HP-UX IPSec A.02.01.01 Release Notes for HP-UX 11i v3
Known Problems and Limitations
This section lists the problems and limitations known to HP at the time of
publication. Where a workaround is available, it is described.
• Host Name Resolution
If you are using DNS, NIS or NIS+ to resolve hostnames to IP addresses and you have an
IPSec policy that discards, encrypts or authenticates packets to the DNS, NIS or NIS+ server,
you must configure your system to resolve the address for the local hostname and the
loopback name using the /etc/hosts file.
Workaround: Configure the hostname resolution services as follows:
— In the /etc/nsswitch.conf file, specify files as the first database for resolving
hostnames. You can then specify other sources (such as DNS) as backup databases, as
shown in the example below:
hosts: files [NOTFOUND=continue] dns
— In the /etc/hosts file, add an entry for the local hostname mapped to its IP address,
and an entry for the IP address 127.0.0.1 mapped to localhost and loopback,
as shown in the example below:
192.6.1.1 myhost
127.0.0.1 localhost loopback
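The following pre-flight check is an added example and is not part of the HP-UX IPSec release notes. It verifies the two conditions above before an IPSec policy that covers the DNS, NIS or NIS+ server is enabled: that the hosts: line in nsswitch.conf names files as its first source, and that /etc/hosts maps the local hostname to an address and 127.0.0.1 to both localhost and loopback. The hostname myhost, the address 192.6.1.1 and the sample file contents are constructed for the demo; on a real system pass /etc/nsswitch.conf, /etc/hosts and the output of hostname.

```shell
#!/bin/sh
# Added example, not HP's code: check that the local hostname and the
# loopback name resolve from /etc/hosts before any DNS/NIS lookup happens.

# check_hosts_resolution NSSWITCH HOSTS HOSTNAME
# Returns 0 when NSSWITCH lists "files" as the first source on its "hosts:"
# line and HOSTS maps HOSTNAME to an address and 127.0.0.1 to both
# "localhost" and "loopback". Returns 1 with a reason on stderr otherwise.
check_hosts_resolution() {
    nss=$1 hosts=$2 name=$3

    first=$(awk '$1 == "hosts:" { print $2; exit }' "$nss")
    if [ "$first" != "files" ]; then
        echo "$nss: first hosts source is '${first:-none}', expected files" >&2
        return 1
    fi

    # HOSTNAME must appear as a name (any field after the address) on an
    # uncommented line.
    if ! awk -v n="$name" '
        $1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
        END { exit !found }' "$hosts"; then
        echo "$hosts: no entry for $name" >&2
        return 1
    fi

    # The 127.0.0.1 line must carry both names.
    if ! awk '
        $1 == "127.0.0.1" {
            for (i = 2; i <= NF; i++) {
                if ($i == "localhost") l = 1
                if ($i == "loopback")  b = 1
            }
        }
        END { exit !(l && b) }' "$hosts"; then
        echo "$hosts: 127.0.0.1 must map to localhost and loopback" >&2
        return 1
    fi
    return 0
}

# write_samples DIR -- constructed nsswitch.conf / hosts files for the demo.
# The "good" pair matches the workaround above; the "bad" pair queries DNS
# first and lacks the loopback name.
write_samples() {
    dir=$1
    printf 'hosts: files [NOTFOUND=continue] dns\n' > "$dir/nsswitch.good"
    printf 'hosts: dns [NOTFOUND=continue] files\n' > "$dir/nsswitch.bad"
    printf '192.6.1.1 myhost\n127.0.0.1 localhost loopback\n' > "$dir/hosts.good"
    printf '127.0.0.1 localhost\n' > "$dir/hosts.bad"
}

# Demo: run the check against both constructed pairs.
demo_dir=${TMPDIR:-/tmp}/hostres.$$
mkdir -p "$demo_dir"
write_samples "$demo_dir"
for case in good bad; do
    if check_hosts_resolution "$demo_dir/nsswitch.$case" "$demo_dir/hosts.$case" myhost; then
        echo "$case: local name resolution does not depend on the network"
    else
        echo "$case: fix before enabling the IPSec policy"
    fi
done
rm -rf "$demo_dir"
```

Run it as root on the host before adding the policy, e.g. `check_hosts_resolution /etc/nsswitch.conf /etc/hosts "$(hostname)"`. A non-zero exit means the first IKE negotiation with the name server could block on a lookup that the policy itself prevents.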
• Re-installing HP-UX IPSec
If you remove HP-UX IPSec (using swremove), and re-install HP-UX IPSec, you must
manually remove the file /var/adm/ipsec/.admin_info and re-establish the HP-UX
IPSec password using the command ipsec_admin -newpasswd.
• IPv6 IKE ID Type Not Supported
HP-UX IPSec does not support the IPv6 IKE ID type when using RSA signatures (certificates)
for authentication. Do not specify -alt-ipv6 in the ipsec_config add csr command.
Do not specify -ltype IPV6 or -rtype IPV6 in the ipsec_config add auth command.
• OpenSSL CA Does Not Copy Extension Fields
By default, an OpenSSL Certificate Authority (CA) does not copy extension fields from
Certificate Signing Requests (CSRs) to the signed certificate. To use OpenSSL certificates
with HP-UX IPSec, you must configure the OpenSSL CA to copy the extension fields.
Workaround: One way to force the OpenSSL CA to copy the extension fields is by
uncommenting the following entry in the OpenSSL configuration file:
copy_extensions = copy
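The check below is an added example and is not code from HP or from OpenSSL. It resolves default_ca from the [ ca ] section of an openssl.cnf and returns success only when that CA section has an uncommented copy_extensions = copy, which is what the workaround requires so that the subjectAltName requested by ipsec_config add csr survives signing. The two configuration fragments it writes are constructed: one with the entry still commented out (the shipped default) and one corrected. On a real system pass the file your openssl ca command reads.

```shell
#!/bin/sh
# Added example, not HP's or OpenSSL's code: verify that the CA section in
# use has "copy_extensions = copy" enabled before signing IPSec CSRs.

# ca_copies_extensions CONF
# Returns 0 if the section named by default_ca in [ ca ] contains an
# uncommented "copy_extensions = copy"; returns 1 if the entry is missing,
# commented out, or set to another value.
ca_copies_extensions() {
    awk '
        /^[ \t]*#/ { next }                          # whole-line comment
        /^[ \t]*\[/ { sec = $0; gsub(/\[|\]|[ \t]/, "", sec); next }
        {
            line = $0; sub(/#.*/, "", line)           # strip trailing comment
            eq = index(line, "=")
            if (eq == 0) next
            key = substr(line, 1, eq - 1); gsub(/[ \t]/, "", key)
            val = substr(line, eq + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (sec == "ca" && key == "default_ca") ca = val
            if (key == "copy_extensions") copies[sec] = val
        }
        END { exit !(ca != "" && (ca in copies) && copies[ca] == "copy") }
    ' "$1"
}

# write_openssl_samples DIR -- constructed openssl.cnf fragments for the demo.
write_openssl_samples() {
    dir=$1
    # Shipped default: the entry is present but commented out.
    cat > "$dir/openssl.default.cnf" <<'EOF'
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = ./demoCA
policy = policy_match
# copy_extensions = copy
EOF
    # Corrected: uncommented, so requested extensions are copied to the cert.
    cat > "$dir/openssl.fixed.cnf" <<'EOF'
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = ./demoCA
policy = policy_match
copy_extensions = copy
EOF
}

# Demo: report both constructed configurations.
demo_dir=${TMPDIR:-/tmp}/cacnf.$$
mkdir -p "$demo_dir"
write_openssl_samples "$demo_dir"
for f in openssl.default.cnf openssl.fixed.cnf; do
    if ca_copies_extensions "$demo_dir/$f"; then
        echo "$f: CA will copy CSR extensions"
    else
        echo "$f: CA will drop CSR extensions; uncomment copy_extensions = copy"
    fi
done
rm -rf "$demo_dir"
```

After signing, confirm the result with `openssl x509 -in signed.pem -noout -text` and look for the Subject Alternative Name section. Note that copy_extensions = copy copies every extension the CSR asks for, including a basicConstraints CA:TRUE that a requester could place in the request, so inspect each CSR with `openssl req -in req.pem -noout -text` before signing it with this setting.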
• ipsec_config Requires Subject for Certificate Signing Requests
The X.509 version 3 specification does not require the subject field in a certificate if the
subjectAlternativeName field is present. However, because of requirements in library routines
used by HP-UX IPSec, the ipsec_config add csr command always requires the user
to configure information for the subject field.
• Distinguished Names with Multiple Organizational Unit Attributes Not Supported for
Remote Authentication
If you are using certificate-based IKE authentication and the remote system's certificate has
a Distinguished Name (DN) field with multiple Organizational Unit (OU) attributes, the
remote ID field of the authentication record must not contain an OU attribute. For example,
if the remote system's certificate contains the DN
CN=MyHost,C=US,O=HP,OU=West,OU=Blue, the remote ID cannot include any OU
attributes. The remote ID can include other attributes from the DN (-rid
Known Problems and Limitations 9