Go to main content

Securing the Network in Oracle® Solaris 11.3

Exit Print View

Updated: September 2018
 
 

Configuring IKEv1 to Find Attached Hardware

Public key certificates can also be stored on attached hardware. The Sun Crypto Accelerator 6000 board provides storage, and enables public key operations to be offloaded from the system to the board.

How to Configure IKEv1 to Find the Sun Crypto Accelerator 6000 Board

Before You Begin

The following procedure assumes that a Sun Crypto Accelerator 6000 board is attached to the system. The procedure also assumes that the software for the board has been installed and that the software has been configured. For instructions, see Sun Crypto Accelerator 6000 Board Product Library Documentation (http://docs.oracle.com/cd/E19321-01/index.html).

You must become an administrator who is assigned the Network IPsec Management rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

If you administer remotely, see Example 31, Configuring IPsec Policy Remotely by Using an ssh Connection and How to Remotely Administer ZFS With Secure Shell in Managing Secure Shell Access in Oracle Solaris 11.3 for secure remote login instructions.

  1. Verify that the PKCS #11 library is linked.

    IKEv1 uses the library's routines to handle key generation and key storage on the Sun Crypto Accelerator 6000 board.

    $ ikeadm get stats
    ...
    PKCS#11 library linked in from /usr/lib/libpkcs11.so
    $
  2. Find the token ID for the attached Sun Crypto Accelerator 6000 board.
    $ ikecert tokens
    Available tokens with library "/usr/lib/libpkcs11.so":
    
    "Sun Metaslot                     "

    The library returns a token ID, also called a keystore name, of 32 characters. In this example, you could use the Sun Metaslot token with the ikecert commands to store and accelerate IKEv1 keys.

    For instructions on how to use the token, see How to Generate and Store Public Key Certificates for IKEv1 in Hardware.

    The trailing spaces are automatically padded by the ikecert command.

Example 52  Finding and Using Metaslot Tokens

Tokens can be stored on disk, on an attached board, or in the softtoken keystore that the Cryptographic Framework provides. The softtoken keystore token ID might resemble the following.

$ ikecert tokens
Available tokens with library "/usr/lib/libpkcs11.so":

"Sun Metaslot                   "

To create a passphrase for the softtoken keystore, see the pktool(1) man page.

A command that resembles the following would add a certificate to the softtoken keystore. Sun.Metaslot.cert is a file that contains the CA certificate.

# ikecert certdb -a -T "Sun Metaslot" < Sun.Metaslot.cert
Enter PIN for PKCS#11 token: Type user:passphrase

Next Steps

If you have not completed establishing IPsec policy, return to the IPsec procedure to enable or refresh IPsec policy. For examples of IPsec policy protecting VPNs, see Protecting a VPN With IPsec. For other examples of IPsec policy, see How to Secure Network Traffic Between Two Servers With IPsec.