HP-UX IPSec A.03.02.02 Release Notes HP-UX 11i version 3 (766158-001, April 2014)

Support for multiple level Public Key Infrastructures
HP-UX IPSec can authenticate a peer using a multiple-level Public Key Infrastructure (PKI) with
multiple Certificate Authorities (CAs), provided the local system and the peer share a common root CA.
You must install a certificate for the root CA, a certificate for each intermediate CA in the path
from the local system to the root CA, and a certificate for each intermediate CA in the path from the
peer to the root CA. Each CA certificate and each CRL must be contained in its own file or directory
object; HP-UX IPSec does not load multiple certificates or CRLs from a single file or directory object.
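The path requirement above, shown as an added example that is not part of the release notes and uses OpenSSL rather than HP-UX IPSec tooling: a three-level PKI (root CA, intermediate CA, peer certificate) is built with every CA certificate in its own file, and the peer certificate is then verified with the full path installed, with the intermediate missing, and with no shared root. The subject names, file names and working directory are assumptions made for this example.

```shell
#!/bin/sh
# Added example: multi-level PKI with one certificate per file, verified with OpenSSL.
# Subject names, file names and the working directory are assumptions for this example.
set -e

WORK=$(mktemp -d)
CA_EXT="$WORK/ca.ext"

make_chain() {
  cd "$WORK"
  # Extensions that mark a certificate as a CA; applied to the intermediate when it is signed.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$CA_EXT"

  # 1. Self-signed root CA: the trust anchor both peers must share.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout root.key -out root.pem -subj '/CN=Example Root CA' >/dev/null 2>&1

  # 2. Intermediate CA signed by the root. It lives in its own file (inter.pem) and is
  #    never concatenated with root.pem, because HP-UX IPSec loads one certificate per file.
  openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj '/CN=Example Intermediate CA' >/dev/null 2>&1
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1825 -extfile "$CA_EXT" -out inter.pem >/dev/null 2>&1

  # 3. Peer (end-entity) certificate signed by the intermediate.
  openssl req -newkey rsa:2048 -nodes -keyout peer.key -out peer.csr \
    -subj '/CN=peer.example.net' >/dev/null 2>&1
  openssl x509 -req -in peer.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 365 -out peer.pem >/dev/null 2>&1
}

# Full path installed: root trusted, intermediate supplied as a separate link. Succeeds.
verify_full_path() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$WORK/peer.pem" >/dev/null 2>&1
}

# Intermediate certificate not installed: the path from peer to root cannot be built. Fails.
verify_missing_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/peer.pem" >/dev/null 2>&1
}

# Only the intermediate installed and no common root: no trust anchor is reached. Fails.
verify_no_common_root() {
  openssl verify -CAfile "$WORK/inter.pem" "$WORK/peer.pem" >/dev/null 2>&1
}

make_chain
verify_full_path            && echo "full path:            OK"
verify_missing_intermediate || echo "missing intermediate: rejected"
verify_no_common_root       || echo "no common root:       rejected"
```

The two failing cases are the ones that matter operationally: a peer whose chain stops at an intermediate you did not install, or whose chain ends at a root you do not share, is rejected even though every signature in it is valid.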
Certificate revocation list cron file change
The name and location of the file containing the cron script that retrieves a certificate revocation
list (CRL) changed. The new file path is /var/adm/ipsec/util/crl.cron. The file path in previous
releases was /var/adm/ipsec_gui/cron/crl.cron.
If you have an entry in a crontab file that references the /var/adm/ipsec_gui/cron/crl.cron file,
you do not need to modify it. The migration utility creates a softlink from
/var/adm/ipsec_gui/cron/crl.cron to /var/adm/ipsec/util/crl.cron.
In previous releases, HP-UX IPSec also stored the location of the LDAP server for the CRL in the
/var/adm/ipsec/cainfo.txt file. This information is now stored in files in the
/var/adm/ipsec/crl_cron directory.
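A post-migration check, added here as an example that is not part of the release notes: it scans a crontab listing for entries that invoke crl.cron under either path and confirms that each one still resolves, through the softlink where applicable, to an executable file. The crontab text and the sandbox directory are constructed for the example; on a real host the sandbox prefix would be empty and the input would come from crontab -l.

```shell
#!/bin/sh
# Added example: confirm that crontab references to crl.cron (old or new path) resolve after
# migration. ROOT is a sandbox standing in for "/" and CRONTAB is constructed sample input;
# both are assumptions made for this example.
set -e

ROOT=$(mktemp -d)
OLD_PATH=/var/adm/ipsec_gui/cron/crl.cron
NEW_PATH=/var/adm/ipsec/util/crl.cron

# Constructed crontab listing: one entry written for the old release, one for the new.
CRONTAB='# retrieve CRLs nightly
0 2 * * * /var/adm/ipsec_gui/cron/crl.cron
30 2 * * * /var/adm/ipsec/util/crl.cron >/dev/null 2>&1'

# Lay out what the migration leaves behind: the script at the new path and a softlink at
# the old one (ln -sf keeps this idempotent).
setup_fixture() {
  mkdir -p "$ROOT$(dirname "$OLD_PATH")" "$ROOT$(dirname "$NEW_PATH")"
  printf '#!/bin/sh\nexit 0\n' > "$ROOT$NEW_PATH"
  chmod 755 "$ROOT$NEW_PATH"
  ln -sf "$ROOT$NEW_PATH" "$ROOT$OLD_PATH"
}

# Print the crl.cron path from every non-comment crontab line that references one.
# Fields 1-5 are the schedule, so the command starts at field 6.
crl_cron_refs() {
  printf '%s\n' "$1" | awk '!/^#/ && /crl\.cron/ {
    for (i = 6; i <= NF; i++) if ($i ~ /crl\.cron$/) print $i }'
}

# Return 0 only if every referenced path resolves (following any softlink) to an executable.
check_crl_cron() {
  bad=0
  for p in $(crl_cron_refs "$1"); do
    if [ -x "$ROOT$p" ]; then
      echo "ok:    $p"
    else
      echo "stale: $p (no executable at that path; was the softlink created?)"
      bad=$((bad + 1))
    fi
  done
  [ "$bad" -eq 0 ]
}

setup_fixture
check_crl_cron "$CRONTAB" || echo "crontab has stale crl.cron entries"
```

Removing the softlink makes the old-path entry report as stale, which is the condition a migration that did not run to completion would leave behind.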
Support for RFC 4301 security processing for ICMP errors
The ipsec_config startup configuration argument -icmp_error_process enables or
disables RFC 4301 security processing for ICMP errors (RFC 4301, Section 6). When this feature is
enabled, the IPsec SA that secures a normal network session is also used to secure any ICMP or
ICMPv6 error messages generated in response to that session's traffic. By default, this feature is
disabled.
Profile file changes
The ipsec_config profile file format changed.
The default location for the HP-UX IPSec profile file is /var/adm/ipsec/.ipsec_profile. If
this file exists when you install HP-UX IPSec A.03.00, the installation script installs the A.03.00
profile file under the file name /var/adm/ipsec/.ipsec_profile.blank. When you run
the ipsec_migrate utility, ipsec_migrate saves the existing /var/adm/ipsec/.ipsec_profile
file in the /var/adm/ipsec/backup directory and then moves the
/var/adm/ipsec/.ipsec_profile.blank file to /var/adm/ipsec/.ipsec_profile.
Because ipsec_migrate replaces the profile with the new-format file rather than merging the two,
customized settings in your existing profile file are not carried forward automatically. If you use
customized settings, add them to the /var/adm/ipsec/.ipsec_profile.blank file before running
ipsec_migrate.
Mobile IPv6 support is obsolete
HP-UX IPSec cannot secure Mobile IPv6 packets that the local system forwards when acting as a
Home Agent. HP-UX IPSec can still secure packets to a Mobile IPv6 client when the local node is
acting as a Correspondent Node. The MH (Mobility Header) protocol type in host and tunnel policies
is obsolete. The MIPV6 flag in host policies is obsolete.
Gateway policies are obsolete
IPsec gateway policies are obsolete. The ipsec_config add gateway and related gateway
commands are not supported.
New and changed features in A.03.00.00 15