Securing the Network in Oracle® Solaris 11.2


Updated: August 2014

Initializing the Keystore to Store Public Key Certificates for IKEv2

To use public certificates with IKEv2, you must create a PKCS #11 keystore. The most commonly used keystore uses pkcs11_softtoken, which is provided by the Cryptographic Framework feature of Oracle Solaris.

The pkcs11_softtoken keystore for IKEv2 is in a directory that is owned by a special user, ikeuser. The default directory is /var/user/ikeuser. The user ID ikeuser is delivered with the system, but you must create the keystore. When you create the keystore, you create a PIN for the keystore. The IKEv2 service requires this PIN to log in to the keystore.

The pkcs11_softtoken keystore holds the private keys, public keys, and public certificates that are used by IKEv2. These keys and certificates are managed with the ikev2cert command, which is a wrapper for the pktool command. The wrapper ensures that all keys and certificate operations are applied to the pkcs11_softtoken keystore that is owned by ikeuser.

If you have not added the PIN as a property value of the ikev2 service, the following message is written to the /var/log/ikev2/in.ikev2d.log file:

date: (n)  No PKCS#11 token "pin" property defined
for the smf(5) service: ike:ikev2

If you are not using public key certificates, you can ignore this message.
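An added check, not part of the Oracle documentation, that scans the in.ikev2d.log file described above for this message and, on an Oracle Solaris host, queries the ikev2 service for its PIN property; the property name pkcs11_token/pin and the svcprop invocation are assumptions, so confirm them against the service's own property list.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: check a host for the
# "no PIN property" condition described above. Assumptions: the IKEv2 log is
# /var/log/ikev2/in.ikev2d.log (as the page states) and the SMF property
# holding the PIN is pkcs11_token/pin (assumed; confirm with
# "svccfg -s ike:ikev2 listprop").

IKEV2_LOG=${IKEV2_LOG:-/var/log/ikev2/in.ikev2d.log}

# Count log lines reporting that no PKCS#11 token PIN property is defined.
# The message spans two lines in the log, so only its first half is matched.
count_missing_pin_msgs() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c 'No PKCS#11 token "pin" property defined' "$1" || true
}

# Return 0 if the ikev2 service has a non-empty PIN property, 1 if it is
# absent or empty, 2 if SMF tooling is not present (not Oracle Solaris).
ikev2_pin_property_set() {
    command -v svcprop >/dev/null 2>&1 || return 2
    pin=$(svcprop -p pkcs11_token/pin ike:ikev2 2>/dev/null) || return 1
    [ -n "$pin" ]
}

# Combine log evidence and service state into one verdict line:
#   pin-missing  the daemon cannot log in to the keystore; set the PIN
#                (ikev2cert setpin, then add it to the ikev2 service)
#   pin-set      PIN configured; older log hits predate the fix
#   ignorable    no PIN and no log hits: only matters if certificates are used
#   unknown      cannot query SMF on this host; log evidence only
diagnose() {
    hits=$(count_missing_pin_msgs "$1")
    ikev2_pin_property_set && rc=0 || rc=$?
    case "$rc" in
        0) echo "pin-set (log hits: $hits)" ;;
        2) echo "unknown (log hits: $hits)" ;;
        *) if [ "$hits" -gt 0 ]; then echo "pin-missing (log hits: $hits)"
           else echo "ignorable (no PIN, no log hits)"; fi ;;
    esac
}

# Run the check against the live log when invoked as: sh check-ikev2-pin.sh --check
if [ "${1:-}" = "--check" ]; then
    diagnose "$IKEV2_LOG"
fi
```

On a host without SMF the verdict is always "unknown" with the log hit count, which is still enough to spot the message in a copied log.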