HP Firewall manual 65

#Create a PKI domain, specify the trusted CA as new-ca, the URL of the server for certificate request as http://10.1.2.2/certsrv/mscep/mscep.dll, authority for certificate request as RA, and the entity for certificate request as en.

[Firewall] pki domain 1 [Firewall-pki-domain-1] ca identifier new-ca

[Firewall-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll [Firewall-pki-domain-1] certificate request from ra

[Firewall-pki-domain-1] certificate request entity en

[Firewall-pki-domain-1] quit

# Create RSA local key pairs.

[Firewall] public-key local create rsa

# Retrieve the CA certificate from the certificate issuing server.

[Firewall] pki retrieval-certificate ca domain 1

# Request a local certificate from a CA through SCEP for the firewall.

[Firewall] pki request-certificate domain 1

#Create an SSL server policy myssl, specify PKI domain 1 for the SSL server policy, and enable certificate-based SSL client authentication.

[Firewall] ssl server-policy myssl [Firewall-ssl-server-policy-myssl] pki-domain 1

[Firewall-ssl-server-policy-myssl] client-verify enable

[Firewall-ssl-server-policy-myssl] quit

#Create a certificate attribute group mygroup1, and configure a certificate attribute rule, specifying that the distinguished name in the subject name includes the string of new-ca.

[Firewall] pki certificate attribute-group mygroup1 [Firewall-pki-cert-attribute-group-mygroup1] attribute 1 issuer-name dn ctn new-ca

[Firewall-pki-cert-attribute-group-mygroup1] quit

#Create a certificate attribute-based access control policy myacp. Configure a certificate attribute-based access control rule, specifying that a certificate is considered valid when it matches an attribute rule in certificate attribute group myacp.

[Firewall] pki certificate access-control-policy myacp [Firewall-pki-cert-acp-myacp] rule 1 permit mygroup1

[Firewall-pki-cert-acp-myacp] quit

# Associate the HTTPS service with SSL server policy myssl.

[Firewall] ip https ssl-server-policy myssl

# Associate the HTTPS service with certificate attribute-based access control policy myacp.

[Firewall] ip https certificate access-control-policy myacp

# Enable the HTTPS service.

[Firewall] ip https enable

#Create a local user named usera, set the password to 123, specify the Web service type, and specify the user privilege level 3. A level-3 user can perform all operations supported by the firewall.

[Firewall] local-user usera [Firewall-luser-usera] password simple 123

[Firewall-luser-usera] service-type web

[Firewall-luser-usera] authorization-attribute level 3

2.Configure the host (HTTPS client):

59