System Management Guide: Communications and Networks
In AIX 4.3.3 and later, the IBM Key Manager tool manages
digital certificates. The IBM Key Manager tool is installed when you
install the gskit.rte file set from the installation Bonus
Pack.
This section describes how to use IBM Key Manager to do the following
tasks:
1. Creating a Key Database
2. Adding a CA Root Digital Certificate
3. Establishing Trust Settings
4. Deleting a CA Root Digital Certificate
5. Requesting a Digital Certificate
6. Adding (Receiving) a New Digital Certificate
7. Deleting a Digital Certificate
8. Changing a Database Password
9. Creating IKE Tunnels using Digital Certificates
To set up digital certificates and signature support, at minimum you must
do steps 1, 2, 3, 4, 6, and 7. Then, use Web-based System Manager to
create an IKE tunnel and associate a policy with the tunnel that uses RSA
Signature as the authentication method.
A key database enables VPN endpoints to connect using valid digital
certificates. The key database (*.kdb) format is used with IP
Security VPNs.
The following types of CA digital certificates are provided with IBM Key
Manager:
- RSA Secure Server Certification Authority
- Thawte Personal Premium Certification Authority
- Thawte Personal Freemail Certification Authority
- Thawte Personal Basic Certification Authority
- Thawte Personal Server Certification Authority
- Thawte Server Certification Authority
- Verisign Class 1 Public Primary Certification Authority
- Verisign Class 2 Public Primary Certification Authority
- Verisign Class 3 Public Primary Certification Authority
- Verisign Class 4 Public Primary Certification Authority
These signature digital certificates enable clients to attach to servers
that have valid digital certificates from these signers. After you
create a key database, you can use it as-is to attach to a server that has a
valid digital certificate from one of the signers.
If you need to use a signature digital certificate that is not on this
list, you must request it from the CA and add it to your key database (see Adding a CA Root Digital Certificate).
Use the following procedure to create a key database:
- Start the IBM Key Manager tool by typing:
certmgr
- Select New from the Key Database File pull down
menu.
- Accept the default value, CMS key database file, for the
Key database type field.
- Enter the following file name in the File Name field:
ikekey.kdb
- Enter the following location of the database in the Location
field:
/etc/security
Attention: The key database must be named ikekey.kdb and it must be
placed in the /etc/security directory or IP Security cannot function
correctly.
- Click OK. The Password Prompt screen is
displayed.
- Enter a password in the Password field, and enter it again in
the Confirm Password field.
- If you want to change the number of days until the password expires, enter
the desired number of days in the Set expiration time?
field. The default value for this field is 60 days. If you do
not want the password to expire, clear the Set expiration time?
field.
- To save an encrypted version of the password in a stash file, select the
Stash the password to a file? field and enter
yes.
Note: You must stash the password to enable the use of
digital certificates with IP Security.
- Click OK. A confirmation screen is displayed, verifying
that you have created a key database.
- Click OK again and you return to the IBM Key
Management screen. You can either perform other tasks or exit the
tool.
After you have requested and received a root digital certificate from a CA,
you can add it to your database. Most root digital certificates are of
the form *.arm, such as the following:
cert.arm
Use the following procedure to add a CA root digital certificate to a
database:
- Unless you are already using IBM Key Manager, start the tool by
typing:
certmgr
- From the main screen, select Open from the Key Database
File pull down menu.
- Highlight the key database file to which you want to add a CA root digital
certificate and click Open.
- Enter the password and click OK. When your password is
accepted, you are returned to the IBM Key Management screen.
The title bar now shows the name of the key database file you selected,
indicating that the file is now open and ready to be worked with.
- Select Signer Certificates from the Personal/Signer
Certificates pull down menu.
- Click on Add.
- Select a data type from the Data type pull down menu, such
as:
Base64-encoded ASCII data
- Enter a certificate file name and location for the CA root digital
certificate, or click Browse to select the name and
location.
- Click OK.
- Enter a label for the CA root digital certificate, such as Verisign
Test CA Root Certificate, and click OK. You are
returned to the IBM Key Management screen. The Signer
Certificates field now shows the label of the CA root digital
certificate you just added. You can either perform more tasks or exit
the tool.
Installed CA certificates are set to trusted by default.
The procedure to change the trust setting follows.
- Unless you are already using IBM Key Manager, start the tool by
typing:
certmgr
- From the main screen, select Open from the Key Database
File pull down menu.
- Highlight the key database file in which you want to change the default
digital certificate and click Open.
- Enter the password and click OK. After your password is accepted,
you are returned to the IBM Key Management screen. The title
bar shows the name of the key database file you selected, indicating that the
file is now open.
- Select Signer Certificates from the Personal/Signer
Certificates pull down menu.
- Highlight the certificate you want to change and click
View/Edit, or double-click on the entry. The Key
Information screen is displayed for the certificate entry.
- To make this certificate a trusted root certificate, check the box next to
Set the certificate as a trusted root and click
OK. To mark the certificate as not trusted, clear the check box
instead and click OK.
- Click OK from the Signer Certificates screen.
You are returned to the IBM Key Management screen. You can
either perform other tasks or exit the tool.
If you no longer want to support one of the CAs in your signature digital
certificate list, you need to delete the CA root digital certificate.
Note: Before deleting a CA root digital certificate, create a
backup copy in case you later want to recreate the CA root.
Use the following procedure to delete a CA root digital certificate from a
database:
- Unless you are already using IBM Key Manager, start the tool by
typing:
certmgr
- From the main screen, select Open from the Key Database
File pull down menu.
- Highlight the key database file from which you want to delete a CA root
digital certificate and click Open.
- Enter the password and click OK. After your password is
accepted, you are returned to the IBM Key Management screen.
The title bar shows the name of the key database file you selected, indicating
that the file is now open and ready to be edited.
- Select Signer Certificates from the Personal/Signer
Certificates pull down menu.
- Highlight the certificate you want to delete and click
Delete. The Confirm screen is displayed.
- Click Yes. You are returned to the IBM Key
Management screen. The label of the CA root digital certificate
no longer appears in the Signer Certificates field. You can
either perform other tasks or exit the tool.
To acquire a digital certificate, generate a request using IBM Key Manager
and submit the request to a CA. The request file you generate is in the
PKCS#10 format. The CA then verifies your identity and sends you a
digital certificate.
Use the following procedure to request a digital certificate:
- Unless you are already using IBM Key Manager, start the tool by
typing:
certmgr
- From the main screen, select Open from the Key Database
File pull down menu.
- Highlight the key database file /etc/security/ikekey.kdb
from which you want to generate the request and click Open.
- Enter the password and click OK. After your password is
accepted, you are returned to the IBM Key Management screen.
The title bar shows the name of the key database file you selected, indicating
that the file is now open and ready to be edited.
- Select Personal Certificate Requests from the
Personal/Signer Certificates pull down menu (AIX Version 4) or
select Create --> New Certificate Request
(AIX Version 5.0).
- Click New.
- From the following screen, enter a Key Label for the
self-signed digital certificate, such as:
keytest
- Enter a Common Name (the default is the host name) and
Organization, and then select a Country. For the
remaining fields, either accept the default values, or choose new
values.
- Define the Subject Alternate name. There are three
optional fields associated with Subject Alternate: email
address, IP address, and DNS name. For a tunnel ID type of IP address,
type the same IP address that is configured in the IKE tunnel into the IP
address field. For a tunnel ID type of user@FQDN, complete the email
address field. For a tunnel ID type of FQDN, type a fully qualified
domain name (for example,
hostname.companyname.com) in the DNS name
field.
- At the bottom of the screen, enter a name for the file, such as:
certreq.arm
- Click OK. A confirmation screen is displayed, verifying
that you have created a request for a new digital certificate.
- Click OK. You are returned to the IBM Key
Management screen. The Personal Certificate Requests
field now shows the key label of the new digital certificate request (PKCS#10)
created.
- Send the file to a CA to request a new digital certificate.
- At this point, you can either perform other tasks or exit the tool.
After you receive a new digital certificate from a CA, you must add it to
the key database from which you generated the request.
Use the following procedure to add (receive) a new digital
certificate:
- Unless you are already using IBM Key Manager, start the tool by
typing:
certmgr
- From the main screen, select Open from the Key Database
File pull down menu.
- Highlight the key database file from which you generated the certificate
request and click Open.
- Enter the password and click OK. After your password is
accepted, you are returned to the IBM Key Management screen.
The title bar shows the name of the key database file you selected, indicating
that the file is now open and ready to be edited.
- Select Personal Certificate Requests from the
Personal/Signer Certificates pull down menu.
- Click Receive (to add the newly received digital certificate to
your database).
- Select the data type of the new digital certificate from the Data
type pull down menu. The default is Base64-encoded ASCII
data.
- Enter the certificate file name and location for the new digital
certificate, or click Browse to select the name and
location.
- Click OK.
- Enter a descriptive label for the new digital certificate, such as:
VPN Branch Certificate
- Click OK. You are returned to the IBM Key
Management screen. The Personal Certificates field now
shows the label of the new digital certificate you just added.
If the procedure is successful, you can either perform other tasks or exit
the tool.
If there is an error loading the certificate, check that the certificate
file begins with the text -----BEGIN
CERTIFICATE----- and ends with the text
-----END CERTIFICATE-----.
For example:
-----BEGIN CERTIFICATE-----
ajdkfjaldfwwwwwwwwwwadafdw
kajf;kdsajkflasasfkjafdaff
akdjf;ldasjkf;safdfdasfdas
kaj;fdljk98dafdas43adfadfa
-----END CERTIFICATE-----
If the text does not match, edit the certificate file so it starts and ends
appropriately.
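As an added example (not from the AIX documentation or IBM's tooling), the following Python helper automates the check just described on a certificate file received from a CA and trims away any text surrounding the certificate block; it also goes one step beyond the page by confirming that the body between the markers decodes as Base64. The sample CA reply is constructed.

```python
import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def check_certificate_file(text):
    """Return a list of problems found in a Base64-encoded (*.arm style)
    certificate file; an empty list means the file looks loadable. Checks
    the two conditions the page names (first line is the BEGIN marker, last
    line is the END marker) and that the body decodes as Base64."""
    problems = []
    lines = [ln.rstrip("\r") for ln in text.strip().splitlines()]
    if not lines or lines[0].strip() != BEGIN:
        problems.append("file does not begin with " + BEGIN)
    if not lines or lines[-1].strip() != END:
        problems.append("file does not end with " + END)
    if BEGIN in lines and END in lines and lines.index(BEGIN) < lines.index(END):
        body = "".join(ln.strip()
                       for ln in lines[lines.index(BEGIN) + 1:lines.index(END)])
        try:
            if not base64.b64decode(body, validate=True):
                raise ValueError("empty body")
        except (binascii.Error, ValueError):
            problems.append("body between the markers is empty or not valid Base64")
    return problems

def extract_certificate(text):
    """Trim a file that has extra text before or after the markers (for
    example a CA's e-mail wrapped around the certificate) down to just the
    certificate block, which is the edit the page tells you to make.
    Returns None if both markers are not present in order."""
    start = text.find(BEGIN)
    end = text.find(END, start)
    if start < 0 or end < 0:
        return None
    return text[start:end + len(END)] + "\n"

# Constructed sample: a CA reply with mail text around the block. The
# Base64 body is a placeholder string, not a real certificate.
SAMPLE_REPLY = (
    "Your certificate is attached.\n"
    "-----BEGIN CERTIFICATE-----\n"
    "QUlYIHRlc3Qgc2FtcGxl\n"
    "-----END CERTIFICATE-----\n"
    "Regards, the CA\n"
)
```

Run check_certificate_file on the received file first; if it reports marker problems, write the result of extract_certificate back to the file and check again before retrying the Receive step.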
If you no longer need one of your digital certificates, use the following
procedure to delete it from your database.
Note: Before deleting a digital certificate, create a backup
copy in case you later want to recreate it.
- Unless you are already using IBM Key Manager, start the tool by
typing:
certmgr
- From the main screen, select Open from the Key Database
File pull down menu.
- Highlight the key database file from which you want to delete the digital
certificate and click Open.
- Enter the password and click OK. After your password is
accepted, you are returned to the IBM Key Management screen.
The title bar shows the name of the key database file you selected, indicating
that the file is now open and ready to be edited.
- Select Personal Certificate Requests from the
Personal/Signer Certificates pull down menu.
- Highlight the digital certificate you want to delete and click
Delete. The Confirm screen is displayed.
- Click Yes. You are returned to the IBM Key
Management screen. The label of the digital certificate you just
deleted no longer appears in the Personal Certificates
field.
You can either perform other tasks or exit the tool.
To change the key database password, follow these steps:
- Unless you are already using IBM Key Manager, start the tool by
typing:
certmgr
- From the main screen, select Change Password from the Key
Database File pull down menu.
- Enter a new password in the Password field, and enter it again
in the Confirm Password field.
- If you want to change the number of days until the password expires, enter
the desired number of days in the Set expiration time?
field. The default value for this field is 60 days. If you do
not want the password to expire, clear the Set expiration time?
field.
- To save an encrypted version of the password in a stash file, select the
Stash the password to a file? field and enter
yes.
Note: You must stash the password to enable the use of
digital certificates with IP Security.
- Click OK. A message in the status bar indicates that the
request completed successfully.
- Click OK again and you return to the IBM Key
Management screen. You can either perform other tasks or exit the
tool.
To create IKE tunnels that use digital certificates, you must use Web-based
System Manager and the IBM Key Manager tool.
To enable the use of digital certificates when defining the key management
IKE tunnel policies, you must configure a transform that uses signature
mode. Signature mode uses an RSA signature algorithm for
authentication. IP Security provides the Web-based System Manager
dialog "Add/Change a Transform" to allow you to select an authentication
method of RSA Signature or RSA Signature with CRL Checking.
At least one endpoint of the tunnel must have a policy defined that uses a
signature mode transform. You can also define other transforms using
signature mode through Web-based System Manager.
The IKE key management tunnel types (the Host Identity Type
field on the Identification tab) supported by IP Security are:
- IP address
- Fully Qualified Domain Name (FQDN)
- user@FQDN
- X.500 Distinguished Name
- Key identifier
Host identity types are selectable from the Web-based System
Manager Key Management Tunnel Properties - Identification
tab. If you select IP Address, FQDN, or
user@FQDN, you must enter values in Web-based System Manager and
you must give these values to the CA. This information is used as the
Subject Alternate Name in the personal digital certificate.
For example, if you choose a host identity type of X.500
Distinguished Name from the Web-based System Manager pull-down list on
the Identification tab, and you enter the Host identity
as
/C=US/O=IBM/OU=SERV/CN=name.austin.ibm.com,
the following are the exact values that you must enter in IBM Key Manager when
creating a digital certificate request:
- Common name: name.austin.ibm.com
- Organization: IBM
- Organizational unit: SERV
- Country: US
The X.500 Distinguished Name entered should be the name
set up by your system/LDAP administrator. Entering an organizational
unit value is optional. The CA then uses this information when creating
the digital certificate.
For another example, if you choose a host identity type of IP
Address from the pull-down list, and you enter the host identity as
10.10.10.1, the following are the exact values
you must enter in the digital certificate request:
- Common name: name.austin.ibm.com
- Organization: IBM
- Organizational unit: SERV
- Country: US
- Subject alternate IP address field: 10.10.10.1
After you create the digital certificate request with this information, the
CA uses this information to create the personal digital certificate.
When requesting a personal digital certificate, the CA needs the following
information:
See Requesting a Digital Certificate for
specific steps using the IBM Key Manager tool to create a certificate
request.
Before activating the IKE tunnel, you must add the personal digital
certificate you received from the CA into the IBM Key Manager database,
ikekey.kdb. See Adding
(Receiving) a New Digital Certificate for more information.
The types of personal digital certificate that IP Security supports
are:
- Subject DN: The Subject Distinguished Name must be in the following format and
order:
/C=US/O=IBM/OU=SERV/CN=name.austin.ibm.com
The IBM Key Manager tool allows only one OU value.
- Subject DN and Subject Alternate Name as an IP address: The Subject
Distinguished Name and Subject Alternate Name can be designated as an IP
address, as shown in the following:
/C=US/O=IBM/OU=SERV/CN=name.austin.ibm.com
and 10.10.10.1
- Subject DN and Subject Alternate Name as FQDN: The Subject Distinguished
Name and Subject Alternate Name can be designated as a fully qualified domain
name, as shown in the following:
/C=US/O=IBM/OU=SERV/CN=name.austin.ibm.com
and bell.austin.ibm.com.
- Subject DN and Subject Alternate Name as user@FQDN: The Subject
Distinguished Name and Subject Alternate Name can be designated as a user
address (user_ID@fully_qualified_domain_name), as shown in the
following:
/C=US/O=IBM/OU=SERV/CN=name.austin.ibm.com
and name@austin.ibm.com.
- Subject DN and multiple Subject Alternate Names: The Subject Distinguished
Name can be associated with multiple Subject Alternate Names, as shown in the
following:
/C=US/O=IBM/OU=SERV/CN=name.austin.ibm.com
and bell.austin.ibm.com,
10.10.10.1, and
user@name.austin.ibm.com.
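The following Python helper, added here and not part of the AIX documentation or the IBM Key Manager tool, turns the host identity rules above into code: it derives the exact certificate request fields from an X.500 Distinguished Name host identity, and it checks whether a received personal certificate's Subject DN and Subject Alternate Names identify an IKE endpoint of each supported host identity type. It assumes the certificate's subject DN and alternate names have already been extracted into plain values (no PEM parsing is done); the sample DN and names are the page's own examples.

```python
import ipaddress

def parse_dn(dn):
    """Parse a Key Manager style DN, e.g. /C=US/O=IBM/OU=SERV/CN=host,
    into an ordered list of (attribute, value) pairs."""
    if not dn.startswith("/"):
        raise ValueError("DN must start with '/'")
    pairs = []
    for part in dn[1:].split("/"):
        if "=" not in part:
            raise ValueError("bad DN component: %r" % part)
        attr, value = part.split("=", 1)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def dn_to_request_fields(dn):
    """Map an X.500 host identity to the request fields the page lists,
    enforcing its rules: order /C/O/OU/CN, OU optional, at most one OU."""
    pairs = parse_dn(dn)
    attrs = [a for a, _ in pairs]
    if attrs.count("OU") > 1:
        raise ValueError("IBM Key Manager allows only one OU value")
    if attrs != [a for a in ("C", "O", "OU", "CN") if a in attrs]:
        raise ValueError("DN must be in the order /C=/O=/OU=/CN=")
    fields = dict(pairs)
    for required in ("C", "O", "CN"):
        if required not in fields:
            raise ValueError("DN is missing required attribute " + required)
    return {"Common name": fields["CN"], "Organization": fields["O"],
            "Organizational unit": fields.get("OU", ""), "Country": fields["C"]}

def identity_matches_certificate(id_type, id_value, subject_dn, alt_names):
    """Check that a personal certificate (subject DN plus Subject Alternate
    Names as (kind, value) pairs, kind in 'ip', 'dns', 'email') identifies
    an IKE endpoint with the given host identity type, per the page."""
    if id_type == "X.500 Distinguished Name":
        return parse_dn(id_value) == parse_dn(subject_dn)
    if id_type == "IP address":
        want = ipaddress.ip_address(id_value)
        return any(k == "ip" and ipaddress.ip_address(v) == want
                   for k, v in alt_names)
    if id_type == "FQDN":
        want = id_value.lower().rstrip(".")
        return any(k == "dns" and v.lower().rstrip(".") == want
                   for k, v in alt_names)
    if id_type == "user@FQDN":
        return any(k == "email" and v.lower() == id_value.lower()
                   for k, v in alt_names)
    raise ValueError("unsupported host identity type: " + id_type)

# Constructed sample: the page's example DN and the SAN forms it lists.
SAMPLE_DN = "/C=US/O=IBM/OU=SERV/CN=name.austin.ibm.com"
SAMPLE_SANS = [("dns", "bell.austin.ibm.com"), ("ip", "10.10.10.1"),
               ("email", "user@name.austin.ibm.com")]
```

Call dn_to_request_fields before filling in the Key Manager request screen, and identity_matches_certificate after receiving the certificate and before activating the tunnel, so a mismatch is caught in the key database rather than during IKE negotiation.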