Host Intrusion Detection System Administrator's Guide Release 3.1
Chapter 2 Configuration
Setting Up the HP-UX HIDS Secure Communications
HP-UX HIDS provides a secure communication environment between its administration
System Manager and its agent processes through the Secure Sockets Layer (SSL)
protocol. (See “Glossary of HP-UX HIDS Terms” on page 14.)
To use the SSL protocol, each component involved in the communication requires its own
identity in the form of a certificate. The certificate lets a component identify itself to its
peer, and lets the peer verify that any information it receives from another HP-UX HIDS
component is genuine and was not sent by an unauthorized outsider.
To ensure secure communication, the System Manager process, which runs on the
administration system, and the HP-UX HIDS agent process, which runs on each
participating agent system, each need a certificate of their own. HP-UX HIDS provides a
toolset to generate X.509 certificates for this authentication. The System Manager will not
start until these certificates are in place and secure communication has been established.
Table 2-1 provides an overview of the IDS scripts you can use to set up the SSL
environment. See the detailed steps following the table.
NOTE HP-UX HIDS certificate management is self-contained and does not require, and cannot
be integrated with, a pre-existing public key infrastructure (PKI).
Table 2-1 IDS Scripts to Set Up Secure Communications

Script to Use         Where Used              End Product
IDS_genAdminKeys      Administration system   Root Certification Authority and Administration SSL certificate
IDS_genAgentCerts     Administration system   A bundle of signed certificates for each agent system
IDS_importAgentKeys   Agent systems           Agent SSL certificate

To set up the SSL environment, complete the following procedure:
Step 1. Create the X.509 Certificates
To create a certificate for the HP-UX HIDS System Manager process, you must first generate
the administration keys (the Root Certification Authority and the System Manager's own
certificate) locally on the HP-UX HIDS administration system, working as user ids. Only then
can the certificates for each of the agent nodes be signed by the HP-UX HIDS administration
system. The administration system holds the Root Certification Authority (Root CA) that is
used to endorse all other certificates. The Root CA private key is therefore the trust anchor
for the whole deployment: anyone who can read it can issue certificates that the System
Manager and every agent will accept, so protect it accordingly (the procedure below creates it
as user ids on the administration system).
a. On the administration system, become user ids:
$ su - ids
b. Change directory to /opt/ids/bin:
$ cd /opt/ids/bin
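The IDS scripts in Table 2-1 hide the certificate mechanics. The following POSIX shell script is an added example, not part of the HP-UX HIDS guide or toolset, that reproduces the same trust model with the openssl command line so it can be inspected on any host: a self-signed Root CA on the administration system, a System Manager certificate and per-agent certificates signed by that Root CA, and the check each peer performs on the certificate it is shown. The directory layout, subject names, host names and validity periods are assumptions chosen for the illustration, not HIDS defaults.

```shell
#!/bin/sh
# Added illustration, not part of the HP-UX HIDS toolset: the same trust model
# (one Root CA on the administration system, everything else signed by it)
# built with the openssl CLI. Paths, subjects, host names and lifetimes are
# assumptions for the example, not HIDS defaults.
set -eu

# Stand-in for IDS_genAdminKeys: a self-signed Root CA plus the System Manager
# ("administration") certificate signed by that Root CA, all in one directory.
gen_admin_keys() {
  dir=$1
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$dir/rootca.key" -out "$dir/rootca.crt" \
    -subj "/CN=HIDS Root CA (example)" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/admin.key" -out "$dir/admin.csr" \
    -subj "/CN=hids-admin.example" 2>/dev/null
  openssl x509 -req -in "$dir/admin.csr" \
    -CA "$dir/rootca.crt" -CAkey "$dir/rootca.key" -CAcreateserial \
    -days 365 -out "$dir/admin.crt" 2>/dev/null
}

# Stand-in for IDS_genAgentCerts: one key pair and one Root-CA-signed
# certificate per agent host; <host>.key and <host>.crt are what an agent
# would take in at the IDS_importAgentKeys step.
gen_agent_cert() {
  dir=$1; host=$2
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/$host.key" -out "$dir/$host.csr" \
    -subj "/CN=$host" 2>/dev/null
  openssl x509 -req -in "$dir/$host.csr" \
    -CA "$dir/rootca.crt" -CAkey "$dir/rootca.key" -CAcreateserial \
    -days 365 -out "$dir/$host.crt" 2>/dev/null
}

# The check each side of the SSL connection effectively performs on its peer:
# does the presented certificate chain to our Root CA? Prints ok or fail.
verify_against_root() {
  dir=$1; cert=$2
  if openssl verify -CAfile "$dir/rootca.crt" "$cert" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Demo with constructed host names: admin keys, two agents, and one
# certificate from an unrelated self-signed CA, which must be rejected.
demo() {
  d=$(mktemp -d)
  gen_admin_keys "$d"
  for h in agent1.example agent2.example; do gen_agent_cert "$d" "$h"; done
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$d/rogue.key" -out "$d/rogue.crt" -subj "/CN=rogue" 2>/dev/null
  for c in admin agent1.example agent2.example rogue; do
    printf '%-16s %s\n' "$c" "$(verify_against_root "$d" "$d/$c.crt")"
  done
  rm -rf "$d"
}

demo
```

The point the demo makes is the one the NOTE above states: the deployment trusts exactly one Root CA, so a certificate from any other issuer, however well formed, fails verification, and the Root CA private key (rootca.key here) is the file whose compromise would let an outsider mint certificates every component accepts.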