You can configure several aspects of how certificates are handled for your IKEv2 system.
Before You Begin
You must become an administrator who is assigned the Network IPsec Management rights profile. You must be typing in a profile shell. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.
If you administer remotely, see Example 31, Configuring IPsec Policy Remotely by Using an ssh Connection and How to Remotely Administer ZFS With Secure Shell in Managing Secure Shell Access in Oracle Solaris 11.3 for secure remote login instructions.
Certificate policy is set at installation in the /etc/inet/ike/kmf-policy.xml file. The file is owned by ikeuser and is modified by using the kmfcfg command. The default certificate validation policy is to download CRLs to the /var/user/ikeuser/crls directory. The use of OCSP is also enabled by default. If your site requires a proxy to reach the Internet, you must configure the proxy. See How to Handle Revoked Certificates in IKEv2.
# pfbash # kmfcfg list dbfile=/etc/inet/ike/kmf-policy.xml policy=default Policy Name: default Ignore Certificate Validity Dates: falseUnknown purposes or applications for the certificate Ignore Unknown EKUs: false Ignore Trust Anchor in Certificate Validation: false Trust Intermediate CAs as trust anchors: false Maximum Certificate Path Length: 32 Certificate Validity Period Adjusted Time leeway: [not set] Trust Anchor Certificate: Search by Issuer Key Usage Bits: 0Identifies critical parts of certificate Extended Key Usage Values: [not set]Purposes or applications for the certificate HTTP Proxy (Global Scope): [not set] Validation Policy Information: Maximum Certificate Revocation Responder Timeout: 10 Ignore Certificate Revocation Responder Timeout: true OCSP: Responder URI: [not set] OCSP specific proxy override: [not set] Use ResponderURI from Certificate: true Response lifetime: [not set] Ignore Response signature: false Responder Certificate: [not set] CRL: Base filename: [not set] Directory: /var/user/ikeuser/crls Download and cache CRL: true CRL specific proxy override: [not set] Ignore CRL signature: false Ignore CRL validity date: false IPsec policy bypass on outgoing connections: true Certificate to name mapper name: [not set] Certificate to name mapper pathname: [not set] Certificate to name mapper directory: [not set] Certificate to name mapper options: [not set]
For example, a certificate that includes a CRL or OCSP URI can use a validation policy that specifies the URI to use to check certificate revocation status. You might also configure timeouts.
For a sample policy, see How to Handle Revoked Certificates in IKEv2.