HP-UX IPSec version A.01.06 Administrator's Guide: HP-UX 11i Version 2 > Chapter 4 Using Certificates with HP-UX IPSec

Using VeriSign Certificates


There are three main components in the VeriSign OnSite architecture.

  • A VeriSign OnSite Server, located at a VeriSign data center and administered by VeriSign. The OnSite Server acts as the Certificate Authority (CA) and creates and manages certificates and Certificate Revocation Lists (CRLs).

  • A local OnSite Administrator, a person located at your site who approves clients' requests for certificates and may ask the OnSite Server to revoke a client's certificate. The OnSite Administrator communicates with the OnSite Server through the VeriSign OnSite Control Center Website.

  • Clients located at your site who request, get and use certificates. For HP-UX IPSec, a client is a system that uses a certificate-based primary authentication method for IKE, such as RSA signatures. Each system must request and get a certificate before starting the HP-UX IPSec subsystem that uses RSA signature-based authentication.

    To perform this task, use the ipsec_mgr program to request and receive certificates from the OnSite Server.

NOTE: All HP-UX IPSec systems using VeriSign certificates must have IPv4 addresses. HP-UX IPSec does not support the use of IPv6 addresses with certificates.

Figure 4-1 VeriSign Symmetric Key Cryptosystem


VeriSign Certificate Tasks

To use VeriSign certificates, you must complete the following tasks:

  1. Complete and verify the prerequisite requirements.

  2. Configure web proxy server parameters if you will use a web proxy to access the VeriSign OnSite server. You must do this on each HP-UX IPSec system using VeriSign certificates.

  3. Register the OnSite Administrator. You only need to do this once, regardless of the number of IPSec systems using VeriSign certificates.

  4. Request and retrieve a VeriSign certificate. You must do this on each HP-UX IPSec system using VeriSign certificates.

  5. Configure certificate IDs if you have a multi-homed system or are using certificates to authenticate multi-homed systems or systems from other vendors. This task is described in “Configuring Certificate IDs”.

  6. Configure your system to automatically retrieve the Certificate Revocation List (CRL), or manually retrieve the CRL. This task is described in “Retrieving the Certificate Revocation List (CRL)”.

Step 1: Verifying Prerequisites

Prior to configuring the HP-UX IPSec product with VeriSign certificate authentication, you will need to:

  1. Purchase the VeriSign OnSite for VPNs product from VeriSign (www.verisign.com).

  2. Assign a local VeriSign OnSite Administrator.

  3. Ensure that the system used by the VeriSign OnSite Administrator meets the VeriSign hardware and software requirements listed below. For the very latest VeriSign hardware and software requirements, check the VeriSign OnSite documentation.

    • Netscape or Internet Explorer browser version 4.0 or later, enabled for secure Hypertext Transfer Protocol (SHTTP)

    • An available serial port for a smart card reader (VeriSign provides the smart card)

    • E-mail or browser application that supports the S/MIME protocol

  4. Verify that the HP-UX IPSec systems and the system used by the VeriSign OnSite Administrator can exchange HTTP packets with the VeriSign OnSite server. Depending on your network topology and access to external sites, this can be done with a web proxy server or with direct access to the VeriSign OnSite Server.

    If you will use a web proxy server, get the following information about the proxy server:

    • Hostname of the proxy server

    • Port number on which the proxy server receives internal requests

    • User name for the proxy server, if the proxy server requires user name and password authentication

    • Password for the proxy server, if the proxy server requires user name and password authentication

Step 2: Configuring Web Proxy Server Parameters

If you need to use a web proxy server to access the VeriSign OnSite server, use the following procedure to configure web proxy server information for ipsec_mgr.

  1. Click on the ipsec_mgr Options menu. Select System, then Proxy Information.

    The Proxy Server Settings window opens.

    Complete the fields with the parameters for your web proxy server:

    1. Local Hostname: hostname of the proxy server

    2. Local Port: port number on which the proxy server receives internal requests

    3. User Name: the user name for the proxy server, if the proxy server requires user name and password authentication

    4. Password: the password for the proxy server, if the proxy server requires user name and password authentication

  2. Click OK. The ipsec_mgr program saves the proxy server settings.

Step 3: Registering the Administrator

The VeriSign OnSite Administrator registers with VeriSign through the URL that VeriSign provides for a VeriSign OnSite Control Center. Follow the instructions provided by VeriSign, with the following additional provisions.

  1. Record the DNS domain name entered in the Administrator's application. This domain name must match the DNS name that the IPSec Administrator enters in the ipsec_mgr GUI when requesting a certificate.

    (The DNS domain name in the Administrator's application determines the domain for which the OnSite Administrator can approve and revoke certificates.)

  2. The number of certificates must equal the number of IPSec systems that will be using certificate-based primary authentication for IKE (such as RSA signatures).

Step 4: Requesting and Receiving Certificates

Each HP-UX IPSec system that will use a certificate-based primary authentication method for IKE must request and get its own certificate before starting the HP-UX IPSec subsystem.

Make sure the number of certificates accommodates the number of HP-UX IPSec systems using VeriSign for IKE primary authentication. Each system needs only one certificate for HP-UX IPSec, even if the system has multiple IP addresses.

To request and receive a VeriSign certificate with HP-UX IPSec:

  1. Select Certificate Authority from the ipsec_mgr Options menu.

  2. The Certificates tab is enabled on the ipsec_mgr screen. If the VeriSign screen is not already displayed, click the VeriSign tab at the left side of the screen.

  3. Click Request Certificate on the Certificates screen. The Request Certificate screen appears.

  4. Enter the interface IP address for the certificate being created in the IP Address field. This value is preset to 127.0.0.1 since creation is for ‘local’ certificates only.

  5. Enter the Local Hostname for the certificate.

  6. Enter the Domain Name for the certificate.

  7. Enter the Size of the certificate.

  8. Enter the CA Server Address you received from VeriSign.

  9. Click OK. Your request is automatically sent to VeriSign for processing.

  10. When the request for the certificate is made, the GUI displays a message window: “Your certificate request is pending.”

    In addition, the Request Certificate button changes to Check on Request.

  11. The local OnSite Administrator receives an email notification that a client has requested a certificate.

  12. The OnSite Administrator uses the VeriSign OnSite Control Center Website to process the request by selecting Process Requests from the Certificate Management menu. The OnSite Administrator can approve or reject the request.

  13. After the OnSite Administrator has approved the certificate request and the OnSite Server has processed the approval, click the Check on Request button on the Certificate screen:

    The ipsec_mgr program retrieves the certificate from the OnSite Server if the request was granted. The Check on Request button changes back to Request Certificate.

    If there is a problem with the certificate, ipsec_mgr displays the message “Your request has been rejected” in a new window.

  14. The certificate is downloaded to the client system and added to the file /var/adm/ipsec/certs.txt by the ipsec_mgr program.
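A post-retrieval check, added here as an example and not part of the HP-UX IPSec product or this guide: it confirms that the certificate ipsec_mgr wrote to certs.txt names the hostname and domain entered in steps 5 and 6 (the domain the OnSite Administrator registered in Step 3), that the file holds the single certificate the system needs, and that the certificate has not expired. It assumes the openssl command-line tool is installed; the self-signed sample certificate is constructed locally in place of one issued by the OnSite Server.

```shell
#!/bin/sh
# Added example, not part of the HP-UX IPSec product or this guide.
# Assumes the openssl command-line tool is available. CERTS_FILE below is
# the path the guide names for the retrieved certificate.
CERTS_FILE=/var/adm/ipsec/certs.txt

# Number of PEM certificates in a file; the guide expects one per system.
count_certs() {
    if [ -f "$1" ]; then
        grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
    else
        echo 0
    fi
}

# Subject CN of the first certificate in the file (RFC 2253 formatting).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Return 0 when the file holds exactly one certificate whose CN equals
# "<hostname>.<domain>" and which has not expired; print the reason and
# return 1 otherwise.
verify_ipsec_cert() {
    file="$1"; expected="$2.$3"
    n=$(count_certs "$file")
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one certificate in $file, found $n"; return 1
    fi
    cn=$(cert_cn "$file")
    if [ "$cn" != "$expected" ]; then
        echo "subject CN '$cn' does not match requested name '$expected'"; return 1
    fi
    if ! openssl x509 -in "$file" -noout -checkend 0 >/dev/null; then
        echo "certificate in $file has expired"; return 1
    fi
    echo "certificate for $expected is present, named correctly and valid"
}

# Constructed sample: a self-signed certificate standing in for the one the
# OnSite Server issues, so the check can be exercised offline.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -subj "/CN=$2" -days 30 >/dev/null 2>&1
}

# Usage after Step 4 (hostname and domain as entered in steps 5 and 6):
#   verify_ipsec_cert "$CERTS_FILE" myhost example.com
```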

Go on to “Configuring Certificate IDs”.

© 2003 Hewlett-Packard Development Company, L.P.