SunScreen 3.2 Configuration Examples

Installing a Remote Administration Station

These instructions apply to using SunScreen on a Solaris-based system only. Because the Solaris operating environment does not yet support IKE, there is no built-in facility for generating IKE certificates on a remote Administration Station. So, you must install the Screen packages as well as the administration packages on your system.

On the Screen
  1. Install the full Screen software. Create a self-signed Screen certificate using the GUI, or use the command line editor, as follows:


    # ssadm certlocal -Iks -m 1024 -t rsa-sha1 -D "C=US, O=Your_Org, CN=screen_name"
    
  2. Export the Screen certificate to a file using the GUI, or the command line editor:


    # ssadm certdb -Ie "C=US, O=Your_Org, CN=screen_name" > /tmp/screen_cert
    
  3. Import the Administration Station certificate using the GUI, or the command line editor, and add the Certificate objects into the SunScreen configuration:


    # ssadm certdb -Ia < /tmp/admin_cert
    
  4. Edit the SunScreen policy for certificates.


    # ssadm edit policyname
    edit> add certificate admin_cert SINGLE IKE "C=US, O=Your_Org, CN=admin_name"
    edit> add certificate screen_cert SINGLE IKE "C=US, O=Your_Org, CN=screen_name"
    edit> add address admin_addr HOST ip.address
    edit> add accessremote screen "screen_name" USER "admin" "admin_addr" IPSEC ESP ("DES-CBC", "MD5") AH ("SHA1") IKE("DES-CBC", "MD5", 1, RSA-SIGNATURES, "screen_cert") PERMISSION ALL SCREEN "screen_name"
    edit> add screen "screen_name" ADMIN_IP "admin_addr" IKE(screen_cert) RIP
    

    Note -

    The DN must be entered exactly as it appears in the certificate, including the space after each comma; the DN strings used in certlocal, certdb and the policy must match. Also, no packet filtering rule is required on the Screen.


  5. Save and activate policy.

On the Remote Administration Station
  1. Install the full Screen software.

  2. Create a self-signed certificate for the Administration Station:


    # ssadm certlocal -Iks -m 1024 -t rsa-sha1 -D "C=US, O=Your_Org, CN=admin_name"
    
  3. Export the Administration Certificate to a file using the GUI or use the command line editor as follows:


    # ssadm certdb -Ie "C=US, O=Your_Org, CN=admin_name" > /tmp/admin_cert
    
  4. Import the Screen certificate using the GUI or the command line editor:


    # ssadm certdb -Ia < /tmp/screen_cert
    
  5. Edit the SunScreen policy for certificates:


    # ssadm edit policyname
    edit> add certificate admin_cert SINGLE IKE "C=US, O=Your_Org, CN=admin_name"
    edit> add certificate screen_cert SINGLE IKE "C=US, O=Your_Org, CN=screen_name"
    edit> add address admin_addr HOST ip.address
    edit> add address screen_addr HOST ip.address
    
  6. Add a packet filter rule like the following:


    edit> add rule "remote administration" "admin_addr" "screen_addr" IPSEC ESP("DES-CBC", "MD5") AH("SHA1") IKE("DES-CBC", "MD5", 1, RSA-SIGNATURES, "admin_cert", "screen_cert") ALLOW