HP-UX IPSec A.02.01.01 Release Notes HP-UX 11i version 1 and HP-UX 11i version 2 Update 2 HP Part Number: J4256-90024 Published: February 2007 Edition: 2.
© Copyright 2007 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Table of Contents
Overview (page 7)
HP-UX IPSec (page 7)
New and Changed Features in This Release (page 7)
New Features
List of Tables
Table 1 Fixes in HP-UX IPSec A.02.01.01
This document provides information about the A.02.01.01 release of HP-UX IPSec for HP-UX 11i version 1 (B.11.11) and HP-UX 11i version 2 Update 2 (B.11.23).
Overview
The A.02.01.01 release of HP-UX IPSec contains the following changes:
• Defect fixes.
• Changes for compatibility with ARPA Transport releases. See “Migration Recommendations for HP-UX 11i v1 Customers” (page 18) for migration recommendations for HP-UX 11i v1 customers.
Table 1 Fixes in HP-UX IPSec A.02.01.01 (continued)
Defect ID: SR 8606420262 (JAGaf80092)
Description: IKE SA negotiations fail on HP-UX PA-RISC systems when using certificate-based authentication with a Certificate Authority (CA) that generates Version 2 Certificate Revocation Lists (CRLs), such as a Microsoft CA. The audit log shows messages that include the following text: ERROR...crypto_validate_and_insert_certificate, Error processing CERT payload, and Phase 1 MM processing failed.
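The fix above only matters if your CA actually issues Version 2 CRLs, and the quickest way to find out is to look at the CRL itself: per RFC 5280 a v2 CRL carries an explicit version INTEGER (value 1) at the start of TBSCertList and may carry crlExtensions as the trailing [0] EXPLICIT element, while a v1 CRL has neither. The following Python script is an added diagnostic written for these notes; it is not HP-UX IPSec code and does not verify the CRL signature. The two sample CRLs it contains are constructed in place (issuer CN=Example CA, empty signature) purely so the script runs offline; the load_crl helper and the file path are assumptions for illustration.

```python
"""Report the X.509 version of a DER- or PEM-encoded CRL (v1 vs. v2) with a
minimal ASN.1 TLV walk. Added diagnostic for these release notes; it is not
HP-UX IPSec code and performs no signature verification."""
import base64


def der(tag, content):
    """Encode one DER TLV (used only to build the constructed samples below)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, content, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def crl_version(crl_der):
    """Return (version, has_crl_extensions) for a DER CertificateList.

    TBSCertList ::= SEQUENCE { version INTEGER OPTIONAL, signature, issuer,
    thisUpdate, nextUpdate OPTIONAL, revokedCertificates OPTIONAL,
    crlExtensions [0] EXPLICIT OPTIONAL }.  The version INTEGER is present
    (value 1) only for v2 CRLs; crlExtensions are only allowed in v2.
    """
    tag, cert_list, _ = read_tlv(crl_der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE: CertificateList expected")
    tag, tbs, _ = read_tlv(cert_list, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE: TBSCertList expected")
    tag, first, _ = read_tlv(tbs, 0)
    version = int.from_bytes(first, "big") + 1 if tag == 0x02 else 1
    has_extensions = False
    pos = 0
    while pos < len(tbs):
        tag, _, pos = read_tlv(tbs, pos)
        if tag == 0xA0:                    # [0] EXPLICIT crlExtensions
            has_extensions = True
    return version, has_extensions


def load_crl(path):
    """Assumed helper: read a CRL file, accepting either DER or PEM encoding."""
    with open(path, "rb") as f:
        data = f.read()
    if data.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(line for line in data.splitlines()
                        if not line.startswith(b"-----"))
        data = base64.b64decode(body)
    return data


# Constructed samples (not real CA output): structurally valid, unsigned CRLs
# for issuer CN=Example CA with an empty BIT STRING as the signature value.
_ALG = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010105")) + der(0x05, b""))  # sha1WithRSAEncryption
_ISSUER = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x13, b"Example CA"))))  # CN=Example CA
_THIS_UPDATE = der(0x17, b"070201000000Z")   # UTCTime 2007-02-01
_NEXT_UPDATE = der(0x17, b"070301000000Z")   # UTCTime 2007-03-01
# crlExtensions [0] { cRLNumber (2.5.29.20) = 1 }
_CRL_NUMBER_EXT = der(0xA0, der(0x30, der(0x30, der(0x06, bytes.fromhex("551d14")) + der(0x04, der(0x02, b"\x01")))))

SAMPLE_CRL_V1 = der(0x30, der(0x30, _ALG + _ISSUER + _THIS_UPDATE + _NEXT_UPDATE)
                    + _ALG + der(0x03, b"\x00"))
SAMPLE_CRL_V2 = der(0x30, der(0x30, der(0x02, b"\x01") + _ALG + _ISSUER + _THIS_UPDATE
                             + _NEXT_UPDATE + _CRL_NUMBER_EXT)
                    + _ALG + der(0x03, b"\x00"))


if __name__ == "__main__":
    for name, sample in (("constructed v1", SAMPLE_CRL_V1), ("constructed v2", SAMPLE_CRL_V2)):
        print(name, crl_version(sample))
    # On a real file (assumed path): print(crl_version(load_crl("/tmp/ca.crl")))
```

On a system with OpenSSL the same fact can be read from `openssl crl -inform DER -in ca.crl -noout -text`, which prints "Version 2 (0x1)" for a v2 CRL; the script is useful where only a bare HP-UX host and a CRL file are at hand. If the CA issues v2 CRLs and the system is still on a release earlier than A.02.01.01, expect the "Error processing CERT payload" failures listed in Table 1 until the upgrade is applied.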
Known Problems and Limitations This section provides a list of known problems and limitations as known to HP at time of publication. If workarounds are available, they are described.
CN=MyHost,C=US,O=HP), if doing so provides sufficient information to identify the remote system. Alternatively, you can authenticate the identity of the remote system using another ID type, such as IPv4 address (IPV4).
Compatibility and Installation Requirements This section describes the compatibility information and installation requirements for this release. For specific installation instructions, refer to HP-UX IPSec version A.02.01 Administrator's Guide (J4256–90016). Operating System and Version Compatibility HP-UX IPSec A.02.01.01 is supported on HP-UX 11i v1 (B.11.11) and HP-UX 11i v2 Update 2 (v2UD2).
ARPA Transport Upgrades
The ARPA Transport upgrades required for HP-UX IPSec A.02.01.01 vary according to the HP-UX version and the use of the following optional features:
• The Streams NOSYNC option. The NOSYNC option is a Streams feature that improves IP performance by enabling it to simultaneously process multiple requests received on the same queue.
• Dynamic keying for MIPv6 (available with HP-UX 11.23 v2UD2 and later).
Migrating to A.02.01.01 The following sections contain procedures for migrating from previous versions of HP-UX IPSec. NOTE: HP-UX IPSec A.02.01.01 contains changes for compatibility with ARPA Transport. If you are using HP-UX IPSec on an HP-UX 11i v1 system, see “Migration Recommendations for HP-UX 11i v1 Customers” (page 18). Migrating without Reusing Configuration Data If you do not want to reuse your HP-UX IPSec configuration data, complete the procedure described in “Installing A.02.01.
Migrating from Versions A.01.03 - A.01.05
To migrate from HP-UX IPSec version A.01.03, A.01.04, or A.01.05 and reuse configuration data, you must migrate in a step-wise manner, as follows:
1. Migrate from A.01.03, A.01.04, or A.01.05 to A.01.07.
2. Migrate from A.01.07 to A.02.01.01.
Use the following migration procedure:
1. If you are migrating from HP-UX IPSec version A.01.03 (or lower), check if you are using any transforms with the MD5 algorithm.
Migration Tasks
This section describes the following migration tasks:
• “Installing A.02.01.01 without Reusing Configuration Data”
• “Using ipsec_migrate”
• “Modifying the Baltimore CRL Retrieval Method”
• “Modifying the VeriSign CRL Retrieval Method”
• “Migrating A.01.01 - A.01.03 MD5 Transforms” (page 17)
• “Migrating from Versions A.01.01 and A.01.02 to Version A.01.05” (page 17)
Installing A.02.01.01 without Reusing Configuration Data
Use the following procedure to install HP-UX IPSec A.02.01.
copy and saves it in the file /var/adm/ipsec/backup/config.db.timestamp or /var/adm/ipsec/backup/cainfo.txt.timestamp, as applicable. The timestamp is in the format dd-mm-yy-hh-mn-ss, where:
dd is the day
mm is the month
yy are the last two digits of the year
hh is the hour
mn is the number of minutes
ss is the number of seconds
The ipsec_migrate utility saves updated files in the appropriate locations (/var/adm/ipsec/config.db and /var/adm/ipsec/cainfo.txt).
To retrieve a VeriSign CRL, you must manually retrieve it using the VeriSign OnSite web interface and store it in a local file, and then use the following command to store the file in the HP-UX IPSec storage scheme:
ipsec_config add crl -file crl_filename
The crl_filename is the name of the local file that contains the CRL retrieved from VeriSign.
Migrating A.01.01 - A.01.03 MD5 Transforms
HP-UX IPSec versions A.01.04 and higher fix a defect in the HP-UX IPSec MD5 algorithm.
Migration Recommendations for HP-UX 11i v1 Customers HP-UX IPSec version A.02.01.01 also contains changes for compatibility with ARPA Transport releases. In mid-2007, HP will release the ARPA Transport patch PHNE_35351 on HP-UX 11i v1. PHNE_35351 will incorporate Transport Optional Upgrade Release (TOUR) functionality and fix critical defects. All subsequent ARPA Transport patches and releases will include functionality previously available only with TOUR.