JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Securing the Network in Oracle Solaris 11.1     Oracle Solaris 11.1 Information Library
search filter icon
search icon

Document Information

Preface

1.  Using Link Protection in Virtualized Environments

2.  Tuning Your Network (Tasks)

3.  Web Servers and the Secure Sockets Layer Protocol

4.  IP Filter in Oracle Solaris (Overview)

5.  IP Filter (Tasks)

6.  IP Security Architecture (Overview)

7.  Configuring IPsec (Tasks)

8.  IP Security Architecture (Reference)

9.  Internet Key Exchange (Overview)

10.  Configuring IKE (Tasks)

11.  Internet Key Exchange (Reference)

IKE Service

IKE Daemon

IKE Configuration File

ikeadm Command

IKE Preshared Keys Files

IKE Public Key Databases and Commands

ikecert tokens Command

ikecert certlocal Command

ikecert certdb Command

ikecert certrldb Command

/etc/inet/ike/publickeys Directory

/etc/inet/secret/ike.privatekeys Directory

/etc/inet/ike/crls Directory

Glossary

Index

IKE Public Key Databases and Commands

The ikecert command manipulates the local system's public key databases. You use this command when the ike/config file requires public key certificates. Because IKE uses these databases to authenticate the Phase 1 exchange, the databases must be populated before activating the in.iked daemon. Three subcommands handle each of the three databases: certlocal, certdb, and certrldb.

The ikecert command also handles key storage. Keys can be stored on disk, on an attached Sun Crypto Accelerator 6000 board, or in a softtoken keystore. The softtoken keystore is available when the metaslot in the Cryptographic Framework is used to communicate with the hardware device. The ikecert command uses the PKCS #11 library to locate key storage.

For more information, see the ikecert(1M) man page. For information about metaslot and the softtoken keystore, see the cryptoadm(1M) man page.

ikecert tokens Command

The tokens argument lists the token IDs that are available. Token IDs enable the ikecert certlocal and ikecert certdb commands to generate public key certificates and certificate requests. The certificates and certificate requests can also be stored by the Cryptographic Framework in the softtoken keystore, or on an attached Sun Crypto Accelerator 6000 board. The ikecert command uses the PKCS #11 library to locate certificate storage.

ikecert certlocal Command

The certlocal subcommand manages the private key database. Options to this subcommand enable you to add, view, and remove private keys. This subcommand also creates either a self-signed certificate or a certificate request. The -ks option creates a self-signed certificate. The -kc option creates a certificate request. Keys are stored on the system in the /etc/inet/secret/ike.privatekeys directory, or on attached hardware with the -T option.

When you create a private key, the options to the ikecert certlocal command must have related entries in the ike/config file. The correspondences between ikecert options and ike/config entries are shown in the following table.

Table 11-1 Correspondences Between ikecert Options and ike/config Entries

ikecert Option
ike/config Entry
Description
-A subject-alternate-name
cert_trust subject-alternate-name
A nickname that uniquely identifies the certificate. Possible values are an IP address, an email address, or a domain name.
-D X.509-distinguished-name
X.509-distinguished-name
The full name of the certificate authority that includes the country (C), organization name (ON), organizational unit (OU), and common name (CN).
-t dsa-sha1
auth_method dsa_sig
An authentication method that is slightly slower than RSA.
-t rsa-md5 and

-t rsa-sha1

auth_method rsa_sig
An authentication method that is slightly faster than DSA.

The RSA public key must be large enough to encrypt the biggest payload. Typically, an identity payload, such as the X.509 distinguished name, is the biggest payload.

-t rsa-md5 and

-t rsa-sha1

auth_method rsa_encrypt
RSA encryption hides identities in IKE from eavesdroppers, but requires that the IKE peers know each other's public keys.

If you issue a certificate request with the ikecert certlocal -kc command, you send the output of the command to a PKI organization or to a certificate authority (CA). If your company runs its own PKI, you send the output to your PKI administrator. The PKI organization, the CA, or your PKI administrator then creates certificates. The certificates that the PKI or CA returns to you are input to the certdb subcommand. The certificate revocation list (CRL) that the PKI returns to you is input for the certrldb subcommand.

ikecert certdb Command

The certdb subcommand manages the public key database. Options to this subcommand enable you to add, view, and remove certificates and public keys. The command accepts, as input, certificates that were generated by the ikecert certlocal -ks command on a remote system. For the procedure, see How to Configure IKE With Self-Signed Public Key Certificates. This command also accepts the certificate that you receive from a PKI or CA as input. For the procedure, see How to Configure IKE With Certificates Signed by a CA.

The certificates and public keys are stored on the system in the /etc/inet/ike/publickeys directory. The -T option stores the certificates, private keys, and public keys on attached hardware.

ikecert certrldb Command

The certrldb subcommand manages the certificate revocation list (CRL) database, /etc/inet/ike/crls. The CRL database maintains the revocation lists for public keys. Certificates that are no longer valid are on this list. When PKIs provide you with a CRL, you can install the CRL in the CRL database with the ikecert certrldb command. For the procedure, see How to Handle a Certificate Revocation List.

/etc/inet/ike/publickeys Directory

The /etc/inet/ike/publickeys directory contains the public part of a public-private key pair and its certificate in files, or slots. The directory is protected at 0755. The ikecert certdb command populates the directory. The -T option stores the keys on the Sun Crypto Accelerator 6000 board rather than in the publickeys directory.

The slots contain, in encoded form, the X.509 distinguished name of a certificate that was generated on another system. If you are using self-signed certificates, you use the certificate that you receive from the administrator of the remote system as input to the command. If you are using certificates from a CA, you install two signed certificates from the CA into this database. You install a certificate that is based on the certificate signing request that you sent to the CA. You also install a certificate of the CA.

/etc/inet/secret/ike.privatekeys Directory

The /etc/inet/secret/ike.privatekeys directory holds private key files that are part of a public-private key pair. The directory is protected at 0700. The ikecert certlocal command populates the ike.privatekeys directory. Private keys are not effective until their public key counterparts, self-signed certificates or CAs, are installed. The public key counterparts are stored in the /etc/inet/ike/publickeys directory or on supported hardware.

/etc/inet/ike/crls Directory

The /etc/inet/ike/crls directory contains certificate revocation list (CRL) files. Each file corresponds to a public certificate file in the /etc/inet/ike/publickeys directory. PKI organizations provide the CRLs for their certificates. You can use the ikecert certrldb command to populate the database.