SunScreen SKIP User's Guide, Release 1.5.1

Appendix A Quick-Start Guide

This appendix is a quick-start guide for SunScreen SKIP. It covers installing the SunScreen SKIP binaries or adding the packages with pkgadd, and setting up IP-level encryption between two hosts. These instructions assume that only one network interface is active on each machine.

For complete documentation, refer to the SunScreen SKIP documentation and the SKIP man pages.

Installing SKIP Binaries

  1. Mount the CD-ROM and type:

    volcheck


    Note -

    If you are not using vold on your system, type:

    mount -F hsfs -o ro /dev/dsk/c0t6d0s0 /mnt

    The device name, the mount point, or both depend on your local system configuration.


  2. Go to the directory on the CD-ROM for your OS platform:

    Solaris operating environment for the SPARC Platform:

    cd /cdrom/cdrom0/sparc

    Solaris operating environment for the Intel Platform:

    cd /cdrom/cdrom0/x86

    Note -

    If you have mounted the CD-ROM manually, replace /cdrom/cdrom0 with /mnt.


  3. Use the standard Solaris operating environment pkgadd command to add all packages:


    pkgadd -d `pwd`
    
  4. Add /usr/sbin to your PATH variable:


    PATH=/usr/sbin:$PATH; export PATH
    
  5. Initialize the SKIP directories by issuing the command:


    skiplocal -i
    
  6. Generate a secret and a public certificate locally by issuing the command:


    skiplocal -k
    
  7. Add SKIP to your network interface by issuing the command:

    skipif -a

  8. Reboot the machine.

  9. Enable SKIP and configure IP encryption with one other host:


    skiphost -a default                      default: IP traffic is unencrypted
    skiplocal -x                             prints the skiphost command that
                                             others need to run to talk to us
    skiplocal -x | mail Friend@remote.host
    

    Friend@remote.host should issue these commands as well. Once the corresponding mail is received, verify out-of-band (for example, over the telephone) that the received mail matches the mail that was sent. Then Friend executes the received skiphost command.

  10. Turn SKIP on:


    skiphost -o on	enable SKIP
    

Is It Working?

At this point, SKIP encryption should be enabled with the remote host. Traffic will be exchanged with all other hosts in the clear.

  1. ping the other host to make sure everything is working:


    ping host
    
  2. View the key manager log file to see if the certificate exchange and the shared-secret computation succeeded:


    tail /var/log/skipd.log
    
  3. If you have snoop, tcpdump, etherfind, or some other packet dumping utility, you can verify that encrypted packets are using protocol 57.
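As an added example that is not part of the SunScreen SKIP documentation, the following Python script shows how the check in step 3 can be carried out offline on raw IPv4 packets: it reads the protocol field from each header and reports whether every packet exchanged with the SKIP peer carried protocol 57 while traffic with other hosts stayed in the clear. The sample capture, the addresses, and the function names are constructed for this example and are not taken from SKIP or any capture tool.

```python
import struct
from collections import Counter

# IP protocol number that SKIP-encrypted packets use on the wire (from the guide).
SKIP_PROTOCOL = 57
ICMP_PROTOCOL = 1


def parse_ipv4_header(packet: bytes) -> dict:
    """Return the fields needed to classify one raw IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (version_ihl, _tos, total_length, _ident, _flags_frag,
     _ttl, protocol, _checksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version = version_ihl >> 4
    ihl = (version_ihl & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("not an IPv4 packet")
    return {
        "protocol": protocol,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "total_length": total_length,
    }


def build_ipv4(src: str, dst: str, protocol: int, payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4 packet for the sample capture (checksum left zero)."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                         0, 0, 64, protocol, 0, src_b, dst_b)
    return header + payload


def classify_capture(packets, local: str) -> dict:
    """Count, per remote host, which IP protocol carried traffic to or from `local`."""
    summary = {}
    for pkt in packets:
        hdr = parse_ipv4_header(pkt)
        if hdr["src"] == local:
            other = hdr["dst"]
        elif hdr["dst"] == local:
            other = hdr["src"]
        else:
            continue  # not our traffic
        summary.setdefault(other, Counter())[hdr["protocol"]] += 1
    return summary


def skip_verified(summary: dict, peer: str) -> bool:
    """True only when every packet exchanged with `peer` was SKIP (protocol 57).

    Any cleartext packet to the peer (for example an ICMP echo sent before
    `skiphost -o on`) makes this False, which is the failure mode to look for.
    """
    counts = summary.get(peer)
    if not counts:
        return False
    return set(counts) == {SKIP_PROTOCOL}


# Constructed addresses (documentation ranges) and a constructed capture.
LOCAL = "192.0.2.10"   # this host
PEER = "192.0.2.20"    # the host we configured SKIP with
OTHER = "198.51.100.5"  # an unrelated host, expected in the clear

SAMPLE_CAPTURE = [
    build_ipv4(LOCAL, PEER, SKIP_PROTOCOL, b"\x00" * 24),   # SKIP-wrapped ping out
    build_ipv4(PEER, LOCAL, SKIP_PROTOCOL, b"\x00" * 24),   # SKIP-wrapped reply
    build_ipv4(LOCAL, OTHER, ICMP_PROTOCOL, b"\x08\x00"),   # cleartext ping elsewhere
]

if __name__ == "__main__":
    result = classify_capture(SAMPLE_CAPTURE, LOCAL)
    for host, counts in result.items():
        print(host, dict(counts))
    print("SKIP to peer verified:", skip_verified(result, PEER))
```

Feed `classify_capture` the raw IP packets from whatever capture tool you have; the summary shows protocol 57 for the peer and ordinary protocol numbers for everyone else, which is exactly what step 3 asks you to confirm.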

Examining the Local SKIP Configuration

skiphost        list the SKIP access control entries
skiplocal -l    list the set of local identities
skipdb -l       list the certificates in our database
skipca -l       list the Certificate Authorities we trust

SKIP configuration files are stored in the /etc/skip directory.