local rsa public
=====================================================...
Page 196
[DeviceB-luser-ftp] authorization-attribute level 3
[DeviceB-luser-ftp] quit

3. Upload the public key file of Device A to Device B.

# FTP the public key file devicea.pub to Device B with the file transfer mode of binary.
ftp 10.1.1.2
Trying 10.1.1.2 ...
Press CTRL+K to abort
Connected to 10.1.1.2.
220 FTP service ready.
User(10.1.1.2:(none)):ftp
331 Password required for ftp.
Password:
230 User logged in.
[ftp] binary
200 Type set to I.
[ftp] put devicea.pub
227 Entering Passive...
Page 197
PKI configuration

PKI overview

The Public Key Infrastructure (PKI) is a general security infrastructure used to provide information security through public key technologies. PKI, also called asymmetric key infrastructure, uses a key pair to encrypt and decrypt the data. The key pair consists of a private key and a public key. The private key must be kept secret but the public key needs to be distributed. Data encrypted by one of the two keys can only...
Page 198
statement (CPS). A CA policy can be acquired through out-of-band means such as phone, disk, and email. As different CAs might use different methods to check the binding of a public key with an entity, make sure that you understand the CA policy before selecting a trusted CA for certificate request.

PKI architecture

A PKI system consists of entities, a CA, a registration authority (RA), and a PKI repository.

Figure 54 PKI architecture

Entity

An entity is...
Page 199
VPN

A virtual private network (VPN) is a private data communication network built on the public communication infrastructure. A VPN can leverage network layer security protocols, for example IPsec, in conjunction with PKI-based encryption and digital signature technologies for confidentiality.

Secure email

Emails require confidentiality, integrity, authentication, and non-repudiation. PKI can address these needs. The secure email protocol that is developing rapidly is...
Page 200
Task: Configuring an access control policy
Remarks: Optional

Configuring an entity DN

A certificate is the binding of a public key and the identity information of an entity, where the identity information is identified by an entity distinguished name (DN). A CA identifies a certificate applicant uniquely by entity DN.

An entity DN is defined by these parameters:
Common name of the entity.
Country code of the entity, a standard 2-character code. For example, CN...