Using OpenSSL Certificates with HP-UX IPSec A.02.01

Verifying the Certificate Configuration
You can verify the basic certificate configuration (certificates without the CRL) before adding the CRL to
the HP-UX IPSec configuration. The HP-UX IPSec software does not require you to configure a CRL, but
HP strongly recommends that you do so in production environments. You can use the following
procedure to verify the basic certificate configuration:
1. Generate traffic that matches an IPSec policy to encrypt or authenticate data.
2. Enter the command ipsec_report -sa and verify that HP-UX IPSec established an IKE security
association (SA) and IPSec SAs with the remote system.
Adding the CRL to the HP-UX IPSec Configuration
HP-UX IPSec can retrieve the CRL from an LDAP directory or a local file.
Use one of the following procedures on each HP-UX IPSec system to retrieve the CRL and add it to the
HP-UX IPSec configuration.
Retrieving the CRL from an LDAP Directory
1. On the HP-UX IPSec system, use the following command to retrieve the CRL from the LDAP
database. This command also saves the LDAP directory information in the file
/var/adm/ipsec/cainfo.txt, which is read by the HP-UX IPSec cron script file,
/var/adm/ipsec_gui/cron/crl.cron.
ipsec_config add crl -ldap ldap_host \
-base ou=lab,o=example,c=us -filter cn=pki-ca
2. Add an entry to the root user’s crontab file (/var/spool/cron/crontabs/root) to
periodically retrieve the CRL from the LDAP directory using the HP-UX IPSec script, located in
/var/adm/ipsec_gui/cron/crl.cron. For example, the following entry executes the HP-UX
IPSec script every hour:
0 * * * * /var/adm/ipsec_gui/cron/crl.cron
Execute the crontab command to submit the root crontab file:
crontab /var/spool/cron/crontabs/root
Retrieving the CRL from a Local File
1. Manually copy the CRL file from the OpenSSL CA system to the HP-UX IPSec system. The CRL file
must be in DER format.
2. On the HP-UX system, use the following command to add the CRL file to the HP-UX IPSec
configuration:
ipsec_config add crl -file file_name
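The following POSIX sh wrapper is an added example, not part of the HP document: it performs steps 1 and 2 of the local-file procedure by converting a CRL produced by the OpenSSL CA to the DER format HP-UX IPSec requires, checking the CRL signature against the CA certificate, and then running ipsec_config add crl -file. The CA certificate path and destination file name are assumed placeholders, and ipsec_config exists only on the HP-UX system.

```shell
#!/bin/sh
# Added example (not from the HP document). An OpenSSL CA normally emits a
# PEM CRL ("openssl ca -gencrl"), while HP-UX IPSec requires DER.

# Print PEM, DER or UNKNOWN based on the first bytes of the file.
# A PEM CRL starts with "-----BEGIN X509 CRL-----" (0x2d 0x2d ...);
# a DER CRL starts with the ASN.1 SEQUENCE tag 0x30.
crl_format() {
    head5=$(od -A n -t x1 -N 5 "$1" | tr -d ' \n')
    case "$head5" in
        2d2d2d2d2d) echo PEM ;;
        30*)        echo DER ;;
        *)          echo UNKNOWN ;;
    esac
}

# Convert to DER if necessary, verify the CRL signature with the CA
# certificate, then hand the file to HP-UX IPSec. Non-zero on any failure.
install_crl() {
    src=$1      # CRL file copied from the OpenSSL CA system
    cafile=$2   # CA certificate (PEM) that issued the CRL (assumed path)
    der=$3      # destination DER file, e.g. /var/adm/ipsec/pki-ca.crl.der
    case "$(crl_format "$src")" in
        PEM) openssl crl -in "$src" -inform PEM -outform DER -out "$der" || return 1 ;;
        DER) cp "$src" "$der" || return 1 ;;
        *)   echo "$src: not a PEM or DER CRL" >&2; return 1 ;;
    esac
    # Older OpenSSL releases exit 0 even on "verify failure", so test the
    # message rather than the exit status.
    openssl crl -in "$der" -inform DER -CAfile "$cafile" -noout 2>&1 \
        | grep -q 'verify OK' || { echo "$der: CRL signature check failed" >&2; return 1; }
    # Show the validity window so a stale CRL (nextUpdate in the past) is noticed.
    openssl crl -in "$der" -inform DER -noout -lastupdate -nextupdate
    ipsec_config add crl -file "$der"
}

# Usage on the HP-UX IPSec system:
# install_crl /tmp/pki-ca.crl.pem /var/adm/ipsec/ca.pem /var/adm/ipsec/pki-ca.crl.der
```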
Verifying the Certificate and CRL Configuration
After you have added the CRL to the HP-UX IPSec configuration, you can repeat the procedure you
used to verify the local and remote certificates (generate IPsec traffic and enter the command
ipsec_report -sa) to verify the certificates with the CRL.
1. Enter the command ipsec_report -sa to check if there are any existing SAs between the local
and remote systems. If there are, use the ipsec_admin -deletesa ip_address command to
delete the SAs. Alternatively, you can stop and restart HP-UX IPSec on the local and remote system.