SunScreen SKIP User's Guide, Release 1.1

Preface

Welcome to SunScreen™ SKIP. The purpose of this guide is to provide you with the information that you need to be able to set up and manage SunScreen SKIP on your system.

Who Should Use This Guide

This guide is written for people familiar with Solaris™ Versions 2.4, 2.5, and 2.5.1 or Solaris for the Intel Platform who wish to run IP-level encryption on their system.

Before You Read This Guide

This guide assumes that you are familiar with TCP/IP, networking, and public-key and shared-key cryptography.

How This Guide Is Organized

The SunScreen SKIP User's Guide is divided into the following chapters:

Chapter 1, "Installing SunScreen SKIP," describes how to install the SunScreen SKIP software from the CD-ROM onto your Solaris Versions 2.4, 2.5, or 2.5.1 or Solaris for the Intel platform system. This chapter also describes how to protect your locally stored secrets with a passphrase.

Chapter 2, "Installing Keys and Certificates," details how to create and install keys and certificates on your system. If you installed Unsigned Diffie-Hellman Key during installation, you may skip this chapter.

Chapter 3, "Managing SunScreen SKIP Through skiptool," describes how to use the skiptool graphical user interface (GUI) to monitor the network, how to configure SKIP, how to enable SKIP, how to verify SKIP installation and setup, how to view statistics, and how to manage keys.

Chapter 4, "Managing SunScreen SKIP Through the Command-Line Interface," describes how to use the command-line interface as superuser or root.

Chapter 5, "Usage Examples," describes examples of the usage of SunScreen SKIP in several network configurations.

Appendix A, "Quick-Start Guide," covers installing the SKIP binaries or adding the packages with pkgadd, and setting up IP-level encryption between two hosts.

Appendix B, "SunScreen SKIP Theory of Operations," is an overview of what SKIP provides to users and how SunScreen SKIP fits in with other security products that use SKIP.

Appendix C, "Glossary," covers those terms that are specific or unique to Sun and the SunScreen line of products.

What Is New in This Release

SunScreen SKIP, Release 1.1, is the upgrade for SKIP for Solaris, Release 1.0. The following is a list of the new features for SunScreen SKIP, Release 1.1.

  1. The random number generator has been changed so that the line rng_dev_audio 1 in the skipd.conf file causes the random number generator to use /dev/audio for enhanced entropy collection. This is the default.

  2. Local identities can now be protected with a passphrase; that is, /etc/opt/SUNWicg/skip/localid/0.secret, 1.secret through <n>.secret are DES encrypted.

    You can protect the local identities with a passphrase, change the passphrase, or remove (delete) the passphrase with:

    skiplocal passwd, skiplocal rmpasswd

    If you protect your local identities with a passphrase, these commands will prompt for the passphrase when invoked:

    skiplocal keygen, skiplocal add. The daemon skipd also requires the passphrase.

    When rebooting the system, if passphrase protection is used, no encrypted connections can be supported until the key manager, skipd, is reinitialized with the skipd_restart command, which will prompt for the passphrase.

  3. Support for tunnel addresses has been added to skiphost -a (add an ACL entry) by means of the parameter -A, which takes the tunnel address as its argument.

    In the skipd.conf file, the line cdp_server = has been added; by default, the host specified as the tunnel address will be asked for the certificate.

  4. skiphost no longer supports plumb and unplumb (-p, -u) as options.

  5. print_cert and its man page are now available. This command prints the contents of the certificate found in the certificate file specified.

  6. skipif with the arguments -l -v now lists the Access Control Lists on an interface.

  7. skipdb and skiplocal now use the keyword udh in preference to dhpublic when referring to Unsigned Diffie-Hellman certificates.

  8. skipdb, skiplocal, and skipca now use the keyword rm in preference to del when removing items from their respective databases.

What Has Been Fixed

All of the outstanding problems from SKIP for Solaris, Release 1.0 and Release 1.03, have been fixed.

Related Books and Publications

It may be helpful to refer to the following books when installing SunScreen SKIP:

What Typographic Changes and Symbols Mean

The following table describes the type changes and symbols used in this book.

Typeface or Symbol   Meaning                                              Example
-------------------  ---------------------------------------------------  ------------------------------------------------
AaBbCc123            The names of application or program groups, book     Open the SunScreen SPF-100 program group.
                     titles, new words or terms, or words to be           Select the Configure application.
                     emphasized.                                          Read Chapter 6 in User's Guide.
                                                                          These are called class options.

AaBbCc123            The name of a menu item, button, or key.             Select Exit from the File pull-down menu.
                                                                          Press the F1 key for help.
                                                                          Click on the Done button.

Keys, Certificates, and Algorithms

Upgrade packages for U.S. Domestic and U.S. Export keys, certificates, and algorithms from SunCA (Sun Microsystems' Certificate Authority) are intended to be used with SunScreen SKIP, Release 1.1, as well as with SKIP for Solaris, Release 1.0.

U.S. customers and companies and some foreign customers and companies may order additional keys, certificates, and algorithms in stronger encryption strengths.

To place an order with ICG (the Internet Commerce Group), please follow the directions below.

  1. Complete a Purchase Order for the product.

    Please include the following information:

    • Ship-to address

    • Bill-to address

    • Contact Name

    • Telephone

    • Product Name

    • Part Number

    • Quantity

    • Purchase Order Number

  2. Fax your Purchase Order to 415-336-0074.

    When your order ships, you will receive a confirmation with an airbill number.

  3. If you cannot fax your Purchase Order, please send it to the following address:

    Internet Commerce Group
    Sun Microsystems, Inc.
    Mail Stop PAL-01-550
    2550 Garcia Avenue
    Mountain View, CA 94043-1100

    Telephone Numbers:

    1-800-820-9995 (U.S. Customers)

    415-336-0018 (Foreign Customers)

    415-336-0074 (fax)