Sun™ Crypto Accelerator 4000 Board Installation and User’s Guide Sun Microsystems, Inc. 4150 Network Circle Santa Clara, CA 95054 U.S.A. 650-960-1300 Part No. 817-0431-10 May 2003, Revision A Send comments about this document to: docfeedback@sun.
Copyright 2003 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved. This product or document is distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this product or document may be reproduced in any form by any means without prior written authorization of Sun and its licensors, if any. Third-party software, including font technology, is copyrighted and licensed from Sun suppliers.
Declaration of Conformity (Fiber MMF)

Compliance Model Number: Venus-FI
Product Family Name: Sun Crypto Accelerator 4000 - Fiber (X4012A)

EMC
USA - FCC Class B
This equipment complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: 1) This equipment may not cause harmful interference. 2) This equipment must accept any interference that may cause undesired operation.

EC Type Examination Certificates:
EN 60950:2000, 3rd Edition
IEC 60950:2000, 3rd Edition, Evaluated to all CB Countries
UL 60950, 3rd Edition, CSA C22.2 No. 60950-00

Supplementary Information
This product was tested and complies with all the requirements for the CE Mark.
/S/ Dennis P. Symanski, Manager, Compliance Engineering, Sun Microsystems, Inc.

EN61000-4-2: 6 kV (Direct), 8 kV (Air)
EN61000-4-3: 3 V/m 80-1000 MHz, 10 V/m 800-960 MHz and 1400-2000 MHz
EN61000-4-4: 1 kV AC and DC Power Lines, 0.5 kV Signal Lines
EN61000-4-5: 2 kV AC Line-Gnd, 1 kV AC Line-Line and Outdoor Signal Lines, 0.5 kV Indoor Signal Lines > 10m
EN61000-4-6
EN61000-4-11
vi Sun Crypto Accelerator 4000 Board Installation and User’s Guide • May 2003
Regulatory Compliance Statements

Your Sun product is marked to indicate its compliance class:

• Federal Communications Commission (FCC) — USA
• Industry Canada Equipment Standard for Digital Equipment (ICES-003) — Canada
• Voluntary Control Council for Interference (VCCI) — Japan
• Bureau of Standards Metrology and Inspection (BSMI) — Taiwan

Please read the appropriate section that corresponds to the marking on your Sun product before attempting to install the product.
ICES-003 Class A Notice - Avis NMB-003, Classe A This Class A digital apparatus complies with Canadian ICES-003. Cet appareil numérique de la classe A est conforme à la norme NMB-003 du Canada. ICES-003 Class B Notice - Avis NMB-003, Classe B This Class B digital apparatus complies with Canadian ICES-003. Cet appareil numérique de la classe B est conforme à la norme NMB-003 du Canada.
BSMI Class A Notice The following statement is applicable to products shipped to Taiwan and marked as Class A on the product compliance label.
Contents

1. Product Overview
   Required Patches 10
   Apache Web Server Patch 10
   Solaris 8 Patches 11
   Solaris 9 Patches 11

2. Installing the Sun Crypto Accelerator 4000 Board
   Handling the Board 13
   Installing the Board 14
   ▼ To Install the Hardware 14
   Installing the Sun Crypto Accelerator 4000 Software
   ▼ To Install the Software

3. Configuring Driver Parameters
   Noninteractive and Interactive Modes 34
   Setting Autonegotiation or Forced Mode 36
   ▼ To Disable Autonegotiation Mode 37
   Setting Parameters Using the vca.conf File 38
   ▼ To Set Driver Parameters Using a vca.conf File 38
   Setting Parameters for All Sun Crypto Accelerator 4000 vca Devices With the vca.conf File 39
   ▼ To Set Parameters for All Sun Crypto Accelerator 4000 vca Devices With the vca.conf File 40
   Example vca.

4. Administering the Sun Crypto Accelerator 4000 Board With the vcaadm and vcadiag Utilities
   Logging In to a New Board 59
   Logging In to a Board With a Changed Remote Access Key 60
   vcaadm Prompt 61
   Logging Out of a Board With vcaadm 61
   Entering Commands With vcaadm 63
   Getting Help for Commands 64
   Quitting the vcaadm Program in Interactive Mode 65
   Initializing the Sun Crypto Accelerator 4000 Board With vcaadm 65
   ▼ To Initialize the Sun Crypto Accelerator 4000 Board With a New Keystore 66
   Initializing the Sun Crypto Accelerator 4000 Board to Use an Existing Keystore 67
   ▼ To Initialize
   Displaying Board Status 77
   Loading New Firmware 78
   Resetting a Sun Crypto Accelerator 4000 Board 78
   Rekeying a Sun Crypto Accelerator 4000 Board 79
   Zeroizing a Sun Crypto Accelerator 4000 Board 80
   Using the vcaadm diagnostics Command
   Using vcadiag

5. Installing and Configuring Sun ONE Web Server 6.0
   Installing Sun ONE Web Server 6.0 101
   ▼ To Install Sun ONE Web Server 6.0 101
   ▼ To Create a Trust Database 102
   ▼ To Generate a Server Certificate 104
   ▼ To Install the Server Certificate 107
   Configuring Sun ONE Web Server 6.0 for SSL 108
   ▼ To Configure the Sun ONE Web Server 6.

6.

7.
   ▼ Performing the Ethernet FCode Self-Test Diagnostic
   Troubleshooting the Sun Crypto Accelerator 4000 Board 132
   show-devs 132

A. Specifications

E. Manual Pages 161

F. Zeroizing the Hardware 163
   Zeroizing the Sun Crypto Accelerator 4000 Hardware to the Factory State

G.
Tables

TABLE 1-1 IPsec Cryptographic Algorithms
TABLE 1-2 SSL Cryptographic Algorithms
TABLE 1-3 Supported SSL Algorithms
TABLE 1-4 Front Panel Display LEDs for the MMF Adapter 6
TABLE 1-5 Front Panel Display LEDs for the UTP Adapter 8
TABLE 1-6 Hardware and Software Requirements 10
TABLE 1-7 Required Solaris 8 Patches for Sun Crypto Accelerator 4000 Software
TABLE 2-1 Files in the /cdrom/cdrom0 Directory 17
TABLE 2-2 Sun Crypto Accelerator 4000 Directories 19
TABLE 3-1 vca Driver Parame
TABLE 3-12 Cryptographic Driver Statistics 43
TABLE 3-13 Ethernet Driver Statistics
TABLE 3-14 TX and RX MAC Counters 45
TABLE 3-15 Current Ethernet Link Properties 47
TABLE 3-16 Read-Only vca Device Capabilities 47
TABLE 3-17 Read-Only Link Partner Capabilities
TABLE 3-18 Driver-Specific Parameters 49
TABLE 4-1 vcaadm Options
TABLE 4-2 vcaadm Prompt Variable Definitions
TABLE 4-3 connect Command Optional Parameters 62
TABLE 4-4 Security Officer Name, User Name, and Keystore Name Re
TABLE A-9 Performance Specifications 140
TABLE A-10 Power Requirements 140
TABLE A-11 Interface Specifications 141
TABLE A-12 Environmental Specifications 141
TABLE B-1 SSL Protocols 144
TABLE B-2 Available SSL Ciphers 145
TABLE B-3 SSL Aliases 146
TABLE B-4 Special Characters to Configure Cipher Preference 147
TABLE B-5 SSL Verify Client Levels 148
TABLE B-6 SSL Log Level Values 149
TABLE B-7 Available SSL Options 150
TABLE E-1 Sun Crypto Accelerator 4000 Online Manual Pages 161
Preface The Sun Crypto Accelerator 4000 Board Installation and User’s Guide lists the features, protocols, and interfaces of the Sun™ Crypto Accelerator 4000 board and describes how to install, configure, and manage the board in your system.
■ Chapter 7 describes how to test the Sun Crypto Accelerator 4000 board with the SunVTS diagnostic application and the onboard FCode self-test. This chapter also provides troubleshooting techniques with OpenBoot PROM commands.
■ Appendix A lists the specifications for the Sun Crypto Accelerator 4000 board.
■ Appendix B lists directives for using Sun Crypto Accelerator 4000 software to configure SSL support for Apache Web Servers.
Typographic Conventions

Typeface    Meaning                                                 Examples
AaBbCc123   The names of commands, files, and directories;          Edit your .login file.
            on-screen computer output                               Use ls -a to list all files.
                                                                    % You have mail.
AaBbCc123   What you type, when contrasted with on-screen           % su
            computer output                                         Password:
AaBbCc123   Book titles, new words or terms, words to be            Read Chapter 6 in the User's Guide.
            emphasized                                              These are called class options.
                                                                    You must be superuser to do this.
Accessing Sun Documentation Online You can view, print, or purchase a broad selection of Sun documentation, including localized versions, at: http://www.sun.com/documentation Sun Welcomes Your Comments Sun is interested in improving its documentation and welcomes your comments and suggestions. You can email your comments to Sun at: docfeedback@sun.com Please include the part number (817-0431-10) of your document in the subject line of your email.
CHAPTER 1 Product Overview

This chapter provides an overview of the Sun Crypto Accelerator 4000 board, and contains the following sections:

■ "Product Features" on page 1
■ "Hardware Overview" on page 5
■ "Hardware and Software Requirements" on page 10

Product Features

The Sun Crypto Accelerator 4000 board is a Gigabit Ethernet-based network interface card that supports cryptographic hardware acceleration for IPsec and SSL (both symmetric and asymmetric) on Sun servers.
Key Features

■ Gigabit Ethernet with either copper or fiber interface
■ Accelerates IPsec and SSL cryptographic functions
■ Session establishment rate: up to 4300 operations per second
■ Bulk encryption rate: up to 800 Mbps
■ Provides up to 2048-bit RSA encryption
■ Delivers up to 10 times faster 3DES bulk data encryption
■ Provides tamper-proof, centralized security key and certificate administration for Sun ONE Web Server for increased security and simplified key management
■ Designed for FIP
Diagnostic Support

■ User-executable self-test using OpenBoot™ PROM
■ SunVTS™ diagnostic tests

Cryptographic Algorithm Acceleration

The Sun Crypto Accelerator 4000 board accelerates cryptographic algorithms in both hardware and software. The reason for this split is that the cost of accelerating cryptographic algorithms is not uniform across all algorithms: some algorithms were designed specifically to be implemented in hardware, others to be implemented in software.
SSL Acceleration TABLE 1-3 shows which SSL accelerated algorithms may be off-loaded to hardware and which software algorithms are provided for Sun ONE and Apache Web Servers.
Hardware Overview The Sun Crypto Accelerator 4000 hardware is a full size (4.2 inches x 12.283 inches) cryptographic accelerator PCI Gigabit Ethernet adapter that enhances the performance of IPsec and SSL on Sun servers. IPsec Hardware Acceleration The Sun Crypto Accelerator 4000 board encrypts and decrypts IPsec packets in hardware, offloading this high-overhead operation from the SPARC™ processor.
Sun Crypto Accelerator 4000 MMF Adapter

The Sun Crypto Accelerator 4000 MMF adapter is a single-port Gigabit Ethernet fiber optics PCI bus card. It operates in 1000 Mbps Ethernet networks only.

FIGURE 1-1 Sun Crypto Accelerator 4000 MMF Adapter

LED Displays

See TABLE 1-4.

TABLE 1-4 Front Panel Display LEDs for the MMF Adapter

Label       Meaning if Lit                                                                                                                                      Color
Fault       On when the board is in the HALTED (fatal error) state or low-level hardware initialization failed.
Init        On if the security officer has initialized the board with vcaadm. See "Initializing the Sun Crypto Accelerator 4000 Board With vcaadm" on page 65. Flashing if the ZEROIZE jumper is present.   Green
FIPS Mode   On when operating in FIPS 140-2 level 3 certified mode. Off when in non-FIPS mode.                                                                  Green
Link        Link up.

LED Displays

See TABLE 1-5.

TABLE 1-5 Front Panel Display LEDs for the UTP Adapter

Label       Meaning if Lit                                                                                                                                      Color
Fault       On when the board is in the HALTED (fatal error) state or low-level hardware initialization failed. Flashing if an error occurred during the boot process.   Red
Diag        On in the POST, DIAGNOSTICS, and FAILSAFE (firmware not upgraded) states. Flashing when running DIAGNOSTICS.                                        Green
Operate     On in the POST, DIAGNOSTICS, and DISABLED (driver not attached) states.
Dynamic Reconfiguration and High Availability

The Sun Crypto Accelerator 4000 hardware and associated software provide the capability to work effectively on Sun platforms supporting Dynamic Reconfiguration (DR) and hot-plugging. During a DR or hot-plug operation, the Sun Crypto Accelerator 4000 software layer automatically detects the addition or removal of a board and adjusts its scheduling algorithms to accommodate the change in hardware resources.
Hardware and Software Requirements

TABLE 1-6 provides a summary of the hardware and software requirements for the Sun Crypto Accelerator 4000 adapter.

TABLE 1-6 Hardware and Software Requirements

Hardware                Sun Fire™ V120, V210, V240, 280R, V480, V880, 4800, 4810, 6800, 12K, 15K; Netra™ 20 (lw4); Sun Blade™ 100, 150, 1000, 2000
Operating Environment   Solaris 8 2/02 and future compatible releases (Solaris 9 is required for IPsec acceleration.

Solaris 8 Patches

The following tables list required and recommended Solaris 8 patches to use with this product. TABLE 1-7 lists and describes the required patches.

TABLE 1-7 Required Solaris 8 Patches for Sun Crypto Accelerator 4000 Software

Patch-ID    Description
110383-01   libnvpair
108528-05   KU-05 (nvpair support)
112438-01   /dev/random

Solaris 9 Patches

There are currently no required Solaris 9 patches.
CHAPTER 2 Installing the Sun Crypto Accelerator 4000 Board This chapter describes how to install the Sun Crypto Accelerator 4000 hardware and software.
Installing the Board Installing the Sun Crypto Accelerator 4000 board involves inserting the board into the system and loading the software tools. The hardware installation instructions include only general steps for installing the board. Refer to the documentation that came with your system for specific installation instructions. ▼ To Install the Hardware 1.
To determine whether the Sun Crypto Accelerator 4000 device properties are listed correctly, from the ok prompt navigate to the device path and type .properties to display the list of properties.

ok cd /pci@8,600000/network@1
ok .
Installing the Sun Crypto Accelerator 4000 Software The Sun Crypto Accelerator 4000 software is included on the Sun Crypto Accelerator 4000 CD. You may need to download patches from the SunSolve web site. See “Required Patches” on page 10 for more information. ▼ To Install the Software 1. Insert the Sun Crypto Accelerator 4000 CD into a CD-ROM drive that is connected to your system.
You see the following files and directories in the /cdrom/cdrom0 directory.

TABLE 2-1 Files in the /cdrom/cdrom0 Directory

File or Directory   Contents
Copyright           U.S.

2. Install the required software packages by typing:

# cd /cdrom/cdrom0/Packages
# pkgadd -d . SUNWkcl2r SUNWkcl2u SUNWvcar SUNWvcau SUNWvcaa SUNWvcafw

3. (Optional) To verify that the software is installed properly, run the pkginfo command.

To install all of the optional software packages, type the following:

# cd /cdrom/cdrom0/Packages
# pkgadd -d . SUNWkcl2a SUNWkcl2m SUNWvcamn SUNWvcav SUNWkcl2o SUNWkcl2i.u

Refer to TABLE 2-1 for a description of the contents of the optional packages in the previous examples.

Directories and Files

TABLE 2-2 shows the directories created by the default installation of the Sun Crypto Accelerator 4000 software.

/etc/opt/SUNWconn/vca/keydata      Encrypted keys
/opt/SUNWconn/cryptov2/bin         Application executables
/opt/SUNWconn/cryptov2/include     Development support
/opt/SUNWconn/cryptov2/lib         Application libraries
/opt/SUNWconn/cryptov2/man         Manual pages
/opt/SUNWconn/cryptov2/sbin        Daemon executables
/opt/SUNWconn/cryptov2/ssl         Apache configuration support

FIGURE 2-1 Sun Crypto Accelerator 4000 Directories and Files

Note – Once you have installed the hardware and software of the board, you need to initialize the board with configuration and keystore information.
Removing the Software

If you have created keystores (refer to "Managing Keystores With vcaadm" on page 69), delete the keystore information that the Sun Crypto Accelerator 4000 board is configured with before removing the software. The zeroize command removes all key material held on the board, but it does not delete the keystore files, which are stored in the filesystem of the physical host in which the board is installed (the keydata directory shown in FIGURE 2-1). Until those files are deleted, the encrypted keys remain on the host after the board has been zeroized.
Note – After installing or removing the SunVTS test (SUNWvcav) for the Sun Crypto Accelerator 4000 board, if SunVTS is already running it might be necessary to reprobe the system to update the available tests. See your SunVTS documentation for more information.
CHAPTER 3 Configuring Driver Parameters This chapter describes how to configure the vca device driver parameters used by both the Sun Crypto Accelerator 4000 UTP and MMF Ethernet adapters.
with the remote end of the link (link partner) to select a common mode of operation for the speed, duplex, and link-clock parameters. The link-clock parameter is applicable only if the board is operating at a 1000 Mbps. The vca device can also be configured to operate in forced mode for each of these parameters. Caution – To establish a proper link, both link partners must operate in either autonegotiation or forced mode for each of the speed, duplex, and link-clock (1000 Mbps only) parameters.
TABLE 3-1 vca Driver Parameter, Status, and Descriptions (Continued)

Parameter       Status           Description
ipg2            Read and write   Interpacket Gap parameter
rx-intr-pkts    Read and write   Receive interrupt blanking values
rx-intr-time    Read and write   Receive interrupt blanking values
red-dv4to6k     Read and write   Random early detection and packet drop vectors
red-dv6to8k     Read and write   Random early detection and packet drop vectors
red-dv8to10k    Read and write   Random early detection and packet drop vectors
The Sun Crypto Accelerator 4000 UTP adapter advertised link parameters are different from those of the Sun Crypto Accelerator 4000 MMF adapter as shown in TABLE 3-2. TABLE 3-2 Operational Mode Parameters Parameter Description The following parameter is for both the Sun Crypto Accelerator 4000 UTP and MMF adapters.
If all of the previous parameters are set to 1, autonegotiation will use the highest speed possible. If all of the previous parameters are set to 0, you will receive the following error message:

NOTICE: Last setting will leave vca0 with no link capabilities.
WARNING: vca0: Restoring previous setting.

Note – In the previous example, vca0 is the Sun Crypto Accelerator 4000 board device name, where the string vca is used for every Sun Crypto Accelerator 4000 board.

TABLE 3-3 Read-Write Flow Control Keyword Descriptions

Keyword (asymmetric pause capability, adv-pause-cap)   Description
1  0                                                   Pauses are transmitted but are not received.
0  1                                                   Pauses are sent and received.
0  1 or 0                                              adv-pause-cap determines whether the pause capability is on or off.
pause-on-threshold                                     Defines the number of 64 byte blocks in the receive (RX) FIFO which causes the board to generate an XON-PAUSE frame.
have enable-ipg0 enabled might not have enough time on the network. You can add the additional delay by setting the ipg0 parameter from 0 to 255, which is the media byte time delay. TABLE 3-5 defines the enable-ipg0 and ipg0 parameters.
Interrupt Parameters

TABLE 3-7 describes the receive interrupt blanking values.

TABLE 3-7 RX Blanking Register for Alias Read

Field Name     Values        Description
rx-intr-pkts   0 to 511      Interrupts after this number of packets have arrived since the last packet was serviced. A value of zero indicates no packet blanking. (Default=3)
rx-intr-time   0 to 524287   Interrupts after 4.5 microseconds (usecs) have elapsed since the last packet was serviced. A value of zero indicates no time blanking.

TABLE 3-8 RX Random Early Detecting 8-Bit Vectors (Continued)

Field Name     Values     Description
red-dv6to8k    0 to 255   Random early detection and packet drop vectors for when the FIFO threshold is greater than 6,144 bytes and less than 8,192 bytes. The probability of drop can be programmed at 12.5 percent granularity. For example, if bit 8 is set, the first packet out of every eight will be dropped in this region.

PCI Bus Interface Parameters

These parameters allow you to modify PCI interface features to gain better PCI interface performance for a given application.

TABLE 3-9 PCI Bus Interface Parameters

Parameter       Description
tx-dma-weight   Determines the multiplication factor for granting credit to the transmit (TX) side during a weighted round robin arbitration; the values are 0 to 3 (Default=0). Zero means no extra weighting. The other values are power of 2 extra weighting on that traffic.
Setting vca Driver Parameters You can set the vca device driver parameters in two ways: ■ Using the ndd utility ■ Using the vca.conf file If you use the ndd utility, the parameters are valid only until you reboot the system. This method is good for testing parameter settings. To set parameters so they remain in effect after you reboot the system, create a /kernel/drv/vca.conf file and add parameter values to this file when you need to set a particular parameter for a device in the system.
Note – In the examples in this user’s guide, N represents the instance number of the device. The device remains selected until you change the selection. Noninteractive and Interactive Modes You can use the ndd utility in two modes: ■ ■ Noninteractive Interactive In noninteractive mode, you invoke the utility to execute a specific command. Once the command is executed, you exit the utility. In interactive mode, you can use the utility to get or set more than one parameter value.
Using the ndd Utility in Interactive Mode

● To modify a parameter value in interactive mode, specify ndd /dev/vcaN, as shown below. The ndd utility then prompts you for the name of the parameter:

# ndd /dev/vcaN
name to get/set? (Enter the parameter name or ? to view all parameters)

After typing the parameter name, the ndd utility prompts you for the parameter value (see TABLE 3-1 through TABLE 3-9).
● To list all the parameters supported by the vca driver, type ndd /dev/vca. (See TABLE 3-1 through TABLE 3-9 for parameter descriptions.
By default, autonegotiation mode is enabled for these link parameters. When either of these parameters are in autonegotiation mode, the vca device communicates with the link partner to negotiate a compatible value and flow control capability. When a value other than auto is set for either of these parameters, no negotiation occurs and the link parameter is configured in forced mode. In forced mode, the value for the speed parameter must match between link partners.
Setting Parameters Using the vca.conf File You can also specify the driver parameter properties by adding entries to the vca.conf file in the /kernel/drv directory. The parameter names are the same names listed in “Driver Parameter Values and Definitions” on page 24. Caution – Do not remove any of the default entries in the /kernel/drv/vca.conf file. The online manual pages for prtconf(1) and driver.conf(4) include additional details. The next procedure shows an example of setting parameters in a vca.
The device path name in the first line of the previous example is "/pci@8,600000/network@1". Device path names are made up of three parts: device parent name, device node name, and device unit address. See TABLE 3-10.

TABLE 3-10 Device Path Name

Entire Device Path Name      Parent Name Portion   Node Name Portion   Unit Address Portion
"/pci@8,600000/network@1"    /pci@8,600000         network             1
"/pci@8,700000/network@1"    /pci@8,700000         network             1

To identify a PCI device unambiguously in the vca.

▼ To Set Parameters for All Sun Crypto Accelerator 4000 vca Devices With the vca.conf File

1. Add a line to the vca.conf file to change the value of a parameter for all instances by entering parameter=value;. The following example sets the adv-autoneg-cap parameter to 1 for all instances of all Sun Crypto Accelerator 4000 Ethernet devices:

adv-autoneg-cap=1;

Example vca.conf File

The following is an example vca.conf file:

#
# Copyright 2002 Sun Microsystems, Inc. All rights reserved.
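The two ways of setting vca parameters described in this section, at run time with ndd and persistently through vca.conf, as an added example that is not from this guide. It assumes the /dev/vcaN nodes and the ndd -set/-get syntax used in this chapter, driver.conf(4) per-device entries of the form name="..." parent="..." unit-address="..." parameter=value;, and advertised-capability parameters named adv-1000fdx-cap, adv-100fdx-cap and so on, matching the cap-* names of TABLE 3-16; the value of the name property for a vca entry is not given on this page, so it is passed in explicitly.

```sh
#!/bin/sh
# Added example, not from the Sun guide.  Helpers for the two ways this
# chapter sets vca driver parameters: ndd (settings lost at reboot) and
# /kernel/drv/vca.conf (persistent).
#
# Assumptions, not stated on this page:
#   - ndd accepts "ndd -set /dev/vcaN param value" and "ndd -get /dev/vcaN param"
#   - the advertised-capability parameters are named adv-<speed><duplex>-cap
#     (adv-1000fdx-cap, adv-100fdx-cap, ... adv-10hdx-cap), matching the
#     cap-* names of TABLE 3-16
#   - a per-device vca.conf entry has the driver.conf(4) form
#       name="..." parent="..." unit-address="..." param=value;
#     and the value of the name property is taken from the existing vca.conf

# Split an OBP device path (TABLE 3-10) into "parent node unit".
# /pci@8,600000/network@1 -> /pci@8,600000 network 1
vca_split_path() (
    path=$1
    case "$path" in
        /*/*@*) ;;                  # needs a parent and a unit address
        *) return 1 ;;
    esac
    parent=${path%/*}
    leaf=${path##*/}
    node=${leaf%@*}
    unit=${leaf#*@}
    [ -n "$parent" ] && [ -n "$node" ] && [ -n "$unit" ] || return 1
    printf '%s %s %s\n' "$parent" "$node" "$unit"
)

# One vca.conf line binding PARAM=VALUE to a single board, identified by
# parent and unit address as the guide requires.
# Usage: vca_conf_line NAME DEVICE_PATH PARAM VALUE
vca_conf_line() (
    parts=$(vca_split_path "$2") || return 1
    set -- "$1" "$3" "$4" $parts    # $4=parent $5=node $6=unit
    printf 'name="%s" parent="%s" unit-address="%s" %s=%s;\n' \
        "$1" "$4" "$6" "$2" "$3"
)

# The all-instances form from the procedure above: parameter=value;
vca_conf_global() {
    printf '%s=%s;\n' "$1" "$2"
}

# Set one parameter with ndd and read it back.  The driver can keep the
# old value instead of the requested one (the "Restoring previous setting"
# message above), and ndd -set may still exit 0 when that happens, so only
# the read-back proves the change took effect.
vca_ndd_set() (
    dev=$1 param=$2 value=$3
    ndd -set "/dev/$dev" "$param" "$value" || return 1
    got=$(ndd -get "/dev/$dev" "$param") || return 1
    [ "$got" = "$value" ]
)

# Put vcaN into forced mode for a single speed and duplex.  The wanted
# capability is advertised first and the others cleared afterwards, so the
# board never reaches the "no link capabilities" state the driver rejects.
# Usage: vca_force_link vca0 adv-100fdx-cap
vca_force_link() (
    dev=$1 want=$2
    vca_ndd_set "$dev" "$want" 1 || return 1
    for cap in adv-1000fdx-cap adv-1000hdx-cap adv-100fdx-cap \
               adv-100hdx-cap adv-10fdx-cap adv-10hdx-cap; do
        [ "$cap" = "$want" ] && continue
        vca_ndd_set "$dev" "$cap" 0 || return 1
    done
    vca_ndd_set "$dev" adv-autoneg-cap 0
)
```

The ndd path changes the running driver only; the Caution at the start of this chapter still applies, so the link partner must be in forced mode as well before vca_force_link is run. To keep the same setting across reboots, write the line vca_conf_line prints into /kernel/drv/vca.conf without removing the default entries.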
Enabling Autonegotiation or Forced Mode for Link Parameters With the OpenBoot PROM

The following parameters can be configured to operate in autonegotiation or forced mode at the OpenBoot PROM (OBP) interface:

TABLE 3-11 Local Link Network Device Parameters

Parameter   Description
speed       This parameter can be set to auto, 1000, 100, or 10; the syntax is as follows:
            • speed=auto (default)
            • speed=1000
            • speed=100
            • speed=10
duplex      This parameter can be set to auto, full, or half; the syntax is as follows
When the local link is operating in autonegotiation mode for the speed and duplex parameters at 100 Mbps and below and both full and half duplexes, then the link partner uses either the 100 Mbps or 10 Mbps speeds with either duplex. When the speed parameter is operating in forced mode, the value must match the speed value of the link-partner. If the duplex parameter does not match between the local link and the link partner, the link may come up; however, traffic collisions will occur.
To establish a forced mode for a speed of 10 Mbps and an autonegotiation mode for duplex, type the following at the OBP prompt:

ok boot net:speed=10,duplex=auto

You could also type the following at the OBP prompt to establish the same local link parameters as the previous example:

ok boot net:speed=10

Refer to the IEEE 802.3 documentation for further details.
Ethernet Driver Statistics

TABLE 3-13 describes the Ethernet driver statistics.

TABLE 3-13 Ethernet Driver Statistics

Parameter    Description                                                                                   Stable or Unstable
ipackets     Number of inbound packets.                                                                    Stable
ipackets64   64-bit version of ipackets.                                                                   Stable
ierrors      Total packets received that could not be processed because they contained errors (long).      Stable
opackets     Total packets requested to be transmitted on the interface.

TABLE 3-14 describes the transmit and receive MAC counters.

TABLE 3-14 TX and RX MAC Counters

Parameter             Description                                                                                                                                              Stable or Unstable
tx-collisions         16-bit loadable counter; increments for every frame transmission attempt that resulted in a collision.                                                   Stable
tx-first-collisions   16-bit loadable counter; increments for every frame transmission that experienced a collision on the first attempt, but was successfully transmitted on the second attempt.

TABLE 3-14 TX and RX MAC Counters (Continued)

Parameter             Description                                                                                                                                              Stable or Unstable
tx-underrun           16-bit loadable counter; increments after a valid frame has been received from the network.                                                              Unstable
rx-length-err         16-bit loadable counter; increments after a frame, whose length is greater than the value that was programmed in the Maximum Frame Size Register, has been received from the network.
The following Ethernet properties (TABLE 3-15) are derived from the intersection of device capabilities and the link partner capabilities. TABLE 3-15 describes the current Ethernet link properties.
TABLE 3-16 Read-Only vca Device Capabilities (Continued)

Parameter       Description                                                                                                                      Stable or Unstable
cap-10fdx       Local interface full-duplex capability: 0 = Not 10 Mbps full-duplex capable, 1 = 10 Mbps full-duplex capable                      Stable
cap-10hdx       Local interface half-duplex capability: 0 = Not 10 Mbps half-duplex capable, 1 = 10 Mbps half-duplex capable                      Stable
cap-asm-pause   Local interface flow control capability: 0 = Not asymmetric pause capable, 1 = Asymmetric pause (from the local device) capable (See "Flow Con

TABLE 3-17 Read-Only Link Partner Capabilities (Continued)

Parameter          Description                                                                                                                   Stable or Unstable
lp-cap-10hdx       0 = No 10 Mbps half-duplex transmission, 1 = 10 Mbps half-duplex                                                               Stable
lp-cap-asm-pause   0 = Not asymmetric pause capable, 1 = Asymmetric pause towards link partner capability (See "Flow Control Parameters" on page 27)   Stable
lp-cap-pause       0 = Not symmetric pause capable, 1 = Symmetric pause capable (See "Flow Control Parameters" on page 27)                        Stable

If the link partner is not capable of

TABLE 3-18 Driver-Specific Parameters (Continued)

Parameter       Description                                                                                Stable or Unstable
tx-queue3       Number of packets queued for transmission on the fourth hardware transmit queue.           Unstable

Ethernet Receive Counters
rx-hdr-pkts     Number of packets received that were less than 256 bytes.                                  Unstable
rx-mtu-pkts     Number of packets received that were greater than 256 bytes and less than 1514 bytes.      Unstable
rx-split-pkts   Number of packets that were split across two pages.

TABLE 3-18 Driver-Specific Parameters (Continued)

Parameter       Description                                                                                                  Stable or Unstable
rx-rel-flow     Number of times the driver was told to release a flow.                                                       Unstable
rev-id          Revision ID of the Sun Crypto Accelerator 4000 Ethernet device, useful for identifying the device in the field.   Unstable
pci-err         Sum of all PCI errors.                                                                                       Unstable
pci-rta-err     Number of target aborts received.                                                                            Unstable
pci-rma-err     Number of master aborts received.
Network Configuration This section describes how to edit the network host files after the adapter has been installed on your system. Configuring the Network Host Files After installing the driver software, you must create a hostname.vcaN file for the adapter’s Ethernet interface. Note that in the file name hostname.vcaN, N corresponds to the instance number of the vca interface you plan to use. You must also create both an IP address and a host name for its Ethernet interface in the /etc/hosts file. 1.
To use the vca interface of the example shown in Step 1, create an /etc/hostname.vcaN file, where N corresponds to the instance number of the device which is 0 in this example. If the instance number were 1, the file name would be /etc/hostname.vca1. ■ Do not create an /etc/hostname.vcaN file for a Sun Crypto Accelerator 4000 interface you plan to leave unused. ■ The /etc/hostname.vcaN file must contain the host name for the appropriate vca interface.
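The host-file configuration described above, as an added example that is not from this guide. It writes /etc/hostname.vcaN and the matching /etc/hosts entry under a root directory that defaults to the live system but can point at a scratch tree for a dry run, enforces the two rules the text gives (the file holds exactly the interface's host name; no file for unused instances), and refuses to remap a name that /etc/hosts already binds to another address. The host name and address in the comments are constructed sample values.

```sh
#!/bin/sh
# Added example, not from the Sun guide.  Creates the two pieces of host
# configuration the section above describes for a vca interface:
#   ROOT/etc/hostname.vcaN  containing only the interface's host name
#   ROOT/etc/hosts          mapping that host name to its IP address
# ROOT is normally /; pointing it at a scratch directory lets you check the
# result before touching the live system.  Sample values used in tests,
# such as sca4000-host.example.com / 192.0.2.10, are constructed.

# Validate an IPv4 dotted quad.  Returns 1 if ADDR is not one.
vca_valid_ipv4() (
    addr=$1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
)

# Address currently bound to NAME in HOSTSFILE, or nothing.
# Usage: vca_hosts_lookup NAME HOSTSFILE
vca_hosts_lookup() {
    [ -f "$2" ] || return 0
    awk -v n="$1" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }' "$2"
}

# Usage: vca_configure_host ROOT INSTANCE HOSTNAME IPADDR
# Returns 1 on malformed input, 2 if HOSTNAME is already mapped to a
# different address (nothing is written), 0 otherwise.  Re-running with the
# same values does not duplicate the /etc/hosts entry.
vca_configure_host() (
    root=$1 inst=$2 name=$3 addr=$4
    case "$inst" in ''|*[!0-9]*) return 1 ;; esac           # instance number only
    case "$name" in ''|*[!A-Za-z0-9.-]*|-*) return 1 ;; esac
    vca_valid_ipv4 "$addr" || return 1
    mkdir -p "$root/etc" || return 1
    hosts=$root/etc/hosts
    bound=$(vca_hosts_lookup "$name" "$hosts")
    if [ -n "$bound" ]; then
        [ "$bound" = "$addr" ] || return 2
    else
        printf '%s\t%s\n' "$addr" "$name" >> "$hosts" || return 1
    fi
    # The guide: hostname.vcaN must contain the host name for this
    # interface, and must not exist for interfaces that stay unused.
    printf '%s\n' "$name" > "$root/etc/hostname.vca$inst"
)

# Usage: vca_host_check ROOT INSTANCE
# Prints the address /etc/hosts gives the name in hostname.vcaN; returns 1
# if the file is missing or empty, or names a host that /etc/hosts does
# not know (the interface would come up without an address).
vca_host_check() (
    file=$1/etc/hostname.vca$2
    [ -s "$file" ] || return 1
    read -r name < "$file" || true
    [ -n "$name" ] || return 1
    addr=$(vca_hosts_lookup "$name" "$1/etc/hosts")
    [ -n "$addr" ] || return 1
    printf '%s\n' "$addr"
)
```

Rehearse with a scratch root first (vca_configure_host /tmp/stage 0 host addr, then vca_host_check /tmp/stage 0) and run it against / only once the check prints the expected address.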
CHAPTER 4 Administering the Sun Crypto Accelerator 4000 Board With the vcaadm and vcadiag Utilities This chapter provides an overview of the vcaadm and vcadiag utilities.
The vcaadm command-line syntax is:

■ vcaadm [-H]
■ vcaadm [-y] [-h host] [-p port] [-d vcaN] [-f filename]
■ vcaadm [-y] [-h host] [-p port] [-d vcaN] [-s sec_officer] command

Note – When using the -d option, vcaN is the board's device name, where N corresponds to the Sun Crypto Accelerator 4000 device instance number.

TABLE 4-1 shows the options for the vcaadm utility.

TABLE 4-1 vcaadm Options

Option   Meaning
-H       Displays help for vcaadm commands and exits.
Note – To use vcaadm, you must authenticate as security officer. How often you need to authenticate as security officer is determined by which operating mode you are using. Single-Command Mode In Single-Command mode, you must authenticate as security officer for every command. Once the command is executed, you are logged out of vcaadm. When entering commands in Single-Command mode, you specify the command to be run after all the command-line switches are specified.
To enter commands in File mode, you specify a file from which vcaadm reads one or more commands. The file must be ASCII text, consisting of one command per line. Begin each comment with a pound sign (#) character. If the File mode option is set, vcaadm ignores any command-line arguments after the last option. The following example runs the commands in the deluser.scr file and answers all prompts in the affirmative:

$ vcaadm -f deluser.
Logging In to a Board With vcaadm

If the security officer connects to a new board, vcaadm notifies the security officer and prompts with the following options:

1. Abort the connection
2. Trust the connection one time only (no changes to the trust database)
3. Trust this board forever (adds the hardware Ethernet address and RSA public key to the trust database)

Option 3 pins whatever MAC ID and public key the remote end presents, so compare the displayed MAC ID and key fingerprint with values obtained out of band (for example, recorded when the board was initialized) before choosing it.

When connecting to a new board, vcaadm must create a new entry in the trust database. The following is an example of logging in to a new board.

# vcaadm -h hostname
Warning: MAC ID and Public Key Not Found
-----------------------------------------------------
The MAC ID and public key presented by this board were
not found in your trust database.
MAC ID: 08:00:20:EE:EE:EE
Key Fingerprint: 29FC-7A54-4014-442F-7FD9-5FEA-8411-CFB4
-----------------------------------------------------
Please select an action:
1.
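A check for the trust decision above, as an added example that is not part of this guide or of vcaadm: it reads the MAC ID and Key Fingerprint lines out of a vcaadm transcript (the sample used in the test is the one shown above) and prints the menu option to answer, 3 only when both values match what the security officer recorded out of band, otherwise 1. Comparison is case-insensitive and ignores the dash grouping of the fingerprint; the expected values are assumed to have been recorded when the board was initialized.

```sh
#!/bin/sh
# Added example, not from the Sun guide and not part of vcaadm.  Before a
# security officer answers the "MAC ID and Public Key Not Found" prompt,
# the board's identity should be checked against values recorded out of
# band (for example when the board was initialized).  These helpers read a
# vcaadm transcript on stdin and print the menu option to answer: 3 (trust
# forever) only on a full match, otherwise 1 (abort).  They never choose 2.

# Canonical form of a fingerprint: upper-case hex, no separators.
vca_fp_normalize() {
    printf '%s' "$1" | tr -d ': -' | tr 'abcdef' 'ABCDEF'
}

# Canonical form of a MAC ID: upper-case, no blanks, colons kept.
vca_mac_normalize() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# Usage: vca_trust_choice EXPECTED_MAC EXPECTED_FINGERPRINT < transcript
# Prints 1 or 3.  Returns 1 and prints nothing when the transcript carries
# no "MAC ID:" or "Key Fingerprint:" line, so that an unrecognised prompt
# is never answered automatically.
vca_trust_choice() (
    exp_mac=$(vca_mac_normalize "$1")
    exp_fp=$(vca_fp_normalize "$2")
    mac= fp=
    while IFS= read -r line; do
        case "$line" in
            *"MAC ID:"*)          mac=$(vca_mac_normalize "${line##*"MAC ID:"}") ;;
            *"Key Fingerprint:"*) fp=$(vca_fp_normalize "${line##*"Key Fingerprint:"}") ;;
        esac
    done
    [ -n "$mac" ] && [ -n "$fp" ] || return 1
    if [ "$mac" = "$exp_mac" ] && [ "$fp" = "$exp_fp" ]; then
        echo 3
    else
        echo 1
    fi
)
```

A mismatch in either value yields 1, so a board whose key changed (for example after rekeying) is not silently re-trusted; see "Logging In to a Board With a Changed Remote Access Key" for that case.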
vcaadm Prompt The vcaadm prompt in Interactive mode is displayed as follows: vcaadm{vcaN@hostname, sec_officer}> command The following table describes the vcaadm prompt variables: TABLE 4-2 vcaadm Prompt Variable Definitions Prompt Variable Definition vcaN vca is a string that represents the Sun Crypto Accelerator 4000 board. N is the device instance number (unit address) that is in the device path name of the board. Refer to “To Set Driver Parameters Using a vca.
In the previous example, notice the vcaadm> prompt no longer displays the device instance number, hostname, or security officer name. To log in to another device, type the connect command with the following optional parameters.
TABLE 4-3 connect Command Optional Parameters
Parameter: Meaning
dev vcaN: Connect to the Sun Crypto Accelerator 4000 board with the driver instance number of N. For example -d vca1 connects to the device vca1; this defaults to device vca0.
Entering Commands With vcaadm The vcaadm program has a command language that must be used to interact with the Sun Crypto Accelerator 4000 board. Commands are entered using all or part of a word (enough to uniquely identify that word from any other possibilities). Entering sh instead of show would work, but re is ambiguous because it could be reset or rekey.
Getting Help for Commands vcaadm has built-in help functions. To get help, you must enter a question mark (?) character following the command you want more help on.
When not in vcaadm Interactive mode, the ? character could be interpreted by the shell in which you are working. In this case, be sure to use the command shell escape character before the question mark.
Quitting the vcaadm Program in Interactive Mode
Two commands allow you to exit from vcaadm: quit and exit. The Ctrl-D key sequence also exits from vcaadm.
Initializing the Sun Crypto Accelerator 4000 Board With vcaadm
The first step in configuring a Sun Crypto Accelerator 4000 board is to initialize it.
▼ To Initialize the Sun Crypto Accelerator 4000 Board With a New Keystore 1. Enter vcaadm at a command prompt of the system with the Sun Crypto Accelerator 4000 board installed or enter vcaadm -h hostname if the system is remote, and select 1 to initialize the board: # vcaadm -h hostname This board is uninitialized. You will now initialize the board. You may either completely initialize the board and start with a new keystore or restore the board using a backup file. 1.
Note – Before an essential parameter is changed or deleted, or before a command is executed that may have drastic consequences, vcaadm prompts you to enter Y, Yes, N, or No to confirm. These values are not case sensitive; the default is No. 5.
▼ To Initialize the Sun Crypto Accelerator 4000 Board to Use an Existing Keystore 1. Enter vcaadm at a command prompt of the system with the Sun Crypto Accelerator 4000 board installed or enter vcaadm -h hostname if the system is remote, and select 2 to restore the board from a backup: # vcaadm -h hostname This board is uninitialized. You will now initialize the board. You may either completely initialize the board and start with a new keystore or restore the board using a backup file. 1.
Managing Keystores With vcaadm A keystore is a repository for key material. Associated with a keystore are security officers and users. Keystores not only provide storage, but a means for key objects to be owned by user accounts. This enables keys to be hidden from applications that do not authenticate as the owner. Keystores have three components: ■ Key objects – Long-term keys that are stored for applications such as the Sun ONE Web Server.
Setting the Password Requirements
Use the set passreq command to set the password requirements for the Sun Crypto Accelerator 4000 board. This command sets the password character requirements for any password prompted by vcaadm. There are three settings for password requirements:
TABLE 4-5 Password Requirement Settings
Password Setting: Requirements
low: Does not require any password restrictions. This is the default while the board is in non-FIPS mode.
When creating a security officer, the name is an optional parameter on the command line. If the security officer name is omitted, vcaadm prompts you for the name. (See “Naming Requirements” on page 69.)
vcaadm{vcaN@hostname, sec_officer}> create so Alice
Enter new security officer password:
Confirm password:
Security Officer Alice created successfully.
Note – The user account is logged out if no commands are entered for more than five minutes. This is a tunable option; see “Setting the Auto-Logout Time” on page 76 for details. Listing Users and Security Officers To list users or security officers associated with a keystore, enter the show user or show so commands.
Enabling or Disabling Users Note – Security officers cannot be disabled. Once a security officer is created, it is enabled until it is deleted. By default each user is created in the enabled state. Users may be disabled. Disabled users cannot access their key material with the PKCS#11 interface. Enabling a disabled user will restore access to all of that user’s key material. When enabling or disabling a user, the user name is an optional parameter on the command line.
Deleting Users
Issue the delete user command and specify the user to be deleted. When deleting a user, the user name is an optional parameter on the command line. If the user name is omitted, vcaadm prompts you for the user name.
vcaadm{vcaN@hostname, sec_officer}> delete user web_admin
Delete user web_admin? (Y/Yes/N/No) [No]: y
User web_admin deleted successfully.
vcaadm{vcaN@hostname, sec_officer}> delete user
User name: Tom
Delete user Tom? (Y/Yes/N/No) [No]: y
User Tom deleted successfully.
A password must be set for the backup data. This password is used to encrypt the master key that is in the backup file.
vcaadm{vcaN@hostname, sec_officer}> backup /opt/SUNWconn/vca/backups/bkup.data
Enter a password to protect the data:
Confirm password:
Backup to /opt/SUNWconn/vca/backups/bkup.data successful.
Caution – Choose a password that is very difficult to guess when making backup files, because this password protects the master key for your keystore: anyone who obtains the backup file and guesses the password can recover the master key.
Managing Boards With vcaadm This section describes how to manage Sun Crypto Accelerator 4000 boards with the vcaadm utility. Setting the Auto-Logout Time To customize the amount of time before a security officer is automatically logged out of the board, use the set timeout command. To change the auto-logout time, enter the set timeout command followed by a single number that is the number of minutes before a security officer is automatically logged out.
Displaying Board Status
To get the current status of a Sun Crypto Accelerator 4000 board, issue the show status command. This displays the hardware and firmware versions for that board, the MAC address of the network interface, the status (Up versus Down, speed, duplex, and so on) of the network interface, and the keystore name and ID.
vcaadm{vcaN@hostname, sec_officer}> show status
Board Status
---------------------------------------------------------------
Hardware Version: 1.0
Firmware Version: 1.
Loading New Firmware It is possible to update the firmware for the Sun Crypto Accelerator 4000 board as new features are added. To load firmware, issue the loadfw command and provide a path to the firmware file. A successful update of the firmware requires you to manually reset the board with the reset command. When you reset the board, the currently logged in security officer is logged out.
Rekeying a Sun Crypto Accelerator 4000 Board
Over time, your security policy may require new keys as the master key or remote access key. The rekey command regenerates either of these keys, or both. Rekeying the master key also re-encrypts the keystore under the new key; backups that hold the old master key can no longer be used to restore the new keystore file. Make a new backup of the master key whenever it is rekeyed.
Zeroizing a Sun Crypto Accelerator 4000 Board In some situations, it might be necessary to clear a board of all its key material. This can be done using two methods. The first method is with a hardware jumper; this form of zeroizing will return the Sun Crypto Accelerator 4000 board to its original factory state (failsafe mode). See “Zeroizing the Sun Crypto Accelerator 4000 Hardware to the Factory State” on page 163. The second method is to use the zeroize command.
bus, the DMA controller, and other hardware internals. Tests for the cryptographic subsystem cover random number generators and cryptographic accelerators. Tests on the network subsystem cover the vca device.
vcaadm{vcaN@hostname, sec_officer}> diagnostics
Performing diagnostic tests...Done.
TABLE 4-7 shows the options for the vcadiag utility.
TABLE 4-7 vcadiag Options
Option: Meaning
-D vcaN: Performs diagnostics on the Sun Crypto Accelerator 4000 board.
-F vcaN: Displays the public key fingerprint used by the Sun Crypto Accelerator 4000 board for securing administration sessions.
-K vcaN: Displays the public key and the public key fingerprint used by the Sun Crypto Accelerator 4000 board for securing administration sessions.
The following is an example of the -K option:
# vcadiag -K vca0
Device: vca0
Key Length: 1024 bits
Key Fingerprint: 5f26-b516-83b4-d254-a75f-c70d-0544-4de6
Modulus: b7215a99 8bb0dfe9 389363a0 44dac2b0 7c884161 20ee8c8b d751437d 4e6a5cdb 76fdcb2a ad353c0b 248edc1d 3c76591d dbca5997 f6ee8022 e8bb5a6d 465a4f8c 601d46be 573e8681 506e5d8d f240a0db 11d5c095 2d237061 df27b2de c353900f f531092b 7d9a755b c5d79782 95a1180b e17303bb aca939ef 006c73f7 74469031
Public Exponent: 00010001
The following is an example of t
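The first-connect prompt earlier in this chapter asks the security officer to trust a board on the strength of a MAC ID and a key fingerprint. The fingerprint vcaadm displays should be compared with the one that vcadiag -F or vcadiag -K reports on the system that hosts the board, obtained over a channel other than the connection being verified. The shell script below is an added example, not part of this guide or of Sun's vcadiag: it takes captured vcadiag -K output (the vca0 output quoted above, modulus omitted) and the fingerprint vcaadm displayed, normalizes case and dashes, checks the length, and reports whether they match. The 29FC-... value is the fingerprint from this chapter's first-connect example and belongs to a different board, so that comparison is expected to fail.

```sh
#!/bin/sh
# Added example, not part of the Sun guide or of vcadiag: verify the key
# fingerprint vcaadm shows on first connect against the fingerprint that
# `vcadiag -K vcaN` (or `vcadiag -F vcaN`) reports on the board's own host.

# Normalize a fingerprint string: drop dashes and whitespace, force upper case.
normalize_fp() {
    printf '%s' "$1" | tr -d '[:space:]-' | tr '[:lower:]' '[:upper:]'
}

# Pull the "Key Fingerprint:" value out of captured vcadiag -K / -F output.
extract_fp() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Key Fingerprint:[[:space:]]*//p' | head -n 1
}

# fp_matches SHOWN VCADIAG_OUTPUT
# Returns 0 when the fingerprint vcaadm displayed equals the one in the
# vcadiag output, 1 when they differ, and 2 when SHOWN is not 32 hex digits
# (128 bits, the length of every fingerprint printed in the guide).
fp_matches() {
    shown=$(normalize_fp "$1")
    local_fp=$(normalize_fp "$(extract_fp "$2")")
    case "$shown" in
        '' | *[!0-9A-F]*) return 2 ;;
    esac
    [ "${#shown}" -eq 32 ] || return 2
    [ "$shown" = "$local_fp" ]
}

# Sample vcadiag -K output for vca0, quoted from the guide (modulus omitted).
VCADIAG_VCA0='Device: vca0
Key Length: 1024 bits
Key Fingerprint: 5f26-b516-83b4-d254-a75f-c70d-0544-4de6
Public Exponent: 00010001'

# Demo: a matching value, then the fingerprint from the guide's first-connect
# example, which belongs to a different board and therefore must be rejected.
for shown_fp in 5F26-B516-83B4-D254-A75F-C70D-0544-4DE6 29FC-7A54-4014-442F-7FD9-5FEA-8411-CFB4; do
    if fp_matches "$shown_fp" "$VCADIAG_VCA0"; then
        echo "$shown_fp: matches vca0, safe to add to the trust database"
    else
        echo "$shown_fp: does NOT match vca0, abort the connection"
    fi
done
```

The comparison is done on the normalized form because vcaadm prints the fingerprint in upper case and vcadiag in lower case, as the two transcripts on this page show; a byte-for-byte string compare would reject a correct fingerprint.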
CHAPTER 5 Configuring Sun ONE Server Software for Use With the Sun Crypto Accelerator 4000 Board
This chapter explains how to configure the Sun Crypto Accelerator 4000 board for use with Sun ONE Web Servers. This chapter includes the following sections:
■ “Administering Security for Sun ONE Web Servers” on page 85
■ “Configuring Sun ONE Web Servers” on page 89
■ “Installing and Configuring Sun ONE Web Server 4.1” on page 92
■ “Installing and Configuring Sun ONE Web Server 6.
Concepts and Terminology Keystores and users must be created for applications that communicate with the Sun Crypto Accelerator 4000 board through a PKCS#11 interface, such as the Sun ONE Web Server. Users, within the context of the Sun Crypto Accelerator 4000, are owners of cryptographic keying material. Each key is owned by a single user. Each user may own multiple keys.
Tokens and Token Files
Keystores appear to Sun ONE Web Servers as tokens. Token files are a technique for Sun Crypto Accelerator 4000 administrators to selectively present only specific tokens to a given application.
Example: There are three keystores, engineering, finance, and legal. By default, the following tokens are presented to the Sun ONE Web Server:
■ engineering
■ finance
■ legal
Token Files: To override the default case, a token file must exist. Some applications cannot handle multiple tokens.
The following is an example of the contents in a token file:
===============================
# This is an example token file
engineering # Comments are acceptable on the same line
legal
# Because the finance keystore is not listed, the Sun Crypto
# Accelerator will not present it to the Sun ONE Web Server.
...
===============================
Note – Comments are preceded by a pound sign (#) and empty lines are acceptable.
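The token file format above is small enough to parse exactly, and doing so shows what the board will present to an application before the web server is restarted. The following shell script is an added example and not part of this guide or of the Sun Crypto Accelerator software; it applies the rules stated here (one keystore name per line, # starts a comment even after a name, blank lines allowed), rejects a line that carries more than one name, and answers whether a given keystore is presented. The sample file it writes is the example token file from this page.

```sh
#!/bin/sh
# Added example, not part of the Sun guide: parse a Sun Crypto Accelerator 4000
# token file. Rules from the guide: one keystore name per line, '#' starts a
# comment (also after a name on the same line), and blank lines are allowed.

# parse_token_file FILE
# Prints the keystore names the file presents, one per line, in file order.
# Fails (exit 1) if a non-comment line holds more than one word, since the
# guide allows exactly one keystore per line; the offending line is reported.
parse_token_file() {
    sed -e 's/#.*$//' "$1" | awk -v file="$1" '
        NF == 1 { print $1 }
        NF > 1  { printf "%s: line %d: expected one keystore name, got: %s\n", file, NR, $0 | "cat 1>&2"; bad = 1 }
        END     { exit bad }'
}

# token_presented FILE KEYSTORE
# Returns 0 if KEYSTORE is one of the tokens the file presents.
token_presented() {
    parse_token_file "$1" | grep -qxF -- "$2"
}

# Demo on the guide's example token file (written to a temporary file).
SAMPLE=${TMPDIR:-/tmp}/vca-tokens.$$
cat > "$SAMPLE" <<'EOF'
# This is an example token file
engineering    # Comments are acceptable on the same line

legal
# Because the finance keystore is not listed, the Sun Crypto
# Accelerator will not present it to the Sun ONE Web Server.
EOF
echo "Tokens presented to the application:"
parse_token_file "$SAMPLE"
for ks in engineering finance legal; do
    if token_presented "$SAMPLE" "$ks"; then echo "$ks: presented"; else echo "$ks: hidden"; fi
done
rm -f "$SAMPLE"
```

Run it against the real token file before restarting the web server: a keystore that the parser does not list is one the web server will not be able to open, which is the usual cause of a missing entry in the Cryptographic Module menu described later in this chapter.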
Configuring Sun ONE Web Servers
This section describes the following:
■ “Passwords” on page 89
■ “Populating a Keystore” on page 90
■ “Overview for Enabling Sun ONE Web Servers” on page 91
■ “Installing and Configuring Sun ONE Web Server 4.1” on page 92
■ “Configuring Sun ONE Web Server 4.1 for SSL” on page 99
■ “Installing and Configuring Sun ONE Web Server 6.0” on page 101
■ “Configuring Sun ONE Web Server 6.
Populating a Keystore Before you can enable the board for use with a Sun ONE Web Server, you must first initialize the board and populate the board’s keystore with at least one user. The keystore for the board is created during the initialization process. You can also initialize Sun Crypto Accelerator 4000 boards to use an existing keystore. Refer to “Initializing the Sun Crypto Accelerator 4000 Board With vcaadm” on page 65.
4. Create a user with the create user command.
vcaadm{vcaN@hostname, sec_officer}> create user username
Initial password:
Confirm password:
User username created successfully.
The username and password created here collectively make the username:password (see TABLE 5-1). You must use this password when authenticating during a web server startup. This is the keystore password for a single user.
Caution – Users must remember this username:password. Without this password, users cannot access their keys.
Installing and Configuring Sun ONE Web Server 4.1
This section explains how to install and configure Sun ONE Web Server 4.1. This section includes the following:
■ “Installing Sun ONE Web Server 4.1” on page 92
■ “Configuring Sun ONE Web Server 4.1 for SSL” on page 99
Installing Sun ONE Web Server 4.1
You must perform these procedures in order. Refer to the Sun ONE Web Server documentation for more information about using Sun ONE Web Servers.
▼ To Install Sun ONE Web Server 4.1
1.
▼ To Create a Trust Database
1. Start the Sun ONE Web Server 4.1 Administration Server. Instead of running startconsole as setup requests, start a Sun ONE Web Server 4.1 Administration Server with the following command:
# /usr/netscape/server4/https-admserv/start
SunONE-WebServer-Enterprise/4.1SP9 BB1-08/23/2001 05:50
startup: listening to http://hostname.domain, port 8888 as root
The response provides the URL for connecting to your servers. 2.
Note – If you want to run Secure Socket Layer (SSL) on the Sun ONE Web Server 4.1 Administration Server server as well, the process of setting up a trust database is similar. Refer to the iPlanet Web Server, Enterprise Edition Administrator’s Guide at http://docs.sun.com for more information. 5. Execute the following script to enable the Sun Crypto Accelerator 4000 board: # /opt/SUNWconn/bin/iplsslcfg This script prompts you to choose a web server.
8. Type y and press Return when prompted, if you want to proceed.
This script will update your Sun ONE Web Server installation in
/usr/netscape/server4 to use the Sun Crypto Accelerator
You will need to restart your admin server after this has completed.
Ok to proceed? [Y/N]: y
Using database directory /usr/netscape/server4/alias...
Module "Sun Crypto Accelerator 4000" added to database.
/usr/netscape/server4 has been configured to use the Sun Crypto Accelerator.
9.
4. To request the server certificate, select the Security tab near the top of the Sun ONE Web Server 4.1 Administration Server window (FIGURE 5-1). The Create Trust Database page is displayed. 5. Select the Request a Certificate link on the left pane (FIGURE 5-1). FIGURE 5-1 Request a Server Certificate Page of the Sun ONE Web Server 4.1 Administration Server 6. Fill out the form to generate a certificate request, using the following information: a. Select a New Certificate.
b. Select the Cryptographic Module you want to use. Each keystore has its own entry in this pull-down menu. Be sure that you select the correct keystore. Do not select SUNW acceleration only. c. In the Key Pair File Password dialog box, provide the password for the user that will own the key. This password is the username:password (TABLE 5-1). d.
▼ To Install the Server Certificate
1. Select the Install Certificate link on the left side of the Sun ONE Web Server 4.1 Administration Server window. Once your request has been approved by a certificate authority and a certificate has been issued, you must install the certificate in the Sun ONE Web Server.
2. Select the Security tab.
3. On the left pane, choose the Install Certificate link.
FIGURE 5-2 The Install a Server Certificate Page of the Sun ONE Web Server 4.
4. Fill out the form to install your certificate: TABLE 5-3 Fields for the Certificate to Install Fields Description Certificate For This server Cryptographic Module Each keystore has its own entry in this pull-down menu. Be sure to select the correct keystore name. To use the Sun Crypto Accelerator 4000, you must select a module with the same name you assigned the keystore. Key Pair File Password This password is the username:password (TABLE 5-1).
4. Set encryption to On. The Port field in the dialog box should update to the default SSL port number 443. Alter the port number if necessary. 5. Select the OK button. 6. Apply these changes by selecting the Save button. The web server is now configured to run in secure mode. 7. Edit the /usr/netscape/server4/https-hostname/config/magnus.
Note – The default server_port is 443.
Installing and Configuring Sun ONE Web Server 6.0
This section explains how to enable the Sun Crypto Accelerator 4000 board for use with Sun ONE 6.0 Web Servers. This section includes the following:
■ “Installing Sun ONE Web Server 6.0” on page 101
■ “Configuring Sun ONE Web Server 6.0 for SSL” on page 108
Installing Sun ONE Web Server 6.0
You must perform these procedures in order.
c. Enter the Sun ONE Web Server 6.0 Administration Server password twice.
d. Press Return when prompted.
▼ To Create a Trust Database
1. Start the Sun ONE Web Server 6.0 Administration Server. To start a Sun ONE Web Server 6.0 Administration Server, use the following command (instead of running startconsole as setup requests):
# /usr/iplanet/servers/https-admserv/start
SunONE-WebServer-Enterprise/6.0SP1 B08/20/2001 00:58
warning: daemon is running as super-user
[LS ls1] http://hostname.
a. Select the Servers tab in the Sun ONE Web Server 6.0 Administration Server window. b. Select a server and select the Manage button. c. Select the Security tab near the top of the page and select the Create Database link. d. Enter a password (web server trust database [TABLE 5-1]) in the two dialog boxes and select OK. Choose a password of at least eight characters. This will be the password used to start the internal cryptographic modules when the Sun ONE Web Server runs in secure mode. 5.
8. Type y and press Return when prompted, if you want to proceed.
This script will update your Sun ONE Web Server installation in
/usr/iplanet/servers to use the Sun Crypto Accelerator
You will need to restart your admin server after this has completed.
Ok to proceed? [Y/N]: y
Using database directory /usr/iplanet/servers/alias...
Module "Sun Crypto Accelerator 4000" added to database.
/usr/iplanet/servers has been configured to use the Sun Crypto Accelerator.
9. Type 0 to quit.
4. To request the server certificate, select the Security tab near the top of Sun ONE Web Server 6.0 Administration Server window. The Create Trust Database window is displayed. 5. Select the Request a Certificate link on the left pane of the Sun ONE Web Server 6.0 Administration Server window. FIGURE 5-3 Request a Server Certificate Page of the Sun ONE Web Server 6.0 Administration Server 6. Fill out the form to generate a certificate request, using the following information: a.
b. Select the Cryptographic Module you want to use. Each keystore has its own entry in this pull-down menu. Be sure that you select the correct keystore. Do not select SUNW acceleration only. c. In the Key Pair File Password dialog box, provide the password for the user that will own the key. This password is the username:password (TABLE 5-1). d.
▼ To Install the Server Certificate
1. Select the Install Certificate link on the left side of the Sun ONE Web Server 6.0 Administration Server window. Once your request has been approved by a certificate authority and a certificate has been issued, you must install the certificate in the Sun ONE Web Server.
2. Select the Security tab.
3. On the left pane, choose the Install Certificate link.
FIGURE 5-4 Install a Server Certificate Page of the Sun ONE Web Server 6.
4. Fill out the form to install your certificate: TABLE 5-5 Fields for the Certificate to Install Fields Description Certificate For This server Cryptographic Module Each keystore has its own entry in this pull-down menu. Be sure that you select the correct keystore name. To use the Sun Crypto Accelerator 4000, you must select a module in the form of keystore_name. Key Pair File Password This password is the username:password (TABLE 5-1). Certificate Name In most cases, you can leave this blank.
■ Port: Set to the port on which you will be running your SSL-enabled web server (usually this is port 443).
■ Security: Set to On.
b. Select the OK button to apply these changes. In the security field of the Edit Listen Sockets page, there should now be an Attributes link.
3. Select the Attributes link.
4. Enter the username:password to authenticate to the keystore on the system.
5. If you want to change the default set of ciphers, select the cipher suites under the Ciphers heading.
At the Module keystore_name prompt, enter the username:password. Enter the username:password for other keystores as prompted. 12. Verify the new SSL-enabled web server at the following URL: https://hostname.domain:server_port/ Note – The default server_port is 443.
CHAPTER 6 Configuring Apache Web Servers for Use With the Sun Crypto Accelerator 4000 Board This chapter explains how to configure the Sun Crypto Accelerator 4000 board for use with Apache Web Servers.
Enabling the Board for Apache Web Servers This section provides an overview of how to enable the Sun Crypto Accelerator 4000 board for use with Apache Web Servers. Enabling Apache Web Servers Apache Web Server 1.3.26 or later is required for use with the Sun Crypto Accelerator 4000 board. The following instructions are for the 1.3.26 release of Apache Web Server. Refer to the Apache Web Server documentation for more information about using Apache Web Servers. ▼ To Enable the Apache Web Server 1.
4. Select 1 to configure your Apache Web Server to use SSL:
Sun Crypto Accelerator Apache Installation
---------------------------------------------------------
This script will install the Sun Crypto Accelerator
cryptographic modules for Apache.
Please select what you wish to do:
---------------------------------------------------------
1. Configure Apache for SSL
2. Work with Apache keys
Your selection (0 to quit): 1
5. Provide the directory where the Apache binaries exist.
9. Choose a base name for the key material. This name is given different suffixes to distinguish the key file, the certificate request file and, later on, the certificate file from one another.
Please choose a base name for the key and request file: base_name
10. Provide a key length between 512 and 2048 bits. When this guide was written, 1024 bits was considered sufficiently strong for most web server applications; 1024-bit RSA keys are no longer considered adequate, so choose 2048 bits, the largest length this script accepts.
▼ To Create a Certificate 1. Create a certificate request using the keys you created in “To Enable the Apache Web Server” on page 112. You must first enter the password to access your keys.
2. Modify the /etc/apache/httpd.conf file as directed. You are shown information concerning your key and certificate files. You are also instructed on how to modify the /etc/apache/httpd.conf file for use with the Sun Crypto Accelerator 4000 software.
The keyfile is stored in /etc/apache/keys/base_name-key.pem.
The certificate request is in /etc/apache/keys/base_name-certreq.pem.
You will need to edit /etc/apache/httpd.
3. If you chose not to set up a VirtualHost, you must place the SSLEngine, SSLCertificateFile, and SSLCertificateKeyFile directives in the httpd.conf file, just above the SSLPassPhraseDialog directive. You may need a virtual host directive similar to what is shown below:
SSLEngine on
SSLCertificateFile /etc/apache/keys/base_name-cert.pem
SSLCertificateKeyFile /etc/apache/keys/base_name-key.
5. Copy your certificate request with the headers from /etc/apache/keys/base_name-certreq.pem (where base_name was set in Step 9 of “To Enable the Apache Web Server” on page 112) and hand it off to your certificate authority. 6. Once the certificate is generated, create the certificate file /etc/apache/keys/base_name-cert.pem and paste your certificate into it. 7. Start the Apache Web Server. This assumes your Apache binary directory is /usr/apache/bin.
CHAPTER 7 Diagnostics and Troubleshooting This chapter describes diagnostic tests and troubleshooting for the Sun Crypto Accelerator 4000 software.
Installing SunVTS netlbtest and nettest Support for the vca Driver TABLE 7-1 shows the method of updating installed SunVTS software to provide SunVTS netlbtest and nettest support for the vca driver. TABLE 7-1 SunVTS netlbtest and nettest Required Software for the vca Driver Required Replacement Package Required Overlay Patch Base Solaris Software Base SunVTS Software Solaris 8 7/01 SunVTS4.4 111854-04 Solaris 8 10/01 SunVTS4.5 112250-04 Solaris 8 2/02 SunVTS4.6 SunVTS5.
Using the patchadd command to install patch 113614-11 is the equivalent of replacing the previously installed SunVTS packages with the SunVTS5.1ps2 packages. The replacement packages are available at: http://www.sun.com/oem/products/vts/ The overlay patches are available at: http://sunsolve.sun.com/ Note – The required SunVTS packages and any required patches must be installed before the SUNWvcav package is installed. The SUNWvcav package contains the SunVTS test vcatest.
Note – Physical mode is supported; however, this procedure assumes you are using Logical mode. 3. Disable all tests by clearing their check boxes. 4. Select the check box for Cryptography, then select the plus box for Cryptography to display all tests in the Cryptography group. 5. Clear check boxes in the Cryptography group that are not named vcatest. ■ If a vcatest is displayed, then go to Step 6.
Test Parameter Options for vcatest
TABLE 7-2 describes the vcatest subtests.
TABLE 7-2 vcatest Subtests
Test Name: Description
CDMF: Tests CDMF bulk encryption.
DES: Tests DES bulk encryption.
3DES: Tests 3DES bulk encryption.
RSA: Tests RSA public and private keys.
DSA: Tests DSA signature verification.
MD5: Tests MD5 message digest/digital signature.
SHA1: Tests SHA1 digest key creation.
The following is an example of invoking vcatest in 64-bit mode from the SunVTS infrastructure. The following command tests RSA, DSA, and MD5 on vca2:
# /opt/SUNWvts/bin/sparcv9/vcatest -f -o dev=vca2,tl=RSA+DSA+MD5
When performing vcatest from the command line, omission of an option produces the default behavior for that option, as stated in TABLE 7-3.
TABLE 7-3 vcatest Command-Line Syntax
Option: Description
dev=vcaN: Specifies the instance of the device to test such as vca0 or vca2.
5. Clear check boxes in the Network group that are not named vcaN(netlbtest). Note that N specifies the placement of the instance number of the device under test. ■ If a vcaN(netlbtest) is displayed, then go to Step 6. ■ If a vcaN(netlbtest) is not displayed, probe the system to find it by selecting Reprobe system in the Commands drop-down menu. Refer to the SunVTS user’s guide for the exact procedure. When the probe completes and a vcaN(netlbtest) is displayed, continue to Step 6. 6.
Refer to the SunVTS user’s guide for detailed startup instructions. The following instructions assume that SunVTS was started using the CDE user interface. 2. On the SunVTS Diagnostic main window, set the System Map to Logical mode. Note – Physical mode is also supported; however, this procedure assumes you are using Logical mode. 3. Disable all tests by clearing their check boxes. 4. Select the check box for Network, then select the plus box for Network to display all tests in the Network group. 5.
This action removes the dialog box and returns you to the SunVTS Diagnostic main window. 8. Select one of the instances of vcaN(nettest), then right-click and drag to display the Test Execution Options dialog box. An alternate method of displaying Test Execution Options dialog box is to select the Options drop-down main menu; then select Test Executions. These options are generic SunVTS controls that affect all tests. Refer to the SunVTS user’s guide for detailed information. 9.
Using kstat to Determine Cryptographic Activity The Sun Crypto Accelerator 4000 board does not contain lights or other indicators to reflect cryptographic activity on the board.
Note – If the nostats property is defined in the /kernel/drv/vca.conf file, the capture and display of statistics will be disabled. This property may be used to help prevent traffic analysis. Using the OpenBoot PROM FCode SelfTest The following tests are available to help identify problems with the adapter if the system does not boot. You can invoke the FCode self-test diagnostics by using the OpenBoot PROM (OBP) test or test-all commands.
3. Reset the system.
ok reset-all
4. Type show-nets to display the list of devices and enter a selection. You should see a list of devices, similar to the example below, specific to the adapter:
ok show-nets
a) /pci@8,600000/network@1
b) /pci@8,700000/network@5,1
q) NO SELECTION
Enter Selection, q to quit: a
/pci@8,600000/network@1 has been selected.
Type ^Y ( Control-Y ) to insert it in the command line. e.g.
Note – The Sun Crypto Accelerator 4000 UTP adapter self-test for a 1000 Mbps connection is not supported for use with an external loopback cable because the link-clock cannot be reconciled. For this test, the local and remote ports must reconcile as clock master and clock slave. If an external loopback cable is used, both the local and remote ports are identical. Hence, the single port cannot be both a clock master and a clock slave, which causes the PHY link-up to always fail.
Troubleshooting the Sun Crypto Accelerator 4000 Board This section describes the commands available at the OBP level for troubleshooting the board. Refer to the OpenBoot Command Reference Manual for more information on the commands described in the following subsections. show-devs To determine whether the Sun Crypto Accelerator 4000 device is listed in the system: from the OBP prompt, type show-devs to display the list of devices.
.properties To determine whether the Sun Crypto Accelerator 4000 device properties are listed correctly: from the OBP prompt, type .properties to display the list of properties. ok .properties assigned-addresses d-fru-len d-fru-off d-fru-dev s-fru-len s-fru-off s-fru-dev compatible reg address-bits max-frame-size network-interface-type device_type name local-mac-address version 2.
watch-net
To monitor a network connection: from the OBP prompt, type the apply watch-net command with the device path:
ok apply watch-net /pci@8,600000/network@1
/pci@8,600000/network@1: 1000 Mbps full duplex link up
Watch ethernet packets
’.’ is a good packet and ’X’ is a bad packet
Press any key to stop
.....X...X......X.....
The system monitors network traffic, displaying “.
APPENDIX A Specifications This appendix lists the specifications for the Sun Crypto Accelerator 4000 MMF and UTP adapters. It contains the following sections: ■ ■ “Sun Crypto Accelerator 4000 MMF Adapter” on page 135 “Sun Crypto Accelerator 4000 UTP Adapter” on page 138 Sun Crypto Accelerator 4000 MMF Adapter This section provides the specifications for the Sun Crypto Accelerator 4000 MMF adapter. Connectors FIGURE A-1 shows the connector for the Sun Crypto Accelerator 4000 MMF adapter.
FIGURE A-1 Sun Crypto Accelerator 4000 MMF Adapter Connector (status LEDs labeled FAULT, DIAG, OPERATE, OWNED, FIPS, LINK)
TABLE A-1 lists the characteristics of the SC connector (850 nm).
TABLE A-1 SC Connector Link Characteristics (IEEE P802.3z)
Characteristic 62.
Physical Dimensions TABLE A-2 Physical Dimensions Dimension Measurement Metric Measurement Length 12.283 inches 312.00 mm Width 4.200 inches 106.
Interface Specifications TABLE A-5 Interface Specifications Feature Specification PCI clock 33 MHz or 66 MHz Host interface PCI 2.1 with support for 33 MHz or 66 MHz clock rate and 3.3V or 5V power.
FIGURE A-2 Sun Crypto Accelerator 4000 UTP Adapter Connector (status LEDs labeled FAULT, DIAG, OPERATE, OWNED, FIPS, LINK)
TABLE A-7 lists the characteristics of the Cat-5 connector used by the Sun Crypto Accelerator 4000 UTP adapter.
Physical Dimensions TABLE A-8 Physical Dimensions Dimension Measurement Metric Measurement Length 12.283 inches 312.00 mm Width 4.200 inches 106.
Interface Specifications

TABLE A-11 Interface Specifications
Feature          Specification
PCI clock        33 MHz or 66 MHz
Host interface   PCI 2.1 with support for 33 MHz or 66 MHz clock rate and 3.
APPENDIX B SSL Configuration Directives for Apache Web Servers

This appendix lists directives for using Sun Crypto Accelerator 4000 software to configure SSL support for Apache Web Servers. Configure directives in your httpd.conf file. Refer to the Apache Web Server documentation for more information.

1. SSLPassPhraseDialog exec:program
Context: Global
This directive informs the Apache Web Server that the specified program should be executed to collect the password for the key file.
/etc/apache/servername:port.keytype.pass. If this file is not present, then the file /etc/apache/default.pass is used. These password files contain only the unencrypted password on a line by itself.

Note – Password files should be protected by permissions so that only the UNIX user that the web server runs as can read the file. This user should be the same user as configured with the standard Apache User directive.

If not specified, the default behavior uses an internal prompting mechanism.
Using the plus (+) or minus (-) signs, protocols can be added or removed. For example, to disable support for SSLv2, the following directive could be used:

SSLProtocol all -SSLv2

The preceding statement is equivalent to:

SSLProtocol +SSLv3 +TLSv1

4. SSLCipherSuite cipher-spec
Context: Global, virtual host, directory, .htaccess
The SSLCipherSuite directive is used to configure which SSL ciphers are available for use and their preference.
TABLE B-2 Available SSL Ciphers (Continued)
Cipher-Tag   Protocol   Key Exchange   Auth.
TABLE B-3 SSL Aliases (Continued)
Alias   Description
ADH     All ciphers using anonymous Diffie-Hellman key exchange
DSS     All ciphers using DSS authentication
NULL    All ciphers using no encryption

The preference of ciphers can be configured using the special characters listed and described in TABLE B-4.
Certificates in the chain are assumed to be valid for client authentication as well, when client authentication (SSLVerifyClient) is used.

8. SSLCACertificateFile file
Context: Global, virtual host
This directive specifies the location of a file containing the concatenation of the certificates for certification authorities (CAs) used for client authentication.

9.
This directive specifies a log file where SSL-specific information will be logged. If not specified (default), then no SSL-specific information will be logged.

13. SSLLogLevel level
Context: Global, virtual host
This directive specifies the verbosity of the information logged in the SSL log file. Values for level are listed and described in TABLE B-6.
Options are listed and described in TABLE B-7.

TABLE B-7 Available SSL Options
Options          Description
StdEnvVars       Standard set of SSL-related CGI/SSI environment variables are created—there is a performance penalty for this.
ExportCertData   Causes the SSL_SERVER_CERT, SSL_CLIENT_CERT and SSL_CLIENT_CERT_CHAINn (n = 0, 1, ...) environment variables to be exported. These variables contain PEM-encoded certificates for the client and server.
APPENDIX C Building Applications for Use With the Sun Crypto Accelerator 4000 Board

This appendix describes the software supplied with the Sun Crypto Accelerator 4000, which can be used to build OpenSSL-compatible applications to take advantage of the cryptographic acceleration features of the Sun Crypto Accelerator 4000 board. Not all OpenSSL applications will benefit from being compiled in this fashion (as opposed to being built with the stock OpenSSL library, which can be downloaded from www.openssl.
Additionally, the linker must be directed to include references to the appropriate libraries. Most OpenSSL-compatible applications reference either or both of the libcrypto.a and libssl.a libraries. The Sun cryptographic libraries must also be included.
APPENDIX D Software Licenses

This appendix provides the Sun Binary Code License Agreement and third-party software notices and licenses.

Note – The third-party licenses and notices provided in this appendix are included exactly as they are provided by the owners of the software licenses and notices.

Sun Microsystems, Inc.
licensed or intended for use in the design, construction, operation or maintenance of any nuclear facility. Sun disclaims any express or implied warranty of fitness for such uses. No right, title or interest in or to any trademark, service mark, logo or trade name of Sun or its licensors is granted under this Agreement. 3. LIMITED WARRANTY.
9. GOVERNING LAW. Any action related to this Agreement will be governed by California law and controlling U.S. federal law. No choice of law rules of any jurisdiction will apply. 10. SEVERABILITY. If any provision of this Agreement is held to be unenforceable, this Agreement will remain in effect with the provision omitted, unless omission would frustrate the intent of the parties, in which case this Agreement will immediately terminate. 11. INTEGRATION.
Third Party License Terms

OPENSSL LICENSE ISSUES

The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact openssl-core@openssl.org.

OpenSSL License

Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)" The word 'cryptographic' can be left out if the rouines from the library being used are not cryptographic related :-). 4.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by Ralf S. Engelschall for use in the mod_ssl project (http://www.modssl.org/)." 4.
APPENDIX E Manual Pages

This appendix provides descriptions of the Sun Crypto Accelerator 4000 board commands and lists the online manual pages for each. The commands in this appendix are included with the Sun Crypto Accelerator 4000 software. The online manual pages can be viewed with the following command:

man -M /opt/SUNWconn/man page

TABLE E-1 lists and describes the available online manual pages.
TABLE E-1 Sun Crypto Accelerator 4000 Online Manual Pages (Continued)
man page       Description
kcl2(7d)       The kcl2 device driver is a multithreaded loadable kernel module providing support for Sun cryptographic provider drivers. The kcl2 driver requires the presence of layered software for applications and kernel clients to access the provided services.
apsslcfg(1m)   apsslcfg is the configuration utility for Apache Web Servers.
APPENDIX F Zeroizing the Hardware

This appendix describes how to zeroize the Sun Crypto Accelerator 4000 board to the factory state, which is the failsafe mode for the board.

Caution – You should use the procedures described in this appendix only if it is absolutely necessary. The zeroize command in vcaadm is appropriate if you need to remove all key material. Refer to “Zeroizing a Sun Crypto Accelerator 4000 Board” on page 80 for details on the zeroize command.
▼ To Zeroize the Sun Crypto Accelerator 4000 Board With the Hardware Jumper

1. Power off the system.

Note – For some systems, you can use dynamic reconfiguration (DR) to remove and replace the board as necessary for this procedure instead of powering off the system. Refer to the documentation delivered with your system for the correct DR procedures.

Caution – The board must not receive any electrical power while adjusting the jumper.

2.
4. Power on the system.

Caution – When you power on the system after adjusting the Sun Crypto Accelerator 4000 board jumper, all firmware, key material, and configuration information is deleted. This process returns the board to the factory state and places the board in failsafe mode.

5. Power off the system.
6. Remove the jumper from pins 0 and 1 of the jumper block and store the jumper in the original location.
7. Power on the system.
8. Connect to the Sun Crypto Accelerator 4000 board with vcaadm.
APPENDIX G Frequently Asked Questions

How Do I Configure the Web Server to Startup Without User Interaction on Reboot?

You can enable both Sun ONE and Apache Web Servers to perform an unattended startup at reboot with an encrypted key.

▼ To Create an Encrypted Key for Automatic Startup of Apache Web Servers on Reboot

1. Verify that the following entry exists in the httpd.
Example: For a server named webserv101 running SSL on port 443 with an RSA key, you create the following file in /etc/apache:

webserv101:443.RSA.pass

It is recommended that you change the permissions and ownership of the password file as follows:

# chmod 400 server_name:port.KEYTYPE.pass
# chown root server_name:port.KEYTYPE.pass

Refer to the mod_SSL and OpenSSL documentation for more information.

▼ To Create an Encrypted Key for Automatic Startup of Sun ONE Web Servers on Reboot

1.
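The following is an added example, not code from this guide or from mod_ssl: a pass-phrase program of the kind that SSLPassPhraseDialog exec:program runs (Appendix B, directive 1), which follows the file convention described there (servername:port.keytype.pass with a fallback to default.pass) and refuses any password file that is readable by group or others, matching the chmod 400 recommendation above. It assumes, as mod_ssl documents, that Apache invokes the program with two arguments, servername:port and the key type (RSA or DSA), and reads the pass phrase from the program's standard output; the PASS_DIR variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Sun guide): pass-phrase program for
# "SSLPassPhraseDialog exec:/path/to/this/script".
# Assumption: Apache calls it as   script servername:port KEYTYPE
# and takes the pass phrase from stdout.

PASS_DIR="${PASS_DIR:-/etc/apache}"   # directory holding the *.pass files

# Print the password file to use: the server-specific file if present,
# otherwise the shared default.pass (the convention from Appendix B).
passfile_for() {   # $1 = dir, $2 = servername:port, $3 = keytype
    specific="$1/$2.$3.pass"
    if [ -f "$specific" ]; then
        echo "$specific"
    else
        echo "$1/default.pass"
    fi
}

# Return 0 only if neither group nor others can read the file
# (i.e. the mode is at most 0600/0400, as recommended above).
perms_ok() {   # $1 = file
    case "$(ls -ld "$1" | cut -c5-10)" in   # group and other permission bits
        *r*) return 1 ;;
        *)   return 0 ;;
    esac
}

# Emit the pass phrase for the given server and key type, or fail.
read_passphrase() {   # $1 = dir, $2 = servername:port, $3 = keytype
    f=$(passfile_for "$1" "$2" "$3")
    [ -f "$f" ] || { echo "no pass-phrase file for $2 ($3)" >&2; return 1; }
    perms_ok "$f" || { echo "$f is readable by group/others; refusing" >&2; return 1; }
    # The file holds only the unencrypted pass phrase on a line by itself.
    head -n 1 "$f"
}

# When invoked by Apache: argv[1] = servername:port, argv[2] = key type.
if [ "$#" -eq 2 ]; then
    read_passphrase "$PASS_DIR" "$1" "$2"
fi
```

Because the script refuses loosely permissioned files rather than silently reading them, a mis-set chmod surfaces as a failed server start instead of a pass phrase that any local user could read. The refusal covers the fallback default.pass as well, so the shared file cannot be left more exposed than the per-server ones.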
▼ To Assign Different MAC Addresses From a Terminal Window

1. Enter the following command:

# eeprom "local-mac-address?"=true

Note – With the "local-mac-address?" parameter set to true, all nonintegrated network interface devices use the local MAC address assigned to the product at the manufacturing facility.

2. Reboot the system.

▼ To Assign Different MAC Addresses From the OpenBoot PROM Level

1.
■ For Sun Crypto Accelerator 1000 version 1.0 software – Patch ID 112869-02
■ For Sun Crypto Accelerator 1000 version 1.1 software – Patch ID 113355-01

To configure the Sun Crypto Accelerator 1000 for use with Apache 1.3.26 on a Solaris 9 system with the SUNWkcl2a package installed, you need the following patches:
■ For Apache 1.3.26 – Patch ID 113146-01 or later
■ For Sun Crypto Accelerator 1000 version 1.
Index SYMBOLS $HOME/.vcaadm/trustdb, 58 .properties command, 133 .u extension, 17 /etc/apache/default.pass, 144 /etc/apache/ servername.port.keytype.pass, 144 /etc/driver_aliases file, 38 /etc/hostname.vcaN file, 53 /etc/hosts file, 53 /etc/opt/SUNWconn/vca/keydata, 19 /etc/path_to_inst file, 38 /kernel/drv/vca.
SSLRequireSSL, 150 SSLVerifyClient, 148 SSLVerifyDepth, 148 enabling, 112 enabling the board, 112 applications, building, 151 assigning an IP address, 52 auto-boot? configuration variable, 129, 131 autonegotiation, 23, 27 disabling, 37 pause capability, 27 setting, 23, 37 transmit and receive, 27 B blanking register for alias read, 30 blanking values, 25, 30 building applications libcrypto.a, 152 libssl.a, 152 C commands .properties, 133 driver.
enable-ipg0, 28 enable-ipg0 parameter, 28 enabling Apache Web Servers, 112 Sun ONE Web Servers, 89 enabling Sun ONE Web Servers, 91 etc/apache/default.pass, 144 etc/apache/ servername.port.keytype.pass, 144 etc/hostname.vcaN file, 53 etc/hosts file, 53 etc/path_to_inst file, 38 Ethernet driver operating statistics, 43 driver statistics, 44 FCode self-test diagnostic, 129 link properties, 47 MMF, 23 PCI properties, 51 properties, 47 receive counters, 50 transmit counters, 49 UTP, 23 example vca.
K kernel statistic values, 128 kernel/drv/vca.conf file, 129 key length, 114 key objects, 69 keystore data, 19 keystores, 66, 67, 86 managing with vcaadm, 69 kstat command, 43, 51, 128 L libcrypto.a parameter, 152 libraries, cryptographic, 152 libssl.
P packages optional, 17 required, 17 parallel-detection, 42 parameter values how to modify and display, 34 parameters, 25 8-bit vectors, 30 adv-asmpause-cap, 27 adv-autoneg-cap, 24 adv-pause-cap, 27 driver-specific, 49 early detecting 8-bit vectors, 30 early drop, 30 enable-ipg0, 28 flow control, 27 forced mode, 28 Gigabit forced mode parameter, 28 infinit-burst, 25 interpacket gap, 28 interrupt, 30 ipg0, 28 ipg1, 28 ipg2, 28 libcrypto.a, 152 libssl.
required patches, 10 RSA keypair, 113 RX blanking register for alias read, 30 RX MAC counters, 45 RX random early detecting 8-bit vectors, 30 rx-intr-pkts, 25, 30 rx-intr-pkts parameter, 25, 30 rx-intr-time, 30 rx-intr-time parameter, 30 S security officer accounts, 69 security officers, 70 self-test, 129 server certificate, 96, 105 setenv auto-boot?, 129 setting vca driver parameters using ndd, 33, 38 using vca.
software, 10 Solaris operating environments, 10 SSL algorithms, 4 T token files, 87 tokens, 87 transmit and receive pause capability, 27 transmit counters, 49 transmit MAC counters, 45 troubleshooting, 132 trust database creating Sun ONE Web Server 4.1, 93 Sun ONE Web Server 6.
W watch-net command, 134 Z zeroize command, 163 zeroizing the hardware, 163