10-20Configuring a Certificate Attribute-Based Access Control PolicyNetwork requirementsz The client accesses the remote HTTP Security (HTTPS) server through the HTTPS protocol.z SSL is configured to ensure that only legal clients log into the HTTPS server.z Create a certificate attribute-based access control policy to control access to the HTTPS server.Figure 10-4 Configure a certificate attribute-based access control policyConfiguration procedurez For detailed information about SSL configuration, refer to SSL Configuration in the SecurityVolume.z For detailed information about HTTPS configuration, refer to HTTP Configuration in the SystemVolume.z The PKI domain to be referenced by the SSL policy must be created in advance. For detailedconfiguration of the PKI domain, refer to Configure the PKI domain.1) Configure the HTTPS server# Configure the SSL policy for the HTTPS server to use. system-view[Switch] ssl server-policy myssl[Switch-ssl-server-policy-myssl] pki-domain 1[Switch-ssl-server-policy-myssl] client-verify enable[Switch-ssl-server-policy-myssl] quit2) Configure the certificate attribute group# Create certificate attribute group mygroup1 and add two attribute rules. The first rule defines thatthe DN of the subject name includes the string aabbcc, and the second rule defines that the IPaddress of the certificate issuer is 10.0.0.1.[Switch] pki certificate attribute-group mygroup1[Switch-pki-cert-attribute-group-mygroup1] attribute 1 subject-name dn ctn aabbcc[Switch-pki-cert-attribute-group-mygroup1] attribute 2 issuer-name ip equ 10.0.0.1[Switch-pki-cert-attribute-group-mygroup1] quit