HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

1. On the configuration node, use the OpenSSL utility to export the private key and host certificate
to an encrypted PKCS#12 file:
# openssl pkcs12 -export -in /var/adm/ipsec/certstore/mycert.pem \
-inkey /var/adm/ipsec/certstore/mykey.pem \
-out my_file.p12
The OpenSSL utility will prompt you for an Export Password, a password that OpenSSL uses
to encrypt the contents of the file. Make a note of this password; you will need it to extract
(import) the contents of the PKCS#12 file. HP recommends that you use the HP-UX IPSec
password.
2. Transfer the PKCS#12 file to the other cluster nodes.
3. On the remote cluster node, use the ipsec_config add mycert command to extract the private
key and certificate and load them into the HP-UX IPSec storage scheme:
# ipsec_config add mycert -file my_file.p12
The restored key file will contain additional header information and will be slightly larger than
the source key file. This header will not affect IPsec processing.
4. Verify the system certificate by entering the following command:
# ipsec_config show mycert
NOTE: If you do not want to use the above procedure, you can use one of the following methods to
securely distribute the private key:
• Transfer the private key file using SFTP (the SSH file transfer protocol), which encrypts the file
in transit.
• Copy the private key file to removable media and physically transfer the media to the other cluster
nodes.
Unlike the PKCS#12 file, a key distributed this way is not password-protected, so restrict the
file permissions on every copy and erase the removable media after use.
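The export, verification and import steps above, as an added example that is not part of HP's documentation or of HP-UX IPSec: a POSIX shell script that round-trips a key and certificate through an encrypted PKCS#12 bundle with the openssl command and then checks, the way a practitioner would before trusting the output of ipsec_config show mycert, that the restored key really belongs to the restored certificate. It generates a throwaway self-signed certificate in a temporary directory (constructed test material; the real procedure uses the CA-issued certificate and key in /var/adm/ipsec/certstore), reads the export password from an environment variable P12PASS (an assumption of this example, chosen so the password never appears in ps output or shell history), and assumes only that the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not HP code): round-trip a host key and certificate through an
# encrypted PKCS#12 bundle and verify the result. Uses a throwaway self-signed
# certificate generated here; the real procedure uses the CA-issued files in
# /var/adm/ipsec/certstore. Assumes only that the openssl CLI is installed.

set -u

# Export password comes from the environment (assumed variable name P12PASS),
# not from the command line, so it is not visible in `ps` or shell history.
: "${P12PASS:=changeme-example-only}"
export P12PASS

make_test_identity() {
    # $1 = work dir. Creates mykey.pem / mycert.pem (constructed test material).
    umask 077   # private key files must not be group- or world-readable
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=node1.example.com" \
        -keyout "$1/mykey.pem" -out "$1/mycert.pem" >/dev/null 2>&1
}

export_p12() {
    # $1 = work dir. Bundles key + certificate into an encrypted PKCS#12 file,
    # the equivalent of step 1 of the procedure.
    umask 077
    openssl pkcs12 -export \
        -in "$1/mycert.pem" -inkey "$1/mykey.pem" \
        -out "$1/my_file.p12" -passout env:P12PASS 2>/dev/null
}

verify_p12_password() {
    # Returns 0 only if the bundle decrypts (MAC verifies) with $P12PASS.
    # Run this before shipping the file, so a mistyped export password is
    # caught on the configuration node rather than on every remote node.
    openssl pkcs12 -in "$1/my_file.p12" -info -noout \
        -passin env:P12PASS >/dev/null 2>&1
}

import_and_check() {
    # $1 = work dir. Extracts key and certificate from the bundle (what the
    # import step does on the remote node) and confirms the key belongs to the
    # certificate by comparing the two public keys byte for byte.
    umask 077
    openssl pkcs12 -in "$1/my_file.p12" -nocerts -nodes \
        -out "$1/restored_key.pem" -passin env:P12PASS 2>/dev/null || return 1
    openssl pkcs12 -in "$1/my_file.p12" -clcerts -nokeys \
        -out "$1/restored_cert.pem" -passin env:P12PASS 2>/dev/null || return 1
    # openssl pkey skips the attribute header lines in front of the PEM block
    openssl pkey -in "$1/restored_key.pem" -pubout \
        -out "$1/pub_from_key.pem" 2>/dev/null || return 1
    openssl x509 -in "$1/restored_cert.pem" -pubkey -noout \
        > "$1/pub_from_cert.pem" 2>/dev/null || return 1
    cmp -s "$1/pub_from_key.pem" "$1/pub_from_cert.pem"
}

demo() {
    d=$(mktemp -d) || return 1
    if make_test_identity "$d" && export_p12 "$d" \
        && verify_p12_password "$d" && import_and_check "$d"; then
        echo "PKCS#12 round trip OK: restored key matches restored certificate"
        echo "First lines of the restored key file (note any attribute header" \
             "openssl prepends before the PEM block):"
        head -n 3 "$d/restored_key.pem"
        rc=0
    else
        echo "PKCS#12 round trip FAILED" >&2
        rc=1
    fi
    rm -rf "$d"
    return $rc
}

demo
```

Run it as `P12PASS='...' sh p12_roundtrip.sh`. The attribute lines that openssl writes in front of the restored PEM key are the kind of extra header the import step above says to expect; they are harmless, and the public-key comparison in import_and_check is the check that matters, since a bundle that decrypts but carries the wrong key would still load without error.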
crontab File
If the CRL is stored in an LDAP directory and you want to retrieve the CRL periodically and
automatically, you must also modify the root user's crontab file (/var/spool/cron/crontabs/root)
on each cluster node. Add an entry that executes the /var/adm/ipsec/util/crl.cron file, then
re-submit the crontab file with the crontab command so that cron picks up the change.
Step 8: Configuring Serviceguard
Configure Serviceguard according to the Serviceguard product documentation, with the additional
requirements listed below. Verify the Serviceguard configuration using the cmcheckconf command,
as described in the Serviceguard product documentation.
Cluster Configuration
HP strongly recommends that you do not secure heartbeat messages using IPsec (with AH or ESP).
However, if you do configure HP-UX IPSec to secure heartbeat messages, increase the
NODE_TIMEOUT parameter value in the cluster configuration to allow time for HP-UX IPSec to
establish SAs and authenticate or encrypt the heartbeat messages; otherwise the delay while SAs
are negotiated can be mistaken for a failed node.
Package Configuration
For each package using HP-UX IPSec, create the Package Configuration as described in the
Serviceguard documentation. Configure the service information for HP-UX IPSec with the following
values:
• Service command: /var/adm/ipsec/ipsec_status.sh. This is the HP-UX IPSec monitor
script.
• Service fail fast enabled: HP recommends that you disable this feature so Serviceguard
does not halt the node if HP-UX IPSec is not available.
• Service restart: None.
• Service halt timeout: HP recommends 300 (seconds) for this parameter.
212 HP-UX IPSec and Serviceguard