Host Intrusion Detection System Administrator's Guide Release 3.0
Configuration
Setting Up the HP-UX HIDS Secure Communications
Chapter 2
23
*
* They are stored in /var/opt/ids/tmp as hostname.tar.Z
*
* You should now transfer the bundles via a secure channel
* to the IDS agent machines.
*
* On each agent you will need to run the IDS_importAgentKeys
* script to finish the installation.
************************************************************
The agent certificate bundles are generated and stored in the files:
/var/opt/ids/tmp/myhost1.tar.Z
/var/opt/ids/tmp/myhost2.tar.Z
/var/opt/ids/tmp/15.27.43.6.tar.Z
TIP You can automate agent certificate creation by creating a file of host names and IP
addresses, one host name or IP address per line. Each entry must refer to a single IP
address on an agent system. (See “Configuring a Multihomed Agent System” on page 25
for more information.)
If your file name is list_of_hosts, then the command is:
cat list_of_hosts | IDS_genAgentCerts
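As an added example (not from this guide), the POSIX sh script below wraps that same pipeline: it first checks that every line of list_of_hosts is exactly one host name or one dotted-quad IP address, feeds the list to IDS_genAgentCerts, and then records a cksum manifest of the generated bundles so the administrator on each agent can confirm the bundle arrived intact after the out-of-band transfer in Step 2. It assumes IDS_genAgentCerts is on PATH and that bundles land in /var/opt/ids/tmp; the validation functions can be run on their own without the HIDS software installed.

```shell
#!/bin/sh
# Added example, not from the HP-UX HIDS guide: wraps the TIP's
# "cat list_of_hosts | IDS_genAgentCerts" with a format check on the list
# (one host name or one IPv4 address per line) and records a cksum manifest
# of the resulting bundles so their integrity can be checked after transfer.
# Assumptions: IDS_genAgentCerts is on PATH; bundles land in /var/opt/ids/tmp.

BUNDLE_DIR=${BUNDLE_DIR:-/var/opt/ids/tmp}

# valid_entry LINE: 0 if LINE is exactly one host name or one dotted-quad IPv4
# address. Blank lines, embedded whitespace and malformed quads are rejected.
valid_entry() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|-*|.*|*.|*..*) return 1 ;;
    esac
    if expr "$1" : '[0-9.]*$' >/dev/null; then
        # digits and dots only: require four octets, each in 0-255
        ( IFS=.; set -- $1; [ $# -eq 4 ] || exit 1
          for octet; do [ "$octet" -le 255 ] || exit 1; done ) || return 1
    fi
    return 0
}

# check_host_list FILE: reports each bad line on stderr; returns 1 if any.
check_host_list() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        valid_entry "$line" || { echo "invalid entry: '$line'" >&2; bad=1; }
    done < "$1"
    return $bad
}

# bundle_manifest FILE: one cksum line per expected hostname.tar.Z bundle.
# The receiving administrator runs cksum on each transferred file and compares.
bundle_manifest() {
    while IFS= read -r host || [ -n "$host" ]; do
        cksum "$BUNDLE_DIR/$host.tar.Z"
    done < "$1"
}

# generate_bundles FILE: validate, feed the list to IDS_genAgentCerts exactly
# as the guide's TIP does, then write the manifest beside the bundles.
generate_bundles() {
    check_host_list "$1" || { echo "fix $1 before generating" >&2; return 1; }
    IDS_genAgentCerts < "$1" || return 1
    bundle_manifest "$1" > "$BUNDLE_DIR/bundles.cksum"
}

if [ $# -eq 1 ]; then generate_bundles "$1"; fi   # usage: sh gen_bundles.sh list_of_hosts
```

Copy bundles.cksum to the agents over the same secure channel as the bundles and compare its lines against `cksum hostname.tar.Z` there before running IDS_importAgentKeys.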
NOTE The IDS_genAdminKeys and IDS_genAgentCerts commands have options to provide
alternate key lengths and alternate expiration dates for the administration and agent
certificates. For more information, see the manpages IDS_genAdminKeys (1M) and
IDS_genAgentCerts (1M). The default key length is 1024 bits. The default expiration is
after 700 days.
Step 2. Transport the Certificates
Transfer the agent certificate bundles via a secure channel to the agent systems.
To securely transport the certificate bundles stored in /var/opt/ids/tmp/hostname.tar.Z to
each of the agent machines, you will need an out-of-band secure channel. There are
different ways to move your files from one machine to another securely. For example, you
could use encrypted PGP e-mail, a portable medium (like a floppy disk or tape cassette)
that you carry from the first system to another, an NFS mount, or an FTP site. However,
since every environment is different, you will need to determine which method is best for
your particular situation.
CAUTION FTP, RCP, and unencrypted e-mail are not considered to be secure methods of
transportation; the contents of the file could be exposed to eavesdroppers, which would
threaten the security of the communication system.