Using OpenSSL Certificates with HP-UX IPSec A.02.01

ManualsBrandsHP ManualsSoftwareHP-UX Identity Management Integration Software

Overview............................................................................................................................................ 2

Additional Requirements....................................................................................................................... 2

Creating and Configuring OpenSSL Certificates and CRLs........................................................................ 2

Initializing the OpenSSL CA .............................................................................................................. 3

Creating the CRL.............................................................................................................................. 4

Adding the CRL to the LDAP Directory................................................................................................. 4

Workaround 1............................................................................................................................. 4

Workaround 2............................................................................................................................. 5

Creating Host Certificates ................................................................................................................. 5

Configuring IPSec Policies, IKE Policies and Authentication Records ....................................................... 6

Verifying the Certificate Configuration ............................................................................................ 7

Adding the CRL to the HP-UX IPSec Configuration ................................................................................ 7

Retrieving the CRL from an LDAP Directory.......................................................................................7

Retrieving the CRL from a Local File ................................................................................................ 7

Verifying the Certificate and CRL Configuration ............................................................................... 7

For more information............................................................................................................................ 9

Summary of content (9 pages)

PAGE 1
Using OpenSSL Certificates with HP-UX IPSec A.02.01 Overview............................................................................................................................................ 2 Additional Requirements ....................................................................................................................... 2 Creating and Configuring OpenSSL Certificates and CRLs ........................................................................ 2 Initializing the OpenSSL CA ....
PAGE 2
Overview This document provides information on using HP-UX IPSec versions A.02.01 and later with OpenSSL certificates for IKE primary authentication. This document also describes how to store and retrieve OpenSSL Certificate Revocation Lists (CRLs) using local files or an LDAP (Lightweight Directory Access Protocol) server. A CRL contains a list of revoked (invalid) certificates. HP-UX IPSec uses the CRL to verify that a remote system's certificate is valid during IKE primary authentication.
PAGE 3
Initializing the OpenSSL CA Use the following procedure to set up the OpenSSL CA. You only need to do this on the system that will host the OpenSSL CA, and you only need to do this once. 1. On the OpenSSL CA system, modify the OpenSSL master configuration file to match your installation. The OpenSSL master configuration file name is typically /opt/openssl/openssl.cnf.
PAGE 4
Creating the CRL Use the following procedure to create the CRL on the OpenSSL CA system. After you create the initial CRL, you must generate a new CRL after you revoke a certificate. You must also generate a new CRL when the CRL expires. In the example below, the CRL expires in 15 days. 1. Enter the following OpenSSL command to generate the CRL: openssl ca -gencrl -crldays 15 -out crl/crl.pem 2. Enter the following OpenSSL command to convert the CRL to DER format: openssl crl -in crl/crl.
PAGE 5
file data). 2. Use the Directory Server Console to modify certificationAuthority object and load the file data for the attribute values. Workaround 2 Add the –b (binary data) option to the ldapmodify command and replace each redirection and URI in the LDIF file with the absolute path for the file. For example: ldapmodify -a –b -v –w - -W -D “cn=admin,ou=lab,o=example,c=us” \ -f crl.ldif Configure the crl.
PAGE 6
1. Modify the OpenSSL configuration file to copy extensions from the CSR. Uncomment the following entry in the OpenSSL configuration file: copy_extensions = copy 2. Create an extension file with the subjectAlternativeName information and specify it as part of the openssl ca command. Some examples are listed below: echo "subjectAltName=IP:my_ip_addr" > newcerts/myfile.ext echo "subjectAltName=DNS:my_fqdn" > newcerts/myfile.ext echo "subjectAltName=email:my_user-fqdn" > \ newcerts/myfile.ext 4.
PAGE 7
Verifying the Certificate Configuration You can verify the basic certicate configuration (certificates without the CRL) before adding the CRL to the HP-UX IPSec configuration. The HP-UX IPSec software does not require you to configure a CRL, but HP strongly recommends that you do so in production environments. You can use the following procedure to verify basic certicate configuration: 1. Generate traffic that matches an IPSec policy to encrypt or authenticate data. 2.
PAGE 8
2. Generate traffic that matches an IPSec policy to encrypt or authenticate data. 3. Enter the command ipsec_report –sa and verify that HP-UX IPSec established an IKE SA and IPSec SAs with the remote system.
PAGE 9
For more information www.docs.hp.com/hpux/internet/index.html#HP-UX%20IPSec HP-UX IPSec version A.02.01 Administrator’s Guide, HP, 2005 Copyright  2006 Hewlett-Packard Development Company L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.