Go to main content

Securing the Network in Oracle® Solaris 11.3

Exit Print View

Updated: April 2019

How to Set a Certificate Validation Policy in IKEv2

You can configure several aspects of how certificates are handled for your IKEv2 system.

Before You Begin

You must become an administrator who is assigned the Network IPsec Management rights profile. You must be typing in a profile shell. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

If you administer remotely, see Example 31, Configuring IPsec Policy Remotely by Using an ssh Connection and How to Remotely Administer ZFS With Secure Shell in Managing Secure Shell Access in Oracle Solaris 11.3 for secure remote login instructions.

  1. Review the default certificate validation policy.

    Certificate policy is set at installation in the /etc/inet/ike/kmf-policy.xml file. The file is owned by ikeuser and is modified by using the kmfcfg command. The default certificate validation policy is to download CRLs to the /var/user/ikeuser/crls directory. The use of OCSP is also enabled by default. If your site requires a proxy to reach the Internet, you must configure the proxy. See How to Handle Revoked Certificates in IKEv2.

    # pfbash
    # kmfcfg list dbfile=/etc/inet/ike/kmf-policy.xml policy=default
    Policy Name: default
    Ignore Certificate Validity Dates: falseUnknown purposes or applications for the certificate
    Ignore Unknown EKUs: false
    Ignore Trust Anchor in Certificate Validation: false
    Trust Intermediate CAs as trust anchors: false
    Maximum Certificate Path Length: 32
    Certificate Validity Period Adjusted Time leeway: [not set]
    Trust Anchor Certificate: Search by Issuer
    Key Usage Bits: 0Identifies critical parts of certificate
    Extended Key Usage Values: [not set]Purposes or applications for the certificate
    HTTP Proxy (Global Scope): [not set]
    Validation Policy Information:
        Maximum Certificate Revocation Responder Timeout: 10
        Ignore Certificate Revocation Responder Timeout: true
            Responder URI: [not set]
            OCSP specific proxy override: [not set]
            Use ResponderURI from Certificate: true
            Response lifetime: [not set]
            Ignore Response signature: false
            Responder Certificate: [not set]
            Base filename: [not set]
            Directory: /var/user/ikeuser/crls
            Download and cache CRL: true
            CRL specific proxy override: [not set]
            Ignore CRL signature: false
            Ignore CRL validity date: false
    IPsec policy bypass on outgoing connections: true
    Certificate to name mapper name: [not set]
    Certificate to name mapper pathname: [not set]
    Certificate to name mapper directory: [not set]
    Certificate to name mapper options: [not set]
  2. Review the certificate for features that indicate the validation options to modify.

    For example, a certificate that includes a CRL or OCSP URI can use a validation policy that specifies the URI to use to check certificate revocation status. You might also configure timeouts.

  3. Review the kmfcfg(1) man page for configurable options.
  4. Configure the certificate validation policy.

    For a sample policy, see How to Handle Revoked Certificates in IKEv2.