Installing and Administering IPSec/9000 > Chapter 1 Installing and Configuring IPSec/9000

Step 5A: Prerequisites for Using Entrust Certificates

To use IPSec/9000 with Entrust certificates, each IPSec/9000 system must meet the following prerequisites:

  • Each IPSec/9000 system must be able to access an Entrust/PKI (Public Key Infrastructure). If the Entrust/PKI is version 4.0 and runs on HP-UX, that system must be running HP-UX 10.20; if it is version 5.0 and runs on HP-UX, that system must be running HP-UX 11.0.

  • Each IPSec/9000 system must have the Entrust Engine library for HP-UX 11.x (libEntrust.sl, version 4.0d) installed. Contact your Entrust representative if you do not have this library. By default, IPSec/9000 searches for it at /usr/local/lib/libEntrust.sl.

    If libEntrust.sl is installed in a different directory, add that directory to the SHLIB_PATH environment variable in the environment from which you start IPSec/9000 with the ipsec_admin utility; otherwise IPSec/9000 cannot locate the library.

  • All IPSec/9000 systems must have IPv4 addresses. IPSec/9000 does not support the use of IPv6 addresses with certificates.
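These prerequisites are easy to miss on a host that is otherwise configured correctly: libEntrust.sl sits outside /usr/local/lib and SHLIB_PATH was exported in a different shell from the one that runs ipsec_admin, or the address chosen for the certificate is not an IPv4 address. The following POSIX sh script is an added example, not part of the HP manual or the IPSec/9000 product, that checks these points before you start IPSec/9000. It resolves libEntrust.sl the way described above (the default path first, then each directory listed in SHLIB_PATH), confirms that the entrust.ini file from your startup package is readable, and rejects anything that is not a dotted-quad IPv4 address. The function names, the convention that the return value is the number of failed checks, and the sample address 192.0.2.10 are this example's own; the location of entrust.ini is whatever you were given, so it is passed as an argument. The script cannot verify VirtualVault sensitivity labels; use lslevel(1) for that.

```shell
#!/bin/sh
# Added example, not part of the HP IPSec/9000 documentation: pre-flight
# check of the Entrust prerequisites on an IPSec/9000 host. Function names,
# the "return value = number of failures" convention and the sample address
# are this example's own choices.

# Default location in which IPSec/9000 searches for the Entrust Engine library.
ENTRUST_LIB_DEFAULT="/usr/local/lib/libEntrust.sl"

# find_entrust_lib SHLIB_PATH [DEFAULT_PATH]
# Prints the first readable libEntrust.sl: the default path first, then
# <dir>/libEntrust.sl for each colon-separated directory in SHLIB_PATH.
# Prints nothing and returns 1 if the library cannot be found.
find_entrust_lib() {
    shlib_path="${1-}"
    default_path="${2:-$ENTRUST_LIB_DEFAULT}"
    if [ -r "$default_path" ]; then
        printf '%s\n' "$default_path"
        return 0
    fi
    rest="$shlib_path"
    while [ -n "$rest" ]; do
        dir="${rest%%:*}"                 # first entry of the remaining path
        case "$rest" in
            *:*) rest="${rest#*:}" ;;     # drop it from the remainder
            *)   rest="" ;;
        esac
        [ -n "$dir" ] || continue         # skip empty entries ("a::b")
        if [ -r "$dir/libEntrust.sl" ]; then
            printf '%s\n' "$dir/libEntrust.sl"
            return 0
        fi
    done
    return 1
}

# is_ipv4 ADDR
# Returns 0 only for a dotted-quad IPv4 address with every octet in 0..255.
# IPSec/9000 does not support IPv6 addresses with certificates, so an IPv6
# literal such as 2001:db8::1 is rejected.
is_ipv4() {
    addr="$1"
    case "$addr" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;  # non-digit, leading/trailing/double dot
    esac
    n=0
    rest="$addr"
    while [ -n "$rest" ]; do
        octet="${rest%%.*}"
        case "$rest" in
            *.*) rest="${rest#*.}" ;;
            *)   rest="" ;;
        esac
        [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# check_entrust_prereqs SHLIB_PATH ENTRUST_INI IP_ADDRESS [LIB_DEFAULT]
# Runs every check, reports each result and returns the number of failures,
# so 0 means the host meets the prerequisites that can be tested from a shell.
check_entrust_prereqs() {
    shlib_path="$1"; ini="$2"; ip="$3"; lib_default="${4:-$ENTRUST_LIB_DEFAULT}"
    failures=0
    if lib=$(find_entrust_lib "$shlib_path" "$lib_default"); then
        echo "ok:   Entrust Engine library found at $lib"
    else
        echo "FAIL: libEntrust.sl not at $lib_default and not in SHLIB_PATH='$shlib_path'"
        failures=$((failures + 1))
    fi
    if [ -r "$ini" ]; then
        echo "ok:   Entrust initialization file $ini is readable"
    else
        echo "FAIL: Entrust initialization file $ini is missing or unreadable"
        failures=$((failures + 1))
    fi
    if is_ipv4 "$ip"; then
        echo "ok:   $ip is an IPv4 address usable in the certificate subjectAltName"
    else
        echo "FAIL: $ip is not an IPv4 address (IPv6 is not supported with certificates)"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Stand-alone use on the IPSec/9000 host, for example:
#   sh check_entrust_prereqs.sh "$SHLIB_PATH" /path/to/entrust.ini 192.0.2.10
if [ "$#" -ge 3 ]; then
    check_entrust_prereqs "$1" "$2" "$3"
fi
```

Run it from the same shell in which you later invoke ipsec_admin, so that the SHLIB_PATH it sees is the one IPSec/9000 will inherit; a library that is only findable from your interactive login shell is the most common cause of a startup failure here.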

NOTE: VirtualVault

On VirtualVault, both the Entrust Engine library (/usr/local/lib/libEntrust.sl) and the Entrust initialization file (entrust.ini) must be installed with the SYSTEM sensitivity label. To check the sensitivity label of a file, use the lslevel(1) command; to change it, use the chlevel(1M) command. For the syntax of these commands, refer to the corresponding entries in the VirtualVault Operating System Reference, "Section 1" and "Section 1M" respectively. For more details on sensitivity labels, refer to the VirtualVault Administrator's Reference, "Information Separation and Labeling" chapter, "Understanding Information Separation" section.

Security Startup Package

The Entrust Security Officer or Entrust Administrator must use the Entrust/Admin utility to add an Entrust user for IPSec/9000. This Entrust user should be dedicated to IPSec/9000 ISAKMP functions and not used for any other purpose.

You may want to use a naming convention to easily identify the Entrust users for IPSec/9000. For example, use the system name for the user's first name and "IPSec" for the user's last name.

Request that the certificate contain a subjectAltName extension whose iPAddress entry is the IPv4 address of the IPSec/9000 system. If the system has more than one IP address, select one for the certificate and make a note of it: other IPSec/9000 administrators will need this address to configure certificate IDs for this system.

The Entrust Security Officer or Entrust Administrator must provide the IPSec/9000 administrator with a start-up package that includes the following items:

  1. An Entrust initialization file, typically named entrust.ini. The IPSec/9000 administrator must install this on the system running IPSec/9000. ipsec_mgr will request the local path for this file.

  2. The following information, which the IPSec/9000 administrator will enter in the IPSec/9000 GUI to create an Entrust Profile (also referred to as an epf file):

    • Reference Number

    • Authorization Code

The Entrust Profile (or epf file) is encrypted and contains key information used by the IPSec/9000 IKE daemon to register with the Entrust PKI and perform certificate operations.

NOTE: You must use the IPSec/9000 GUI (ipsec_mgr) to create the Entrust Profiles used for IPSec/9000. Do NOT use the Entrust client utility or other utilities to create Entrust Profiles for IPSec/9000.

Figure 1-1 Entrust Data Flow

© 2001 Hewlett-Packard Development Company, L.P.