SunScreen 3.2 Installation Guide

Finish the Administration Station

Finishing a Trusted Solaris 8 Administration Station
  1. Import the firewall Screen's certificate.


    # ssadm certdb -I -a < /tmp/screen_cert
    
  2. Create certificate objects for the certificates.


    # ssadm edit PolicyName
    edit> add certificate admin-cert SINGLE IKE "SUBJECT=C=US, O=SUN, CN=admin_DN"
    edit> add certificate screen-cert SINGLE IKE "SUBJECT=C=US, O=SUN, CN=screen_DN"
    
  3. Mark the imported certificate as trusted.


    Using ssadm edit:
    edit> add member certificate "IKE manually verified certificates" "screen_cert"
    

    Note -

    The Group name "IKE manually verified certificates" is reserved for a trusted Certificate Group.


  4. Create an address object for the Screen.


    Using ssadm edit:
    edit> add address nameofscreen ipaddressofscreen
    

  5. Add a packet filter rule like the following:


    1 "remote administration" "admin_address" "screen_address" IPSEC ESP("DES-CBC", "MD5") AH("SHA1") IKE("DES-CBC", "MD5", 1, RSA-SIGNATURES, "admin_cert", "screen_cert") ALLOW
    

    See "Packet Filtering Rules" in the SunScreen 3.2 Administration Guide.

  6. Activate the policies.
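The rule in step 5 only protects administration traffic if its IKE clause uses RSA signatures and names certificate objects that actually exist in the policy. The following Python script is an added example, not code from the guide or from SunScreen: it parses this rule syntax (the grammar is inferred from the single rule shown above) and checks those points against the set of certificate object names defined in step 2. The sample rule is the guide's rule joined onto one line; the set of legacy algorithms is this example's own choice.

```python
import re

# Constructed sample: the remote-administration rule from the guide, as one line.
SAMPLE_RULE = (
    '1 "remote administration" "admin_address" "screen_address" '
    'IPSEC ESP("DES-CBC", "MD5") AH("SHA1") '
    'IKE("DES-CBC", "MD5", 1, RSA-SIGNATURES, "admin_cert", "screen_cert") ALLOW'
)

# Algorithms the guide's examples use that are no longer considered strong (assumption of this example).
LEGACY_ALGORITHMS = {"DES-CBC", "MD5"}

_TOKEN = re.compile(r'"([^"]*)"|([A-Za-z][A-Za-z0-9_-]*)|(\d+)|([(),])')


def tokenize(text):
    """Split a rule into (kind, value) tokens; anything unrecognised is an error."""
    tokens, pos = [], 0
    for m in _TOKEN.finditer(text):
        if text[pos:m.start()].strip():
            raise ValueError("unexpected text %r" % text[pos:m.start()])
        if m.group(1) is not None:
            tokens.append(("str", m.group(1)))
        elif m.group(2) is not None:
            tokens.append(("word", m.group(2)))
        elif m.group(3) is not None:
            tokens.append(("num", int(m.group(3))))
        else:
            tokens.append(("punct", m.group(4)))
        pos = m.end()
    if text[pos:].strip():
        raise ValueError("unexpected text %r" % text[pos:])
    return tokens


def parse_rule(text):
    """Parse '<n> "name" "src" "dst" [IPSEC clause(...) ...] ALLOW|DENY' into a dict."""
    toks = tokenize(text)
    i = 0

    def expect(kind):
        nonlocal i
        if i >= len(toks) or toks[i][0] != kind:
            raise ValueError("expected %s at token %d" % (kind, i))
        i += 1
        return toks[i - 1][1]

    rule = {"index": expect("num"), "name": expect("str"), "src": expect("str"),
            "dst": expect("str"), "ipsec": {}, "action": None}
    while i < len(toks):
        kind, val = toks[i]
        if kind == "word" and val in ("ALLOW", "DENY"):
            rule["action"], i = val, i + 1
            break
        if kind == "word" and val == "IPSEC":
            i += 1
            continue
        if kind == "word" and i + 1 < len(toks) and toks[i + 1] == ("punct", "("):
            # A clause such as ESP("DES-CBC", "MD5"): collect its comma-separated arguments.
            name, args, i = val, [], i + 2
            while i < len(toks) and toks[i] != ("punct", ")"):
                if toks[i] != ("punct", ","):
                    args.append(toks[i][1])
                i += 1
            if i == len(toks):
                raise ValueError("unterminated %s(...) clause" % name)
            rule["ipsec"][name] = args
            i += 1
            continue
        raise ValueError("unexpected token %r" % (val,))
    if rule["action"] is None:
        raise ValueError("rule has no ALLOW/DENY action")
    if i != len(toks):
        raise ValueError("trailing tokens after %s" % rule["action"])
    return rule


def check_admin_rule(rule, defined_certs):
    """Structural findings for a remote-administration rule (empty list = OK)."""
    findings = []
    ike = rule["ipsec"].get("IKE")
    if ike is None:
        return ["no IKE clause: administration traffic would not be authenticated"]
    if len(ike) != 6:
        return ["IKE clause has %d arguments, expected 6" % len(ike)]
    auth_method, local_cert, remote_cert = ike[3], ike[4], ike[5]
    if auth_method != "RSA-SIGNATURES":
        findings.append("IKE authentication is %s, expected RSA-SIGNATURES" % auth_method)
    for cert in (local_cert, remote_cert):
        if cert not in defined_certs:
            findings.append("certificate object %r is referenced but not defined" % cert)
    if "ESP" not in rule["ipsec"]:
        findings.append("no ESP clause: administration traffic would not be encrypted")
    return findings


def legacy_algorithms(rule):
    """Names of legacy algorithms used anywhere in the rule's IPSEC clauses."""
    used = {a for args in rule["ipsec"].values() for a in args if isinstance(a, str)}
    return used & LEGACY_ALGORITHMS
```

Run with the names created in step 2 (`admin-cert`, `screen-cert`), the check reports both certificate references in the rule as undefined, because the rule spells them `admin_cert` and `screen_cert`; the names must match exactly, so use one spelling throughout. `legacy_algorithms` lists DES-CBC and MD5 for the guide's rule so that a current deployment can substitute the stronger options its software supports.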

Finishing a Solaris 9 Administration Station
  1. Import the firewall Screen's certificate.


    # ikecert certdb -a < /tmp/screen_cert
    
  2. Set up the IKE rules.

    You have to edit the IKE configuration files to set up encrypted communication between the Administration Station and the Screen. For information on editing these files, see the Solaris 9 IKE documentation.

    1. Edit the /etc/inet/ipsecinit.remote file.

      The following file provides an example of how you would set up communication between an Administration Station with an IP address of 172.16.2.3 and a Screen's administrative interface with an address of 172.16.2.1.


      {sport 500} bypass {dir out}  
      {dport 500} bypass {dir in}   
      {saddr 172.16.2.3 daddr 172.16.2.1} apply {encr_algs des encr_auth_algs sha1 sa shared}   
      {saddr 172.16.2.1 daddr 172.16.2.3} permit {encr_algs des encr_auth_algs sha1 sa shared}
    2. Edit the /etc/inet/config file.

      This file contains instructions to mark the Screen's certificate as trusted, as well as the encryption parameters.


      # Example remote admin config file
      # IKE manually verified self-signed certs
      cert_trust "SUBJECT=CN=DNofScreensCert-rsa-sha1-4096, O=Sun, C=US"
      # Outgoing IKE rule for remote admin
      {label "outgoing"
      local_id_type DN
      local_id "SUBJECT=CN=RemoteAdminCert-rsa-sha1-4096, O=Sun, C=US"
      remote_id "SUBJECT=CN=ScreenCert-rsa-sha1-4096, O=Sun, C=US"
      local_addr 172.16.2.3
      remote_addr 172.16.2.1
      p1_xform {auth_method rsa_sig oakley_group 1 auth_alg sha1 encr_alg des }
      }
  3. Reload IKE and its associated components.

    Issue commands similar to the following:

    # pkill iked
    # ipsecconf -f
    # ipseckey flush
    # ipsecconf -a /etc/inet/ipsecinit.remote
    # /usr/lib/inet/in.iked -f /etc/inet/ike/config.remote
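Because IKE negotiates the SAs that the ipsecinit policy then enforces, the two files in step 2 must agree with each other: UDP port 500 must be bypassed in both directions (otherwise the negotiation that would create the SAs can never take place), the apply/permit pair must mirror the IKE rule's local_addr and remote_addr, and the DN in cert_trust must be the DN the Screen presents as remote_id. The following Python script is an added example, not part of the guide or of Solaris; it parses both files in the layouts shown above (the parsing handles only what those examples show) and reports inconsistencies. The sample files are constructed from the guide's examples with the certificate placeholders made consistent.

```python
import re

# Constructed sample files, following the guide's examples, with cert_trust naming the same DN as remote_id.
IPSECINIT_REMOTE = """\
{sport 500} bypass {dir out}
{dport 500} bypass {dir in}
{saddr 172.16.2.3 daddr 172.16.2.1} apply {encr_algs des encr_auth_algs sha1 sa shared}
{saddr 172.16.2.1 daddr 172.16.2.3} permit {encr_algs des encr_auth_algs sha1 sa shared}
"""

IKE_CONFIG = """\
# IKE manually verified self-signed certs
cert_trust "SUBJECT=CN=ScreenCert-rsa-sha1-4096, O=Sun, C=US"
# Outgoing IKE rule for remote admin
{label "outgoing"
local_id_type DN
local_id "SUBJECT=CN=RemoteAdminCert-rsa-sha1-4096, O=Sun, C=US"
remote_id "SUBJECT=CN=ScreenCert-rsa-sha1-4096, O=Sun, C=US"
local_addr 172.16.2.3
remote_addr 172.16.2.1
p1_xform {auth_method rsa_sig oakley_group 1 auth_alg sha1 encr_alg des }
}
"""

_POLICY_LINE = re.compile(r"^\{([^}]*)\}\s+(\w+)\s+\{([^}]*)\}$")
_IKE_TOKEN = re.compile(r'"([^"]*)"|([{}])|([^\s{}"]+)')


def _pairs(text):
    """'saddr 1.2.3.4 daddr 5.6.7.8' -> {'saddr': '1.2.3.4', 'daddr': '5.6.7.8'}"""
    words = text.split()
    return dict(zip(words[0::2], words[1::2]))


def parse_ipsecinit(text):
    """Return a list of (pattern, action, properties) triples, one per policy line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _POLICY_LINE.match(line)
        if not m:
            raise ValueError("unparsable policy line %r" % line)
        rules.append((_pairs(m.group(1)), m.group(2), _pairs(m.group(3))))
    return rules


def _ike_tokens(text):
    """Yield (kind, value) tokens from an IKE config; '#' starts a comment to end of line."""
    for line in text.splitlines():
        for m in _IKE_TOKEN.finditer(line.split("#", 1)[0]):
            kind = "str" if m.group(1) is not None else "punct" if m.group(2) else "word"
            yield kind, m.group(1) if kind == "str" else (m.group(2) or m.group(3))


def _parse_block(tokens):
    """Consume tokens up to the matching '}' and return the key/value pairs as a dict."""
    block = {}
    for kind, val in tokens:
        if (kind, val) == ("punct", "}"):
            return block
        nxt = next(tokens, None)
        if nxt is None:
            break
        block[val] = _parse_block(tokens) if nxt == ("punct", "{") else nxt[1]
    raise ValueError("unterminated { block")


def parse_ike_config(text):
    """Return (trusted certificate DNs, list of IKE rule blocks)."""
    trusted, rules, tokens = [], [], _ike_tokens(text)
    for kind, val in tokens:
        if (kind, val) == ("punct", "{"):
            rules.append(_parse_block(tokens))
        elif (kind, val) == ("word", "cert_trust"):
            trusted.append(next(tokens)[1])
        else:
            raise ValueError("unexpected top-level token %r" % val)
    return trusted, rules


def check_remote_admin(ipsecinit_text, ike_text):
    """Cross-check both files; returns a list of findings (empty = consistent)."""
    findings = []
    policy = parse_ipsecinit(ipsecinit_text)
    trusted, rules = parse_ike_config(ike_text)
    # IKE (UDP 500) must be exempt from IPsec in both directions.
    bypass = {(pat.get("sport") or pat.get("dport"), props.get("dir"))
              for pat, act, props in policy if act == "bypass"}
    for direction in ("out", "in"):
        if ("500", direction) not in bypass:
            findings.append("no %s bypass for IKE on port 500" % direction)
    for rule in rules:
        label, local, remote = rule.get("label"), rule.get("local_addr"), rule.get("remote_addr")
        # Outbound 'apply' and inbound 'permit' must mirror the addresses and agree on algorithms.
        applied = [p for pat, act, p in policy if act == "apply"
                   and (pat.get("saddr"), pat.get("daddr")) == (local, remote)]
        permitted = [p for pat, act, p in policy if act == "permit"
                     and (pat.get("saddr"), pat.get("daddr")) == (remote, local)]
        if not applied or not permitted:
            findings.append("rule %r: missing apply/permit pair for %s <-> %s" % (label, local, remote))
        elif applied[0] != permitted[0]:
            findings.append("rule %r: apply and permit properties differ" % label)
        # A manually verified self-signed certificate is trusted only through its DN in cert_trust.
        if rule.get("remote_id") not in trusted:
            findings.append("rule %r: remote_id is not listed in cert_trust" % label)
    return findings
```

Run against the guide's example text as printed, the check reports that cert_trust names DNofScreensCert-rsa-sha1-4096 while remote_id names ScreenCert-rsa-sha1-4096; both are placeholders to be replaced with the Screen's actual certificate DN, and the two must be identical.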

The remote Administration Station is now ready to communicate with the Screen.