SunScreen 3.2 Installation Guide

Appendix A Command Line Installation

This appendix contains SunScreen 3.2 installation procedures performed using the command line. You can use these procedures when installing SunScreen 3.2 in routing or stealth modes.

Topics covered include:

Expert system administrators can use the command-line installation as an alternative to using the installer. Before installing the software, review the SunScreen 3.2 Release Notes for the latest information about this product.


Note -

Be sure to make a map of your network before you begin this installation. See "Determining Your Security Policy" in the SunScreen 3.2 Installation Guide appendix for worksheets and instructions to aid you in determining your network configuration and your desired security level.


The following procedures describing how to install the software and create the certificates use the same order as demonstrated in "Installing in Routing Mode With Remote Administration" in the SunScreen 3.2 Installation Guide and in "Installing in Stealth Mode With Remote Administration" in the SunScreen 3.2 Installation Guide. The installation scenario is a three-step process that requires you to first install the appropriate software on the remote administrative Screen or Administration Station, then install the appropriate software on the Screen designated as the firewall, and last, establish encrypted communication between the remote administrative Screen and the firewall Screen using IKE or between the Administration Station and the Screen using SKIP.


Note -

Command line procedures for upgrading your system to SunScreen 3.2 from SunScreen SPF-200, SunScreen EFS 1.1, 2.0, 3.0, SunScreen 3.0, SunScreen 3.1, SunScreen 3.1 Lite, and SunScreen 3.2 Lite are in "Upgrading Your System" in this manual.


Routing and Stealth Mode Installation Summary

See "Routing and Stealth Mode Installation Summary" for information on an IKE and SKIP routing mode installation, "Routing Mode Installation Summary" for a SKIP routing mode installation, and "Stealth Mode Installation Summary" for a SKIP stealth mode installation.

When installing a Screen in stealth mode, you are asked whether you want to harden the Screen. Hardening is optional; if you choose it, the Solaris software files and packages that might otherwise make your system vulnerable to an attack are removed automatically. The hardening process can be performed during installation or at a later time by running the following script on the command line: /usr/lib/sunscreen/lib/harden_os.


Caution -

Once you harden your Screen, it becomes a dedicated firewall and cannot be used for any other purpose without first reinstalling the Solaris software.


Required SunScreen Software Packages

The following list shows the SunScreen packages followed by the numbers of the required packages.

Change to the directory containing the SunScreen 3.2 product.

# cd /cdrom/cdrom0/Solaris_9/ExtraValue/CoBundled/SunScreen_3.2/sparc

For a list of the available packages, type:

# pkgadd -d .

  1  SUNW3des      SKIP 3DES Crypto Module
                   (sparc) 1.5.1
  2  SUNW3desx     SKIP 3DES Crypto Module (64-bit)
                   (sparc) 1.5.1
  3  SUNWbdc       SKIP Bulk Data Crypt
                   (sparc) 1.5.1
  4  SUNWbdcx      SKIP Bulk Data Crypt (64-bit)
                   (sparc) 1.5.1
  5  SUNWdes       SKIP DES Crypto Module
                   (sparc) 1.5.1
  6  SUNWdesx      SKIP DES Crypto Module (64-bit)
                   (sparc) 1.5.1
  7  SUNWes        SKIP End System
                   (sparc) 1.5.1
  8  SUNWesx       SKIP End System (64-bit)
                   (sparc) 1.5.1
  9  SUNWfwcnv     SunScreen tools for migration from Firewall-1
                   (sparc) 3.2,REV=40
 10  SUNWkdsup     SKIP D-Support module
                   (sparc) 1.5.1
 11  SUNWkeymg     SKIP Key Manager Tools
                   (sparc) 1.5.1
 12  SUNWrc2       SKIP RC2 Crypto Module
                   (sparc) 1.5.1
 13  SUNWrc4       SKIP RC4 Crypto Module
                   (sparc) 1.5.1
 14  SUNWrc4s      SKIP RC4-128 Crypto Module
                   (sparc) 1.5.1
 15  SUNWrc4sx     SKIP RC4-128 Crypto Module (64-bit)
                   (sparc) 1.5.1
 16  SUNWrc4x      SKIP RC4 Crypto Module (64-bit)
                   (sparc) 1.5.1
 17  SUNWsafe      SKIP SAFER Crypto Module
                   (sparc) 1.5.1
 18  SUNWsafex     SKIP SAFER Crypto Module (64-bit)
                   (sparc) 1.5.1
 19  SUNWsfwau     SunScreen Administrative Software
                   (sparc) 3.2,REV=40
 20  SUNWsfwd      SunScreen Online Documentation
                   (sparc) 3.2,REV=40
 21  SUNWsfwf      SunScreen Full Functionality
                   (sparc) 3.2,REV=40
 22  SUNWsfwg      SunScreen Administrative GUI
                   (sparc) 3.2,REV=40
 23  SUNWsfwi      SunScreen Interim IKE Software
                   (sparc) 3.2
 24  SUNWsfwm      SunScreen On-Line Manual Pages
                   (sparc) 3.2,REV=40
 25  SUNWsfwr      SunScreen Firewall, (Root)
                   (sparc) 3.2,REV=40
 26  SUNWsfwu      SunScreen Firewall, (Usr)
                   (sparc) 3.2,REV=40
 27  SUNWsman      SKIP Man Pages
                   (sparc) 1.5.1
For SPARC Platform Edition Systems: Select the package(s) you wish to process (or 'all' to process all packages). (default: all) [?,??,q]

Note -

Never add the end-system SKIP packages SUNWes and SUNWesx to the Screen.
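As an added example (not part of the SunScreen documentation or product), the following Python script parses a pkgadd listing in the layout shown above, expands a selection such as the one given later for a Remote Administration Station, and flags the end-system SKIP packages SUNWes and SUNWesx when the selection is meant for a Screen. The listing embedded in it is a constructed excerpt of the list above.

```python
import re

# Constructed excerpt of the "pkgadd -d ." listing shown above (same layout,
# trimmed to a few packages so the example stays short).
PKGADD_LISTING = """\
  7  SUNWes        SKIP End System
                   (sparc) 1.5.1
  8  SUNWesx       SKIP End System (64-bit)
                   (sparc) 1.5.1
  9  SUNWfwcnv     SunScreen tools for migration from Firewall-1
                   (sparc) 3.2,REV=40
 10  SUNWkdsup     SKIP D-Support module
                   (sparc) 1.5.1
 24  SUNWsfwm      SunScreen On-Line Manual Pages
                   (sparc) 3.2,REV=40
 27  SUNWsman      SKIP Man Pages
                   (sparc) 1.5.1
"""

# End-system SKIP packages that must never be added to a Screen.
END_SYSTEM_PKGS = {"SUNWes", "SUNWesx"}

# First line of an entry: number, package name, description.
PKG_LINE = re.compile(r"^\s*(\d+)\s+(SUNW\w+)\s+(.*?)\s*$")
# Second line of an entry: architecture in parentheses, then the version.
VERSION_LINE = re.compile(r"^\s+\((\w+)\)\s+(\S+)\s*$")


def parse_pkgadd_listing(text):
    """Return {number: (name, description, version)} from a pkgadd listing."""
    packages = {}
    current = None
    for line in text.splitlines():
        m = PKG_LINE.match(line)
        if m:
            current = int(m.group(1))
            packages[current] = [m.group(2), m.group(3), None]
            continue
        m = VERSION_LINE.match(line)
        if m and current is not None:
            packages[current][2] = m.group(2)
    return {number: tuple(fields) for number, fields in packages.items()}


def expand_selection(selection):
    """Expand a pkgadd selection such as '1-8, 10-19, 24, and 27' into sorted numbers."""
    numbers = set()
    for token in re.findall(r"\d+(?:-\d+)?", selection):
        if "-" in token:
            low, high = (int(part) for part in token.split("-"))
            numbers.update(range(low, high + 1))
        else:
            numbers.add(int(token))
    return sorted(numbers)


def check_selection(listing, selection, role):
    """Map a selection to package names and collect problems.

    role is "screen" or "admin"; for a Screen the end-system SKIP packages
    are reported as problems. Returns (names, problems).
    """
    packages = parse_pkgadd_listing(listing)
    names, problems = [], []
    for number in expand_selection(selection):
        if number not in packages:
            problems.append(f"package number {number} is not in the listing")
            continue
        name = packages[number][0]
        names.append(name)
        if role == "screen" and name in END_SYSTEM_PKGS:
            problems.append(f"{name} (#{number}) is an end-system SKIP package; never add it to a Screen")
    return names, problems


if __name__ == "__main__":
    for role in ("admin", "screen"):
        names, problems = check_selection(PKGADD_LISTING, "7-10, 24, and 27", role)
        print(role, names, problems)
```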


Configuring a Default Screen Installation Through the Command Line

The following describes installing the SunScreen default installation through the command line.

To Configure a Screen Locally in Routing Mode Through the Command Line

Note -

For the following procedure to work, you must have already installed the prerequisite Solaris packages, added the SunScreen packages, and rebooted your system.


  1. To begin the configuration after rebooting your system, as root, type the following:


    # ssadm configure
    

    A message appears: Checking for required packages.

  2. Press ENTER to continue if the prerequisite Solaris packages were installed, the SunScreen packages added, and you rebooted your system; otherwise, press Control-C to abort the installation.

    You are asked which type of Screen you want to install: 1 (routing, the default entry) or 2.

  3. Specify 1, Routing, as the Screen Type.

    The Screen can be set up as a router or as a bridge providing stealth. Which type of Screen you employ affects how the interfaces are initialized. For routing Screens, each interface is set up as a routing interface. For a stealth Screen, there is only one interface available, which is dedicated to Screen administration.

    You are asked which type of administration you want to install: 1 (local, the default entry) or 2.

  4. Specify 1, Local administration.

    When using (1) local administration, all administration is performed on the Screen itself. When administering the Screen from a (2) remote Administration Station, you need to install the SunScreen administration packages, IKE or SKIP certificates, and a local key onto the Administration Station before continuing. When appropriate, you can also specify both Local and Remote.

    You are asked which level of security you want to install.

  5. Specify 3, Permissive, as the security level.

    There are three possible security levels and each security level corresponds to a different set of permitted services to, from, and through the Screen. The permissive security level is the default and can be used for the initial configuration and changed at any time after installation.

    The security levels are as follows:

    1. Permissive - This level allows most traffic, including inbound connections to the Screen itself and all traffic through the Screen. This security level is for installing the Screen onto a host that has multiple network interfaces and that acts as a router, or on a host that is acting as a server (for example, for NFS, NIS, or WWW).

    2. Restrictive - This level of security disallows all traffic to, from, and through the Screen, except for encrypted administration traffic. This level is best for deploying the Screen in an unsecured network environment. It requires that static routing and name resolution are configured on the host.

    3. Secure (routing Screens only) - This level disallows all traffic to and through the Screen, except for encrypted administration traffic, common services from the Screen, name server resolution traffic (like DNS and NIS), and routing (RIP). This level is a good starting point for getting a Screen up and running on a secure network, where the Screen cannot be a standalone system and depends on NIS, DNS, or NFS to function properly.


    Note -

    With the exception of the Restrictive security level, no IP spoofing protection is provided until the system is properly configured.


    A message appears: The following name resolution method was detected on this machine: None or Static name resolution from the /etc/hosts file.

  6. Specify 1, YES, to accept the Name Resolution as detected, if this is the name service that you want to use on this machine.


    Note -

    Make sure this is the name service that you want to use on this system (see "Preparing to Install High Availability" in SunScreen 3.2 Administration Guide).


  7. When the system configuration completes, reboot the system for your changes to take effect.

Installing the Administration Packages

When installing the administration packages, the following limitations and requirements apply:

To Install the Administration Packages
  1. Open a terminal window on your system and become root, if not already.

  2. Go to the location of the SunScreen software.

    # cd /cdrom/cdrom0/Solaris_9/ExtraValue/CoBundled/SunScreen_3.2/sparc

  3. Add the software by typing:


    # pkgadd -d .
    
  4. Select the administration packages.

    For a Remote Administration Station, specify: 1-8, 10-19, 24, and 27.

  5. Type q to quit pkgadd.

  6. Reboot by typing:


    # sync; init 6
    

After installing the software packages, set up encrypted communication between the Administration Station and the Screen.


Note -

Both the Administration Station and the Screen need certificates before encrypted communication can begin.


Creating Encryption Certificates

This section describes how to set up encrypted communication between the Administration Station and the Screen.

The following is a list of limitations and requirements:

After installing the appropriate software on both systems, create the IKE self-generated certificates on the systems as described in the following sections.

To Create Certificates on the Administration Station
  1. When using IKE self-generated certificates, after installing the appropriate SunScreen software on both Screens, create the certificates on the systems (see "To Create Remote Administration Screen IKE Self-Generated Certificates" and "To Create the Firewall Screen's IKE Self-Generated Certificate").

  2. When using SKIP UDH keys and certificates to encrypt the communication between the Administration Station and the Screen, see "To Create SKIP UDH Key and Certificates".

  3. When using SKIP CA-issued private keys and certificates, see "To Load SKIP CA-Issued Private Key and Certificates".

To Create Remote Administration Screen IKE Self-Generated Certificates
  1. On the Remote Administrative Screen, create the IKE self-generated certificate by typing:


    # ssadm certlocal -Iks -m 512 -t rsa-md5 -D "C=US, O=YOUR_ORG, CN=admin_name"
    
  2. Export the administrative Screen's certificate to a file by typing:


    # ssadm certdb -I -e "C=US, O=YOUR_ORG, CN=admin_name" > /tmp/admin_cert
    
  3. Import the firewall Screen's certificate by typing:


    # ssadm certdb -I -a < /tmp/screen_cert
    then, using ssadm edit:
    edit> add certificate admin_cert SINGLE IKE "C=US, O=YOUR_ORG, CN=admin_name"
    edit> add certificate screen_cert SINGLE IKE "C=US, O=YOUR_ORG, CN=screen_name"
    
  4. Add a packet filter rule like the following:


    1 "remote administration" "admin_address" "screen_address" 
    IPSEC ESP("DES-CBC", "MD5") AH("SHA1") IKE("DES-CBC", "MD5", 
    1, RSA-SIGNATURES, "admin_cert", "screen_cert") ALLOW
    

    See "Packet Filtering Rules" in SunScreen 3.2 Administration Guide.

  5. Mark the Screen's certificate as trusted by typing:


    > add member certificate "IKE manually verified certificates" 
    "screen_cert"
    

  6. Activate the policies.

To Create the Firewall Screen's IKE Self-Generated Certificate
  1. On the firewall Screen, create the IKE self-generated certificate by typing:


    # ssadm certlocal -Iks -m 512 -t rsa-md5 -D "C=US, O=YOUR_ORG, CN=screen_name"
    
  2. Export the firewall Screen's IKE certificate to a file by typing:


    # ssadm certdb -I -e "C=US, O=YOUR_ORG, CN=screen_name" > /tmp/screen_cert
    
  3. Import the administrative Screen's certificate by typing:


    # ssadm certdb -I -a < /tmp/admin_cert
    then, using ssadm edit:
    edit> add certificate admin_cert SINGLE IKE "C=US, O=YOUR_ORG, CN=admin_name"
    edit> add certificate screen_cert SINGLE IKE "C=US, O=YOUR_ORG, CN=screen_name"
    
  4. Add the administrative Screen's IP address as an address object.

  5. Add the administrative Screen as a screen object and allow routing traffic and naming service.

  6. Edit the firewall Screen's screen object by selecting the primary/secondary tab and making the remote administrative Screen's IP address the administrative IP address in the IKE administrative certificate field, and add the firewall Screen's certificate.

  7. Mark the administrative certificate as trusted by typing:


    > add member certificate "IKE manually verified certificates" 
    "admin_cert"
  8. Add a remote access rule by selecting the Administrative Access tab and, under the Access rules for remote administration table, clicking the Add New Rule button.


    screen: screen name
    address object: remote admin address
    user: admin
    access level: all
    encryption: IPSEC IKE
  9. Select the one algorithm that matches the packet filtering rule on the remote firewall Screen, and for the source certificate select screen cert.

  10. Click the Options tab and set source screen to screen name.

    When finished, you should have a remote access rule like the following:


    1 SCREEN "screen_name" USER "admin" "admin_addr" 
    IPSEC ESP("DES-CBC", "MD5") AH("SHA1") IKE("DES-CBC", "MD5", 
    1, RSA-SIGNATURES, "screen_cert") PERMISSION ALL


    Note -

    No packet filtering rule is required on the firewall Screen.


  11. Activate the policies.

The following command-line examples demonstrate how to use IKE from the SunScreen command line in this release:

To Use IPsec Manual Keying

The following is an example of adding manual IPsec rules:

  1. Add manual keys on both Screens using ssadm edit or the administration GUI.


    edit> add key "key_des" SINGLE "1234567812345678"
    edit> add key "key_ah" SINGLE "1234567890abcdef1234567890abcdef"
    
  2. Add rules like the following using keys added on both Screens.

    1. On Screen1:


      1 "telnet" "screen1_host" "screen2_host" IPSEC ESP(0x123, "DES-CBC", 
      "key_des") AH(0x345, "MD5", "key_ah") SOURCE_SCREEN "screen1" ALLOW
      2 "telnet" "screen2_host" "screen1_host" IPSEC ESP(0x123, "DES-CBC", 
      "key_des") AH(0x345, "MD5", "key_ah") DESTINATION_SCREEN "screen1" ALLOW
      
    2. On Screen2:


      1 "telnet" "screen2_host" "screen1_host" IPSEC ESP(0x123, "DES-CBC", 
      "key_des") AH(0x345, "MD5", "key_ah") SOURCE_SCREEN "screen2" ALLOW
      2 "telnet" "screen1_host" "screen2_host" IPSEC ESP(0x123, "DES-CBC", 
      "key_des") AH(0x345, "MD5", "key_ah") DESTINATION_SCREEN "screen2" ALLOW
      

    The hex values 0x123 and 0x345 are SPI values and are between 0x000 and 0xFFF. If you choose different algorithms, such as 3DES-CBC or SHA1, you must define manual keys of the proper length. The required lengths, in hex characters, are:

    • DES-CBC 16

    • 3DES-CBC 48

    • MD5 32

    • SHA1 40

  3. Save and activate the policy.
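An added example, not from the SunScreen documentation: a small Python checker that reads the add key lines and a manual-keying rule in the formats shown above and reports SPI values outside 0x000-0xFFF, keys whose hex length does not match the ESP or AH algorithm, and key definitions that differ between the two Screens. The edit-session text and rules embedded in it are constructed sample input.

```python
import re

# Required manual-key lengths in hex characters, per algorithm (from the list above).
KEY_HEX_LENGTHS = {"DES-CBC": 16, "3DES-CBC": 48, "MD5": 32, "SHA1": 40}
# Manual SPI values must lie in this range.
SPI_MIN, SPI_MAX = 0x000, 0xFFF

# Constructed sample edit session for Screen1; key_3des is deliberately too short.
SCREEN1_KEYS = """\
edit> add key "key_des" SINGLE "1234567812345678"
edit> add key "key_ah" SINGLE "1234567890abcdef1234567890abcdef"
edit> add key "key_3des" SINGLE "0123456789abcdef0123456789abcdef"
"""

# Constructed sample rules in the manual-keying syntax shown above.
GOOD_RULE = ('1 "telnet" "screen1_host" "screen2_host" IPSEC ESP(0x123, "DES-CBC", "key_des") '
             'AH(0x345, "MD5", "key_ah") SOURCE_SCREEN "screen1" ALLOW')
BAD_RULE = ('2 "telnet" "screen1_host" "screen2_host" IPSEC ESP(0x1234, "3DES-CBC", "key_3des") '
            'AH(0x345, "SHA1", "key_ah") SOURCE_SCREEN "screen1" ALLOW')

KEY_DEF = re.compile(r'add key "([^"]+)" SINGLE "([0-9A-Fa-f]*)"')
ESP_CLAUSE = re.compile(r'ESP\((0x[0-9A-Fa-f]+),\s*"([^"]+)",\s*"([^"]+)"\)')
AH_CLAUSE = re.compile(r'AH\((0x[0-9A-Fa-f]+),\s*"([^"]+)",\s*"([^"]+)"\)')


def parse_keys(edit_session):
    """Collect key name -> hex string from 'edit> add key ...' lines."""
    return dict(KEY_DEF.findall(edit_session))


def check_manual_rule(rule, keys):
    """Return the problems found in one manual-keying rule (empty list if none)."""
    problems = []
    for label, pattern in (("ESP", ESP_CLAUSE), ("AH", AH_CLAUSE)):
        m = pattern.search(rule)
        if not m:
            continue  # the rule has no clause of this kind
        spi_text, alg, key_name = m.groups()
        spi = int(spi_text, 16)
        if not SPI_MIN <= spi <= SPI_MAX:
            problems.append(f"{label}: SPI {spi_text} is outside 0x000-0xFFF")
        if alg not in KEY_HEX_LENGTHS:
            problems.append(f"{label}: unknown algorithm {alg}")
            continue
        if key_name not in keys:
            problems.append(f"{label}: key {key_name} is not defined on this Screen")
            continue
        want, have = KEY_HEX_LENGTHS[alg], len(keys[key_name])
        if have != want:
            problems.append(f"{label}: key {key_name} has {have} hex characters, {alg} needs {want}")
    return problems


def keys_mismatch(keys_a, keys_b):
    """Names of keys that are missing on one Screen or differ between the two."""
    names = set(keys_a) | set(keys_b)
    return sorted(name for name in names if keys_a.get(name) != keys_b.get(name))


if __name__ == "__main__":
    keys = parse_keys(SCREEN1_KEYS)
    for rule in (GOOD_RULE, BAD_RULE):
        print(rule.split()[0], check_manual_rule(rule, keys) or "ok")
```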

To Use IKE Rules With Pre-Shared Key
  1. Add the pre-shared secret key on both Screens.


    edit> add key "shared-secret" SINGLE "shared_secret"
    
  2. Add rules like the following using keys added on both Screens.

    • On Screen1:


      1 "telnet" "screen1_host" "screen2_host" 
      IPSEC ESP("DES-CBC") IKE("DES-CBC", "MD5", 2, PRE-SHARED, 
      "shared-secret") SOURCE_SCREEN "screen1" ALLOW
      2 "telnet" "screen2_host" "screen1_host" IPSEC 
      ESP("DES-CBC") IKE("DES-CBC", "MD5", 2, PRE-SHARED, 
      "shared-secret") DESTINATION_SCREEN "screen1" ALLOW
      
    • On Screen2:


      1 "telnet" "screen2_host" "screen1_host" 
      IPSEC ESP("DES-CBC") IKE("DES-CBC", "MD5", 2, PRE-SHARED, 
      "shared-secret") SOURCE_SCREEN "screen2" ALLOW
      2 "telnet" "screen1_host" "screen2_host" 
      IPSEC ESP("DES-CBC") IKE("DES-CBC", "MD5", 2, PRE-SHARED, 
      "shared-secret") DESTINATION_SCREEN "screen2" ALLOW
      
  3. Save and activate the policy.

To Use Windows 2000 to Communicate With Solaris SunScreen Using an IKE Pre-Shared Key

The following procedure describes how to configure IPSEC and IKE on a Windows 2000 system.

  1. Start the MMC console: click Start, select Run, and type mmc.

    MMC console menu appears.

  2. Select Add/Remove snap-in (Ctrl+m).

  3. Under Add/Remove snap-in window, click on Add.

  4. Scroll down and select IP Security Policy Management, and click on Add.

    The Select Computer window appears.

  5. In the Select Computer window, click Finish, then click Close to close the Add standalone snap-in window.

  6. On the Add/Remove snap-in window, click OK to close it.

    The original Console Root window reappears.

  7. In the Console Root window, select IP Security Policies on Local Machine.

  8. Click the menu (right) mouse button to bring up a menu where you select Create IP Security Policy.

    The IP Security Policy Wizard window appears.

  9. In the IP Security Policy Wizard window, click Next to continue.

    The IP Security Policy Name window appears.

  10. In the IP Security Policy Name window, fill in the name of the policy you want, and click Next to continue.

    The Request for Secure Communication appears.

  11. In the Request for Secure Communication window, click Next to continue.

    The Default Response Rule Authentication Method window appears.

  12. In the Default Response Rule Authentication Method window, select Use this string ... and enter 'ABCDEFGH' in the field, and click Next, then click Finish.

    The Mypolicy Properties with the Rules panel appears.


    Note -

    The pre-shared key used on SunScreen is 4142434445464748, which is the hex encoding of the ASCII string 'ABCDEFGH'; hence on Windows it maps to 'ABCDEFGH'.


  13. In the Mypolicy Properties window, click on Add.

    The Security Rule Wizard window appears.

  14. In the Security Rule Wizard window, click Next to continue.

    The Tunnel Endpoint window appears.

  15. Do not change the Tunnel Endpoint window, except to click on Next to continue.

    The Network Type window appears.

  16. Do not change the Network Type window, except to click on Next to continue.

    The Authentication Method window appears.

  17. In the Authentication Method window, select Use this string ... and enter 'A' in the field, and click Next to continue.

    The IP Filter List window appears.

  18. In the IP Filter List window, click Add to bring up the next window in which you enter the name of the filter.

  19. Under the Name field, enter the name of the IP filter you want and click Add.

    The IP Filter Wizard window appears. Click Next.

  20. In the IP Filter Wizard window, click Next to continue.

    The IP Traffic Source window appears.

  21. Leave the IP Traffic Source window set to 'my IP address,' and click Next to continue.

    The IP Traffic Destination window appears.

  22. In the IP Traffic Destination window, select a specific IP address from the pull-down menu and fill in the IP address of the host with which you want to establish a transport path, and click Next to continue.

    The IP Protocol Type window appears.

  23. Do not change the IP Protocol Type window, except to click on Next to continue.

  24. Then, in the IP Protocol Type window, click Finish.

  25. Then, in the IP Protocol Type window, click Close.

    The IP Filter List window appears with the filter you just added listed.

  26. In the IP Filter List window, enter the name of the IP filter you want and click Next to continue.

    The Filter Action window appears.

  27. In the Filter Action window, select Require Security and click Next to continue.

    The last window of the Security Rule Wizard appears.

  28. In this last window of the Security Rule Wizard, click Next to continue.

    The Mypolicy Properties window appears with both myfilter and Dynamic selected under the IP Filter List.

  29. In the Mypolicy Properties window, deselect Dynamic and click Close.

    The original Console Root window appears.

  30. In the Console Root window, select the entry IP security on Local Machine showing on the left panel under the console root tree.

  31. Select the mypolicy entry that shows in the right side of the window.

    Right-click it and select Assign. The policy is now assigned. On Windows 2000, only one policy can be assigned at a time.

This completes setting up an IPSEC policy on Windows 2000, using IKE with the pre-shared key 'A' to set up a transport-mode protected path between the Windows 2000 machine and the SunScreen-protected machine.

To Generate IKE Rules With Self-Generated Certificates
  1. Generate certificates or private keys on both Screens using ssadm certlocal:

    1. On Screen1:


      # ssadm certlocal -Iks -m 512 -t rsa-md5 -D "C=US,O=YourOrg, CN=screen1_name"
      
    2. On Screen2:


      # ssadm certlocal -Iks -m 512 -t rsa-md5 -D "C=US,O=YourOrg, CN=screen2_name"
      
  2. Export the certificates to the other Screen.

    1. On Screen1:


      # ssadm certdb -I -e "SUBJECT=C=US, O=YourOrg, CN=screen1_name" > /tmp/cert1
      
    2. On Screen2:


      # ssadm certdb -I -e "SUBJECT=C=US, O=YourOrg, CN=screen2_name" > /tmp/cert2
      
  3. Securely transport the file /tmp/cert1 to Screen2 and /tmp/cert2 to Screen1.

  4. Import the exported certificate to the Screen certificate database.

    1. On Screen2:


      # ssadm certdb -I -a < /tmp/cert1
      
    2. On Screen1:


      # ssadm certdb -I -a < /tmp/cert2
      
  5. Add Certificate objects on both systems:


    > add certificate "screen1_cert" SINGLE IKE "C=US, 
    O=YourOrg,CN=screen1_name"
    > add certificate "screen2_cert" SINGLE IKE "C=US, 
    O=YourOrg,CN=screen2_name"
    
  6. Mark the certificate you imported in Steps 3 and 4 as trusted on both systems using ssadm edit:

    1. On Screen1:


      > add member certificate "IKE manually verified 
      certificates" "screen2_cert"
      
    2. On Screen2:


      > add member certificate "IKE manually verified 
      certificates" "screen1_cert"
      

      Note -

      The Group name "IKE manually verified certificates" is reserved for a trusted Certificate Group.


  7. Add Packet Filtering rules on both Screens.

    1. On Screen1:


      1 "telnet" "screen1_host" "screen2_host" 
      IPSEC ESP("DES-CBC") IKE("DES-CBC", "MD5", 2, RSA-SIGNATURES, 
      "screen1_cert", "screen2_cert") ALLOW
      2 "telnet" "screen2_host" "screen1_host" 
      IPSEC ESP("DES-CBC") IKE("DES-CBC", "MD5", 2, RSA-SIGNATURES, 
      "screen2_cert", "screen1_cert") ALLOW
      
    2. On Screen2:


      1 "telnet" "screen2_host" "screen1_host" 
      IPSEC ESP("DES-CBC") IKE("DES-CBC", "MD5", 2, RSA-SIGNATURES, 
      "screen2_cert", "screen1_cert") ALLOW
      2 "telnet" "screen1_host" "screen2_host" 
      IPSEC ESP("DES-CBC") IKE("DES-CBC", "MD5", 2, RSA-SIGNATURES, 
      "screen1_cert", "screen2_cert") ALLOW
      
  8. Save and activate the policy.

    Refer to the ssadm-certlocal(1M) and ssadm-certdb(1M) man pages for more information.

To Generate IKE Rules With Issued Certificates
  1. Generate keys and certificate requests on each Screen.

    1. On Screen1:


      # ssadm certlocal -Ikc -m 512 -t rsa-md5 -D "C=US, O=YourOrg,CN=screen1_issued"
      
    2. On Screen2:


      # ssadm certlocal -Ikc -m 512 -t rsa-md5 -D "C=US, O=YourOrg,CN=screen2_issued"
      
  2. Bring the requests to a certificate server and have them signed. You receive three certificate files from the CA:

    • screen1_issued.cert: screen1's cert

    • screen2_issued.cert: screen2's cert

    • root.cert: the CA's cert

    Further detailed instructions for this step depend on your certificate server.

  3. Securely transport the files to /tmp on each machine and import them. Import all three certificates on each Screen:


    # ssadm certdb -I -a < /tmp/screen1_issued.cert
    # ssadm certdb -I -a < /tmp/screen2_issued.cert
    # ssadm certdb -I -a < /tmp/root.cert
    

    In this example, assume you are using a certificate server whose CA subject DN is "C=US, O=YourOrg.com, OU=sunscreen, CN=Certificate Manager".

  4. Add Certificate objects on each Screen and mark the root CA as trusted. On each Screen:


    edit> add certificate root_cert SINGLE IKE "C=US, O=YourOrg.com, OU=sunscreen, CN=Certificate Manager"
    edit> add certificate screen2_issued_cert SINGLE IKE "C=US, O=YourOrg, CN=screen2_issued"
    edit> add certificate screen1_issued_cert SINGLE IKE "C=US, O=YourOrg, CN=screen1_issued"
    edit> add member certificate "IKE root CA certificates" root_cert
    

    Note -

    The Group name "IKE root CA certificates" is reserved for a trusted Certificate Group.


  5. Add Packet Filtering rules on both Screens.

    1. On Screen1:


      1 "telnet" "screen1_host" "screen2_host" IPSEC ESP("DES-CBC") 
      IKE("DES-CBC", "MD5", 2, RSA-SIGNATURES, "screen1_issued_cert", 
      "screen2_issued_cert") ALLOW
      2 "telnet" "screen2_host" "screen1_host" IPSEC ESP("DES-CBC") 
      IKE("DES-CBC", "MD5", 2, RSA-SIGNATURES, "screen2_issued_cert", 
      "screen1_issued_cert") ALLOW
      
    2. On Screen2:


      1 "telnet" "screen2_host" "screen1_host" IPSEC ESP("DES-CBC") 
      IKE("DES-CBC", "MD5", 2, RSA-SIGNATURES, "screen2_issued_cert", 
      "screen1_issued_cert") ALLOW
      2 "telnet" "screen1_host" "screen2_host" IPSEC ESP("DES-CBC") 
      IKE("DES-CBC", "MD5", 2, RSA-SIGNATURES, "screen1_issued_cert", 
      "screen2_issued_cert") ALLOW
      
  6. Save and activate the policy.

To Install a Remote Administration Station Using IKE

These instructions apply to using SunScreen on a Solaris-based system only. Because the Solaris operating environment does not yet support IKE, there is no built-in facility for generating IKE certificates on a remote Administration Station. So, you must install the Screen packages as well as the administration packages on your system.

  1. On the Screen

    1. Install the full Screen software and create a self-generated Screen certificate using the GUI, or use the command line editor, as follows:


      # ssadm certlocal -Iks -m 512 -t rsa-md5 -D "C=US, O=YOUR_ORG, CN=screen_name"
      
    2. Export the Screen certificate to a file using the GUI, or the command line editor:


      # ssadm certdb -Ie "C=US, O=YOUR_ORG, CN=screen_name" > /tmp/screen_cert
      
    3. Import Administration Station certificate using the GUI, or the command line editor and add the Certificate objects into the SunScreen configuration:


      # ssadm certdb -Ia < /tmp/admin_cert
      
    4. Mark the administrative certificate as trusted and edit the SunScreen policy for certificates.


      # ssadm edit
      edit> add certificate admin_cert SINGLE IKE "C=US, O=YOUR_ORG, CN=admin_name"
      edit> add certificate screen_cert SINGLE IKE "C=US, O=YOUR_ORG, CN=screen_name"
      edit> add member certificate "IKE manually verified certificates" "admin_cert"
      edit> add address admin_addr HOST
      edit> add accessremote USER "admin" "admin_addr" 
      IPSEC ESP ("DES-CBC", "MD5") AH ("SHA1") IKE("DES-CBC", "MD5", 
      1, RSA-SIGNATURES, "screen_cert") PERMISSION ALL 
      SCREEN "screen_name"
      edit> add screen "screen_name" ADMIN_IP "admin_addr" IKE(screen_cert) RIP
      

      Note -

      No packet filtering rule is required on the Screen.


    5. Save and activate policy.

  2. On the Remote Administration Station

    1. Install the full Screen software.

    2. Create a self-generated Screen Certificate:


      # ssadm certlocal -Iks -m 512 -t rsa-md5 -D "C=US, O=YOUR_ORG, CN=admin_name"
      
    3. Export the Administration Certificate to a file using the GUI or use the command line editor as follows:


      # ssadm certdb -Ie "C=US, O=YOUR_ORG, CN=admin_name" > /tmp/admin_cert
      
    4. Import Screen Certificate using the GUI or command line editor:


      # ssadm certdb -I -a < /tmp/screen_cert
      
    5. Edit the SunScreen policy for certificates:


      # ssadm edit
      edit> add certificate admin_cert SINGLE IKE "C=US, O=YOUR_ORG, CN=admin_name"
      edit> add member certificate "IKE manually verified certificates" "admin_cert"
      edit> add certificate screen_cert SINGLE IKE "C=US, O=YOUR_ORG, CN=screen_name"
      edit> add address admin_addr HOST
      edit> add address screen_addr HOST
      
    6. Add a packet filter rule like the following:


      edit> add rule "remote administration" "admin_addr" 
      "screen_addr" IPSEC ESP("DES-CBC", "MD5") AH("SHA1") IKE("DES-CBC", 
      "MD5", 1, RSA-SIGNATURES, "admin_cert", 
      "screen_cert") ALLOW
      
    7. Save and activate the policy.

      Unless you have just done a fresh SunScreen install, clear the state and SADB using ssadm lib/statetables -fs on both systems.


      Note -

      There is a problem on stealth Administration Stations using IKE where the compiler does not generate the IKE configuration, which forces you to manually create an IKE configuration file.


To Create SKIP UDH Key and Certificates

Note -

The SKIP command to run on the Administration Station is displayed at the end of the AdminSetup.readme file, which is found in the /etc/sunscreen directory. Write this command down for use in the following procedure.

If you trust that the network between the Screen and the Administration Station is secure, you can use ftp to send the AdminSetup.readme file, which contains the identitydb.obj file, from the Screen to the Administration Station. This saves you the task of writing down the information that is required in the next procedure. To find information regarding creating SKIP UDH key and certificates, see "To Distribute the identitydb.obj File" in the SunScreen 3.2 Administration Guide.


  1. Open a terminal window and create the required SKIP directories by typing:


    # skiplocal -i
    
  2. Create the SKIP UDH key and certificate on the Administration Station by typing:


    # skiplocal -k -f -V
    

    The local certificate ID appears. It is the Administration Station's 32-character certificate ID (MKID).

  3. Write down the certificate ID, which begins with `0x'.

  4. Add SunScreen SKIP to all the interfaces by typing:


    # skipif -a
    
  5. Reboot to complete the installation by typing:


    # sync; init 6
    

The Administration Station's certificate ID has been generated. You next move to the Screen to install the SunScreen 3.2 software.

To Load SKIP CA-Issued Private Key and Certificates

Note -

The SKIP command to run on the Administration Station is displayed at the end of the AdminSetup.readme file, which is found in the /etc/sunscreen directory. Write this command down for use in the following procedure.

If you trust that the network between the Screen and the Administration Station is secure, you can use ftp to send the AdminSetup.readme file, which contains the identitydb.obj file, from the Screen to the Administration Station. This saves you the task of writing down the information that is required in the next procedure. (See "To Distribute the identitydb.obj File" in the SunScreen 3.2 Administration Guide.)


For this procedure, you need your SKIP CA-Issued Private Key and Certificate diskette.

  1. Open a terminal window on your system and become root, if not already.

  2. Load the required SKIP directories by typing:


    # skiplocal -i
    
  3. Insert the SKIP CA-Issued Key and Certificate diskette into your system's diskette drive.

  4. Install the SKIP keys by typing:


    # install_skip_keys -icg /floppy/floppy0
    
  5. Start the SKIP daemon by typing:


    # skipd_restart
    
  6. Eject the SKIP CA-Issued Key and Certificate diskette by typing:


    # eject floppy0
    
  7. Write down the certificate ID, which is eight characters long.

  8. Add SKIP to all the interfaces by typing:


    # skipif -a
    
  9. Reboot to complete the installation by typing:


    # sync; init 6
    

The Administration Station's certificate ID has been installed. You next move to the Screen to install the SunScreen 3.2 software.

To Complete the Installation When Using SKIP

To complete the installation when using SKIP for encryption, perform the following steps on the Administration Station.

  1. On the Administration Station, open a terminal window and become root.

  2. To enable unencrypted communication from the Administration Station to all hosts other than the Screen, type:


    # skiphost -a default
    
  3. Add a rule so that encrypted communication is possible between the Administration Station and the Screen by typing:


    # skiphost command_from_ssadm_configure
    

    This command is in the AdminSetup.readme file. It has the following form, which is divided into lines here for readability:

    skiphost -a name_of_Screen -r NSID_type
        -R Screen's_certificate_ID -s NSID_type
        -S Administration_Station's_certificate_ID
        -k key_encryption_algorithm
        -t data_encryption_algorithm -m MAC_algorithm

  4. Turn on SKIP by typing:

    If the Screen has only one interface:

    # skiphost -o on

    If the Screen has more than one interface, for each interface:

    # skiphost -i name_of_interface -o on
    


    Note -

    To display the interfaces, type: ifconfig -a


  5. Save the SKIP settings by typing:


    # skipif -i all -s
    

  6. Restart the SKIP daemon by typing:


    # skipd_restart
    

    Refer to the SunScreen SKIP User's Guide, Release 1.5.1 for more information on operating SunScreen SKIP, if needed.


    Note -

    After configuring SKIP, check that the encryption parameters and 32-character certificate ID (MKID) values match on both the Administration Station and the Screen.


  7. To configure and manage your Screen from your Administration Station, run a Java-enabled Web browser compliant with JDK 1.1.3 or later, and launch the administration GUI by typing the following URL:


    http://Name_of_Screen:3852/
    

See the SunScreen 3.2 Administration Guide for instructions on how to use the administration GUI.
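The completion steps above are typed one at a time, and the closing note asks you to confirm that the certificate IDs and encryption parameters agree on the Administration Station and the Screen. The following POSIX shell script is an added example, not part of the SunScreen manual or product: it extracts the interface names from (constructed) ifconfig -a output, prints the per-interface skiphost commands of step 4, assembles the step 3 rule in the AdminSetup.readme form, and checks a rule's -R/-S certificate IDs and -k/-t/-m algorithms against the values the Screen side expects. The sample interface listing, the NSID value and the certificate and algorithm names are constructed placeholders; the script prints commands instead of running them, so it needs no SKIP installation.

```shell
#!/bin/sh
# Added helper script (not from the SunScreen manual). It only prints the
# commands and checks recorded values, so it runs on any POSIX sh.

# Constructed sample of Solaris "ifconfig -a" output, used in place of the
# real command so the script runs offline.
SAMPLE_IFCONFIG='lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.0.2.10 netmask ffffff00 broadcast 192.0.2.255
qfe1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 198.51.100.10 netmask ffffff00 broadcast 198.51.100.255'

# skip_ifaces: read ifconfig -a style text on stdin and print the
# non-loopback interface names, one per line (the interfaces that step 4
# turns SKIP on for).
skip_ifaces() {
    sed -n 's/^\([a-z][a-z0-9]*\): .*/\1/p' | grep -v '^lo'
}

# skip_on_cmds IFACE_LIST: print the step 4 command(s) for a newline-separated
# interface list: "skiphost -o on" for a single interface, otherwise one
# "skiphost -i IFACE -o on" per interface.
skip_on_cmds() {
    count=$(printf '%s\n' "$1" | grep -c .)
    if [ "$count" -eq 1 ]; then
        echo "skiphost -o on"
    else
        printf '%s\n' "$1" | grep . | while read -r iface; do
            echo "skiphost -i $iface -o on"
        done
    fi
}

# skip_rule SCREEN NSID SCREEN_ID ADMIN_ID KEYALG DATAALG MACALG: assemble the
# step 3 rule in the form printed in AdminSetup.readme (the same NSID type is
# used for both certificates, as in the manual's template).
skip_rule() {
    printf 'skiphost -a %s -r %s -R %s -s %s -S %s -k %s -t %s -m %s\n' \
        "$1" "$2" "$3" "$2" "$4" "$5" "$6" "$7"
}

# rule_field RULE FLAG: print the argument that follows FLAG in a skiphost
# command line (empty if the flag is absent).
rule_field() {
    printf '%s\n' "$1" | awk -v f="$2" \
        '{ for (i = 1; i < NF; i++) if ($i == f) { print $(i + 1); exit } }'
}

# rule_check RULE SCREEN_ID ADMIN_ID KEYALG DATAALG MACALG: the manual's
# post-configuration check done mechanically. The Administration Station's
# rule must carry the Screen's certificate ID in -R, the Administration
# Station's own ID in -S, and the algorithms the Screen was configured with
# in -k/-t/-m. Prints "ok", or the first mismatching field; returns 1 on
# mismatch.
rule_check() {
    r=$1; shift
    for pair in "-R=$1" "-S=$2" "-k=$3" "-t=$4" "-m=$5"; do
        flag=${pair%%=*}
        want=${pair#*=}
        got=$(rule_field "$r" "$flag")
        if [ "$got" != "$want" ]; then
            echo "mismatch $flag: rule has '$got', expected '$want'"
            return 1
        fi
    done
    echo ok
}

# Demonstration with constructed placeholder values (not real certificate
# IDs, NSID types or algorithm names).
ifaces=$(printf '%s\n' "$SAMPLE_IFCONFIG" | skip_ifaces)
skip_on_cmds "$ifaces"
demo_rule=$(skip_rule screen1 8 0xSCREEN_CERT_ID 0xADMIN_CERT_ID KEYALG DATAALG MACALG)
echo "$demo_rule"
rule_check "$demo_rule" 0xSCREEN_CERT_ID 0xADMIN_CERT_ID KEYALG DATAALG MACALG
```

On a real Administration Station you would feed the output of ifconfig -a to skip_ifaces and the skiphost line copied from AdminSetup.readme to rule_check, supplying the certificate ID and algorithms recorded on the Screen; a mismatch report points at the exact field to correct before restarting the SKIP daemon.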

Using IKE With SunScreen

The following information describes the IKE syntax and options and provides command line examples of policy rules that use IKE. You can also find administration GUI instructions for using IKE in the SunScreen 3.2 Administration Guide. Additionally, see the SunScreen 3.2 Configuration Examples manual for examples of using IKE for encryption.

IKE usage within SunScreen has three components:


Note -

Unlike the SKIP syntax, the IPsec and IKE parameter lists are enclosed in parentheses.


The possible values for authalgN and encralgN are:

For authalg*:

For encralg*:

The NULL algorithm is generally used only for testing: it exercises most of the normal code paths but provides no confidentiality, so the protected data can be read directly from the traffic.

The AH and ESP options control the cryptographic means that are used to protect the DATA portions of network traffic. They are functional equivalents of the DATA and MAC algorithms used in SKIP.

The IKE option performs the functional equivalent of the rest of the options in SKIP, including the KEY algorithm and the naming of the certified cryptographic data to be used for configuring and securing the traffic.