Creating IKE tunnels using digital certificates
To create IKE tunnels that use digital certificates, you must specify RSA signatures as the authentication mode in the IKE tunnel transform policy file.
<!-- define the policy for IKE tunnel -->
<IKEProtection
IKE_ProtectionName="ike_3des_sha">
<IKETransform
IKE_AuthenticationMethod="RSA_signatures"
IKE_Encryption="3DES-CBC"
IKE_Hash="SHA"
IKE_DHGroup="1"/>
</IKEProtection>
The local and remote identities in the IKE tunnel definition can be any of the following types:
- IP address
- Fully Qualified Domain Name (FQDN)
- user@FQDN
- X.500 Distinguished Name
- Key identifier
The following tunnel definition references the protection policy above and uses X.500 Distinguished Names (ASN1_DN) for the local and remote identities:
<IKETunnel
IKE_TunnelName="Key_Tunnel"
IKE_ProtectionRef="ike_3des_sha">
<IKELocalIdentity>
<ASN1_DN Value="/C=US/O=ABC/OU=SERV/CN=localname.austin.ibm.com">
</ASN1_DN>
</IKELocalIdentity>
<IKERemoteIdentity>
<ASN1_DN Value="/C=US/O=ABC/OU=SERV/CN=remotename.austin.ibm.com">
</ASN1_DN>
</IKERemoteIdentity>
</IKETunnel>
For an X.500 Distinguished Name identity, the digital certificate request contains the following fields:
- Common name: name.austin.ibm.com
- Organization: ABC
- Organizational unit: SERV
- Country: US
The X.500 Distinguished Name that is entered is the name that is typically set up by your system or LDAP administrator. The organizational unit value is optional.
When the certificate also carries a Subject Alternate Name (here an IP address), the request contains the following fields:
- Common name: name.austin.ibm.com
- Organization: ABC
- Organizational unit: SERV
- Country: US
- Subject alternate IP address field: 10.10.10.1
After you create the digital certificate request with this information, the CA uses this information to create the personal digital certificate.
When requesting a personal digital certificate, the CA needs the following information:
- You are requesting an X.509 certificate.
- The signature format is MD5 with RSA encryption.
- Whether you are specifying a Subject Alternate Name. The alternate name types are:
  - IP address
  - Fully qualified domain name (FQDN)
  - user@FQDN
  The subject alternate-name information is included in the certificate request file.
- Your planned key use (the digital signature bit must be selected).
- The Key Manager digital certificate request file (in PKCS#10 format).
For specific steps that explain how to use the Key Manager tool to create a certificate request, see Requesting a digital certificate.
Before you activate the IKE tunnel, you must add the personal digital certificate that you received from the CA into the Key Manager database, ikekey.kdb. For more information, see Adding (Receiving) a new digital certificate.
IP Security supports the following types of personal digital certificates:
- Subject DN: The Subject Distinguished Name must be in the following format and order:
  /C=US/O=ABC/OU=SERV/CN=name.austin.ibm.com
  The Key Manager tool allows only one OU value.
- Subject DN and Subject Alternate Name as an IP address: The Subject Distinguished Name and Subject Alternate Name can be designated as an IP address, as shown in the following:
  /C=US/O=ABC/OU=SERV/CN=name.austin.ibm.com and 10.10.10.1
- Subject DN and Subject Alternate Name as FQDN: The Subject Distinguished Name and Subject Alternate Name can be designated as a fully qualified domain name, as shown in the following:
  /C=US/O=ABC/OU=SERV/CN=name.austin.ibm.com and bell.austin.ibm.com
- Subject DN and Subject Alternate Name as user@FQDN: The Subject Distinguished Name and Subject Alternate Name can be designated as a user address (user_ID@fully_qualified_domain_name), as shown in the following:
  /C=US/O=ABC/OU=SERV/CN=name.austin.ibm.com and name@austin.ibm.com
- Subject DN and multiple Subject Alternate Names: The Subject Distinguished Name can be associated with multiple Subject Alternate Names, as shown in the following:
  /C=US/O=ABC/OU=SERV/CN=name.austin.ibm.com and bell.austin.ibm.com, 10.10.10.1, and user@name.austin.ibm.com
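As an added example (not part of the AIX documentation or the Key Manager tool), the following Python check applies the rules above before a tunnel is activated: it verifies that a certificate's Subject DN uses the required /C=/O=/OU=/CN= order with at most one OU, classifies a tunnel identity as IP address, FQDN or user@FQDN, and confirms that the identity configured in the IKETunnel matches the certificate's Subject DN or one of its Subject Alternate Names. The DN strings and alternate names used are constructed from the page's sample values.

```python
import ipaddress
import re

# Required Subject DN component order from the page; OU is optional, at most one.
DN_ORDER = ("C", "O", "OU", "CN")

def parse_slash_dn(dn):
    """Parse an AIX-style slash-separated DN into an ordered list of (type, value)."""
    if not dn.startswith("/"):
        raise ValueError("DN must begin with '/'")
    parts = []
    for component in dn[1:].split("/"):
        if "=" not in component:
            raise ValueError(f"malformed DN component: {component!r}")
        rdn_type, value = component.split("=", 1)
        parts.append((rdn_type.strip().upper(), value.strip()))
    return parts

def check_subject_dn(dn):
    """Return a list of problems; an empty list means the DN has the required form and order."""
    types = [t for t, _ in parse_slash_dn(dn)]
    problems = []
    if types.count("OU") > 1:
        problems.append("more than one OU value (Key Manager allows only one)")
    # Every present type must appear exactly once, in DN_ORDER, with no unknown types.
    if types != [t for t in DN_ORDER if t in types]:
        problems.append(f"components out of order, repeated or unknown: {types}")
    for required in ("C", "O", "CN"):
        if required not in types:
            problems.append(f"missing {required}")
    return problems

def classify_identity(identity):
    """Classify an identity as 'IP', 'user@FQDN' or 'FQDN' (the alternate-name types on the page)."""
    try:
        ipaddress.ip_address(identity)
        return "IP"
    except ValueError:
        pass
    if "@" in identity:
        return "user@FQDN"
    if re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", identity):
        return "FQDN"
    raise ValueError(f"unrecognised identity: {identity!r}")

def identity_matches_certificate(identity, subject_dn, subject_alt_names=()):
    """True if the tunnel identity equals the certificate Subject DN or one of its alternate names."""
    if identity.startswith("/"):  # X.500 DN identity: compare component by component
        return parse_slash_dn(identity) == parse_slash_dn(subject_dn)
    kind = classify_identity(identity)
    for san in subject_alt_names:
        if classify_identity(san) != kind:
            continue  # an IP identity must match an IP alternate name, and so on
        if kind == "IP" and ipaddress.ip_address(san) == ipaddress.ip_address(identity):
            return True
        if kind != "IP" and san.lower() == identity.lower():
            return True
    return False
```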