HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

Support for 4096 bit key pairs for certificates
HP-UX IPSec now supports 4096-bit public/private key pairs for certificate-based IKE authentication.
The ipsec_config add csr command also supports the argument -key_length 4096.
Support for PKCS#12 certificates
HP-UX IPSec supports certificates stored in Public Key Cryptography Standards (PKCS) #12 format
(commonly referred to as PKCS#12). A PKCS#12 file can also include the private key for the
certificate.
Previous versions of HP-UX IPSec required administrators to generate a local certificate signing
request (CSR) and public-private key pair using the ipsec_config add certreq command,
and to export the CSR to the Certificate Authority (CA) for signing. Support for PKCS#12 certificates
enables administrators to use alternate methods to obtain certificates, such as public key infrastructure
(PKI) utilities that generate the public-private key pair and export a file that contains the certificate
and the keys.
Certificate retrieval from LDAP directories
HP-UX IPSec can import system and CA certificates from LDAP directories. The ipsec_config
add mycert and ipsec_config add cacert commands support options to import certificates
from LDAP directories.
Support for multiple level public key infrastructures
HP-UX IPSec can authenticate a peer using multiple-level Public Key Infrastructures (PKIs) with
multiple Certificate Authorities (CAs) if the local system and the peer share a common root CA.
You must install a certificate for the root CA and a certificate for each intermediate CA in the path
from the local system to the root CA, and for each intermediate CA in the path from the peer to
the root CA. Each CA certificate and CRL must be contained in a separate file or directory object;
HP-UX cannot store multiple certificates or CRLs from a single file or directory object.
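As an added example (not HP-UX code), the Python helper below splits a PEM bundle exported by a PKI tool into one CA certificate or CRL per file, which is the layout the multiple-level PKI requirement above calls for. The sample bundle and its short placeholder bodies are constructed; they are not real certificates.

```python
import base64
import re
from pathlib import Path

# One PEM block; the label is captured so CERTIFICATE and X509 CRL blocks
# are handled by the same pattern.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)

def split_pem_bundle(bundle_text):
    """Return a list of (label, pem_text), one entry per PEM object.

    Each base64 body is decoded once so a block that was truncated or
    corrupted while being copied is rejected instead of written to disk.
    """
    objects = []
    for m in PEM_BLOCK.finditer(bundle_text):
        label = m.group("label")
        body = "".join(m.group("body").split())
        try:
            base64.b64decode(body, validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError
            raise ValueError(f"malformed {label} block: {exc}") from exc
        pem = f"-----BEGIN {label}-----\n"
        pem += "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
        pem += f"\n-----END {label}-----\n"
        objects.append((label, pem))
    return objects

def write_one_per_file(bundle_text, out_dir):
    """Write each object to its own file (ca_cert_N.pem or crl_N.pem)."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for n, (label, pem) in enumerate(split_pem_bundle(bundle_text)):
        stem = "crl" if "CRL" in label else "ca_cert"
        path = out / f"{stem}_{n}.pem"
        path.write_text(pem)
        written.append(path)
    return written

# Constructed sample: root CA, intermediate CA and a CRL in one bundle.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
cm9vdA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
aW50ZXJtZWRpYXRl
-----END CERTIFICATE-----
-----BEGIN X509 CRL-----
Y3Js
-----END X509 CRL-----
"""
```

Each resulting file can then be imported on its own, one CA certificate or CRL per import.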
Certificate Revocation List cron file change
The name and location of the file containing a cron script to retrieve a certificate revocation list
(CRL) changed. The new file path is /var/adm/ipsec/util/crl.cron. The file path in previous
releases was /var/adm/ipsec_gui/cron/crl.cron.
If you have an entry in a crontab file that references the /var/adm/ipsec_gui/cron/crl.cron file,
you do not need to modify it. The migration utility creates a softlink from
/var/adm/ipsec_gui/cron/crl.cron to /var/adm/ipsec/util/crl.cron.
In previous releases, HP-UX IPSec also stored information about the location of the LDAP server for
the CRL in the /var/adm/ipsec/cainfo.txt file. This information is now stored in files in
the /var/adm/ipsec/crl_cron directory.
Support for RFC 4301 security processing for ICMP errors
The ipsec_config startup configuration argument -icmp_error_process enables or
disables RFC 4301 security processing for ICMP errors. When this feature is enabled, an IPsec
SA used to secure a normal network session is also used to secure any ICMP or ICMPv6 error
messages generated by that session. By default, this feature is disabled.
Profile file changes
The ipsec_config profile file format changed.
The default location for the HP-UX IPSec profile file is /var/adm/ipsec/.ipsec_profile. If
this file exists when you install HP-UX IPSec A.03.00, the installation script installs the A.03.00
profile file under the file name /var/adm/ipsec/.ipsec_profile.blank. When you run