HP-UX IPSec version A.02.00 Administrator's Guide: HP-UX 11i version 1 and HP-UX 11i version 2 > Chapter 4 Using Certificates with HP-UX IPSec

Using VeriSign Certificates


Overview

There are three main components in the VeriSign Managed PKI architecture.

  • A VeriSign Managed PKI Certificate Authority (CA), which is located at a VeriSign data center and administered by VeriSign. The Managed PKI CA creates and manages certificates and Certificate Revocation Lists (CRLs). The VeriSign Managed PKI CA is accessed through the VeriSign Managed PKI Control Center website.

  • A local Managed PKI Administrator, a person located at your site who uses the VeriSign Managed PKI Control Center website to approve client certificate requests and can ask the Managed PKI CA to revoke a client's certificate.

  • Clients located at your site who request, get and use certificates. For HP-UX IPSec, a client is a system that uses a certificate-based primary authentication method for IKE, such as RSA signatures. Each system must request and get a certificate before starting the HP-UX IPSec subsystem that uses certificate-based authentication.

    To perform this task, use the ipsec_mgr program to request and receive certificates from the Managed PKI CA. The ipsec_mgr program will send the requests to the Managed PKI CA through the Managed PKI Control Center website.

The general data flow between these components is listed below and shown in Figure 4-1 “VeriSign PKI Data Flow”.

  1. The IPSec administrator requests a VeriSign certificate using the ipsec_mgr program. The ipsec_mgr program sends a certificate request on behalf of HP-UX IPSec to the Managed PKI CA via the Managed PKI Control Center website.

  2. The Managed PKI CA sends a Notify for Request message to the local Managed PKI Administrator at the customer site. This message notifies the Managed PKI Administrator that the client (the HP-UX IPSec system) is requesting a certificate. The Notify for Request message is typically sent using a secure email message.

  3. The local Managed PKI Administrator uses a web browser to visit the Managed PKI Control Center website and approve the certificate request. This sends an Approve Request message to the Managed PKI CA.

  4. The IPSec administrator requests ipsec_mgr to check on the certificate request. The ipsec_mgr program sends a message to the Managed PKI Control Center to retrieve the certificate.

  5. The Managed PKI CA sends the certificate to ipsec_mgr. The ipsec_mgr program stores the certificate and associated information in files for HP-UX IPSec to use.

Figure 4-1 VeriSign PKI Data Flow


VeriSign Certificate Tasks

To use VeriSign certificates, you must complete the following tasks:

  1. Complete and verify the prerequisite requirements.

  2. Configure web proxy server parameters if you will use a web proxy to access the VeriSign Managed PKI Control Center. You must do this on each HP-UX IPSec system using VeriSign certificates.

  3. Register the Managed PKI Administrator. You only need to do this once, regardless of the number of IPSec systems using VeriSign certificates.

  4. Request and retrieve a VeriSign certificate. You must do this on each HP-UX IPSec system using VeriSign certificates.

  5. Configure authentication records with IKE IDs. This task is described in “Configuring Authentication Records with IKE IDs”.

  6. Configure your system to automatically retrieve the Certificate Revocation List (CRL), or manually retrieve the CRL. This task is described in “Retrieving the Certificate Revocation List (CRL)”.

Step 1: Verifying Prerequisites

Prior to configuring the HP-UX IPSec product with VeriSign certificate authentication, you will need to:

  1. Purchase the VeriSign Managed PKI product from VeriSign (www.verisign.com).

  2. Assign a local VeriSign Managed PKI Administrator.

  3. Ensure that the system used by the VeriSign Managed PKI Administrator meets the VeriSign hardware and software requirements listed below. For the very latest VeriSign hardware and software requirements, check the VeriSign Managed PKI documentation.

    • Netscape or Internet Explorer browser version 4.0 or later, enabled for secure HTTP (HTTPS, that is, HTTP over SSL)

    • E-mail or browser application that supports the S/MIME protocol

  4. Receive the security certificate for the Managed PKI Administrator from VeriSign. Install the certificate on the system used by the Managed PKI Administrator, as described in the VeriSign documentation.

  5. Verify that the HP-UX IPSec systems and the system used by the VeriSign Managed PKI Administrator can exchange HTTP packets with the VeriSign Managed PKI Control Center. Depending on your network topology and access to external sites, this can be done with a web proxy server or with direct access to the VeriSign Managed PKI Control Center website.

    If you will use a web proxy server, get the following information about the proxy server:

    • Hostname of the proxy server

    • Port number on which the proxy server receives internal requests

    • User name for the proxy server, if the proxy server requires user name and password authentication

    • Password for the proxy server, if the proxy server requires user name and password authentication

Step 2: Configuring Web Proxy Server Parameters

If you need to use a web proxy server to access the VeriSign Managed PKI Control Center, use the following procedure to configure web proxy server information for ipsec_mgr.

  1. Start ipsec_mgr, the IPSec Manager configuration GUI. Enter the following command from the HP-UX prompt:

    ipsec_mgr

    Do not run ipsec_mgr as a background process: ipsec_mgr prompts for the HP-UX IPSec password on the terminal before starting the GUI, and a backgrounded process cannot answer the prompt.

    If no password has been set, you must create one using the ipsec_admin -newpasswd command. See Chapter 2 “Installing HP-UX IPSec ”, “Step 3: Setting the HP-UX IPSec Password” for instructions.

    Using a Remote Display Device. The ipsec_mgr configuration GUI requires a graphical display device. If you are using a remote graphical display device, be sure that you:

    • Set the DISPLAY environment variable to your display device. For example, if you are using the Korn shell, the command is:

            export DISPLAY=display_device:0.0

    • Execute the ipsec_mgr program from the system console.

  2. Click on the Options menu. Select System, then Proxy Information.

    The Proxy Server Settings window opens.

    Complete the fields with the parameters for your web proxy server:

    1. Local Hostname: hostname of the proxy server

    2. Local Port: port number on which the proxy server accepts requests from internal clients (for example 80, the IANA-registered HTTP port; many proxies listen on another port such as 8080, so use the value your proxy administrator gave you)

    3. User Name: the user name for the proxy server, if the proxy server requires user name and password authentication

    4. Password: the password for the proxy server, if the proxy server requires user name and password authentication

  3. Click OK. The ipsec_mgr program saves the proxy server settings.

Step 3: Registering the Administrator

The VeriSign Managed PKI Administrator registers with VeriSign through the URL that VeriSign provides for a VeriSign Managed PKI Control Center. Follow the instructions provided by VeriSign, with the following additional provisions.

  1. Record the DNS domain name entered in the Administrator's application. The IPSec Administrator must enter the same DNS domain name in the ipsec_mgr GUI when requesting a certificate.

    (The DNS domain name in the Administrator's application determines the domain for which the Managed PKI Administrator can approve and revoke certificates.)

  2. The number of certificates must be at least the number of IPSec systems that will use certificate-based primary authentication for IKE (such as RSA signatures); each system needs one certificate.

Step 4: Requesting and Receiving Certificates

Each HP-UX IPSec system that will use a certificate-based primary authentication method for IKE must request and get its own certificate before starting the HP-UX IPSec subsystem.

Make sure the number of certificates accommodates the number of HP-UX IPSec systems using VeriSign for IKE primary authentication. Each system needs only one certificate for HP-UX IPSec, even if the system has multiple IP addresses.

To request and receive a VeriSign certificate with HP-UX IPSec:

  1. If the VeriSign screen is not already displayed, click the VeriSign tab on the left side of the screen.

  2. Click Request Certificate in the lower-left corner of the Certificates screen. The Request Certificate screen appears.

  3. Enter the interface IP address for the certificate being created in the IP Address field. The default is the first IP address ipsec_mgr finds for the local system.

    The IP address specified in this field is placed in the subjectAltName extension of the local system's certificate (as an iPAddress entry).

    Make a note of the address specified in this field. You will use this address as the local ID when you configure authentication records.

  4. Enter the Local Hostname for the certificate.

  5. Enter the Domain Name for the certificate.

  6. Enter the Size of the certificate (the size, in bits, of the key pair generated for the certificate).

  7. Enter the CA Server Address you received from VeriSign.

  8. Click OK. Your request is automatically sent to VeriSign for processing.

  9. When the request for the certificate is made, the GUI displays a message window: “Your certificate request is pending.”

    In addition, the Request Certificate button changes to Check on Request.

  10. The local Managed PKI Administrator receives an email notification that a client has requested a certificate.

  11. The Managed PKI Administrator uses the VeriSign Managed PKI Control Center website to process the request by selecting Process Requests from the Certificate Management menu. The Managed PKI Administrator can approve or reject the request.

  12. After the Managed PKI Administrator has approved the certificate request and the Managed PKI Control Center has processed the approval, click the Check on Request button on the Certificate screen. (The address information in the original guide's screen image of this step was obscured for publication.)

    The ipsec_mgr program retrieves the certificate from the Managed PKI Control Center if the request was granted. The Check on Request button changes back to Request Certificate.

    If there is a problem with the certificate, ipsec_mgr displays the message “Your request has been rejected” in a new window.

  13. The certificate is downloaded to the client system and added to the file /var/adm/ipsec/certs.txt by the ipsec_mgr program.
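    The IP address placed in the subjectAltName is the value you must later use as the local ID in the authentication records, so it is worth confirming that the certificate ipsec_mgr stored actually carries it. The following checker is an added example, not code from the original guide or from HP-UX IPSec: it parses the PEM certificate blocks in a file such as /var/adm/ipsec/certs.txt with only the Python standard library (no cryptography package needed on an HP-UX box), walks the DER structure to the subjectAltName extension and reports whether a given local ID appears as an iPAddress entry. It assumes certs.txt holds PEM-encoded certificates; the build_sample_certs_txt helper constructs an unsigned stand-in certificate so the check can be exercised offline.

```python
"""Check that a retrieved IPSec certificate carries the IKE local ID in its
subjectAltName. Standard library only (added example, not HP-UX IPSec code)."""
import base64
import ipaddress
import re

SAN_OID = b"\x55\x1d\x11"          # DER content of OID 2.5.29.17 (subjectAltName)
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der(tag, content):
    """Minimal DER TLV encoder, used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def san_ip_addresses(cert_der):
    """Return the iPAddress entries of the subjectAltName extension as strings."""
    _, cert, _ = read_tlv(cert_der, 0)           # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)                # tbsCertificate ::= SEQUENCE
    pos = 0
    while pos < len(tbs):
        tag, val, pos = read_tlv(tbs, pos)
        if tag != 0xA3:                          # extensions are [3] EXPLICIT
            continue
        _, exts, _ = read_tlv(val, 0)            # Extensions ::= SEQUENCE OF Extension
        epos = 0
        while epos < len(exts):
            _, ext, epos = read_tlv(exts, epos)  # Extension ::= SEQUENCE
            tag, oid, p = read_tlv(ext, 0)       # extnID OBJECT IDENTIFIER
            tag, val, p = read_tlv(ext, p)
            if tag == 0x01:                      # optional critical BOOLEAN
                tag, val, p = read_tlv(ext, p)
            if oid != SAN_OID:
                continue
            _, names, _ = read_tlv(val, 0)       # extnValue OCTET STRING wraps GeneralNames
            ips, npos = [], 0
            while npos < len(names):
                ntag, nval, npos = read_tlv(names, npos)
                if ntag == 0x87 and len(nval) in (4, 16):   # [7] iPAddress, v4 or v6
                    ips.append(str(ipaddress.ip_address(nval)))
            return ips
    return []


def pem_certificates(text):
    """DER bytes for every PEM certificate block in text (assumes certs.txt is PEM)."""
    return [base64.b64decode("".join(m.group(1).split()))
            for m in PEM_RE.finditer(text)]


def local_id_matches(certs_text, local_id):
    """True if some certificate in the file lists local_id (an IP address) in its SAN."""
    want = str(ipaddress.ip_address(local_id))
    return any(want in san_ip_addresses(d) for d in pem_certificates(certs_text))


def build_sample_certs_txt(ip):
    """Constructed, unsigned stand-in for /var/adm/ipsec/certs.txt so the checker
    can run offline; a real file is written by ipsec_mgr."""
    san = der(0x30, der(0x87, ipaddress.ip_address(ip).packed))
    ext = der(0x30, der(0x06, SAN_OID) + der(0x04, san))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))     # [0] version v3
                    + der(0x02, b"\x01")              # serialNumber (fake)
                    + der(0xA3, der(0x30, ext)))      # [3] extensions
    cert = der(0x30, tbs)                             # signature fields omitted
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    sample = build_sample_certs_txt("192.0.2.10")
    print(san_ip_addresses(pem_certificates(sample)[0]))  # ['192.0.2.10']
    print(local_id_matches(sample, "192.0.2.10"))         # True
```

On a real system, run local_id_matches against the contents of /var/adm/ipsec/certs.txt and the address you noted in step 3; where OpenSSL is installed, `openssl x509 -in cert.pem -noout -text` shows the same X509v3 Subject Alternative Name extension for a single PEM certificate. The parser walks the certificate structure rather than searching the raw bytes for the OID, so a matching byte pattern inside a key or signature cannot produce a false hit.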

Go on to “Configuring Authentication Records with IKE IDs”.

© 2004 Hewlett-Packard Development Company, L.P.