Loading Component Package and Importing an SSL Certificate

Before configuring HTTPS SSL decryption defense, perform the operations described in this section to load the component package and import the SSL certificate.

Prerequisites

The device has activated the licenses for component packages to be dynamically loaded. For details, see Manual Activation of the License.

NOTE:

After the configurations in this section, complete HTTPS SSL decryption defense configuration and deployment on the ATIC. For details, see SSL Decryption Defense.

For the AntiDDoS8000, the SSL decryption function is available only after the application security service subcard is installed. For a description of the application security service subcard, see SPCA-APPSEC-FW or SPCB-APPSEC-FW.

Dynamically Loading the SSL Decryption Component

  1. Access Huawei security platform (domain name: sec.huawei.com). Choose Signature Update > Signature Update. Select the corresponding product and version.
  2. Download the required component package file.

    The SSL encryption and decryption component package is downloaded from the content security package (SSL-encrypted traffic detection) tab page.

    Ensure that the system software version and component package version match. Otherwise, the component package cannot be loaded.

  3. Upload the file to the $_install_mod folder in the root directory.
  4. Run the install-module filename [ next-startup ] command to load the component package for the current or next startup.

    NOTE:
    After the license expires, the license-controlled components become invalid after the device restarts (the configuration is retained, but the services no longer take effect). To continue using the related components, you must reload the license.

Checking the Configuration

After configuring dynamic loading, you can run the display module-information verbose command to view details on dynamically loaded modules.

NOTE:

When the entire device restarts or the application security SPC is swapped, wait for the successful engine loading (run the display engine information command to display the engine running state) before viewing the dynamic loading component package information.

Uninstalling the SSL Decryption Component

If a component package does not need to be dynamically loaded, run the uninstall-module { file-name [ next-startup ] | next-startup all } command to uninstall the component package to release system resources.

NOTE:

After the component package is uninstalled using the uninstall-module file-name command, if you need to install this component package again, you must first restart the system.

Importing the SSL Certificate

When performing HTTPS SSL decryption defense, the AntiDDoS sends a server certificate to the client and decrypts SSL-encrypted traffic sent from the client using the private key of the server certificate to obtain the symmetric key. Therefore, you need to import the server certificate and private key to the AntiDDoS, and specify the server certificate as the internal server certificate.

  1. Save the uploaded server certificate and private key in the hardware storage medium of the AntiDDoS.

    NOTE:

    The uploaded certificate and its private key must be saved to the specified directory as required. The certificate and private key used by the AntiDDoS1600 must be saved in the hda1:/pki/public/ directory. The certificate and its private key used by the AntiDDoS8000 must be stored in the cfcard:/pki/public/ directory. If the certificate and its private key are not saved in the required directory, the system displays a message indicating that the certificate does not exist when the certificate and its private key are imported to the device memory.

  2. Save the uploaded server certificate and private key to the AntiDDoS memory.

    The certificate and private key can be stored in either one certificate file that contains the private key or two separate files. The method for importing the certificate and private key varies according to whether the certificate and private key are stored in one or two files.

    • The certificate file contains the private key.

      pki import rsa-key-pair key-name { pem | pkcs12 } file-name [ password password ]

      key-name specifies the certificate name and private key name to be generated in the memory. Note that the certificate file name finally generated in the memory differs slightly from the specified one: _local.cer is appended to the certificate name. file-name specifies the file name of the certificate and private key to be imported. If the certificate and private key are stored in the same file, the certificate name can also be considered the private key name. password password specifies the encryption password of the private key. After creating the private key file, the certificate issuer encrypts the file for storage; the password is the one set during that file encryption.

    • The certificate and private key are stored in separate files.
      1. Import the certificate file.

        pki import-certificate local [ [ realm realm-name ] { der | pkcs12 | pem } ] filename filename

        filename specifies the name of the certificate file to be imported. After the certificate file is imported to the memory, the system will remove the file name extension and add _local.cer to the original certificate file name. If you cannot determine whether the current certificate is in the der, pkcs12, or pem format, do not specify the parameter. The system will automatically identify the certificate format.

      2. Import the private key file.

        pki import rsa-key-pair key-name { pem | pkcs12 } file-name [ password password ]

        key-name specifies the name of the private key file to be generated in the memory. The file name extension of the private key file is generally either .pem or .p12. For a private key file with the .p12 extension, select pkcs12. file-name specifies the name of the private key file to be imported. password password specifies the encryption password of the private key. After creating the private key file, the certificate issuer encrypts the file for storage; the password is the one set during that file encryption.

      Although the certificate and private key are stored in two separate files, the system automatically associates the two files when the certificate and private key are imported to the memory. You can run the pki match-rsa-key certificate-filename file-name command to view the mappings between certificates and keys.

    The pki import-certificate command imports only the certificate file to the memory. Even though the certificate file contains a private key, the private key is not imported to the memory. The pki import rsa-key-pair command imports only the private key file. However, if the private key file contains a certificate, the certificate is imported to the memory together with the private key. Therefore, choose the command according to the file format so that certificates in different formats are not imported with the wrong command.
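Whether the certificate and private key are in one file or two, which format they use, whether the key password is correct, and whether the key actually belongs to the certificate are all easier to check on a workstation than after a failed import on the device. The following shell script is an added example using the openssl command-line tool; it is not code from this documentation or from the AntiDDoS product, and it does not talk to the device. It assumes openssl is installed and creates its own self-signed test certificate; the file names, the working directory and the password s3cret are assumptions made for the example. It reports the file layout (certificate only, key only, or certificate plus key), verifies that a private key matches a certificate (the relationship the pki match-rsa-key command shows on the device), and builds both single-file layouts, PEM with an AES-encrypted key and PKCS#12, that the pki import rsa-key-pair { pem | pkcs12 } command accepts.

```shell
#!/bin/sh
# Added example, not part of the Huawei documentation: sanity-check the server
# certificate and private key files on a workstation before uploading them to the
# AntiDDoS, and produce the one-file (PEM or PKCS#12) layouts the pki import
# commands expect. Assumes the openssl command-line tool is installed.
# All file names, passwords and the self-signed certificate are constructed here.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed test material: a self-signed RSA certificate and an unencrypted key,
# standing in for the server certificate issued by your CA.
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.cer" >/dev/null 2>&1
}

# Report how many certificate and private-key PEM objects a file carries, which
# tells you whether the one-file import (certificate file contains the private
# key) or the two-file import applies.
pem_layout() {
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
    keys=$(grep -c -E -- '-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----' "$1" || true)
    echo "certs=$certs keys=$keys"
}

# Succeed only if the private key belongs to the certificate, i.e. the public key
# derived from the private key equals the one inside the certificate. The third
# argument is the password of an encrypted key (what the device's
# "password password" parameter carries); omit it for an unencrypted key.
key_matches_cert() {
    cert="$1"; key="$2"; pass="${3:-}"
    c=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    if [ -n "$pass" ]; then
        k=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout 2>/dev/null | openssl sha256)
    else
        k=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    fi
    [ "$c" = "$k" ]
}

# One-file PEM layout: certificate followed by the private key, the key encrypted
# with AES-256 under the password that will be supplied at import time.
bundle_pem() {
    cert="$1"; key="$2"; pass="$3"; out="$4"
    { cat "$cert"; openssl pkey -in "$key" -aes256 -passout "pass:$pass"; } > "$out"
}

# One-file PKCS#12 layout (.p12) for the "pkcs12" variant of the import commands.
bundle_p12() {
    cert="$1"; key="$2"; pass="$3"; out="$4"
    openssl pkcs12 -export -in "$cert" -inkey "$key" -passout "pass:$pass" -out "$out"
}

# Confirm a PKCS#12 file opens with the password and holds both a certificate and
# a private key; a wrong password or a certificate-only bundle fails here rather
# than on the device.
p12_has_key_and_cert() {
    p12="$1"; pass="$2"
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys 2>/dev/null \
        | grep -q -- '-----BEGIN CERTIFICATE-----' &&
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
        | grep -q -- 'PRIVATE KEY-----'
}

# Walk through the whole preparation once when the script is run directly.
demo() {
    make_test_material
    echo "server.cer: $(pem_layout "$WORK/server.cer")"
    key_matches_cert "$WORK/server.cer" "$WORK/server.key" && echo "key matches certificate"
    bundle_pem "$WORK/server.cer" "$WORK/server.key" "s3cret" "$WORK/server_bundle.pem"
    echo "server_bundle.pem: $(pem_layout "$WORK/server_bundle.pem")"
    bundle_p12 "$WORK/server.cer" "$WORK/server.key" "s3cret" "$WORK/server.p12"
    p12_has_key_and_cert "$WORK/server.p12" "s3cret" && echo "server.p12 holds cert and key"
}

demo
```

Run it with WORK set to a directory you control, then upload only the file(s) whose layout matches the import command you intend to use: server_bundle.pem or server.p12 with pki import rsa-key-pair, or server.cer plus an encrypted key file with the two-command sequence. Delete the working directory afterwards; the unencrypted server.key it contains is the same secret the device will hold.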


Copyright © Huawei Technologies Co., Ltd.