Using OpenSSL Certificates with HP-UX IPSec A.03.00
Introduction
This document provides information on using HP-UX IPSec versions A.03.00 and later with OpenSSL
certificates for IKE primary authentication. This document also describes how to store and retrieve
OpenSSL Certificate Revocation Lists (CRLs) using local files or an LDAP (Lightweight Directory Access
Protocol) server. A CRL contains a list of revoked (invalid) certificates. HP-UX IPSec uses the CRL to
verify that a remote system's certificate is valid during IKE primary authentication.
The HP-UX OpenSSL product is available from the HP Software Depot website:
http://www.hp.com/go/softwaredepot
The following LDAP server implementations for HP-UX are also available from the HP Software Depot
website:
Netscape Directory Server for HP-UX (NDS)
OpenLDAP, a component of the HP-UX Internet Express bundle
This document assumes that the user is familiar with HP-UX IPSec and how it uses certificates. For
more information about HP-UX IPSec, refer to the HP-UX IPSec Administrator's Guide.
There are numerous ways to use the commands and utilities provided by OpenSSL, NDS, and
OpenLDAP. This document only describes the methods HP tested.
Related Documentation
For general information about configuring HP-UX IPSec, see the HP-UX IPSec A.03.00 Administrator's
Guide. This document is available from the HP Technical Documentation website at http://docs.hp.com.
Configuration Overview
To use HP-UX IPSec with OpenSSL certificates, you must complete the following tasks:
1. Initialize the OpenSSL Certificate Authority (CA).
2. Create the Certificate Revocation List (CRL) on the CA system.
3. (Optional) Add the CA certificate and CRL to the LDAP directory.
4. Create host certificates for HP-UX IPSec hosts.
5. Load the host certificate, CA certificate, and CRL to the HP-UX IPSec storage scheme.
6. Configure IPSec policies, IKE policies, and authentication records on the HP-UX IPSec hosts.
7. Verify the certificate configuration.
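Tasks 1 and 2 of this overview, and the directory layout that the dir parameter in openssl.cnf points at, worked through as an added shell example (not HP's own script; the CA directory, the CA name and the configuration values are assumptions for illustration):

```shell
# Added example, not HP's own script: lay out the directory that the "dir"
# parameter in openssl.cnf refers to, write a minimal [ CA_default ] section
# pointing at it, create the CA key and self-signed certificate, and issue the
# initial CRL. CA_DIR and the CA name are constructed values for this example.
set -e
init_openssl_ca() {
    CA_DIR="$1"
    CA_CN="${2:-Example IPSec CA}"    # assumed CA name; use your own
    # Subdirectories and files that CA_default names relative to $dir
    mkdir -p "$CA_DIR/certs" "$CA_DIR/crl" "$CA_DIR/newcerts" "$CA_DIR/private"
    chmod 700 "$CA_DIR/private"       # the CA private key lives here
    : > "$CA_DIR/index.txt"           # issued-certificate database, empty at start
    echo 01 > "$CA_DIR/serial"        # next certificate serial number
    echo 01 > "$CA_DIR/crlnumber"     # next CRL number
    # Minimal configuration; in practice edit the master openssl.cnf instead
    cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = $CA_DIR
certs            = \$dir/certs
crl_dir          = \$dir/crl
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
[ policy_any ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage         = critical, keyCertSign, cRLSign
EOF
    # Task 1: CA private key and self-signed CA certificate
    openssl req -config "$CA_DIR/openssl.cnf" -new -x509 -nodes -newkey rsa:2048 \
        -subj "/CN=$CA_CN" -days 3650 -keyout "$CA_DIR/private/cakey.pem" \
        -out "$CA_DIR/cacert.pem" 2>/dev/null
    # Task 2: initial (empty) CRL, signed by the CA
    openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -out "$CA_DIR/crl/crl.pem" 2>/dev/null
}
```

Run it as init_openssl_ca /path/to/ca "Your CA name"; the resulting cacert.pem and crl/crl.pem are the CA certificate and CRL that later tasks load into the IPSec hosts.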
Initializing the OpenSSL CA
Use the following procedure to set up the OpenSSL CA. You only need to do this on the system that
will host the OpenSSL CA, and you only need to do this once.
1. On the OpenSSL CA system, modify the OpenSSL master configuration file to match your
installation.
The OpenSSL master configuration file name is typically /opt/openssl/openssl.cnf. Make
the following modifications to the master configuration file:
o Set the dir parameter and other file and directory locations to conform to your file
system layout and naming conventions. By default, the dir parameter in the
configuration file specifies the base for a set of subdirectories in which OpenSSL
stores objects.