Cluster I/O Protocols (CIP) Configuration and Management Manual (H06.16+, J06.05+)
IPSec Security Policies (SPs) and manually configured Security Associations (manual SAs)
File: ipsec-tools.conf
In CIP, modify by using: “climconfig.sa Description” (page 354) and “climconfig.sp Description” (page 364)
Description: “climconfig.sa Description” (page 362) and “climconfig.sp Description” (page 372)
psk.txt – pre-shared secret key for racoon IKE phase 1
The pre-shared secret keys are contained in the file psk.txt. This file consists of the IP addresses
or fully qualified domain names (FQDNs) of the remote machines with the corresponding secret
key.
A sample psk.txt file is:
# IPv4/IPv6 Addresses
192.168.2.100 simple psk
5.0.0.1 0xe10bd52b0529b54aac97db63462850f3
# USER_FQDN
joe@doe.net This is a psk for an email address
# FQDN
The secret key is either arbitrary text or a hexadecimal number; both forms can be specified as the
pre-shared key.
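A small parser for the psk.txt layout described above, written as an added example that is not part of this manual or of racoon: each non-comment line is a peer identifier (IP address, user FQDN or FQDN) followed by the key, where a key written as 0x... is hexadecimal and anything else is literal text. The sample file is constructed from the entries above, with an FQDN row (vpn.example.net, a placeholder) added for illustration.

```python
"""Parser and lookup for a racoon-style psk.txt file (added example, not racoon's own code)."""
import ipaddress
from typing import Dict, Optional

# Constructed sample in the psk.txt layout shown above; not a real key file.
SAMPLE_PSK_TXT = """\
# IPv4/IPv6 Addresses
192.168.2.100 simple psk
5.0.0.1 0xe10bd52b0529b54aac97db63462850f3
# USER_FQDN
joe@doe.net This is a psk for an email address
# FQDN
vpn.example.net anothertextkey
"""


def identifier_kind(ident: str) -> str:
    """Classify the peer identifier: ipv4, ipv6, user_fqdn (contains '@') or fqdn."""
    try:
        ip = ipaddress.ip_address(ident)
        return "ipv6" if ip.version == 6 else "ipv4"
    except ValueError:
        return "user_fqdn" if "@" in ident else "fqdn"


def decode_key(raw: str) -> bytes:
    """A key written as 0x... is binary (hex-decoded); anything else is literal text."""
    if raw.startswith("0x"):
        return bytes.fromhex(raw[2:])
    return raw.encode()


def parse_psk(text: str) -> Dict[str, dict]:
    """Return {identifier: {"kind": ..., "key": bytes}}. Lines starting with '#' are comments."""
    table: Dict[str, dict] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # The identifier ends at the first whitespace; the key is the remainder of
        # the line, which is why a text key such as "simple psk" may contain spaces.
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<identifier> <key>'")
        ident, raw_key = parts
        table[ident] = {"kind": identifier_kind(ident), "key": decode_key(raw_key)}
    return table


def lookup(table: Dict[str, dict], peer: str) -> Optional[bytes]:
    """Key bytes for a peer identifier, or None when no entry exists for it."""
    entry = table.get(peer)
    return entry["key"] if entry else None
```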
Security Certificates – Public and Private Key Certificates
Instead of the pre-shared key mechanism, you can also use security certificates for the key exchange
during the racoon phase-1 IKE (Internet Key Exchange) establishment. The security certificates are
X.509 certificates with their public and private keys. These files are placed under the directory
/etc/racoon/certs/. The certificates are generated with tools that produce a certificate signing
request, which is then certified by a root certificate authority such as Verisign or Thawte. The
IPSec configuration tools do not generate the certificates. For procedures for using CIP IPSec, see
“Using IPSec” (page 107).
Commands for Controlling Virtual Private Networks
The set of commands that allow you to activate and deactivate VPN connections is:
saspvpn
Xstart
Xstatus
XXstop
See “Climconfig (Man Pages)” (page 301) for the command syntax and options for these commands.
Name Resolution
Name resolution for NonStop host system applications is processed by the NonStop operating
system socket library either by using the HOSTS and IPNODES files or by using the Domain Name
System (DNS). You configure the Guardian environment to use the HOSTS file (which invokes
IPNODES, if necessary) by specifying a DEFINE for =TCPIP^HOST^FILE.
When the DEFINE for =TCPIP^HOST^FILE is not set, the NonStop host system uses DNS. The
name server accessed is defined in the $SYSTEM.ZTCPIP.RESCONF file.
50 Overview