Cluster I/O Protocols (CIP) Configuration and Management Manual (H06.16+, J06.05+)
Configuring IPSec (IP CIP)
Internet protocol security (IPSec) provides application-transparent encryption services for IP network
traffic. You can set up IPSec on an IP-address-to-IP-address basis, and optionally on a UDP or TCP
port, but you cannot establish IPSec on a per interface basis.
NOTE: In CIP, limited SCTP security is provided.
IPSec is configured on the CLIM using the climconfig command tool. See “Climconfig (Man Pages)”
(page 301) for detailed syntax of the IPSec configuration commands.
The IPSec configuration is not failed over and must be identical on the home and failover CLIMs
for addresses that can fail over between them.
Installing X.509 Certificates
Obtain certificates from a certificate authority (CA) and install them on the NonStop console by
following the instructions from your CA. Move the certificates, the private key files, and the certificate
revocation lists, which are stored in PEM format, to the /etc/racoon/certs directory on the
CLIM.
NOTE: While there are independent IPSec configurations for each provider, they all look for
certificates from this common directory (/etc/racoon/certs).
If the certificate of the peer is to be checked against a certificate authority, the certificate of the
CA also has to be stored in this directory. For OpenSSL to find the certificate it has to be linked
using the hashed name:
ln -s CAfile.pem `openssl x509 -noout -hash < CAfile.pem`.0
If the certificate additionally is to be checked against a certificate revocation file (CRL) the CRL
must be stored in the same directory (/etc/racoon/certs) using a similar linked hashed name:
ln -s CRLfile.pem `openssl x509 -noout -hash < CAfile.pem`.r0
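The two ln -s lines above are the special case of a general rule: OpenSSL looks up a CA certificate in a directory as <subject-hash>.N and a CRL as <issuer-hash>.rN, probing N = 0, 1, 2, ... until a file is missing, so a second CA whose subject name hashes to the same value must get suffix .1 rather than overwrite .0. The script below is an added example, not part of the CIP manual; it wraps the manual's commands in functions that pick the next free suffix, and adds a check that every certificate in the directory is reachable through a hashed link. The function and variable names are the example's own; it assumes a POSIX shell with the openssl binary on the PATH and takes the directory as an argument (on a CLIM that would be /etc/racoon/certs).

```shell
#!/bin/sh
# Added example (not from the CIP manual): install a CA certificate and,
# optionally, its CRL into a certificate directory under the hashed names
# OpenSSL expects (<subject-hash>.N for CA certificates, <subject-hash>.rN
# for CRLs). Directory and file names are supplied by the caller.

# next_free_suffix DIR HASH EXT -> prints the first N for which DIR/HASH.EXTN
# does not exist. OpenSSL probes .0, .1, .2 ... so a colliding hash must
# get the next suffix instead of replacing an existing link.
next_free_suffix() {
    dir=$1; hash=$2; ext=$3; n=0
    while [ -e "$dir/$hash.$ext$n" ]; do
        n=$((n + 1))
    done
    echo "$n"
}

# cert_hash FILE -> subject-name hash of the certificate, the same value
# the manual's `openssl x509 -noout -hash` produces.
cert_hash() {
    openssl x509 -noout -hash -in "$1"
}

# install_hashed_ca DIR CAFILE [CRLFILE]
# Copies the CA certificate (and CRL, if given) into DIR and creates the
# hashed links with relative targets so they resolve inside DIR.
# Prints each link name created, one per line.
install_hashed_ca() {
    dir=$1; cafile=$2; crlfile=$3
    mkdir -p "$dir"
    hash=$(cert_hash "$cafile") || return 1
    cp "$cafile" "$dir/"
    n=$(next_free_suffix "$dir" "$hash" "")
    ln -s "$(basename "$cafile")" "$dir/$hash.$n"
    echo "$hash.$n"
    if [ -n "$crlfile" ]; then
        cp "$crlfile" "$dir/"
        # A CRL is looked up by the hash of its issuer name, which is the
        # CA's subject name, so the CA certificate's hash is the right one.
        rn=$(next_free_suffix "$dir" "$hash" "r")
        ln -s "$(basename "$crlfile")" "$dir/$hash.r$rn"
        echo "$hash.r$rn"
    fi
}

# check_hashed_links DIR -> status 0 if every certificate (*.pem that
# parses as X.509) in DIR has a hashed link pointing at it, 1 otherwise.
check_hashed_links() {
    dir=$1; rc=0
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || continue
        # Files that are not certificates (e.g. CRLs) are skipped.
        h=$(openssl x509 -noout -hash -in "$f" 2>/dev/null) || continue
        found=0
        # The glob matches <hash>.0, <hash>.1, ... but not <hash>.r0.
        for link in "$dir/$h".[0-9]*; do
            [ -L "$link" ] || continue
            [ "$(readlink "$link")" = "$(basename "$f")" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "missing hashed link for $f" >&2
            rc=1
        fi
    done
    return $rc
}
```

After installing, the lookup can be exercised directly with `openssl verify -CApath <directory> peer.pem` (add `-crl_check` once the CRL link is in place); a failure there means the hashed name, not the certificate, is what OpenSSL could not find.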
Once the certificates are on the console, transfer them to the CLIM by using secure FTP from the
PuTTY application. You can find the PuTTY SFTP application (psftp.exe) on the console in
C:\Documents and Settings\Administrator\Desktop\putty\psftp.exe. From the DOS
command prompt, run psftp.exe as follows (substituting the IP address of the CLIM's eth0 interface):
psftp root@<CLIM eth0 IP address>
NOTE: Use PuTTY only for transferring files between the CLIM and the console, not for CLIM
commands.
At the psftp prompt use the lcd command to go to the NonStop console folder where the certs
are located and the cd command to change directories to /etc/racoon/certs. Then use the
put command to transfer the files.