This appendix is a quick-start guide for SunScreen SKIP. It covers installing the SunScreen SKIP binaries (adding the packages with pkgadd) and setting up IP-level encryption between two hosts. These instructions assume that only one network interface is active on each machine.
For complete documentation, refer to the SunScreen SKIP documentation and the SKIP man pages.
Mount the CD-ROM and type:
volcheck
If you are not using vold on your system, mount the CD-ROM manually instead:
mount -F hsfs -o ro /dev/dsk/c0t6d0s0 /mnt
The device name, the mount point, or both depend on your local system configuration.
Change to the directory on the CD-ROM for your platform.
Solaris operating environment for the SPARC Platform:
cd /cdrom/cdrom0/sparc
Solaris operating environment for the Intel Platform:
cd /cdrom/cdrom0/x86
If you have mounted the CD-ROM manually, replace /cdrom/cdrom0 with /mnt.
Use the standard Solaris operating environment pkgadd command to add all packages:
pkgadd -d `pwd`
Add /usr/sbin to your PATH variable:
PATH=/usr/sbin:$PATH
export PATH
Initialize the SKIP directories by issuing the command:
skiplocal -i
Generate a secret and a public certificate locally by issuing the command:
skiplocal -k
Add SKIP to your network interface by issuing the command:
skipif -a
Reboot the machine.
Enable SKIP and configure IP encryption with one other host:
skiphost -a default
    By default, IP traffic is unencrypted.
skiplocal -x
    Prints the skiphost command (with the identity information) that others need to run to talk to us.
skiplocal -x | mail Friend@remote.host
    Mails that command to the remote host's administrator.
Friend@remote.host should issue these commands as well. Once the corresponding mail is received, verify out-of-band (for example, over the telephone) that the received mail matches the mail that was sent. Then Friend executes the received skiphost command.
Turn SKIP on:
skiphost -o on
    Enables SKIP.
At this point, SKIP encryption should be enabled with the remote host. Traffic with all other hosts is still exchanged in the clear.
Ping the other host to make sure everything is working:
ping host
View the key manager log file to see if the certificate exchange and the shared-secret computation succeeded:
tail /var/log/skipd.log
If you have snoop, tcpdump, etherfind, or some other packet dumping utility, you can verify that the encrypted packets between the two hosts are carried as IP protocol 57 (SKIP), while traffic to other hosts still uses the ordinary protocol numbers (TCP, UDP, ICMP).
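The following is an added example, not part of the SunScreen SKIP guide, showing the check a packet dumper lets you make: parse IPv4 headers from a capture, classify each packet as SKIP (protocol 57) or cleartext, and report which peers are still talking in the clear. The packet bytes and addresses are constructed for illustration; a real capture would come from snoop or tcpdump. It also handles the cases a raw capture throws at you (truncated frames, non-IPv4 packets, headers with options).

```python
"""Classify captured IPv4 packets as SKIP-encapsulated (protocol 57) or cleartext.

Added example, not from the SunScreen SKIP documentation. The sample packets
built below are constructed test data, not a real capture.
"""
import struct
from collections import Counter

SKIP_PROTOCOL = 57  # IP protocol number used by SKIP for encrypted traffic
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", SKIP_PROTOCOL: "SKIP"}


def build_ipv4(src, dst, proto, payload=b""):
    """Build a minimal IPv4 packet with a 20-byte header (constructed test data only)."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                 # version 4, IHL 5 (20-byte header, no options)
        0,                    # DSCP/ECN
        20 + len(payload),    # total length
        0x1234,               # identification
        0,                    # flags / fragment offset
        64,                   # TTL
        proto,                # protocol number (the field we classify on)
        0,                    # checksum left zero; not needed for classification
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split(".")),
    )
    return header + payload


def parse_ipv4(packet):
    """Return (src, dst, protocol) for an IPv4 packet, or None if it cannot be parsed.

    Rejects truncated frames, non-IPv4 versions and headers shorter than the IHL claims.
    """
    if len(packet) < 20:
        return None
    version = packet[0] >> 4
    ihl = (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        return None
    proto = packet[9]
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    return src, dst, proto


def classify(packets):
    """Count SKIP vs. cleartext packets per (src, dst) pair.

    Returns (flows, unparsed) where flows maps (src, dst) to a Counter with
    keys "skip" and "clear", and unparsed is the number of frames skipped.
    """
    flows = {}
    unparsed = 0
    for pkt in packets:
        parsed = parse_ipv4(pkt)
        if parsed is None:
            unparsed += 1
            continue
        src, dst, proto = parsed
        counts = flows.setdefault((src, dst), Counter())
        counts["skip" if proto == SKIP_PROTOCOL else "clear"] += 1
    return flows, unparsed


def unprotected_peers(flows, peer):
    """Return the (src, dst) pairs involving `peer` that carried any cleartext packets.

    For a host you expect to be SKIP-protected, a non-empty result means the
    skiphost entry is not taking effect for that direction.
    """
    return sorted(pair for pair, c in flows.items() if peer in pair and c["clear"])


# Constructed sample capture: local host 192.0.2.10, SKIP peer 192.0.2.20,
# unprotected third host 198.51.100.5, plus two frames that are not valid IPv4.
SAMPLE_PACKETS = [
    build_ipv4("192.0.2.10", "192.0.2.20", SKIP_PROTOCOL, b"\x00" * 8),
    build_ipv4("192.0.2.20", "192.0.2.10", SKIP_PROTOCOL, b"\x00" * 8),
    build_ipv4("192.0.2.10", "192.0.2.20", SKIP_PROTOCOL, b"\x00" * 8),
    build_ipv4("192.0.2.10", "198.51.100.5", 6, b"\x00" * 20),   # TCP in the clear
    build_ipv4("198.51.100.5", "192.0.2.10", 17, b"\x00" * 8),   # UDP in the clear
    bytes([0x60]) + b"\x00" * 39,                                 # IPv6 header, not IPv4
    b"\x45\x00\x00",                                              # truncated frame
]

if __name__ == "__main__":
    flows, unparsed = classify(SAMPLE_PACKETS)
    for (src, dst), counts in sorted(flows.items()):
        print(f"{src} -> {dst}: skip={counts['skip']} clear={counts['clear']}")
    print(f"unparsed frames: {unparsed}")
    print("cleartext with SKIP peer:", unprotected_peers(flows, "192.0.2.20"))
```

Feed the parser the IP-layer bytes of each frame from your capture (strip the link-layer header first); if `unprotected_peers` returns anything for the host you configured with skiphost, SKIP is not yet protecting that path.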
Other useful commands:
skiphost
    Lists the SKIP access control entries.
skiplocal -l
    Lists the set of local identities.
skipdb -l
    Lists the certificates in our database.
skipca -l
    Lists the Certificate Authorities we trust.
SKIP configuration files are stored in the /etc/skip directory.