HP-UX IPSec Version A.03.00 Administrator's Guide

Step 7: Distributing HP-UX IPSec Configuration Files
After you have verified and tested the HP-UX IPSec configuration on the configuration node,
distribute the HP-UX IPSec configuration database file, /var/adm/ipsec/config.db, to the
other nodes in the cluster.
NOTE: Do not redistribute the configuration database file if HP-UX IPSec is running. If you
need to modify the configuration while HP-UX IPSec is running on the cluster, use an
ipsec_config batch file to make changes on one system. Distribute the batch file to the other
nodes in the cluster, then run ipsec_config with the batch file on the other systems.
Certificate Configuration Files
Distribute the following certificate configuration and data files if you are using RSA signatures
for IKE authentication:
• All files in the /var/adm/ipsec/certstore directory
• All files in the /var/adm/ipsec/crl_cron directory, if you are using cron to periodically
retrieve CRL files
You must redistribute the above files if you get a new certificate, or change CRL retrieval
information.
CAUTION: The private key for the local system certificate is stored in the clear-text file
/var/adm/ipsec/certstore/mykey.pem. Use a secure mechanism to transfer this file, as
described in the section that follows.
Securely Distributing the Private Key File and Certificates
The private key file (/var/adm/ipsec/certstore/mykey.pem) is not encrypted and is
protected only by the file system security mechanism (superuser capability is required). Do not
transfer this file using non-secure channels such as ftp.
If you received the certificate and private key from the CA in a PKCS#12 file, you can transfer
the PKCS#12 file to the other cluster nodes and use the ipsec_config add mycert command
on the cluster nodes to install the certificate and private key.
If you do not have a PKCS#12 file, you can use the following procedure to create an encrypted
PKCS#12 file that you can use to transfer the private key:
1. On the configuration node, use the OpenSSL utility to export the private key and host
certificate to an encrypted PKCS#12 file:
# openssl pkcs12 -export -in /var/adm/ipsec/certstore/mycert.pem \
-inkey /var/adm/ipsec/certstore/mykey.pem \
-out my_file.p12
The OpenSSL utility will prompt you for an Export Password, a password that OpenSSL
uses to encrypt the contents of the file. Make a note of this password; you will need it to
extract (import) the contents of the PKCS#12 file. HP recommends that you use the HP-UX
IPSec password.
2. Transfer the PKCS#12 file to the other cluster nodes.
3. On the remote cluster node, use the ipsec_config add mycert command to extract the private
key and certificate and load them into the HP-UX IPSec storage scheme:
# ipsec_config add mycert -file my_file.p12
The restored key file will contain additional header information and will be slightly larger
than the source key file. This header will not affect IPsec processing.
4. Verify the system certificate by entering the following command:
# ipsec_config show mycert
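The export in step 1, as an added shell example that is not part of the HP-UX IPSec guide: it wraps the openssl command with the checks an administrator would want before the private key leaves the configuration node (key file mode, key/certificate match, and a read-back of the PKCS#12 file with the Export Password). It assumes a POSIX shell with the openssl command, takes the Export Password from a P12PASS environment variable (an assumed name) so it does not appear on the command line, and defaults to the guide's certstore paths; the ipsec_config import in step 3 is unchanged.

```shell
#!/bin/sh
# Added example, not the guide's own procedure. Paths default to the
# certstore directory named in the guide; the Export Password is read from
# the P12PASS environment variable (openssl's -passout env: form).
set -eu

CERTSTORE="${CERTSTORE:-/var/adm/ipsec/certstore}"

# The guide notes the key is protected only by file-system permissions, so
# refuse to export a key file whose mode is not 0600 (owner read/write only).
check_key_perms() {
    key="$1"
    mode=$(ls -l "$key" | cut -c1-10)   # first field of ls -l is the mode string
    [ "$mode" = "-rw-------" ]
}

# Confirm the certificate and RSA private key belong together, so a
# mismatched pair is caught here rather than after distribution.
key_matches_cert() {
    cert="$1"; key="$2"
    c=$(openssl x509 -in "$cert" -noout -modulus)
    k=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Step 1 of the guide: export key and certificate to an encrypted PKCS#12
# file. umask 077 makes the .p12 readable by its owner only.
export_p12() {
    cert="$1"; key="$2"; out="$3"
    umask 077
    openssl pkcs12 -export -in "$cert" -inkey "$key" -out "$out" \
        -passout env:P12PASS
}

# Prove the file opens with the password before it is transferred
# (-noout parses and checks the MAC without writing any key material).
verify_p12() {
    openssl pkcs12 -in "$1" -noout -passin env:P12PASS
}

if [ "${1:-}" = "run" ]; then
    : "${P12PASS:?set P12PASS to the Export Password}"
    check_key_perms "$CERTSTORE/mykey.pem"
    key_matches_cert "$CERTSTORE/mycert.pem" "$CERTSTORE/mykey.pem"
    export_p12 "$CERTSTORE/mycert.pem" "$CERTSTORE/mykey.pem" my_file.p12
    verify_p12 my_file.p12
fi
```

Run as `P12PASS=... sh export_p12.sh run` on the configuration node; any failed check stops the script before my_file.p12 is written.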
244 HP-UX IPSec and Serviceguard