HP-UX IPSec A.03.02.02 Release Notes
HP-UX 11i version 3

Abstract
This document provides information about the A.03.02.02 release of HP-UX IPSec for HP-UX 11i v3 (B.11.31).

HP Part Number: 766158-001
Published: April 2014
Edition: 1
© Copyright 2014 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Contents
HP secure development lifecycle  5
1 HP-UX IPSec overview  6
2 New and changed features  7
  New and changed features in A.03.02.02  7
  New and changed features in A.03.01.01
Known problems and limitations  17
5 Compatibility and installation requirements  19
  Operating system and version compatibility  19
  Software requirements  19
  Disk requirements
HP secure development lifecycle
Starting with the HP-UX 11i v3 March 2013 update release, the HP secure development lifecycle provides the ability to authenticate HP-UX software. Software delivered through this release has been digitally signed using HP's private key. You can now verify the authenticity of the software before installing the products delivered through this release. To verify the software signatures in a signed depot, the following products must be installed on your system:
• B.11.31.
1 HP-UX IPSec overview
HP-UX IPSec provides transparent encryption for IP-based applications. It also enhances the privacy of Internet communications. HP-UX IPSec supports PKI-based authentication, rule-based access control, and the Internet Key Exchange (IKE) protocol. It also serves as a framework for open standards networking, requires no application modification to take advantage of network-level security, and can be a component of the HP Virtual Private Network (VPN) solution.
2 New and changed features
New and changed features in A.03.02.02
The HP-UX IPSec A.03.02.02 release adheres to RFC 4868 to support HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 for both IKE and ESP (Encapsulating Security Payload). It also supports the new encryption algorithms AES-CBC-192 and AES-CBC-256 along with the AES-CBC-128 transform already supported in version A.03.01.01 (RFC 3602). HP-UX IPSec A.03.02.02 has a dependency on the PHNE_43412 patch. The A.03.02.
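The RFC 4868 transforms named above are HMAC-SHA2 variants in which the sender truncates the full HMAC output to half its length (128, 192, or 256 bits) to form the ESP integrity check value, and the receiver recomputes and compares it. The following added example (written for these notes, not HP-UX IPSec product code) implements that truncation and a receiver-side constant-time check over a constructed ESP-like byte layout (SPI, sequence number, ciphertext, ICV); the packet fields, keys, and ciphertext are constructed for illustration, and the only real-world value is the RFC 4868 section 2.7.1 test vector used to check HMAC-SHA-256.

```python
import hashlib
import hmac

# RFC 4868 integrity transforms for ESP/AH: the full HMAC output is truncated
# to half its length to form the ICV, and the integrity key length is fixed to
# the hash output length. Name -> (hash constructor, key length, ICV length) in bytes.
RFC4868_TRANSFORMS = {
    "HMAC-SHA-256-128": (hashlib.sha256, 32, 16),
    "HMAC-SHA-384-192": (hashlib.sha384, 48, 24),
    "HMAC-SHA-512-256": (hashlib.sha512, 64, 32),
}


def compute_icv(transform, key, authenticated_bytes):
    """Return the truncated ICV that an ESP sender appends to the packet."""
    digestmod, key_len, icv_len = RFC4868_TRANSFORMS[transform]
    if len(key) != key_len:
        raise ValueError(f"{transform} requires a {key_len}-byte key, got {len(key)}")
    return hmac.new(key, authenticated_bytes, digestmod).digest()[:icv_len]


def verify_icv(transform, key, authenticated_bytes, received_icv):
    """Receiver-side check: recompute the ICV and compare in constant time,
    so a forged ICV cannot be narrowed down byte by byte via timing."""
    expected = compute_icv(transform, key, authenticated_bytes)
    return hmac.compare_digest(expected, received_icv)


def build_esp_with_icv(transform, key, spi, seq, encrypted_payload):
    """Constructed ESP-like layout: SPI || sequence number || ciphertext || ICV.
    The ICV covers everything before it, as in the RFC 4303 authenticated region."""
    header = spi.to_bytes(4, "big") + seq.to_bytes(4, "big")
    authenticated = header + encrypted_payload
    return authenticated + compute_icv(transform, key, authenticated)


def check_esp_icv(transform, key, packet):
    """Split a packet produced by build_esp_with_icv and verify its trailing ICV."""
    icv_len = RFC4868_TRANSFORMS[transform][2]
    if len(packet) < 8 + icv_len:  # too short to hold header plus ICV
        return False
    body, icv = packet[:-icv_len], packet[-icv_len:]
    return verify_icv(transform, key, body, icv)


# RFC 4868 section 2.7.1 test case 1: key = 32 bytes of 0x0b, data = "Hi There".
RFC4868_TEST_KEY = bytes([0x0B] * 32)
RFC4868_TEST_DATA = b"Hi There"

if __name__ == "__main__":
    icv = compute_icv("HMAC-SHA-256-128", RFC4868_TEST_KEY, RFC4868_TEST_DATA)
    print("HMAC-SHA-256-128 ICV of RFC 4868 test case 1:", icv.hex())
    key = bytes(range(48))  # constructed 48-byte key for HMAC-SHA-384-192
    pkt = build_esp_with_icv("HMAC-SHA-384-192", key, 0x1000, 1, b"\x00" * 32)  # constructed ciphertext
    print("intact packet verifies:", check_esp_icv("HMAC-SHA-384-192", key, pkt))
    # Flip one bit of the ciphertext: the receiver must reject the packet.
    tampered = pkt[:8] + bytes([pkt[8] ^ 0x01]) + pkt[9:]
    print("tampered packet verifies:", check_esp_icv("HMAC-SHA-384-192", key, tampered))
```

The key-length check matters operationally: RFC 4868 ties the integrity key size to the hash output size, so a peer offering HMAC-SHA-256-128 with a 20-byte key (the older RFC 2104-style sizing) is a configuration mismatch rather than a valid proposal.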
protocol was defined by the Internet Engineering Task Force (IETF) and is used for setting up a security association (SA) in the IPsec protocol suite. D-H group 24 is described in RFC 5114. For more information, see RFC 5114 at the following IETF web page: http://tools.ietf.org/html/rfc5114
• New option for configuration of D-H group 24
The HP-UX IPSec ipsec_config command has been enhanced to allow you to configure D-H group 24.
-alt-ipv4 ipv4_addr argument accordingly. For example, the following specifies three IPv4 addresses:
-alt-ipv4 192.6.2.2 -alt-ipv4 192.6.2.3 -alt-ipv4 192.6.2.5
-alt-fqdn fqdn
Specifies the Fully Qualified Domain Name (FQDN) you want in the subjectAlternativeName field of the certificate, such as myhost.acme.com. The FQDN is also referred to as the Domain Name Service or DNS name. You can specify up to 20 FQDNs by repeating the -alt-fqdn fqdn argument accordingly.
◦ “IKEv1 Perfect Forward Secrecy supported with keys only” (page 12)
◦ “IKE support for multiple hash, encryption, and group values” (page 12)
◦ “IKE support for Diffie-Hellman groups 5 and 14” (page 12)
◦ “IKE support for AES128-CBC encryption” (page 12)
• “Authentication record changes” (page 12)
◦ “Authentication records are mandatory” (page 12)
◦ “Authentication records specify the IKE (key management protocol) version” (page 12)
◦ “Authentication records include a priority value
IKE policy changes
The following sections describe product changes related to IKE policies.
Support for IKE version 2
HP-UX IPSec now supports IKE version 2 (IKEv2) in addition to IKE version 1 (IKEv1).
IKEv1 and IKEv2 policies replace IKE policies
Policies for ike are replaced by ikev1 and ikev2 policies. The migration utility converts each existing ike policy to an ikev1 policy as follows:
• The IKE authentication (-auth) value is ignored.
IKEv1 Perfect Forward Secrecy supported with keys only
HP-UX IPSec now supports IKE Perfect Forward Secrecy (PFS) with key protection only. This enables IKE to reuse an existing IKE SA to negotiate a new IPsec SA pair and establish new keying information when negotiating the IPsec SA pair. In releases prior to A.03.00, HP-UX IPSec provided a form of PFS when the IKE maximum quick modes value (-maxqm) was 1.
You can specify both IKE versions. The IKE daemon uses the first version for all negotiations it initiates, and responds to negotiations for both versions.
Authentication records support the AUTOCONF flag
Authentication records now support the AUTOCONF flag for address autoconfiguration clients, such as DHCP and DHCPv6 clients. The AUTOCONF flag was configured in host policies in previous releases. Support for the AUTOCONF flag in host policies is deprecated (supported but not documented).
Support for IP address ranges in tunnel policies
You can specify IP address ranges in the end-to-end source and destination arguments (-source and -destination) for IPsec tunnel policies.
Port numbers and services are ignored in tunnel policies
Port numbers and service names are ignored in end-to-end source and destination arguments for IPsec tunnel policies. They are no longer documented.
Support for multiple-level Public Key Infrastructures
HP-UX IPSec can authenticate a peer using multiple-level Public Key Infrastructures (PKIs) with multiple Certificate Authorities (CAs) if the local system and the peer share a common root CA. You must install a certificate for the root CA, a certificate for each intermediate CA in the path from the local system to the root CA, and a certificate for each intermediate CA in the path from the peer to the root CA.
3 Known problems fixed in the release
Known problems fixed in IPSec A.03.02.02
Table 1 (page 16) lists the known problems and fixes in the A.03.02.02 release of HP-UX IPSec.
Table 1 Fixes in HP-UX IPSec A.03.02.02
Defect ID: QXCR1001217559
Description: "ipsec_config export" does not collect the 'bypass' rule.
Known problems fixed in IPSec A.03.00.01
The following table lists the known problems and fixes in the A.03.00.01 release of HP-UX IPSec.
Table 2 Fixes in HP-UX IPSec A.03.00.
4 Known problems and limitations
This section lists the problems and limitations known to HP at the time of publication. If workarounds are available, they are described.
• The following error messages appear in /var/adm/syslog/syslog.
• Host name resolution
If you are using DNS, NIS, or NIS+ to resolve hostnames to IP addresses and you have an IPSec policy that discards, encrypts, or authenticates packets to the DNS, NIS, or NIS+ server, you must configure your system to resolve the address for the local hostname and the loopback name using the /etc/hosts file.
Workaround: Configure the hostname resolution services as follows:
◦ In the /etc/nsswitch.conf file, specify files as the first database for resolving hostnames.
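The failure mode behind this workaround is circular: the policy that protects traffic to the name server needs the local hostname's address, but resolving that name goes to the very server the policy covers. The following added check script (written for these notes, not part of HP-UX IPSec) parses the two files the workaround touches and reports whether files is the first hosts database in nsswitch.conf and whether the local hostname and the loopback name have /etc/hosts entries. The sample file contents, hostname myhost, and address 192.0.2.10 are constructed for the example; on a real system you would read /etc/nsswitch.conf and /etc/hosts.

```python
import re

# Constructed sample files, not copied from any system.
SAMPLE_NSSWITCH_OK = """\
# /etc/nsswitch.conf (constructed sample): files consulted before DNS
passwd: files
hosts:  files [NOTFOUND=continue] dns
"""
SAMPLE_NSSWITCH_BAD = """\
# constructed sample: DNS consulted first, so the local name needs the DNS server
hosts: dns [NOTFOUND=continue] files
"""
SAMPLE_HOSTS = """\
# /etc/hosts (constructed sample)
127.0.0.1   localhost loopback
192.0.2.10  myhost.example.com myhost
"""


def hosts_source_order(nsswitch_text):
    """Return the lookup sources listed on the 'hosts:' line, in order.
    Status specifications such as [NOTFOUND=continue] are dropped."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"hosts\s*:\s*(.*)$", line)
        if m:
            sources = re.sub(r"\[[^\]]*\]", " ", m.group(1))
            return sources.split()
    return []  # no hosts: entry found


def files_first_for_hosts(nsswitch_text):
    """True when /etc/hosts is consulted before any network name service."""
    order = hosts_source_order(nsswitch_text)
    return bool(order) and order[0] == "files"


def names_in_hosts_file(hosts_text):
    """Collect every hostname and alias defined in an /etc/hosts-style text."""
    names = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:  # address followed by one or more names
            names.update(fields[1:])
    return names


def check_local_resolution(nsswitch_text, hosts_text, local_hostname, loopback_name="localhost"):
    """Return a list of findings; an empty list means the workaround is in place."""
    findings = []
    if not files_first_for_hosts(nsswitch_text):
        findings.append("hosts: entry in nsswitch.conf does not list 'files' first")
    names = names_in_hosts_file(hosts_text)
    for name in (local_hostname, loopback_name):
        if name not in names:
            findings.append(f"{name} has no entry in /etc/hosts")
    return findings


if __name__ == "__main__":
    for label, nss in (("good nsswitch", SAMPLE_NSSWITCH_OK), ("bad nsswitch", SAMPLE_NSSWITCH_BAD)):
        findings = check_local_resolution(nss, SAMPLE_HOSTS, "myhost")
        print(f"{label}: {'OK' if not findings else findings}")
```

The check deliberately treats a missing hosts: entry as a finding rather than assuming a default, because the default order is exactly what the workaround is overriding.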
5 Compatibility and installation requirements
This section describes the compatibility information and installation requirements for this release. For specific installation instructions, see the latest version of the HP-UX IPSec version A.03.02.02 Administrator's Guide.
Operating system and version compatibility
HP-UX 11i v3 supports HP-UX IPSec A.03.02.02, A.03.01.01, and A.03.00.01.
Privacy-Enhanced Mail (PEM) base64 encoding. This CSR format is typically used for “copy and paste” certificate requests. If you are using a CA or PKI utility to create the key pair and CSR, the CA must provide the certificate for the local system and the private key in a PKCS#12 encoded file.
◦ Certificates: The CA must provide X.
6 Migrating to HP-UX IPSec A.03.0x
The following sections contain information for migrating from HP-UX IPSec version A.02.01 to A.03.0x.
NOTE: If you are using a version of HP-UX IPSec prior to A.02.01, you must upgrade to HP-UX IPSec A.02.01 or A.02.01.01 first, then migrate to HP-UX IPSec A.03.0x. For information on migrating from previous versions to A.02.01 or A.02.01.01, see the HP-UX IPSec A.02.01 Administrator's Guide (J4256-90015).
3. Check if you need to make any additional changes to the configuration database. See “Additional configuration tasks” (page 22) for more information.
4. Start HP-UX IPSec:
ipsec_admin -start
Additional configuration tasks
The ipsec_migrate utility changes object types and values when converting a configuration database for HP-UX IPSec A.03.0x. Check the following list for additional changes that may be needed after running ipsec_migrate:
• Check the IKEv1 policies.
0x and are using it with a release prior to A.03.00, the key values will not match. Change the preshared key values on both systems.
• Configure the AUTOCONF flag in authentication records for autoconfiguration clients. In previous releases, the AUTOCONF flag was set in host policies. The use of the AUTOCONF flag in host policies is deprecated and might be removed in future product releases.
Certificate files
Beginning with release A.03.00, HP-UX IPSec stores certificate and CRL files in new locations.
7 Support and other resources
Contacting HP
HP encourages your comments concerning this document. We are truly committed to providing documentation that meets your needs. To make comments and suggestions about product documentation, send a message to: http://www.hp.com/bizsupport/feedback/ww/webfeedback.html
Please include the document title, manufacturing part number, and any comment, error found, or suggestion for improvement you have concerning this document.
[ ]  The contents are optional in formats and command descriptions.
{ }  The contents are required in formats and command descriptions.
|  Separates items in a list of choices. In the following example, you must specify either item-a or item-b: {item-a | item-b}
\  The continuous line symbol.
find(1)  HP-UX manpage. In this example, “find” is the manpage name and “1” is the manpage section.
Enter  The name of a keyboard key. Note that Return and Enter both refer to the same key.