HP StorageWorks 8/80 HP StorageWorks Fabric OS 6.2 administrator guide (5697-0 - Page 153

is used for the creation of the security associations, the switch populates the security association database (SAD) accordingly. Pre-shared keys A pre-shared key is one of the available methods for configuring IKE to use for primary authentication. You can specify the pre-shared keys used in IKE policies. You can also add and delete pre-shared keys (in local database) corresponding to the identity of the IKE peer or group of peers. The ipSecConfig command does not support manipulating pre-shared keys corresponding to the identity of the IKE peer or group of peers. Use the secCertUtil command to import, delete, or display the pre-shared keys in the local switch database. For more information on this procedure, see Chapter 3, "Configuring standard security features" on page 99. Security certificates A security certificate is one of the available methods for configuring IKE to use for primary authentication. You can specify the local public key and private key (in X.509 PEM format) and peer public key (in X.509 format) to be used in a particular IKE policy. Use the secCertUtil import command to import public key, private key, and peer-public key (in X.509 PEM format) into the switch database. For more information on this procedure, see Chapter 3, "Configuring standard security features" on page 99. Static Security Associations Manual Key Entry (MKE) provides the ability to manually add, delete, and flush SA entries in the SADB. Manual SA entries may not have an associated IPsec policy in the local policy database. Manual SA entries are persistent across system reboots. Creating the tunnel Each side of the tunnel must be configured in order for the tunnel to come up. Once you are logged into the switch, do not log off, as each step requires that you be logged in to the switch. IPsec configuration changes take effect upon execution and are persistent across reboots. Configure the following on each side of the tunnel: 1. Determine the authentication protocol and algorithm to be used on the tunnel. See Table 41 on page 148 to determine which algorithm to use in conjunction with a specific authentication protocol. 2. Determine the type of keys to be used on the tunnel. If you are using CA signed keys, you must generate them prior to setting up your tunnels. 3. Enable IPsec. a. Connect to the switch and log in using an account assigned to the admin role. b. Enter the ipsecConfig --enable command to enable IPsec on the switch. 4. Create an IPsec SA policy on each side of the tunnel using the ipSecConfig --add policy ips sa -protocol ah|esp -auth command. The example below creates an IPsec SA policy named AH01, which uses AH protection with MD5. You would run this command on each switch on each side of the tunnel, so that both sides have the same IPsec SA policy. switch:admin> ipsecconfig --add policy ips sa -t AH01 -p ah -auth hmac_md5 5. Create an IPsec proposal on each side of the tunnel using the ipSecConfig --add policy ips sa-proposal -tag name -sa name command. The following example creates an IPsec proposal IPSEC-AH to use AH01 as SA. switch:admin> ipsecconfig --add policy ips sa-proposal -t IPSEC-AH -sa AH01 6. Import the pre-shared key file. Fabric OS 6.2 administrator guide 151