Key Management - HP SN3000B Administrator's Manual
Brocade fabric os administrator's guide - supporting fabric os v7.0.1 (53-1002446-01, march 2012)
Hide thumbs
Also See for SN3000B:
- Troubleshooting manual (138 pages) ,
- Reference manual (70 pages) ,
- Quickspecs (21 pages)
Table of Contents
Advertisement
Key management
The IPsec key management supports Internet Key Exchange or Manual key/SA entry. The Internet
Key Exchange (IKE) protocol handles key management automatically. SAs require keying material
for authentication and encryption. The managing of keying material that SAs require is called key
management.
The IKE protocol secures communication by authenticating peers and exchanging keys. It also
creates the SAs and stores them in the SADB.
The manual key/SA entry requires the keys to be generated and managed manually. For the
selected authentication or encryption algorithms, the correct keys must be generated using a third
party utility on your LINUX system. The key length is determined by the algorithm selected.
Linux IPsec-tools 0.7 provides tools for manual key entry (MKE) and automatic keyed connections.
The LINUX setKey command can be used for manually keyed connections, which means that all
parameters needed for the setup of the connection are provided by you. Based on which protocol,
algorithm, and key used for the creation of the security associations, the switch populates the
security association database (SAD) accordingly.
Pre-shared keys
A pre-shared key has the .psk extension and is one of the available methods IKE can be configured
to use for primary authentication. You can specify the pre-shared keys used in IKE policies; add and
delete pre-shared keys (in local database) corresponding to the identity of the IKE peer or group of
peers.
The ipSecConfig command does not support manipulating pre-shared keys corresponding to the
identity of the IKE peer or group of peers. Use the secCertUtil command to import, delete, or display
the pre-shared keys in the local switch database. For more information on this procedure, refer to
Chapter 6, "Configuring
Security certificates
A certificate is one of the available methods IKE can be configured to use for primary
authentication. You can specify the local public key and private key (in X.509 PEM format) and peer
public key (in X.509 format) to be used in a particular IKE policy.
Use the secCertUtil import command to import public key, private key and peer-public key (in X.509
PEM format) into the switch database. For more information on this procedure, refer to
"Configuring
ATTENTION
The CA certificate name must have the IPSECCA.pem name.
Static Security Associations
Manual Key Entry (MKE) provides the ability to manually add, delete and flush SA entries in the
SADB. Manual SA entries may not have an associated IPsec policy in the local policy database.
Manual SA entries are persistent across system reboots.
Fabric OS Administrator's Guide
53-1002446-01
Protocols".
Protocols".
Management interface security
7
Chapter 6,
171
Advertisement
Table of Contents
