test

IPsec and IKE Administration Guide

How to Configure IKE With Self-Signed Public Key Certificates

  1. On the system console, become superuser or assume an equivalent role.

    Note –

    Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the security of the system is reduced to the security of the remote login session.

  2. Add a self-signed certificate to the ike.privatekeys database. 


    # ikecert certlocal -ks|-kc -m keysize -t keytype \
-D dname -A altname
    -ks

    Creates a self-signed certificate.

    -kc

    Creates a certificate request. For the procedure, see How to Configure IKE With Certificates Signed by a CA.

    keysize

    Is the size of the key. The keysize can be 512, 1024, 2048, 3072, or 4096.

    keytype

    Specifies the type of algorithm to use. The keytype can be rsa-sha1, rsa-md5, or dsa-sha1.

    dname

    Is the X.509 distinguished name for the certificate subject. The dname typically has the form: C=country, O=organization, OU=organizational unit, CN=common name. Valid tags are C, O, OU, and CN.

    altname

    Is the alternate name for the certificate. The altname is in the form of tag=value. Valid tags are IP, DNS, EMAIL, URI, DN, and RID.

    1. For example, the command on the partym system would appear similar to the following:


      # ikecert certlocal -ks -m 1024 -t rsa-md5 \
> -D "C=US, O=PartyCompany, OU=US-Partym, CN=Partym" \
> -A IP=192.168.13.213
Creating software private keys.
  Writing private key to file /etc/inet/secret/ike.privatekeys/0.
Enabling external key providers - done.
Acquiring private keys for signing - done.
Certificate: 
 Proceeding with the signing operation.
 Certificate generated successfully (…/publickeys/0)
Finished successfully.
Certificate added to database.
-----BEGIN X509 CERTIFICATE-----
MIICLTCCAZagAwIBAgIBATANBgkqhkiG9w0BAQQFADBNMQswCQYDVQQGEwJVUzEX
…
6sKTxpg4GP3GkQGcd0r1rhW/3yaWBkDwOdFCqEUyffzU
-----END X509 CERTIFICATE-----

    2. The command on the enigma system would appear similar to the following:


      # ikecert certlocal -ks -m 1024 -t rsa-md5 \
> -D "C=JA, O=EnigmaCo, OU=JA-Enigmax, CN=Enigmax" \
> -A IP=192.168.116.16
Creating software private keys.
  …
Certificate added to database.
-----BEGIN X509 CERTIFICATE-----
MIICKDCCAZGgAwIBAgIBATANBgkqhkiG9w0BAQQFADBJMQswCQYDVQQGEwJVUzEV
…
jpxfLM98xyFVyLCbkr3dZ3Tvxvi732BXePKF2A==
-----END X509 CERTIFICATE-----

  3. Save the certificate, and send it to the remote system.

    You can paste the certificate into an email.

    1. For example, you would send the following partym certificate to the enigma administrator:


      To: admin@ja.enigmaexample.com
From: admin@us.partyexample.com
Message: -----BEGIN X509 CERTIFICATE-----
MIICLTCCAZagAwIBAgIBATANBgkqhkiG9w0BAQQFADBNMQswCQYDVQQGEwJVUzEX
…
6sKTxpg4GP3GkQGcd0r1rhW/3yaWBkDwOdFCqEUyffzU
-----END X509 CERTIFICATE-----

    2. The enigma administrator would send you the following enigma certificate:


      To: admin@us.partyexample.com
From: admin@ja.enigmaexample.com
Message: -----BEGIN X509 CERTIFICATE-----
MIICKDCCAZGgAwIBAgIBATANBgkqhkiG9w0BAQQFADBJMQswCQYDVQQGEwJVUzEV
…
jpxfLM98xyFVyLCbkr3dZ3Tvxvi732BXePKF2A==
-----END X509 CERTIFICATE-----

  4. On each system, edit the /etc/inet/ike/config file to recognize the certificates.

    The administrator of the remote system provides the values for the cert_trust, remote_addr, and remote_id parameters.

    1. For example, on the partym system, the ike/config file would appear similar to the following:


      # Explicitly trust the following self-signed certs
# Use the Subject Alternate Name to identify the cert

cert_trust "192.168.13.213"
cert_trust "192.168.116.16"

## Parameters that may also show up in rules.

p1_xform 
  { auth_method preshared oakley_group 5 auth_alg sha encr_alg des }
p2_pfs 5

{
 label "US-partym to JA-enigmax"
 local_id_type dn
 local_id "C=US, O=PartyCompany, OU=US-Partym, CN=Partym"
 remote_id "C=JA, O=EnigmaCo, OU=JA-Enigmax, CN=Enigmax"

 local_addr  192.168.13.213
 remote_addr 192.168.116.16

 p1_xform
  {auth_method rsa_encrypt oakley_group 2 auth_alg md5 encr_alg 3des}
}

    2. On the enigma system, add enigma values for local parameters in the ike/config file.

      For the remote parameters, use partym values. Ensure that the value for the label keyword is unique. The value must be different from the remote system's label value.


      …
{
 label "JA-enigmax to US-partym"
 local_id_type dn
 local_id "C=JA, O=EnigmaCo, OU=JA-Enigmax, CN=Enigmax"
 remote_id "C=US, O=PartyCompany, OU=US-Partym, CN=Partym"

 local_addr  192.168.116.16
 remote_addr 192.168.13.213
…

  5. On each system, add the certificate that you received.

    1. Copy the public key from the administrator's email.

    2. Type the ikecert certdb –a command and press the Return key.

      No prompts display when you press the Return key.


      # ikecert certdb -a
Press the Return key

    3. Paste the public key. Then press the Return key. To end the entry, press Control-D.


      -----BEGIN X509 CERTIFICATE-----
MIIC…
…
----END X509 CERTIFICATE-----
Press the Return key
<Control>-D

  6. Verify with the other administrator that the keys have not been tampered with.

    For example, you can phone the other administrator to compare the values of the public key hash. The public key hash for the shared certificate should be identical on the two systems.

    1. For example, on the partym system, list the stored certificates.


      partym # ikecert certdb -l
Certificate Slot Name: 0   Type: rsa-md5
    Subject Name: <C=US, O=PartyCompany, OU=US-Partym, CN=Partym>
    Key Size: 1024
    Public key hash: B2BD13FCE95FD27ECE6D2DCD0DE760E2

Certificate Slot Name: 1   Type: rsa-md5
    (Private key in certlocal slot 0)
    Subject Name: <C=JA, O=EnigmaCo, OU=JA-Enigmax, CN=Enigmax>
    Key Size: 1024
    Public key hash: 2239A6A127F88EE0CB40F7C24A65B818

    2. On the enigma system, list the stored certificates.


      enigma # ikecert certdb -l
Certificate Slot Name: 4   Type: rsa-md5
    Subject Name: <C=JA, O=EnigmaCo, OU=JA-Enigmax, CN=Enigmax>
    Key Size: 1024
    Public key hash: DF3F108F6AC669C88C6BD026B0FCE3A0

Certificate Slot Name: 5   Type: rsa-md5
    (Private key in certlocal slot 4)
    Subject Name: <C=US, O=PartyCompany, OU=US-Partym, CN=Partym>
    Key Size: 1024
    Public key hash: 2239A6A127F88EE0CB40F7C24A65B818
    Note –

    In this example, the public key hash is different from the public key hash that your systems generate.