HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
-base search_base
Search base for the certificate, in X.500 Distinguished Name (DN) format, such as
C=US,O=HP,OU=Lab. The search base with the search filter appended to it form a search path
to the location of the userCertificate attribute in the LDAP directory.
If there are spaces in the DN, you must enclose the DN in double quotes (" "). For example,
"C=US,O=My Company,OU=Blue Lab".
Default: None.
-filter search_filter
An RFC 2254-compliant LDAP search filter. If it includes spaces or shell special characters, enclose
the value in double quotes. For example, -filter "objectClass=*".
Default: "objectClass=*" (match all values for objectClass).
-user user -password password
User and password needed to access the LDAP directory. If the user name includes spaces, enclose
the name in double quotes.
Default: None.
Examples
The following example retrieves a host certificate from a directory server with a simple tree structure:
ipsec_config add mycert -ldap myDirSrv.hp.com \
-base "o=HPUXIPSec" \
-filter "cn=myHost"
The following example retrieves a host certificate from a directory server with a more complex tree
structure that also requires password authorization:
ipsec_config add mycert -ldap myADS.hp.com \
-base "cn=myHostB,cn=Public Key Services,CN=Services,CN=Configuration,DC=IPsec,DC=hp,DC=com" \
-filter "objectClass=certificate" \
-user "adminCW@hp.com" \
-password myPass
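As an added example (not part of the guide or of ipsec_config itself), a small Python parser for the RFC 2254 filter syntax that -filter accepts; it can be used to check a filter for balanced parentheses, valid operators and escapes before the filter is handed to ipsec_config. By assumption it also accepts a bare item without parentheses, since the guide's default is written as objectClass=*.

```python
import re
_ITEM_RE = re.compile(r'^(\w[\w.;-]*)(~=|>=|<=|=)(.*)$', re.S)  # attribute, operator, value
_OPS = {'=': 'equal', '~=': 'approx', '>=': 'ge', '<=': 'le'}

def _unescape(value):  # decode RFC 2254 \XX hex escapes, e.g. My\20Company -> 'My Company'
    return re.sub(r'\\([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), value)

def _item(text):
    """Parse one comparison such as cn=myHost or objectClass=* into a tuple."""
    m = _ITEM_RE.match(text)
    if not m:
        raise ValueError(f'malformed filter item: {text!r}')
    attr, op, value = m.groups()
    if op == '=' and '*' in value:  # objectClass=* is a presence test, other '*' forms are substring matches
        parts = [_unescape(p) for p in value.split('*')]
        return ('present', attr) if value == '*' else ('substring', attr, parts)
    return (_OPS[op], attr, _unescape(value))

def _parse(s, i):
    """Parse the component starting at s[i] == '('; return (node, index just after its ')')."""
    if i >= len(s) or s[i] != '(':
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    c = s[i] if i < len(s) else ''
    if c in ('&', '|'):
        children = []
        i += 1
        while i < len(s) and s[i] == '(':
            child, i = _parse(s, i)
            children.append(child)
        if not children:
            raise ValueError(f"'{c}' needs at least one operand")
        node = ('and' if c == '&' else 'or', children)
    elif c == '!':
        child, i = _parse(s, i + 1)
        node = ('not', child)
    else:
        end = s.find(')', i)  # a literal ')' inside a value must be escaped as \29, so this is safe
        if end < 0:
            raise ValueError('missing closing parenthesis')
        node, i = _item(s[i:end]), end
    if i >= len(s) or s[i] != ')':
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def parse_filter(text):
    """Parse an RFC 2254 search filter into a nested tuple tree; raise ValueError if malformed."""
    s = text.strip()
    if not s.startswith('('):  # bare item, as in the guide's default objectClass=* (assumption)
        return _item(s)
    node, pos = _parse(s, 0)
    if pos != len(s):
        raise ValueError(f'trailing text after filter: {s[pos:]!r}')
    return node
```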
Step 3: Adding the CA Certificates
Use the ipsec_config add cacert command to add CA certificates to the HP-UX IPSec storage
scheme.
There are two syntax formats for the ipsec_config add cacert command:
• ipsec_config add cacert -file
The ipsec_config add cacert -file syntax extracts a CA certificate from a file. The
file can be in PEM or DER format. See “ipsec_config add cacert -file Syntax”
(page 108).
• ipsec_config add cacert -ldap
The ipsec_config add cacert -ldap syntax retrieves the certificate from an LDAP
database. See “ipsec_config add cacert -ldap Syntax” (page 108).
The ipsec_config add cacert command stores the CA certificates in the /var/adm/ipsec/certstore
directory. For more information, see “Certificate Storage” (page 112).
The ipsec_config add cacert functionality is not supported in ipsec_config batch files.