SunScreen 3.2 Installation Guide

Completing the SKIP Certificates Installation Procedure

After installing the SunScreen software and the SKIP certificates on the Screen, the Screen's certificate information must be loaded onto the Administrating Station to complete the installation. This information is located on the Screen in the /etc/sunscreen/AdminSetup.readme file.

The following procedure explains how to display this file.

To Display the /etc/sunscreen/AdminSetup.readme File
  1. Display the /etc/sunscreen/AdminSetup.readme file by typing:


    # more /etc/sunscreen/AdminSetup.readme
    

    The AdminSetup.readme file contains the Screen's certificate ID as well as the command that is run to give the Administration Station the Screen's certificate ID.

    This command adds the Screen to the ACL with the necessary encrypting parameter settings. If it executes successfully, then the configuration is complete, and you can go to "To Configure the Administration Station to Communicate With the Screen Using SKIP".

  2. Write down the command, which begins with skiphost -a, that is required in the next procedure.


    Note -

    You can use ftp to copy the /etc/sunscreen/AdminSetup.readme file onto the Administration Station if you trust that the network between the Screen and Administration Station is secure. Otherwise, display the file and write down the information for use in the next section.


Instructions for using SKIP from the command line are in the "Using the Command-Line Interface" in SunScreen SKIP User's Guide, Release 1.5.1.

To Configure the Administration Station to Communicate With the Screen Using SKIP

The following steps describe how to set up SKIP encryption software on the Administration Station.

If the AdminSetup.readme file was not copied to the Administration Station using ftp (or if the skiphost -a command fails), execute the following steps using the information obtained from that file.

  1. Open a terminal window and become root, if not already.

  2. Launch the skiptool GUI by typing:


    # skiptool &
    

    Note -

    To set SKIP parameters on a network interface other than the default interface, type: skiptool -i name_of_interface (such as qe3).


    The main window of the skiptool GUI appears.

  3. Next, add a default access control list (ACL) to communicate unencrypted to all hosts.

    1. Click the Add button and, under Host, choose the Off security option.

      The Add Host properties window appears.

    2. In the Add Host Properties window, type default as the Hostname, as shown in the following figure, and click Apply.

      Figure 4-1 skiptool With Add Host Properties Window Completed (figure not reproduced)

  4. Next, add an ACL entry for the Screen.

    1. Click the Add button and, under Host, choose the SKIP security option.

      The Add SKIP Host Properties window appears, as shown in the following figure.

      Figure 4-2 Add SKIP Host Properties Window (figure not reproduced)

    2. Use the information contained in the Screen's AdminSetup.readme file to complete the following fields:

      • Type the name of the Screen in the Hostname field.

      • Select Whole Packet in the Secure field.

      • Make the appropriate selection in the Remote Key ID field.

        For UDH self-generated certificates on the Administration Station, select MD5 (DH Public Value). For CA-issued certificates, select IPv4.

      • Type the Screen's MKID in the ID: field.

        The correct Remote Key ID is found in the AdminSetup.readme file.

      • Make the appropriate selection in the Local Key ID field.

        For UDH self-generated certificates on the Administration Station, select MD5 (DH Public Value). For CA-issued certificates, select IPv4.

      • Select the Administration Station's MKID in the ID: field.

      • Select the appropriate Key encryption, Traffic encryption, and Authentication algorithms for this connection.

        These algorithms must match those specified for the Screen in the AdminSetup.readme file.

  5. Click Apply to load your entry into the list.

  6. Select enabled from the pull-down menu for "Access control is," which is located at the top of the skiptool window.


    Note -

    When you select enabled, a window appears when you save the configuration. To prevent these acquired systems, which are part of the default configuration, from appearing in the Authorized Systems window, click Cancel.


  7. In the skiptool window, select Save from the File menu.


    Note -

    After configuring SKIP, check that the encryption parameters and the certificate ID (MKID) values match on both the Administration Station and the Screen.
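The ACL built in steps 3 and 4 (a cleartext "default" entry for all hosts plus a SKIP entry for the Screen) and the final check above can be modelled in a few lines. The following is an added example written for this guide; it is not SunScreen or SKIP code, and it does not read a real skiptool configuration. The "Field: value" layout of the sample readme, the field names, the MKID strings and the algorithm values are all constructed for the example; on a real system the values come from the Screen's /etc/sunscreen/AdminSetup.readme. The point it makes explicit is the side swap in step 4: the Screen's own MKID and key ID type go into the Remote Key ID fields on the Administration Station, and the three algorithms must match the Screen's exactly.

```python
"""Model of the skiptool ACL built in this procedure, plus the final consistency check.

Added example, not SunScreen or SKIP code. The readme layout, field names and values
below are constructed; take real values from the Screen's /etc/sunscreen/AdminSetup.readme.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-in for the Screen's AdminSetup.readme (the real file layout is not assumed).
SAMPLE_README = """\
Screen name: screen1
Screen key ID type: MD5 (DH Public Value)
Screen MKID: 0x0a1b2c3d4e5f60718293a4b5c6d7e8f9
Key encryption: DES
Traffic encryption: 3DES
Authentication: MD5
"""


def parse_admin_setup(text: str) -> Dict[str, str]:
    """Parse 'Field: value' lines into a dict, skipping blank, comment and malformed lines."""
    info: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        info[key.strip()] = value.strip()
    return info


@dataclass(frozen=True)
class SkipParams:
    """Fields of the Add SKIP Host Properties window (step 4 of the procedure)."""
    remote_key_id_type: str   # "MD5 (DH Public Value)" for UDH, "IPv4" for CA-issued
    remote_mkid: str          # the Screen's MKID, as published in AdminSetup.readme
    local_key_id_type: str
    local_mkid: str           # the Administration Station's own MKID
    key_encryption: str
    traffic_encryption: str
    authentication: str


@dataclass
class AclEntry:
    hostname: str                  # "default" covers every host not listed by name
    security: str                  # "Off" (cleartext) or "SKIP"
    secure: Optional[str] = None   # "Whole Packet" for the Screen entry
    params: Optional[SkipParams] = None


class SkipAcl:
    """ACL in which an explicitly named host overrides the "default" entry (modelled behaviour)."""

    def __init__(self) -> None:
        self.entries: List[AclEntry] = []

    def add(self, entry: AclEntry) -> None:
        if entry.security == "SKIP" and entry.params is None:
            raise ValueError(f"SKIP entry for {entry.hostname} has no key/algorithm parameters")
        self.entries.append(entry)

    def lookup(self, hostname: str) -> AclEntry:
        for e in self.entries:
            if e.hostname == hostname:
                return e
        for e in self.entries:
            if e.hostname == "default":
                return e
        raise KeyError(f"no ACL entry for {hostname} and no default entry")


def check_against_screen(entry: AclEntry, screen: Dict[str, str]) -> List[str]:
    """Return the mismatches between the Administration Station's entry and the Screen's values.

    The Screen's MKID and key ID type are compared with the *Remote* fields of the entry
    (the side swap from step 4); the algorithms must match exactly.
    """
    if entry.security != "SKIP" or entry.params is None:
        return [f"{entry.hostname}: security is {entry.security!r}, expected 'SKIP'"]
    problems: List[str] = []
    if entry.secure != "Whole Packet":
        problems.append(f"Secure: got {entry.secure!r}, expected 'Whole Packet'")
    expected = {
        "remote_key_id_type": screen["Screen key ID type"],
        "remote_mkid": screen["Screen MKID"],
        "key_encryption": screen["Key encryption"],
        "traffic_encryption": screen["Traffic encryption"],
        "authentication": screen["Authentication"],
    }
    for attr, want in expected.items():
        got = getattr(entry.params, attr)
        if got != want:
            problems.append(f"{attr}: Administration Station has {got!r}, Screen expects {want!r}")
    return problems


def build_admin_acl(screen: Dict[str, str], admin_mkid: str) -> SkipAcl:
    """Steps 3 and 4: a cleartext default entry, then a Whole Packet SKIP entry for the Screen."""
    acl = SkipAcl()
    acl.add(AclEntry(hostname="default", security="Off"))
    acl.add(AclEntry(
        hostname=screen["Screen name"], security="SKIP", secure="Whole Packet",
        params=SkipParams(
            remote_key_id_type=screen["Screen key ID type"], remote_mkid=screen["Screen MKID"],
            local_key_id_type="MD5 (DH Public Value)", local_mkid=admin_mkid,
            key_encryption=screen["Key encryption"],
            traffic_encryption=screen["Traffic encryption"],
            authentication=screen["Authentication"]),
    ))
    return acl


if __name__ == "__main__":
    info = parse_admin_setup(SAMPLE_README)
    acl = build_admin_acl(info, admin_mkid="0xfedcba9876543210fedcba9876543210")  # constructed
    print(check_against_screen(acl.lookup("screen1"), info) or "Screen entry matches")
```

Running the script with the constructed readme reports a matching Screen entry; putting the Administration Station's own MKID into the Remote Key ID field, or picking a different traffic algorithm than the Screen's, shows up as a named mismatch, which is the condition the closing note asks you to rule out before relying on the SKIP connection.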