Sun Microsystems, Inc.
spacerspacer
spacer www.sun.com docs.sun.com |
spacer
black dot
 
 
21.  Internet Key Exchange IKE Tasks How to Configure IKE With Pre-Shared Keys  Previous   Contents   Next 
   
 

How to Refresh Existing Pre-Shared Keys

This procedure assumes that you want to replace an existing pre-shared key. If you use a strong encryption algorithm, such 3DES, AES, or Blowfish, you may be able to schedule key replacement for when you reboot both machines. This procedure is for machines using an algorithm like DES to secure traffic.

  1. Become superuser on the system console.

    Note - Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the total security of the system is reduced to the security of the remote login session.

  2. Generate random keys and choose one.

    On a Solaris system, you can use the od command.

    # od -x </dev/random | head -2
0000000 305e c563 69ca 62c2 ae80 4690 c571 3e18
0000020 be43 9533 d50f ec49 c7fe cf3c 8f13 91c0

  3. Edit the /etc/inet/secret/ike.preshared file on each system, and replace the current key with a new key.

    For example, on the hosts enigma and partym, you would replace the value of key with a new number, like be439533d50fec49c7fecf3c8f1391c0.

  4. Check that the in.iked daemon permits you to change keying material.

    # /usr/sbin/ikeadm get priv
Current privilege level is 0x2, access to keying material enabled

    You can change keying material if the command returns a privilege level of 0x1 or 0x2. Level 0x0 does not permit keying material operations. By default, the in.iked daemon runs at the 0x0 level of privilege.

  5. If the in.iked daemon permits you to change keying material, read in the new version of the ike.preshared file.

    For example,

    # ikeadm read preshared

  6. If the in.iked daemon does not permit you to change keying material, kill the daemon and then restart it.

    When the daemon starts, it reads the new version of the ike.preshared file.

    For example,

    # pkill in.iked
# /usr/lib/inet/in.iked

How to Add New Pre-Shared Keys

On a system running the in.iked daemon, you can add pre-shared keys for interfaces that you have added to the ipsecinit.conf file after the daemon was invoked. This procedure assumes that you have already added the new interfaces to the /etc/hosts file and the /etc/inet/ipsecinit.conf file on both systems, and that you have not yet read the ipsecinit.conf file into each system.

  1. Become superuser on the system console.

    Note - Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the total security of the system is reduced to the security of the remote login session.

  2. Check that the in.iked daemon permits you to change keying material.

    # /usr/sbin/ikeadm get priv
Current privilege level is 0x2, access to keying material enabled

    You can change keying material if the command returns a privilege level of 0x1 or 0x2. Level 0x0 does not permit keying material operations. By default, the in.iked daemon runs at the 0x0 level of privilege.

  3. If the in.iked daemon does not permit you to change keying material, kill the daemon and then start it with the correct privilege level.

    For example,

    # pkill in.iked
# /usr/lib/inet/in.iked -p 2
Setting privilege level to 2!

  4. Generate random keys and choose one.

    On a Solaris system, you can use the od command.

    # od -x </dev/random | head -2
0000000 2d86 b6f6 eb7a e8a9 3d83 58b2 cd17 4164
0000020 8be4 fea4 b456 933a 46dd 149a 0a10 b2e4

  5. Type the ikeadm command on each system to add the new keying material.

    For example, if you are on enigma, and add the key for host nemesis, 192.163.55.8:

    # ikeadm
ikeadm> add preshared { localidtype ip localid 192.168.66.1
remoteidtype ip remoteid 192.163.55.8 ike_mode main
key 2d86b6f6eb7ae8a93d8358b2cd174164 }
ikeadm: Successfully created new preshared key.

    On host nemesis, the administrator would add the identical key, as in:
    # ikeadm
ikeadm> add preshared { localidtype ip localid 192.163.55.8
remoteidtype ip remoteid 192.168.66.1 ike_mode main
key 2d86b6f6eb7ae8a93d8358b2cd174164 }
ikeadm: Successfully created new preshared key.

    Note - A message of the form Error: invalid preshared key definition indicates that you have mistyped or omitted a parameter to the add preshared command. Retype the command correctly to add the key.

  6. Exit the ikeadm command mode.

    ikeadm> exit
#

  7. On each system, lower the privilege level of the in.iked daemon.

    # ikeadm set priv base

  8. On each system, activate the ipsecinit.conf file to secure the added interfaces.

    # ipsecconf -a /etc/inet/ipsecinit.conf

    Note - Read the warning when you execute the command. A socket that is already in use (latched) provides an unsecured back door into the system.

How to Configure IKE With Self-Signed Public Certificates

  1. Become superuser on the system console.

    Note - Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the total security of the system is reduced to the security of the remote login session.

  2. Use the ikecert certlocal -ks command to add a self-signed certificate to the ike.privatekeys database. For example,

    # ikecert certlocal -ks -m 1024 -t rsa-md5 \
-D "C=US, O=ExampleCompany, OU=US-Example, CN=Example" \
-A IP=192.168.10.242
Generating, please wait...
Certificate: 
Certificate generated.
Certificate added to database.
-----BEGIN X509 CERTIFICATE-----
MIICLTCCAZagAwIBAgIBATANBgkqhkiG9w0BAQQFADBNMQswCQYDVQQGEwJVUzEX
...
6sKTxpg4GP3GkQGcd0r1rhW/3yaWBkDwOdFCqEUyffzU
-----END X509 CERTIFICATE-----

  3. Send the certificate to the communicating system's administrator.

    You can cut-and-paste the certificate into an email, as in:

    To: root@us.example.com
From: root@un.example.com
Message: -----BEGIN X509 CERTIFICATE-----
MIICLTCCAZagAwIBAgIBATANBgkqhkiG9w0BAQQFADBNMQswCQYDVQQGEwJVUzEX
...
6sKTxpg4GP3GkQGcd0r1rhW/3yaWBkDwOdFCqEUyffzU
-----END X509 CERTIFICATE-----

  4. Edit the /etc/inet/ike/config file to recognize the public keys from a communicating system. For example,

    # Explicitly trust the following self-signed certs
# Use the Subject Alternate Name to identify the cert

cert_trust "192.168.10.242"
cert_trust "192.168.11.241"

## Parameters that may also show up in rules.

p1_xform { auth_method preshared oakley_group 5 auth_alg sha encr_alg 3des }
p2_pfs 5

{
 label "UN-Example to US-Example"
 local_id_type dn
 local_id "C=US, O=ExampleCompany, OU=UN-Example, CN=Example"
 remote_id_type dn
 remote_id "C=US, O=ExampleCompany, OU=US-Example, CN=Example"

 local_addr 192.168.10.242
 remote_addr 192.168.11.241

 p1_xform
  { auth_method rsa_encrypt oakley_group 2  auth_alg md5  encr_alg des }
}

  5. Do the following substeps to add the communicating system's public key.

    1. Copy the public key from the administrator's email.

    2. Type the ikecert certdb -a command and type <Return>.

      # ikecert certdb -a <Return>

    3. Paste the public key and type <Return>.

      -----BEGIN X509 CERTIFICATE-----
MIICL...
...
KgDid/nxWPlWQU5vMAiwJXfa0sw/A12w448JVkVmEWaf
-----END X509 CERTIFICATE----- <Return>

    4. End the entry by typing <Control-D>.

      <Control-D>

  6. Verify with the other administrator that the keys have not been tampered with.

    For example, you can phone the other administrator to compare the values of the public key hash, as in,

    # ikecert certdb -l
        Certificate Slot Name: 0   Type: if-modn
        Subject Name: <C=US, O=ExampleCo, OU=UN-Example, CN=Example>
        Key Size: 1024
        Public key hash: 2239A6A127F88EE0CB40F7C24A65B818
    other system # ikecert certlocal -l
Local ID Slot Name: 1   Type: if-modn
        Key Size: 1024
        Public key hash: 2239A6A127F88EE0CB40F7C24A65B818

    Note - The public key hash above is different from the one that your systems generate.

 		 
 
  Previous   Contents   Next