HP-UX IPSec A.03.00.01 Release Notes
HP-UX 11i version 3

Abstract
This document provides information about the A.03.00.01 release of HP-UX IPSec for HP-UX 11i v3 (B.11.31).

HP Part Number: 5900-1280
Published: November 2010
Edition: 2
© Copyright 2010 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Contents
1 HP-UX IPSec overview ........................................ 5
2 New and changed features .................................... 6
  New and changed features in A.03.00.01 ..................... 6
  New and changed features in A.03.00.00 ..................... 7
  IKE policy changes ..................................
  Known problems and limitations ............................ 15
5 Compatibility and installation requirements ............... 16
  Operating system and version compatibility ................ 16
  Software requirements ..................................... 16
  Disk requirements ........................................
1 HP-UX IPSec overview

HP-UX IPSec provides transparent encryption for IP-based applications and enhances the privacy of Internet communications. HP-UX IPSec supports PKI-based authentication, rule-based access control, and the Internet Key Exchange (IKE) protocol. It also serves as a framework for open-standards networking, requires no application modification to take advantage of network-level security, and can be a component of the HP Virtual Private Network (VPN) solution.
2 New and changed features

New and changed features in A.03.00.01

With the A.03.00.01 release of HP-UX IPSec, the ipsec_config add csr command now supports specifying multiple values (up to 20) for the following types of alternative names in the subjectAlternativeName field of a certificate:
• -alt-ipv4
• -alt-fqdn
• -alt-user-fqdn
Without this enhancement, if IPSec is used with the Secure Resource Partitions (SRP) product, each SRP would have to use the same ID when authenticating.

-alt-user-fqdn johnson@myhost.acme.com nichols@home.acme.com

Examples of the ipsec_config add csr command specifying multiple alternative names

In the following example, the ipsec_config add csr command specifies two IPv4 addresses, two FQDNs, and a single User-FQDN as alternative names in the specified certificate:
%ipsec_config add csr -subject cn=myhost,c=us,o=hp,ou=lab \
  -alt-ipv4 192.6.2.2 -alt-ipv4 192.6.1.1 \
  -alt-fqdn myhost.hp.com -alt-fqdn myhost2.hp.com \
  -alt-user-fqdn roadrunner@acme.
• “Host and tunnel policy changes” (page 11)
  ◦ “Nested transforms and DES transforms are obsolete” (page 11)
  ◦ “Support for fallback to clear in host policies” (page 11)
  ◦ “Support for multiple source and destination arguments in host and tunnel policies” (page 11)
  ◦ “Support for IP Address ranges in tunnel policies” (page 11)
  ◦ “Support for IP Address and port number ranges in host policies” (page 11)
  ◦ “Port numbers and services are ignored in tunnel policies” (page 11)
  ◦ “Support for IC
default IKEv1 and IKEv2 policies

The product includes preloaded IKEv1 and IKEv2 policies named default. You can modify these policies, but you cannot delete them. The default policies are always last in the search order.

The ipsec_config add ike command is deprecated

The ipsec_config add ike command and related commands (ipsec_config delete ike, ipsec_config show ike) are deprecated. These commands are still supported, but are no longer documented.

IKE support for AES128-CBC encryption

IKEv1 and IKEv2 policies support AES128-CBC encryption.

Authentication record changes

The following sections describe product changes related to authentication records.

Authentication records are mandatory

In releases prior to A.03.
Hexadecimal storage for preshared key values starting with 0x

The ipsec_config utility now stores preshared key values that start with 0x as hexadecimal values. (In releases prior to A.03.00, ipsec_config stored all preshared key values as ASCII strings.) This change can cause configuration mismatches with previous HP-UX IPSec versions. For example, if an HP-UX IPSec A.03.00 system and an HP-UX IPSec A.02.00 system both configure the value 0x123 for a preshared key, IKE negotiations will fail.
Support for ICMPv4 and ICMPv6 type codes in host policies

The ipsec_config add host command supports the following options to specify ICMPv4 and ICMPv6 message type codes in packet filters:
• dst_icmp_type and src_icmp_type (destination and source ICMPv4 type values)
• dst_icmpv6_type and src_icmpv6_type (destination and source ICMPv6 type values)

Support for IPv6 mobility header type codes in host policies

The ipsec_config add host command supports dst_mh_type and src_mh_type options to specify IPv6 Mo

the root CA. Each CA certificate and CRL must be contained in a separate file or directory object; HP-UX cannot store multiple certificates or CRLs from a single file or directory object.

Certificate revocation list cron file change

The name and location of the file containing a cron script to retrieve a certificate revocation list (CRL) changed. The new file path is /var/adm/ipsec/util/crl.cron. The file path in previous releases was /var/adm/ipsec_gui/cron/crl.cron.
3 Known problems that have been fixed

Known problems fixed in IPSec A.03.00.01

The following table lists the known problems and fixes in the A.03.00.01 release of HP-UX IPSec.

Table 1 Fixes in HP-UX IPSec A.03.00.01
Defect ID: QXCR1001070877
Description: The HP-UX IPSec startup script, S011ipsec, might fail to configure the IPSec device file if /tmp is full during HP-UX system startup. This can lead to a hang at system boot or shutdown.

Known problems fixed in IPSec A.03.00.

4 Known problems and limitations

This section lists the known problems and limitations as known to HP at the time of publication. Where workarounds are available, they are described.
5 Compatibility and installation requirements

This section describes the compatibility information and installation requirements for this release. For specific installation instructions, refer to the HP-UX IPSec version A.03.00 Administrator's Guide (J4256-90043).

Operating system and version compatibility

HP-UX IPSec A.03.00 is supported on HP-UX 11i v2 Update 2 (v2UD2) and HP-UX 11i v3.

Software requirements

HP-UX IPSec requires the following software:
• OpenSSL software version A.00.09.071 or later.

Public Key Infrastructure requirements

To use security certificates with HP-UX IPSec, your topology must meet the following requirements:
• All security certificates must be administered using a PKI product from the same vendor. When you configure HP-UX IPSec, you must configure only one PKI vendor for all security certificate operations.

6 Migrating to HP-UX IPSec A.03.00

The following sections contain information for migrating from HP-UX IPSec version A.02.01 to A.03.00.

NOTE: If you are using a version of HP-UX IPSec prior to A.02.01, you must upgrade to HP-UX IPSec A.02.01 or A.02.01.01 first, then migrate to HP-UX IPSec A.03.00. Refer to the HP-UX IPSec A.02.01 Administrator's Guide (J4256-90015) for information on migrating from previous versions to A.02.01 or A.02.01.01.
3. Check if you need to make any additional changes to the configuration database. See “Additional configuration tasks” (page 19) for more information.
4. Start HP-UX IPSec:
   ipsec_admin -start

Additional configuration tasks

The ipsec_migrate utility changes object types and values when converting a configuration database for HP-UX IPSec A.03.00. Check the following list for additional changes that may be needed after running ipsec_migrate:
• Check the IKEv1 policies.

0x and are using it with a release prior to A.03.00, the key values will not match. Change the preshared key values on both systems.
• Configure the AUTOCONF flag in authentication records for autoconfiguration clients. In previous releases, the AUTOCONF flag was set in host policies. The use of the AUTOCONF flag in host policies is deprecated and might be removed in future product releases.

Certificate files

Beginning with release A.03.00, HP-UX IPSec stores certificate and CRL files in new locations.
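The preshared key mismatch described under “Hexadecimal storage for preshared key values starting with 0x” and again in the migration checklist above can be caught before a mixed-version deployment is brought up. The following added example (not HP code, not part of these release notes) models how a pre-A.03.00 system and an A.03.00 system derive key bytes from the same configured string and lists the values that must be changed on both peers; it assumes that A.03.00 decodes the digits after 0x as a hexadecimal byte string, left-pads an odd digit count with one 0 nibble, and treats the 0x prefix case-insensitively, none of which the release notes state.

```python
# Added example, not HP code: model how a pre-A.03.00 HP-UX IPSec system and an
# A.03.00 system interpret the same configured preshared key string, so that a
# migration check can flag keys that will stop matching between mixed-version peers.
# Assumptions not stated in the release notes: A.03.00 decodes the digits after
# "0x" as a hexadecimal byte string, an odd number of hex digits is left-padded
# with one 0 nibble, and the "0x" prefix test is case-insensitive.

HEX_DIGITS = set("0123456789abcdefABCDEF")


def key_bytes_legacy(value: str) -> bytes:
    """A.02.00 and earlier: every preshared key value is stored as an ASCII string."""
    return value.encode("ascii")


def key_bytes_a0300(value: str) -> bytes:
    """A.03.00: a value starting with 0x is stored as hexadecimal, anything else as ASCII."""
    if value[:2].lower() != "0x":
        return key_bytes_legacy(value)
    digits = value[2:]
    if not digits or any(c not in HEX_DIGITS for c in digits):
        raise ValueError(f"not a valid hexadecimal preshared key: {value!r}")
    if len(digits) % 2:  # assumption: odd nibble counts are left-padded with 0
        digits = "0" + digits
    return bytes.fromhex(digits)


def mixed_version_mismatch(value: str) -> bool:
    """True when the two versions derive different key bytes from the same string,
    which is the case the release notes describe (IKE negotiation fails)."""
    return key_bytes_a0300(value) != key_bytes_legacy(value)


def audit_preshared_keys(values):
    """Return the configured values that must be changed on both peers before a
    mixed pre-A.03.00 / A.03.00 deployment can negotiate."""
    return [v for v in values if mixed_version_mismatch(v)]


if __name__ == "__main__":
    # Constructed sample values, not taken from any real configuration.
    sample = ["0x123", "s3cretPassphrase", "0xDEADBEEF", "0X0a0b"]
    for v in audit_preshared_keys(sample):
        print(f"{v!r}: legacy={key_bytes_legacy(v)!r} A.03.00={key_bytes_a0300(v)!r}")
```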
7 Support and other resources

Contacting HP

HP encourages your comments concerning this document. We are truly committed to providing documentation that meets your needs. To make comments and suggestions about product documentation, send a message to: http://www.hp.com/bizsupport/feedback/ww/webfeedback.html
Please include the document title, manufacturing part number, and any comment, error found, or suggestion for improvement you have concerning this document.

variable   The name of an environment variable, for example PATH or errno.
value      A value that you may replace in a command or function, or information in a display that represents several possible values.
[ ]        The contents are optional in formats and command descriptions.
{ }        The contents are required in formats and command descriptions.
|          Separates items in a list of choices. In the following example, you must specify either item-a or item-b: {item-a | item-b}
\          The continuous line symbol.