HP-UX IPSec Version A.03.00 Administrator's Guide
Step 4: Configuring Authentication Records for Certificates
This section describes configuration requirements for authentication records if you are using
security certificates (RSA signatures) for IKE authentication. If you are not using security
certificates for IKE authentication, go to “Step 5: Verifying and Testing the HP-UX IPSec
Configuration” (page 242).
All nodes in a Serviceguard cluster share the same certificate and IKE ID configuration. Import
or retrieve a certificate and configure IKE ID information on one node in the cluster and transfer
the certificate files to the other nodes in the cluster.
Certificates
On the configuration node, obtain and install one certificate for the cluster, as described in
Chapter 5: “Using Certificates with HP-UX IPSec” (page 113). All nodes in the cluster will use
this certificate. You will distribute copies of the certificate files to the other nodes in the cluster
in “Step 7: Distributing HP-UX IPSec Configuration Files” (page 244).
On each cluster client, obtain and install a certificate for the client.
Authentication Records and IKE ID Information
Serviceguard systems are multihomed—each node has at least one stationary address, and can
be assigned a relocatable or package address at any time. You must configure local ID information
in the authentication record for each remote system address. This enables HP-UX IPSec to send
the correct local ID type and ID value to the remote systems.
Use the procedure described in “Step 3: Configuring Authentication Records and Preshared
Keys” (page 85) to configure authentication records, with the additional requirements described
in the following sections.
Cluster Node
On each cluster node, add entries to the ipsec_config batch file with add auth operations
to configure an authentication record for each cluster client as follows:
• Remote IP Address (-remote): The cluster client address.
• Local ID type (-ltype): The IKE ID type sent by the cluster nodes. This must be X500-DN,
or one of the types of identifiers in the subjectAlternativeName field of the cluster certificate,
such as IPV4. The default is the address type (IPV4 or IPV6) of the interface used to
communicate with the remote system.
• Local ID value (-lid): The ID value that corresponds to the local ID type. This must match
a value in the cluster certificate. The default is the IP address of the interface used to
communicate with the remote system.
• Remote ID type (-rtype): The IKE ID type sent by the remote system (cluster client). This
must be X500-DN, or one of the types of identifiers in the subjectAlternativeName field of
the client certificate. The default is the address type (IPV4 or IPV6) for the -remote
argument.
• Remote ID value (-rid): The IKE ID value sent by the remote system (cluster client). This
must match the appropriate value in the client certificate. The default is the address specified
for the -remote argument.
If the cluster client is an HP-UX IPSec system and is not multihomed, you can use the default
values for the remote ID type and value.
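The following POSIX shell script is an added illustration of the cluster-node procedure above; it is not text or sample configuration from the guide. It writes one add auth operation per cluster client with the local ID pinned to the cluster certificate's X500-DN, so a multihomed node never falls back to the default local ID (the address of the outgoing interface, which may be a relocatable package address absent from the certificate), and it checks each entry for that omission before the batch file is loaded. The record names, client addresses and distinguished names are constructed placeholders; the batch-file line format (one operation per line, written as add auth name -remote ... -ltype ... -lid ... -rtype ... -rid ... without the ipsec_config prefix) and the ipsec_config batch loading command are assumptions about the syntax, not taken from this page.

```shell
#!/bin/sh
# Added example (not from the HP-UX IPSec guide): generate the cluster-node
# "add auth" batch-file entries described in this section, one per cluster
# client, and sanity-check them before loading the batch file.
# Assumed batch-file line format (one operation per line, no ipsec_config prefix):
#   add auth <name> -remote <addr> -ltype <type> -lid <value> -rtype <type> -rid <value>
# Every name, address and DN below is a constructed placeholder.

# Subject DN of the cluster certificate (placeholder); sent as the local ID.
CLUSTER_DN='C=US,O=Example,OU=SG,CN=cluster1'

# Constructed client list, one per line: <record name>:<client address>:<client DN>
# (DNs must not contain whitespace, since the list is split on it).
CLIENTS='
client1:192.0.2.10:C=US,O=Example,CN=client1
client2:192.0.2.11:C=US,O=Example,CN=client2
'

# gen_auth_entry NAME REMOTE_ADDR CLIENT_DN
# Prints one batch-file operation. The local ID is pinned to the cluster
# certificate's DN because the node is multihomed: the default local ID
# (the address of the outgoing interface) could be a relocatable package
# address that does not appear in the cluster certificate.
gen_auth_entry() {
    printf 'add auth %s -remote %s -ltype X500-DN -lid "%s" -rtype X500-DN -rid "%s"\n' \
        "$1" "$2" "$CLUSTER_DN" "$3"
}

# gen_batch_file OUTPUT_PATH
# Writes every client's entry to OUTPUT_PATH and prints the entry count.
gen_batch_file() {
    : > "$1"
    n=0
    for rec in $CLIENTS; do
        name=${rec%%:*}; rest=${rec#*:}
        addr=${rest%%:*}; dn=${rest#*:}
        gen_auth_entry "$name" "$addr" "$dn" >> "$1"
        n=$((n + 1))
    done
    echo "$n"
}

# check_batch_file PATH
# Returns 0 when every "add auth" line names a -remote address and, wherever it
# sends an X500-DN local or remote ID, also gives the explicit -lid / -rid value
# (an omitted value would silently fall back to an address the certificate
# does not contain); returns 1 and reports each offending line otherwise.
check_batch_file() {
    status=0
    while IFS= read -r line; do
        case $line in
            'add auth '*) ;;
            *) continue ;;       # comments, blank lines, other operations
        esac
        case $line in
            *' -remote '*) ;;
            *) echo "missing -remote: $line" >&2; status=1 ;;
        esac
        case $line in
            *' -ltype X500-DN'*)
                case $line in
                    *' -lid '*) ;;
                    *) echo "X500-DN local ID without -lid: $line" >&2; status=1 ;;
                esac ;;
        esac
        case $line in
            *' -rtype X500-DN'*)
                case $line in
                    *' -rid '*) ;;
                    *) echo "X500-DN remote ID without -rid: $line" >&2; status=1 ;;
                esac ;;
        esac
    done < "$1"
    return $status
}

# Usage: sh gen_cluster_auth.sh /tmp/cluster_auth.batch
# then load it on the node (assumed command syntax): ipsec_config batch /tmp/cluster_auth.batch
if [ $# -eq 1 ]; then
    count=$(gen_batch_file "$1")
    check_batch_file "$1" && echo "$count entries written to $1"
fi
```

The same generated file is copied unchanged to every node in the cluster, which is what lets all nodes present the shared cluster certificate's DN regardless of which stationary or package address they happen to be using toward a given client.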
Step 4: Configuring Authentication Records for Certificates 239