Before You Begin
The following procedure assumes that a Sun Crypto Accelerator 6000 board is attached to the system. The procedure also assumes that the software for the board has been installed and that the software has been configured. For instructions, see Sun Crypto Accelerator 6000 Board Product Library Documentation.
You must become an administrator who is assigned the Network IPsec Management rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2.
If you administer remotely, see Example 7–1 and How to Remotely Administer ZFS With Secure Shell in Managing Secure Shell Access in Oracle Solaris 11.2 for secure remote login instructions.
Confirm that the PKCS #11 library is linked. IKEv1 uses the library's routines to handle key generation and key storage on the Sun Crypto Accelerator 6000 board.
$ ikeadm get stats
…
PKCS#11 library linked in from /usr/lib/libpkcs11.so
$
Find the token ID for the attached Sun Crypto Accelerator 6000 board.
$ ikecert tokens
Available tokens with library "/usr/lib/libpkcs11.so":
"Sun Metaslot                    "
The library returns a token ID, also called a keystore name, of 32 characters. The trailing spaces are automatically padded by the ikecert command. In this example, you could use the Sun Metaslot token with the ikecert commands to store and accelerate IKEv1 keys.
For instructions on how to use the token, see How to Generate and Store Public Key Certificates for IKEv1 in Hardware.
Tokens can be stored on disk, on an attached board, or in the softtoken keystore that the Cryptographic Framework provides. The softtoken keystore token ID might resemble the following.
$ ikecert tokens
Available tokens with library "/usr/lib/libpkcs11.so":
"Sun Metaslot                    "
To create a passphrase for the softtoken keystore, see the pktool(1) man page.
A command that resembles the following would add a certificate to the softtoken keystore. Sun.Metaslot.cert is a file that contains the CA certificate.
# ikecert certdb -a -T "Sun Metaslot" < Sun.Metaslot.cert
Enter PIN for PKCS#11 token: Type user:passphrase
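As an added check that is not part of the Oracle procedure, the following POSIX shell functions parse saved output of ikeadm get stats and ikecert tokens to confirm that the PKCS #11 library is linked and to recover the padded 32-character token IDs before they are passed to ikecert certdb -T. The two sample outputs are constructed from the format shown above, not captured from a live system.

```shell
#!/bin/sh
# Added example, not part of the Oracle procedure: parse saved output of
# `ikeadm get stats` and `ikecert tokens` to confirm that IKEv1 is linked
# against the PKCS #11 library and to recover the token IDs (keystore
# names) that `ikecert certdb -T` expects. Both samples are constructed
# from the format shown in the procedure, not captured from a live system.

IKEADM_STATS_SAMPLE='(other statistics omitted)
PKCS#11 library linked in from /usr/lib/libpkcs11.so'

# ikecert pads each token ID to 32 characters; printf reproduces that.
IKECERT_TOKENS_SAMPLE="Available tokens with library \"/usr/lib/libpkcs11.so\":
$(printf '"%-32s"' 'Sun Metaslot')"

# Constructed copy of the same output with the padding lost, as happens
# when the listing is pasted through a tool that trims trailing spaces.
IKECERT_TOKENS_TRUNCATED='Available tokens with library "/usr/lib/libpkcs11.so":
"Sun Metaslot "'

# Print the path of the linked PKCS #11 library, or nothing if no library
# is reported (IKEv1 then cannot reach keys stored on the board).
pkcs11_library() {
  printf '%s\n' "$1" | sed -n 's/^PKCS#11 library linked in from //p'
}

# Print each token ID, one per line, with the trailing padding removed so
# the value can be quoted after -T exactly as the procedure does.
token_ids() {
  printf '%s\n' "$1" | sed -n 's/^"\(.*\)"$/\1/p' | sed 's/[[:space:]]*$//'
}

# Succeed only if at least one token is listed and every quoted token is
# exactly 32 characters wide (34 with the quotes); anything else means the
# listing was wrapped or its padding was stripped in transit.
tokens_well_formed() {
  printf '%s\n' "$1" | awk '
    /^".*"$/ { n++; if (length($0) != 34) bad++ }
    END { exit (n == 0 || bad > 0) }'
}

# Stand-alone run: report what the constructed samples contain.
printf 'PKCS #11 library: %s\n' "$(pkcs11_library "$IKEADM_STATS_SAMPLE")"
if tokens_well_formed "$IKECERT_TOKENS_SAMPLE"; then
  token_ids "$IKECERT_TOKENS_SAMPLE" | sed 's/^/token: /'
fi
```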
Next Steps
If you have not completed establishing IPsec policy, return to the IPsec procedure to enable or refresh IPsec policy. For examples of IPsec policy protecting VPNs, see Protecting a VPN With IPsec. For other examples of IPsec policy, see How to Secure Network Traffic Between Two Servers With IPsec.