HTTPS Web Configuration Example


Http://www.h3c.com.cn/Products___Technology/Technology/Security_Encrypt/Other_technology/Representative_ Collocate_enchiridion/201010/697325_30003_0.htm

Keywords: HTTPS, SSL, PKI, CA, RA

Summary: HTTPS is HTTP carried over SSL. A user can log on to the device securely over HTTPS and control the device through its Web pages. This article describes the configuration process for HTTPS.

Abbreviations:

  Abbreviation   English full name
  CA             Certificate Authority
  HTTPS          Hypertext Transfer Protocol Secure
  IIS            Internet Information Services
  MAC            Message Authentication Code
  PKI            Public Key Infrastructure
  RA             Registration Authority
  SCEP           Simple Certificate Enrollment Protocol
  SSL            Secure Sockets Layer

Contents

1 Introduction to Features

2 Application Scenarios

3 Configuration Examples

3.1 Networking requirements

3.2 Configuration ideas

3.2.1 CA server configuration ideas

3.2.2 HTTPS server configuration ideas

3.3 Configuration steps

3.3.1 Configuring the CA server

3.3.2 Configuring the HTTPS server

3.4 Validation Results

1 Introduction to Features

For devices that support Web management, the device acts as a Web server once the HTTP service is enabled, and users can log on over HTTP and access and control the device through Web pages. However, HTTP itself cannot authenticate the identity of the Web server, and it does not guarantee the confidentiality of the transferred data or provide other security assurances. For this reason the device provides HTTPS, a combination of HTTP and SSL: the server is authenticated through SSL and the transmitted data is encrypted, so that the device can be managed securely.

HTTPS uses the SSL protocol to improve security in the following ways:

• The client authenticates the server with a digital certificate, which ensures that the client connects to the correct server.

• The data exchanged between client and server is encrypted, which guarantees the confidentiality and integrity of the transmission and thus the secure management of the server (that is, the device).

2 Application Scenarios

HTTPS is primarily used by network administrators to configure devices remotely. As shown in Figure 1, a company has branch offices in cities A and B. The network administrator located in A cannot configure device B, located in B, directly. To manage device B securely, the network administrator logs on to device B over HTTPS and configures the remote device through its Web pages.

Figure 1 HTTPS typical application scenario

3 Configuration Examples

3.1 Networking requirements

Company A's network administrator and the company's research and development site are in different cities. The network administrator wants to log in remotely and securely to the R&D site's gateway device in order to control it.

As shown in Figure 2, HTTPS meets this requirement:

• The network administrator uses the host admin to establish an HTTPS connection with the gateway device gateway and controls the gateway through its Web pages.

• The SSL security mechanism authenticates the HTTPS server gateway, which improves the security of remote login.

To implement certificate-based authentication, company A also needs to configure a CA server that issues a certificate to the gateway. This example uses Windows Server 2003 as the CA server and describes how it is configured.

Figure 2 Network diagram for the HTTPS configuration example

3.2 Configuration Ideas

To meet the above networking requirements, the operations in Table 1 need to be completed.

Table 1 Configuration steps

  Operation                      Configuration ideas   Detailed configuration
  Configuring the CA server      3.2.1                 3.3.1
  Configuring the HTTPS server   3.2.2                 3.3.2

3.2.1 CA Server Configuration Ideas

When you use Windows Server 2003 as the CA server, IIS must be installed and enabled on the CA server.

With Windows Server 2003 as the CA server, the configuration process is:

(1) Install the Certificate Services component and set the type, name, and other parameters of the CA server.

(2) Install the SCEP plug-in. SCEP is the protocol a certificate requester uses to communicate with the certification authority. Windows Server 2003 does not support SCEP by default, so the SCEP plug-in must be installed to give the CA server the ability to handle certificate enrollment and issuance automatically.

(3) Modify the issuance policy of Certificate Services so that certificates are issued automatically. Otherwise, after a certificate request is received, the administrator must confirm the request and issue the certificate manually.

(4) Modify the properties of the IIS service. Change the home directory of the default Web site to the folder where Certificate Services saves its files and, to avoid conflicts with existing services, change the TCP port number of the default Web site.

3.2.2 HTTPS server configuration ideas

The configuration process for the HTTPS server is:

(1) Configure the PKI. PKI is a system that secures information through public key technology and digital certificates, and it is responsible for verifying the identity of certificate holders. SSL authenticates servers and clients through the PKI. Before you configure the HTTPS server, you must complete the PKI configuration, which includes:

• Configure the PKI entity. The entity's identity information uniquely identifies the certificate requester.

• Configure the PKI domain. Before requesting a certificate, an entity needs some registration information that matches the request process; the collection of this information is the entity's PKI domain. Creating a PKI domain makes it easier for other applications to reference the PKI configuration.

• Generate the RSA local key pair. Generating the key pair is an important step in the certificate application process. The process uses a key pair consisting of a private key and a public key. The private key is kept by the user; the public key and other information are signed by the CA, which produces the certificate.

• Obtain the CA certificate and download it locally, so that the authenticity and validity of the local certificate can be verified.

• Apply for a local certificate. A local certificate can be requested manually or automatically; this example uses the manual approach.

(2) Enable the HTTPS service and configure the PKI domain that HTTPS uses.

(3) Create a local user, so that users are authenticated by user name and password.

3.3 Configuration steps

Before you perform the following configuration, make sure that the HTTPS server gateway, the HTTPS client admin, and the CA server can reach each other over the network.

The following describes the HTTPS server configuration with the SecPath F1000-E as an example; the pages of other products may differ.

Unless otherwise specified, the configuration items on each page or window in the steps below keep their default settings.

3.3.1 Configuring the CA server

1. Install the Certificate Services component

(1) Open [Control Panel/Add or Remove Programs] and select [Add/Remove Windows Components]. In the Windows Components Wizard, select Certificate Services and click the < Next > button.

Figure 3 Installing the Certificate Services component 1

(2) Select the CA type as stand-alone root CA and click < Next > button.

Figure 4 Installing the Certificate Services component 2

(3) Enter the CA name for CA server and click < Next > button.

Figure 5 Installing the Certificate Services component 3

(4) Select the location where the CA certificate database, database logs, and shared folders are stored, and click < Next > button.

Figure 6 Installing the Certificate Services component 4

When you install the Certificate Services component, the default storage path for the CA certificate database, database logs, and shared folders appears on the interface. The default storage path is used in this configuration example, where "Ca" in the shared folder storage path is the host name of the CA server.

(5) After the Certificate Services component is successfully installed, click the < finish > button to exit the Windows Components Wizard window.

2. Install the SCEP plugin

(1) Double-click the SCEP installation file to run it. In the pop-up window, click the < Next > button.

SCEP installation files can be downloaded from the Microsoft Web site for free.

Figure 7 Installing the SCEP plugin 1

(2) Select Use the Local System account as the identity and click < Next > button.

Figure 8 Installing the SCEP plugin 2

(3) Clear the "Require SCEP Challenge Phrase to Enroll" option and click the < Next > button.

Figure 9 Installing the SCEP plugin 3

(4) Enter the RA identification information used when the RA registers with the CA server, and click the < Next > button. The functions of an RA include identity vetting, CRL management, key pair generation, and key pair backup. The RA is an extension of the CA and can be operated as part of the CA.

Figure 10 Installing the SCEP plugin 4

(5) After completing the above configuration, click the < Finish > button; the prompt box shown in Figure 11 appears. Record the URL address and click the < OK > button.

Figure 11 Installing the SCEP plugin 5

When configuring the HTTPS server gateway, you need to configure the registration server address as the URL address in the Prompt box, where the hostname CA can be replaced with the IP address of the CA server.

3. Modifying the properties of Certificate Services

When the above configuration is complete, open [Certification Authority] in [Control Panel/Administrative Tools]. If the installation succeeded, [Issued Certificates] lists two certificates issued by the CA server to the RA.

(1) Right-click [CA Server] and select [Properties].

Figure 12 Modifying the properties of Certificate Services

(2) In the CA server Properties window, select the Policy Module tab and click the < Properties > button.

Figure 13 Certificate Services Properties window

(3) Set the policy module property to "Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate." and click the < OK > button.

Figure 14 Properties of the policy module

(4) Restart Certificate Services by clicking the Stop service in Figure 15 and the Start Service button in Figure 16.

Figure 15 Stopping Certificate Services

Figure 16 Starting Certificate Services

4. Modify the properties of the IIS service

(1) Open [Internet Information Services (IIS) manager] in [Control Panel/Administrative Tools], right-click [Default Web Site], and select [Properties].

Figure 17 IIS Manager

(2) In the Default Web Site Properties window, select the Home Directory tab and change the local path to the folder where Certificate Services saves its files.

Figure 18 Modifying the home directory of the default Web site

(3) Select the Web Site tab in the Default Web Site Properties window to change the TCP port to 8080.

To avoid conflicts with existing services, the TCP port number for the default Web site cannot be the same as the port number of the existing service, and it is not recommended to use the default port number 80.

Figure 19 Modifying the TCP port number for the default Web site

3.3.2 Configuring the HTTPS server

1. Configure the gateway to request a certificate from the CA server

The certificate has a validity period, so it is recommended that you synchronize the gateway's clock with the CA server before requesting a certificate from the gateway; otherwise obtaining the certificate may fail.

By default, a PKI domain and certificate already exist on the device and can be referenced directly when configuring the HTTPS service, so this step is optional. The default PKI domain and certificate depend on the device model; check the actual device.

(1) Configure the PKI entity AAA.

• Select "VPN > Certificate Management > PKI Entity" in the navigation bar and click the < New > button.

• Enter the PKI entity name "AAA".

• Enter the common name "gateway".

• Click the < OK > button to complete the operation.

Figure 20 Configuring the PKI entity AAA

(2) Configure the PKI domain SSL.

• Select "VPN > Certificate Management > PKI Domain" in the navigation bar and click the < New > button.

• Enter the PKI domain name "SSL".

• Enter the CA identifier "CA server".

• Select the local entity "AAA".

• Select the registration authority "RA".

• Enter the certificate request URL "http://5.5.5.1:8080/certsrv/mscep/mscep.dll" (the URL address shown when the SCEP plug-in was installed, in the format "http://host:port/certsrv/mscep/mscep.dll", where host and port are the address and port number of the CA server).

• Click the < OK > button. A dialog box prompts "No root certificate thumbprint is specified; the root certificate thumbprint will not be validated when the CA certificate is obtained. Confirm that you want to continue?" Click the < OK > button again to complete the operation.

Figure 21 Configuring the PKI domain SSL

(3) Generate the RSA local key pair.

• Select "VPN > Certificate Management" in the navigation bar and click the < Create Key > button.

• Enter the key length "1024".

• Click the < OK > button to complete the operation.

Figure 22 Generating the RSA local key pair

(4) Manually obtain the CA certificate online.

• Click the < Get Certificate > button on the Certificate Display page.

• Select the PKI domain name "SSL".

• Select the certificate type "CA".

• Click the < OK > button to complete the operation. The page returns to the Certificate Display page, where the obtained CA certificate is listed.

Figure 23 Obtaining the CA certificate

(5) Manually request the local certificate online.

• Click the < Request Certificate > button on the Certificate Display page.

• Select the PKI domain name "SSL".

• Click the < OK > button to submit the certificate request.

Figure 24 Requesting a local certificate

• A prompt box "The certificate request has been submitted." appears; click the < OK > button again. The page returns to the Certificate Display page, where the requested local certificate is listed.

Figure 25 Certificate Display page after completing the certificate request
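As an added example that is not part of the H3C document, the following OpenSSL script reproduces the certificate relationships built in steps (1) to (5): a stand-alone root CA, a gateway key pair and request with CN=gateway, and the issued local certificate. It then shows the check that the step (2) prompt warns is skipped, comparing the obtained CA certificate against a root certificate thumbprint recorded out of band, and why the client in 3.4 gets a security alert: the gateway certificate verifies against the company CA but not against the default trust store. The CA name "ca-server", the temporary directory, and the 2048-bit key length (the page uses 1024) are assumptions of this example.

```shell
# Added example, not from the H3C document. Requires the openssl CLI.
set -e
WORK=$(mktemp -d)

# Stand-alone root CA, the role Windows Server 2003 plays in 3.3.1 (name assumed).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=ca-server" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Gateway key pair plus request: PKI entity with common name "gateway".
make_gateway_request() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=gateway" \
    -keyout "$WORK/gateway.key" -out "$WORK/gateway.csr" 2>/dev/null
}

# The CA signs the request, as the automatic-issue policy in 3.3.1 does.
issue_gateway_cert() {
  openssl x509 -req -in "$WORK/gateway.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
    -out "$WORK/gateway.crt" 2>/dev/null
}

# Thumbprint: SHA-1 over the DER certificate, printed as hex without colons.
thumbprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2 | tr -d ':'
}

# The check the PKI domain prompt says is skipped: only trust the obtained
# CA certificate if it matches the thumbprint recorded out of band.
pinned_matches() {
  [ "$(thumbprint "$WORK/ca.crt")" = "$1" ]
}

# Client view with the company CA trusted: the gateway certificate chains.
gateway_chain_ok() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/gateway.crt" >/dev/null 2>&1
}

# Client view without it (the IE security alert in 3.4): verification fails.
gateway_trusted_by_default() {
  openssl verify "$WORK/gateway.crt" >/dev/null 2>&1
}

make_ca
make_gateway_request
issue_gateway_cert
PIN=$(thumbprint "$WORK/ca.crt")   # stands in for the out-of-band record
```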

2. Configure the HTTPS service

Enable the HTTPS service and configure HTTPS to use the local certificate of PKI domain SSL.

• Select "Device Management > Service Management" in the navigation bar.

• Select the check box before "Enable HTTPS service".

• Select the certificate "CN=gateway".

• Click the < OK > button to complete the operation.

Figure 26 Configuring the HTTPS service

3. Configure local users

Configure the local user abc with password 123, service type Web, and access level Management.

• Select "User Management > Local Users" in the navigation bar and click the < New > button.

• Enter the user name "abc".

• Select the access level "Management".

• Select the service type "Web".

• Enter the password "123" and the confirmation password "123".

• Click the < OK > button to complete the operation.

Figure 27 Creating the local user abc

3.4 Validation Results

(1) On the host admin, open IE and enter the URL https://1.1.1.1. A [Security Alert] dialog box appears, asking whether to continue accessing the server.

Figure 28 Confirming the certificate of the HTTPS server

(2) Click the < Yes > button to enter the login page of the gateway's Web management interface.

(3) Enter the user name abc, the password 123, and the verification code, select the language of the Web pages, and click the < Login > button to access the gateway's Web interface and control it.

Figure 29 Web management user login page
