HP-UX IPSec Version A.03.00 Administrator's Guide

-ldap server
The hostname or address of the LDAP server where the CA certificate is stored.
Default: None.
-port port_number
TCP port number for the LDAP server.
Range: 1 - 65535.
Default: 389, the IANA registered TCP port number for LDAP.
-base search_base
Search base for the certificate, in X.500 Distinguished Name (DN) format, such as
C=US,O=HP,OU=Lab. The search base with the search filter appended to it forms a search path
to the location of the cACertificate attribute in the LDAP directory.
If there are spaces in the DN, you must enclose the DN in double quotes (" "). For example,
"C=US,O=My Company,OU=Blue Lab".
Default: None.
-filter search_filter
An RFC 2254-compliant LDAP search filter. If it includes spaces or shell special characters, enclose
the value in double quotes. For example, -filter "objectClass=*".
Default: "objectClass=*" (match all values for objectClass).
-user user -password password
User and password needed to access the LDAP directory. If the user name includes spaces,
enclose the name in double quotes.
Default: None.
Examples
The following example retrieves a CA certificate from a directory server with a simple tree
structure:
ipsec_config add cacert -ldap myDirsrv \
-base "C=FR,O=Grande Bleu" -filter "CN=My CA"
The following example retrieves three CA certificates for a multiple-level CA structure. The local
system uses a certificate from the CA WestCA. The peer uses a certificate from the CA EastCA.
WestCA and EastCA are child CAs below the CA RootCA. The directory server has a complex
tree structure that also requires password authorization.
ipsec_config add cacert -ldap myADS.hp.com \
-base "cn=WestCA,cn=Public Key Services,CN=Services,CN=Configuration,DC=IPsec,DC=hp,DC=com" \
-filter "objectClass=certificationAuthority" \
-user "adminCW@hp.com" \
-password myPass
ipsec_config add cacert -ldap myADS.hp.com \
-base "cn=EastCA,cn=Public Key Services,CN=Services,CN=Configuration,DC=IPsec,DC=hp,DC=com" \
-filter "objectClass=certificationAuthority" \
-user "adminCW@hp.com" \
-password myPass
ipsec_config add cacert -ldap myADS.hp.com \
-base "cn=RootCA,cn=Public Key Services,CN=Services,CN=Configuration,DC=IPsec,DC=hp,DC=com" \
-filter "objectClass=certificationAuthority" \
-user "adminCW@hp.com" \
-password myPass
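The search path that -base and -filter form, as an added example that is not part of the HP-UX guide or of ipsec_config itself: it applies RFC 4514 escaping to DN values and RFC 4515 escaping to filter values (RFC 4515 superseded the RFC 2254 the guide cites), builds the equivalent LDAP URL (subtree scope and the cACertificate;binary attribute name are assumptions), extracts the certificate from a constructed LDIF reply and computes its SHA-256 fingerprint so it can be compared with the value the CA publishes before the certificate is trusted.

```python
import base64
import hashlib
from urllib.parse import quote
def escape_dn_value(value):
    """RFC 4514 escaping for one RDN value (shell quoting is separate)."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;':
        out = out.replace(ch, "\\" + ch)
    if out[:1] in ("#", " "):
        out = "\\" + out
    return out[:-1] + "\\ " if out.endswith(" ") else out
def escape_filter_value(value):
    """RFC 4515 (successor of RFC 2254) escaping; '*' alone is presence."""
    if value == "*":
        return value
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)
def build_search(server, base_rdns, filter_attr, filter_value, port=389):
    """Combine -ldap/-port/-base/-filter into DN, filter and an RFC 4516 URL
    that selects cACertificate (subtree scope is an assumption)."""
    base = ",".join("%s=%s" % (a, escape_dn_value(v)) for a, v in base_rdns)
    flt = "(%s=%s)" % (filter_attr, escape_filter_value(filter_value))
    url = "ldap://%s:%d/%s?cACertificate;binary?sub?%s" % (
        server, port, quote(base, safe="=,"), quote(flt, safe="=()*"))
    return base, flt, url
# Constructed LDIF as an LDAP search client returns it; the base64 value is
# a placeholder, not a real DER certificate.
SAMPLE_LDIF = ("dn: CN=My CA,O=Grande Bleu,C=FR\n"
               "objectClass: certificationAuthority\n"
               "cACertificate;binary:: YW\n"
               " Jj\n")
def ca_cert_from_ldif(ldif):
    """DER bytes of the first cACertificate value: unfold continuation lines
    (leading space) and decode the '::' base64 form."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    for line in lines:
        if line.lower().startswith("cacertificate"):
            _, _, val = line.partition(":")
            return base64.b64decode(val[1:].strip()) if val.startswith(":") else val.strip().encode()
    return None
def fingerprint(der):
    """SHA-256 fingerprint in colon form, for out-of-band comparison."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))
```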
Step 3: Adding the CA Certificates 125