HP-UX IPSec A.03.02.02 Release Notes HP-UX 11i version 3 (766158-001, April 2014)

Host name resolution
If you are using DNS, NIS or NIS+ to resolve hostnames to IP addresses and you have an
IPSec policy that discards, encrypts or authenticates packets to the DNS, NIS or NIS+ server,
you must configure your system to resolve the address for the local hostname and the loopback
name using the /etc/hosts file.
Workaround: Configure the hostname resolution services as follows:
In the /etc/nsswitch.conf file, specify files as the first database for resolving
hostnames. You can then specify other sources (such as DNS) as backup databases, as
shown in the example below:
hosts: files [NOTFOUND=continue] dns
In the /etc/hosts file, add an entry for the local hostname mapped to its IP address,
and an entry for the IP address 127.0.0.1 mapped to localhost and loopback,
as shown in the example below:
192.6.1.1 myhost
127.0.0.1 localhost loopback
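The two checks below, written as an added example rather than anything shipped with HP-UX IPSec, verify that a system matches the workaround before an IPSec policy covering the DNS or NIS server is enabled: the hosts: line in nsswitch.conf must try files first, and the hosts file must carry both the local hostname and the 127.0.0.1 mapping for localhost and loopback. The nsswitch and hosts files it reads are constructed here for the demonstration; on a real host point the functions at /etc/nsswitch.conf and /etc/hosts and pass the output of hostname instead of the assumed name myhost.

```shell
#!/bin/sh
# Added example (not from the HP-UX release notes): check host name
# resolution configuration against the IPSec workaround. Sample files are
# constructed below; on a real system use /etc/nsswitch.conf and /etc/hosts.

# Return 0 if the hosts: line of the given nsswitch.conf lists "files" first.
nsswitch_files_first() {
    awk '
        /^[ \t]*hosts:/ {
            found = 1
            line = $0
            sub(/^[ \t]*hosts:[ \t]*/, "", line)   # drop the "hosts:" keyword
            split(line, f, " ")                     # f[1] is the first source
            if (f[1] == "files") ok = 1
        }
        END { if (found && ok) exit 0; exit 1 }
    ' "$1"
}

# Return 0 if the given hosts file maps 127.0.0.1 to both localhost and loopback.
hosts_has_loopback() {
    awk '
        /^[ \t]*#/ { next }                         # skip comment lines
        $1 == "127.0.0.1" { for (i = 2; i <= NF; i++) seen[$i] = 1 }
        END { if (seen["localhost"] && seen["loopback"]) exit 0; exit 1 }
    ' "$1"
}

# Return 0 if the given hosts file has an address entry for the named host.
hosts_has_name() {   # hosts_has_name FILE HOSTNAME
    awk -v name="$2" '
        /^[ \t]*#/ { next }
        { for (i = 2; i <= NF; i++) if ($i == name) found = 1 }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# Run all three checks; print the first problem found and return 1.
check_resolution() {   # check_resolution NSSWITCH_FILE HOSTS_FILE HOSTNAME
    nsswitch_files_first "$1" || { echo "$1: hosts: does not try files first"; return 1; }
    hosts_has_loopback "$2"   || { echo "$2: 127.0.0.1 must map to localhost and loopback"; return 1; }
    hosts_has_name "$2" "$3"  || { echo "$2: no entry for local host $3"; return 1; }
    echo "host name resolution matches the HP-UX IPSec workaround"
}

# Constructed sample files: one pair follows the release notes, one does not.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'hosts: files [NOTFOUND=continue] dns\n' > "$tmp/nsswitch.good"
printf '# constructed sample\n192.6.1.1 myhost\n127.0.0.1 localhost loopback\n' > "$tmp/hosts.good"
printf 'hosts: dns [NOTFOUND=return] files\n' > "$tmp/nsswitch.bad"
printf '127.0.0.1 localhost\n' > "$tmp/hosts.bad"

check_resolution "$tmp/nsswitch.good" "$tmp/hosts.good" myhost || echo "-> fix before enabling the policy"
check_resolution "$tmp/nsswitch.bad"  "$tmp/hosts.bad"  myhost || echo "-> fix before enabling the policy"
```

The second pair fails on the nsswitch check first: with dns ahead of files, a lookup of the local hostname would itself be sent to the DNS server and be subject to the IPSec policy, which is exactly the situation the workaround prevents.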

OpenSSL CA does not copy extension fields
By default, an OpenSSL Certificate Authority (CA) does not copy extension fields from Certificate
Signing Requests (CSRs) to the signed certificate. To use OpenSSL certificates with HP-UX
IPSec, you must configure the OpenSSL CA to copy the extension fields.
Workaround: One way to force the OpenSSL CA to copy the extension fields is by
uncommenting the following entry in the OpenSSL configuration file:
copy_extensions = copy
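A stock openssl.cnf ships the line commented out, and it only takes effect in the CA section that the [ca] section's default_ca entry actually selects, so the check below (an added example, not part of HP-UX IPSec or OpenSSL) resolves that section and reports whether copy_extensions is active there. The configuration text is constructed for the demonstration; on a real CA host run it against the openssl.cnf the CA reads, for example /etc/ssl/openssl.cnf (an assumed path).

```shell
#!/bin/sh
# Added example (not from the HP-UX release notes or OpenSSL): confirm that
# the CA section in use will copy CSR extensions such as subjectAltName into
# the signed certificate. The openssl.cnf below is constructed for the demo.

# Print the value of KEY inside [SECTION] of an openssl.cnf, ignoring comment
# lines, inline "# ..." comments and surrounding blanks. Prints nothing if unset.
cnf_value() {   # cnf_value FILE SECTION KEY
    awk -v want="$2" -v key="$3" '
        /^[ \t]*#/ { next }                            # whole-line comment
        /^[ \t]*\[/ {                                  # [ section ] header
            s = $0; gsub(/[^A-Za-z0-9_.-]/, "", s); cur = s; next
        }
        cur == want && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=/, "", v)
                sub(/[ \t]*#.*/, "", v)                # strip inline comment
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                val = v
            }
        }
        END { if (val != "") print val }
    ' "$1"
}

# Print the CA section selected by [ca] default_ca, falling back to CA_default.
default_ca_section() {
    sec=$(cnf_value "$1" ca default_ca)
    echo "${sec:-CA_default}"
}

# Return 0 if the named section sets copy_extensions = copy.
copy_extensions_active() {   # copy_extensions_active FILE SECTION
    [ "$(cnf_value "$1" "$2" copy_extensions)" = "copy" ]
}

# Constructed sample: a stock-style config with the line commented out, and a
# fixed copy produced by uncommenting it as the workaround describes.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/stock.cnf" <<'EOF'
# constructed sample resembling a stock openssl.cnf
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = ./demoCA
# copy_extensions = copy
EOF
sed 's/^# copy_extensions/copy_extensions/' "$tmp/stock.cnf" > "$tmp/fixed.cnf"

for f in stock fixed; do
    sec=$(default_ca_section "$tmp/$f.cnf")
    if copy_extensions_active "$tmp/$f.cnf" "$sec"; then
        echo "$f.cnf: [$sec] copies CSR extensions; subjectAltName will reach the certificate"
    else
        echo "$f.cnf: [$sec] does NOT copy CSR extensions; uncomment copy_extensions = copy"
    fi
done
```

After signing, confirm the result on the certificate itself rather than trusting the configuration: openssl x509 -noout -text -in cert.pem should show an X509v3 Subject Alternative Name block matching what the CSR requested. Because copy_extensions = copy takes every extension from the CSR, the CA should only sign requests whose contents it has reviewed.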

ipsec_config requires subject for certificate signing requests
The X.509 version 3 specification does not require the subject field in a certificate if the
subjectAlternativeName field is present. However, because of requirements in library routines
used by HP-UX IPSec, the ipsec_config add csr command always requires the user to
configure information for the subject field.

Distinguished names with multiple Organizational Unit attributes not supported for remote authentication
If you are using certificate-based IKE authentication and the remote system's certificate has a
Distinguished Name (DN) field with multiple Organizational Unit (OU) attributes, the remote
ID field of the authentication record must not contain an OU attribute. For example, if the
remote system's certificate contains the DN CN=MyHost,C=US,O=HP,OU=West,OU=Blue,
the remote ID cannot include any OU attributes. The remote ID can include other attributes
from the DN (-rid CN=MyHost,C=US,O=HP), if doing so provides sufficient information to
identify the remote system. Alternatively, you can authenticate the identity of the remote system
using another ID type, such as IPv4 address (IPV4).
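The rule above can be applied mechanically when building authentication records. The following added example, which is not part of ipsec_config or the release notes, derives a usable remote ID from the DN in the remote system's certificate (the DN from the text is used as the sample) and rejects a proposed remote ID that still carries an OU attribute when the certificate DN has more than one. It assumes comma-separated DNs without escaped commas inside attribute values.

```shell
#!/bin/sh
# Added example (not from the HP-UX release notes): derive and validate the
# remote ID for a certificate whose DN may contain several OU attributes.
# Assumes RFC 2253-style comma-separated DNs with no escaped commas.

# Print the number of OU attributes in a DN (attribute type matched case-insensitively).
ou_count() {
    printf '%s\n' "$1" | awk -F, '{
        n = 0
        for (i = 1; i <= NF; i++) if (toupper($i) ~ /^[ \t]*OU=/) n++
        print n
    }'
}

# Print the DN with every OU attribute removed, keeping the other attributes in order.
strip_ou() {
    printf '%s\n' "$1" | awk -F, '{
        out = ""
        for (i = 1; i <= NF; i++) {
            if (toupper($i) ~ /^[ \t]*OU=/) continue
            out = (out == "") ? $i : (out "," $i)
        }
        print out
    }'
}

# Print a remote ID for the certificate DN: the DN itself when it has at most
# one OU, otherwise the DN with all OU attributes dropped.
remote_id_from_dn() {
    if [ "$(ou_count "$1")" -gt 1 ]; then
        strip_ou "$1"
    else
        printf '%s\n' "$1"
    fi
}

# Return 0 if REMOTE_ID is acceptable for CERT_DN: it must not contain an OU
# attribute when the certificate DN carries more than one.
remote_id_ok() {   # remote_id_ok CERT_DN REMOTE_ID
    if [ "$(ou_count "$1")" -gt 1 ] && [ "$(ou_count "$2")" -gt 0 ]; then
        return 1
    fi
    return 0
}

# Sample DN taken from the release notes' example.
dn='CN=MyHost,C=US,O=HP,OU=West,OU=Blue'
rid=$(remote_id_from_dn "$dn")
echo "certificate DN : $dn"
echo "usable -rid    : $rid"
bad='CN=MyHost,C=US,O=HP,OU=West'
if remote_id_ok "$dn" "$bad"; then
    echo "-rid $bad accepted"
else
    echo "-rid $bad rejected: certificate DN has multiple OU attributes"
fi
```

The derived ID still has to identify the remote system unambiguously; if stripping the OU attributes leaves a DN shared by several peers, switch to another ID type such as IPV4, as the text suggests, rather than reintroducing an OU.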
18 Known problems and limitations