<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Digital certificates for VPN connections" />
<meta name="abstract" content="Review this information to learn how to use certificates as part of configuring a Virtual Private Network (VPN) connection." />
<meta name="description" content="Review this information to learn how to use certificates as part of configuring a Virtual Private Network (VPN) connection." />
<meta name="DC.Relation" scheme="URI" content="rzahurzahu4aagetstarteddcm.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzaja/rzajacreatevpncon.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzahuvpn_certs_and_vpns" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Digital certificates for VPN connections</title>
</head>
<body id="rzahuvpn_certs_and_vpns"><a name="rzahuvpn_certs_and_vpns"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Digital certificates for VPN connections</h1>
<div><p>Review this information to learn how to use certificates
as part of configuring a Virtual Private Network (VPN) connection.</p>
<p>You can use digital certificates as a means of establishing an <span class="keyword">iSeries™</span> VPN connection. Both endpoints
of a dynamic VPN connection must be able to authenticate each other before
activating the connection. Endpoint authentication is done by the Internet
Key Exchange (IKE) server on each end. After successful authentication, the
IKE servers then negotiate the encryption methodologies and algorithms they
will use to secure the VPN connection. </p>
<p>One method that the IKE servers can use to authenticate each other is a
pre-shared key. However, a pre-shared key is less secure because you must
communicate the key manually to the administrator of the other VPN endpoint,
and the key could be exposed to others while it is being communicated. </p>
<p>You can avoid this risk by using digital certificates to authenticate the
endpoints instead of using a pre-shared key. The IKE server can authenticate
the other server's certificate to establish a connection to negotiate the
encryption methodologies and algorithms the servers will use to secure the
connection. </p>
<p>You can use Digital Certificate Manager (DCM) to manage the certificates
that your IKE server uses for establishing a dynamic VPN connection. You must
first decide whether to use public certificates or to issue private certificates
for your IKE server. </p>
<p>Some VPN implementations require that the certificate contain alternative
subject name information, such as a domain name or an e-mail address, in addition
to the standard distinguished name information. When you use the Local CA
in DCM to issue a certificate you can specify alternative subject name information
for the certificate. Specifying this information ensures that your VPN connection
is compatible with other VPN implementations that may require it for authentication. </p>
<div class="p">To learn more about how to manage certificates for your VPN connections,
review these resources: <ul><li>If you have never used DCM to manage certificates before, these topics
will help you get started: <ul><li><a href="rzahurzahu4anactingownca.htm#rzahu4an-acting_own_ca">Creating
and operating a Local, private CA</a> describes how to use DCM to issue
private certificates for your applications.</li>
<li><a href="rzahurzahu66cdcminternetcertsr4.htm#rzahu66c-dcm_internet_certs_r4">Managing
certificates from a public Internet CA</a> describes how to use DCM to
work with certificates from a public CA.</li>
</ul>
</li>
<li>If you currently use DCM to manage certificates for other applications,
review these resources to learn how to specify that an application use an
existing certificate and which certificates the application can accept and
authenticate: <ul><li><a href="rzahumngsyscertapp.htm#mng_sys_cert_app">Managing the certificate
assignment for an application</a> describes how to use DCM to assign an
existing certificate to an application, such as your IKE server. </li>
<li><a href="rzahumngcaapptrust.htm#mng_ca_app_trust">Defining a CA trust
list for an application</a> describes how to specify which CAs an application
can trust when the application accepts certificates for client (or VPN) authentication. </li>
</ul>
</li>
</ul>
</div>
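<p>The paragraph above on alternative subject name information (the X.509 subjectAltName extension) and the list item on defining a CA trust list describe two checks an IKE endpoint makes on a peer certificate. The script below is an added example that is not IBM's code and not part of this topic: it uses the openssl command line in place of DCM to let a Local CA issue an endpoint certificate that carries a domain name and an e-mail address as alternative subject names, then shows a peer check that accepts a certificate only when it chains to a CA on the trust list and carries that information. The CA names (<code>trusted-ca</code>, <code>other-ca</code>), endpoint names (<code>vpn-b</code>, <code>vpn-nosan</code>, <code>vpn-c</code>), host names, e-mail address and file paths are all constructed for the example.</p>

```shell
#!/bin/sh
# Added example (not IBM's code): a Local CA issues an IKE endpoint certificate
# that carries alternative subject name information, and a peer certificate is
# checked against a CA trust list before it is accepted. Requires the openssl CLI.
# Every name, address and path below is constructed for the example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal request config so the example does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
O = Example Corp
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Create a self-signed CA (stands in for the DCM Local CA). $1 = CA file stem.
make_local_ca() {
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days 365 -subj "/O=Example Corp/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Issue an endpoint certificate: $1 = issuing CA stem, $2 = endpoint stem,
# $3 = subjectAltName value (an empty string issues a certificate without one).
issue_endpoint_cert() {
  ca=$1; name=$2; san=$3
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Example Corp/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\n' > "$WORK/$name.ext"
  if [ -n "$san" ]; then
    printf 'subjectAltName=%s\n' "$san" >> "$WORK/$name.ext"
  fi
  openssl x509 -req -sha256 -days 365 -in "$WORK/$name.csr" \
    -CA "$WORK/$ca.pem" -CAkey "$WORK/$ca.key" -CAcreateserial \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" >/dev/null 2>&1
}

# Accept a peer certificate only if it chains to a CA on the trust list
# ($1, a PEM bundle) and carries alternative subject name information ($2 is
# the peer certificate). Returns 0 to accept, 1 to reject.
authenticate_peer() {
  trust_list=$1; cert=$2
  # -no-CApath: trust nothing beyond the listed CAs (no system store).
  openssl verify -no-CApath -CAfile "$trust_list" "$cert" >/dev/null 2>&1 || return 1
  # The SAN value is printed on the line after the extension heading.
  openssl x509 -in "$cert" -noout -text \
    | grep -A1 'Subject Alternative Name' | grep -q -e 'DNS:' -e 'email:' || return 1
  return 0
}

# Build the scenario: one trusted Local CA and one CA that is not on the trust list.
make_local_ca trusted-ca
make_local_ca other-ca
issue_endpoint_cert trusted-ca vpn-b 'DNS:vpn-b.example.com,email:vpnadmin@example.com'
issue_endpoint_cert trusted-ca vpn-nosan ''
issue_endpoint_cert other-ca vpn-c 'DNS:vpn-c.example.com'
TRUST="$WORK/trust-list.pem"
cp "$WORK/trusted-ca.pem" "$TRUST"

# vpn-b is accepted; vpn-nosan lacks the alternative name; vpn-c chains to a CA
# that is not on the trust list.
for peer in vpn-b vpn-nosan vpn-c; do
  if authenticate_peer "$TRUST" "$WORK/$peer.pem"; then
    echo "$peer: accepted"
  else
    echo "$peer: rejected"
  fi
done
```

<p>The two rejections correspond to the two settings the topic points at: the trust list (<code>trusted-ca.pem</code> is the only CA the peer check honours, so <code>vpn-c</code> fails even though its certificate is otherwise valid) and the alternative subject name requirement (<code>vpn-nosan</code> chains correctly but carries no DNS name or e-mail address). Adding a second CA certificate to the trust-list bundle is the command-line equivalent of adding that CA to the application's CA trust list in DCM.</p>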
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzahurzahu4aagetstarteddcm.htm" title="Use this information to help you decide how and when you might use digital certificates to meet your security goals. Use this information to learn about any prerequisites you need to install, as well as other requirements that you must consider before using DCM.">Plan for DCM</a></div>
</div>
<div class="relinfo"><strong>Related information</strong><br />
<div><a href="../rzaja/rzajacreatevpncon.htm">Configuring a VPN connection</a></div>
</div>
</div>
</body>
</html>