JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
System Administration Guide: IP Services
Oracle Technology Network
Library
PDF
Print View
Feedback
search filter icon
search icon

Document Information

Preface

Part I Introducing System Administration: IP Services

1.  Oracle Solaris TCP/IP Protocol Suite (Overview)

Part II TCP/IP Administration

2.  Planning Your TCP/IP Network (Tasks)

3.  Introducing IPv6 (Overview)

4.  Planning an IPv6 Network (Tasks)

5.  Configuring TCP/IP Network Services and IPv4 Addressing (Tasks)

6.  Administering Network Interfaces (Tasks)

7.  Configuring an IPv6 Network (Tasks)

8.  Administering a TCP/IP Network (Tasks)

9.  Troubleshooting Network Problems (Tasks)

10.  TCP/IP and IPv4 in Depth (Reference)

11.  IPv6 in Depth (Reference)

Part III DHCP

12.  About DHCP (Overview)

13.  Planning for DHCP Service (Tasks)

14.  Configuring the DHCP Service (Tasks)

15.  Administering DHCP (Tasks)

16.  Configuring and Administering the DHCP Client

17.  Troubleshooting DHCP (Reference)

18.  DHCP Commands and Files (Reference)

Part IV IP Security

19.  IP Security Architecture (Overview)

20.  Configuring IPsec (Tasks)

21.  IP Security Architecture (Reference)

22.  Internet Key Exchange (Overview)

23.  Configuring IKE (Tasks)

Configuring IKE (Task Map)

Configuring IKE With Preshared Keys (Task Map)

Configuring IKE With Preshared Keys

How to Configure IKE With Preshared Keys

How to Refresh IKE Preshared Keys

How to View IKE Preshared Keys

How to Add an IKE Preshared Key for a New Policy Entry in ipsecinit.conf

How to Verify That IKE Preshared Keys Are Identical

Configuring IKE With Public Key Certificates (Task Map)

Configuring IKE With Public Key Certificates

How to Configure IKE With Self-Signed Public Key Certificates

How to Configure IKE With Certificates Signed by a CA

How to Generate and Store Public Key Certificates on Hardware

How to Handle a Certificate Revocation List

Configuring IKE for Mobile Systems (Task Map)

Configuring IKE for Mobile Systems

How to Configure IKE for Off-Site Systems

Configuring IKE to Find Attached Hardware (Task Map)

Configuring IKE to Find Attached Hardware

How to Configure IKE to Find the Sun Crypto Accelerator 1000 Board

How to Configure IKE to Find the Sun Crypto Accelerator 4000 Board

Changing IKE Transmission Parameters (Task Map)

Changing IKE Transmission Parameters

How to Change the Duration of Phase 1 IKE Key Negotiation

24.  Internet Key Exchange (Reference)

25.  IP Filter in Oracle Solaris (Overview)

26.   IP Filter (Tasks)

Part V Mobile IP

27.  Mobile IP (Overview)

28.  Administering Mobile IP (Tasks)

29.  Mobile IP Files and Commands (Reference)

Part VI IPMP

30.  Introducing IPMP (Overview)

31.  Administering IPMP (Tasks)

Part VII IP Quality of Service (IPQoS)

32.  Introducing IPQoS (Overview)

33.  Planning for an IPQoS-Enabled Network (Tasks)

34.  Creating the IPQoS Configuration File (Tasks)

35.  Starting and Maintaining IPQoS (Tasks)

36.  Using Flow Accounting and Statistics Gathering (Tasks)

37.  IPQoS in Detail (Reference)

Glossary

Index

Configuring IKE to Find Attached Hardware

Public key certificates can also be stored on attached hardware. The Sun Crypto Accelerator 1000 board provides storage only. The Sun Crypto Accelerator 4000 and the Sun Crypto Accelerator 6000 board provide storage, and enable public key operations to be offloaded from the system to the board.

How to Configure IKE to Find the Sun Crypto Accelerator 1000 Board

Before You Begin

The following procedure assumes that a Sun Crypto Accelerator 1000 board is attached to the system. The procedure also assumes that the software for the board has been installed and that the software has been configured. For instructions, see the Sun Crypto Accelerator 1000 Board Version 2.0 Installation and User’s Guide.

  1. On the system console, assume the Primary Administrator role or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

    Note - Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the security of the system is reduced to the security of the remote login session. Use the ssh command for secure remote login.

  2. Check that the PKCS #11 library is linked.

    Type the following command to determine whether a PKCS #11 library is linked:

    # ikeadm get stats
Phase 1 SA counts:
Current:   initiator:          0   responder:          0
Total:     initiator:          0   responder:          0
Attempted: initiator:          0   responder:          0
Failed:    initiator:          0   responder:          0
           initiator fails include 0 time-out(s)
PKCS#11 library linked in from /usr/lib/libpkcs11.so
#
  3. Solaris 10 1/06: Starting in this release, you can store keys in the softtoken keystore.

    For information on the keystore that is provided by the Solaris cryptographic framework, see the cryptoadm(1M) man page. For an example of using the keystore, see Example 23–12.

How to Configure IKE to Find the Sun Crypto Accelerator 4000 Board

Before You Begin

The following procedure assumes that a Sun Crypto Accelerator 4000 board is attached to the system. The procedure also assumes that the software for the board has been installed and that the software has been configured. For instructions, see the Sun Crypto Accelerator 4000 Board Version 1.1 Installation and User’s Guide.

If you are using a Sun Crypto Accelerator 6000 board, see the Sun Crypto Accelerator 6000 Board Version 1.1 User’s Guide for instructions.

  1. On the system console, assume the Primary Administrator role or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

    Note - Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the security of the system is reduced to the security of the remote login session. Use the ssh command for secure remote login.

  2. Check that the PKCS #11 library is linked.

    IKE uses the library's routines to handle key generation and key storage on the Sun Crypto Accelerator 4000 board. Type the following command to determine whether a PKCS #11 library has been linked:

    $ ikeadm get stats
…
PKCS#11 library linked in from /usr/lib/libpkcs11.so
$

    Note - The Sun Crypto Accelerator 4000 board supports keys up to 2048 bits for RSA. For DSA, this board supports keys up to 1024 bits.

  3. Find the token ID for the attached Sun Crypto Accelerator 4000 board.
    $ ikecert tokens
Available tokens with library "/usr/lib/libpkcs11.so":

"Sun Metaslot                     "

    The library returns a token ID, also called a keystore name, of 32 characters. In this example, you could use the Sun Metaslot token with the ikecert commands to store and accelerate IKE keys.

    For instructions on how to use the token, see How to Generate and Store Public Key Certificates on Hardware.

    The trailing spaces are automatically padded by the ikecert command.

Example 23-12 Finding and Using Metaslot Tokens

Tokens can be stored on disk, on an attached board, or in the softtoken keystore that the Solaris encryption framework provides. The softtoken keystore token ID might resemble the following.

$ ikecert tokens
Available tokens with library "/usr/lib/libpkcs11.so":

"Sun Metaslot                   "

To create a passphrase for the softtoken keystore, see the pktool(1) man page.

A command that resembles the following would add a certificate to the softtoken keystore. Sun.Metaslot.cert is a file that contains the CA certificate.

# ikecert certdb -a -T "Sun Metaslot" < Sun.Metaslot.cert
Enter PIN for PKCS#11 token: Type user:passphrase
Copyright © 1999, 2011, Oracle and/or its affiliates. All rights reserved. Legal Notices
Previous Next