If you are using the Baltimore CA for authentication with
IPSec, you must first purchase the Baltimore UniCERT 3.5 package.
For more information about any of the prerequisites below, see the
documentation you received from Baltimore.

Baltimore Certificate Tasks

To use Baltimore certificates, you must complete the following tasks:

1. Complete and verify the prerequisite requirements.

2. Request a Baltimore certificate from the Baltimore CA Administrator and
   transfer the certificate file to the HP-UX IPSec system. You must do this
   for each HP-UX IPSec system that uses Baltimore certificates.

3. Configure the Baltimore certificate on the HP-UX IPSec system using
   ipsec_mgr. The ipsec_mgr program extracts the information IPSec needs
   from the certificate file.

4. Configure authentication records with IKE IDs. This task is described in
   “Configuring Authentication Records with IKE IDs”.

5. Configure your system to retrieve the Certificate Revocation List (CRL)
   automatically, or retrieve the CRL manually. This task is described in
   “Retrieving the Certificate Revocation List (CRL)”.
Step 2: Requesting the Baltimore Certificate

Before you configure a Baltimore certificate using ipsec_mgr, you must
obtain a PKCS#12 file from the Baltimore Certificate Authority. The
Baltimore CA Administrator at your site must use the Face to Face method
to request the certificate, and must note certain information during the
request and retrieval process. To request a certificate as the Baltimore
CA Administrator:

1. Start the Registration Authority (RA) component of the UniCERT
   software. Once it is running, start the Registration Authority
   Operator (RAO) component.

2. On the initial RAO screen, choose the Face to Face option.

3. Choose Register New User to request a new certificate.

4. Choose a policy set up for requesting IPSec certificates.

5. Fill out any fields on the certificate request form that are not
   defaulted. Click Accept when the request form is complete.

6. Make a note of the IP Address and Distinguished Name fields (common
   name, organizational unit, organization, and country). If this is a
   multihomed system, you will specify the IP Address value as the local
   ID when you configure authentication records. You may also need the
   Distinguished Name information to complete the IPSec configuration.

7. Choose PKCS#12 as the format for the Secret Key. You must choose this
   format for certificates used by IPSec.

8. Create a passphrase for the PKCS#12 file. Make a note of this
   passphrase; the IPSec Administrator must specify it to import the
   certificate into IPSec.

9. Save the PKCS#12 file (use the p12 extension) with the secret key to
   disk. Make a note of the full path to the PKCS#12 file. Later, the
   IPSec Administrator will need to install this file on the IPSec host.

10. Later, go back to the RAO and choose Collect Reply from Last Request
    to retrieve the certificate.

11. Choose to save the certificate to a File.

12. Choose PKCS#12 encoded certificate as the format in which to save the
    certificate.

13. Save the certificate to the same file in which you saved the request
    with the secret key. The message Do you want to replace this file
    appears. Select Yes. The file is not replaced; the new information
    is appended to the original file.

The PKCS#12 file is encrypted and contains the key information used by the
HP-UX IPSec IKE daemon to register with the Baltimore PKI and perform
certificate operations.

NOTE: Once the PKCS#12 file is complete, you must transfer it from its
saved location to the IPSec host that will use the certificate. Because
the file contains the host's private key, protect it in transit and delete
any copies left on the CA workstation after the import succeeds. When you
save the file to the new location on the IPSec host, be sure to note the
full path to the file. This path is necessary to import the certificate
into IPSec.
Step 3: Configuring the Baltimore Certificate

Before entering information into the Baltimore certificate screens, you
must have received from the Baltimore Certificate Authority a PKCS#12 file
that includes the CA Certificate, User Private Key, and User Certificate.
You must also have, from the Baltimore Administrator, the passphrase used
to protect the PKCS#12 file. For instructions on obtaining a PKCS#12 file,
see “Step 2: Requesting the Baltimore Certificate”.

1. Start ipsec_mgr, the IPSec Manager configuration GUI. Enter the
   following command from the HP-UX prompt:

   ipsec_mgr

   Do not run ipsec_mgr as a background process. ipsec_mgr prompts for the
   HP-UX IPSec password before starting the GUI. If no password has been
   set, you must create one using the ipsec_admin -newpasswd command. See
   Chapter 2 “Installing HP-UX IPSec”, “Step 3: Setting the HP-UX IPSec
   Password” for instructions.

   Using a Remote Display Device. The ipsec_mgr configuration GUI requires
   a graphical display device. If you are using a remote graphical display
   device, be sure that you:

   - Set the DISPLAY environment variable to your display device. For
     example, if you are using the Korn shell, the command is:

     export DISPLAY=display_device:0.0

   - Execute the ipsec_mgr program from the system console.

2. If the Baltimore window is not already displayed, click the Baltimore
   tab at the left side of the screen.

3. Click Import Cert to import the certificate contained in the PKCS#12
   file. The Baltimore Certificate Import screen appears.

4. Enter the IP address of the CA, as provided by the Baltimore CA
   Administrator, into the CA's IP Address field.

5. Enter the full path of the PKCS#12 file you received from the Baltimore
   CA Administrator into the File Name field. You can use the Browse
   button to locate the PKCS#12 file if you do not know the full path.

6. Enter the passphrase provided to you by the Baltimore CA Administrator
   into the Passphrase field. This must be the same passphrase used to
   secure the PKCS#12 file.

7. If you plan to use the Baltimore CRL, follow the steps below to fill
   out the CRL server information. HP recommends that you use the CRL
   provided by the CA if you choose to use certificates; without a CRL,
   IKE has no way to learn that a peer's certificate has been revoked.

   a. Enter the server name or IP address of the LDAP server where the
      Certificate Revocation List (CRL) for the Baltimore PKI is stored.

   b. Enter the TCP port number used for connecting to the LDAP server
      where the CRL is stored. The standard port number for an LDAP
      server is 389.

   c. Enter the search base values for the CRL for the CA. The search
      base is not case sensitive. You can obtain the search base values
      from your LDAP Administrator. The search base is the suffix
      configured to store all certificates and CRLs in the LDAP
      directory. These values form a path, or part of a path, which
      combined with the search filter values gives the location of the
      CRL on the LDAP server. The values of the search base and the
      search filter may together form the certificate distinguishedName;
      if they do, the search is faster. The following are examples of
      search base values. The syntax of these examples is precise,
      including delimiting commas between attributes and no other
      punctuation.

   d. Enter the search filter values for the CRL. The search filter is
      not case sensitive. You can obtain the search filter values from
      your LDAP Administrator. These values form the second part of the
      path, beginning after the search base, to the location of the CRL
      on the LDAP server. The values of the search base and the search
      filter may combine to form the certificate distinguishedName (DN);
      if they do, the search is faster. If the search base and search
      filter form the DN, they must not overlap. For example, the value
      o=HP can be part of the search base value or part of the search
      filter value, but not both. The following are examples of search
      filter values. Each example corresponds to the search base example
      in step c. The syntax of these examples is precise, including
      delimiting commas between attributes and no other punctuation.

      cn=unicertpki1, ou=ipsec, o=hp

8. Click OK. The certificate configuration is saved.
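The CRL search base and search filter entered above are joined into a single distinguished name, and the rule that the two must not overlap is easy to break when the values arrive from two different administrators. The following Python is an added example, not code from the HP-UX IPSec product or its documentation: it parses both values as comma-separated attribute=value pairs, rejects any RDN that appears in both, composes the DN, and builds an ldapsearch command line for fetching the CRL by hand before relying on IKE to retrieve it. It assumes that the search filter followed by the search base forms the DN of the CRL entry, that the page's example cn=unicertpki1, ou=ipsec, o=hp splits into the base ou=ipsec, o=hp and the filter cn=unicertpki1 (an assumed split), and that the OpenLDAP ldapsearch client is available; ldap.example.com is a placeholder host.

```python
"""Check the CRL search base and search filter before typing them into
ipsec_mgr, and build an ldapsearch command that reads the CRL the same way.
Added example; not HP-UX IPSec code. Assumptions: each value is a
comma-separated list of attribute=value pairs, the filter followed by the
base is the DN of the CRL entry, and OpenLDAP's ldapsearch is installed."""
import re
import shlex

# One relative distinguished name: attribute type, '=', value.
RDN_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.+?)\s*$")


def parse_rdns(value):
    """Split 'cn=unicertpki1, ou=ipsec, o=hp' into
    [('cn', 'unicertpki1'), ('ou', 'ipsec'), ('o', 'hp')].
    Both fields are case-insensitive, so they are lower-cased for
    comparison. Values containing an escaped comma are not handled."""
    rdns = []
    for part in value.split(","):
        m = RDN_RE.match(part)
        if m is None:
            raise ValueError("not an attribute=value pair: %r in %r" % (part, value))
        rdns.append((m.group(1).lower(), m.group(2).lower()))
    return rdns


def crl_dn(search_base, search_filter):
    """Return the DN of the CRL entry: search filter first, then search
    base. Raise ValueError if any RDN appears in both, which the page
    forbids (o=HP may be in one of them, never both)."""
    base = parse_rdns(search_base)
    filt = parse_rdns(search_filter)
    overlap = set(base) & set(filt)
    if overlap:
        dup = ", ".join("%s=%s" % rdn for rdn in sorted(overlap))
        raise ValueError("RDN(s) in both search base and search filter: " + dup)
    return ",".join("%s=%s" % rdn for rdn in filt + base)


def check_port(port):
    """Validate the LDAP TCP port; 389 is the standard value."""
    if not 1 <= port <= 65535:
        raise ValueError("LDAP port out of range: %d" % port)
    return port


def ldapsearch_command(host, port, search_base, search_filter):
    """Shell command for a manual CRL fetch: a base-scope read of the CRL
    entry's certificateRevocationList attribute (assumes OpenLDAP ldapsearch)."""
    dn = crl_dn(search_base, search_filter)
    argv = ["ldapsearch", "-x", "-H", "ldap://%s:%d" % (host, check_port(port)),
            "-s", "base", "-b", dn, "(objectClass=*)",
            "certificateRevocationList;binary"]
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    # Constructed sample: the page's example DN split into base and filter
    # (an assumed split), plus a placeholder LDAP server.
    base, filt = "ou=ipsec, o=hp", "cn=unicertpki1"
    print("CRL entry DN:", crl_dn(base, filt))
    print(ldapsearch_command("ldap.example.com", 389, base, filt))
    try:
        crl_dn("o=hp", "cn=unicertpki1, ou=ipsec, o=hp")  # o=hp on both sides
    except ValueError as e:
        print("rejected:", e)
```

Run the ldapsearch command it prints from the IPSec host itself, so that the check exercises the same network path the IKE daemon will use; an empty result means the base/filter split does not name the CRL entry, and a connection failure points at the server name or port rather than the DN.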
Go on to “Configuring Authentication
Records with IKE IDs”.