Installing and Administering IPSec/9000 > Chapter 1 Installing and Configuring IPSec/9000

Step 5B: Setting Up a VeriSign Administrator

There are three main components in the VeriSign OnSite architecture.

  1. A VeriSign OnSite Server, which is located at a VeriSign data center. The OnSite Server acts as the Certificate Authority (CA) and creates and manages certificates and Certificate Revocation Lists (CRLs).

  2. A local OnSite Administrator, a person located at the customer's site who approves clients' requests for certificates and may ask the OnSite Server to revoke a client's certificate. The OnSite Administrator communicates with the OnSite Server through the VeriSign OnSite Control Center Website.

  3. Clients located at the customer's site who request, get and use certificates. For IPSec/9000, a client is a system that uses a certificate-based primary authentication method for IKE, such as RSA signatures. Each such system must request and get a certificate before starting the IPSec/9000 subsystem that uses RSA signature-based authentication.

    To perform this task, use the ipsec_mgr program to request and receive certificates from the OnSite Server.

NOTE: All IPSec/9000 systems using VeriSign certificates must have IPv4 addresses. IPSec/9000 does not support the use of IPv6 addresses with certificates.

Figure 1-2 VeriSign Symmetric Key Cryptosystem

NOTE: VirtualVault

The socks configuration file (socks.conf) on VirtualVault must be created with the SYSTEM sensitivity label. To check the sensitivity label of the file, use the lslevel(1) command. To change the sensitivity label of the file, use the chlevel(1M) command. For the syntax of these commands, refer to the corresponding entries in the VirtualVault Operating System Reference, "Section 1" and "Section 1M" respectively. For more details on sensitivity labels, refer to the VirtualVault Administrator's Reference, "Information Separation and Labeling" chapter, "Understanding Information Separation" section.

VirtualVault does not support incoming e-mail. The OnSite Administrator must be configured to receive e-mail on an alternate host.

What You Need

Prior to configuring the IPSec/9000 product with VeriSign certificate authentication, you will need to:

  1. Purchase the VeriSign OnSite for VPNs product from VeriSign (www.verisign.com).

  2. Assign a local VeriSign OnSite Administrator.

  3. Ensure that the system used by the VeriSign OnSite Administrator meets the VeriSign hardware and software requirements listed below. (For the very latest VeriSign hardware and software requirements, check the VeriSign OnSite documentation.)

    1. Netscape or Internet Explorer browser version 4.0 or later

    2. An available serial port for a smart card reader (VeriSign provides the smart card).

    3. An e-mail or browser application that supports the S/MIME protocol.

    4. In addition, the VeriSign OnSite Administrator application uses secure http (shttp) to communicate with the VeriSign OnSite Server. Make sure the VeriSign OnSite Administrator's browser is enabled for shttp. Depending on your network topology and access to external sites, you may need to configure your browser to access web sites external to your company's network.

  4. Configure the IPSec/9000 systems to be able to exchange HTTP (Hypertext Transfer Protocol) packets with the VeriSign OnSite Server. Depending on your network topology and access to external sites, this can be done with a Socks Proxy Server that can service Socks version 4 client requests or with direct access to the VeriSign OnSite Server. Alternatively, you can use the following entries in a Socks configuration file.

    • If you are using a proxy server, you can use the following environment variables on your client:

      • SOCKS_HOST=socks_server_name

      • SOCKS_NS=dns_server_name

      • SOCKS_BIND_MODE=E

    • You must create a socks configuration file, socks.conf, in the directory /etc/opt/socks/. The file must have the following entry:

      server socks_server_name
      nameserver dns_server_name

      where

      socks_server_name: A comma separated list of Socks servers that can be used as a proxy for this destination. No spaces or tabs are allowed inside the list. Names beginning with a '$' are expanded from the user's environment. Each server in the list is tried until a successful connection is established. When a server has multiple addresses, it is assumed to be a group of hosts: the address list is randomized and each address is tried before proceeding to the next name in the list. The user can override this field using the SOCKS_SERVER environment variable.

      dns_server_name: A comma separated list of Domain Name Servers (DNS) that are able to resolve addresses outside of the domain. The user can override this field using the SOCKS_NS environment variable.
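The socks.conf rules above (a server list and a nameserver list, no spaces or tabs inside a list, '$' names expanded from the environment, and the SOCKS_SERVER / SOCKS_NS overrides) as a small POSIX sh checker. This is an added example, not part of the HP manual or the IPSec/9000 product; the function names are assumptions and the host names in the comments are constructed.

```sh
#!/bin/sh
# Added example, not from the HP manual: a checker for the socks.conf
# format described above. It reads the "server" and "nameserver" lists,
# rejects embedded spaces or tabs, expands members that begin with '$' from
# the environment, and applies the documented overrides (SOCKS_SERVER wins
# over the file's server list, SOCKS_NS over its nameserver list).
# Any host names used with it in this page are constructed.

# socks_field FILE KEYWORD : print the list that follows KEYWORD (first match).
socks_field() {
    awk -v kw="$2" '$1 == kw { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# list_is_clean LIST : succeed only if LIST contains no space or tab.
list_is_clean() {
    tab=$(printf '\t')
    case "$1" in
        *' '*|*"$tab"*) return 1 ;;
        *)              return 0 ;;
    esac
}

# expand_dollar LIST : replace a member such as $PROXY with that variable's
# value. Only well-formed variable names reach eval, so a crafted file
# cannot smuggle shell syntax through this step.
expand_dollar() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r m; do
        v=${m#\$}
        case "$m" in
            '$'[A-Za-z_]*)
                case "$v" in
                    *[!A-Za-z0-9_]*) printf '%s\n' "$m" ;;
                    *) eval "printf '%s\\n' \"\${$v}\"" ;;
                esac ;;
            *) printf '%s\n' "$m" ;;
        esac
    done | paste -sd, -
}

# effective_list FILE KEYWORD OVERRIDE : the environment override wins;
# otherwise validate and expand the list taken from the file.
effective_list() {
    if [ -n "$3" ]; then printf '%s\n' "$3"; return 0; fi
    f=$(socks_field "$1" "$2")
    list_is_clean "$f" || { echo "socks.conf: $2 list has whitespace" >&2; return 1; }
    expand_dollar "$f"
}
```

To see what a client will actually use, source the file and run `effective_list /etc/opt/socks/socks.conf server "${SOCKS_SERVER:-}"` and the same with `nameserver` and `"${SOCKS_NS:-}"`; a non-zero exit means the list in the file contains whitespace.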

VeriSign Certificate Procedures

Complete Step 1 below to register your OnSite Administrator. This needs to be done only once. You must complete Step 2 for each client system.

Step 1: Registering the Administrator

The OnSite Administrator registers with VeriSign through the URL that VeriSign provides for a VeriSign OnSite Control Center.

  1. The DNS domain name entered in the Administrator's application must match the DNS name that the IPSec Administrators will enter in the ipsec_mgr GUI when requesting a certificate.

    (The DNS domain name in the Administrator's application determines the customer's domain for which the OnSite Administrator can approve and revoke certificates.)

  2. The number of certificates must equal the number of IPSec systems that will be using certificate-based primary authentication for IKE (such as RSA signatures).

Step 2: Requesting and Getting Certificates

Each IPSec/9000 system that will use a certificate-based primary authentication method for IKE (such as RSA signatures) must request and get its own certificate before starting the IPSec/9000 subsystem. Refer to "Step 7A: Configuring a Certificate" for more details.

Make sure the number of certificates accommodates the number of IPSec/9000 systems using VeriSign for IKE primary authentication. Each system needs only one certificate for IPSec/9000, even if the system has multiple IP addresses.

  1. On the client system, the user (IPSec Administrator) selects "Request Certificate" from the Certificates section of ipsec_mgr. The ipsec_mgr program generates a public/private key pair. The ipsec_mgr program stores the private key in a local, encrypted file and sends a request for a certificate that contains the public key to the OnSite Server. The CA will return a certificate containing the public key.

    When the request for the certificate is made, the GUI displays a window with the message, "Your certificate request is pending."

    In addition, the "Request Certificate" button label will change to "Check on Request."

  2. The local OnSite Administrator will receive an e-mail message notifying him that a client has requested a certificate.

  3. The OnSite Administrator uses the VeriSign OnSite Control Center Website to process the request by selecting "Process Requests" from the "Certificate Management" menu. The OnSite Administrator can approve or reject the request.

  4. After the OnSite Administrator has approved the certificate request and the OnSite Server has processed the approval, the IPSec/9000 administrator can select the "Check on Request" button from the Certificate screen. The ipsec_mgr program will retrieve the certificate from the OnSite Server if the request was granted. The GUI menu button will change back to "Request Certificate." Otherwise a window will appear with the message, "Your request has been rejected."

  5. The certificate is downloaded to the client system and added to the file /var/adm/ipsec/certs.txt by the ipsec_mgr program.

© 2001 Hewlett-Packard Development Company, L.P.