Setting Up an Encrypted Connection Between a Host and a SunScreen SPF-100
The following figure depicts the configuration of an encrypted connection between a host and a SunScreen SPF-100.
Figure 5-2 Communicating with a SunScreen SPF-100
In this case, both the host and the SunScreen SPF-100 must
-
Install a SunCA X.509 key of the same encryption strength.
-
Manually exchange certificates.
-
Use SKIP protocol Version 1.
-
Have an IP address or remote name.
-
Use the same algorithm that includes authentication, key encryption, and traffic encryption.
-
Enable SKIP.
A machine must also have a local identity. Hosts can have many identities, but the user must choose one with which to communicate to the remote host. This local identity consists of the local key type and the local key name.
X.509 certificates and keys must be used when communicating with a SunScreen SPF-100. You must physically exchange the physical diskettes containing the public keys. The only method of exchanging key IDs is to have each user run skiptool, then call each other on the telephone and type the other's key ID in the Remote Key ID field in the Add window.
You must configure both the host and the SunScreen SPF-100 ACLs with each other's address. The host must also include the addresses of any networks and hosts attached to the SunScreen SPF-100 in its ACL. The SunScreen SPF-100 does not really use the ACL; It uses packet filtering rules. These rule must be set to "match" the ACL on the host running SunScreen SKIP.
- © 2010, Oracle Corporation and/or its affiliates