HP-UX IPSec A.03.00 Release Notes HP-UX 11i version 2 Update 2 and HP-UX 11i version 3 HP Part Number: J4256-90044 Published: April 2009 Edition: 1.
© Copyright 2009 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Table of Contents
Overview, page 7
  HP-UX IPSec, page 7
New and Changed Features, page 7
  IKE Policy Changes
  Profile File, page 17
  Configuration Database, page 17
  Additional Configuration Tasks, page 18
  Certificate Files
List of Tables
Table 1: Fixes in HP-UX IPSec A.03.00
This document provides information about the A.03.00 release of HP-UX IPSec for HP-UX 11i version 2 Update 2 (B.11.23) and HP-UX 11i version 3.
Overview
The A.03.00 release of HP-UX IPSec contains the following changes:
• Defect fixes.
• Numerous enhancements to support IKE version 2 (IKEv2) and the IPsecv3 protocol specifications. For more information, see "New and Changed Features" (page 7).
HP-UX IPSec
HP-UX IPSec provides transparent encryption for IP-based applications.
• "Certificate Changes" (page 11)
  — "The ipsec_config add cert Command is Deprecated" (page 11)
  — "Support for 4096 Bit Key Pairs for Certificates" (page 12)
  — "Support for PKCS#12 Certificates" (page 12)
  — "Certificate Retrieval from LDAP Directories" (page 12)
  — "Support for Multiple Level Public Key Infrastructures" (page 12)
  — "Certificate Revocation List cron File Change" (page 12)
• "Support for RFC 4301 Security Processing for ICMP Errors" (page 12)
• "Profile File Changes" (page 12)
• "Mobile I
The ipsec_config utility now supports the following commands for IKEv2 records:
• ipsec_config add ikev2
• ipsec_config delete ikev2
• ipsec_config show ikev2
IKE DES Encryption Is Obsolete
HP-UX IPSec no longer supports DES encryption for IKEv1 SAs. If an existing IKE policy has DES encryption configured, the migration utility converts the DES value to the default IKEv1 encryption algorithm in the profile file (3DES). The migration utility also converts the policy type to IKEv1 and displays a warning.
Authentication Records Include a Priority Value Authentication records now include a priority value. HP-UX IPSec searches the records in priority order (lowest value to highest). The search fields differ according to the role of the daemon in the IKE negotiation, the IKE version, and the IKEv1 exchange mode. The migration utility sorts existing authentication records using the address prefix length (longest to shortest).
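The priority search and the migration ordering described above, as an added shell model that is not HP's code and does not use the ipsec_config record format. Each record is an illustrative "name remote_prefix auth_method" line with constructed addresses; the point is that after A.03.00 the search is governed only by the priority value, so a broad pre-shared-key record numbered ahead of a more specific certificate record silently shadows it, which is exactly what the longest-prefix-first numbering of ipsec_migrate avoids.

```shell
#!/bin/sh
# Added example (not HP's code): a model of priority-ordered authentication records.
# HP-UX IPSec A.03.00 searches authentication records from the lowest priority value to the
# highest, and ipsec_migrate orders existing records by address prefix length, longest first.
# The three-field record format (name remote_prefix auth_method) is an illustrative model,
# not the ipsec_config record format; the addresses are constructed.
set -eu

RECORDS='default_psk 0.0.0.0/0 psk
lab_subnet 192.6.1.0/24 psk
gateway_cert 192.6.1.1/32 rsa-sig'

# Emit "priority name remote auth" lines numbered 10, 20, 30, ... in file order
# (a naive numbering that keeps the broad record first).
number_in_file_order() {
  printf '%s\n' "$RECORDS" | awk '{ print NR * 10, $0 }'
}

# Emit the same lines ordered longest prefix first, as ipsec_migrate does, so the
# most specific record receives the lowest (first-searched) priority value.
number_by_prefix_length() {
  printf '%s\n' "$RECORDS" \
    | awk '{ split($2, a, "/"); print a[2], $0 }' \
    | sort -k1,1nr \
    | awk '{ print NR * 10, $2, $3, $4 }'
}

# Print the name of the first record matching the peer address when the records are
# searched in ascending priority order; print "none" if nothing matches.
lookup() {   # $1 = peer IPv4 address, $2 = prioritised record lines
  printf '%s\n' "$2" | sort -k1,1n | awk -v ip="$1" '
    function toint(s,   o) { split(s, o, "."); return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4] }
    {
      split($3, net, "/")
      hostbits = 2 ^ (32 - net[2])      # divide both addresses by 2^(host bits) to compare prefixes
      if (int(toint(ip) / hostbits) == int(toint(net[1]) / hostbits)) { print $2; found = 1; exit }
    }
    END { if (!found) print "none" }'
}

echo "migrated (longest prefix first):"
number_by_prefix_length
echo "peer 192.6.1.1 with migrated order  -> $(lookup 192.6.1.1 "$(number_by_prefix_length)")"
echo "peer 192.6.1.1 with file order      -> $(lookup 192.6.1.1 "$(number_in_file_order)")"
```

With the migrated numbering the gateway at 192.6.1.1 is matched by its certificate record; with file-order numbering the 0.0.0.0/0 pre-shared-key record wins for every peer, so review the priority values after migration whenever records overlap.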
This feature is useful when configuring host policies for remote subnets where not all nodes in the subnet support IPsec.
WARNING! Using the FALLBACK_TO_CLEAR flag is a security risk. Traffic with nodes that do not negotiate IPsec passes in the clear, so the local system accepts unauthenticated, unencrypted packets from any address the policy covers.
Support for Multiple Source and Destination Arguments in Host and Tunnel Policies
You can specify up to 20 instances of the -source and -destination arguments in the ipsec_config add host and ipsec_config add tunnel commands.
Support for 4096 Bit Key Pairs for Certificates
HP-UX IPSec now supports 4096-bit public/private key pairs for certificate-based IKE authentication. The ipsec_config add csr command also supports the argument -key_length 4096.
Support for PKCS#12 Certificates
HP-UX IPSec supports certificates stored in Public Key Cryptography Standards (PKCS) #12 format (commonly referred to as PKCS#12). A PKCS#12 file can also include the private key for the certificate.
profile file under the file name /var/adm/ipsec/.ipsec_profile.blank. When you run the ipsec_migrate utility, ipsec_migrate saves the existing /var/adm/ipsec/.ipsec_profile file in the /var/adm/ipsec/backup directory before moving the /var/adm/ipsec/.ipsec_profile.blank file to /var/adm/ipsec/.ipsec_profile. If you use customized settings in your profile file, edit the /var/adm/ipsec/.ipsec_profile.blank file with your customized settings before running ipsec_migrate.
192.6.1.1    myhost
127.0.0.1    localhost loopback
OpenSSL CA Does Not Copy Extension Fields
By default, an OpenSSL Certificate Authority (CA) does not copy extension fields from Certificate Signing Requests (CSRs) to the signed certificate. To use OpenSSL certificates with HP-UX IPSec, you must configure the OpenSSL CA to copy the extension fields.
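The following is an added shell example, not HP's code and not taken from the release notes, that shows the OpenSSL CA behaviour described above together with the 4096-bit key pair and PKCS#12 support introduced in this release. It assumes the openssl command-line tool is on the PATH and writes everything under a scratch directory. The CA name (demo-ca), the PKCS#12 passphrase and the host certificate key usage are constructed; the subjectAltName values (IP 192.6.1.1, DNS myhost) reuse the host entry above. The same CSR is signed twice, once with the OpenSSL default (copy_extensions = none), which drops the requested subjectAltName, and once with copy_extensions = copy, which keeps it:

```shell
#!/bin/sh
# Added example (not HP's code): an OpenSSL CA configured with copy_extensions = copy,
# a 4096-bit host key whose CSR carries a subjectAltName, and a PKCS#12 bundle of the
# signed certificate, its private key and the CA certificate. All names below are
# constructed for the example except the IP/DNS values taken from the hosts entry.
set -eu
WORK="${WORK:-$(mktemp -d)}"
export WORK

write_configs() {
  # CA request config: a self-signed root with basicConstraints CA:TRUE.
  cat > "$WORK/ca-req.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = demo-ca
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  # Host request config: the CSR requests a subjectAltName through req_extensions.
  cat > "$WORK/host.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[ dn ]
CN = myhost
[ v3_req ]
subjectAltName = IP:192.6.1.1, DNS:myhost
EOF
  # Two CA configs that differ only in copy_extensions; "none" is the OpenSSL default.
  for mode in copy none; do
    cat > "$WORK/ca-$mode.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
new_certs_dir = $WORK/newcerts
database = $WORK/index.txt
serial = $WORK/serial
certificate = $WORK/ca.crt
private_key = $WORK/ca.key
default_md = sha256
default_days = 365
policy = policy_any
unique_subject = no
x509_extensions = host_cert
copy_extensions = $mode
[ policy_any ]
commonName = supplied
[ host_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
EOF
  done
}

setup_ca() {
  mkdir -p "$WORK/newcerts"
  : > "$WORK/index.txt"
  echo 01 > "$WORK/serial"
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 365 -key "$WORK/ca.key" \
    -config "$WORK/ca-req.cnf" -out "$WORK/ca.crt" 2>/dev/null
}

# 4096-bit key pair and a CSR whose extension block carries the subjectAltName.
make_host_csr() {
  openssl genrsa -out "$WORK/host.key" 4096 2>/dev/null
  openssl req -new -key "$WORK/host.key" -config "$WORK/host.cnf" -out "$WORK/host.csr" 2>/dev/null
}

sign_csr() {   # $1 = copy | none, $2 = output certificate path
  openssl ca -batch -notext -config "$WORK/ca-$1.cnf" -in "$WORK/host.csr" -out "$2" 2>/dev/null
}

# Exit 0 when the certificate carries a subjectAltName extension.
has_san() {
  openssl x509 -in "$1" -noout -text | grep -q 'Subject Alternative Name'
}

# Print the RSA modulus size in bits of the certificate's public key.
key_bits() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Bundle certificate, private key and CA certificate into one PKCS#12 file.
make_p12() {
  openssl pkcs12 -export -name myhost -inkey "$WORK/host.key" -in "$WORK/host.crt" \
    -certfile "$WORK/ca.crt" -out "$WORK/host.p12" -passout pass:changeit
}

# Print the subject of the end-entity certificate stored in the PKCS#12 file.
p12_subject() {
  openssl pkcs12 -in "$WORK/host.p12" -passin pass:changeit -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject
}

write_configs
setup_ca
make_host_csr
sign_csr none "$WORK/host-nocopy.crt"   # OpenSSL default: requested extensions are dropped
sign_csr copy "$WORK/host.crt"          # copy_extensions = copy: the subjectAltName survives
if has_san "$WORK/host-nocopy.crt"; then echo "default CA: SAN unexpectedly kept"; else echo "default CA: SAN dropped"; fi
if has_san "$WORK/host.crt"; then echo "copy_extensions CA: SAN kept"; fi
echo "host key length: $(key_bits "$WORK/host.crt") bits"
make_p12
echo "PKCS#12 end-entity certificate: $(p12_subject)"
```

Check the signed certificate with openssl x509 -text before importing it: if the subjectAltName the CSR asked for is missing, the CA configuration is still at the OpenSSL default and the certificate will not carry the identity the IKE peer expects.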
Compatibility and Installation Requirements
This section describes the compatibility information and installation requirements for this release. For specific installation instructions, refer to HP-UX IPSec version A.03.00 Administrator's Guide (J4256-90043).
Operating System and Version Compatibility
HP-UX IPSec A.03.00 is supported on HP-UX 11i v2 Update 2 (v2UD2) and HP-UX 11i v3.
Software Requirements
HP-UX IPSec requires the following software:
• OpenSSL software version A.00.09.071 or later.
• All security certificates must be administered using a PKI product from the same vendor.
• When you configure HP-UX IPSec, you must configure only one PKI vendor for all security certificate operations.
Migrating to HP-UX IPSec A.03.00 The following sections contain information for migrating from HP-UX IPSec version A.02.01 to A.03.00. NOTE: If you are using a version of HP-UX IPSec prior to A.02.01, you must upgrade to HP-UX IPSec A.02.01 or A.02.01.01 first, then migrate to HP-UX IPSec A.03.00. Refer to the HP-UX IPSec A.02.01 Administrator's Guide (J4256-90015) for information on migrating from previous versions to A.02.01 or A.02.01.01.
3. Check if you need to make any additional changes to the configuration database. See "Additional Configuration Tasks" (page 18) for more information.
4. Start HP-UX IPSec: ipsec_admin -start
Additional Configuration Tasks
The ipsec_migrate utility changes object types and values when converting a configuration database for HP-UX IPSec A.03.00. Check the following list for additional changes that may be needed after running ipsec_migrate:
• Check the IKEv1 policies.
Certificate Files
Beginning with release A.03.00, HP-UX IPSec stores certificate and CRL files in new locations. The ipsec_migrate utility performs the following tasks when migrating to HP-UX IPSec version A.03.00 from previous versions:
• Extracts certificates, the private key and certificate data from the following files under the /var/adm/ipsec/backup directory:
  /var/adm/ipsec/cainfo.txt
  /var/adm/ipsec/ipsec.key
  /var/adm/ipsec/ipsec.