HP-UX IPSec A.02.01 Release Notes
Known Problems and Workarounds
• If you are using DNS, NIS or NIS+ to resolve hostnames to IP addresses and you have an
IPSec policy that discards, encrypts or authenticates packets to the DNS, NIS or NIS+
server, you must make sure that the hostname resolution services are configured as
follows:
—The /etc/nsswitch.conf file must specify files as the first database for resolving
hostnames. You can then specify other sources (such as DNS) as backup databases, as
shown in the example below:
hosts: files [NOTFOUND=continue] dns
—The /etc/hosts file must contain an entry for the local hostname mapped to its IP
address, and an entry for localhost and loopback mapped to the IP address 127.0.0.1, as
shown in the example below:
192.6.1.1 myhost
127.0.0.1 localhost loopback
• If you remove HP-UX IPSec (using swremove), and re-install HP-UX IPSec, you must
manually remove the file /var/adm/ipsec/.admin_info and re-establish the HP-UX
IPSec password using the command ipsec_admin -newpasswd.
• On HP 9000 Servers (PA-RISC servers), HP-UX IPSec does not support X.509 Version 2
Certificate Revocation Lists (CRLs).
• HP-UX IPSec does not support the IPv6 IKE ID type when using RSA signatures
(certificates) for authentication. Do not specify -alt-ipv6 in the ipsec_config add csr
command. Do not specify -ltype IPV6 or -rtype IPV6 in the ipsec_config add auth
command.
• By default, an OpenSSL Certificate Authority (CA) does not copy extension fields from
Certificate Signing Requests (CSRs) to the signed certificate. To use OpenSSL certificates
with HP-UX IPSec, you must configure the OpenSSL CA to copy the extension fields. One
way to do this is by uncommenting the following entry in the OpenSSL configuration file:
copy_extensions = copy
• The X.509 version 3 specification does not require the subject field in a certificate if the
subjectAlternativeName field is present. However, because of requirements in library
routines used by HP-UX IPSec, the ipsec_config add csr command always requires the
user to configure information for the subject field.
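The following POSIX sh script is an added example, not HP's code, that audits a system against the two conditions in the first known problem above (files before DNS/NIS/NIS+ on the hosts line, and the required /etc/hosts entries); the function names and the sample file contents are constructed for illustration.

```sh
#!/bin/sh
# Audit the two name-resolution preconditions from the first known problem:
#  1. nsswitch.conf consults "files" before DNS/NIS/NIS+ for hosts
#  2. /etc/hosts maps the local hostname, localhost and loopback
# Functions read the file on stdin so they can be pointed at a real system
# (e.g. check_nsswitch < /etc/nsswitch.conf) or at the constructed samples below.

# Succeeds when the first source on the "hosts:" line is "files".
check_nsswitch() {
    first_src=$(sed -n 's/^[[:space:]]*hosts:[[:space:]]*//p' | head -n 1 | awk '{print $1}')
    [ "$first_src" = "files" ]
}

# Succeeds when the hosts file on stdin maps $1 (hostname) to $2 (IP) and
# maps both "localhost" and "loopback" to 127.0.0.1. Comment lines are ignored.
check_hosts() {
    awk -v host="$1" -v ip="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            for (i = 2; i <= NF; i++) {
                if ($1 == ip && $i == host) have_host = 1
                if ($1 == "127.0.0.1" && $i == "localhost") have_lo = 1
                if ($1 == "127.0.0.1" && $i == "loopback") have_lb = 1
            }
        }
        END { exit (have_host && have_lo && have_lb) ? 0 : 1 }'
}

# Constructed sample contents (hypothetical; not taken from any real host).
SAMPLE_NSS_OK='hosts: files [NOTFOUND=continue] dns'
SAMPLE_NSS_BAD='hosts: dns [NOTFOUND=continue] files'
SAMPLE_HOSTS_OK='# constructed /etc/hosts
192.6.1.1 myhost
127.0.0.1 localhost loopback'
SAMPLE_HOSTS_BAD='192.6.1.1 myhost
127.0.0.1 localhost'

# audit NSSWITCH_TEXT HOSTS_TEXT HOSTNAME IP: succeeds only if both checks pass.
audit() {
    printf '%s\n' "$1" | check_nsswitch && printf '%s\n' "$2" | check_hosts "$3" "$4"
}
if audit "$SAMPLE_NSS_OK" "$SAMPLE_HOSTS_OK" myhost 192.6.1.1; then
    echo "sample 1: resolution order and hosts entries meet the workaround"
fi
if ! audit "$SAMPLE_NSS_BAD" "$SAMPLE_HOSTS_BAD" myhost 192.6.1.1; then
    echo "sample 2: workaround not applied (DNS first, no loopback entry)"
fi
```

To audit a live host, run `check_nsswitch < /etc/nsswitch.conf` and `check_hosts "$(hostname)" <local-ip> < /etc/hosts` and act on a non-zero exit status.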