Go to main content

Securing the Network in Oracle® Solaris 11.3

Exit Print View

Updated: April 2019

Initializing the Keystore to Store Public Key Certificates for IKEv2

To use public certificates with IKEv2, you must create a PKCS #11 keystore. The most commonly used keystore uses pkcs11_softtoken, which is provided by the Cryptographic Framework feature of Oracle Solaris.

The pkcs11_softtoken keystore for IKEv2 is in a directory that is owned by a special user, ikeuser. The default directory is /var/user/ikeuser. The user ID ikeuser is delivered with the system, but you must create the keystore. When you create the keystore, you create a PIN for the keystore. The IKEv2 service requires this PIN to log in to the keystore.

The pkcs11_softtoken keystore holds the private keys, public keys, and public certificates that are used by IKEv2. These keys and certificates are managed with the ikev2cert command, which is a wrapper for the pktool command. The wrapper ensures that all keys and certificate operations are applied to the pkcs11_softtoken keystore that is owned by ikeuser.

If you have not added the PIN as a property value of the ikev2 service, the following message displays in the /var/log/ikev2/in.ikev2d.log file:

date: (n)  No PKCS#11 token "pin" property defined 
for the smf(5) service: ike:ikev2

If you are not using public key certificates, you can ignore this message.

How to Create and Use a Keystore for IKEv2 Public Key Certificates

You must create a keystore if you plan to use public certificates with IKEv2. To use the keystore, you must log in to it. When the in.ikev2d daemon starts, you or an automatic process supplies the PIN to the daemon. If site security permits automatic login, you must configure it. The default is an interactive login to use the keystore.

Before You Begin

You must become an administrator who is assigned the Network IPsec Management rights profile. You must be typing in a profile shell. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  1. Set the PIN for the IKEv2 keystore.

    You use the ikev2cert setpin command to create the IKEv2 keystore. This command sets the owner of the PKCS #11 keystore to be ikeuser.

    Do not use spaces in the PIN. For example, the value WhatShouldIWrite is valid, but the value "What Should" is not.

    %  pfbash
    # /usr/sbin/ikev2cert setpin
    Enter token passphrase: changeme
    Create new passphrase: Type strong passphrase
    Re-enter new passphrase: xxxxxxxx
    Passphrase changed.


    Caution  -  Store this passphrase in a safe location. You need it to use the keystore.

  2. Log in to the keystore automatically or interactively.

    Automatic login is preferred. If site security policy does not permit automatic login, you must interactively log in to the keystore when the in.ikev2d daemon is restarted.

    • Configure the keystore to enable automatic login.
      1. Add the PIN as the value for the pkcs11_softtoken/pin service property.
        # svccfg -s ike:ikev2 editprop

        A temporary edit window opens.

      2. Uncomment the setprop pkcs11_token/pin = line.
        # setprop pkcs11_token/pin = astring: () Original entry
        setprop pkcs11_token/pin = astring: () Uncommented entry
      3. Replace the parentheses with the PIN from Step 1.
        setprop pkcs11_token/pin = astring: PIN-from-Step-1

        Leave a space between the colon and the PIN.

      4. Uncomment the refresh line at the bottom of the file, then save your changes.
        # refresh
      5. (Optional) Verify the value of the pkcs11_token/pin property.

        The pkcs11_token/pin property holds the value that is checked when accessing the keystore owned by ikeuser.

        # svccfg -s ike:ikev2 listprop pkcs11_token/pin
        pkcs11_token/pin     astring  PIN
    • When automatic keystore login is not configured, log in to the keystore manually.

      Run this command each time the in.ikev2d daemon starts.

      # pfbash
      # ikeadm -v2 token login "Sun Metaslot"
      Enter PIN for PKCS#11 token 'Sun Metaslot':Type the PIN from Step 1
      ikeadm: PKCS#11 operation successful
  3. (Optional) Verify that a PIN has been set in the keystore.
    # ikev2cert tokens
    Flags: L=Login required  I=Initialized  X=User PIN expired  S=SO PIN expired
    Slot ID     Slot Name                   Token Name                        Flags 
    -------     ---------                   ----------                        ----- 
    1           Sun Crypto Softtoken        Sun Software PKCS#11 softtoken    LI    

    The LI in the Flags column indicates that the PIN is set.

  4. To manually log out of the pkcs11_softtoken, use the ikeadm command.
    # ikeadm -v2 token logout "Sun Metaslot"
    ikeadm: PKCS#11 operation successful

    You might log out to limit communication between two sites to a finite period of time. By logging out, the private key becomes unavailable, so new IKEv2 sessions cannot be initiated. The existing IKEv2 session continues unless you delete the session keys with the ikeadm delete ikesa command. Preshared key rules continue to work. See the ikeadm(1M) man page.