The following procedure describes using the command-line interface to create the IKE self-generated certificates on the Administration Station and the firewall Screen. In the case of Trusted Solaris 8, the Administration Station is also a Screen.
The first step in this process is to create an IKE certificate on the remote Administration Station and to export it to a file.
Create the IKE self-generated certificate:
# ssadm certlocal -Iks -m 512 -t rsa-md5 -D "C=US, O=YOUR_ORG, CN=admin_name"
The 512-bit RSA key and MD5 signature are the values from Sun's original example and are far weaker than anything acceptable today; use a larger -m key size and -t rsa-sha1 (the sample IKE configuration later on this page names its certificates as 4096-bit rsa-sha1 keys). Whatever DN you choose here must be repeated exactly wherever this certificate is referenced below.
Export the Administration Station's certificate to a file:
# ssadm certdb -I -e "C=US, O=YOUR_ORG, CN=admin_name" > /tmp/admin_cert
If the Administration Station uses the Solaris IKE implementation rather than SunScreen's certificate tools (as in the Solaris 9 IKE configuration later in this procedure), create and export the certificate with ikecert instead:
Create the IKE self-generated certificate:
# ikecert certlocal -ks -m 512 -t rsa-md5 -D "C=US, O=YOUR_ORG, CN=admin_name"
Export the Administration Station's certificate to a file:
# ikecert certdb -e "C=US, O=YOUR_ORG, CN=admin_name" > /tmp/admin_cert
Set up the Screen.
This section describes how you set up a Screen to use IKE to communicate with a remote Administration Station. Most of the instructions are given as command-line examples; others use the administration GUI. In each case the easier method of performing the task was chosen.
If you need further instructions on how to perform a specific task, see the SunScreen Administration Guide and the SunScreen Configuration Examples.
After adding certificates on the administrative Screen or Administration Station, you create the IKE certificate on the firewall Screen.
Create the IKE self-generated certificate:
# ssadm certlocal -Iks -m 512 -t rsa-md5 -D "C=US, O=YOUR_ORG, CN=screen_name"
Export the firewall Screen's IKE certificate to a file:
# ssadm certdb -I -e "C=US, O=YOUR_ORG, CN=screen_name" > /tmp/screen_cert
Copy /tmp/admin_cert from the Administration Station to the Screen over a channel you trust, since the following steps mark this file as manually verified, then import it:
# ssadm certdb -I -a < /tmp/admin_cert
Create certificate objects for the certificates. The DN strings must be exactly those given to certlocal -D above:
# ssadm edit PolicyName
edit> add certificate admin_cert SINGLE IKE "C=US, O=YOUR_ORG, CN=admin_name"
edit> add certificate screen_cert SINGLE IKE "C=US, O=YOUR_ORG, CN=screen_name"
Mark the imported certificate as trusted:
edit> add member certificate "IKE manually verified certificates" "admin_cert"
Start the Administration GUI.
From this point on, it is easier to use the administration GUI to do the remaining steps.
http://localhost:3852
After you log in, edit the appropriate policy then continue with the following steps.
Add the Administration Station's IP address as an address object.
Add the Administration Station as a screen object and allow routing traffic and naming service.
Edit the firewall Screen's screen object: on the primary/secondary tab, enter the Administration Station's IP address as the administrative IP address, fill in the IKE administrative certificate field, and add the firewall Screen's certificate.
Stealth Mode Only - Return to the miscellaneous tab and make sure routing traffic and name service are No or None (certificate discovery is on).
From a command line, mark the administrative certificate as trusted by typing:
# ssadm edit PolicyName
edit> add member certificate "IKE manually verified certificates" "admin_cert"
From the GUI, add a remote access rule: select the administrative access tab and, under the Access rules for remote administration table, click the add new rule button. Fill in:
screen: screen_name
address object: remote admin address
user: admin
access level: all
encryption: IPSEC IKE
Select the ESP, AH and IKE algorithms so that they match the packet filtering rule you will add on the Administration Station, and set the source certificate to screen_cert.
Click on the Options tab and set source screen: screen_name.
When done, you have a remote access rule like the following:
1 SCREEN "screen_name" USER "admin" "admin_addr" IPSEC ESP("DES-CBC", "MD5") AH("SHA1") IKE("DES-CBC", "MD5", 1, RSA-SIGNATURES, "screen_cert") PERMISSION ALL
Activate the policies.
Finish the Administration Station.
Import the firewall Screen's certificate:
# ssadm certdb -I -a < /tmp/screen_cert
Create certificate objects for the certificates. Use the same object names as on the Screen and the DN strings given to certlocal -D:
# ssadm edit PolicyName
edit> add certificate admin_cert SINGLE IKE "SUBJECT=C=US, O=YOUR_ORG, CN=admin_name"
edit> add certificate screen_cert SINGLE IKE "SUBJECT=C=US, O=YOUR_ORG, CN=screen_name"
Mark the imported certificate as trusted:
edit> add member certificate "IKE manually verified certificates" "screen_cert"
The group name "IKE manually verified certificates" is reserved for a trusted Certificate Group. Adding a certificate to it asserts that you have verified, out of band, that the file you imported really is the Screen's certificate; the self-signed certificates used here have no issuer that could do that for you.
Create an address object for the Screen:
edit> add address nameofscreen ipaddressofscreen
Add a packet filter rule like the following:
1 "remote administration" "admin_address" "screen_address" IPSEC ESP("DES-CBC", "MD5") AH("SHA1") IKE("DES-CBC", "MD5", 1, RSA-SIGNATURES, "admin_cert", "screen_cert") ALLOW
See "Packet Filtering Rules" in the SunScreen 3.2 Administration Guide.
Activate the policies.
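The remote access rule on the Screen and the packet filter rule on the Administration Station must carry the same ESP, AH and IKE phase 1 parameters, and the certificate the Screen presents must be one the Administration Station rule lists; otherwise the negotiation fails with no fallback. The following POSIX shell script is an added check, not part of SunScreen or of the original procedure: it parses the two rules (the sample rules are copied from this page, with the page's placeholder names) and reports the first field on which they disagree.

```sh
#!/bin/sh
# Added example (not part of SunScreen or this page): compare the remote access
# rule configured on the Screen with the packet filter rule configured on a
# SunScreen Administration Station and report where they disagree.

# Sample rules, copied from this page. admin_addr / admin_address and the
# certificate names are the page's placeholders.
SCREEN_RULE='1 SCREEN "screen_name" USER "admin" "admin_addr" IPSEC ESP("DES-CBC", "MD5") AH("SHA1") IKE("DES-CBC", "MD5", 1, RSA-SIGNATURES, "screen_cert") PERMISSION ALL'
ADMIN_RULE='1 "remote administration" "admin_address" "screen_address" IPSEC ESP("DES-CBC", "MD5") AH("SHA1") IKE("DES-CBC", "MD5", 1, RSA-SIGNATURES, "admin_cert", "screen_cert") ALLOW'

# Argument list of one keyword with quotes and blanks removed,
# e.g. rule_args "$SCREEN_RULE" ESP -> DES-CBC,MD5
rule_args() {   # $1 rule text, $2 keyword (ESP, AH or IKE)
    printf '%s\n' "$1" | sed -n "s/.*$2(\([^)]*\)).*/\1/p" | tr -d '" '
}

# IKE("encr", "hash", group, auth_method, certs...): the first four fields are
# the phase 1 proposal, the rest are the certificates the rule accepts.
ike_proposal() { rule_args "$1" IKE | cut -d, -f1-4; }
ike_certs()    { rule_args "$1" IKE | cut -d, -f5-; }

# 0 when both rules carry the same ESP, AH and phase 1 parameters and the
# certificate the Screen presents is one the Administration Station rule lists.
rules_match() {   # $1 Screen rule, $2 Administration Station rule
    [ "$(rule_args "$1" ESP)" = "$(rule_args "$2" ESP)" ] ||
        { echo "ESP mismatch: $(rule_args "$1" ESP) vs $(rule_args "$2" ESP)"; return 1; }
    [ "$(rule_args "$1" AH)" = "$(rule_args "$2" AH)" ] ||
        { echo "AH mismatch: $(rule_args "$1" AH) vs $(rule_args "$2" AH)"; return 1; }
    [ "$(ike_proposal "$1")" = "$(ike_proposal "$2")" ] ||
        { echo "IKE phase 1 mismatch: $(ike_proposal "$1") vs $(ike_proposal "$2")"; return 1; }
    screen_cert=$(ike_certs "$1")
    case ",$(ike_certs "$2")," in
        *",$screen_cert,"*) return 0 ;;
        *) echo "Administration Station rule does not accept certificate $screen_cert"; return 1 ;;
    esac
}

# Standalone usage: exit status 0 means the two sample rules are consistent.
rules_match "$SCREEN_RULE" "$ADMIN_RULE" && echo "rules are consistent"
```

Paste the rule printed by the GUI on the Screen into SCREEN_RULE and the rule from ssadm edit on the Administration Station into ADMIN_RULE; the script compares only the IPsec/IKE clauses, so the differing address and permission fields at either end are ignored.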
If the Administration Station uses the Solaris IKE implementation, import the firewall Screen's certificate with ikecert instead:
# ikecert certdb -a < /tmp/screen_cert |
Set Up the IKE rules.
You have to edit the IKE configuration files to set up encrypted communication between the Administration Station and the Screen. For information on editing these files, see the Solaris 9 IKE documentation.
Edit the /etc/inet/ipsecinit.remote file.
The following file provides an example of how you would set up communication between an Administration Station with an IP address of 172.16.2.3 and a Screen's administrative interface with an address of 172.16.2.1. IKE's own traffic on port 500 is bypassed; everything else between the two addresses is protected with ESP using DES and SHA-1 authentication:
{sport 500} bypass {dir out}
{dport 500} bypass {dir in}
{saddr 172.16.2.3 daddr 172.16.2.1} apply {encr_algs des encr_auth_algs sha1 sa shared}
{saddr 172.16.2.1 daddr 172.16.2.3} permit {encr_algs des encr_auth_algs sha1 sa shared}
The algorithms here must match those in the Screen's remote access rule exactly; a mismatch makes the IKE negotiation fail rather than fall back to a common choice.
Edit the /etc/inet/ike/config.remote file (the IKE configuration that the reload step below passes to in.iked with -f; the default file is /etc/inet/ike/config).
This file marks the Screen's certificate as trusted and sets the phase 1 parameters. The DN given to cert_trust must be exactly the subject DN of the Screen's certificate, the same string used as remote_id; if the two differ, the peer certificate is not trusted and phase 1 fails.
# Example remote admin config file
# IKE manually verified self-signed certs
cert_trust "SUBJECT=CN=ScreenCert-rsa-sha1-4096, O=Sun, C=US"

# Outgoing IKE rule for remote admin
{
    label "outgoing"
    local_id_type DN
    local_id "SUBJECT=CN=RemoteAdminCert-rsa-sha1-4096, O=Sun, C=US"
    remote_id "SUBJECT=CN=ScreenCert-rsa-sha1-4096, O=Sun, C=US"
    local_addr 172.16.2.3
    remote_addr 172.16.2.1
    p1_xform {auth_method rsa_sig oakley_group 1 auth_alg sha1 encr_alg des }
}
oakley_group 1 (768-bit MODP) and DES are what the original example used; both are far below current minimums, so raise them where both ends support it.
Reload IKE and its associated components.
Issue commands similar to the following (stop the running IKE daemon, flush the existing policy and security associations, load the new policy, then start in.iked with the remote administration configuration):
# pkill iked
# ipsecconf -f
# ipseckey flush
# ipsecconf -a /etc/inet/ipsecinit.remote
# /usr/lib/inet/in.iked -f /etc/inet/ike/config.remote
The remote Administration Station is now ready to communicate with the Screen.
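The two Solaris files above are short, but the setup breaks silently when the cert_trust DN drifts from remote_id or when the addresses in the IKE rule do not match the pair the IPsec policy protects. The following POSIX shell script is an added example, not Sun's tooling and not part of the original procedure: it renders both files from the addresses and DNs you pass in, writing cert_trust and remote_id from the same value so they cannot diverge, and then runs the two consistency checks. The file names, function names and the DNs used in the usage line are placeholders chosen here.

```sh
#!/bin/sh
# Added example (not Sun's tooling): render the two Solaris IKE files used for
# remote administration from a few parameters, then check the invariants that
# silently break the setup when violated. Contents follow the fragments on this
# page; DNs and paths passed in are placeholders chosen by the caller.

# IPsec policy: let IKE itself (port 500) through, protect everything else
# between the two hosts with ESP (DES + SHA-1, as in the page's example).
render_ipsecinit() {   # $1 admin IP, $2 screen IP, $3 output file
    cat > "$3" <<EOF
{sport 500} bypass {dir out}
{dport 500} bypass {dir in}
{saddr $1 daddr $2} apply {encr_algs des encr_auth_algs sha1 sa shared}
{saddr $2 daddr $1} permit {encr_algs des encr_auth_algs sha1 sa shared}
EOF
}

# IKE config: trust the Screen's self-signed certificate by DN and define one
# phase 1 rule. cert_trust and remote_id are deliberately written from the
# same variable so they cannot drift apart.
render_ike_config() {   # $1 admin IP, $2 screen IP, $3 admin DN, $4 screen DN, $5 output file
    cat > "$5" <<EOF
# IKE manually verified self-signed certs
cert_trust "$4"

# Outgoing IKE rule for remote admin
{
    label "outgoing"
    local_id_type DN
    local_id "$3"
    remote_id "$4"
    local_addr $1
    remote_addr $2
    p1_xform {auth_method rsa_sig oakley_group 1 auth_alg sha1 encr_alg des }
}
EOF
}

# First quoted value following a keyword in an ike config, e.g. remote_id.
ike_value() {   # $1 file, $2 keyword
    sed -n "s/^[[:space:]]*$2[[:space:]]*\"\(.*\)\".*/\1/p" "$1" | head -n 1
}

# The peer named by remote_id must also appear in a cert_trust line; with
# self-signed certificates there is no issuer to vouch for it otherwise.
check_ike_config() {   # $1 ike config file
    remote=$(ike_value "$1" remote_id)
    [ -n "$remote" ] || { echo "no remote_id in $1"; return 1; }
    grep -qF "cert_trust \"$remote\"" "$1" ||
        { echo "remote_id \"$remote\" has no matching cert_trust line"; return 1; }
    return 0
}

# The addresses in the IKE rule must be the same pair the IPsec policy protects.
check_addresses() {   # $1 ipsecinit file, $2 ike config file
    local_addr=$(sed -n 's/^[[:space:]]*local_addr[[:space:]]*\([^[:space:]]*\).*/\1/p' "$2" | head -n 1)
    remote_addr=$(sed -n 's/^[[:space:]]*remote_addr[[:space:]]*\([^[:space:]]*\).*/\1/p' "$2" | head -n 1)
    grep -qF "{saddr $local_addr daddr $remote_addr} apply" "$1" &&
        grep -qF "{saddr $remote_addr daddr $local_addr} permit" "$1"
}

# Standalone usage: sh remote_admin_ike.sh ADMIN_IP SCREEN_IP "ADMIN_DN" "SCREEN_DN" OUTDIR
if [ $# -eq 5 ]; then
    render_ipsecinit "$1" "$2" "$5/ipsecinit.remote"
    render_ike_config "$1" "$2" "$3" "$4" "$5/config.remote"
    check_ike_config "$5/config.remote" &&
        check_addresses "$5/ipsecinit.remote" "$5/config.remote" &&
        echo "wrote $5/ipsecinit.remote and $5/config.remote"
fi
```

Run it into a scratch directory first and diff the output against the files you intend to load with ipsecconf -a and in.iked -f; the checks can also be run alone against hand-edited files to catch the DN and address mismatches before restarting the daemon.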