Configuration

Setting Up the HP-UX HIDS Secure Communications

$ IDS_genAdminKeys install

This creates the Root Certification Authority (Root CA) and the administration certificate. They are stored in the directory /etc/opt/ids/certs/admin. The keyword install is optional.

At a later time, if you need to regenerate the administration certificate (for example, if the current certificate has expired) without invalidating the agent certificates you make in substep 1.d, execute the command again with the update option, as in:

$ IDS_genAdminKeys update

If you don’t use the update option, the command also recreates the Root CA, so the existing agent certificates are no longer trusted by the administration system. You will then need to repeat substep 1.d and steps 2 and 3.

Here’s an example of the install process, run on administration host adminsys:

$ IDS_genAdminKeys
==> Be sure to run this script on the IDS Administration host.
Generating a certificate request for IDS Root CA...
Generating a self-signed certificate for IDS Root CA...
Generating a certificate for the HP-UX Host IDS System Manager...
Generating cert signing request for HP-UX Host IDS System Manager...
Signing the HP-UX Host IDS System Manager certificate request...
Importing IDS Root CA certificate...
Importing the HP-UX Host IDS System Manager certificate...
************************************************************
*Successfully created certificates for IDS Root CA and for
*the HP-UX Host IDS System Manager.
*Certificate public keys are valid for 700 days and are
*1024 bits in size.
*
*Now you need to create keys for each of the hosts on which
*the Agent software is installed by running the script
*'IDS_genAgentCerts'.
************************************************************

d. Generate the keys for each agent, one bundle of keys per agent system:

$ IDS_genAgentCerts

In this process, each host name (or IP address) you enter is checked for validity with the nslookup command (see nslookup(1)).

If you enter a host name and nslookup returns a single IP address, the host name and IP address are saved in a temporary file and the key bundle is created.

If you enter an IP address and nslookup returns a host name, the host name and IP address are saved in a temporary file and the key bundle is created. Use this method if the agent is multihomed (two or more IP addresses). The IP address should be the value you set for IDS_LISTEN_IFACE in “Configuring a Multihomed Agent System” on page 25.
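The acceptance rule described above, as an added example that is not part of the manual and is not HP's own IDS_genAgentCerts script. It assumes the classic nslookup output layout (a "Server:"/"Address:" header for the resolver, a blank line, then the "Name:"/"Address:" or "Addresses:" answer lines) and uses a scratch file path of its own choosing; the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the HP-UX HIDS manual): applies the same checks the
# manual describes for each agent entry. A host name is accepted only when it
# resolves to exactly one address; an IP address is accepted when it reverse-
# resolves to a host name (the multihomed case, where the IP should be the
# IDS_LISTEN_IFACE value). Accepted "host ip" pairs are appended to a scratch
# file, as the manual says the real script does before creating key bundles.

# is_ipv4 ARG: succeed if ARG is a dotted-quad IPv4 address.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# answer_section OUTPUT: print the answer part of nslookup output, i.e. the
# lines after the resolver's own "Server:/Address:" header and its blank line.
# Assumption: classic nslookup layout; no blank line means no answer.
answer_section() {
    printf '%s\n' "$1" | awk 'BEGIN { hdr = 1 } /^[ \t]*$/ { hdr = 0; next } !hdr'
}

# classify_lookup ENTRY OUTPUT
# Prints "hostname ip" and returns 0 when ENTRY is acceptable; returns 1 when
# the lookup gave no name, or a host name maps to more than one address.
classify_lookup() {
    entry=$1
    ans=$(answer_section "$2")
    name=$(printf '%s\n' "$ans" | awk '$1 == "Name:" { print $2; exit }')
    # Collect every address token; old nslookup prints "Addresses: a, b".
    addrs=$(printf '%s\n' "$ans" \
        | awk '$1 == "Address:" || $1 == "Addresses:" { for (i = 2; i <= NF; i++) print $i }' \
        | tr -d ',')
    [ -n "$name" ] || return 1
    n=$(printf '%s\n' "$addrs" | grep -c . || true)
    if is_ipv4 "$entry"; then
        # An IP was entered: keep the address the operator typed, since that is
        # the interface the agent will listen on.
        printf '%s %s\n' "$name" "$entry"
    else
        # A host name was entered: it must map to a single address.
        [ "$n" -eq 1 ] || return 1
        printf '%s %s\n' "$name" "$addrs"
    fi
}

# validate_agent_host ENTRY [TMPFILE]: live lookup, then record the pair.
validate_agent_host() {
    out=$(nslookup "$1" 2>/dev/null) || return 1
    pair=$(classify_lookup "$1" "$out") || return 1
    printf '%s\n' "$pair" >> "${2:-/tmp/ids_agent_hosts.$$}"   # scratch path is our choice
    printf '%s\n' "$pair"
}

# Usage: sh agent_hosts.sh agent1.example.com 10.0.0.7
for e in "$@"; do
    validate_agent_host "$e" || echo "rejected: $e" >&2
done
```

Running it with a multihomed agent's host name shows why the manual tells you to enter the IP instead: the name comes back with two addresses and is rejected, while the IDS_LISTEN_IFACE address reverse-resolves cleanly and is accepted.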
