Using Microsoft Certificates with HP-UX IPSec A.03.00

Transcription

1 Using Microsoft Certificates with HP-UX IPSec A Introduction... 2 Related documentation... 2 Multi-tier PKI topology... 2 Configuration tasks... 4 Single-tier PKI topology with a standalone CA... 4 Configuration tasks... 4 Configuring the root and subordinate CAs... 4 Configuring the root CA... 4 Configuring the intermediate CAs... 5 Configuring the issuing CAs... 7 Configuring certificate services for IPsec on the issuing CAs... 8 Obtaining host certificates for IPsec... 8 Using ipsec_config to obtain host certificates... 8 Using the Microsoft Certificate Services web interface to obtain host certificates Exporting the certificate and keys Configuring HP-UX IPSec Loading the host certificate Loading the CA certificates and CRLs Multi-Tier PKI requirement Loading the CA Certificates from files Loading the CRLs from files Loading the CA certificates from the Active Directory Server Loading the CRLs from the Active Directory Server Configuring host policies Configuring authentication records Configuring IKE policies Verifying the configuration Configuring a cron job to retrieve the CRL... 16

2 Introduction This document describes how to configure an HP-UX IPSec A system to use certificates issued by a Microsoft Windows certification authority (CA) for IPsec. You can use the certificates for Internet Key Exchange (IKE) authentication with other HP-UX systems or with Microsoft Windows systems. The intended audience for this document is a network security administrator who is familiar with Microsoft Windows Server 2003 PKIs, Microsoft Windows Active Directories, the HP-UX IPSec product, and the IP Security protocol suite. Related documentation To configure the PKI, HP used procedures described in the Microsoft document Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure. This document is hereafter referred to as the Microsoft PKI document. This document is available at the following website: To configure certificate services on the Microsoft CAs, HP used procedures described in the Microsoft document How to create offline L2TP/IPSec Certificates. This document is available at the following website: For general information about configuring HP-UX IPSec, see the HP-UX IPSec A Administrator's Guide. This document is available from the HP Technical Documentation website at For information about configuring Microsoft Windows security policies to operate with HP-UX IPSec, see Configuring Microsoft Windows IP Security to Operate with HP-UX IPSec and Configuring Microsoft Windows Vista and Windows Server 2008 to Operate with HP-UX IPSec. These documents are available from the HP Technical Documentation website at Multi-tier PKI topology The multi-tier PKI topology used in for the procedures in this document has the following CAs: Root CA (IPSecRootCA) The root CA is a stand-alone CA (not a member of an Active Directory domain). In this example, the root CA is offline (not connected to the network). Intermediate CAs (IPSecIntermCA1 and IPSecIntermCA2) The intermediate CAs are subordinates of the root CA (their certificates are issued by the root CA). Intermediate CAs are sometimes referred to as policy CAs because they are often used to implement or distinguish differences in security policies needed by different groups. In this example, the intermediate CAs are standalone CAs and are offline. Issuing CAs (IPSecEntCA1 and IPEntCA2) Issuing CAs issue certificates for end entities, such as systems or users. In this example, the issuing CAs issue certificates for the systems to use for IPsec authentication. The issuing CAs are connected to the network and clients can use a web interface to request certificates. In this example, each issuing CA is an enterprise CA. An enterprise CA is member of an Active Directory domain. All CAs have Microsoft Windows Server 2003 Enterprise edition installed with Service Pack 2 (SP). 2

3 The clients use certificates issued by the issuing CAs for IPsec IKE authentication. The client host1 is an HP-UX system with HP-UX IPSec A installed. The client host2 is a Microsoft Windows XP system with Service Pack 2 (SP2) installed. NOTE: When using a multilevel or multitier PKI topology, the HP-UX IPSec version must be A or later. HP-UX IPSec version A does not support multilevel PKIs but is compatible with Microsoft Windows enterprise CAs. Figure 1 shows the PKI topology and the IPsec hosts. Figure 1. PKI Topology with IPsec Hosts The hpent1 system (the IPSecEntCA1 CA) is configured as a member of the following Active Directory domain: dc=hp-ad1,dc=hpipsec,dc=hp,dc=com This is also the Active Directory forest root domain. The hpent2 system (the IPSecEntCA2 CA) is configured as a member of the following Active Directory domain: dc=hp-ad2,dc=hpipsec,dc=hp,dc=com 3

4 Configuration tasks Complete the following tasks to configure a multi-tier PKI for use with HP-UX IPSec: Configure the root and subordinate CAs. See Configuring the root and subordinate CAs. Configure certificate services for IPsec on the issuing CAs. See Configuring certificate services for IPsec on the issuing CAs. Obtain certificates for the IPsec systems. See Obtaining host certificates for IPsec. Configure HP-UX IPSec to use the certificates. See Configuring HP-UX IPSec. Single-tier PKI topology with a standalone CA The single-tier PKI topology has one standalone root CA. The HP-UX system and other clients use certificates issued by the root CA. By default, the CA does not publish its certificate or CRL to an Active Directory server. Configuration tasks The tasks for configuring a single-tier PKI topology with a standalone CA for with HP-UX IPSec are a subset of the tasks used to implement a multi-tier PKI topology. The tasks are as follows: Configure the root CA as described in Configuring the root CA. Obtain host certificates as described in Using ipsec_config to obtain host certificates. Configure HP-UX IPSec as described in Configuring HP-UX IPSec. If the CA does not publish the CA certificate and CRL are in an Active Directory or other LDAP directory, you must load these objects from files as described in Loading CA Certificates from files and Loading CRLs from files. You must also configure the host certificate, host policies, authentication records, and IKE policies as needed. Skip the following procedures: Configuring the intermediate CAs Configuring the issuing CAs Configuring certificate services (standalone CAs cannot use certificate templates) Configuring the root and subordinate CAs This section describes the tasks needed to configure the CAs. The CAs configured are as follows: Root CA Intermediate CAs Issuing CAs If you are implementing a single-tier PKI topology, use the procedure in Configuring the root CA. Skip the procedures in Configuring the intermediate CA and Configuring the issuing CA. Configuring the root CA HP used the procedure described for configuring a standalone root CA in the Microsoft PKI document to configure the root CA with the common name (CN) IPSecRootCA. The major steps and notes for these steps are as follows: 1. Prepare the CAPolicy.inf file. 4

5 HP used the sample CAPolicy.inf file provided in the Microsoft PKI document without modifications. Save this file in %Systemroot%\CAPolicy.inf. 2. Install the offline root CA software components. HP used the Microsoft Components Wizard to install the CertificateServices components. HP did not install Internet Information Services (IIS) for web enrollment support. For CA Type, select Stand-alone root CA. For CA Identifying Information, HP specified the following data: Common name for this CA: IPSecRootCA Distinguished name suffix: dc=hp-ad1,dc=hpipsec,dc=hp,dc=com Because the CA type is Stand-alone root CA, the Wizard creates a self-signed certificate as part of the installation process. 3. Verify the root CA certificate. Enter the certutil ca.cert filename command to save the certificate to a file, where filename is the name of the CA certificate file, such as IPSecRootCA.cer. Make a note of the file name; you will need it in later steps. Enter the certutil.exe filename command to display the contents of the CA certificate file. 4. Verify the root CA configuration information using the certutil cainfo command. 5. Configure the root CA. HP used the sample script for configuring a corporate root CA in the Microsoft PKI document with the following modifications: myadnamingcontext: The value for myadnamingcontext must be set to the namespace of the forest root domain. This value is used to set or map the Active Directory namespace for the CRL location and is used when the CRL is published. HP set this value as follows: SET myadnamingcontext=dc=hp-ad1,dc=hpipsec,dc=hp,dc=com myhttppkivroot: HP set this value as follows: SET myhttppkivroot= HP did not specify a value for the myldapserver variable. Configuring the intermediate CAs HP used the procedure described for configuring a standalone offline intermediate CA in the Microsoft PKI document. HP configured two intermediate CAs with the CNs IPSecIntermCA1 and IPSecIntermCA2. The major steps and notes for these steps are as follows: 1. Prepare the CAPolicy.inf file for the intermediate CA. HP used the sample CAPolicy.inf file provided for intermediate CAs in the Microsoft PKI document without modifications. 2. Obtain the certificate and CRL from the root CA. HP used the procedure described in the Microsoft PKI document for this task. On the root CA, HP used the certutil -ca.cert filename command and the certutil GetCRL filename command to copy the root CA certificate and CRL to removable media. 5

6 3. Import the Root CA certificate and CRL into the intermediate CA. HP used a batch file containing certutil addstore f Root commands for this task as described in the Microsoft PKI document. 4. Verify the Root CA certificate on the intermediate CA. HP used the certutil -verifystore root command to complete this task. 5. Install the Offline Intermediate CA Software Components HP used the Microsoft Components Wizard to install the Certificate Services components. For CA type, select Stand-alone subordinate CA. For CA Identifying Information, HP specified the following data: Common name for this CA: IPSecIntermCA1 (on the second intermediate CA, specify IPSecIntermCA2) Distinguished name suffix: dc=hp-ad1,dc=hpipsec,dc=hp,dc=com. The Wizard creates a certificate request for the intermediate CA and saves it to a file as part of the installation process. 6. Process the certificate request on the Root CA. Transfer the certificate request file to the root CA. On the root CA, process the certificate request to create a certificate for the intermediate CA. HP used the Microsoft Management Console (MMC) snap-in on the root CA to process the certificate request from the intermediate CA as described in the Microsoft PKI document. 7. Export the intermediate CA certificate from the root CA. On the root CA, you must export the certificate for the intermediate CA to a file that also contains the root CA certificate. When exporting the certificate, select Cryptographic Message Syntax Standard - PKCS#7 Certificates (P7B) and select Include all certificates in the certification path if possible. HP saved the PKCS#7 file on removable media for transfer to the intermediate CAs. 8. Install the certificate on the intermediate CA. Before installing the certificate on the intermediate CA, HP used the certutil -verify command as described in the Microsoft PKI document to verify the PKCS#7 file. HP used the certutil.exe -installcert command as described in the Microsoft PKI document to install the PKCS#7 file on the intermediate CA. 9. Configure the intermediate CA. HP used the sample script to configure an intermediate CA provided in the Microsoft PKI document with the following modifications: myadnamingcontext: The value for myadnamingcontext is set to the namespace of the forest root domain. HP set this value as follows: SET myadnamingcontext=dc=hp-ad1,dc=hpipsec,dc=hp,dc=com myhttppkivroot: HP set this value as follows: SET myhttppkivroot= 6

7 HP did not specify a value for the myldapserver variable. The sample script also configures the intermediate CA to include information about the CA policy in its issued certificates. 10.Verify the intermediate CA configuration. Configuring the issuing CAs In this topology, the issuing CAs are enterprise CAs. An enterprise CA must be joined to a domain of an Active Directory forest. HP used the procedure described in the Microsoft PKI document for configuring online enterprise issuing CAs to configure each issuing CA. HP configured two issuing CAs with the CNs IPSecEntCA1 and IPSecEntCA2. The main steps for this procedure are as follows: 1. Retrieve certificates and CRLs for the root and parent (intermediate) CAs. For IPSecEntCA1, the parent CA is IPSecIntermCA1; for IPSecEntCA2, the parent CA is IPSecIntermCA2. 2. Import (publish) the root and intermediate CA certificates and CRLs into Active Directory. HP used the certutil -dspublish command as described the Microsoft PKI document with modifications for the certificate and CRL file names and the system names. For example, on IPSecEntCA1, HP used the following commands: certutil -dspublish -f IPSecRootCA.cer RootCA certutil -dspublish -f IPSecIntermCA1.cer SubCA certutil -dspublish -f IPSecRootCA.crl hproot IPSecRootCA certutil -dspublish -f IPSecIntermCA1.crl hpinterm1 IPSecIntermCA1 3. Prepare the CAPolicy.inf file. HP used the sample CaPolicy.inf file for CorporateEntCA1 in the Microsoft PKI document with the following modification: SET myhttppkivroot= HP did not specify a value for the myldapserver variable. 4. Install the CA components using the procedure for installing online issuing enterprise CAs in the Microsoft PKI document. When prompted for the type of installation, select Enterprise subordinate CA. Set the common name for the CA (IPSecEntCA1 or IPSecEntCA2). Use the default value for the distinguished name suffix (the Active Directory domain namespace). This step also creates a certificate request file for the enterprise CA. 5. Process the certificate request on the intermediate CA. HP used the method described to process certificate requests using web enrollment support as described in the Microsoft PKI document. To use this method, copy the certificate request file to the intermediate CA and copy and paste the contents of the request file in the Submit a Certificate Request or Renewal Request page. You also use the Certification Authority MMC to approve the pending request and create a PKCS#7 (.p7b) file with all the certificates in the chain. 7

8 6. Install the Certificate. HP used the method described in the Microsoft PKI document to install the certificate using the certutil.exe -installcert command This method installs the PKCS#7 (.p7b) file created in the previous step. 7. Configure the Enterprise CA HP used the sample script provided to configure an EnterpriseSubCA in the Microsoft PKI document with the following modification: SET myhttppkivroot= Configuring certificate services for IPsec on the issuing CAs HP configured certificate services on the issuing enterprise CAs to create a certificate template for IPsec certificates. The template enables you to use the Microsoft Certificate Services web interface to create certificate requests with values appropriate for IPsec hosts. You can also use the template when submitting a certificate request created on an HP-UX system. HP used the procedures in the Microsoft document How to create offline L2TP/IPSec Certificates to configure the Certificate Services for IPsec. NOTE: Do not perform the procedure for installing certificate services described in the Microsoft How to create offline L2TP/IPSec Certificates document. If you followed the procedures in this whitepaper, you already installed certificate services on the issuing CAs in the procedure Configuring certificate services for IPsec on the issuing CAs. Complete the following tasks as described in the Microsoft How to create offline L2TP/IPSec Certificates document: 1. Create a custom MMC as described in the Microsoft document. 2. Create a custom certificate template. In the Microsoft document, the template is created with the name L2TP/IPSec (Offline request). On the Request Handling page, select Allow private key to be exported. 3. Issue the custom L2TP/IPSec (Offline request) template as described in the Microsoft document. Obtaining host certificates for IPsec HP tested two methods to create host certificates for IPsec: Use ipsec_config on the HP-UX system to generate a certificate request and submit the request using the Microsoft Certificate Services web interface. This method generates the certificate key pair on the HP-UX system. Use the Microsoft Certificate Services web interface to request a certificate. This method generates the certificate key pair on the Microsoft system. The key pair is exported to the HP-UX system in an encrypted PKCS#12 file. NOTE: If you are using a standalone CA, you must use ipsec_config to obtain host certificates. You cannot use the Microsoft Certificate web interface to request a certificate. Using ipsec_config to obtain host certificates Use the following procedure to create a certificate request with ipsec_config and submit the request to the enterprise CA. This method creates the certificate request and certificate key pair on the HP-UX system. The key pair never leaves the HP-UX system. 8

9 1. Use the ipsec_config add csr command to create the certificate request as documented in the HP-UX IPSec Administrator's Guide. On host1, HP used the following command: ipsec_config add csr -subject cn=host1.hpipsec.hp.com 2. If you do not have a web browser on you HP-UX system that can access the Windows CA's web interface, copy the certificate request file, /var/adm/ipsec/ipsec.csr, to a system with access. 3. Start a web browser and connect to the Microsoft Certificate Services on the CA system using the following URL: Where ca_system is the CA system name or IP address. The Microsoft Certificate Services utility starts and displays the Welcome page. Select Request a certificate. 4. From the Request a certificate page, select advanced certificate request. 5. From the Advanced Certificate Request page, select Submit a certificate request by using a base- 64-encoded CMC or PKCS#10 file. The Certificate Services utility opens the Submit a Certificate Request or Renewal Request page. 6. Paste the contents of the CSR file (the contents of the ipsec.csr file) in the Saved Request window. Alternatively, you can select Browse for a file to insert and specify the name of the CSR file. 7. If you are using an enterprise CA, the page includes a drop-down menu for a Certificate Template. Select the name of the template created in Configuring certificate services for IPSec on an issuing CA, such as the name L2TP/IPSec (Offline request) Leave the Additional Attributes window blank. Click Submit. By default, an enterprise CA is configured to automatically approve certificate requests. If this is not the case, the Certificate Services displays a Certificate Pending page with a request ID number. Record this ID number; you will need it to approve the request. Use a procedure described in the Microsoft documentation to approve the request, such as using the Windows Certification Authority MMC or the Windows certutil command. If the enterprise CA is configured with the default parameters, it automatically approves the certificate request and displays the Certificate Issued page. 8. The Certificates Issued page enables you to download the certificate to a file and select the encoding method. Do not specify Download certificate chain. Click Download certificate to download the certificate to a file. 9. The Windows system opens a File Download - Security Warning box. Click Save. In the Save As dialog box, specify the file location. The default file name is certnew.cer. Click Save. 9

10 10.Transfer the file to the IPsec host system, if needed. You will specify this file in the ipsec_config add mycert -file command. This file does not contain the private key and can be transferred over a non-secure network link. Using the Microsoft Certificate Services web interface to obtain host certificates Use the following procedure to create a certificate request on the enterprise CA for an IPsec host. The certificate request and certificate key pair are created on the CA. After the CA approves the request, you must export the certificate and keys in a single PKCS#7 file (referred to as PFX in Microsoft documentation). 1. On the enterprise CA, start a web browser and connect to the Microsoft Certificate Services web interface using the following URL: Where ca_system is the CA system name or IP address. The Microsoft Certificate Services utility starts and displays the Welcome page. 2. Select Request a certificate. 3. From the Request a certificate page, select advanced certificate request. 4. From the Advanced Certificate Request page, select Create and submit a request to this CA. 5. The Certificate Services opens the Advanced Certificate Request page. Use the following guidelines to complete the information: o In the Certificate Template field, select the name of the template created in Configuring certificate services for IPsec on the issuing CAs, such as the name L2TP/IPSec (Offline request). Click submit. o In the Name field, enter the CN for the system. The Certificate Services will create a CN attribute for the certificate subjectname from this value. For example, HP entered host2.hpipsec.hp.com, and the approved certificate had the subjectname cn=host2.hpipsec.hp.com. o Select Create new key set. o Select Automatic key container name. o Select Mark keys as exportable. o Select Store certificate in the local computer certificate store. o Do not select Save request to a file. By default, an enterprise CA is configured to automatically approve certificate requests. If this is not the case, the Certificate Services displays a Certificate Pending page with a request ID number. Record this ID number; you will need it to approve the request. Use a procedure described in the Microsoft documentation to approve the request, such as using the Windows Certification Authority MMC or the Windows certutil command. If the enterprise CA is configured with the default parameters, it automatically approves the certificate request and displays the Certificate Issued page. 6. If the web browser displays a Potential Scripting Violation window, click Yes. 10

11 7. Click Install this certificate. 8. If the web browser displays a Potential Scripting Violation window, click Yes. Exporting the certificate and keys Use the following procedure to create a PKCS#12 file with the host certificate and certificate keys. 1. On the CA system, start the custom MMC created in Configuring certificate services for IPsec on the issuing CAs. 2. Open the local certificate storage area by expanding Certificates (Local Computer). Expand Personal. Expand Certificates. Look for the certificate you want to export. If you do not see the certificate in the storage area, you must use a Certification Authority MMC to export the certificate to a file, then import the file to the local certificate storage area. 3. Right click on the certificate you want to export. Select All Tasks -> Export. The MMC starts a Certificate Export Wizard. 4. In the Welcome dialog box, click Next. 5. In the Export file format dialog box, select Personal Information Exchange - PKCS #12 (.PFX) and Enable strong protection if they are not already selected. Click Next. 6. In the Password dialog box, enter the password for the PKCS#12 file. Make a note of the password; you will need it for the ipsec_config add mycert command. Click Next. 7. In the File to Export dialog box, specify a name for the PKCS#12 file. The wizard automatically appends.pfx to the file name. Click Next. Click Finish. 8. Copy the PKCS#12 file to the IPsec host. This file is encrypted and can be transferred over a nonsecure network link. Configuring HP-UX IPSec To configure HP-UX IPSec to use the certificate issued by the Microsoft CA, you must: Load the host certificate to the HP-UX IPSec storage scheme Load the CA certificates and CRLs to the HP-UX IPSec storage scheme Configure host policies Configure authentication records Configure IKE policies, if needed Verify the configuration (Optional) Configure a cron job to periodically retrieve the CRL 11

12 Loading the host certificate HP loaded the host certificates from files to the HP-UX IPSec storage scheme. HP used the ipsec_config add mycert file command to complete this task. HP did not retrieve the HP-UX host certificate from the Active Directory because the HP-UX host certificate was not published in the Active Directory (the HP-UX host is not a member of the Active Directory domain). For example: ipsec_config add mycert file certnew.cer Loading the CA certificates and CRLs If you are using enterprise CAs, you can either load the CA certificates and CRLs from the Active Directory server, or you can load the CA certificates and CRLs from files. NOTE: If you are using a single-tier PKI with a standalone root CA that does not publish the CA certificate and CRL to an Advanced Directory or LDAP server, you must load the CA certificate and CRL from files. For more information, see Loading CA Certificates from files and Loading CRLs from files. Multi-Tier PKI requirement In the multi-tier topology, you must add CAs and CRLs for all CAs in the authentication path to the peer. For example, host1 and host2 each must load CAs and CRLs from the following CAs: IPSecRootCA IPSecIntermCA1 IPSecIntermCA2 IPSecEntCA1 IPSecEntCA2 Loading CA Certificates from files Use the following procedure to load a CA certificate from a file: 1. If you do not already have a file with the CA certificate, create one. On the CA, enter the folllowing command: certutil ca.cert my_ca_cert.cer Where my_ca.cert.cer is the name for the CA certificate file. For example: certutil ca.cert IPSecRootCA.cer 2. Transfer the CA certificate file to the HP-UX system. This file can be transferred over a non-secure network link. 3. Enter the ipsec_config add cacert file command to load the certificate. For example: ipsec_config add cacert file IPSecRootCA.cer Loading CRLs from files Use the following procedure to load a CRL from a file: 1. If you do not already have a file with the CRL, create one. On the CA, enter the folllowing command: certutil GetCRL my_crl.crl Where my_crl.crl is the name for the CRL file. For example: 12

13 certutil GetCRL IPSecRootCA.crl 2. Transfer the CRL file to the HP-UX system. This file can be transferred over a non-secure network link. 3. Enter the ipsec_config add crl file command to load the CRL. For example: ipsec_config add crl file IPSecRootCA.crl Loading CA certificates from the Active Directory Server To load the CA certificates from the Active Directory server, use the ipsec_config add cacert ldap command. This command requires the LDAP search filter (base and filter) for the certificate. HP used the following syntax to specify the base and filter for the CA certificates published in the Active Directory: -base "cn=ca_commonname,cn=aia,cn=public Key Services, cn=services,cn=configuration,active_directory_domain" -filter "objectclass=certificationauthority" Where: CA_commonName is the CN value for the CA, such as IPSecRootCA or IPSecIntermCA1. Active_directory_domain is the DN for the Active Directory domain, such as dc=hp-ad1,dc=hpipsec,dc=hp,dc=com. On host1, HP entered the following commands to load CA certificates the from the Active Directory server on the host hp-ad1.hpipsec.hp.com: ipsec_config add cacert -ldap hp-ad1.hpipsec.hp.com \ -base "cn=ipsecrootca,cn=aia,cn=public Key Services,\ ipsec_config add cacert -ldap hp-ad1.hpipsec.hp.com \ -base "cn=ipsecintermca1,cn=aia,cn=public Key Services,\ ipsec_config add cacert -ldap hp-ad1.hpipsec.hp.com \ -base "cn=ipsecintermca2,cn=aia,cn=public Key Services,\ ipsec_config add cacert -ldap hp-ad1.hpipsec.hp.com \ -base "cn=ipsecentca1,cn=aia,cn=public Key Services,\ ipsec_config add cacert -ldap hp-ad1.hpipsec.hp.com \ -base "cn=ipsecentca2,cn=aia,cn=public Key Services,\ 13

14 14

15 Loading CRLs from the Active Directory Server To load the CRLs from the Active Directory server, use the ipsec_config add crl ldap command. This command requires the LDAP search filter (base and filter) for the CRL. HP used the following syntax to specify the search filter. The base is the same as the base used for the CA certificate filter plus a commonname field with the hostname portion of the fully-qualified domanin name (FQDN) of the issuing CA (cn=hostname). The base used for the CA certificates, but the objectclass for the filter is crldistributionpoint. The format is as follows: -base "cn=ca_commonname,cn=hostname,cn=cdp,cn=public Key Services, cn=services,cn=configuration,active_directory_domain" -filter "objectclass=crldistributionpoint" Where: CA_commonName is the CN value for the CA, such as IPSecRootCA or IPSecIntermCA1. hostname is the hostname portion of the fully-qualified domain name for the system, such as hproot. Active_directory_domain is the DN for the Active Directory domain, such as dc=hp-ad1,dc=hpipsec,dc=hp,dc=com. On host1, HP entered the following commands to load CRLs from the Active Directory server on the host hp-ad1.hpipsec.hp.com: ipsec_config add crl -ldap hp-ad1.hpipsec.hp.com \ -base "cn=ipsecrootca,cn=hproot,cn=cdp,cn=public Key Services,\ ipsec_config add crl -ldap hp-ad1.hpipsec.hp.com \ -base "cn=ipsecintermca1,cn=hpinterm1,cn=cdp,cn=public Key Services,\ ipsec_config add crl -ldap hp-ad1.hpipsec.hp.com \ -base "cn=ipsecintermca2,cn=hpinterm2,cn=cdp,cn=public Key Services,\ ipsec_config add crl -ldap hp-ad1.hpipsec.hp.com \ -base "cn=ipsecentca1,cn=hpent1,cn=cdp,cn=public Key Services,\ ipsec_config add crl -ldap hp-ad1.hpipsec.hp.com \ -base "cn=ipsecentca2,cn=hpent2,cn=cdp,cn=public Key Services,\ 15

16 Configuring host policies Configure the host policies as you normally would. For example, on host1, HP configured the following host policy to encrypt packets exchanged with host2: ipsec_config add host host2 destination action ESP_AES128_HMAC_SHA1 Configuring authentication records Configure the authentication records with the appropriate authentication IDs. By default, Microsoft Windows IPsec uses X.500 DNs as the IKE ID type. On host1, HP configured the following authentication record to use with host2: ipsec_config add auth host2 remote ltype X500-DN lid cn=host1.hpipsec.hp.com rtype X500-DN rid cn=host2.hpipsec.hp.com Configuring IKE policies In this example HP used the default IKEv1 policy without modifications. Verifying the configuration To verify the configuration, start IPsec on the HP-UX system and the peer if needed. Initiate traffic that matches the host policy. Use the ipsec_report sa command to verify that the IKE and IPsec SAs are established. TIP: If you restart HP-UX IPSec and the audit level is set to informative or lower, you will see a log message similar to the following if the local certificate is valid: Msg: 4 From: IKMPD Lvl: INFORMATIVE Date: Tue Feb 24 22:40: Event: Either certificate or preshared key can be used for authentication. Configuring a cron job to retrieve the CRL HP-UX IPSec provides the script /var/adm/ipsec/util/crl.cron to retrieve the CRL from an LDAP directory. You can configure a cron job to use this script to periodically retrieve the CRL from the Active Directory server. For more information, see the HP-UX IPSec A Administrator s Guide. 16

17 2009 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Itanium is a trademark or registered trademark of Intel Corporation or its subsidiaries in the United States and other countries. J , May 2009