HP-UX IPSec Software manual: Determining MC/ServiceGuard Cluster Information


HP-UX IPSec and MC/ServiceGuard

Step 2: Configuring HP-UX Host IPSec Policies for MC/ServiceGuard

“Configuring Host IPSec Policies for ServiceGuard Manager” on page 251

“Configuring Host IPSec Policies for Cluster Object Manager (COM)” on page 253

“Summary: MC/ServiceGuard Port Numbers and Protocols” on page 254

Determining MC/ServiceGuard Cluster Information

Before configuring IPSec policies, determine the following information about the MC/ServiceGuard cluster:

Heartbeat IP addresses

The heartbeat IP address for each cluster node is specified using the HEARTBEAT_IP parameter in the node definitions section of the cluster configuration file.

Package addresses

The package addresses are configured using the IP[i] statements in the package control script.

Configuring Host IPSec Policies for Package Addresses

On the cluster nodes, configure host IPSec policies with source IP address set to the package addresses.

On the cluster clients, configure host IPSec policies with the destination IP address set to the package addresses.

Configuring PASS Host IPSec Policies for Heartbeat IP Addresses

Configure a PASS host IPSec policy (host IPSec policy with -action PASS) for each pair of heartbeat IP addresses in the cluster to ensure that MC/ServiceGuard heartbeat and intracluster control messages pass in clear text.

Since the IPSec configuration database is the same for all cluster nodes, you must configure a PASS host IPSec policy for each heartbeat IP address pair in the cluster.
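The following script is an added example, not part of the HP-UX IPSec manual or of the MC/ServiceGuard product. It ties together the three steps above: it pulls the heartbeat addresses (HEARTBEAT_IP lines) out of a cluster configuration file and the package addresses (IP[i] statements) out of a package control script, then emits ipsecconfig batch-file entries: one PASS host policy per ordered pair of heartbeat addresses, and one host policy per package address whose -source (on cluster nodes) or -destination (on cluster clients) is the package address. The cluster file excerpt, control script excerpt, policy names, priorities, far-end subnet and the transform name ESP_3DES_HMAC_SHA1 are constructed or assumed for illustration; substitute the transform from your manual's transform table. It also assumes that -source is matched as the local address, so both orderings of each heartbeat pair are generated (the redundant entry is harmless if the filter is symmetric).

```shell
#!/bin/sh
# Added example: build ipsecconfig batch entries for an MC/ServiceGuard cluster.
# All sample data below is constructed; TRANSFORM is an assumed transform name.

TRANSFORM="ESP_3DES_HMAC_SHA1"

# Constructed excerpt of a cluster configuration (ASCII) file.
CLUSTER_ASCII=$(cat <<'EOF'
CLUSTER_NAME        demo_cluster
NODE_NAME           node1
  NETWORK_INTERFACE lan0
  HEARTBEAT_IP      192.168.10.1
  NETWORK_INTERFACE lan1
  STATIONARY_IP     15.1.1.1
NODE_NAME           node2
  NETWORK_INTERFACE lan0
  HEARTBEAT_IP      192.168.10.2
  NETWORK_INTERFACE lan1
  STATIONARY_IP     15.1.1.2
EOF
)

# Constructed excerpt of a package control script.
PKG_CONTROL=$(cat <<'EOF'
SUBNET[0]="15.1.1.0"
IP[0]="15.1.1.100"
SUBNET[1]="15.1.1.0"
IP[1]="15.1.1.101"
EOF
)

# Heartbeat addresses, one per line, in file order.
heartbeat_ips() {
    printf '%s\n' "$1" | awk '$1 == "HEARTBEAT_IP" { print $2 }'
}

# Package addresses taken from IP[i]="a.b.c.d" statements.
package_ips() {
    printf '%s\n' "$1" | awk '/^IP\[[0-9]+\]=/ { sub(/^IP\[[0-9]+\]=/, ""); gsub(/"/, ""); print }'
}

# One PASS host policy per ordered pair of heartbeat addresses, so the same
# configuration database serves every node. Low priority numbers (100+) so the
# PASS entries are selected ahead of the package policies below (assumed ordering).
heartbeat_pass_policies() {
    heartbeat_ips "$1" | awk '
        { ip[NR] = $1 }
        END {
            n = 0
            for (i = 1; i <= NR; i++)
                for (j = 1; j <= NR; j++)
                    if (i != j) {
                        n++
                        printf "add host hb_pass_%d -source %s -destination %s -action PASS -priority %d\n",
                               n, ip[i], ip[j], 100 + n
                    }
        }'
}

# Host policies for package traffic. $1 is "node" (policy for the cluster nodes:
# package address is the -source) or "client" (policy for the cluster clients:
# package address is the -destination). $2 is the control script text, $3 the
# far-end address spec as ipaddr/prefix (constructed subnet in the run below).
package_policies() {
    pp_role=$1; pp_remote=$3
    package_ips "$2" | {
        pp_n=0
        while IFS= read -r pp_pkg; do
            pp_n=$((pp_n + 1))
            if [ "$pp_role" = node ]; then
                pp_src=$pp_pkg; pp_dst=$pp_remote
            else
                pp_src=$pp_remote; pp_dst=$pp_pkg
            fi
            printf 'add host pkg_%s_%d -source %s -destination %s -action %s -priority %d\n' \
                "$pp_role" "$pp_n" "$pp_src" "$pp_dst" "$TRANSFORM" $((200 + pp_n))
        done
    }
}

# Stand-alone run: print the batch entries for a cluster node; redirect to a file
# and check it with "ipsecconfig batch <file> -nocommit" before committing.
heartbeat_pass_policies "$CLUSTER_ASCII"
package_policies node "$PKG_CONTROL" 15.1.2.0/24
```

Run `package_policies client ...` instead of `node` to produce the matching entries for a cluster client, which only needs the package policies, not the heartbeat PASS entries.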


HP-UX IPSec Software specifications

HP-UX IPSec Software is an integral component of the HP-UX operating system, providing robust and secure communication capabilities for enterprise environments. As organizations increasingly rely on secure networking solutions, HP-UX IPSec stands out with its comprehensive set of features and technologies designed to safeguard sensitive data.

One of the core characteristics of HP-UX IPSec Software is its implementation of the Internet Protocol Security (IPSec) framework. This technology secures Internet Protocol (IP) communications through authentication and encryption, ensuring the integrity and confidentiality of data transmissions. By leveraging IPSec, HP-UX provides a secure method for connecting remote users and secure sites over untrusted networks, such as the internet.

A notable feature of the HP-UX IPSec Software is its support for both transport and tunnel modes. The transport mode encrypts only the payload of the IP packet, whereas the tunnel mode encapsulates the entire IP packet within a new packet, allowing for secure communications between entire networks. This flexibility enables organizations to tailor their security strategies based on specific use cases and requirements.

HP-UX IPSec also emphasizes interoperability and compliance with industry standards. The software supports various encryption algorithms and authentication methods, including those defined by the Internet Engineering Task Force (IETF). This commitment to open standards ensures that HP-UX can seamlessly integrate with a diverse range of networking infrastructures and security solutions.

In addition to its security features, HP-UX IPSec Software offers administration tools that simplify the configuration and management of IPSec policies. The software includes a user-friendly command-line interface, allowing system administrators to specify security associations and policies efficiently. Moreover, comprehensive logging and monitoring capabilities help organizations keep track of their security posture and detect potential vulnerabilities.

Another essential characteristic of HP-UX IPSec Software is its scalability. Designed to accommodate the needs of both small and large enterprises, it can handle increased loads and adapt to changing security demands without compromising performance.

In conclusion, HP-UX IPSec Software stands as a vital solution for organizations seeking to protect their data transmissions over IP networks. With its core technologies, such as transport and tunnel modes, adherence to industry standards, user-friendly administration tools, and scalability, it provides a formidable layer of security in an increasingly interconnected world. This makes it a preferred choice for enterprises aiming to enhance their network security frameworks.