HP-UX IPSec A.03.01.01 Release Notes
HP-UX 11i version 3

Abstract
This document provides information about the A.03.01.01 release of HP-UX IPSec for HP-UX 11i v3 (B.11.31).

HP Part Number: 5900-2191
Published: March 2012
Edition: 1
© Copyright 2012 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Contents
1 HP-UX IPSec overview ... 5
2 New and changed features ... 6
  New and changed features in A.03.01.01 ... 6
  New and changed features in A.03.00.01 ... 6
  New and changed features in A.03.00.00 ...
  Disk requirements ... 17
  Hardware requirements ... 17
  Public Key Infrastructure requirements ... 18
  Multiple-level CA requirements ...
1 HP-UX IPSec overview

HP-UX IPSec provides transparent encryption for IP-based applications and enhances the privacy of Internet communications. HP-UX IPSec supports PKI-based authentication, rule-based access control, and the Internet Key Exchange (IKE) protocol. It also serves as a framework for open-standards networking, requires no application modification to take advantage of network-level security, and can be a component of the HP Virtual Private Network (VPN) solution.
2 New and changed features

New and changed features in A.03.01.01

The A.03.01.01 release of HP-UX IPSec introduces the following changes:

• Revised requirement for OpenSSL software
  HP-UX IPSec now requires version A.00.09.08q or later. For more information, see “Software requirements” (page 17).

• IKE support for D-H group 24
  HP-UX IPSec now supports the Diffie-Hellman (D-H) group with Transform ID 24 for IKE. The group is used with the IKE protocol to provide security for Internet communications.
• Revised ipsec_config add csr command syntax
  The new syntax for the command is as follows:

  ipsec_config add csr -subj[ect_name] subject_name
      [-alt-ipv4 ipv4_addr1 [-alt-ipv4 ipv4_addr2 ... -alt-ipv4 ipv4_addr20]]
      [-alt-fqdn fqdn1 [-alt-fqdn fqdn2 ... -alt-fqdn fqdn20]]
      [-alt-user-fqdn user_fqdn1 [-alt-user-fqdn user_fqdn2 ...
New and changed features in A.03.00.
• “Mobile IPv6 support is obsolete” (page 13)
• “Gateway policies are obsolete” (page 14)

IKE policy changes

The following sections describe product changes related to IKE policies.

Support for IKE version 2
HP-UX IPSec now supports IKE version 2 (IKEv2) in addition to IKE version 1 (IKEv1).

IKEv1 and IKEv2 policies replace IKE policies
Policies for ike are replaced by ikev1 and ikev2 policies.
If you are using an IKE policy with DES encryption to communicate with peers that still support DES, you must modify the peer configuration to use 3DES or an alternate algorithm.

NOTE: RFC 4772 deprecates DES. DES is susceptible to brute-force attacks.

IKEv1 Perfect Forward Secrecy supported with keys only
HP-UX IPSec now supports IKE Perfect Forward Secrecy (PFS) with key protection only.
Authentication records specify the IKE (key management protocol) version
Authentication records now include a kmp (key management protocol) field that specifies the IKE version (IKEv1 or IKEv2). The default IKE version is IKEv1. You can specify both IKE versions; the IKE daemon then uses the first version for all negotiations it initiates and responds to negotiations for both versions.
Support for IP address and port number ranges in host policies
You can specify IP address or port number ranges in the source and destination arguments (-source and -destination) for IPsec host policies. This feature is not supported with manual keys.

Support for IP address ranges in tunnel policies
You can specify IP address ranges in the end-to-end source and destination arguments (-source and -destination) for IPsec tunnel policies.
(PKI) utilities that generate the public-private key pair and export a file that contains the certificate and the keys.

Certificate retrieval from LDAP directories
HP-UX IPSec can import system and CA certificates that are stored in Distinguished Encoding Rules (DER) format from LDAP directories. The ipsec_config add mycert and ipsec_config add cacert commands support options to import certificates from LDAP directories.
Gateway policies are obsolete
IPsec gateway policies are obsolete. The ipsec_config add gateway command and the related gateway commands are not supported.
3 Known problems that have been fixed

Known problems fixed in IPSec A.03.00.01

The following table lists the known problems and fixes in the A.03.00.01 release of HP-UX IPSec.

Table 1 Fixes in HP-UX IPSec A.03.00.01

Defect ID        Description
QXCR1001070877   The HP-UX IPSec startup script, S011ipsec, might fail to configure the IPSec device file if /tmp is full during HP-UX system startup. This can lead to a hang at system boot or shutdown.

Known problems fixed in IPSec A.03.00.
4 Known problems and limitations

This section lists the problems and limitations known to HP at the time of publication. Where workarounds are available, they are described.
5 Compatibility and installation requirements

This section describes the compatibility information and installation requirements for this release. For specific installation instructions, refer to the HP-UX IPSec version A.03.00 Administrator's Guide (J4256-90043).

Operating system and version compatibility
HP-UX IPSec A.03.00 is supported on HP-UX 11i v2 Update 2 (v2UD2) and HP-UX 11i v3.

Software requirements
HP-UX IPSec requires the following software:
• OpenSSL software version A.00.09.08q or later.
Public Key Infrastructure requirements
To use security certificates with HP-UX IPSec, your topology must meet the following requirements:
• All security certificates must be administered using a PKI product from the same vendor. When you configure HP-UX IPSec, you must configure only one PKI vendor for all security certificate operations.
6 Migrating to HP-UX IPSec A.03.00

The following sections contain information for migrating from HP-UX IPSec version A.02.01 to A.03.00.

NOTE: If you are using a version of HP-UX IPSec prior to A.02.01, you must first upgrade to HP-UX IPSec A.02.01 or A.02.01.01, then migrate to HP-UX IPSec A.03.00. Refer to the HP-UX IPSec A.02.01 Administrator's Guide (J4256-90015) for information on migrating from previous versions to A.02.01 or A.02.01.01.
3. Check whether you need to make any additional changes to the configuration database. See “Additional configuration tasks” (page 20) for more information.
4. Start HP-UX IPSec:
   ipsec_admin -start

Additional configuration tasks
The ipsec_migrate utility changes object types and values when converting a configuration database for HP-UX IPSec A.03.00. Check the following list for additional changes that may be needed after running ipsec_migrate:
• Check the IKEv1 policies.
0x and are using it with a release prior to A.03.00, the key values will not match. Change the preshared key values on both systems.
• Configure the AUTOCONF flag in authentication records for autoconfiguration clients. In previous releases, the AUTOCONF flag was set in host policies. The use of the AUTOCONF flag in host policies is deprecated and might be removed in future product releases.

Certificate files
Beginning with release A.03.00, HP-UX IPSec stores certificate and CRL files in new locations.
7 Support and other resources

Contacting HP
HP encourages your comments concerning this document. We are truly committed to providing documentation that meets your needs. To make comments and suggestions about product documentation, send a message to:
http://www.hp.com/bizsupport/feedback/ww/webfeedback.html
Please include the document title, manufacturing part number, and any comment, error found, or suggestion for improvement you have concerning this document.
variable   The name of an environment variable, for example PATH or errno.
value      A value that you may replace in a command or function, or information in a display that represents several possible values.
[ ]        The contents are optional in formats and command descriptions.
{ }        The contents are required in formats and command descriptions.
|          Separates items in a list of choices. In the following example, you must specify either item-a or item-b: {item-a | item-b}
\          The continuous line symbol.