
System Management Guide: Communications and Networks


Using the IBM Key Manager Tool

In AIX 4.3.3 and later, the IBM Key Manager tool manages digital certificates. The IBM Key Manager tool is installed when you install the gskit.rte file set from the installation Bonus Pack.

This section describes how to use IBM Key Manager to do the following tasks:

  1. Creating a Key Database
  2. Adding a CA Root Digital Certificate
  3. Establishing Trust Settings
  4. Deleting a CA Root Digital Certificate
  5. Requesting a Digital Certificate
  6. Adding (Receiving) a New Digital Certificate
  7. Deleting a Digital Certificate
  8. Changing a Database Password
  9. Creating IKE Tunnels using Digital Certificates

To set up digital certificates and signature support, at minimum you must do steps 1, 2, 3, 4, 6, and 7. Then, use Web-based System Manager to create an IKE tunnel and associate a policy with the tunnel that uses RSA Signature as the authentication method.

Creating a Key Database

A key database enables VPN endpoints to connect using valid digital certificates. The key database (*.kdb) format is used with IP Security VPNs.

The following types of CA digital certificates are provided with IBM Key Manager:

These signature digital certificates enable clients to attach to servers that have valid digital certificates from these signers. After you create a key database, you can use it as-is to attach to a server that has a valid digital certificate from one of the signers.

If you need to use a signature digital certificate that is not on this list, you must request it from the CA and add it to your key database (see Adding a CA Root Digital Certificate).

Use the following procedure to create a key database:

  1. Start the IBM Key Manager tool by typing:

    certmgr
    
  2. Select New from the Key Database File pull down menu.
  3. Accept the default value, CMS key database file, for the Key database type field.
  4. Enter the following file name in the File Name field:

    ikekey.kdb
    
  5. Enter the following location of the database in the Location field:

    /etc/security
    

    Attention: The key database must be named ikekey.kdb and it must be placed in the /etc/security directory or IP Security cannot function correctly.
  6. Click OK. The Password Prompt screen is displayed.
  7. Enter a password in the Password field, and enter it again in the Confirm Password field.
  8. If you want to change the number of days until the password expires, enter the desired number of days in the Set expiration time? field. The default value for this field is 60 days. If you do not want the password to expire, clear the Set expiration time? field.
  9. To save an encrypted version of the password in a stash file, select the Stash the password to a file? field and enter yes.

    Note: You must stash the password to enable the use of digital certificates with IP Security.
  10. Click OK. A confirmation screen is displayed, verifying that you have created a key database.
  11. Click OK again and you return to the IBM Key Management screen. You can either perform other tasks or exit the tool.

Adding a CA Root Digital Certificate

After you have requested and received a root digital certificate from a CA, you can add it to your database. Most root digital certificates are of the form *.arm, such as the following:

cert.arm

Use the following procedure to add a CA root digital certificate to a database:

  1. Unless you are already using IBM Key Manager, start the tool by typing:

    certmgr
    
  2. From the main screen, select Open from the Key Database File pull down menu.
  3. Highlight the key database file to which you want to add a CA root digital certificate and click Open.
  4. Enter the password and click OK. When your password is accepted, you are returned to the IBM Key Management screen. The title bar now shows the name of the key database file you selected, indicating that the file is now open and ready to be worked with.
  5. Select Signer Certificates from the Personal/Signer Certificates pull down menu.
  6. Click on Add.
  7. Select a data type from the Data type pull down menu, such as:

    Base64-encoded ASCII data
    
  8. Enter a certificate file name and location for the CA root digital certificate, or click Browse to select the name and location.
  9. Click OK.
  10. Enter a label for the CA root digital certificate, such as Verisign Test CA Root Certificate, and click OK. You are returned to the IBM Key Management screen. The Signer Certificates field now shows the label of the CA root digital certificate you just added. You can either perform more tasks or exit the tool.

Establishing Trust Settings

Installed CA certificates are set to trusted by default. The procedure to change the trust setting follows.

  1. Unless you are already using IBM Key Manager, start the tool by typing:

    certmgr
    
  2. From the main screen, select Open from the Key Database File pull down menu.
  3. Highlight the key database file in which you want to change the default digital certificate and click Open.
  4. Enter the password and click OK. After your password is accepted, you are returned to the IBM Key Management screen. The title bar shows the name of the key database file you selected, indicating that the file is now open.
  5. Select Signer Certificates from the Personal/Signer Certificates pull down menu.
  6. Highlight the certificate you want to change and click View/Edit, or double-click on the entry. The Key Information screen is displayed for the certificate entry.
  7. To make this certificate a trusted root certificate, check the box next to Set the certificate as a trusted root and click OK. If the certificate is not trusted, clear the check box instead and click OK.
  8. Click OK from the Signer Certificates screen. You are returned to the IBM Key Management screen. You can either perform other tasks or exit the tool.

Deleting a CA Root Digital Certificate

If you no longer want to support one of the CAs in your signature digital certificate list, you need to delete the CA root digital certificate.

Note: Before deleting a CA root digital certificate, create a backup copy in case you later want to recreate the CA root.

Use the following procedure to delete a CA root digital certificate from a database:

  1. Unless you are already using IBM Key Manager, start the tool by typing:

    certmgr
    
  2. From the main screen, select Open from the Key Database File pull down menu.
  3. Highlight the key database file from which you want to delete a CA root digital certificate and click Open.
  4. Enter the password and click OK. After your password is accepted, you are returned to the IBM Key Management screen. The title bar shows the name of the key database file you selected, indicating that the file is now open and ready to be edited.
  5. Select Signer Certificates from the Personal/Signer Certificates pull down menu.
  6. Highlight the certificate you want to delete and click Delete. The Confirm screen is displayed.
  7. Click Yes. You are returned to the IBM Key Management screen. The label of the CA root digital certificate no longer appears in the Signer Certificates field. You can either perform other tasks or exit the tool.

Requesting a Digital Certificate

To acquire a digital certificate, generate a request using IBM Key Manager and submit the request to a CA. The request file you generate is in the PKCS#10 format. The CA then verifies your identity and sends you a digital certificate.

Use the following procedure to request a digital certificate:

  1. Unless you are already using IBM Key Manager, start the tool by typing:

    certmgr
    
  2. From the main screen, select Open from the Key Database File pull down menu.
  3. Highlight the key database file /etc/security/ikekey.kdb from which you want to generate the request and click Open.
  4. Enter the password and click OK. After your password is accepted, you are returned to the IBM Key Management screen. The title bar shows the name of the key database file you selected, indicating that the file is now open and ready to be edited.
  5. Select Personal Certificate Requests from the Personal/Signer Certificates pull down menu (AIX Version 4) or select Create --> New Certificate Request (AIX Version 5).
  6. Click New.
  7. From the following screen, enter a Key Label for the self-signed digital certificate, such as:

    keytest
    
  8. Enter a Common Name (the default is the host name) and Organization, and then select a Country. For the remaining fields, either accept the default values, or choose new values.
  9. Define the Subject Alternate name. There are three optional fields associated with Subject Alternate: email address, IP address, and DNS name. For a tunnel ID type of IP address, type the same IP address that is configured in the IKE tunnel into the IP address field. For a tunnel ID type of user@FQDN, complete the email address field. For a tunnel ID type of FQDN, type a fully qualified domain name (for example, hostname.companyname.com) in the DNS name field.
  10. At the bottom of the screen, enter a name for the file, such as:

    certreq.arm
    
  11. Click OK. A confirmation screen is displayed, verifying that you have created a request for a new digital certificate.
  12. Click OK. You are returned to the IBM Key Management screen. The Personal Certificate Requests field now shows the key label of the new digital certificate request (PKCS#10) created.
  13. Send the file to a CA to request a new digital certificate.
  14. At this point, you can either perform other tasks or exit the tool.

Adding (Receiving) a New Digital Certificate

After you receive a new digital certificate from a CA, you must add it to the key database from which you generated the request.

Use the following procedure to add (receive) a new digital certificate:

  1. Unless you are already using IBM Key Manager, start the tool by typing:

    certmgr
    
  2. From the main screen, select Open from the Key Database File pull down menu.
  3. Highlight the key database file from which you generated the certificate request and click Open.
  4. Enter the password and click OK. After your password is accepted, you are returned to the IBM Key Management screen. The title bar shows the name of the key database file you selected, indicating that the file is now open and ready to be edited.
  5. Select Personal Certificate Requests from the Personal/Signer Certificates pull down menu.
  6. Click Receive (to add the newly received digital certificate to your database).
  7. Select the data type of the new digital certificate from the Data type pull down menu. The default is Base64-encoded ASCII data.
  8. Enter the certificate file name and location for the new digital certificate, or click Browse to select the name and location.
  9. Click OK.
  10. Enter a descriptive label for the new digital certificate, such as:

    VPN Branch Certificate
    
  11. Click OK. You are returned to the IBM Key Management screen. The Personal Certificates field now shows the label of the new digital certificate you just added.

    If the procedure is successful, you can either perform other tasks or exit the tool.

    If there is an error loading the certificate, check that the certificate file begins with the text -----BEGIN CERTIFICATE----- and ends with the text -----END CERTIFICATE-----.

    For example:

    -----BEGIN CERTIFICATE-----
    ajdkfjaldfwwwwwwwwwwadafdw
    kajf;kdsajkflasasfkjafdaff
    akdjf;ldasjkf;safdfdasfdas
    kaj;fdljk98dafdas43adfadfa
    -----END CERTIFICATE-----
    

    If the text does not match, edit the certificate file so it starts and ends appropriately.
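A small checker for the framing test described above, added here as an example and not part of the guide or of IBM Key Manager. The file contents are constructed placeholders (the guide's own sample body is only an illustration), and trim_to_certificate performs the edit the guide asks you to make by hand when the markers are not the first and last lines:

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
B64_LINE = re.compile(r"^[A-Za-z0-9+/]+=*$")   # one line of Base64-encoded ASCII data

# Constructed sample files (placeholder body, not a real certificate).
GOOD_FILE = (BEGIN + "\n"
             "MIIBszCCARygAwIBAgIBATANBgkqhkiG9w0BAQsFADAA\n"
             "MB4XDTI0MDEwMTAwMDAwMFoXDTI1MDEwMTAwMDAwMFow\n"
             + END + "\n")
# The same certificate pasted out of an e-mail: a header above, a signature below.
MAILED_FILE = "Subject: your VPN certificate\n\n" + GOOD_FILE + "-- \nCA operator\n"
# Markers are right but the body is not Base64 (';' is not in the alphabet).
BAD_BODY = BEGIN + "\najdkfjaldf;notbase64\n" + END + "\n"

def check_pem_cert(text):
    """Return a list of problems; an empty list means the file starts with the
    BEGIN marker, ends with the END marker and carries a Base64 body between them."""
    lines = [ln.rstrip("\r") for ln in text.splitlines()]
    if not lines:
        return ["file is empty"]
    problems = []
    if lines[0] != BEGIN:
        problems.append("first line is not " + BEGIN)
    if lines[-1] != END:
        problems.append("last line is not " + END)
    if BEGIN in lines and END in lines and lines.index(BEGIN) < lines.index(END):
        body = lines[lines.index(BEGIN) + 1:lines.index(END)]
        if not body:
            problems.append("no body between the markers")
        elif any(not B64_LINE.match(ln) for ln in body):
            problems.append("body contains a line that is not Base64")
        else:
            try:
                base64.b64decode("".join(body), validate=True)
            except ValueError:       # binascii.Error is a ValueError
                problems.append("body does not decode as Base64")
    return problems

def trim_to_certificate(text):
    """Drop everything before the BEGIN marker and after the END marker, which is
    the edit the guide asks for by hand. Returns None if a marker is missing."""
    lines = [ln.rstrip("\r") for ln in text.splitlines()]
    if BEGIN not in lines or END not in lines:
        return None
    start, stop = lines.index(BEGIN), lines.index(END)
    if stop < start:
        return None
    return "\n".join(lines[start:stop + 1]) + "\n"
```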

Deleting a Digital Certificate

If you no longer need one of your digital certificates, use the following procedure to delete it from your database.

Note: Before deleting a digital certificate, create a backup copy in case you later want to recreate it.

  1. Unless you are already using IBM Key Manager, start the tool by typing:

    certmgr
    
  2. From the main screen, select Open from the Key Database File pull down menu.
  3. Highlight the key database file from which you want to delete the digital certificate and click Open.
  4. Enter the password and click OK. After your password is accepted, you are returned to the IBM Key Management screen. The title bar shows the name of the key database file you selected, indicating that the file is now open and ready to be edited.
  5. Select Personal Certificate Requests from the Personal/Signer Certificates pull down menu.
  6. Highlight the digital certificate you want to delete and click Delete. The Confirm screen is displayed.
  7. Click Yes. You are returned to the IBM Key Management screen. The label of the digital certificate you just deleted no longer appears in the Personal Certificates field.

    You can either perform other tasks or exit the tool.

Changing a Database Password

To change the key database password, follow these steps:

  1. Unless you are already using IBM Key Manager, start the tool by typing:

    certmgr
    
  2. From the main screen, select Change Password from the Key Database File pull down menu.
  3. Enter a new password in the Password field, and enter it again in the Confirm Password field.
  4. If you want to change the number of days until the password expires, enter the desired number of days in the Set expiration time? field. The default value for this field is 60 days. If you do not want the password to expire, clear the Set expiration time? field.
  5. To save an encrypted version of the password in a stash file, select the Stash the password to a file? field and enter yes.

    Note: You must stash the password to enable the use of digital certificates with IP Security.
  6. Click OK. A message in the status bar indicates that the request completed successfully.
  7. Click OK again and you return to the IBM Key Management screen. You can either perform other tasks or exit the tool.

Creating IKE Tunnels using Digital Certificates

To create IKE tunnels that use digital certificates, you must use Web-based System Manager and the IBM Key Manager tool.

To enable the use of digital certificates when defining the key management IKE tunnel policies, you must configure a transform that uses signature mode. Signature mode uses an RSA signature algorithm for authentication. IP Security provides the Web-based System Manager dialog "Add/Change a Transform" to allow you to select an authentication method of RSA Signature or RSA Signature with CRL Checking.

At least one endpoint of the tunnel must have a policy defined that uses a signature mode transform. You can also define other transforms using signature mode through Web-based System Manager.

The IKE key management tunnel types (the Host Identity Type field on the Identification tab) supported by IP Security are:

Host identity types are selectable from the Web-based System Manager Key Management Tunnel Properties - Identification tab. If you select IP Address, FQDN, or user@FQDN, you must enter values in Web-based System Manager and you must give these values to the CA. This information is used as the Subject Alternate Name in the personal digital certificate.

For example, if you choose a host identity type of X.500 Distinguished Name from the Web-based System Manager pull-down list on the Identification tab, and you enter the Host identity as /C=US/O=IBM/OU=SERV/CN=name.austin.ibm.com, the following are the exact values that you must enter in IBM Key Manager when creating a digital certificate request:

The X.500 Distinguished Name entered should be the name set up by your system/LDAP administrator. Entering an organizational unit value is optional. The CA then uses this information when creating the digital certificate.

For another example, if you choose a host identity type of IP Address from the pull-down list, and you enter the host identity as 10.10.10.1, the following are the exact values you must enter in the digital certificate request:

After you create the digital certificate request with this information, the CA uses this information to create the personal digital certificate.

When requesting a personal digital certificate, the CA needs the following information:

See Requesting a Digital Certificate for specific steps using the IBM Key Manager tool to create a certificate request.

Before activating the IKE tunnel, you must add the personal digital certificate you received from the CA into the IBM Key Manager database, ikekey.kdb. See Adding (Receiving) a New Digital Certificate for more information.

The types of personal digital certificate that IP Security supports are:

Subject DN
The Subject Distinguished Name must be in the following format and order:

/C=US/O=IBM/OU=SERV/CN=name.austin.ibm.com

The IBM Key Manager tool allows only one OU value.

Subject DN and Subject Alternate Name as an IP address
The Subject Distinguished Name and Subject Alternate Name can be designated as an IP address, as shown in the following:

/C=US/O=IBM/OU=SERV/CN=name.austin.ibm.com and 10.10.10.1

Subject DN and Subject Alternate Name as FQDN
The Subject Distinguished Name and Subject Alternate Name can be designated as a fully qualified domain name, as shown in the following:

/C=US/O=IBM/OU=SERV/CN=name.austin.ibm.com and bell.austin.ibm.com

Subject DN and Subject Alternate Name as user@FQDN
The Subject Distinguished Name and Subject Alternate Name can be designated as a user address (user_ID@fully_qualified_domain_name), as shown in the following:

/C=US/O=IBM/OU=SERV/CN=name.austin.ibm.com and name@austin.ibm.com

Subject DN and multiple Subject Alternate Names
The Subject Distinguished Name can be associated with multiple Subject Alternate Names, as shown in the following:

/C=US/O=IBM/OU=SERV/CN=name.austin.ibm.com and bell.austin.ibm.com, 10.10.10.1, and user@name.austin.ibm.com
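The Subject DN rules above, together with the Subject Alternate Name step from Requesting a Digital Certificate, as a checker to run over the values before typing them into the request. This is an added example, not part of the guide or of IBM Key Manager; request_field, which maps a host identity type to the request field that must carry the same value, is my reading of the text rather than a tool API:

```python
import ipaddress
import re

DN_ORDER = ["C", "O", "OU", "CN"]   # required order; OU is optional, at most one
FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z0-9-]+$", re.I)

def is_fqdn(name):
    # hostname.companyname.com style: at least one dot, label characters only
    return bool(FQDN_RE.match(name))

def parse_subject_dn(dn):
    """Split /C=US/O=IBM/OU=SERV/CN=host into ordered (type, value) pairs."""
    if not dn.startswith("/"):
        raise ValueError("DN must start with '/'")
    pairs = []
    for part in dn[1:].split("/"):
        typ, sep, val = part.partition("=")
        if not sep or not typ or not val:
            raise ValueError("component %r is not TYPE=value" % part)
        pairs.append((typ.upper(), val))
    return pairs

def dn_problems(dn):
    """Return [] if the DN has C, O, an optional single OU and CN in that order."""
    try:
        types = [t for t, _ in parse_subject_dn(dn)]
    except ValueError as err:
        return [str(err)]
    if types.count("OU") > 1:
        return ["IBM Key Manager allows only one OU value"]
    expected = [t for t in DN_ORDER if t != "OU" or "OU" in types]
    if types != expected:
        return ["DN order must be %s, got %s" % ("/".join(expected), "/".join(types))]
    return []

def request_field(id_type, host_identity):
    """Map an IKE host identity type to the request field that must carry the same value."""
    if id_type == "IP Address":
        ipaddress.ip_address(host_identity)            # ValueError if malformed
        return ("IP address", host_identity)
    if id_type == "FQDN":
        if not is_fqdn(host_identity):
            raise ValueError("not a fully qualified domain name: %r" % host_identity)
        return ("DNS name", host_identity)
    if id_type == "user@FQDN":
        user, at, domain = host_identity.partition("@")
        if not (user and at and is_fqdn(domain)):
            raise ValueError("not user_ID@fully_qualified_domain_name: %r" % host_identity)
        return ("email address", host_identity)
    if id_type == "X.500 Distinguished Name":
        problems = dn_problems(host_identity)
        if problems:
            raise ValueError(problems[0])
        return ("Subject DN", host_identity)
    raise ValueError("unsupported host identity type: %r" % id_type)
```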

