Check Point® VPN-1 Secureclient NG build 53328 for Redhat ...

Introduction 

Check Point® VPN-1 SecureClient 

NG build 53328 

for RedHat Linux 7.2 and 7.3 

Release Notes 

July 7, 2003 

This version of SecureClient for Linux uses a command-line for interaction with the user. 

This version can work either in command-line mode, where the user manually connects 

and disconnects, or in transparent mode, where a connection is triggered automatically by 

the relevant network traffic. 

For site management operations, the operations “add new site”, “update site” and “delete 

site” are also supported via the command line interface. 

Authentication is supported in the following modes: pre-shared secret, hybrid mode and 

certificates. However, currently only PKCS#12 format certificates are supported. UDP 

encapsulation is also supported, as is also Multiple Entry Point (MEP) configuration. 

In This Document 

System Requirements 

Limitations 

Introduction page 1 

System Requirements page 1 

Limitations page 1 

Installation Guide page 2 

User Guide page 3 

Command Line Quick Reference page 5 

OS: RedHat Linux version 6.2, kernel 2.2. 

RedHat Linux version 7.2 & 7.3, kernel versions 2.4.9-7, 2.4.9-33, 2.4.18-5 and 2.4.18-10. 

Note - This version is not supported in the newest kernel versions, such as those of RH 8.0. 

Minimum disk space: 11 MB 

Minimum memory requirements: 64 MB 

1) Office Mode is not supported. 

Last Update — July 7, 2003

2) Secure Client Verification (SCV) is not supported. 

3) Currently only PKCS#12 format certificates are supported. 

Customers using Entrust Digital ID's in the *.epf format must export them to *.p12 

format using the Entrust Entelligence 6.0 'Export' feature. To use the Export feature, 

right click on the Entrust key Tray icon and select Entrust Options. Users must have 

their account configured with suitable export policies by their PKI administrator before 

the PKCS#12 Export feature is enabled in Entrust Entelligence. Please refer to the 

Entrust document Desktop Admin Guide 6.0 for configuration instructions for Entrust/ 

Authority 5.0 and 6.0. Relevant sections are titled Export to PKCS#12 and Enabling the 

Export Certificate Type. 

4) Authentication using SecureID is not supported. 

5) Any Authentication scheme which is Challenge-Response based is not supported. 

Installation Guide 

The installation package contains desktop_53328_36.tar, which contains the following files: 

1) desktop_53328_36.tgz - the installation package of SecureClient 

2) scinstall - a script through which the user should install this build. It opens the 

desktop tgz file, installs SecureClient, and copies customized userc.C file, if exists, to 

the correct locations. 

3) userc.C - an optional topology file. It may be replaced with a customized userc.C file by 

the administrator prior to distributing this package to end-users. 

4) scuninstall - a script that uninstalls SecureClient. 

5) readme.html - this readme file. 

6) license.txt - the Check Point license agreement. 

If a customized userc.C is being used, note that the initial operating mode is determined by 

it as follows: 

In “transparent” mode, both these options are unset (or missing): 

• :connect_mode (false) 

• :connect_api_support (false) 

In command-line mode, both these options must be set: 

• :connect_mode (true) 

• :connect_api_support (true) 

Installing SecureClient 

Note - Run all the installation scripts as super-user (root). 

Check Point SecureClient NG build 53328 for RedHat Linux 7.2 and 7.3 Release Notes. Last Update — July 7, 2003 2

1 Copy the files to a new subdirectory on your machine, and open the 

desktop_53328_28.tgz file. 

2 Run the script scinstall to install the SecureClient package. 

3 Reboot the machine. 

Uninstalling SecureClient 

1 Run the script scuninstall 

2 Reboot your machine. 

Configuring Transparent (un-attended) mode: 

Use transparent mode for un-attended login. Connections will be triggered by network 

traffic with any of the sites in the encryption domain. 

• Issue scc setmode transparent. 

• Set credentials using scc userpass ' 

Note that automatic connection takes the current credentials as previously defined by scc 

userpass. 

Be careful to define the credentials for the same login name as the unattended machine is 

going to use. 

User Guide 

Environment 

To execute the command line, define the following environment variables (for example, 

initialize in your login .bashrc shell): 

export CPDIR=/opt/CPsrsc-50 

export FWDIR=/opt/CPsrsc-50 

export LD_LIBRARY_PATH=$CPDIR/lib:$CPDIR/bin 

PATH=$CPDIR:$PATH 

Authentication 

Prior to any authenticated operation, such as site management and connect request, you 

must insert your credentials, using the scc userpass or scc passcert 

commands. 

Note that these credentials are associated with your effective login name. More specifically, 

different users can define different credentials. For example, if you login as santa, then the 

credentials you set will be used for subsequent connect as santa, but then if you login as 

root you must define another set of credentials, and they will be used whenever you are 

root. Nevertheless, at one time only single user can be connected to one single site. 


Site Management 

Use scc add for defining a new site. You may be asked to approve the site DN 

and fingerprint before adding it. 

Use scc update for downloading a new topology. 

Use scc delete for removing the site. 

Establishing a Connection 

Use scc connect and scc disconnect whenever you want to connect/ 

disconnect. 

Desktop Security Policy 

In command-line mode, when connecting to a site, a logon to its policy server is also 

attempted, and a desktop policy is downloaded if possible. 

Auditing Sessions 

There are several options to view the status of SecureClient: 

• The command scc status gives a brief status. 

• The command scc setpolicy displays whether desktop policy is currently enabled or 

not. 

• The command scc setmode displays the current mode. 

• The file /opt/CPsrsc_50/log/ConnectMgr.log keeps record of the connect/disconnect 

sessions and their results. It also displays “Encrypting” whenever encryption activity is 

going on. You can view it online using tail -f. 

• Use the script /opt/CPsrsc_50/SCStart interactive to re-start SecureClient with 

advanced debugging options. This script redirects the debugging information from 

ScBootlog.txt to the console. Specifically, whenever the SecureClient encrypts, the 

output will contain the following lines (substitute for the “blinking envelope” of the 

windows version): 

fwuserc_post==>Command: 

fwuserc_post==>Command: 

• The file sr_service_tde.log (located in /opt/CPsrsc_50/log) collects debugging 

information during the operation of SecureClient. 

• The file ScBootlog.txt (located in /opt/CPsrsc_50/log) contains more debugging 

information, to complement the information in sr_service_tde.log. 


Command Line Quick Reference 

The SecureClient command line uses the following syntax: 

scc [] 

Command Meaning 

add (*) Add new site 

update 

(*) Update site 

up 

delete 

(*) Delete site 

del 

connect 

(*) Connect and wait with given Connect Mode profile 

c 

connectnowait (*) Connect Asynchronously with given Connect Mode 

cn 

profile 

disconnect 

(*) Disconnect last Connect Mode profile 

d 

status 

Display connection status 

s 

listprofiles 

List all Connect Mode profiles 

p 

numprofiles 

Display number of Connect Mode profiles 

np 

userpass Set credentials: username + password 

unp 

passcert 

Set credentials: password + certificate (full path of certificate 

 

file) 

pc 

erasecreds 

Unset credentials 

ep 

setpolicy [on | off] 

(P) Enable/disable current default policy 

sp [on | off] 

sp Display current policy status 

startsc (P) Start SecureClient services 

stopsc (P) Stop SecureClient services 

setmode (P) Switch SR/SC mode 

where = transparent | cli 

trans | cli 

(cli = Command Line Interface) 

setmode Display current mode 

version 

Display current version 

ver 

(*) = these commands are available only in Command Line mode. 

(P) = these commands need administrator privileges

Check Point® VPN-1 Secureclient NG build 53328 for Redhat ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?