Using OpenSSL Certificates with HP-UX IPSec A.01.07 and HP-UX IPSec A.02.00

Contents
  Overview ................................................... 2
  Creating and Configuring OpenSSL Certificates and CRLs ..... 2
  Procedure .................................................. 3
  For more information
Overview

This document describes how to use HP-UX IPSec versions A.01.07, A.02.00 and A.02.00.01 with OpenSSL certificates for IKE primary authentication. It also describes how to store and retrieve OpenSSL Certificate Revocation Lists (CRLs) using an LDAP (Lightweight Directory Access Protocol) server. A CRL contains a list of revoked (invalid) certificates.
Procedure

The following procedure describes how to use a sample OpenSSL Certificate Authority (CA) with an LDAP server configured on the same system as the CA.

1. On the system where the CA is located, modify the OpenSSL master configuration file to match your installation. Specify file and directory locations that conform to your file system layout and naming conventions.
5. Create a certificate for each HP-UX IPSec system. The following shell script takes the host name as its input parameter and creates a PKCS#12 file (certs/hostname.p12) containing the certificate for the system, the system's private key, and the CA's certificate.

    #!/bin/sh
    if [ $# -ne 1 ]; then
        echo "hostname required"
        exit 1
    fi
    #
    # Create an RSA public/private key pair with a key length of 1024
    # bits
    #
    openssl genrsa -out private/$1.
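The same step carried through end to end, as an added example that is not the whitepaper's script: it builds a throwaway sample CA so it runs stand-alone, then issues a host certificate and bundles host certificate, private key and CA certificate into certs/hostname.p12. The CA directory layout, the configuration section names, the 2048-bit key size (the document uses 1024) and the export password argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the whitepaper's script: issue a host certificate with a
# sample OpenSSL CA and bundle it as certs/<host>.p12 for HP-UX IPSec import.
# The CA layout (openssl.cnf, cacert.pem, private/cakey.pem, certs/, private/)
# and the 2048-bit key size are assumptions chosen for this example.
# Build a throwaway CA in $1 so the example runs stand-alone (constructed CA).
make_sample_ca() {
    cadir=$1
    mkdir -p "$cadir/certs" "$cadir/private" "$cadir/newcerts"
    touch "$cadir/index.txt"
    echo 01 > "$cadir/serial"
    cat > "$cadir/openssl.cnf" <<EOF
[ ca ]
default_ca = sample_ca
[ sample_ca ]
dir = $cadir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_any
[ policy_any ]
organizationName = optional
organizationalUnitName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
    openssl req -new -x509 -newkey rsa:2048 -nodes -config "$cadir/openssl.cnf" \
        -subj "/O=example/OU=lab/CN=pki-ca" -days 365 \
        -keyout "$cadir/private/cakey.pem" -out "$cadir/cacert.pem" 2>/dev/null
}
# Step 5: key pair, CSR, CA-signed cert, then a PKCS#12 bundle (host cert +
# private key + CA cert) written to certs/<host>.p12 and protected by $3.
make_host_p12() {
    cadir=$1; host=$2; pw=$3
    openssl genrsa -out "$cadir/private/$host.key" 2048 2>/dev/null &&
    openssl req -new -key "$cadir/private/$host.key" -config "$cadir/openssl.cnf" \
        -subj "/O=example/OU=lab/CN=$host" -out "$cadir/certs/$host.csr" &&
    openssl ca -batch -config "$cadir/openssl.cnf" -in "$cadir/certs/$host.csr" \
        -out "$cadir/certs/$host.pem" 2>/dev/null &&
    openssl pkcs12 -export -in "$cadir/certs/$host.pem" -inkey "$cadir/private/$host.key" \
        -certfile "$cadir/cacert.pem" -name "$host" -passout "pass:$pw" \
        -out "$cadir/certs/$host.p12"
}
```

Note that OpenSSL 3 writes AES-encrypted PKCS#12 files by default; an importer of this vintage may only accept the older encryption, which OpenSSL 3 selects with the -legacy option of openssl pkcs12.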
    version: 1
    dn: ou=lab,o=example,c=us
    cn: pki-ca
    description: Certificate Authority certificate and revocation list
    cACertificate;binary:< file:///opt/openssl/CA/cacert.der
    certificateRevocationList;binary:< file:///opt/openssl/CA/crl/crl.der
    authorityRevocationList;binary:
    objectClass: certificationAuthority
    objectClass: applicationProcess

NOTE: The Netscape Directory Server for HP-UX (NDS) version 6.
7. Transfer each PKCS#12 file to the appropriate HP-UX IPSec node. On each node, use the HP-UX IPSec configuration GUI, ipsec_mgr, to import the PKCS#12 file into HP-UX IPSec.

Start ipsec_mgr by entering the following command at the HP-UX prompt:

    ipsec_mgr

Do not run ipsec_mgr as a background process. ipsec_mgr prompts for the HP-UX IPSec password before starting the GUI. If the Baltimore Certificates window is not already displayed, click the Baltimore tab at the left side of the screen.

Figure 1.
ipsec_mgr displays the Baltimore Certificate Import screen:

Figure 2. IPSec Manager Baltimore Certificate Import Window

Enter the IP address of the LDAP server, the port number (the default is 389, the IANA registered port number for LDAP), the CRL search base, and the CRL search filter. The CRL search base and search filter combined form the DN of the CRL. The CRL search base is typically the suffix under which the certificates and CRL are stored, such as ou=lab,o=example,c=us.
Configure IKE authentication records, if required. You must configure IKE authentication records if one of the following conditions exists:

  - The local system is multihomed.
  - The remote system is multihomed.
  - The remote system is not an HP-UX system and does not use the system IPv4 address as the IKE ID (ISAKMP identity payload).

In the example below, the local system has HP-UX IPSec A.02.00 installed and the remote system (nodeb) is multihomed, with the IP addresses 192.168.1.5 and 15.1.1.5.
For more information

www.docs.hp.com/hpux/internet/index.html#HP-UX%20IPSec
HP-UX IPSec version A.02.00 Administrator's Guide, HP, 2004

Copyright © 2005 Hewlett-Packard Development Company L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.