<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Digital certificates for VPN connections" />
<meta name="abstract" content="Review this information to learn how to use certificates as part of configuring a Virtual Private Network (VPN) connection." />
<meta name="description" content="Review this information to learn how to use certificates as part of configuring a Virtual Private Network (VPN) connection." />
<meta name="DC.Relation" scheme="URI" content="rzahurzahu4aagetstarteddcm.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzaja/rzajacreatevpncon.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzahuvpn_certs_and_vpns" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Digital certificates for VPN connections</title>
</head>
<body id="rzahuvpn_certs_and_vpns"><a name="rzahuvpn_certs_and_vpns"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Digital certificates for VPN connections</h1>
<div><p>Review this information to learn how to use certificates as part of configuring a Virtual Private Network (VPN) connection.</p>
<p>You can use digital certificates as a means of establishing an <span class="keyword">iSeries™</span> VPN connection. Both endpoints of a dynamic VPN connection must be able to authenticate each other before activating the connection. Endpoint authentication is done by the Internet Key Exchange (IKE) server on each end. After successful authentication, the IKE servers negotiate the encryption methodologies and algorithms they will use to secure the VPN connection.</p>
<p>One method that the IKE servers can use to authenticate each other is a pre-shared key. However, a pre-shared key is less secure because you must communicate the key manually to the administrator of the other endpoint of your VPN, so the key could be exposed to others while it is being communicated.</p>
<p>You can avoid this risk by using digital certificates to authenticate the endpoints instead of a pre-shared key. Each IKE server authenticates the other server's certificate to establish the connection, and the two servers then negotiate the encryption methodologies and algorithms they will use to secure it.</p>
<p>You can use Digital Certificate Manager (DCM) to manage the certificates that your IKE server uses for establishing a dynamic VPN connection. You must first decide whether to use public certificates or to issue private certificates for your IKE server.</p>
<p>Some VPN implementations require that the certificate contain alternative subject name information, such as a domain name or an e-mail address, in addition to the standard distinguished name information. When you use the Local CA in DCM to issue a certificate, you can specify alternative subject name information for the certificate. Specifying this information ensures that your VPN connection is compatible with other VPN implementations that may require it for authentication.</p>
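The identity check behind the requirement above, as an added example that is not IBM or DCM code: a standard-library Python parser for a certificate's subjectAltName (the "alternative subject name" the text mentions) that confirms whether the domain name, e-mail address or IPv4 address a peer asserts during IKE is actually present in its certificate. The SAN bytes, tag set and IPv4-only handling are constructed assumptions for illustration; in practice the bytes come from the parsed peer certificate.

```python
import ipaddress

# GeneralName tags (RFC 5280 4.2.1.6) that IKE ID_RFC822_ADDR, ID_FQDN and ID_IPV4_ADDR map onto.
TAG_TO_KIND = {0x81: "email", 0x82: "dns", 0x87: "ip"}

# Constructed sample (not from a real certificate): the DER value of a SubjectAltName
# extension carrying a DNS name, an e-mail address and an IPv4 address.
SAMPLE_SAN = (b"\x30\x2e"
              b"\x82\x0fvpn.example.com"
              b"\x81\x15ike-admin@example.com"
              b"\x87\x04\xc0\x00\x02\x0a")

def _read_len(buf, i):
    """Decode a DER definite length at buf[i]; return (length, index after it)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def parse_san(der):
    """Return [(kind, value)] for the GeneralNames in a SubjectAltName value;
    forms IKE does not match on here (URI, directoryName, otherName) are skipped."""
    if not der or der[0] != 0x30:
        raise ValueError("SubjectAltName value must be a SEQUENCE")
    total, i = _read_len(der, 1)
    end = i + total
    if end != len(der):
        raise ValueError("SEQUENCE length does not match buffer")
    names = []
    while i < end:
        tag = der[i]
        length, i = _read_len(der, i + 1)
        if i + length > end:
            raise ValueError("GeneralName overruns SEQUENCE")
        payload, i = der[i:i + length], i + length
        if tag == 0x87:
            names.append(("ip", str(ipaddress.ip_address(payload))))
        elif tag in TAG_TO_KIND:
            names.append((TAG_TO_KIND[tag], payload.decode("ascii")))
    return names

def ike_id_matches(san_der, id_type, id_value):
    """True if the identity a peer asserts in its IKE ID payload appears in its
    certificate's SAN. Names compare case-insensitively; a missing SAN never matches."""
    if not san_der:
        return False
    wanted = str(ipaddress.ip_address(id_value)) if id_type == "ip" else id_value.lower()
    return any(kind == id_type and (value if kind == "ip" else value.lower()) == wanted
               for kind, value in parse_san(san_der))
```

A certificate that carries only a distinguished name yields an empty SAN here and therefore never matches, which is exactly the interoperability failure the text warns about.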
<div class="p">To learn more about how to manage certificates for your VPN connections, review these resources:
<ul>
<li>If you have never used DCM to manage certificates before, these topics will help you get started:
<ul>
<li><a href="rzahurzahu4anactingownca.htm#rzahu4an-acting_own_ca">Creating and operating a Local, private CA</a> describes how to use DCM to issue private certificates for your applications.</li>
<li><a href="rzahurzahu66cdcminternetcertsr4.htm#rzahu66c-dcm_internet_certs_r4">Managing certificates from a public Internet CA</a> describes how to use DCM to work with certificates from a public CA.</li>
</ul>
</li>
<li>If you currently use DCM to manage certificates for other applications, review these resources to learn how to specify that an application use an existing certificate and which certificates the application can accept and authenticate:
<ul>
<li><a href="rzahumngsyscertapp.htm#mng_sys_cert_app">Managing the certificate assignment for an application</a> describes how to use DCM to assign an existing certificate to an application, such as your IKE server.</li>
<li><a href="rzahumngcaapptrust.htm#mng_ca_app_trust">Defining a CA trust list for an application</a> describes how to specify which CAs an application can trust when the application accepts certificates for client (or VPN) authentication.</li>
</ul>
</li>
</ul>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzahurzahu4aagetstarteddcm.htm" title="Use this information to help you decide how and when you might use digital certificates to meet your security goals. Use this information to learn about any prerequisites you need to install, as well as other requirements that you must consider before using DCM.">Plan for DCM</a></div>
</div>
<div class="relinfo"><strong>Related information</strong><br />
<div><a href="../rzaja/rzajacreatevpncon.htm">Configuring a VPN connection</a></div>
</div>
</div>
</body>
</html>