HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

To verify that all messages sent between the heartbeat IP addresses pass in clear text, run
ipsec_policy and specify only the source and destination IP addresses (use the default wildcard
values for the other parameters). For example, you could use the following command on node
15.1.1.1 to verify that all messages sent to 15.2.2.2 pass in clear text:
ipsec_policy -sa 15.1.1.1 -da 15.2.2.2
You can also explicitly verify that HP-UX IPSec will pass heartbeat messages in clear text. The
example below tests if Serviceguard TCP heartbeat messages (port 5300) will pass in clear text
to node 15.1.1.1 from node 15.2.2.2. The dummy value 65535 is used for the dynamically
assigned source port number (-sp 65535 ).
ipsec_policy -sa 15.1.1.1 -sp 65535 -da 15.2.2.2 -dp 5300 -p tcp
Step 6: Configuring HP-UX IPSec Start-up Options
HP-UX IPSec must be running on all nodes in the cluster before Serviceguard starts. After you have
verified the configuration, you can configure HP-UX IPSec to start automatically at system startup
time. See Chapter 4, “Step 9: Configuring HP-UX IPSec to Start Automatically” (page 98) to
configure HP-UX IPSec to start automatically at system boot-up time.
Step 7: Distributing HP-UX IPSec Configuration Files
After you have verified and tested the HP-UX IPSec configuration on the configuration node, distribute
the HP-UX IPSec configuration database file, /var/adm/ipsec/config.db, to the other nodes
in the cluster.
NOTE: Do not redistribute the configuration database file if HP-UX IPSec is running. If you need
to modify the configuration while HP-UX IPSec is running on the cluster, use an ipsec_config
batch file to make changes on one system. Distribute the batch file to the other nodes in the cluster,
then run ipsec_config with the batch file on the other systems.
Certificate Configuration Files
Distribute the following certificate configuration and data files if you are using RSA signatures for
IKE authentication:
All files in the /var/adm/ipsec/certstore directory
All files in the /var/adm/ipsec/crl_cron directory if you are using cron to periodically retrieve CRL files
You must redistribute the above files if you get a new certificate, or change CRL retrieval information.
CAUTION: The private key for the local system certificate is stored in the clear text file
/var/adm/ipsec/certstore/mykey.pem. Use a secure mechanism to transfer this file, as described
in the section that follows.
Securely Distributing the Private Key File and Certificates
The private key file (/var/adm/ipsec/certstore/mykey.pem) is not encrypted and is
protected only by the file system security mechanism (superuser capability is required). Do not
transfer this file using non-secure channels such as ftp.
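The following shell script is an added example, not part of the HP-UX IPSec guide: it checks that the clear-text private key is readable only by its superuser owner before copying the certstore directory to other cluster nodes over scp rather than ftp. It assumes scp and ssh are available and that root can log in to the other nodes over ssh (an assumption, not something the guide states).

```shell
#!/bin/sh
# Added example (not from the HP-UX IPSec guide). Verifies the file-system
# protection of the unencrypted private key and distributes the certstore
# directory over ssh/scp. Assumes root ssh login to cluster nodes.

CERTSTORE=/var/adm/ipsec/certstore        # directory named in the guide
KEYFILE=$CERTSTORE/mykey.pem              # clear-text private key (from the guide)

# key_file_is_protected FILE [OWNER]
# Returns 0 if FILE is a regular file owned by OWNER (default: root) with no
# group or other permission bits set, i.e. readable only by the superuser as
# the guide describes. Parses ls -l so it works on HP-UX and Linux alike.
key_file_is_protected() {
    file=$1
    owner=${2:-root}
    [ -f "$file" ] || return 1
    line=$(ls -ld "$file") || return 1
    perm=$(printf '%s\n' "$line" | cut -c1-10)       # e.g. -rw-------
    got_owner=$(printf '%s\n' "$line" | awk '{print $3}')
    [ "$got_owner" = "$owner" ] || return 1
    # characters 5-10 are the group and other bits; all six must be '-'
    case "$perm" in
        ????------) return 0 ;;
        *)          return 1 ;;
    esac
}

# distribute_certstore NODE...
# Refuses to run if the local key is already exposed, then copies the
# certstore directory to each node with scp (preserving modes) and re-checks
# the key's permissions on the remote side.
distribute_certstore() {
    key_file_is_protected "$KEYFILE" || {
        echo "refusing: $KEYFILE is not root-only readable" >&2
        return 1
    }
    for node in "$@"; do
        scp -p -r "$CERTSTORE" "root@$node:/var/adm/ipsec/" || return 1
        ssh "root@$node" "chmod 600 '$KEYFILE' && ls -ld '$KEYFILE'" || return 1
    done
}
```

Run distribute_certstore with the hostnames of the other cluster nodes as arguments; it exits non-zero before any copy if mykey.pem is group- or world-readable.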
If you received the certificate and private key from the CA in a PKCS#12 file, you can transfer the
PKCS#12 file to the other cluster nodes and use the ipsec_config add mycert command on
the cluster nodes to install the certificate and private key.
If you do not have a PKCS#12 file, you can use the following procedure to create an encrypted
PKCS#12 file that you can use to transfer the private key: