SunScreen 3.2 Configuration Examples

Using CA Signed Certificates

A more secure method than using preshared keys is using CA signed X.509 certificates. These certificates must be digitally signed by a Certificate Authority (CA) that both the Windows 2000 system and the SunScreen system trust. Currently, Microsoft supports certificates signed by its own Windows 2000 Server CA as well as by a number of public CAs (see the Trusted Root Certificate store on Windows 2000; all of the vendors listed there qualify as Root CAs). You can also use a non-public CA such as Netscape Certificate Server if you import that CA's root certificate into the Windows 2000 Trusted Root Certificate store. Self signed certificates are not supported by Microsoft.

Each side must be able to follow the peer's certificate up its certificate chain to the Root CA. Verification succeeds only if the Root CA's certificate is present in the local trusted certificate store (the IKE root CA certificates GROUP certificate object on the Screen and the Trusted Root Certificate store on the Windows 2000 system). Because both systems must present certificates signed by a CA common to both, you cannot use self signed DH certificates to interoperate with Windows 2000.


Note -

Certificates are necessary in order to have a Windows 2000 system act as a remote Administration Station managing a Screen.


Configuring the Screen to Use CA Signed Certificates

The following sections describe how you would set up the Screen and the Windows 2000 system to interoperate.

Set Up the Screen
  1. Generate a Certificate Signing Request

    1. From the Common Objects panel, select Generate IKE Certificate.

    2. When the IKE Certificate dialog appears, click the Generate CA Request button; see Figure 9-4.

      Figure 9-4 Generate CA Signing Request

      Graphic

    3. Fill in the required fields.

      Type in a Distinguished Name and make sure that the Encryption Type and Key Size match the related parameters used by the Windows 2000 system for its own certificate.

    4. Click the Generate button.

      SunScreen generates a Certificate Signing Request (CSR) and also creates and stores the matching private key. Only the CSR, which carries the public key, is sent to the CA; the private key stays on the Screen. The following figure shows the CSR.

      Figure 9-5 IKE CA Certificate Signing Request

      Graphic

      You can copy the text or save it to a file to submit with your signing request.

  2. Present the CSR to the CA.

    Have the certificate signed and acquire the new certificate.

  3. Import the CA signed certificate into the Screen.

    1. From the Common Objects panel, choose Import IKE Certificate. The Import IKE Certificate screen appears.

    2. Specify a name and description.

    3. Choose an import method.

      Click the appropriate button and then either specify a file to import or paste the signed certificate into the text area.

    4. Click the Install Certificate button.

  4. Add the IKE Root CA Certificate to the Screen.

    You accomplish this task by adding the Root CA certificate to the IKE root CA Certificates GROUP object.

    1. Acquire the Root CA certificate and import it into the Screen's certificate store.

    2. After you finish the import, in the Common Objects panel, search for the IKE root CA certificates object.

      When you find the object, select it and click the edit button. The Certificates object dialog appears. See Figure 9-6.

      Figure 9-6 Import Root CA

      Graphic

    3. Select the Root CA certificate you want and add it to the Include List.

    4. Click OK to finish the task.

  5. Edit the Root CA certificate object.

    For IKE interoperability, Windows 2000 requires that the Root CA certificate be identified by its ISSUER Distinguished Name rather than its SUBJECT Distinguished Name.

    1. Search for the Root CA certificate object.

      When you find the correct object click the Edit button.

    2. Edit the Distinguished Name.

      In the Distinguished Name, change the first qualifier from SUBJECT to ISSUER. Keep the value of the qualifier the same; only the SUBJECT keyword changes to ISSUER.
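The steps above (generate a CSR, have a CA sign it, trust the Root CA, and identify the root by the issuer name) can be rehearsed on any host with the openssl command-line tool before touching the Screen. The following script is an added example and is not part of the SunScreen manual or its software; it assumes openssl is installed, and the CA name, the Screen's Distinguished Name and the RSA 2048 key size are constructed for the example. It also builds a self signed certificate with the same subject to show why such a certificate cannot chain to the common Root CA, and prints the issuer DN that step 5 asks you to relabel.

```shell
# Added example, not from the SunScreen manual: the CSR -> CA signature ->
# chain-to-root flow, using openssl (assumed installed). Names and key size
# are constructed for this demonstration.

# make_pki DIR: build a throwaway Root CA, a CSR for the Screen, a CA-signed
# Screen certificate and, for comparison, a self signed certificate.
make_pki() {
    dir="$1"
    # Step 4: the Root CA whose certificate both IKE peers must trust.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$dir/root-ca.key" -out "$dir/root-ca.pem" \
        -subj "/O=Example/CN=Example Root CA" >/dev/null 2>&1
    # Step 1: the private key stays local; only the CSR goes to the CA.
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/screen.key" -out "$dir/screen.csr" \
        -subj "/O=Example/CN=screen.example.net" >/dev/null 2>&1
    # Step 2: the CA signs the CSR and returns a certificate for import (step 3).
    openssl x509 -req -days 30 -in "$dir/screen.csr" \
        -CA "$dir/root-ca.pem" -CAkey "$dir/root-ca.key" -CAcreateserial \
        -out "$dir/screen.pem" >/dev/null 2>&1
    # Same subject, but self signed: no path to a trusted root exists.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$dir/self.key" -out "$dir/self.pem" \
        -subj "/O=Example/CN=screen.example.net" >/dev/null 2>&1
}

# chain_ok ROOT CERT: succeeds only if CERT chains to ROOT, which is the
# check each IKE peer performs against its trusted root store.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# issuer_matches_root ROOT CERT: succeeds if CERT's issuer DN equals ROOT's
# subject DN, the value step 5 relabels from SUBJECT to ISSUER.
issuer_matches_root() {
    root_subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    cert_issuer=$(openssl x509 -in "$2" -noout -issuer | sed 's/^issuer=//')
    [ "$root_subject" = "$cert_issuer" ]
}

# demo: report the verdict for the CA-signed and the self signed certificate
# and show the issuer DN the Windows 2000 side expects.
demo() {
    dir=$(mktemp -d)
    make_pki "$dir"
    for c in screen self; do
        if chain_ok "$dir/root-ca.pem" "$dir/$c.pem"; then
            echo "$c.pem: chains to the Root CA"
        else
            echo "$c.pem: rejected (no path to a trusted Root CA)"
        fi
    done
    openssl x509 -in "$dir/screen.pem" -noout -issuer
    rm -rf "$dir"
}

demo
```

Run it as a plain POSIX shell script. The self signed certificate is rejected even though its subject is identical to the CA-signed one, which is the situation the Note about self signed certificates describes. The issuer line printed last is the Distinguished Name that, on the Screen, must be entered with the ISSUER qualifier.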

Configuring Windows 2000 to Use CA Signed Certificates

The following section describes in general terms how to set up a Windows 2000 system to interoperate with a Screen. It provides only general steps. For specific instructions on setting up the Windows 2000 system, see the Windows 2000 online help and the related Microsoft white papers, which are available on the Microsoft web site.

Set Up the Windows 2000 System
  1. Obtain a private key and a certificate signed by the same CA used by the Screen with which you wish to communicate.

  2. Make sure that the CA's Root certificate is in the Trusted Root Certificate store.

  3. Create an IPSec security policy.

    Create an IKE rule that allows communication between the Screen and the Windows 2000 system.

  4. Be aware of the following interoperability requirements:

    • The Authentication Method should be Certificate Authority and the Root CA list must contain the common Root CA certificate.

    • The filter action should be Negotiate Security and should specify only one security method.

Using the Encryption Action on the Screen

To set up a packet filtering rule on the Screen, use the same procedure as for any IKE encryption rule. However, you must be aware of the following interoperability requirements: