HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

Examples
The following example retrieves a CRL certificate from a directory server with a simple tree structure.
The CRL is stored as an attribute of the certificationAuthority object.
ipsec_config add cacert -ldap myDirsrv \
-base "C=FR,O=Grande Bleu" -filter "CN=My CA"
The following example retrieves three CRLs for a multiple-level CA structure. The directory server
has a complex tree structure that also requires password authorization.
ipsec_config add crl -ldap myADS.hp.com \
-base "cn=WestCA,cn=Public Key Services,CN=Services,CN=Configuration,DC=IPsec,DC=hp,DC=com" \
-filter "objectClass=cRLDistributionPoint" \
-user "adminCW@hp.com" \
-password myPass
ipsec_config add crl -ldap myADS.hp.com \
-base "cn=EastCA,cn=Public Key Services,CN=Services,CN=Configuration,DC=IPsec,DC=hp,DC=com" \
-filter "objectClass=cRLDistributionPoint" \
-user "adminCW@hp.com" \
-password myPass
ipsec_config add crl -ldap myADS.hp.com \
-base "cn=RootCA,cn=Public Key Services,CN=Services,CN=Configuration,DC=IPsec,DC=hp,DC=com" \
-filter "objectClass=cRLDistributionPoint" \
-user "adminCW@hp.com" \
-password myPass
Step 5: Retrieving the CRL Using cron
If the CA periodically publishes the CRL to an LDAP directory, you can use the following procedure
to automatically retrieve it using the cron utility.
1. Enter the ipsec_config add crl -ldap command if you have not already done so. In
addition to retrieving the CRL, this command creates a file in the /var/adm/ipsec/crl_cron
directory that contains information about the LDAP server. The files in this directory are used
by the /var/adm/ipsec/util/crl.cron script to retrieve the CRLs.
2. Add the following entries to the root user's crontab file.
# Retrieve the CRL from the Certificate Authority
# (for HP-UX IPSec)
mn hr mn_day mon wkday /var/adm/ipsec/util/crl.cron
The fields mn, hr, mn_day, mon, and wkday are placeholders for the five crontab time fields.
Replace them with appropriate values when you enter the lines into the crontab file.
For example, to retrieve the CRL every hour on the hour, add the following entries to the
crontab file:
# Retrieve the CRL from the Certificate Authority
# (for HP-UX IPSec)
0 * * * * /var/adm/ipsec/util/crl.cron
3. Execute the crontab command to submit the root crontab file:
crontab /var/spool/cron/crontabs/root
For more information about cron jobs and the crontab file format, see the cron(1M) and
crontab(1) manpages.
Configuration Example
This example shows the sequence of commands used to configure certificates for HP-UX IPSec on
the system hostA. In addition, the administrator must complete the configuration tasks described
in Chapter 4: “Configuring HP-UX IPSec” (page 57), such as configuring IPsec policies, authentication
rules, and IKE policies.