HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
-filter search_filter
An RFC 2254-compliant LDAP search filter. If it includes spaces or shell special characters, enclose
the value in double quotes. For example, -filter "objectClass=*".
Default: "objectClass=*" (match all values for objectClass).
-user user -password password
User and password needed to access the LDAP directory. If the user name includes spaces, enclose
the name in double quotes. Because the password is passed as a command-line argument, it is visible
in the process table (for example, in ps output) while the command runs and may be recorded in the
shell history when typed interactively; use a directory account with no more than read access to
the CA and CRL objects.
Default: None.
Examples
The following example retrieves a CA certificate from a directory server with a simple tree structure:
ipsec_config add cacert -ldap myDirsrv \
-base "C=FR,O=Grande Bleu" -filter "CN=My CA"
The following example retrieves three CA certificates for a multiple-level CA structure. The local
system uses a certificate from the CA WestCA. The peer uses a certificate from the CA EastCA.
WestCA and EastCA are child CAs below the CA RootCA. The directory server has a complex tree
structure and also requires password authentication. One ipsec_config add cacert command is
issued per CA, each with the base DN of that CA's own object:
ipsec_config add cacert -ldap myADS.hp.com \
-base "cn=WestCA,cn=Public Key Services,CN=Services,CN=Configuration,DC=IPsec,DC=hp,DC=com" \
-filter "objectClass=certificationAuthority" \
-user "adminCW@hp.com" \
-password myPass
ipsec_config add cacert -ldap myADS.hp.com \
-base "cn=EastCA,cn=Public Key Services,CN=Services,CN=Configuration,DC=IPsec,DC=hp,DC=com" \
-filter "objectClass=certificationAuthority" \
-user "adminCW@hp.com" \
-password myPass
ipsec_config add cacert -ldap myADS.hp.com \
-base "cn=RootCA,cn=Public Key Services,CN=Services,CN=Configuration,DC=IPsec,DC=hp,DC=com" \
-filter "objectClass=certificationAuthority" \
-user "adminCW@hp.com" \
-password myPass
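The chain procedure above, as an added example that is not part of the guide: a POSIX sh script that builds the three add cacert commands for WestCA, EastCA and RootCA and escapes any CA name placed in an LDAP filter as RFC 2254 requires, so a name containing parentheses, an asterisk or a backslash matches literally instead of changing the filter's meaning. The directory host, container DN, user name and CA names are taken from the sample commands above; the password file path and the IPSEC_DRY_RUN variable are assumptions introduced for the example.

```shell
#!/bin/sh
# Added example, not from the HP-UX IPSec guide: builds the ipsec_config add cacert
# commands for a CA chain and escapes CA names before they land in an LDAP filter.
# Assumptions: host, container DN, user and CA names come from the guide's sample
# commands; PASS_FILE and IPSEC_DRY_RUN are hypothetical names for this example.

LDAP_HOST="myADS.hp.com"
CA_CONTAINER="cn=Public Key Services,CN=Services,CN=Configuration,DC=IPsec,DC=hp,DC=com"
LDAP_USER="adminCW@hp.com"
PASS_FILE="${IPSEC_LDAP_PASS_FILE:-/var/adm/ipsec/ldap.pw}"   # hypothetical, mode 0600

# Escape an attribute value for use inside an RFC 2254 filter: backslash first,
# then '*', '(' and ')' become their hex escapes.  Without this, a CA name such as
# "Ops (West)*" would alter the filter instead of matching the name literally.
ldap_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Filter for the simple-tree case in the guide: match the CA entry by common name.
cn_filter() {
    printf 'CN=%s\n' "$(ldap_escape "$1")"
}

# Base DN for one CA object in the container used by the guide's multi-level example.
ca_base_dn() {
    printf 'cn=%s,%s\n' "$1" "$CA_CONTAINER"
}

# Render the add cacert command for one CA so the whole chain can be reviewed
# before anything is written to /var/adm/ipsec/certstore.
cacert_cmd() {
    printf 'ipsec_config add cacert -ldap %s -base "%s" -filter "objectClass=certificationAuthority" -user "%s" -password %s\n' \
        "$LDAP_HOST" "$(ca_base_dn "$1")" "$LDAP_USER" "$2"
}

# Execute the command for one CA, passing arguments directly (no eval) so that a
# password containing shell metacharacters cannot be misinterpreted.
run_cacert() {
    ipsec_config add cacert -ldap "$LDAP_HOST" -base "$(ca_base_dn "$1")" \
        -filter "objectClass=certificationAuthority" -user "$LDAP_USER" -password "$2"
}

# Add every CA in the chain.  The password is read from a 0600 file so it does not
# sit in the script or the shell history; ipsec_config still receives it as an
# argument, so it remains visible in ps output for the lifetime of each command.
add_ca_chain() {
    pw="$1"; shift
    for ca in "$@"; do
        if [ "${IPSEC_DRY_RUN:-0}" = 1 ]; then
            cacert_cmd "$ca" "$pw"
        else
            run_cacert "$ca" "$pw" || { echo "failed to add CA certificate for $ca" >&2; return 1; }
        fi
    done
}

if [ "${IPSEC_DRY_RUN:-0}" = 1 ]; then
    add_ca_chain '<password>' WestCA EastCA RootCA
elif [ -r "$PASS_FILE" ]; then
    add_ca_chain "$(cat "$PASS_FILE")" WestCA EastCA RootCA
fi
```

Run with IPSEC_DRY_RUN=1 first to inspect the three commands; without it, the script reads the password file and runs them in order, stopping at the first CA that fails so the chain is never left half-imported.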
Step 4: Adding the CRL
Use the ipsec_config add crl command to add a CRL to the HP-UX IPSec storage scheme.
There are two syntax formats for the ipsec_config add crl command:
• ipsec_config add crl -file
The ipsec_config add crl -file syntax reads a CRL from a file. The file can
be in PEM or DER format. See “ipsec_config add crl -file Syntax” (page 110).
• ipsec_config add crl -ldap
The ipsec_config add crl -ldap syntax retrieves the CRL from an LDAP directory.
See “ipsec_config add crl -ldap Syntax” (page 110).
The ipsec_config add crl command stores the CRLs in the /var/adm/ipsec/certstore
directory. For more information, see “Certificate Storage” (page 112).
The add crl functionality is not supported in ipsec_config batch files.
Multiple Level CAs
If you are using multiple-level CAs, you must use the ipsec_config add crl command to add
a CRL for each CA in the authentication chain to the peer, as described in “Multiple Level CA
Requirements” (page 102).
Each CRL must be contained in a separate file or directory object.