IKE-PKI white paper in CA, EM and NE
发表于:2024-12-02 作者:千家信息网编辑
千家信息网最后更新 2024年12月02日,1. MDM PKI Interface with SSM In order to setup, query and remove the Ipsec/IKE and PKI on the local
千家信息网最后更新 2024年12月02日IKE-PKI white paper in CA, EM and NE1. MDM PKI Interface with SSM In order to setup, query and remove the Ipsec/IKE and PKI on the local workstation, both MDM and SSM will manipulate the solaris IP security database. The interface between MDM and SSM is mainly on the Solaris Ipsec IKE and PKI config files and its daemon. The behaviours of MDM and SSM manipulation are compatible with Solaris standard in term of the file format and patterns used. 1.1 Provisioning Interface 1.1.1 ike.config The /etc/inet/ike/config file, which is configuration file for IKE policy, contains rules for matching inbound IKE requests. It also contains rules for preparing outbound IKE requests. The ike.config is the most important interface between MDM and SSM: · Either MDM or SSM could create, duplicated, append, removal, chmod etc. · MDM will create this file if it does not exist (at IKE preshared key), else, it will append/edit it. · SSM could create it for MDM at rsasig if it does not exit. · Shared the items definition and values 1.1.1.1 Interaction overview
1.1.1.2 Interaction details
1.1.1.3 Scenario 1: Create ike.config if does not exist The in.iked refuses to start if this file is missed. MDM ike scripts will create this file at first with permission 755 if it does not exist. SSM will create this file when putting data to it( such as generate/install certs) 1.1.1.4 Scenario 2: IKE PSK only Here is the sample file after MDM Ike phase1 provisioned with preshared: p1_lifetime_secs 86400
p1_nonce_len 20
########
{
label INDEXID_1
local_id_type ip
local_addr 47.154.135.86
remote_addr 47.154.136.69
p2_pfs 2 p2_lifetime_secs 28800
p1_xform { auth_method preshared oakley_group 2 auth_alg md5 encr_alg 3des}
} 1.1.1.5 Scenario 3 : certs installed by SSM when IKE PSK already provisioned If the ike phase1 preshared key provisioned already, using the SSM GUI to generate and install certs for MDM, here is the ike.config should look like: p1_nonce_len 20
## Global parameters
cert_root "CN=PKBRoot0000, ST=North Carolina, C=US, L=Research Triangle Park, O=Security, OU=3X20"
cert_trust "CN=PKBRoot0000, ST=North Carolina, C=US, L=Research Triangle Park, O=Security, OU=3X20"
ignore_crls
#
## Phase 1 tranform defaults
p1_lifetime_secs 28800 #
## Defaults that individual rules can override.
p1_xform
{ auth_method preshared oakley_group 1 auth_alg sha encr_alg 3des }
p2_pfs 0
--->The following is used by MDM: #
{
label INDEXID_1
local_id_type ip
local_addr 47.154.135.86
remote_addr 47.154.136.69
p2_pfs 2 p2_lifetime_secs 28800
p1_xform { p1_lifetime_secs 86400 auth_method preshared oakley_group 2 auth_alg md5 encr_alg 3des}
}
~ 1.1.1.6 Scenario 4: IKE rsasig provisioned from none security Here is the example if the MDM IKE rsasig provisioned from none security p1_nonce_len 20
## Global parameters
cert_root "CN=PKBRoot0000, ST=North Carolina, C=US, L=Research Triangle Park, O=Security, OU=3X20"
cert_trust "CN=PKBRoot0000, ST=North Carolina, C=US, L=Research Triangle Park, O=Security, OU=3X20"
ignore_crls
#
## Phase 1 tranform defaults
p1_lifetime_secs 28800
#
## Defaults that individual rules can override.
p1_xform
{ auth_method preshared oakley_group 1 auth_alg sha encr_alg 3des }
p2_pfs 0
#
{
label INDEXID_1
local_id_type dn
local_addr 47.154.135.85
local_id "CN=SSM0 47.154.135.85, ST=North Carolina, C=US, L=Research Triangle Park, O=Security, OU=3X20"
remote_addr 47.154.136.135
remote_id ""
p2_pfs 2 p2_lifetime_secs 28800
p1_xform { p1_lifetime_secs 86400 auth_method rsa_sig oakley_group 2 auth_alg sha1 encr_alg des}
} 1.1.1.7 Scenario 5: IKE transition from PSK to rsasig The config file, ike.config used the same as the IKE rsasig provisioned from none security 1.1.1.8 Scenario 6: IKE rsasig with IKE PSK co-existence IKE PSK and IKE rsasig together after MDM ike phase1 provisioned, Here the IKE rsasig and preshared rule refers to the different remote entries p1_nonce_len 20
########
## Global parameters
cert_root "CN=PKBRoot01, ST=North Carolina, C=US, L=Research Triangle Park, O=Security, OU=3X20"
cert_trust "CN=PKBRoot01, ST=North Carolina, C=US, L=Research Triangle Park, O=Security, OU=3X20"
ignore_crls
#
## Phase 1 tranform defaults
p1_lifetime_secs 28800
#
## Defaults that individual rules can override.
p1_xform
{ auth_method preshared oakley_group 1 auth_alg sha encr_alg 3des }
p2_pfs 0
#
{
label INDEXID_1
local_id_type ip
local_addr 47.154.135.86
remote_addr 47.154.135.81
p2_pfs 2 p2_lifetime_secs 28800
p1_xform { p1_lifetime_secs 86400 auth_method preshared oakley_group 1 auth_alg sha1 encr_alg des}
} {
label INDEXID_2
local_id_type dn
local_addr 47.154.135.86
local_id "CN=SSM0 47.154.135.86, ST=North Carolina, C=US, L=Research Triangle Park, O=Security, OU=3X20"
remote_addr 47.154.136.69
remote_id ""
p2_pfs 1
p1_xform { p1_lifetime_secs 86400 auth_method rsa_sig oakley_group 1 auth_alg sha1 encr_alg des}
}
~ 1.1.2 Public keys used by MDM Public keys used by MDM are stored at /etc/inet/ike/publickeys The /etc/inet/ike/publickeys directory contains the public part of a public-private key pair and its certificate in files, or "slots", which is protected at 0755(not changeable other than root). The "ikecert certdb" command to populate the directory. MDM ike_add_phase1 (at rsasig mode) will check the existence of the public keys by /usr/sbin/ikecert certdb -l before it's going further on the config of IKE phase 1 rules. This dir is filled by SSM when generation certs for MDM. These files should get updated by SSM if the certs were replaced /deleted. 1.1.3 Private keys used by MDM MDM's private keys are stored at /etc/inet/secret/ike.privatekeys. The ike.privatekeys directory holds private key files that are part of a public-private key pair, keying material for ISAKMP SAs. The directory is protected at 0700. The private key in this database must have a public key counterpart in the publickeys database.The ikecert certlocal command populates this directory. Private keys are not effective until their public key counterparts, self-signed certificates or CAs, are installed in the /etc/inet/ike/publickeys directory. MDM application does not populate it explicitly, it relies on the SSM at the succession PKI framework (with CM) to own it(create/remove and permission). This dir is filled by SSM when generation certs for MDM. These files should get updated by SSM if the certs replaced/deleted. 1.1.4 in.iked in.iked is the Solaris ike daemon shared by MDM, SSM so far. In order to get the privilege to manipulate the IKE database, when provisioning IKE between MDM and MSS such as adding ike phase1 and removal of them. MDM would restart the in.iked with privilege 2if it's not running or running without proper right. 1.1.4.1 To get the privilege: "/usr/sbin/ikeadm get priv", The privilege level should be 2(can access keying materials), if not, MDM will kill and start it again. 1.1.4.2 To kill it: /usr/bin/pkill in.iked 1.1.4.3 To start it: IKE daemon is started with privilege 2 as the following: /usr/lib/inet/in.iked -p 2 1.1.5 ipsec config file The ipsecconf file, located at /etc/inet/ipsecinit.conf, is shareable between MDM and SSM. At MDM: Used for manual key SAs config (mdm_pki_initial and ipsec***) and IKE phase2 policies At SSM: Used for config IKE phase 2 policies SSM is enhanced to support the 2 patterns of ipsec policy entry: pattern1 and pattern2, so the Ipsec policies, provisioned by MDM, will be displayed correctly at SSM GUI. These two ipsec policy entry: pattern1 and pattern as:
5d00f90ce14b3e188991360d7
add esp spi 690 proto 6 dst 47.154.135.141 dport 829 src 47.154.136.69 encralg aes encrkey d70c26a909cb52e41432e42ce1eea9a9 authalg sha1 authkey 66ea64653dea86a
5d00f90ce14b3e188991360d7
#
#ident "@(#)ipseckeys.sample 1.1 01/09/28 SMI"
#
# Copyright (c) 2001 by Sun Microsystems, Inc.
# All rights reserved.
# # ipseckeys - This file takes the file format documented in ipseckey(1m).
# Note that naming services might not be available when this file
# loads, just like ipsecinit.conf.
#
# This file should be copied into /etc/inet/secret/ipseckeys to load the
# IPsec Security Association Database (SADB). A side-effect of this is that
# IPsec kernel modules will load. =====End of example Content /etc/inet/secret/ipseckeys===== 1.2 Messages Follow There are no messages flowing within MDM and SSM tool. They both invoked PKBClient to communication with CM. 2. MDM PKI Interface with MSS 2.1 Supported IKE parameters and their scope 2.1.1 IKE attribute supported 2.1.1.1 For phase1 rule: Following is the attributes and their values supported by ike phase1:
2.1.1.2 For phase2 rule: Following is the attributes and their values supported by ike phase2:
2.1.1.3 Attributes Combination Here is their combination supported from MSS design doc [CD5054 MD-2004.0387]: For Phase 1, authentication has to be there as per the RFC. The MSS IKE supports the following combinations for encryption-authentication for the Phase 1 transforms:, and MDM1 with IPaddress , MDM2 with IPaddress for redundancy. These steps should be put in pki_initial_script. add -s vr/0 ip pmm ip , daddr add -s vr/0 ip spd/1 pol/20 sport 22, action bypass, dir out, proto tcp, daddr , saddr , daddr add -s vr/0 ip spd/1 pol/40 sport 22, action bypass, dir out, proto tcp, daddr , saddr # for pki messaging from the two mdms add -s vr/0 ip spd/1 pol/100 proto tcp, sport pki, saddr , daddr add -s vr/0 ip spd/1 pol/101 proto tcp, dport pki, daddr , saddr add -s vr/0 ip spd/1 pol/102 proto tcp, sport pki, saddr , daddr add -s vr/0 ip spd/1 pol/103 proto tcp, dport pki, daddr , saddr # added the ipsec SAs for the two em_pmm mdms a -s vr/0 ip spd/1 pol/100 sa/,esp,700 a -s vr/0 ip spd/1 pol/101 sa/,esp,701 a -s vr/0 ip spd/1 pol/102 sa/,esp,702 a -s vr/0 ip spd/1 pol/103 sa/,esp,703 set vr/0 ip spd/1 pol/100 sa/,esp,700 manespsa encAlg aes, encKey , authAlg sha1, authKey set vr/0 ip spd/1 pol/101 sa/,esp,701 manespsa encAlg aes, encKey , authAlg sha1, authKey set vr/0 ip spd/1 pol/102 sa/,esp,702 manespsa encAlg aes, encKey , authAlg sha1, authKey set vr/0 ip spd/1 pol/103 sa/,esp,703 manespsa encAlg aes, encKey , authAlg sha1, authKey 2.2.2 Add ike with rsasig These steps should be handled by IKE_Add_Phase1 and IKE_MSS_Commissioning The operator would provide the and the (RSA_SIG) in the Commandline. # Add IKE bypass policies add -s vr/0 ip spd/1 pol/50 proto udp, dport ike, action bypass, saddr , daddr add -s vr/0 ip spd/1 pol/60 proto udp, sport ike, action bypass, daddr , saddr , dir out add -s vr/0 ip spd/1 pol/70 proto udp, dport ike, action bypass, saddr , daddr add -s vr/0 ip spd/1 pol/80 proto udp, sport ike, action bypass, daddr , saddr , dir out # Add IKE with the ip address of the OAM port on mss add -s vr/0 ip spd/1 ike srcIpAddress , dstIpAddress a -s vr/0 ip spd/1 pol/201 action apply, dir outbound, ikePolicy Vr/0 Ip Spd/1 Ike Policy/1, srcIpAddress , dstIpAddress a -s vr/0 ip spd/1 prop/1 ipSecPolicyList vr/0 ip spd/1 pol/200 vr/0 ip spd/1 pol/201 s Vr/0 Ip Spd/1 Proposal/1 Transform/1 diffieHellmanGroup gp1, antiReplay on 2.3 Messages Format and Walk through The message Interface residents within MDM EM_PMM, its south-bound named MSS PMM, and the north bound is CM. The messages that are supported between EM PMM and MSS PMM are the following: · Certification Request · Certification Response · Key Recovery Request · Key Recovery Response · Error Message · Confirmation · Certificate Announcement Please refer NM0542 Design Specification [5] for more of the CMP messages definition. 2.4 IKE stack interactive between Solaris and MSS MSS communicate with Solaris IKE where MDM residents directly, MDM does not change the behaviour, however, since the limitation of the Solaris IKE implementation, there are two interactive issues found and addressed: 2.4.1 IKE SA flush During the IKE negotiation, the remote entity will reset their SAs and yet the local Solaris maintains the existing SAs until they have expired). When the connection with MSS is lost, the local Phase2 SAs should be flushed as well as the phase1 SA. As a result of that, SFM is enhanced to monitor the connections using ping against with all remote IKE entries, SFM identifies the remote entries through IKE phase1 SAs or phase2 SAs, then ping them one by one. If un-pingable, the local SAs will be flushed via ike_sa_refresh. The traffic will trigger the re-negotiation of SAs automatically when needed. It applies to IKE both rsasig and preshared. 2.4.2 in.iked restarted The solaris in.iked still refers to the old certs information when the device certs got replaced either from CM GUI or MSS. That will cause the authentication failure for IKE phase1 negotiation, as the result of that, the datapath will be down after the phase2 SAs expiration. The solution is to restart in.iked at MDM each time the device certs got replaced. (CM/SSM has restarted the in.iked when revoked the MDM certs). 1. MSS sends CMP error with 123321 error code to indicate the MSS certs replacement occurred, thus the ike daemon at MDM is required to be restarted. 2. MDM receives the CMP error message then restarts the in.iked 3. At the redundant MDM, since there is no CMP error message arrived, the SFM is enhanced to take this action (restart in.iked) when the remote is unreachable. 3. MDM PKI Interface with CM When talking about the PKI interface with CM, MDM acts as the proxy CA to MSS, 3.1 Provisioning Interface None 3.2 Application Programming Interface See details for pkclient.jar within path com.nortel.sspfssec.pkclient, which is the distribution part of the CM. See Table 20, Table 21 at CM DSUM [6] page 120 and Page 121. 3.3 Messages Follow EM_PMM will communication with CM via it's distribution part: PKBClient, Please refer NM0542 Design Specification [5] for more of the CMP messages definition. 4. MDM PKI Interface with Solaris 4.1 Provisioning Interface The provisioning interface, is for the config files of Solaris IP security, see above on MDM PKI interface with SSM. 4.2 Application Programming Interface 4.2.1 ikeadm The ikeadm utility retrieves information from and manipulates the configuration of the IKE protocol daemon, which is the interface for IKE polices database as well. Here is the command used by ike provisioned scripts and the argues (please see Solaris man page for details): /usr/sbin/ikeadm get priv /usr/sbin/ikeadm dump rule /usr/sbin/ikeadm get rule /usr/sbin/ikeadm get preshared /usr/sbin/ikeadm get p1 /usr/sbin/ikeadm del p1 /usr/sbin/ikeadm get stats 4.2.2 ikecert certdb To get the local DNX509 cert information: "/usr/sbin/ikecert certdb -l -v", then get the subject-name from the "CA: FALSE" flagged entry. 4.2.3 ipsecconf Ipsecconf is used to config Solaris system wide Ipsec policies. MDM uses it with the following way: /usr/sbin/ipsecconf /usr/sbin/ipsecconf -l -n /usr/sbin/ipsecconf -f /usr/sbin/ipsecconf -a /etc/inet/ipsecinit.conf /usr/sbin/ipsecconf -d dst /usr/sbin/ipseckey delete esp spi dst /usr/sbin/ipseckey dump 4.3 Messages Follow
| ike.config items | definition | Impact SSM | Impact MDM |
| Global parameters shared by MDM and SSM | |||
| p1_nonce_len | Nonce length of Phase1 negotiation | Y | Y |
| ######## ## Global parameters | cert_root and cert_trust required for MDM/MSS IKE rsasig. . | Y | Y |
| cert_root "CN=PKBRoot01, ST=North Carolina, C=US, L=Research Triangle Park, O=Security, OU=3X20" | |||
| cert_trust "CN=PKBRoot01, ST=North Carolina, C=US, L=Research Triangle Park, O=Security, OU=3X20" | |||
| ignore_crls | To ignore the CRL( Cert Revocation List) ignore_crls for root CAs | Y | Y |
| # ## Phase 1 transform defaults | |||
| p1_lifetime_secs 28800 | IKE phase1 SAs lifetime | Y | Y |
| SSM appended entries ( for instance, default phase1 xform) | |||
| # ## Defaults that individual rules can override. p1_xform { auth_method preshared oakley_group 1 auth_alg sha encr_alg 3des } p2_pfs 0 | Default Phase1 transform | Y | N |
| MDM appended IKE preshared rules | |||
| { label INDEXID_1 | Label used as the search string. for in.iked to looks up phase 1 policy rules | Y | Y |
| local_id_type ip | The type of local address. | SS N** (SSM could display it at M GUI) | |
| local_addr 47.154.135.86 | local Ip address | ||
| remote_addr 47.154.135.81 | remote ip address | ||
| p2_pfs 2 p2_lifetime_secs 28800 | oakley group and the phase2 SAs lifetime, used for P2 negotiation, | ||
| p1_xform { p1_lifetime_secs 86400 auth_method preshared oakley_group 1 auth_alg sha1 encr_alg des} } | The transform of phase1 with authenticated by preshared | ||
| MDM appended IKE rsasig rules | |||
| { label INDEXID_2 | Label used as the search string. for in.iked to looks up phase 1 policy rules | Y | Y |
| local_id_type dn | The local id type, "dn" means the DNX.509 distinguished name | N | Y |
| local_addr 47.154.135.86 | local IP address | ||
| local_id "CN=SSM0 47.154.135.86, ST=North Carolina , C=US, L=Research Triangle Park, O=Security, OU=3X20" | The DNX.509 distinguished name | Y | |
| remote_addr 47.154.136.69 | IP address of the remote entry with IPv4 format | N | |
| remote_id "" | Use remote_addr for access control. when null means "take any," | ||
| p2_pfs 1 | oakley group used for P2 negotiation, | ||
| p1_xform { p1_lifetime_secs 86400 auth_method rsa_sig oakley_group 1 auth_alg sha1 encr_alg des} } | P1's transform information ; | ||
| ike.config items | definition | Interaction details/Issues | Solution |
| Global parameters shared by MDM and SSM | |||
| p1_nonce_len 20 | Nonce length of Phase1 negotiation | MSS requires 20 for MDM-MSS IKE rsasig relationship. SSM sets it to 40 as SPFS required. | MDM forces it to 20 SSM must not overwrite it if it's not null. |
| cert_root "CN=PKBRoot01, ST=North Carolina, C=US, L=Research Triangle Park, O=Security, OU=3X20" cert_trust "CN=PKBRoot01, ST=North Carolina, C=US, L=Research Triangle Park, O=Security, OU=3X20" | cert_root and cert_trust required for MDM/MSS IKE rsasig. . | Appended by SSM after the certs generated/installed for MDM. Removed by SSM after the MDM certs were removed | MDM does not touch it |
| ignore_crls | To ignore the CRL( Cert Revocation List) ignore_crls for root CAs (as given in cert_root) | SSM appended it. | If not exist, MDM will append it. |
| p1_lifetime_secs 28800 | IKE phase1 SAs lifetime, it's global and could be override by values in the rule entry | SSM sets it to 28800, MDM requires 86400 by default. | If does not exist, MDM will append that item with 86400. No matter the value, MDM sets p1_lifetime to 86400 per IKE rule locally. |
| SSM appended entries ( for instance, default phase1 xform) | |||
| p1_xform { auth_method preshared oakley_group 1 auth_alg sha encr_alg 3des } p2_pfs 0 | # ## Defaults that individual rules can override. | Added by SSM. It is from SSPFS installation | No action required for MDM |
| MDM appended IKE preshared rules | |||
| { label INDEXID_1 | Label used as the search string. for in.iked to looks up phase 1 policy rules | SSM required INDEXID_x, where x is the integer identical among this file. | MDM follows SSM's rule. |
| local_id_type ip | The type of local address. | No action required for SSM | MDM always set to "ip" if IKE preshared |
| local_addr 47.154.135.86 | local Ip address | These values are set by MDM ike scripts, either from the operator input or the system derived. | |
| remote_addr 47.154.135.81 | remote ip address | ||
| p2_pfs 2 p2_lifetime_secs 28800 | oakley group and the phase2 SAs lifetime, used for P2 negotiation, | ||
| p1_xform { p1_lifetime_secs 86400 auth_method preshared oakley_group 1 auth_alg sha1 encr_alg des} } | The transform of phase1 with authenticated by preshared | ||
| { | The IKE rsasig rule added by MDM IKE provisioning scripts | These IKE rules appended would be displayed by SSM GUI. | Added by MDM Removed by MDM when deletion |
| MDM appended IKE rsasig rules | |||
| label INDEXID_2 | See above for label | ||
| local_id_type dn | The local id type, "dn" means the DNX.509 distinguished name | No action required for SSM SSM should not touch it. | MDM always set it to "dn" if at rsasig. |
| local_addr 47.154.135.86 | local IP address | ||
| local_id "CN=SSM0 47.154.135.86, ST=North Carolina , C=US, L=Research Triangle Park, O=Security, OU=3X20" | The DNX.509 distinguished name | SSM must modify it when MDM certs were replaced/revoked. | MDM sets its value firstly by retrieving it from the local workstation Removed by MDM when delete IKE rules |
| remote_addr 47.154.136.69 | IP address of the remote entry with IPv4 format | No action required for SSM. SSM should not touch it. | Set by MDM |
| remote_id "" | Use remote_addr for access control. when null means "take any" | No action required for SSM SSM should not touch it. | Set by MDM |
| p2_pfs 1 | oakley group used for P2 negotiation | No action required for SSM SSM should not touch it. | this value is set by MDM ike scripts( the operator) |
| p1_xform { p1_lifetime_secs 86400 auth_method rsa_sig oakley_group 1 auth_alg sha1 encr_alg des} } | P1's transform information | No action required for SSM SSM should not modify them. | All these name-value pairs are set by MDM IKE scripts. MDM sets p1_lifetime locally here at rule entry. |
p1_nonce_len 20
########
{
label INDEXID_1
local_id_type ip
local_addr 47.154.135.86
remote_addr 47.154.136.69
p2_pfs 2 p2_lifetime_secs 28800
p1_xform { auth_method preshared oakley_group 2 auth_alg md5 encr_alg 3des}
} 1.1.1.5 Scenario 3 : certs installed by SSM when IKE PSK already provisioned If the ike phase1 preshared key provisioned already, using the SSM GUI to generate and install certs for MDM, here is the ike.config should look like: p1_nonce_len 20
## Global parameters
cert_root "CN=PKBRoot0000, ST=North Carolina, C=US, L=Research Triangle Park, O=Security, OU=3X20"
cert_trust "CN=PKBRoot0000, ST=North Carolina, C=US, L=Research Triangle Park, O=Security, OU=3X20"
ignore_crls
#
## Phase 1 tranform defaults
p1_lifetime_secs 28800 #
## Defaults that individual rules can override.
p1_xform
{ auth_method preshared oakley_group 1 auth_alg sha encr_alg 3des }
p2_pfs 0
--->The following is used by MDM: #
{
label INDEXID_1
local_id_type ip
local_addr 47.154.135.86
remote_addr 47.154.136.69
p2_pfs 2 p2_lifetime_secs 28800
p1_xform { p1_lifetime_secs 86400 auth_method preshared oakley_group 2 auth_alg md5 encr_alg 3des}
}
~ 1.1.1.6 Scenario 4: IKE rsasig provisioned from none security Here is the example if the MDM IKE rsasig provisioned from none security p1_nonce_len 20
## Global parameters
cert_root "CN=PKBRoot0000, ST=North Carolina, C=US, L=Research Triangle Park, O=Security, OU=3X20"
cert_trust "CN=PKBRoot0000, ST=North Carolina, C=US, L=Research Triangle Park, O=Security, OU=3X20"
ignore_crls
#
## Phase 1 tranform defaults
p1_lifetime_secs 28800
#
## Defaults that individual rules can override.
p1_xform
{ auth_method preshared oakley_group 1 auth_alg sha encr_alg 3des }
p2_pfs 0
#
{
label INDEXID_1
local_id_type dn
local_addr 47.154.135.85
local_id "CN=SSM0 47.154.135.85, ST=North Carolina, C=US, L=Research Triangle Park, O=Security, OU=3X20"
remote_addr 47.154.136.135
remote_id ""
p2_pfs 2 p2_lifetime_secs 28800
p1_xform { p1_lifetime_secs 86400 auth_method rsa_sig oakley_group 2 auth_alg sha1 encr_alg des}
} 1.1.1.7 Scenario 5: IKE transition from PSK to rsasig The config file, ike.config used the same as the IKE rsasig provisioned from none security 1.1.1.8 Scenario 6: IKE rsasig with IKE PSK co-existence IKE PSK and IKE rsasig together after MDM ike phase1 provisioned, Here the IKE rsasig and preshared rule refers to the different remote entries p1_nonce_len 20
########
## Global parameters
cert_root "CN=PKBRoot01, ST=North Carolina, C=US, L=Research Triangle Park, O=Security, OU=3X20"
cert_trust "CN=PKBRoot01, ST=North Carolina, C=US, L=Research Triangle Park, O=Security, OU=3X20"
ignore_crls
#
## Phase 1 tranform defaults
p1_lifetime_secs 28800
#
## Defaults that individual rules can override.
p1_xform
{ auth_method preshared oakley_group 1 auth_alg sha encr_alg 3des }
p2_pfs 0
#
{
label INDEXID_1
local_id_type ip
local_addr 47.154.135.86
remote_addr 47.154.135.81
p2_pfs 2 p2_lifetime_secs 28800
p1_xform { p1_lifetime_secs 86400 auth_method preshared oakley_group 1 auth_alg sha1 encr_alg des}
} {
label INDEXID_2
local_id_type dn
local_addr 47.154.135.86
local_id "CN=SSM0 47.154.135.86, ST=North Carolina, C=US, L=Research Triangle Park, O=Security, OU=3X20"
remote_addr 47.154.136.69
remote_id ""
p2_pfs 1
p1_xform { p1_lifetime_secs 86400 auth_method rsa_sig oakley_group 1 auth_alg sha1 encr_alg des}
}
~ 1.1.2 Public keys used by MDM Public keys used by MDM are stored at /etc/inet/ike/publickeys The /etc/inet/ike/publickeys directory contains the public part of a public-private key pair and its certificate in files, or "slots", which is protected at 0755(not changeable other than root). The "ikecert certdb" command to populate the directory. MDM ike_add_phase1 (at rsasig mode) will check the existence of the public keys by /usr/sbin/ikecert certdb -l before it's going further on the config of IKE phase 1 rules. This dir is filled by SSM when generation certs for MDM. These files should get updated by SSM if the certs were replaced /deleted. 1.1.3 Private keys used by MDM MDM's private keys are stored at /etc/inet/secret/ike.privatekeys. The ike.privatekeys directory holds private key files that are part of a public-private key pair, keying material for ISAKMP SAs. The directory is protected at 0700. The private key in this database must have a public key counterpart in the publickeys database.The ikecert certlocal command populates this directory. Private keys are not effective until their public key counterparts, self-signed certificates or CAs, are installed in the /etc/inet/ike/publickeys directory. MDM application does not populate it explicitly, it relies on the SSM at the succession PKI framework (with CM) to own it(create/remove and permission). This dir is filled by SSM when generation certs for MDM. These files should get updated by SSM if the certs replaced/deleted. 1.1.4 in.iked in.iked is the Solaris ike daemon shared by MDM, SSM so far. In order to get the privilege to manipulate the IKE database, when provisioning IKE between MDM and MSS such as adding ike phase1 and removal of them. MDM would restart the in.iked with privilege 2if it's not running or running without proper right. 1.1.4.1 To get the privilege: "/usr/sbin/ikeadm get priv", The privilege level should be 2(can access keying materials), if not, MDM will kill and start it again. 1.1.4.2 To kill it: /usr/bin/pkill in.iked 1.1.4.3 To start it: IKE daemon is started with privilege 2 as the following: /usr/lib/inet/in.iked -p 2 1.1.5 ipsec config file The ipsecconf file, located at /etc/inet/ipsecinit.conf, is shareable between MDM and SSM. At MDM: Used for manual key SAs config (mdm_pki_initial and ipsec***) and IKE phase2 policies At SSM: Used for config IKE phase 2 policies SSM is enhanced to support the 2 patterns of ipsec policy entry: pattern1 and pattern2, so the Ipsec policies, provisioned by MDM, will be displayed correctly at SSM GUI. These two ipsec policy entry: pattern1 and pattern as:
pattern_name_value_pair1 ::= saddr / | src / | srcaddr / | smask | sport | daddr / | dst / | dstaddr / | dmask | dport | ulp | proto pattern_name_value_pair2 ::= raddr / | remote / | rport | laddr / | local / | lport | ulp | 1.1.6 ipseckeys Ipsec Keys, one of the config file for manual Ipsec, located at /etc/inet/secret/. SSM does not make use of it since it does not support manual key Ipsec. MDM manipulates it as the following MDM scripts: PKI involved (used for protection TCP829 for CMP messages) · mdm_pki_initial_script · pki_decommissioning_script The example of the /etc/inet/secret/ipseckeys after the mdm_pki_initial looks like: =====example Content of /etc/inet/secret/ipseckeys===== add esp spi 691 proto 6 src 47.154.135.141 sport 829 dst 47.154.136.69 encralg aes encrkey d70c26a909cb52e41432e42ce1eea9a9 authalg sha1 authkey 66ea64653dea86a5d00f90ce14b3e188991360d7
add esp spi 690 proto 6 dst 47.154.135.141 dport 829 src 47.154.136.69 encralg aes encrkey d70c26a909cb52e41432e42ce1eea9a9 authalg sha1 authkey 66ea64653dea86a
5d00f90ce14b3e188991360d7
#
#ident "@(#)ipseckeys.sample 1.1 01/09/28 SMI"
#
# Copyright (c) 2001 by Sun Microsystems, Inc.
# All rights reserved.
# # ipseckeys - This file takes the file format documented in ipseckey(1m).
# Note that naming services might not be available when this file
# loads, just like ipsecinit.conf.
#
# This file should be copied into /etc/inet/secret/ipseckeys to load the
# IPsec Security Association Database (SADB). A side-effect of this is that
# IPsec kernel modules will load. =====End of example Content /etc/inet/secret/ipseckeys===== 1.2 Messages Follow There are no messages flowing within MDM and SSM tool. They both invoked PKBClient to communication with CM. 2. MDM PKI Interface with MSS 2.1 Supported IKE parameters and their scope 2.1.1 IKE attribute supported 2.1.1.1 For phase1 rule: Following is the attributes and their values supported by ike phase1:
| Parameters | Values |
| -p1_pfs | <1|2> |
| -p1_lifetime | <1800-172800> seconds |
| -enc_alg | |
| -auth_alg | |
| -p2_pfs | <0|1|2> |
| -p2_lifetime | <1800-172800> seconds |
| Parameters | Values |
| -proto | |
| -srcPort -dstPort | Port must be one of: any, ftpdata, ftp, telnet, ntp, snmp, ike, pki, rip, radius, fmip, 1-19, 22-24, 124-160, 162-499, 501-519, 521-828, 830-1811, 1813-5927, 5929-65535 |
| -enc_alg | |
| -auth_alg | |
| -p2_pfs | <0|1|2> |
| -p2_lifetime | <1800-172800> seconds |
| -antiReplay |
- DES-SHA1
- DES-MD5
- 3DES-SHA1
- 3DES-MD5
- none-SHA1
- none-MD5
- DES-SHA1
- DES-MD5
- 3DES-SHA1
- 3DES-MD5
- AES-SHA1 1
MDM does not have IKE messages interactions with local solaris
e.g.
数据库的安全要保护哪些东西
数据库安全各自的含义是什么
生产安全数据库录入
数据库的安全性及管理
数据库安全策略包含哪些
海淀数据库安全审计系统
建立农村房屋安全信息数据库
易用的数据库客户端支持安全管理
连接数据库失败ssl安全错误
数据库的锁怎样保障安全
北方服务器品牌
零基础学软件开发报名
可以开单人生存的宝可梦服务器
两台电脑一台做服务器
数据库创建主键语法
思迅前台怎么连接数据库
普陀区软件开发技术指导
网络安全助力强军兴军板报
周口网络技术推荐厂家
江西节费网络技术
苹果手机网络安全密码学习
邯郸办公系统软件开发机构
第七个首都网络安全日宣传片
武威软件开发公司哪家好
气质质谱数据库
河源无限软件开发价钱
ios web服务器
服务器安全维护措施
宁波鄞州区手机游戏软件开发
武汉扬成互联网科技有限公司
网络安全漏洞教学
隐藏数据库列
联盟测试服无法连接服务器
服务器奔溃错误代码974
网络安全上市公司分析
桓台采购软件开发服务
网络安全购物的高中英语作文
数据库快招监视器的缺省输出
腾讯云服务器连接uniapp
国家网络安全书签图片
