beautypg.com

H3C Technologies H3C SecPath F1000-E User Manual

Page 11

Submitting a PKI certificate request

Retrieving a certificate manually

Verifying PKI certificates

Destroying a local RSA key pair

Deleting a certificate

Configuring an access control policy

Displaying PKI

PKI configuration examples at the CLI

Requesting a certificate from a CA server running RSA Keon

Requesting a certificate from a CA server running Windows 2003 Server

Applying RSA digital signature in IKE negotiation

Configuring a certificate attribute-based access control policy

Troubleshooting PKI

Failed to retrieve a CA certificate

Failed to request a local certificate

Failed to retrieve CRLs

Configuration guidelines

Managing public keys

Feature and hardware compatibility

Overview

Basic concepts

Key algorithm types

Asymmetric key algorithm applications

Configuring the local asymmetric key pair

Creating an asymmetric key pair

Displaying or exporting the local RSA or DSA host public key

Destroying an asymmetric key pair

Configuring a peer public key

Displaying public keys

Public key configuration examples

Configuring a peer public key manually

Importing a peer public key from a public key file

Configuring SSL VPN

Feature and hardware compatibility

SSL VPN overview

How SSL VPN works

SSL VPN advantages

CLI configuration required to implement SSL VPN

Configuration prerequisites

Configuration procedure

Example of the CLI configuration required for SSL VPN

Web configuration required to implement SSL VPN

SSL VPN gateway configuration task list

Configuring the SSL VPN service

Configuring Web proxy server resources

Configuring TCP application resources

Configuring IP network resources

Configuring a resource group

Configuring local users

Configuring a user group

Viewing user information

Performing basic configurations for the SSL VPN domain

Configuring authentication policies