To use public certificates with IKEv2, you must create a PKCS #11 keystore. The most commonly used keystore uses pkcs11_softtoken, which is provided by the Cryptographic Framework feature of Oracle Solaris.
The pkcs11_softtoken keystore for IKEv2 is in a directory that is owned by a special user, ikeuser. The default directory is /var/user/ikeuser. The user ID ikeuser is delivered with the system, but you must create the keystore. When you create the keystore, you create a PIN for the keystore. The IKEv2 service requires this PIN to log in to the keystore.
The pkcs11_softtoken keystore holds the private keys, public keys, and public certificates that are used by IKEv2. These keys and certificates are managed with the ikev2cert command, which is a wrapper for the pktool command. The wrapper ensures that all keys and certificate operations are applied to the pkcs11_softtoken keystore that is owned by ikeuser.
If you have not added the PIN as a property value of the ikev2 service, the following message displays in the /var/log/ikev2/in.ikev2d.log file:
date: (n) No PKCS#11 token "pin" property defined for the smf(5) service: ike:ikev2
If you are not using public key certificates, you can ignore this message.
You must create a keystore if you plan to use public certificates with IKEv2. To use the keystore, you must log in to it. When the in.ikev2d daemon starts, you or an automatic process supplies the PIN to the daemon. If site security permits automatic login, you must configure it. The default is an interactive login to use the keystore.
Before You Begin
You must become an administrator who is assigned the Network IPsec Management rights profile. You must be typing in a profile shell. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.
You use the ikev2cert setpin command to create the IKEv2 keystore. This command sets the owner of the PKCS #11 keystore to be ikeuser.
Do not use spaces in the PIN. For example, the value WhatShouldIWrite is valid, but the value "What Should" is not.
% pfbash
# /usr/sbin/ikev2cert setpin
Enter token passphrase: changeme
Create new passphrase: Type strong passphrase
Re-enter new passphrase: xxxxxxxx
Passphrase changed.
Caution - Store this passphrase in a safe location. You need it to use the keystore.
Automatic login is preferred. If site security policy does not permit automatic login, you must interactively log in to the keystore when the in.ikev2d daemon is restarted.
# svccfg -s ike:ikev2 editprop
A temporary edit window opens. Uncomment the setprop line and replace () with the PIN:
# setprop pkcs11_token/pin = astring: ()          Original entry
setprop pkcs11_token/pin = astring: ()            Uncommented entry
setprop pkcs11_token/pin = astring: PIN-from-Step-1
Leave a space between the colon and the PIN. Then uncomment the refresh line so that the service is refreshed when you save the file and exit the editor:
# refresh                                         Original entry
refresh                                           Uncommented entry
The pkcs11_token/pin property holds the value that is checked when accessing the keystore owned by ikeuser.
# svccfg -s ike:ikev2 listprop pkcs11_token/pin
pkcs11_token/pin astring PIN
If automatic login is not configured, run this command each time the in.ikev2d daemon starts.
# pfbash
# ikeadm -v2 token login "Sun Metaslot"
Enter PIN for PKCS#11 token 'Sun Metaslot': Type the PIN from Step 1
ikeadm: PKCS#11 operation successful
# ikev2cert tokens
Flags: L=Login required  I=Initialized  X=User PIN expired  S=SO PIN expired
Slot ID  Slot Name             Token Name                       Flags
-------  ---------             ----------                       -----
1        Sun Crypto Softtoken  Sun Software PKCS#11 softtoken   LI
The LI in the Flags column indicates that the PIN is set.
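The checks in this procedure (a PIN without spaces, the pkcs11_token/pin property set and refreshed, the LI flags in ikev2cert tokens output, and the "pin property" warning in in.ikev2d.log) can be scripted for repeatable verification. The following POSIX sh helpers are an added example, not part of the Oracle Solaris documentation; the function names are invented here, the svccfg, svcadm and ikev2cert commands they emit are the ones shown on this page, and the sample outputs embedded below are either copied from the page or constructed and labelled as such:

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris documentation: POSIX sh helpers
# for checking an IKEv2 pkcs11_softtoken keystore setup. The function names
# are invented here; the svccfg/svcadm/ikev2cert commands they print are the
# ones documented on the page.

# The page requires a PIN with no spaces: reject an empty PIN and any
# whitespace (space, tab, newline).
ikev2_pin_ok() {
    case $1 in
        '') return 1 ;;
        *[[:space:]]*) return 1 ;;
    esac
    return 0
}

# Parse 'ikev2cert tokens' output: succeed only when the softtoken row shows
# both L (login required) and I (initialized), i.e. a PIN has been set.
softtoken_initialized() {
    printf '%s\n' "$1" | awk '
        /PKCS#11 softtoken/ { found = 1; flags = $NF }
        END { if (found && flags ~ /L/ && flags ~ /I/) exit 0; exit 1 }'
}

# Count in.ikev2d.log lines reporting that the pin property is not defined
# (the message the page shows when automatic login is not configured).
missing_pin_warnings() {
    printf '%s\n' "$1" | grep -c 'No PKCS#11 token "pin" property defined'
}

# Emit the non-interactive equivalent of the editprop session on the page:
# setprop, then refresh, then listprop to verify. The commands are printed
# rather than executed so the example runs off a Solaris host; on the host,
# pipe the output into a profile shell such as pfbash.
ikev2_set_pin_commands() {
    ikev2_pin_ok "$1" || { echo 'ikev2_set_pin_commands: invalid PIN' >&2; return 1; }
    printf '%s\n' \
        "svccfg -s ike:ikev2 setprop pkcs11_token/pin = astring: $1" \
        'svcadm refresh ike:ikev2' \
        'svccfg -s ike:ikev2 listprop pkcs11_token/pin'
}

# Sample 'ikev2cert tokens' output, copied from the page.
TOKENS_INITIALIZED='Flags: L=Login required I=Initialized X=User PIN expired S=SO PIN expired
Slot ID Slot Name Token Name Flags
------- --------- ---------- -----
1 Sun Crypto Softtoken Sun Software PKCS#11 softtoken LI'

# Constructed variant showing only the L flag, used for the negative case.
TOKENS_NO_PIN='Slot ID Slot Name Token Name Flags
1 Sun Crypto Softtoken Sun Software PKCS#11 softtoken L'

# Constructed log excerpt in the shape of the message quoted on the page.
LOG_SAMPLE='Jan 01 00:00:00: (n) No PKCS#11 token "pin" property defined for the smf(5) service: ike:ikev2
Jan 01 00:00:01: (n) in.ikev2d started'

# Demo against the embedded samples: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    ikev2_pin_ok 'WhatShouldIWrite' && echo 'PIN format ok'
    softtoken_initialized "$TOKENS_INITIALIZED" && echo 'softtoken: PIN set (LI)'
    echo "missing-pin warnings in log: $(missing_pin_warnings "$LOG_SAMPLE")"
    ikev2_set_pin_commands 'WhatShouldIWrite'
fi
```

On a Solaris host the same helpers take live output, for example softtoken_initialized "$(ikev2cert tokens)" or missing_pin_warnings "$(cat /var/log/ikev2/in.ikev2d.log)". Passing the PIN on a command line, as ikev2_set_pin_commands does, leaves it in shell history and visible in process listings while the command runs, so for a one-off configuration the editprop window shown on this page is the better choice; the scripted form is for provisioning systems that already handle the PIN as a secret.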
# ikeadm -v2 token logout "Sun Metaslot"
ikeadm: PKCS#11 operation successful
You might log out to limit communication between two sites to a finite period of time. By logging out, the private key becomes unavailable, so new IKEv2 sessions cannot be initiated. The existing IKEv2 session continues unless you delete the session keys with the ikeadm delete ikesa command. Preshared key rules continue to work. See the ikeadm(1M) man page.