Certificate-Based Access Control Policy Configuration Example - HP FlexNetwork 10500 Series Security Configuration Manual


81:99:31:89
To display detailed information about the CA certificate, use the display pki certificate domain command.
Certificate-based access control policy configuration example
Network requirements
As shown in Figure 82, the host accesses the device through HTTPS.
Configure a certificate-based access control policy on the device to authenticate the host and verify the validity of the host's certificate.
Figure 82 Network diagram
Configuration procedure
1. Create PKI domain domain1 to be used by SSL. (Details not shown.)
2. Request an SSL server certificate for the device from the CA server. (Details not shown.)
3. Configure the HTTPS server (the device):
# Enable the HTTPS services.
<Device> system-view
[Device] ip https enable
# Configure an SSL policy for the HTTPS server.
[Device] ssl server-policy abc
[Device-ssl-server-policy-abc] pki-domain domain1
[Device-ssl-server-policy-abc] client-verify enable
[Device-ssl-server-policy-abc] quit
4. Configure certificate attribute groups:
# Create a certificate attribute group named mygroup1 and add two attribute rules. The first rule requires that the DN in the subject name contains the string aabbcc. The second rule requires that the IP address in the issuer name is 10.0.0.1.
[Device] pki certificate attribute-group mygroup1
[Device-pki-cert-attribute-group-mygroup1] attribute 1 subject-name dn ctn aabbcc
[Device-pki-cert-attribute-group-mygroup1] attribute 2 issuer-name ip equ 10.0.0.1
[Device-pki-cert-attribute-group-mygroup1] quit
# Create a certificate attribute group named mygroup2 and add two attribute rules. The first rule requires that the FQDN in the alternative subject name does not contain the string apple. The second rule requires that the DN in the issuer name contains the string aabbcc.
[Device] pki certificate attribute-group mygroup2
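The following Python sketch is an added illustration, not part of the HP manual or the device software: it models the mygroup1 and mygroup2 rules described above so you can predict offline which rule a given host certificate would fail. It assumes case-insensitive comparison, that every rule in a group must match, and that a rule on a field the certificate lacks does not match; the certificate dictionaries are constructed samples, so confirm the behavior on the device.

```python
# Added illustration: a simplified model of attribute-group matching, not device code.
# Assumptions: comparison is case-insensitive, all rules in a group must match,
# and a rule on a field with no values in the certificate does not match.

OPS = {
    "ctn":  lambda values, s: any(s in v for v in values),      # contains
    "equ":  lambda values, s: any(s == v for v in values),      # equals
    "nctn": lambda values, s: all(s not in v for v in values),  # does not contain
    "nequ": lambda values, s: all(s != v for v in values),      # does not equal
}

# (field, type, operator, value), taken from the rule descriptions on this page.
GROUPS = {
    "mygroup1": [("subject-name", "dn", "ctn", "aabbcc"),
                 ("issuer-name", "ip", "equ", "10.0.0.1")],
    "mygroup2": [("alt-subject-name", "fqdn", "nctn", "apple"),
                 ("issuer-name", "dn", "ctn", "aabbcc")],
}

def rule_matches(cert, rule):
    field, ftype, op, value = rule
    values = [v.lower() for v in cert.get(field, {}).get(ftype, [])]
    if not values:          # assumed: a missing field never satisfies a rule
        return False
    return OPS[op](values, value.lower())

def group_matches(cert, group):
    return all(rule_matches(cert, r) for r in GROUPS[group])

def explain(cert, group):
    """Return (rule number, matched?) pairs to show which rule rejects a cert."""
    return [(i, rule_matches(cert, r)) for i, r in enumerate(GROUPS[group], 1)]

# Constructed sample certificates (hypothetical values, not from the manual).
HOST_A = {
    "subject-name": {"dn": ["CN=host-a,O=AABBCC,C=US"]},
    "issuer-name": {"dn": ["CN=ca,O=example"], "ip": ["10.0.0.1"]},
    "alt-subject-name": {"fqdn": ["host-a.example.test"]},
}
HOST_B = {
    "subject-name": {"dn": ["CN=host-b,O=other"]},
    "issuer-name": {"dn": ["CN=ca,O=aabbcc"]},
    "alt-subject-name": {"fqdn": ["host-b.example.test", "apple.example.test"]},
}

if __name__ == "__main__":
    for name, cert in (("HOST_A", HOST_A), ("HOST_B", HOST_B)):
        for group in GROUPS:
            print(name, group, group_matches(cert, group), explain(cert, group))
```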