Cluster I/O Protocols (CIP) Configuration and Management Manual (H06.16+, J06.05+)
Setting Up Links to the Certificate Revocation List (CRL) and to the Certificate Authority (CA)
To set up links to the certificate revocation list (CRL), use this command (which executes using
OpenSSL):
1. Create a TACL macro file called clinks (for example) with these lines (substituting real values
for the parameters):
?tacl macro
CLIMCMD %1% ln -s /etc/racoon/certs/%2% /etc/racoon/certs/`openssl x509 -noout -hash < /etc/racoon/certs/%2%`.0
CLIMCMD %1% ln -s /etc/racoon/certs/%3% /etc/racoon/certs/`openssl x509 -noout -hash < /etc/racoon/certs/%2%`.r0
Where:
• %1% is the CLIM name
• %2% is the CA certificate file name
• %3% is the CRL file name
For example:
TACL> clinks DL385C cacert.pem crl2.pem
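Both links are named from the CA certificate's hash because OpenSSL looks up a CRL by the hash of its issuer name, which is the CA's subject name. The following check is an added example, not part of the manual: it audits a certificate directory for hash links that are dangling or whose target does not hash to the link name. It assumes a POSIX shell with openssl available on the host that holds the directory; check_hash_links is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the manual): audit OpenSSL hash links in a certs directory.
# check_hash_links is a hypothetical helper name; pass the directory as $1.
# Prints one status line per link; returns 1 if any link is dangling or mismatched.
check_hash_links() {
    dir=$1
    bad=0
    for link in "$dir"/*.0 "$dir"/*.r0; do
        [ -L "$link" ] || continue      # symlinks only; also skips unmatched globs
        name=${link##*/}
        want=${name%.*}                 # hash value encoded in the link name
        if [ ! -e "$link" ]; then
            echo "DANGLING $name"
            bad=1
            continue
        fi
        case $name in
            # CRL links are looked up by the hash of the CRL issuer name
            *.r0) got=$(openssl crl -noout -hash -in "$link" 2>/dev/null) || got= ;;
            # CA links are looked up by the hash of the certificate subject name
            *)    got=$(openssl x509 -noout -hash -in "$link" 2>/dev/null) || got= ;;
        esac
        if [ "$got" = "$want" ]; then
            echo "OK       $name -> $(readlink "$link")"
        else
            echo "MISMATCH $name (target hashes to ${got:-nothing parseable})"
            bad=1
        fi
    done
    return "$bad"
}

# Run the audit when a directory is given, e.g.: sh audit.sh /etc/racoon/certs
if [ "$#" -gt 0 ]; then
    check_hash_links "$1"
fi
```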
Configuring Pre-Shared Keys
Pre-shared keys are used by the racoon daemon to establish automatically keyed IPSec security
associations. Use the climconfig psk commands to configure pre-shared keys. These commands
alter the contents of the /etc/racoon/psk.txt file.
NOTE: When the MULTIPROV option is ON for a particular CLIM, each provider has an independent
pre-shared key configuration, and the -prov argument must be specified to select the desired
provider's configuration.
Climconfig Command    Description
psk -add              Add pre-shared key information
psk -delete           Delete pre-shared key information
psk -info             Display pre-shared keys configured
Configuring Security Policies
Specific security requirements are defined at each node by a list of policies that form the node's
security policy database (SPD). The protection provided to each incoming or outgoing traffic flow
is verified or decided by consulting the SPD. You use the following climconfig commands to configure
the SPD. These commands alter the contents of the /etc/ipsec-tools.conf file.
SP objects added by climconfig are, by default, not immediately added to the active SPD maintained
by the kernel, unless the -load parameter is specified.
The climconfig sp -start command allows all configured SPs to be simultaneously added
to the SPD, allowing you to configure security policies carefully and then activate them as a group.
CLIMs that are rebooted automatically load all configured SPs into the SPD.
The climconfig sp -stop command removes all configured SP objects from the kernel's SPD,
but keeps them configured.