
5.5.6.2 DSTM using TSP-SSL (in a VPN scenario) on FreeBSD(1)

Installation and Setup

Please refer to the previous section for how to install DSTM on a FreeBSD host.

In order to use SSL with TSP, some certificates are needed:

• Certificates with authority to sign other certificates (CA).
• Certificates (cert) and corresponding private keys, signed by some known CA.

For both server and client the following files and certificates are needed:

1) local cert: A file containing a certificate for the local machine and the corresponding private key. In the following example configuration this file is /etc/dstmd/cert.pem. The certificate is signed by some CA; that CA must be known to every correspondent (the other side of a TSP connection) through its CA file (see below).

Both the certificate and the key are in PEM format, and the certificate is the first data in the file: the -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- block comes first, followed by the private key block.

2) pass phrase (only if the key is encrypted): The certificate's key may be protected (encrypted) with a password/pass phrase, which is then handed to dstmd/rpcdstmd in a file (see the note below). If the key is not encrypted, the file /etc/dstmd/cert.pem as a whole must be protected instead, i.e.:

# chown root /etc/dstmd/cert.pem; chmod 400 /etc/dstmd/cert.pem

3) CA: A file containing the certificates of all CAs that signed the certificates of correspondents, plus, where there is a chain of certification, the CA(s) that signed those CAs, concatenated into one file, e.g.

# cat .../*CA*pem > /etc/dstmd/cacert.pem

Each CA certificate is in PEM format; the file is simply the concatenation of their -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- blocks.

4) Accepted cert list: An optional file listing the certificates that are accepted, if you want to restrict access to some specific certificates instead of every certificate signed by a CA in the CA file.

One local cert is needed for the server and one for each client. They may all be the same certificate, if the security risk of sharing it is accepted (anyone holding the shared key can impersonate any other party). Note: the cert's key may be protected by a password; if you use a password, it must be passed in clear text to dstmd/rpcdstmd in a file, and that file must itself be protected (chmod 400). If you do not use a password, the key/cert file must be protected (chmod 400).

To obtain a certificate, either use one issued by some certification authority (standard certificates appear to be sufficient; no special "role" is needed), or take the easiest way and create one with the openssl program, as described in the 'How to create CA and certs, using openssl' section of the README-SSL file shipped with the SSL version of DSTM available on ENST's website.
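The following script is an added example, not part of this page and not the README-SSL procedure from the DSTM distribution. It builds with openssl the files items 1) and 3) above describe, for one server and one client: a local cert file per side (certificate first, then its private key, mode 0400) and a CA file per side holding the CAs of its correspondents. It then checks that each side can verify the other's certificate, that a certificate from a CA absent from the CA file is rejected, and that a local cert file with the key before the certificate is caught. The names server-ca, client-ca, rogue-ca, server, client and rogue, and the scratch directory $WORK, are assumptions; a real install copies the results to /etc/dstmd/cert.pem and /etc/dstmd/cacert.pem and adds the chown root.

```shell
#!/bin/sh
# Added example (not from the page or the DSTM distribution): generate test
# CAs and certificates with openssl and lay them out as the text requires.
# All names and the $WORK directory are assumptions for the demonstration.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }
WORK="${WORK:-$(mktemp -d)}"

# make_ca DIR NAME: self-signed test CA -> DIR/NAME.pem (cert), DIR/NAME.key.
# basicConstraints CA:TRUE is set explicitly so the cert is a valid trust
# anchor regardless of the openssl.cnf defaults on this host.
make_ca() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/$2.ext"
    openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -days 365 \
        -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
}

# make_cert DIR CA NAME: key and CSR for NAME, signed by CA, then the local
# cert file DIR/NAME-cert.pem laid out as the page requires: certificate
# first, private key second, readable by its owner only.
make_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 365 -out "$1/$3.crt" 2>/dev/null
    cat "$1/$3.crt" "$1/$3.key" > "$1/$3-cert.pem"
    chmod 400 "$1/$3-cert.pem"   # unencrypted key: protect the whole file
}

# make_cabundle DIR OUT CA...: concatenate the CA certs one side must trust.
make_cabundle() {
    d=$1; out=$2; shift 2
    : > "$d/$out"
    for ca in "$@"; do cat "$d/$ca.pem" >> "$d/$out"; done
}

# check_local_cert FILE: 0 if FILE begins with a certificate, also carries the
# private key matching that certificate, and has mode 0400.
check_local_cert() {
    head -n 1 "$1" | grep -q 'BEGIN CERTIFICATE' || return 1
    pub_from_cert=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null)
    pub_from_key=$(sed -n '/-BEGIN .*PRIVATE KEY-/,/-END .*PRIVATE KEY-/p' "$1" \
                   | openssl pkey -pubout 2>/dev/null)
    [ -n "$pub_from_cert" ] && [ "$pub_from_cert" = "$pub_from_key" ] || return 1
    [ -n "$(find "$1" -perm 0400)" ]
}

# verify_peer CAFILE CERTFILE: 0 if the peer's certificate chains to a CA in CAFILE.
verify_peer() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Server trusts client-ca, client trusts server-ca; rogue-ca is trusted by nobody.
build_all() {
    for ca in server-ca client-ca rogue-ca; do make_ca "$WORK" "$ca"; done
    make_cert "$WORK" server-ca server
    make_cert "$WORK" client-ca client
    make_cert "$WORK" rogue-ca rogue
    make_cabundle "$WORK" server-cacert.pem client-ca
    make_cabundle "$WORK" client-cacert.pem server-ca
}

build_all
check_local_cert "$WORK/server-cert.pem" && echo "server local cert file: OK"
verify_peer "$WORK/server-cacert.pem" "$WORK/client-cert.pem" && echo "client accepted by server"
verify_peer "$WORK/client-cacert.pem" "$WORK/server-cert.pem" && echo "server accepted by client"
verify_peer "$WORK/server-cacert.pem" "$WORK/rogue-cert.pem" || echo "rogue cert rejected by server"
```

The script runs unprivileged, so the chown root of the real installation is left out; on the target host run it as root against /etc/dstmd. To use an encrypted key instead, re-encrypt NAME.key with openssl pkey (for example with -aes256 and -passout file:...), place the pass phrase in a file with mode 0400, and hand that file to dstmd/rpcdstmd as the note above describes; the certificate-then-key layout of cert.pem stays the same.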