beautypg.com

Nortel Networks NN46120-104 User Manual

Page 83

background image

83

>> Groups# /cfg/sys/user

>> User# edit cert_admin

>> User cert_admin# password

Enter admin’s current password:

(

admin

user password)

Enter new password for cert_admin:

(

cert_admin

user

password)

Re-enter to confirm:

(reconfirm

cert_admin

user password)

7

Apply the changes.

>> User cert_admin# apply

Changes applied successfully.

8

Let the Certificate Administrator user define an export
passphrase.

This step is only necessary if you want to fully separate the
Certificate Administrator user role from the Administrator user
role. If the

admin

user is removed from the

certadmin

group,

a Certificate Administrator export passphrase (

caphrase

) must

be defined.

As long as the

admin

user is a member of the

certadmin

group (the default configuration), the

admin

user is prompted

for an export passphrase each time a configuration backup
that contains private keys is sent to a TFTP/FTP/SCP/SFTP
server (command:

/cfg/ptcfg

). When the

admin

user is not

a member of the

certadmin

group, the export passphrase

defined by the Certificate Administrator is used instead to
encrypt private keys in the configuration backup. The encryption
of private keys using the export passphrase defined by the
Certificate Administrator is performed transparently to the user,
without prompting. When the configuration backup is restored,
the Certificate Administrator must enter the correct export
passphrase.

Note 1: If the export passphrase defined by the Certificate
Administrator is lost, configuration backups made by the

admin

user while he or she was not a member of the

certadmin

group cannot be restored.

Note 2: When using the

/cfg/ptcfg

command on an ASA

310-FIPS, private keys are always encrypted using the wrap
key that was generated when the first HSM card in the cluster
was initialized.

The export passphrase defined by the Certificate
Administrator remains the same until changed by using
the

/cfg/sys/user/caphrase

command. For users who are

not members of the

certadmin

group, the

caphrase

command

in the User menu is hidden. Only users who are members of

Nortel VPN Gateway

User Guide

NN46120-104

02.01

Standard

14 April 2008

Copyright © 2007-2008 Nortel Networks

.