Using OpenSSL Certificates with HP-UX IPSec A.02.01

1. Modify the OpenSSL configuration file so that openssl ca copies extensions from the CSR. Uncomment
the following entry in the OpenSSL configuration file (openssl.cnf):
copy_extensions = copy
Note that with this setting openssl ca copies every extension present in the request that the CA does
not already supply, so a request carrying basicConstraints CA:TRUE would be issued as a CA certificate.
Sign only CSRs that you generated yourself or have inspected.
2. Create an extension file with the subjectAlternativeName information and pass it to the openssl ca
command in step 4. Each line below writes one alternative: use the form that matches the IKE ID type
the host will present (IPv4 address, FQDN, or user FQDN). Give openssl ca the same path you write here:
echo "subjectAltName=IP:my_ip_addr" > newcerts/myfile.ext
echo "subjectAltName=DNS:my_fqdn" > newcerts/myfile.ext
echo "subjectAltName=email:my_user-fqdn" > newcerts/myfile.ext
4. Use the openssl ca command to sign the host certificate. If you are not using an extension file,
use the following syntax:
openssl ca -out myhost.pem -infiles ipsec.csr
If you are using an extension file, use the following syntax, giving -extfile the path of the file you
created in step 2:
openssl ca -out myhost.pem -extfile myfile.ext -infiles ipsec.csr
5. Transfer the host certificates back to the appropriate HP-UX IPSec systems.
6. Transfer the CA certificate to each HP-UX IPSec system.
7. On each HP-UX IPSec system, use the ipsec_config add cert command to load the host
certificate and the CA certificate. For example:
ipsec_config add cert -mycert myhost.pem -cacert cacert.pem
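The CA-side steps above (copy_extensions, the subjectAltName extension file, openssl ca, and the checks worth running before the certificates go back to the HP-UX hosts) as an added, self-contained rehearsal script. It is not from the HP-UX documentation or from OpenSSL; it builds a throwaway CA in a temporary directory, so the CA name, the host name hostB, the SAN 15.1.1.5 and the rogue CSR are all constructed for the demo, and ipsec_config is not run because it exists only on HP-UX. The last part goes beyond the page to show why copy_extensions = copy is safe only for CSRs you trust.

```shell
#!/bin/sh
# Added example, not HP-UX or OpenSSL project code.  Paths, the CA name,
# "hostB", 15.1.1.5 and the rogue request are assumptions for the demo.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Minimal CA configuration.  copy_extensions = copy is the line the page
# tells you to uncomment; v3_ca gives the self-signed root the basicConstraints
# that "openssl verify" needs before it will trust it as a CA.
write_ca_config() {
    mkdir -p "$WORK/ca/private" "$WORK/ca/newcerts"
    : > "$WORK/ca/index.txt"
    echo 1000 > "$WORK/ca/serial"
    cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $WORK/ca
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_any
unique_subject  = no
copy_extensions = copy
[ policy_any ]
commonName      = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ rogue ]
basicConstraints     = critical,CA:TRUE
EOF
}

# Self-signed CA key and certificate (cacert.pem is what step 6 ships to each host).
make_ca() {
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$WORK/ca/private/cakey.pem" -out "$WORK/ca/cacert.pem" \
        -subj "/CN=Example IPSec CA" -days 365 >/dev/null 2>&1
}

# Stand-in for the CSR an HP-UX host generates: $1 = CN, $2 = CSR path,
# $3 = optional request-extension section (only the rogue CSR uses it).
make_csr() {
    if [ -n "${3:-}" ]; then
        openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
            -keyout "$WORK/$1.key" -out "$2" -subj "/CN=$1" -reqexts "$3" >/dev/null 2>&1
    else
        openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
            -keyout "$WORK/$1.key" -out "$2" -subj "/CN=$1" >/dev/null 2>&1
    fi
}

# Steps 2 and 4: extension file holding the SAN, then openssl ca.
# $1 = CSR, $2 = SAN value such as IP:15.1.1.5, $3 = output certificate.
# -notext keeps the output pure PEM; -batch suppresses the interactive prompts.
sign_csr_with_san() {
    echo "subjectAltName=$2" > "$WORK/myfile.ext"
    openssl ca -batch -notext -config "$WORK/ca.cnf" -out "$3" \
        -extfile "$WORK/myfile.ext" -infiles "$1" >/dev/null 2>&1
}

# Checks before the certificate goes back to the IPSec host: does it chain
# to the CA, does it carry the SAN the peer will use as its IKE ID, and did
# copy_extensions smuggle in a CA flag?  (grep on -text output is portable
# across OpenSSL versions; -ext needs 1.1.1 or later.)
chains_to_ca() { openssl verify -CAfile "$WORK/ca/cacert.pem" "$1" >/dev/null 2>&1; }
has_san()      { openssl x509 -in "$1" -noout -text | grep -q "$2"; }
is_ca_cert()   { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

demo() {
    write_ca_config
    make_ca
    make_csr hostB "$WORK/ipsec.csr"
    sign_csr_with_san "$WORK/ipsec.csr" IP:15.1.1.5 "$WORK/myhost.pem"
    chains_to_ca "$WORK/myhost.pem" && has_san "$WORK/myhost.pem" 'IP Address:15.1.1.5' \
        && ! is_ca_cert "$WORK/myhost.pem" && echo "myhost.pem: chains to CA, SAN present, not a CA"

    # The caveat: a CSR that requests basicConstraints CA:TRUE gets it copied
    # into the issued certificate, because copy_extensions = copy trusts the request.
    make_csr rogue "$WORK/rogue.csr" rogue
    sign_csr_with_san "$WORK/rogue.csr" IP:15.1.1.9 "$WORK/rogue.pem"
    is_ca_cert "$WORK/rogue.pem" && echo "rogue.pem: CA:TRUE was copied from the CSR"
    echo "artifacts in $WORK"
}

demo
```

Run it on any system with the openssl command; the issued myhost.pem and cacert.pem are the two files steps 5 to 7 transfer and load with ipsec_config add cert. Inspect a request before signing it with openssl req -in ipsec.csr -noout -text; the rogue.pem result is what you get if you skip that step.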
Configuring IPSec Policies, IKE Policies and Authentication Records
On the HP-UX IPSec hosts, complete the basic elements of an HP-UX IPSec configuration, if you have
not already done so.
1. Configure the IPsec and IKE policies. The IKE policies must specify RSA signatures (RSASIG) for IKE
primary authentication; the syntax follows the other ipsec_config add commands on this page. For example:
ipsec_config add ike hostB -remote 192.168.1.5 \
-authentication RSASIG
2. Configure IKE authentication records, if required. You must configure IKE authentication records if
any of the following conditions exist:
The local system is multihomed.
The remote system is multihomed.
The remote system does not use the system IPv4 address as the IKE ID (ISAKMP identity payload).
You are using Aggressive Mode.
In the example below, the local system has HP-UX IPSec A.02.01 installed and uses its own IPv4 address
15.1.1.1 as its IKE ID. The remote system (hostB) is multihomed, with the IP addresses 192.168.1.5 and
15.1.1.5, and is reached at 192.168.1.5, but its certificate contains the IP address 15.1.1.5 in the
Subject Alternative Name field, so the IKE ID it presents (15.1.1.5) differs from the address the IKE
exchange is sent to. The authentication record tells IKE which ID to expect from the remote system; the
-rid value must match the SAN in the remote certificate. The following ipsec_config command creates the
IKE authentication record for the remote system:
ipsec_config add auth hostB -remote 192.168.1.5 \
-ltype IPV4 -lid 15.1.1.1 \
-rtype IPV4 -rid 15.1.1.5