HP-UX AAA Server A.06.02 Administrator's Guide: HP-UX 11i v1 and 11i v2 > Chapter 12 Securing LAN Access With EAP

Digital Certificate Administration

Some security methods (like TLS, TTLS, or PEAP) use digital certificates assigned to each user for authentication. If your organization has a Public Key Infrastructure (PKI), you can deploy digital certificates for user authentication. The following is a list of the certificates involved:

  • Server certificate—digital certificate identifying the server.

  • Server CA certificate—a copy of the certificate for the authority that issued the server certificate.

  • Client certificate—if clients will be authenticated by digital certificates (EAP-TLS), install a certificate on each client and add the client CA to the AAA server’s CA list.

  • Client CA certificate—a copy of the certificate for the authority that issued the client certificate.

NOTE: If you are supporting multiple realms, configure digital certificates after you add all of your realms.

Using the “Self-Signed” Digital Certificates

The HP-UX AAA Server creates a unique set of “self-signed” digital certificates during installation that are based on its DNS name. Server Manager uses these certificates by default. You can use the self-signed certificates in production environments for TTLS and PEAP, and in testing environments for TLS. The self-signed server certificates are in /etc/opt/aaa/security/.

The following is a list of the self-signed certificates located in /etc/opt/aaa/security/:

  • rsa_cert.pem—AAA server certificate

  • rsa_key.pem—AAA server key

  • ca_list.pem—list of client CA certificates

  • demouser.p12—sample client certificate

  • root.cer—CA for AAA server certificate

For TTLS and PEAP

If you are using TTLS or PEAP, the default certificates are safe to deploy in your production environment. The AAA server is its own Certificate Authority. If you are managing multiple AAA servers, you must have the same set of digital certificates on each server in your configuration. Pick one of your AAA servers and copy the set of self-signed digital certificates to every AAA server in the configuration. You should save each AAA server's original self-signed certificates for future use.

  • Copy /etc/opt/aaa/security/root.cer to the CA storage on supplicants that enable server certificate checking.

For TLS

If you are using TLS, use the default certificates to familiarize yourself with TLS certificate administration before you deploy your own enterprise certificates.

  1. Copy /etc/opt/aaa/security/root.cer to the CA storage on the supplicant.

  2. Copy /etc/opt/aaa/security/demouser.p12 to the user certificate storage on the supplicant:

    • the pass phrase for demouser.p12 is: 1234

    • the user name for demouser.p12 is: demouser@eap.realm

  3. Configure a TLS realm for eap.realm on the AAA server.

Installing Your Own Digital Certificates and Keys

You can use your own certificates if your organization has a PKI and you don’t want to use the self-signed certificates included with the AAA server. Refer to the supplicant documentation to determine each supplicant’s specific certificate requirements.

NOTE: HP recommends using the self-signed certificates included with the AAA server to simulate your certificate administration before deploying your own personal certificates in a production environment.

The AAA server has the following digital certificate requirements:

  • all certificate files stored on the AAA server must be in .pem or .cer format

  • the server’s certificate must be generated with a key file that is not encrypted with a pass-phrase

  • For TLS only, the Common Name (CN) on the client certificate is used as the user name and therefore must be fewer than 128 ASCII characters and cannot include the < > ( ) [ ] \ / . , ; : or space characters.

NOTE: Refer to the supplicant documentation to determine each supplicant’s specific certificate requirements. For example, some supplicants require the client and server certificate to have the Enhanced Key Usage (EKU) field. For the client certificate, the Enhanced Key Usage (EKU) field must contain the Client Authentication certificate purpose (OID "1.3.6.1.5.5.7.3.2"); and, for the server certificate, the EKU field must contain the Server Authentication certificate purpose (OID "1.3.6.1.5.5.7.3.1").

Installing Server Certificates and Keys

  1. Copy the server certificate and key file to the /etc/opt/aaa/security/ directory on the AAA server.

  2. If you are using TLS, copy the client CA certificate to the /etc/opt/aaa/security/ directory. You can combine multiple CA files into one file.

  3. For TLS users whose certificates have been revoked, copy or append their certificates to the Certificate Revocation List (CRL) file.

Installing Client Certificates and Keys

  1. Copy the server CA certificate to the client.

  2. Copy the client certificate to the client (for TLS only).

  3. Use your supplicant’s utility to install and configure the certificates.

Defining Certificate Locations on the HP-UX AAA Server

The HP-UX AAA Server uses its self-signed certificates by default. If you want to use your own certificates, you must define where the required certificates reside on the AAA server. The following steps illustrate how to define certificate locations:

  1. In the navigation tree, click Server Properties.

  2. Click Certificate Properties.

    The Certificate Properties pane opens as shown in Figure 12-2 “Server Manager’s Certificate Properties Screen”.

    Figure 12-2  Server Manager’s Certificate Properties Screen

  3. Define the locations to certificates by entering the path, and clicking Create.

    The following list explains how to enter the path names in these fields:

    • Server Certificate Path: For TLS, TTLS, and PEAP. Enter the fully-qualified file name to the AAA server certificate in .pem or .cer format.

    • Server Private Key Path: Enter the fully-qualified file name to a file in .pem or .cer format that contains the private key used to generate the AAA server certificate. This file cannot be encrypted.

    • Client Certificate Authority Path: For TLS only. Enter the fully-qualified file name to the CA certificate for the client certificate. Used by the AAA server to authenticate client certificates. The CA certificate for the client certificate must be in .pem format.

    • Random Seed Path: For TLS, TTLS, and PEAP. Enter the fully-qualified file name containing any random data used to seed the random engine for TLS based EAP mechanisms. This file can contain any random data.

    • Certificate Revocation List Path: For TLS. Enter the fully-qualified file name to a list of prohibited client certificates. File must be in .pem or .cer format.

    • Client User Name Attribute: Used for EAP-TLS based authentication. Identifies the attribute in the user digital certificate to retrieve the user’s name. This must match the user name configured on the supplicant (client) software. The HP-UX AAA Server then checks the user name in the certificate against the user name supplied in the EAP-TLS authentication request. Select “Disable” to disable this check. You can select any one of the following attribute values:

      • Subject:CommonName (default) - Use the CommonName (CN) in the Subject attribute

      • Subject:EmailAddress - Use the Email Address (E) in the Subject attribute

      • SubjectAltName:RFC822Name - Use the RFC822Name in the SubjectAltName attribute

      • Check All Attributes - Search all the above three fields for a matching name

      • Disabled - Ignore comparing User name with Certificate name
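The following is an added example (not HP's code) that implements the two EAP-TLS user-name rules this page states: the CN constraints from the certificate requirements list (fewer than 128 ASCII characters, no < > ( ) [ ] \ / . , ; : or space) and the Client User Name Attribute matching modes from the list above. It assumes the certificate fields have already been extracted into a plain dict (constructed here; a deployment would read them from the client certificate with openssl or an X.509 library) and that the comparison is exact and case-sensitive.

```python
# Added example (not HP's code): the EAP-TLS user-name rules this page states,
# the CN constraints and the Client User Name Attribute matching modes. The
# certificate fields are a dict constructed here; a deployment would extract
# them from the client certificate with openssl or an X.509 library.

# Characters the guide says may not appear in a CN used as a user name.
FORBIDDEN_CN_CHARS = set('<>()[]\\/.,;: ')
MAX_CN_LEN = 128  # the CN must be fewer than 128 ASCII characters

def cn_problems(cn):
    """Return the reasons (empty list if none) a CN is unusable as a user name."""
    problems = []
    if not cn.isascii():
        problems.append("non-ASCII character present")
    if len(cn) >= MAX_CN_LEN:
        problems.append("%d characters, must be fewer than %d" % (len(cn), MAX_CN_LEN))
    bad = sorted(set(cn) & FORBIDDEN_CN_CHARS)
    if bad:
        problems.append("forbidden characters: %r" % "".join(bad))
    return problems

# Option names are those on the Certificate Properties pane; the values are
# the certificate fields each option reads.
MODE_FIELDS = {
    "Subject:CommonName": ("subject_cn",),
    "Subject:EmailAddress": ("subject_email",),
    "SubjectAltName:RFC822Name": ("san_rfc822",),
    "Check All Attributes": ("subject_cn", "subject_email", "san_rfc822"),
}

def user_name_matches(cert, eap_identity, mode="Subject:CommonName"):
    """Apply the Client User Name Attribute check: True if the identity from
    the EAP-TLS request equals the selected certificate field (any of the
    three for "Check All Attributes"); "Disabled" skips the comparison."""
    if mode == "Disabled":
        return True
    if mode not in MODE_FIELDS:
        raise ValueError("unknown Client User Name Attribute: %r" % mode)
    # Assumption: an exact, case-sensitive comparison; verify against your server.
    return any(cert.get(field) == eap_identity for field in MODE_FIELDS[mode])

# Constructed sample resembling the bundled demouser client certificate.
SAMPLE_CERT = {
    "subject_cn": "demouser",
    "subject_email": "demouser@eap.realm",
    "san_rfc822": "demouser@eap.realm",
}
```

With the default Subject:CommonName mode, an EAP identity of demouser@eap.realm does not match SAMPLE_CERT, while Check All Attributes accepts it through the e-mail fields.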

© 2001-2005 Hewlett-Packard Development Company, L.P.