HP-UX IPSec version A.02.00 Administrator's Guide

Using Certificates with HP-UX IPSec
Configuring Authentication Records with IKE IDs
Chapter 4
For remote_id_type USER-FQDN, remote_id is the User Fully Qualified Domain Name (User-FQDN) in SMTP format, such as user@myhost.hp.com. This must match the subject of the certificate.
For remote_id_type X500-DN, remote_id is the X.500 Distinguished Name. This must match the Subject distinguishedName (Subject DN) of the certificate. The format for the DN is:

CN=commonName,O=organization,C=country[,OU=organizationUnit]
Where:

commonName: The commonName of the Subject DN, in printable string format. This field is required. Commas are not accepted as part of this value. The size of this value must not exceed 64 bytes.

organization: The organization of the Subject DN, for example Hewlett-Packard. This field is required. Commas are not accepted as part of this value. The size of this value must not exceed 64 bytes.

country: The two-character ISO 3166-1 code for the country listed in the Subject DN, for example US for the United States of America. This field is required. Commas are not accepted as part of this value. The size of this value must not exceed 64 bytes.

organizationUnit: The organizationalUnit of the Subject DN, for example Marketing. This field is optional. Commas are not accepted as part of this value. The size of this value must not exceed 64 bytes.
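The two ID formats above (USER-FQDN in SMTP format, and the restricted X500-DN form with its required/optional attributes, no-comma rule and 64-byte limit) are easy to get wrong in an ipsec_config batch file, and a mismatch against the certificate Subject DN only surfaces as an IKE authentication failure. The following Python validator is an added example written for this page; it is not part of HP-UX IPSec or its tools. It assumes that attribute types are compared case-insensitively (the guide's own example writes c=US while the format shows C=), that the attribute order shown in the format is the one to enforce, and that "match the Subject DN" means attribute-by-attribute equality of the configured remote_id with the certificate subject; the guide does not spell out any of these, so treat them as assumptions. The country check only verifies the two-letter shape, not membership in ISO 3166-1.

```python
"""Validate HP-UX IPSec remote_id values for USER-FQDN and X500-DN.

Added example for this page, not HP-UX code. Rules implemented are the
ones the guide states: CN, O, C required, OU optional, no commas in
values, each value at most 64 bytes, C a two-letter ISO 3166-1 code.
"""
import re

MAX_VALUE_BYTES = 64
DOCUMENTED_ORDER = ("CN", "O", "C", "OU")  # OU optional, the others required
REQUIRED = DOCUMENTED_ORDER[:3]


def parse_x500_dn(dn):
    """Split 'CN=a,O=b,C=US[,OU=d]' into an ordered list of (type, value).

    Because the guide forbids commas inside values, a plain split on ','
    is exact for this restricted format; no RFC 4514 escaping is needed.
    Attribute types are upper-cased (assumption: case-insensitive types).
    """
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN {part!r}: expected TYPE=value")
        rdns.append((attr.strip().upper(), value))
    return rdns


def validate_x500_dn(dn):
    """Return [] if dn satisfies the guide's rules, else a list of problems."""
    try:
        rdns = parse_x500_dn(dn)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    types = [t for t, _ in rdns]
    for t in REQUIRED:
        if t not in types:
            problems.append(f"missing required attribute {t}")
    for t in dict.fromkeys(types):  # each distinct type once, in order
        if t not in DOCUMENTED_ORDER:
            problems.append(f"unsupported attribute {t}")
        elif types.count(t) > 1:
            problems.append(f"attribute {t} appears more than once")
    for t, v in rdns:
        if not v:
            problems.append(f"{t} value is empty")
        if len(v.encode("utf-8")) > MAX_VALUE_BYTES:
            problems.append(f"{t} value exceeds {MAX_VALUE_BYTES} bytes")
    c = dict(rdns).get("C")
    if c is not None and not re.fullmatch(r"[A-Za-z]{2}", c):
        problems.append("C must be a two-character ISO 3166-1 code")
    known = [t for t in types if t in DOCUMENTED_ORDER]
    if known != sorted(known, key=DOCUMENTED_ORDER.index):
        # Assumption: the order shown in the guide's format is enforced.
        problems.append("attributes not in the documented order CN,O,C[,OU]")
    return problems


# USER-FQDN: local part, '@', then a dotted hostname of DNS-style labels.
# Assumption about what the guide calls "SMTP format".
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_USER_FQDN = re.compile(rf"[^@\s]+@(?:{_LABEL}\.)+{_LABEL}")


def validate_user_fqdn(uid):
    """Return [] if uid looks like user@host.domain, else one problem."""
    if _USER_FQDN.fullmatch(uid):
        return []
    return ["USER-FQDN must look like user@host.example.com"]


def validate_remote_id(remote_id_type, remote_id):
    """Dispatch on the -rtype value used with ipsec_config add auth."""
    if remote_id_type == "X500-DN":
        return validate_x500_dn(remote_id)
    if remote_id_type == "USER-FQDN":
        return validate_user_fqdn(remote_id)
    return [f"no validator for remote_id_type {remote_id_type}"]


def normalize_dn(dn):
    """Canonical form for comparison: types upper-cased, documented order,
    values kept byte-for-byte (assumption: values are case-sensitive)."""
    rdns = parse_x500_dn(dn)
    rank = {t: i for i, t in enumerate(DOCUMENTED_ORDER)}
    return tuple(sorted(rdns, key=lambda tv: rank.get(tv[0], len(rank))))


def dn_matches(configured_rid, cert_subject_dn):
    """True if the configured remote_id and the certificate Subject DN are
    the same attribute-by-attribute (assumed meaning of 'must match')."""
    return normalize_dn(configured_rid) == normalize_dn(cert_subject_dn)


if __name__ == "__main__":
    # The guide's own example DN, plus a constructed certificate subject.
    rid = "CN=hostn,O=myco,c=US"
    print(validate_remote_id("X500-DN", rid))                  # []
    print(dn_matches(rid, "CN=hostn,O=myco,C=US,OU=Marketing"))  # False
```

Run it against every -rid in a batch file before ipsec_config loads it; an empty list means the value is well-formed under the rules above, and dn_matches tells you whether it will line up with the peer's certificate subject as printed by your certificate tooling.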
Default: If remote_id_type and remote_id are not specified, HP-UX IPSec uses the IPv4 or IPv6 address of the remote system, taken from the source address of the inbound IP packets.
Examples

The remote system Mike, with address 192.1.1.1, uses X.500 Distinguished Names as IKE IDs. The local system is not multihomed, so you do not have to specify local ID information.

ipsec_config add auth Mike -remote 192.1.1.1 \
-rtype X500-DN -rid CN=hostn,O=myco,c=US
You are using certificate-based authentication between HP-UX systems Black (10.10.10.10) and Zebra. Zebra is multihomed, with addresses 10.20.20.20 and 192.6.2.20. The security certificate for Zebra contains the address 10.20.20.20 as the SubjectAlternativeName. On Black, you add the following entries to the ipsec_config batch file: