HP-UX IPSec A.03.00 Release Notes
Support for 4096 Bit Key Pairs for Certificates
HP-UX IPSec now supports 4096-bit public/private key pairs for certificate-based IKE
authentication. The ipsec_config add csr command also supports the argument
-key_length 4096.
Support for PKCS#12 Certificates
HP-UX IPSec supports certificates stored in Public Key Cryptography Standards (PKCS) #12
format (commonly referred to as PKCS#12). A PKCS#12 file can also include the private key for
the certificate.
Previous versions of HP-UX IPSec required administrators to generate a local certificate signing
request (CSR) and public-private key pair using the ipsec_config add certreq command,
and then to export the CSR to the Certificate Authority (CA) for signing. Support for PKCS#12
certificates enables administrators to use alternate methods to obtain certificates, such as public
key infrastructure (PKI) utilities that generate the public-private key pair and export a single file
that contains both the certificate and the keys.
Certificate Retrieval from LDAP Directories
HP-UX IPSec can import system and CA certificates from LDAP directories that are stored in
Distinguished Encoding Rules (DER) format. The ipsec_config add mycert and
ipsec_config add cacert commands support options to import certificates from LDAP
directories.
Support for Multiple Level Public Key Infrastructures
HP-UX IPSec can authenticate a peer using multiple-level Public Key Infrastructures (PKIs) with
multiple Certificate Authorities (CAs) if the local system and the peer share a common root CA.
You must install a certificate for the root CA and a certificate for each intermediate CA in the
path from the local system to the root CA, and for each intermediate CA in the path from the
peer to the root CA. Each CA certificate and CRL must be contained in a separate file or directory
object; HP-UX cannot store multiple certificates or CRLs from a single file or directory object.
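Because each CA certificate and CRL must be imported from its own file, the following helper splits a PEM chain bundle (as many PKI tools export it) into one DER object per file. It is an added example, not part of HP-UX IPSec or of these release notes; the sample bundle is constructed from minimal ASN.1 SEQUENCEs rather than real certificates, and the ca<N>.der / ca<N>.crl naming is an assumption.

```python
import base64
import re
from pathlib import Path

# One PEM block: -----BEGIN <label>----- ... -----END <label>-----
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def split_pem_bundle(bundle_text):
    """Return [(label, der_bytes), ...] for every certificate or CRL block.

    Each CA certificate or CRL becomes its own DER blob, which is what a
    one-object-per-file import requires. Other block types (for example a
    private key that ended up in the bundle) are deliberately skipped.
    """
    wanted = {"CERTIFICATE", "X509 CRL"}
    items = []
    for label, body in _PEM_BLOCK.findall(bundle_text):
        if label not in wanted:
            continue
        der = base64.b64decode("".join(body.split()), validate=True)
        # Every DER-encoded certificate or CRL is an ASN.1 SEQUENCE (tag 0x30).
        if not der or der[0] != 0x30:
            raise ValueError(f"{label} block does not decode to an ASN.1 SEQUENCE")
        items.append((label, der))
    return items


def write_separate_der_files(bundle_text, out_dir):
    """Write one .der (certificate) or .crl (CRL) file per block; return the paths."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for i, (label, der) in enumerate(split_pem_bundle(bundle_text), start=1):
        suffix = "crl" if label == "X509 CRL" else "der"
        path = out / f"ca{i}.{suffix}"
        path.write_bytes(der)
        paths.append(str(path))
    return paths


def _pem(label, der):
    """Wrap constructed DER bytes in a PEM block (sample data only)."""
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"


# Constructed sample bundle (not real certificates): a root CA, an
# intermediate CA, a stray private key that must not become a CA object,
# and one CRL. Each SEQUENCE is minimal but has a valid DER tag.
SAMPLE_BUNDLE = (
    _pem("CERTIFICATE", b"\x30\x03\x02\x01\x01")
    + _pem("CERTIFICATE", b"\x30\x03\x02\x01\x02")
    + _pem("PRIVATE KEY", b"\x30\x03\x02\x01\x03")
    + _pem("X509 CRL", b"\x30\x03\x02\x01\x04")
)
```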
Certificate Revocation List cron File Change
The name and location of the file containing a cron script to retrieve a certificate revocation list
(CRL) changed. The new file path is /var/adm/ipsec/util/crl.cron. The file path in
previous releases was /var/adm/ipsec_gui/cron/crl.cron.
If you have an entry in a crontab file that references the /var/adm/ipsec_gui/cron/crl.cron
file, you do not need to modify it. The migration utility creates a softlink from
/var/adm/ipsec_gui/cron/crl.cron to /var/adm/ipsec/util/crl.cron.
In previous releases, HP-UX IPSec also stored information about the location of the LDAP server
for the CRL in the /var/adm/ipsec/cainfo.txt file. This information is now stored in
files in the /var/adm/ipsec/crl_cron directory.
Support for RFC 4301 Security Processing for ICMP Errors
The ipsec_config startup configuration argument -icmp_error_process enables or
disables RFC 4301 security processing for ICMP errors. When this feature is enabled, an IPsec
SA used to secure a normal network session is also used to secure any ICMP or ICMPv6 error
messages generated by that session. By default, this feature is disabled.
Profile File Changes
The ipsec_config profile file format changed.
The default location for the HP-UX IPSec profile file is /var/adm/ipsec/.ipsec_profile.
If this file exists when you install HP-UX IPSec A.03.00, the installation script installs the A.03.00