Using OpenSSL Certificates with HP-UX IPSec A.03.00
To load the CRL from an LDAP directory, use the ipsec_config add crl -ldap command.
For example:
ipsec_config add crl -ldap myDirSrv \
-base ou=lab,o=example,c=us \
-filter cn=pki-ca
Configuring a cron job to retrieve the CRL
HP-UX IPSec provides the script /var/adm/ipsec/util/crl.cron to retrieve the CRL from an
LDAP directory. You can configure a cron job to use this script to periodically retrieve the CRL from
the LDAP directory. For more information, see the HP-UX IPSec A.03.00 Administrator’s Guide.
Configuring IPSec Policies, IKE Policies and Authentication Records
On the HP-UX IPSec hosts, complete the basic elements of an HP-UX IPSec configuration if you have
not already done so.
1. Configure the IPsec and IKE policies. For example:
ipsec_config -add ikev1 hostB -remote 192.168.1.5
2. Configure IKE authentication records.
In the example below, the local system has HP-UX IPSec installed and the remote system (hostB) is
multihomed, with the IP addresses 192.168.1.5 and 15.1.1.5. The remote system’s certificate
contains IP address 15.1.1.5 in the Subject Alternative Name field. The following ipsec_config
command creates an IKE authentication record for the remote system:
ipsec_config add auth hostB -remote 192.168.1.5 \
-ltype IPV4 -lid 15.1.1.1 \
-rtype IPV4 -rid 15.1.1.5
Verifying the Certificate Configuration
Use the following procedure to verify the basic certificate configuration:
1. Enter the command ipsec_report -sa to check if there are any existing SAs between the local
and remote systems. If there are, use the ipsec_admin -deletesa ip_address command to
delete the SAs. Alternatively, you can stop and restart HP-UX IPSec on the local and remote system.
2. Generate traffic that matches an IPSec policy to encrypt or authenticate data.
3. Enter the command ipsec_report -sa and verify that HP-UX IPSec established an IKE security
association (SA) and IPSec SAs with the remote system.
TIP: If you restart HP-UX IPSec and the audit level is set to informative or lower, you will see a log
message similar to the following if the local certificate is valid:
Msg: 4 From: IKMPD Lvl: INFORMATIVE Date: Tue Feb 24 22:40:32 2009
Event: Either certificate or preshared key can be used for
authentication.
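Two checks a practitioner would want around the authentication record and verification steps above, as an added example that is not part of the HP-UX documentation: a POSIX shell snippet that (a) confirms the -rid value of an IKE authentication record matches an IP Address entry in the peer certificate's Subject Alternative Name, taking the value line printed by "openssl x509 -noout -ext subjectAltName" (so the remote ID in the auth record and the certificate agree before IKE is tried), and (b) scans an HP-UX IPSec audit log for the INFORMATIVE IKMPD message quoted in the tip, joining the wrapped Event text back into one line. The audit log sample is constructed: its record layout follows the message quoted above, the other two event texts are invented for illustration, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not HP-UX IPSec code. Function names are hypothetical.

# san_has_ip SAN_VALUE RID
#   SAN_VALUE: the value line from "openssl x509 -noout -ext subjectAltName",
#              e.g. "IP Address:15.1.1.5, DNS:hostb.example.com"
#   RID:       the -rid value given to "ipsec_config add auth"
#   Returns 0 when an "IP Address:" entry equal to RID is present.
san_has_ip() {
  printf '%s\n' "$1" | tr ',' '\n' | sed 's/^[[:space:]]*//' \
    | grep -qx "IP Address:$2"
}

# ikmpd_events LOGFILE
#   Prints one line per audit record as  LVL|FROM|DATE|EVENT  where EVENT
#   has any wrapped continuation lines joined with a single space.
ikmpd_events() {
  awk '
    function flush() {
      if (inrec) { printf "%s|%s|%s|%s\n", lvl, from, date, ev; inrec = 0 }
    }
    NF == 0 { next }                         # ignore blank lines
    /^Msg:/ {
      flush()
      inrec = 1; ev = ""; from = ""; lvl = ""; date = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "From:") from = $(i + 1)
        if ($i == "Lvl:")  lvl  = $(i + 1)
      }
      if ((p = index($0, "Date:")) > 0) date = substr($0, p + 6)
      next
    }
    /^Event:/ { sub(/^Event: */, ""); ev = $0; next }
    inrec && ev != "" { sub(/^[[:space:]]+/, ""); ev = ev " " $0 }  # wrapped text
    END { flush() }
  ' "$1"
}

# cert_accepted_in_log LOGFILE
#   Returns 0 if IKMPD logged the message the page says indicates a valid
#   local certificate.
cert_accepted_in_log() {
  ikmpd_events "$1" | awk -F'|' '
    $2 == "IKMPD" &&
    $4 == "Either certificate or preshared key can be used for authentication." { found = 1 }
    END { exit !found }'
}

# write_sample_log
#   Writes a constructed audit log (layout modelled on the message quoted on
#   this page; the first and third event texts are invented) and prints its path.
write_sample_log() {
  f="${TMPDIR:-/tmp}/ipsec_audit_sample.$$"
  cat > "$f" <<'EOF'
Msg: 3 From: IKMPD Lvl: INFORMATIVE Date: Tue Feb 24 22:40:31 2009
Event: IKE daemon started.
Msg: 4 From: IKMPD Lvl: INFORMATIVE Date: Tue Feb 24 22:40:32 2009
Event: Either certificate or preshared key can be used for
authentication.
Msg: 5 From: IKMPD Lvl: ERROR Date: Tue Feb 24 22:41:10 2009
Event: Peer certificate validation failed.
EOF
  printf '%s\n' "$f"
}

# Stand-alone usage against the constructed sample.
f=$(write_sample_log)
ikmpd_events "$f"
if cert_accepted_in_log "$f"; then
  echo "IKMPD reported that the local certificate can be used"
fi
san_has_ip "IP Address:15.1.1.5, DNS:hostb.example.com" 15.1.1.5 \
  && echo "auth record -rid 15.1.1.5 matches the certificate SAN"
rm -f "$f"
```

In practice, feed san_has_ip the second line of "openssl x509 -in hostB.pem -noout -ext subjectAltName" and point cert_accepted_in_log at the audit log you configured for HP-UX IPSec; the awk record parser is deliberately tolerant of the Event text being wrapped across lines, because that is how the message appears when quoted.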