HP-UX IPSec version A.01.06 Administrator's Guide: HP-UX 11i Version 2 > Chapter 4 Using Certificates with HP-UX IPSec

Using Baltimore Certificates

If you are using the Baltimore CA for authentication with IPSec, you must first purchase the Baltimore UniCERT 3.5 package. For more information about any of the prerequisites below, see the documentation you received from Baltimore.

Baltimore Certificate Tasks

To use Baltimore certificates, you must complete the following tasks:

  1. Complete and verify the prerequisite requirements.

  2. Request a Baltimore certificate from the Baltimore CA Administrator and transfer the certificate file to the HP-UX IPSec system. You must do this for each HP-UX IPSec system using Baltimore certificates.

  3. Configure the Baltimore certificate on the HP-UX IPSec system using ipsec_mgr. The ipsec_mgr program will extract information from the certificate file for IPSec.

  4. Configure certificate IDs if you have a multi-homed system or are using certificates to authenticate multi-homed systems or systems from other vendors. This task is described in “Configuring Certificate IDs”.

  5. Configure your system to automatically retrieve the Certificate Revocation List (CRL), or manually retrieve the CRL. This task is described in “Retrieving the Certificate Revocation List (CRL)”.

Step 1: Verifying Prerequisites

NOTE: All HP-UX IPSec systems using Baltimore certificates must have IPv4 addresses. HP-UX IPSec does not support the use of IPv6 addresses with certificates.

Before you request Baltimore certificates for IPSec systems, you must:

  1. Make sure all components of the Baltimore CA are installed and available. See your Baltimore documentation for installation and configuration instructions.

    NOTE: You do not need to install any Baltimore software on the IPSec hosts that will use Baltimore certificates.
  2. Set up the PKI structure on the Baltimore CA host. The PKI structure is a part of the Certificate Authority Operator (CAO) component.

  3. Enable LDAP.

  4. In the CAO->CA Attributes->Certificate CRL and Directory Options tab, be sure that the "IDP Extension on CRLs/ARLs is critical" option is selected.

    NOTE: HP-UX IPSec does not support the use of Certificate Distribution Points (CDPs) with Baltimore certificates.
  5. Set up a policy or policies in the UniCERT CAO component for use when requesting certificates for IPSec hosts. The policy must contain the following fields:

    • IP address (mandatory for HP-UX IPSec systems)

    • DNS (Fully Qualified Domain Name)

    • Key Size: 1024

    • Key Type: RSA

    • Key Usage: Digital Signature

    • Certificate Interval Start

    • Certificate Interval End

    • Common Name

    • Org Unit

    • Organization

    • Country Code

Step 2: Requesting the Baltimore Certificate

Before you configure a Baltimore certificate using ipsec_mgr, you must obtain a PKCS#12 file from the Baltimore Certificate Authority. The Baltimore CA Administrator at your site must use the Face to Face method to request the certificate, and must note certain information during the request and retrieval process. To request a certificate as the Baltimore CA Administrator:

  1. Start the RA component of the UniCERT software. Once it is running, start the RAO component.

  2. On the initial RAO screen, you must choose the Face to Face option.

  3. Choose Register New User to request a new certificate. Next, choose a policy set up for requesting IPSec certificates.

  4. Fill out any fields on the certificate request form that are not defaulted. Click Accept when the request form is complete.

    Make a note of the Distinguished Name fields (common name, organizational unit, organization, and country). The IPSec Administrator may need this information to complete the IPSec configuration.

  5. Choose PKCS#12 as the format for the Secret Key. You must choose this format for certificates used by IPSec.

  6. Create a passphrase for the PKCS#12 file.

    Make a note of this passphrase; the IPSec Administrator will use it to import the certificate into IPSec.

  7. Save the PKCS#12 file (use the p12 extension) with the secret key to disk.

    Make a note of the full path to the PKCS#12 file. Later the IPSec Administrator will need to install this file on the IPSec host.

  8. Later, go back to the RAO and choose Collect Reply from Last Request to retrieve the certificate.

  9. Choose to save the certificate to a File.

  10. Choose PKCS#12 encoded certificate as the format in which to save the certificate.

  11. Save the certificate to the same file in which you saved the request with the secret key.

    The message "Do you want to replace this file?" appears. Select Yes. The file is not replaced; the new information is appended to the original file.

The PKCS#12 file is encrypted and contains key information used by the HP-UX IPSec IKE daemon to register with the Baltimore PKI and perform certificate operations.

NOTE: Once the PKCS#12 file is complete, you must transfer it from its saved location to the IPSec host that will use the certificate. When you save the file to the new location on the IPSec host, be sure to note the full path to the file. This path is necessary to import the certificate into IPSec.

Step 3: Configuring the Baltimore Certificate

Prior to entering information into the Baltimore certificate screens, you must have received a PKCS#12 file from the Baltimore Certificate Authority that includes the CA Certificate, User Private Key, and User Certificate information. In addition, you must have obtained the passphrase used to protect the PKCS#12 file from the Baltimore Administrator. For instructions on obtaining a PKCS#12 file, see “Step 1: Verifying Prerequisites”.

  1. Choose Certificate Authority from the Options menu.

  2. The Certificates tab is enabled on the main ipsec_mgr screen. If the Baltimore window is not already displayed, click the Baltimore tab at the left side of the screen.

  3. Click Import Cert to import the certificate contained in the PKCS#12 file.

    The Baltimore Certificate Import screen appears.

  4. Enter the IP address of the CA provided by the Baltimore CA Administrator into the CA’s IP Address field.

  5. Enter the full path for the PKCS#12 file you received from the Baltimore CA Administrator into the File Name field. You can use the Browse button to locate the PKCS#12 file if you do not know the full path.

  6. Enter the passphrase provided to you by the Baltimore CA Administrator into the Passphrase field. This must be the same passphrase used to secure the PKCS#12 file.

  7. If you plan to use the Baltimore CRL, follow the steps below to fill out the CRL server information. HP recommends that you use the CRL provided by the CA if you choose to use certificates.

    1. Enter the server name or IP address of the LDAP server where the Certificate Revocation List (CRL) for the Baltimore PKI is stored.

    2. Enter the TCP port number used for connecting to the LDAP server where the CRL is stored.

      The standard port number for an LDAP server is 389.

    3. Enter the search base values for the CRL for the CA. The search base is not case sensitive.

      You can obtain the search base values from your LDAP Administrator. The search base is the suffix configured to store all certificates and CRLs in the LDAP directory.

      These values form a path, or part of a path, that is combined with the search filter values to locate the CRL on the LDAP server. Together, the values of the search base and the search filter may form the certificate distinguishedName. If that is the case, the search will be faster.

      The following are examples of search base values. Please note that the syntax of these examples is precise, including delimiting commas between attributes and lack of other punctuation.

      • ou=ipsec, o=hp, c=US

      • o=hp, c=US

      • c=US

    4. Enter the search filter values for the CRL. The search filter is not case sensitive.

      You can obtain search filter values from your LDAP Administrator. These values should form the second part of a path, beginning with the search base, to the location of the CRL on the LDAP server.

      The values of the search base and the search filter may combine to form the certificate distinguishedName (DN). If this is the case, the search will be faster. If the search base and search filter form the DN, they must not overlap. For example, the value o=HP can be a part of the search base value or the search filter value, but not both.

      The following are examples of search filter values. Each example corresponds to the search base example in sub-step 3 above. Please note that the syntax of these examples is precise, including delimiting commas between attributes and lack of other punctuation.

      • cn=unicertpki1

      • cn=unicertpki1, ou=ipsec

      • cn=unicertpki1, ou=ipsec, o=hp

  8. Click OK. The certificate configuration is saved.
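As an added check, not part of the guide or of ipsec_mgr, the following Python snippet composes the search filter and search base from sub-steps 3 and 4 of step 7 into the distinguished name under which the CRL is stored, rejects the overlap case the guide warns about (o=HP in both fields), and confirms that the three example base/filter splits all resolve to the same LDAP entry. The cn=unicertpki1 pairs are constructed from the guide's example lists; real values come from your LDAP Administrator.

```python
import re

# One RDN such as "ou=ipsec": attribute, "=", value (no commas or "=" in the value).
_RDN_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*([^,=]+?)\s*$")


def parse_rdns(text):
    """Split a search base or search filter such as "ou=ipsec, o=hp, c=US" into
    (attribute, value) pairs. Both are lower-cased because ipsec_mgr treats the
    fields as case insensitive. Raises ValueError on malformed syntax, e.g. a
    missing comma between attributes or a trailing comma."""
    rdns = []
    for part in text.split(","):
        m = _RDN_RE.match(part)
        if not m:
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((m.group(1).lower(), m.group(2).lower()))
    return rdns


def compose_crl_dn(search_filter, search_base):
    """Join the search filter (most specific part) and the search base (suffix)
    into the DN of the CRL entry. The two must not share an RDN; if they do,
    the combined path would contain the attribute twice and never match."""
    filt = parse_rdns(search_filter)
    base = parse_rdns(search_base)
    overlap = set(filt) & set(base)
    if overlap:
        attr, val = sorted(overlap)[0]
        raise ValueError("%s=%s appears in both search base and search filter" % (attr, val))
    return ",".join("%s=%s" % rdn for rdn in filt + base)


# Constructed pairs mirroring the guide's search base and search filter examples.
EXAMPLE_PAIRS = [
    ("cn=unicertpki1", "ou=ipsec, o=hp, c=US"),
    ("cn=unicertpki1, ou=ipsec", "o=hp, c=US"),
    ("cn=unicertpki1, ou=ipsec, o=hp", "c=US"),
]


def all_pairs_agree(pairs=EXAMPLE_PAIRS):
    """True when every base/filter split resolves to the same CRL DN."""
    return len({compose_crl_dn(f, b) for f, b in pairs}) == 1


if __name__ == "__main__":
    for f, b in EXAMPLE_PAIRS:
        print(compose_crl_dn(f, b))
```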

Go on to “Configuring Certificate IDs”.

© 2003 Hewlett-Packard Development Company, L.P.