SunScreen SKIP User's Guide, Release 1.1

Chapter 1 Installing SunScreen SKIP

An Overview of SunScreen SKIP

SunScreen SKIP is Sun Microsystems' implementation of Simple Key-Management for Internet Protocols (SKIP).

SunScreen SKIP replaces and upgrades any previous version of SKIP for Solaris.

This chapter provides instructions for installing SunScreen SKIP on Solaris, Versions 2.4, 2.5, or 2.5.1 and Solaris for the Intel Platform. Once SunScreen SKIP is installed, configured, and enabled on the systems requiring its services, IP-layer encryption can begin. SunScreen SKIP runs without further administration effort until new systems need to be added or certificate management is required. This chapter also describes how you can protect your locally stored secrets with a password.

Hardware and Software Requirements

Supported Platforms

SunScreen SKIP is supported on the following platforms:

Hardware Requirements

The hardware requirements are as follows:

Operating System Requirements

To run SunScreen SKIP, you must

  1. Install the Solaris SunCoreTM software group.

    This software group contains the minimum software required to boot and run the Solaris operating system. It includes some networking software and the drivers necessary to run the OpenWindows environment; it does not include the OpenWindows software.

  2. Additionally, install the following packages:

    system   SUNWadmr    System & Network Administration Root
    system   SUNWcar     Core Architecture, (Root)
    system   SUNWcsd     Core Solaris Devices
    system   SUNWcsr     Core Solaris, (Root)
    system   SUNWcsu     Core Solaris, (Usr)
    system   SUNWdfb     Dumb Frame Buffer Device Drivers
    system   SUNWesu     Extended System Utilities
    system   SUNWkvm     Core Architecture, (Kvm)
    system   SUNWlibC    SPARCompilers Bundled libC
    system   SUNWlibms   SPARCompilers Bundled shared libm
    system   SUNWtoo     Programming Tools
    system   SUNWvolr    Volume Management, (Root)
    system   SUNWvolu    Volume Management, (Usr)

  3. If you plan to use the skiptool GUI, install the packages for OpenWindows.
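The following pre-installation check is an added example and is not part of the SunScreen SKIP guide. It compares the packages that pkginfo(1) reports against the list of required packages given above and prints the ones that are missing, so that the gap can be closed before SKIP is added. The required package list is copied from the guide; the sample pkginfo output is constructed for this example and deliberately omits two packages.

```shell
#!/bin/sh
# Added example, not part of the SunScreen SKIP guide: report which of the
# packages the guide requires are absent from pkginfo(1) output.
# The required list is copied from the guide; SAMPLE_PKGINFO is constructed.

REQUIRED_PKGS='SUNWadmr SUNWcar SUNWcsd SUNWcsr SUNWcsu SUNWdfb SUNWesu
SUNWkvm SUNWlibC SUNWlibms SUNWtoo SUNWvolr SUNWvolu'

# Read pkginfo output ("category pkginst description") on stdin and print
# the required packages that are absent, one per line, in the order of
# REQUIRED_PKGS. Returns 0 when everything is present, 1 otherwise.
missing_required_pkgs() {
    # second column is the package instance; pad each entry with spaces so
    # that a whole-word match is possible with a case pattern
    installed=$(awk '{ printf " %s ", $2 }')
    rc=0
    for p in $REQUIRED_PKGS; do
        case $installed in
            *" $p "*) ;;
            *) echo "$p"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed pkginfo output for a host that lacks SUNWlibms and SUNWtoo.
SAMPLE_PKGINFO='system      SUNWadmr       System & Network Administration Root
system      SUNWcar        Core Architecture, (Root)
system      SUNWcsd        Core Solaris Devices
system      SUNWcsr        Core Solaris, (Root)
system      SUNWcsu        Core Solaris, (Usr)
system      SUNWdfb        Dumb Frame Buffer Device Drivers
system      SUNWesu        Extended System Utilities
system      SUNWkvm        Core Architecture, (Kvm)
system      SUNWlibC       SPARCompilers Bundled libC
system      SUNWvolr       Volume Management, (Root)
system      SUNWvolu       Volume Management, (Usr)'

# Stand-alone run against the constructed sample. On a real host the same
# function is fed directly:  pkginfo | missing_required_pkgs
printf '%s\n' "$SAMPLE_PKGINFO" | missing_required_pkgs ||
    echo "install the packages listed above before adding SunScreen SKIP" >&2
```

The function reads whatever pkginfo prints, so it can be run unchanged on the target host; a non-zero return value makes it usable as a gate in a larger installation script.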

Protocol Compatibility

SunScreen SKIP supports the following protocol versions:

Installation Procedure

Before installing SunScreen SKIP, Release 1.1, be sure that you have the CD-ROM for the base software and any encryption upgrade CD-ROMs or diskettes to which you are entitled.

For the new user, this chapter tells about

  1. Installing SunScreen SKIP. ("Installing the Software")

  2. Generating and installing an Unsigned Diffie-Hellman (UDH) key pair, if you are using UDH. ("Installing SKIP Unsigned Diffie-Hellman (UDH) Certificates")

  3. Installing SunScreen SKIP on your network interface. ("Installing Your Network Interface")

  4. Rebooting your system. ("Rebooting Your System")

  5. Protecting your locally stored secrets with a passphrase. ("Activating Your Passphrase")

For the user who is upgrading from any version of SKIP for Solaris to this release, this chapter tells about

  1. Upgrading to SunScreen SKIP. ("Upgrading From Earlier Versions of SKIP for Solaris")

    • Removing any old version of SKIP for Solaris

    • Preserving or removing previous configurations

    • Installing SunScreen SKIP

  2. Generating and installing an Unsigned Diffie-Hellman (UDH) key pair. ("Installing SKIP Unsigned Diffie-Hellman (UDH) Certificates")

  3. Installing SunScreen SKIP on your network interface. ("Installing Your Network Interface")

  4. Rebooting your system. ("Rebooting Your System")

  5. Protecting your locally stored secrets with a passphrase. ("Activating Your Passphrase" )

Installing the Software for the First Time

This section provides instructions for installing SunScreen SKIP on Solaris for SPARC Platforms, Versions 2.4, 2.5, or 2.5.1 and Solaris for the Intel Platform.

To install and run the software, you must be able to become root on your local system and know the IP address of the machine on which SKIP is to be installed. Ask your systems administrator for the IP address of your machine. To install the software for the first time or if you are installing it without saving the configurations, follow these steps:

  1. Open a terminal window and become root.

  2. Mount the CD-ROM through the file manager or by typing


    volcheck
    

    Note -

    If you are not using vold on your system, type

    # mount -F hsfs -oro /dev/dsk/c0t6d0s0 /mnt

    The device name, the mount point, or both depend on your local system configuration.


  3. Go to the directory on the CD-ROM for your OS. (The examples assume a machine with only one CD-ROM.)

    Solaris for the SPARC Platform:


    cd /cdrom/cdrom0/sparc
    

    Solaris for the Intel Platform:


    cd /cdrom/cdrom0/x86
    

    Note -

    If you have mounted the CD-ROM manually, replace /cdrom/cdrom0 with /mnt.


  4. Type the standard Solaris operating system pkgadd command to add all packages:


    pkgadd  -d `pwd`
    
  5. You will be prompted with the following menu of packages to install.


     1 SICGbdcdr	SKIP Bulk Data Crypt 1.1-FCS Software
     	(sparc) 1.1-FCS
     2 SICGcrc2	SKIP RC2 Crypto Module 1.1-FCS Software
     	(sparc) 1.1-FCS
     3 SICGcrc4 	SKIP RC4 Crypto Module 1.1-FCS Software
     	(sparc) 1.1-FCS
     4 SICGes	SKIP End System 1.1-FCS Software
     	(sparc) 1.1-FCS
     5 SICGkeymg	SKIP Key Manager Tools 1.1-FCS Software
     	(sparc) 1.1-FCS
     6 SICGkisup	SKIP I-Support module 1.1-FCS Software
     	(sparc) 1.1-FCS
     Select package(s) you wish to process (or 'all' to process all
    packages). (default: all) [?,??,q]: 

    Select a (all). As the prompts appear, answer questions with Y (yes) followed by a <Return> if you wish to add the package.

  6. When you get back to the same menu of packages, type q followed by a <Return> to quit pkgadd.

  7. To eject the CD-ROM from the CD-ROM drive, type


    cd /
    eject cdrom0
    

    or eject the CD-ROM from the CD-ROM drive through the file manager.


    Note -

    If you are not using vold on your system, unmount your CD-ROM by typing

    # cd /

    # umount /mnt

    # eject cdrom0


  8. To add /opt/SUNWicg/bin to your PATH variable in the Bourne shell, type


    PATH=/opt/SUNWicg/bin:$PATH
    export PATH
    
  9. To add /opt/SUNWicg/man to your MANPATH variable in the Bourne shell, type


    MANPATH=/opt/SUNWicg/man:$MANPATH
    export MANPATH
    
  10. It is helpful to add /opt/SUNWicg/bin to the PATH variable in your shell initialization file (such as your .profile, .cshrc, or .login file), and /opt/SUNWicg/man to the MANPATH variable in the same file, so that the settings persist across logins.

    Now you are ready to generate and install SKIP Unsigned Diffie-Hellman (UDH) certificates (Section "Installing SKIP Unsigned Diffie-Hellman (UDH) Certificates") or to install SunCA certificates (Chapter 2) and to install SunScreen SKIP on your network interface (Section "Installing Your Network Interface"). After you have completed these two procedures, you must reboot your system (Section "Rebooting Your System").

    You may use SKIP Unsigned Diffie-Hellman certificates and SunCA keys and certificates at the same time on SunScreen SKIP.

Upgrading From Earlier Versions of SKIP for Solaris

Removing the Earlier Versions of the Software

To remove any version of SKIP for Solaris, become root and use the pkginfo and pkgrm commands as shown in the following steps.

  1. Type


    pkginfo | grep SICG

    to list the SKIP packages that were installed:


     1 SICGbdcdr	SKIP Bulk Data Crypt 1.0.3-FCS Software
     	(sparc) 1.0.3-FCS
     2 SICGcrc2	SKIP RC2 Crypto Module 1.0.3-FCS Software
     	(sparc) 1.0.3-FCS
     3 SICGcrc4	SKIP RC4 Crypto Module 1.0.3-FCS Software
     	(sparc) 1.0.3-FCS
     4 SICGes	SKIP End System 1.0.3-FCS Software
     	(sparc) 1.0.3-FCS
     5 SICGkeymg	SKIP Key Manager Tools 1.0.3-FCS Software
     	(sparc) 1.0.3-FCS
     6 SICGkisup	SKIP I-Support module 1.0.3-FCS Software
     	(sparc) 1.0.3-FCS
  2. Type


    pkgrm SICGbdcdr SICGcrc2 SICGcrc4 SICGes SICGkeymg SICGkisup
    

    and answer Y (yes) to questions that the pkgrm program asks. The pkgrm program ends with the statement:


    Removal of <SICGkisup> was successful.

    Note -

    This message is valid only for this example. If moduli of other sizes were used, the last package removed, and therefore the final message, would be different.


  3. To remove the "/etc/opt/SUNWicg/skip" directory and any configurations that were installed, type


    rm -rf /etc/opt/SUNWicg/skip
    

    Caution -

    If you want to preserve previous configurations (access control list [ACL] files, certificates, and the key manager configuration file), do not remove the /etc/opt/SUNWicg/skip directory.


  4. To reboot the machine, type


    init 6
    

Installing the Software

Become root on your local system and then follow these steps:

  1. Open a terminal window and become root.

  2. Mount the CD-ROM through the file manager or by typing


     volcheck
    

    Note -

    If you are not using vold on your system, type

    # mount -F hsfs -oro /dev/dsk/c0t6d0s0 /mnt

    The device name, the mount point, or both depend on your local system configuration.


  3. Go to the directory on the CD-ROM for your OS:

    Solaris for the SPARC Platform:


    cd /cdrom/cdrom0/sparc
    

    Solaris for the Intel Platform:


    cd /cdrom/cdrom0/x86
    

    Note -

    If you have mounted the CD-ROM manually, replace /cdrom/cdrom0 with /mnt.


  4. To use the standard Solaris operating system pkgadd command to add all packages, type


    pkgadd  -d `pwd`
    
  5. You will be prompted with the following menu of packages to install.


     1 SICGbdcdr	SKIP Bulk Data Crypt 1.1-FCS Software
     	(sparc) 1.1-FCS
     2 SICGcrc2	SKIP RC2 Crypto Module 1.1-FCS Software
     	(sparc) 1.1-FCS
     3 SICGcrc4 	SKIP RC4 Crypto Module 1.1-FCS Software
     	(sparc) 1.1-FCS
     4 SICGes	SKIP End System 1.1-FCS Software
     	(sparc) 1.1-FCS
     5 SICGkeymg	SKIP Key Manager Tools 1.1-FCS Software
     	(sparc) 1.1-FCS
     6 SICGkisup	SKIP I-Support module 1.1-FCS Software
     	(sparc) 1.1-FCS
    Select package(s) you wish to process (or 'all' to process all
    packages). (default: all) [?,??,q]: 

    Select a (all) or the number of the package. As the prompts appear, answer questions with Y (yes) followed by a <Return> if you wish to add the package.

  6. When you get back to the same menu of packages, type q followed by a <Return> to quit pkgadd.

  7. To eject the CD-ROM from the CD-ROM drive, type


    cd /
    eject cdrom0
    

    or eject the CD-ROM through the file manager.


    Note -

    If you are not using vold on your system, unmount your CD-ROM by typing

    # cd /

    # umount /mnt

    # eject cdrom0


    Now you are ready to generate and install SKIP Unsigned Diffie-Hellman (UDH) certificates if you are going to use SKIP UDH certificates.

    You may use SKIP UDH certificates and SunCA keys and certificates at the same time on SunScreen SKIP.

    You are also ready to install SunScreen SKIP on any new or different network interface, if you need to. Generate and install the SKIP UDH certificates (Section "Installing SKIP Unsigned Diffie-Hellman (UDH) Certificates") and install SunScreen SKIP on the network interface (Section "Installing Your Network Interface") before you reboot your system.


    Note -

    If you are going to use the same keys and certificates and network interface that you used in SKIP for Solaris, Release 1.0, you only need to reboot your system according to the instructions in "Rebooting Your System". This is only true if you did not remove the /etc/opt/SUNWicg/skip directory.


Installing SKIP Unsigned Diffie-Hellman (UDH) Certificates

Once the SunScreen SKIP software has been installed, you must install at least one local identity (public-private key pair) for this host.

The procedure below creates a SKIP UDH certificate, which is the one you will most likely use. For a more detailed discussion of SKIP UDH certificates, see Appendix C.

Chapter 2 discusses keys, certificates, and hashes in greater detail. If you are installing other kinds of keys and certificates, see the documentation that is supplied with them or contact the vendor. If you are installing keys and certificates from Sun Microsystems' Internet Commerce Group (ICG), see Chapter 3.

The skiplocal command creates and manages all local key types, including UDH certificates, on your system. You can have more than one UDH certificate on your system. Your local identities can also be of different lengths (moduli), depending on the version of SunScreen SKIP that you have. The default will always be the largest modulus you can generate.


Note -

Local secret is the term used for an encryption certificate and key.


    To generate a UDH key pair locally, type


    skiplocal keygen 
    

Note -

If you have local identities of different strengths, such as 512 (Global), 1024 (Export), and 2048 (U.S. and Canada Only), use the argument -m followed immediately by the bit size of the modulus without an intervening space (Figure 1-1).


When generating an unsigned certificate, no authority exists to certify the identities. This means that each party must verify the name of the certificate over the telephone or some other trusted channel. Without verification through a secure channel, you have no way of knowing if the certificate belongs to the correct party or not.

In Figure 1-1 the skiplocal keygen command was used to generate a local key pair, in this case with a 512-bit modulus.

Figure 1-1 512-bit Modulus


In Figure 1-2 the skiplocal export command is used to print out the local system's current information in a form that can be sent (for example, via e-mail) to other users who wish to communicate with you.


Caution -

The defaults proposed by skiplocal export work well if you and the party with whom you wish to communicate have one key and one network interface. If you have some other configuration, you should not use skiplocal export.


A safer solution than using skiplocal export is to have each user run skiptool and then call each other on the telephone and type the other person's key ID in the Remote Key ID field in the add window (See Chapter 3).

Figure 1-2 Sending and Loading an ACL Entry



Caution -

Even when using skiplocal export, make sure you both verify the key ID over the telephone with the other party to make sure no one is impersonating them.


In Figure 1-3, the skiplocal list command is used to list the current local identities.

Figure 1-3 Listing All Local Identities


For more information on the skiplocal command, refer to the man pages for SunScreen SKIP.


Note -

If you installed a UDH certificate during installation, the information in Chapter 2 will not apply to you unless you also plan to install SunCA keys and certificates. You may use SKIP UDH certificates and SunCA keys and certificates at the same time on SunScreen SKIP.


Installing Your Network Interface

The skipif command is used to install SunScreen SKIP on a network interface.

    If you are adding SunScreen SKIP to a machine with only one interface, make sure that you are root and type


    skipif -a 
    

    If you are adding SunScreen SKIP to a machine with multiple interfaces, make sure that you are root and type


    skipif -i <networkinterface> -a 
    

Note -

Replace <networkinterface> with the interface that you wish to specify. If you do not specify a network interface, skipif attaches to the first network interface that it finds.


    You can add SKIP on more than one interface. In that case, you need to run the skipif -a -i <interface> command for each interface on which you want to use SKIP.

    If you want to use SKIP on all the network interfaces present in the system, simply use the skipif -a -i all command.

Rebooting Your System

After you have installed the software, generated and installed the local identities, and installed the network interface, you must reboot your system.

    To reboot the machine, type


    init 6
    

Passphrase Protection

SunScreen SKIP includes a new, optional feature that allows you to protect your locally stored secrets with a passphrase. A passphrase differs from a password in that it is longer and capitalization counts. It permits you to assign a global passphrase that will be used to encrypt all of your SKIP secret values. Your passphrase should be one that you can remember, but that is hard to guess. You can change the passphrase or delete it at any time. After you set, change, or delete your passphrase, you should run


skipd_restart

to reinitialize your key manager.


Caution -

Once you have protected your secret values with a passphrase, SunScreen SKIP-encrypted connections will not work after a reboot until the key manager has been given the passphrase, because your system cannot get to your locally stored secrets without it. You must run

# skipd_restart

which will then prompt you for your passphrase.



Caution -

If you forget your passphrase, there is no way to discover it or recover it. Your protected locally stored secrets will no longer be available. If you do not know the passphrase and you want to reinstall or upgrade the software, you must first remove the old software and its locally stored secrets. See Section 2.2.2 Upgrading the Software. The old locally stored secrets will remain encrypted with the old passphrase and will be unavailable.


Once you set a passphrase, you will be prompted for it each time you add a new local identity (through skiplocal add or skiplocal keygen).

Activating Your Passphrase

To activate your passphrase, use the following procedure:

  1. Type


    skiplocal passwd
    
  2. You will be prompted as follows:


    You are now assigning a global passphrase which will be used to
    encrypt all of your SKIP secret values. Please choose a passphrase
    which you will remember, but will be hard for someone else to guess
    New global passphrase:	<type a new passphrase>
    again: <type the new passphrase>
  3. To reinitialize your key manager, type


    skipd_restart
    

Changing Your Passphrase

To change your passphrase, use the following procedure:

  1. Type


    skiplocal passwd
    
  2. You will be prompted as follows:


    You are now changing the global passphrase which is used 
    to encrypt your SKIP secrets
     Global passphrase:	<type the old passphrase>
     New Passphrase:	<type a new passphrase>
     again:	<type the new passphrase>
  3. To reinitialize your key manager, type


    skipd_restart
    

Removing Your Passphrase

To remove your passphrase, use the following procedure:

  1. Type


    skiplocal rmpasswd
    
  2. You will be prompted as follows:


    You are now removing the global passphrase which will be used 
    to encrypt all of your SKIP secrets
     Global passphrase:	<type your passphrase>

    If it matches, all locally stored secrets are decrypted and stored and the passphrase feature is disabled.

  3. To reinitialize your key manager, type


    skipd_restart
     
    

    You can use delpasswd as an alias for rmpasswd.