Using Microsoft Certificates with HP-UX IPSec A.03.00

ManualsBrandsHP ManualsSoftwareHP-UX IPSec Software

Introduction......................................................................................................................................... 2

Related documentation ..................................................................................................................... 2

Multi-tier PKI topology .......................................................................................................................... 2

Configuration tasks .......................................................................................................................... 4

Single-tier PKI topology with a standalone CA......................................................................................... 4

Configuration tasks .......................................................................................................................... 4

Configuring the root and subordinate CAs.............................................................................................. 4

Configuring the root CA ................................................................................................................... 4

Configuring the intermediate CAs ...................................................................................................... 5

Configuring the issuing CAs .............................................................................................................. 7

Configuring certificate services for IPsec on the issuing CAs...................................................................... 8

Obtaining host certificates for IPsec ....................................................................................................... 8

Using ipsec_config to obtain host certificates....................................................................................... 8

Using the Microsoft Certificate Services web interface to obtain host certificates .................................... 10

Exporting the certificate and keys ................................................................................................. 11

Configuring HP-UX IPSec .................................................................................................................... 11

Loading the host certificate.............................................................................................................. 12

Loading the CA certificates and CRLs ............................................................................................... 12

Multi-Tier PKI requirement ............................................................................................................ 12

Loading the CA Certificates from files ........................................................................................... 12

Loading the CRLs from files .......................................................................................................... 12

Loading the CA certificates from the Active Directory Server ............................................................ 13

Loading the CRLs from the Active Directory Server .......................................................................... 15

Configuring host policies ................................................................................................................ 16

Configuring authentication records................................................................................................... 16

Configuring IKE policies.................................................................................................................. 16

Verifying the configuration .............................................................................................................. 16

Configuring a cron job to retrieve the CRL......................................................................................... 16

Summary of content (17 pages)

PAGE 1
Using Microsoft Certificates with HP-UX IPSec A.03.00 Introduction......................................................................................................................................... 2 Related documentation ..................................................................................................................... 2 Multi-tier PKI topology ..........................................................................................................................
PAGE 2
Introduction This document describes how to configure an HP-UX IPSec A.03.00 system to use certificates issued by a Microsoft Windows certification authority (CA) for IPsec. You can use the certificates for Internet Key Exchange (IKE) authentication with other HP-UX systems or with Microsoft Windows systems.
PAGE 3
The clients use certificates issued by the issuing CAs for IPsec IKE authentication. The client host1 is an HP-UX system with HP-UX IPSec A.03.00 installed. The client host2 is a Microsoft Windows XP system with Service Pack 2 (SP2) installed. NOTE: When using a multilevel or multitier PKI topology, the HP-UX IPSec version must be A.03.00 or later. HP-UX IPSec version A.02.01 does not support multilevel PKIs but is compatible with Microsoft Windows enterprise CAs.
PAGE 4
Configuration tasks Complete the following tasks to configure a multi-tier PKI for use with HP-UX IPSec:  Configure the root and subordinate CAs. See “Configuring the root and subordinate CAs.”  Configure certificate services for IPsec on the issuing CAs. See “Configuring certificate services for IPsec on the issuing CAs.”  Obtain certificates for the IPsec systems. See “Obtaining host certificates for IPsec.”  Configure HP-UX IPSec to use the certificates. See “Configuring HP-UX IPSec.
PAGE 5
HP used the sample CAPolicy.inf file provided in the Microsoft PKI document without modifications. Save this file in %Systemroot%\CAPolicy.inf. 2. Install the offline root CA software components. HP used the Microsoft Components Wizard to install the CertificateServices components. HP did not install Internet Information Services (IIS) for web enrollment support. For CA Type, select Stand-alone root CA.
PAGE 6
3. Import the Root CA certificate and CRL into the intermediate CA. HP used a batch file containing certutil –addstore –f Root commands for this task as described in the Microsoft PKI document. 4. Verify the Root CA certificate on the intermediate CA. HP used the certutil -verifystore root command to complete this task. 5. Install the Offline Intermediate CA Software Components HP used the Microsoft Components Wizard to install the Certificate Services components.
PAGE 7
HP did not specify a value for the myLDAPserver variable. The sample script also configures the intermediate CA to include information about the CA policy in its issued certificates. 10. Verify the intermediate CA configuration. Configuring the issuing CAs In this topology, the issuing CAs are enterprise CAs. An enterprise CA must be joined to a domain of an Active Directory forest.
PAGE 8
6. Install the Certificate. HP used the method described in the Microsoft PKI document to install the certificate using the certutil.exe -installcert command This method installs the PKCS#7 (.p7b) file created in the previous step. 7. Configure the Enterprise CA HP used the sample script provided to configure an EnterpriseSubCA in the Microsoft PKI document with the following modification: SET myhttpPKIvroot=http://www.hp.
PAGE 9
1. Use the ipsec_config add csr command to create the certificate request as documented in the HP-UX IPSec Administrator's Guide. On host1, HP used the following command: ipsec_config add csr -subject cn=host1.hpipsec.hp.com 2. If you do not have a web browser on you HP-UX system that can access the Windows CA's web interface, copy the certificate request file, /var/adm/ipsec/ipsec.csr, to a system with access. 3.
PAGE 10
. Transfer the file to the IPsec host system, if needed. You will specify this file in the ipsec_config add mycert -file command. This file does not contain the private key and can be transferred over a non-secure network link. Using the Microsoft Certificate Services web interface to obtain host certificates Use the following procedure to create a certificate request on the enterprise CA for an IPsec host. The certificate request and certificate key pair are created on the CA.
PAGE 11
7. Click Install this certificate. 8. If the web browser displays a Potential Scripting Violation window, click Yes. Exporting the certificate and keys Use the following procedure to create a PKCS#12 file with the host certificate and certificate keys. 1. On the CA system, start the custom MMC created in Configuring certificate services for IPsec on the issuing CAs. 2. Open the local certificate storage area by expanding Certificates (Local Computer). Expand Personal. Expand Certificates.
PAGE 12
Loading the host certificate HP loaded the host certificates from files to the HP-UX IPSec storage scheme. HP used the ipsec_config add mycert –file command to complete this task. HP did not retrieve the HP-UX host certificate from the Active Directory because the HP-UX host certificate was not published in the Active Directory (the HP-UX host is not a member of the Active Directory domain). For example: ipsec_config add mycert –file certnew.
PAGE 13
certutil –GetCRL IPSecRootCA.crl 2. Transfer the CRL file to the HP-UX system. This file can be transferred over a non-secure network link. 3. Enter the ipsec_config add crl –file command to load the CRL. For example: ipsec_config add crl –file IPSecRootCA.crl Loading CA certificates from the Active Directory Server To load the CA certificates from the Active Directory server, use the ipsec_config add cacert –ldap command.
PAGE 14
-password myPass 14
PAGE 15
Loading CRLs from the Active Directory Server To load the CRLs from the Active Directory server, use the ipsec_config add crl –ldap command. This command requires the LDAP search filter (base and filter) for the CRL. HP used the following syntax to specify the search filter. The base is the same as the base used for the CA certificate filter plus a commonName field with the hostname portion of the fully-qualified domanin name (FQDN) of the issuing CA (cn=hostname).
PAGE 16
Configuring host policies Configure the host policies as you normally would. For example, on host1, HP configured the following host policy to encrypt packets exchanged with host2: ipsec_config add host host2 –destination 10.0.0.22 –action ESP_AES128_HMAC_SHA1 Configuring authentication records Configure the authentication records with the appropriate authentication IDs. By default, Microsoft Windows IPsec uses X.500 DNs as the IKE ID type.
PAGE 17
© 2009 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.