Cluster I/O Protocols (CIP) Configuration and Management Manual (H06.16+, J06.05+)

IPSec security associations (SAs) can either be configured manually, by adding them to the security
association database (SAD) with fixed, predetermined secret keys, or be configured to be
automatically negotiated with the remote node.
Because manually added SAs rely on fixed keys, they pose a growing security risk over time; HP
therefore discourages this practice and recommends configuring automatically negotiated SAs instead.
CLIM runs a daemon process called racoon, which establishes automatically keyed IPSec security
associations and supports authentication using pre-shared keys or X.509 security certificates.
Whenever an application sends network data, the CLIM kernel checks whether the security policy
database (SPD) contains a security policy that matches the source and destination IP addresses.
If a security policy is found but no security association corresponding to that policy exists yet,
the kernel triggers the racoon daemon to establish the security association.
To accomplish this, racoon queries the "remote" and automatic SA objects configured by climconfig
to determine the parameters for the Internet Key Exchange (IKE).
The climconfig remote objects tell racoon how to authenticate the remote peer and what parameters
to use for the IKE phase 1 security associations. The climconfig automatic SA objects tell racoon
which SAs need to be established in IKE phase 2 and added to the SAD for further
communication over the IPSec connection.
The application data is then transferred over the newly created IPSec connection.
IPSec Related Files
This section details the set of configuration files related to IPSec (setkey and racoon).
If automatic SA establishment is used, the Internet Key Exchange (IKE) can authenticate peers either
with a configured pre-shared secret key or with X.509 security certificates.
IPSec Configuration Files
Files containing configuration details reside on the CLIM. The IPSec configuration commands are
used to edit the contents of these files. The IPSec configuration files are:
CAUTION: The IPSec configuration files must not be edited directly. Use the climconfig commands
to change them.
NOTE: For CLIMs with MULTIPROV ON, a separate copy of each one of the files listed here is
maintained for each provider.
File: psk.txt
  Description: Pre-shared secret key for racoon IKE phase 1
  Modify by using the...: "climconfig.psk Description" (page 349)

File: /etc/racoon/certs/security-certificates
  Description: Security certificates to be used instead of a pre-shared key for the key exchanges
  during racoon phase-1 IKE establishment
  Modify by using the...: These are generated by the use of tools which generate a certificate
  signing request. See "Security Certificates – Public and Private Key Certificates" (page 50) and
  "Installing X.509 Certificates" (page 104)

File: racoon.conf
  Description: Racoon configuration, containing configured "remote" and "automatic SA"
  configurations to direct racoon on the parameters for IKE negotiations.
  Modify by using the...: "climconfig.remote Description" (page 343) and "climconfig.sa
  Description" (page 354)
  In CIP: "climconfig.sa Description" (page 362) and climconfig.remote(1)
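As an added illustration, not taken from the HP manual and not something to type in by hand (the manual directs all changes through climconfig), the constructed setkey and racoon.conf fragments below show how the flow described earlier maps onto the files in the table: SPD entries select the traffic whose missing SA makes the kernel call racoon, the "remote" block carries the phase-1 authentication method and proposal, and the "sainfo" block carries the phase-2 SAs that racoon installs into the SAD. The IP addresses, the path of psk.txt, the certificate directory and the algorithm choices are assumptions.

```conf
# --- setkey policy file (constructed example): SPD entries for the CLIM kernel.
# Traffic between the two hosts must be protected with ESP in transport mode;
# a packet matching an SPD entry that has no SA yet triggers racoon.
spdadd 192.0.2.1 198.51.100.7 any -P out ipsec esp/transport//require;
spdadd 198.51.100.7 192.0.2.1 any -P in  ipsec esp/transport//require;

# --- racoon.conf (constructed example; on a CLIM climconfig writes this file)
# Where racoon finds the pre-shared keys (psk.txt in the table) and the X.509
# material used instead of a PSK. Both paths are assumptions.
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

# "remote": IKE phase 1 for this peer -- how the peer is authenticated and the
# proposal that protects the IKE channel itself (the climconfig.remote object).
remote 198.51.100.7 {
    exchange_mode main;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha256;
        authentication_method pre_shared_key;   # rsasig when certificates are used
        dh_group modp2048;
    }
    lifetime time 8 hour;                       # phase-1 SA is re-keyed, not fixed
}

# "automatic SA": IKE phase 2 -- the ESP SAs racoon negotiates and adds to the
# SAD for the traffic selected above (the climconfig.sa object).
sainfo address 192.0.2.1 any address 198.51.100.7 any {
    pfs_group modp2048;
    encryption_algorithm aes 256;
    authentication_algorithm hmac_sha256;
    compression_algorithm deflate;
    lifetime time 1 hour;                       # short-lived keys, unlike manual SAs
}

# --- psk.txt line format (constructed): peer identifier, whitespace, secret.
# 198.51.100.7   <long random secret, never a dictionary word>
```

The phase-1 and phase-2 lifetimes are what replace the fixed keys of a manually added SA; with this configuration a compromised key is only useful until the next re-key.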
The CIP Subsystem for Internet Protocols (IP CIP) 49