You must create a keystore if you plan to use public certificates with IKEv2. To use the keystore, you must log in to it. When the in.ikev2d daemon starts, you or an automatic process supplies the PIN to the daemon. If site security permits automatic login, you must configure it. The default is an interactive login to use the keystore.
Before You Begin
You must become an administrator who is assigned the Network IPsec Management rights profile. You must be typing in a profile shell. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2.
1. Create the IKEv2 keystore.

   You use the ikev2cert setpin command to create the IKEv2 keystore. This command sets the owner of the PKCS #11 keystore to be ikeuser.

   Do not use spaces in the PIN. For example, the value WhatShouldIWrite is valid, but the value "What Should" is not.

       % pfbash
       # /usr/sbin/ikev2cert setpin
       Enter token passphrase: changeme
       Create new passphrase: Type strong passphrase
       Re-enter new passphrase: xxxxxxxx
       Passphrase changed.

   Caution - Store this passphrase in a safe location. You need it to use the keystore.

2. Configure automatic login to the keystore.

   Automatic login is preferred. If site security policy does not permit automatic login, you must interactively log in to the keystore when the in.ikev2d daemon is restarted.

       # svccfg -s ike:ikev2 editprop

   A temporary edit window opens. Uncomment the pkcs11_token/pin entry and replace the empty value with the PIN from Step 1.

       # setprop pkcs11_token/pin = astring: ()     Original entry
       setprop pkcs11_token/pin = astring: ()       Uncommented entry
       setprop pkcs11_token/pin = astring: PIN-from-Step-1

   Leave a space between the colon and the PIN. Then uncomment the refresh entry.

       # refresh     Original entry
       refresh       Uncommented entry

   The pkcs11_token/pin property holds the value that is checked when accessing the keystore owned by ikeuser.

       # svccfg -s ike:ikev2 listprop pkcs11_token/pin
       pkcs11_token/pin astring PIN

3. If automatic login is not configured, log in to the keystore.

   Run this command each time the in.ikev2d daemon starts.

       # pfbash
       # ikeadm -v2 token login "Sun Metaslot"
       Enter PIN for PKCS#11 token 'Sun Metaslot': Type the PIN from Step 1
       ikeadm: PKCS#11 operation successful

4. Verify that the PIN is set.

       # ikev2cert tokens
       Flags: L=Login required  I=Initialized  X=User PIN expired  S=SO PIN expired
       Slot ID  Slot Name             Token Name                      Flags
       -------  ---------             ----------                      -----
       1        Sun Crypto Softtoken  Sun Software PKCS#11 softtoken  LI

   The LI in the Flags column indicates that the PIN is set.

5. Log out of the keystore when required.

       # ikeadm -v2 token logout "Sun Metaslot"
       ikeadm: PKCS#11 operation successful

   You might log out to limit communication between two sites to a finite period of time. By logging out, the private key becomes unavailable, so new IKEv2 sessions cannot be initiated. The existing IKEv2 session continues unless you delete the session keys with the ikeadm delete ikesa command. Preshared key rules continue to work. See the ikeadm(1M) man page.
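The following POSIX sh helper is an added example, not part of the Oracle Solaris documentation: it applies the no-spaces PIN rule, reads the pkcs11_token/pin property to decide between automatic and interactive keystore login before in.ikev2d starts, and checks for the LI flags in ikev2cert tokens output. The command names, the "Sun Metaslot" token name and the output formats are taken from this page; the function names and the listprop behaviour for an unset property are assumptions.

```shell
#!/bin/sh
# Added example (not Oracle's code). Assumes the Solaris commands svccfg,
# ikeadm and ikev2cert and the output formats shown on this page.
# The page requires a PIN without spaces: reject empty or whitespace PINs.
pin_is_valid() {
    case "$1" in
        ''|*[[:space:]]*) return 1 ;;
        *)                return 0 ;;
    esac
}

# Parse `svccfg -s ike:ikev2 listprop pkcs11_token/pin` output: automatic
# login is configured only when the astring value is non-empty (an unset
# property prints no value, or "" on some releases; assumption).
autologin_configured() {
    pin=$(printf '%s\n' "$1" |
        awk '$1 == "pkcs11_token/pin" && $2 == "astring" { print $3 }')
    [ -n "$pin" ] && [ "$pin" != '""' ]
}

# Parse `ikev2cert tokens` output: the named token must show the LI flags
# (Login required, Initialized), which the page says means the PIN is set.
token_pin_set() {
    printf '%s\n' "$2" |
        awk -v name="$1" 'index($0, name) && $NF == "LI" { found = 1 }
                          END { exit !found }'
}

# Live check: prefer automatic login; otherwise do the interactive login
# that the page says must be repeated every time in.ikev2d starts.
keystore_ready() {
    props=$(svccfg -s ike:ikev2 listprop pkcs11_token/pin) || return 1
    if autologin_configured "$props"; then
        echo "pkcs11_token/pin is set: in.ikev2d logs in to the keystore itself"
    else
        echo "pkcs11_token/pin is empty: logging in to the keystore interactively"
        ikeadm -v2 token login "Sun Metaslot" || return 1
    fi
    token_pin_set "Sun Software PKCS#11 softtoken" "$(ikev2cert tokens)"
}

# Constructed sample output in the formats shown on this page.
SAMPLE_LISTPROP='pkcs11_token/pin astring PIN'
SAMPLE_TOKENS='Flags: L=Login required I=Initialized X=User PIN expired S=SO PIN expired
Slot ID  Slot Name             Token Name                      Flags
-------  ---------             ----------                      -----
1        Sun Crypto Softtoken  Sun Software PKCS#11 softtoken  LI'

# The live check runs only when invoked as: sh ikev2-keystore-check.sh check
[ "${1-}" = check ] && keystore_ready
```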