Using Microsoft Certificates with HP-UX IPSec A.03.00

Introduction
This document describes how to configure an HP-UX IPSec A.03.00 system to use certificates issued
by a Microsoft Windows certification authority (CA) for IPsec. You can use the certificates for Internet
Key Exchange (IKE) authentication with other HP-UX systems or with Microsoft Windows systems.
The intended audience for this document is a network security administrator who is familiar with
Microsoft Windows Server 2003 PKIs, Microsoft Windows Active Directories, the HP-UX IPSec
product, and the IP Security protocol suite.
Related documentation
To configure the PKI, HP used procedures described in the Microsoft document Best Practices for
Implementing a Microsoft Windows Server 2003 Public Key Infrastructure. That document is hereafter
referred to as the Microsoft PKI document and is available at the following website:
http://technet.microsoft.com/en-us/library/cc772670.aspx
To configure certificate services on the Microsoft CAs, HP used procedures described in the Microsoft
document How to create offline L2TP/IPSec Certificates. This document is available at the following
website:
http://support.microsoft.com/kb/555281
For general information about configuring HP-UX IPSec, see the HP-UX IPSec A.03.00 Administrator's
Guide. This document is available from the HP Technical Documentation website at
http://docs.hp.com.
For information about configuring Microsoft Windows security policies to operate with HP-UX IPSec,
see Configuring Microsoft Windows IP Security to Operate with HP-UX IPSec and Configuring
Microsoft Windows Vista and Windows Server 2008 to Operate with HP-UX IPSec. These documents
are available from the HP Technical Documentation website at http://docs.hp.com.
Multi-tier PKI topology
The multi-tier PKI topology used for the procedures in this document has the following CAs:
Root CA (IPSecRootCA)
The root CA is a stand-alone CA (not a member of an Active Directory domain). In this example, the
root CA is offline (not connected to the network).
Intermediate CAs (IPSecIntermCA1 and IPSecIntermCA2)
The intermediate CAs are subordinates of the root CA (their certificates are issued by the root CA).
Intermediate CAs are sometimes referred to as policy CAs because they are often used to
implement or distinguish differences in security policies needed by different groups. In this example,
the intermediate CAs are standalone CAs and are offline.
Issuing CAs (IPSecEntCA1 and IPEntCA2)
Issuing CAs issue certificates for end entities, such as systems or users. In this example, the issuing
CAs issue certificates for the systems to use for IPsec authentication. The issuing CAs are connected
to the network and clients can use a web interface to request certificates. In this example, each
issuing CA is an enterprise CA. An enterprise CA is a member of an Active Directory domain.
All CAs have Microsoft Windows Server 2003 Enterprise edition installed with Service Pack 2 (SP2).