Public key certificates can also be stored on attached hardware. The Sun Crypto Accelerator 6000 board provides storage and enables public key operations to be offloaded from the system to the board.
Generating and storing public key certificates on hardware is similar to generating and storing public key certificates on your system. On hardware, the ikev2cert gencert token=hw-keystore command is used to identify the hardware keystore.
Before You Begin
This procedure assumes that a Sun Crypto Accelerator 6000 board is attached to the system. The procedure also assumes that the software for the board has been installed and that the hardware keystore has been configured. For instructions, see the Sun Crypto Accelerator 6000 Board Product Library Documentation (http://docs.oracle.com/cd/E19321-01/index.html). These instructions include setting up the keystore.
You must become an administrator who is assigned the Network IPsec Management rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.
If you administer remotely, see Example 31, Configuring IPsec Policy Remotely by Using an ssh Connection and How to Remotely Administer ZFS With Secure Shell in Managing Secure Shell Access in Oracle Solaris 11.3 for secure remote login instructions.
# pfbash # ikev2cert tokens Flags: L=Login required I=Initialized X=User PIN expired S=SO PIN expired Slot ID Slot Name Token Name Flags ------- --------- ---------- ----- 1 sca6000 sca6000 LI 2 n2cp/0 Crypto Accel Bulk 1.0 n2cp/0 Crypto Accel Bulk 1.0 3 ncp/0 Crypto Accel Asym 1.0 ncp/0 Crypto Accel Asym 1.0 4 n2rng/0 SUNW_N2_Random_Number_Ge n2rng/0 SUNW_N2_RNG 5 Sun Crypto Softtoken Sun Software PKCS#11 softtoken LI
Choose one of the following options:
# ikev2cert gencert token=sca6000 keytype=rsa \ hash=sha256 keylen=2048 \ subject="CN=FortKnox, C=US" serial=0x6278281232 label=goldrepo Enter PIN for sca6000: See Step 3
# ikev2cert gencsr token=sca6000 -i > keytype= > hash= > keylen= > subject= > serial= > label= > outcsr= Enter PIN for sca6000 token: See Step 3
For a description of the arguments to the ikev2cert command, see the pktool(1) man page.
If the Sun Crypto Accelerator 6000 board is configured with a user admin whose password is inThe%4ov, you would type the following:
Enter PIN for sca6000 token: admin:inThe%4ov -----BEGIN X509 CERTIFICATE----- MIIBuDCCASECAQAwSTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDFBhcnR5Q29tcGFu … oKUDBbZ9O/pLWYGr -----END X509 CERTIFICATE-----
Choose one of the following options:
You can paste the certificate into an email message.
Follow the instructions of the CA to submit the CSR. For a more detailed discussion, see Using Public Key Certificates in IKE.
Import the certificates that you received from the CA and provide the user and PIN from Step 3.
# ikev2cert import token=sca6000 infile=/tmp/DCA.ACCEL.CERT1 Enter PIN for sca6000 token: Type user:password # ikev2cert import token=sca6000 infile=/tmp/DCA.ACCEL.CA.CERT Enter PIN for sca6000 token: Type user:password
Automatic login is preferred. If site security policy does not permit automatic login, you must interactively log in to the keystore when the in.ikev2d daemon is restarted.
For a description of this property, see IKEv2 Service.
# svccfg -s ike:ikev2 editprop
A temporary edit window opens.
# setprop pkcs11_token/uri = () Original entry setprop pkcs11_token/uri = pkcs11:token=sca6000
# setprop pkcs11_token/pin = () Original entry setprop pkcs11_token/pin = admin:PIN-from-Step-3
# refresh refresh
# svccfg -s ikev2 listprop pkcs11_token pkcs11_token/pin astring username:PIN pkcs11_token/uri astring pkcs11:token=sca6000
Run this command each time the in.ikev2d daemon starts.
# pfexec ikeadm -v2 token login sca6000 Enter PIN for sca6000 token: admin:PIN-from-Step-3 ikeadm: sca6000 operation successful
If you have not completed establishing IPsec policy, return to the IPsec procedure to enable or refresh IPsec policy. For examples of IPsec policy protecting VPNs, see Protecting a VPN With IPsec. For other examples of IPsec policy, see How to Secure Network Traffic Between Two Servers With IPsec.