How to Create and Use a Keystore for IKEv2 Public Key Certificates

Language:

You must create a keystore if you plan to use public certificates with IKEv2. To use the keystore, you must log in to it. When the in.ikev2d daemon starts, you or an automatic process supplies the PIN to the daemon. If site security permits automatic login, you must configure it. The default is an interactive login to use the keystore.

Before You Begin

You must become an administrator who is assigned the Network IPsec Management rights profile. You must be typing in a profile shell. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2 .

Set the PIN for the IKEv2 keystore.
You use the ikev2cert setpin command to create the IKEv2 keystore. This command sets the owner of the PKCS #11 keystore to be ikeuser.

Do not use spaces in the PIN. For example, the value WhatShouldIWrite is valid, but the value "What Should" is not.
```
%  pfbash
# /usr/sbin/ikev2cert setpin
Enter token passphrase: changeme
Create new passphrase: Type strong passphrase
Re-enter new passphrase: xxxxxxxx
Passphrase changed.
```
Caution - Store this passphrase in a safe location. You need it to use the keystore.
Log in to the keystore automatically or interactively.
Automatic login is preferred. If site security policy does not permit automatic login, you must interactively log in to the keystore when the in.ikev2d daemon is restarted.
- Configure the keystore to enable automatic login.
  1. Add the PIN as the value for the pkcs11_softtoken/pin service property.
```
# svccfg -s ike:ikev2 editprop
```
    A temporary edit window opens.
  2. Uncomment the setprop pkcs11_token/pin = line.
```
# setprop pkcs11_token/pin = astring: () Original entry
setprop pkcs11_token/pin = astring: () Uncommented entry
```
  3. Replace the parentheses with the PIN from Step 1.
```
setprop pkcs11_token/pin = astring: PIN-from-Step-1
```
    Leave a space between the colon and the PIN.
  4. Uncomment the refresh line at the bottom of the file, then save your changes.
```
# refresh
refresh
```
  5. (Optional) Verify the value of the pkcs11_token/pin property.
    The pkcs11_token/pin property holds the value that is checked when accessing the keystore owned by ikeuser.
```
# svccfg -s ike:ikev2 listprop pkcs11_token/pin
pkcs11_token/pin     astring  PIN
```
- When automatic keystore login is not configured, log in to the keystore manually.
  Run this command each time the in.ikev2d daemon starts.
```
# pfbash
# ikeadm -v2 token login "Sun Metaslot"
Enter PIN for PKCS#11 token 'Sun Metaslot':Type the PIN from Step 1
ikeadm: PKCS#11 operation successful
```

(Optional) Verify that a PIN has been set in the keystore.

# ikev2cert tokens
Flags: L=Login required  I=Initialized  X=User PIN expired  S=SO PIN expired
Slot ID     Slot Name                   Token Name                        Flags 
-------     ---------                   ----------                        ----- 
1           Sun Crypto Softtoken        Sun Software PKCS#11 softtoken    LI

The LI in the Flags column indicates that the PIN is set.

To manually log out of the pkcs11_softtoken, use the ikeadm command.
```
# ikeadm -v2 token logout "Sun Metaslot"
ikeadm: PKCS#11 operation successful
```
You might log out to limit communication between two sites to a finite period of time. By logging out, the private key becomes unavailable, so new IKEv2 sessions cannot be initiated. The existing IKEv2 session continues unless you delete the session keys with the ikeadm delete ikesa command. Preshared key rules continue to work. See the ikeadm (1M) man page.