test

SunScreen 3.2 Installation Guide

Setting Up a Remote Administration Station Using IKE

The following procedure describes using the command-line interface to create the IKE self-generated certificates on the Administration Station and firewall Screen. In the case of Trusted Solaris 8, the Administration Station is also a Screen.

Create an IKE Certificate on the Administration Station

The first step ijn this process is to create an IKE certificate on the remote Administration Station and to export it to a file.

To Create the Certificate on a Trusted Solaris 8 Administrative Screen

  1. Open a terminal window and become root, if not already.

  2. Create the IKE self-generated certificate.


    # ssadm certlocal -Iks -m 512 -t rsa-md5 -D "C=US, 
O=YOUR_ORG, CN=admin_name"

  3. Export the Administration Station's certificate to a file.


    # ssadm certdb -I -e "C=US, O=YOUR_ORG, 
CN=admin_name" > /tmp/admin_cert

  4. Set up the Screen.

To Create the Certificate on a Solaris 9 Administration Station

  1. Open a terminal window and become root, if not already.

  2. Create the IKE self-generated certificate.


    # ikecert certlocal  -ks -m 512 -t rsa-md5 -D "C=US, 
O=YOUR_ORG, CN=admin_name"

  3. Export the Administration Station's certificate to a file.


    # ikecert certdb  -e "C=US, O=YOUR_ORG, 
CN=admin_name" > /tmp/admin_cert

  4. Set up the Screen.

Setting Up the Screen

This section describes how you set up a Screen to use IKE to communicated with a remote Administration Station. Much of the instructions are given using command line examples while others use the administration GUI. In each case, the easiest method of performing the required task was chosen.

If you need further instructions on how to perform a specific task, try looking at the SunScreen Administration Guide and also the SunScreen Configuration Examples for detailed instructions.

To Set Up IKE on the Firewall Screen

After adding certificates on the administrative Screen or Administration Station, you create the IKE certificate on the firewall Screen.

  1. Create the IKE self-generated certificate.


    # ssadm certlocal -Iks -m 512 -t rsa-md5 -D 
"C=US, O=YOUR_ORG, CN=screen_name"

  2. Export the firewall Screen's IKE certificate to a file by typing.


    # ssadm certdb -I -e "C=US, O=YOUR_ORG,  
CN=screen_name" > /tmp/screen_cert

  3. Import the administrative Screen's certificate by typing.


    # ssadm certdb -I -a < /tmp/admin_cert

  4. Create certificate objects for the certificates


    # ssadm edit PolicyName
then using ssadm edit
edit> add certificate admin_cert SINGLE IKE "C=US, 
O=SUN, CN=admin_name"
edit> add certificate screen_cert SINGLE IKE "C=US, 
O=SUN, CN=screen_name"

  5. Mark the imported certificate as trusted.


    Using ssadm edit
edit>add member certificate "IKE manually 
verified certificates" "admin_cert"

  6. Start the Administration GUI.

    From this point on, it is easier to use the administration GUI to do the remaining steps.


    http://localhost:3852

    After you log in, edit the appropriate policy then continue with the following steps.

  7. Add the Administration Station's IP address as an address object.

  8. Add the Administration Station as a screen object and allow routing traffic and naming service.

  9. Edit the firewall Screen's screen object by selecting the primary/secondary tab and establishing the Administration Station's IP address as the administrative IP address in the IKE administrative certificate field, and add the firewall Screen's certificate.

  10. Stealth Mode Only - Return to the miscellaneous tab and make sure routing traffic and name service are No or None (certificate discovery is on).

  11. From a command line, mark the administrative certificate as trusted by typing:


    # ssadm edit PolicyName  
then, using ssadm edit
edit>add member certificate "IKE manually 
verified certificates" "admin_cert"

  12. From th GUI, add a remote access rule by selecting the administrative access tab and under the Access rules for remote administration table, click the add new rule button.


    screen: screen name
address object: remote admin address
user: admin
access level: all
encryption: IPSEC IKE

  13. Select the one algorithm that matches the packet filtering rule on the firewall Screen's source certificate: screen cert.

  14. Click on the Options tab, source screen: screen name.

    When done, you have a remote access rule like the following: 


    1 SCREEN "screen_name" USER "admin" "admin_addr" 
IPSEC ESP("DES-CBC", "MD5") AH("SHA1") IKE("DES-CBC", "MD5", 
1, RSA-SIGNATURES, "screen_cert") PERMISSION ALL

  15. Activate the policies.

  16. Finish the Administration Station.

Finish the Administration Station

Finishing a Trusted Solaris 8 Administration Station

  1. Import the firewall Screen's certificate.


    # ssadm certdb -I -a < /tmp/screen_cert

  2. Create certificate objects for the certificates.


    # ssadm edit PolicyName
edit> add certificate admin-cert SINGLE IKE "SUBJECT=C=US, O=SUN, 
CN=admin_DN"
edit> add certificate screen-cert SINGLE IKE "SUBJECT=C=US, O=SUN, 
CN=screen_DN"

  3. Mark the imported certificate as trusted.


    Using ssadm edit
edit>add member certificate "IKE manually 
verified certificates" "screen_cert"
    Note -

    The Group name "IKE manually verified certificates" is reserved for a trusted Certificate Group.

  4. Create an address object for the Screen.


    Using ssadm edit
edit>add address nameofscreen ipaddressofscreen

  5. Add a packet filter rule like the following:


    1 "remote administration" "admin_address"  
"screen_address" IPSEC ESP("DES-CBC", "MD5") AH("SHA1")  
IKE("DES-CBC", "MD5", 1, RSA-SIGNATURES, "admin_cert", 
"screen_cert") ALLOW

    See "Packet Filtering Rules" in the SunScreen 3.2 Administration Guide.

  6. Activate the policies.

Finishing a Solaris 9 Administration Station

  1. Import the firewall Screen's certificate.


    # ikecert certdb  -a < /tmp/screen_cert

  2. Set Up the IKE rules.

    You have to edit the IKE configuration files to set up encrypted communication between the Administration Station and the Screen. For information on editing these files, see the Solaris 9 IKE documentation.

    1. Edit the /etc/inet/ipsecinit.remote file.

      The following file provides an example of how you would set up communication between an Administration Station with an IP address of 172.16.2.3 and a Screen's administrative interface with an address of 172.16.2.1


      {sport 500} bypass {dir out}  
{dport 500} bypass {dir in}   
{saddr 172.16.2.3 daddr 172.16.2.1} apply {encr_algs des encr_auth_algs sha1 sa shared}   
{saddr 172.16.2.1 daddr 172.16.2.3} permit {encr_algs des encr_auth_algs sha1 sa shared}

    2. Edit the /etc/inet/config file.

      This file contains instructions to amrk the Screens certificate as trusted as well as encryption parameters.


      # Example remote admin config file 
 # IKE manually verified self-signed certs   
cert_trust "SUBJECT=CN=DNofScreensCert-rsa-sha1-4096, O=Sun, C=US"   
# Outgoing IKE rule for remote admin 
{label "outgoing" 
local_id_type DN 
local_id "SUBJECT=CN=RemoteAdminCert-rsa-sha1-4096, O=Sun, 
C=US"  
remote_id "SUBJECT=CN=ScreenCert-rsa-sha1-4096, O=Sun, C=US"          
local_addr 172.16.2.3 
remote_addr  172.16.2.1
p1_xform {auth_method rsa_sig oakley_group 1 auth_alg sha1 encr_alg des }  
}

  3. Reload IKE and it's associated components.

    Issue commands similar to the following:

    # pkill iked # ipsecconf -f # ipseckey flush # ipsecconf -a /etc/inet/ipsecinit.remote # /usr/lib/inet/in.iked -f /etc/inet/ike/config.remote

The remote Administration Station is now ready to communicate with the Screen.