Product Overview

C H A P T E R 1

Product Overview

This chapter provides an overview of the Sun Crypto Accelerator 6000 board, and contains the following sections:

Product Features

Hardware Overview

Hardware and Software Requirements

Product Features

The Sun Crypto Accelerator 6000 board is an 8-lane PCI Express based host bus adapter (HBA) that combines IPsec and SSL cryptographic acceleration with hardware security module (HSM) features. The Sun Crypto Accelerator 6000 board provides improved performance, additional security features, and support for new Oracle Solaris OS on SPARC and x86 platforms, and x86 AMD Opteron platforms running Linux. The combination of a dedicated HSM, advanced cryptographic security, and secure key management specifically meets the security and performance needs for financial services.

Once installed, the board is initialized and configured with the scamgr utility, which manages the keystore and user information, and determines the level of security in which the board operates. Once a keystore and security officer account are configured, Java and PKCS#11 applications such as Sun Java System server software, and OpenSSL applications such as Apache can be configured to use the board for cryptographic acceleration.

New Features in the 1.1 Release

Centralized key management (see Chapter 4 for details)

Multiple keystore support (see Chapter 3 for details)

Firmware based ECC

Firmware based SHA-512

Improved keystore backup (see Chapter 3 for details)

Improved Auditing (see Chapter 3 for details)

Key Features

Low-profile, half-length PCE Express, 8-lane (bi-8)

Support for Oracle Solaris Cryptographic Framework

Accelerates IPsec and SSL cryptographic functions

Session establishment rate - up to 13,000 operations per second

Bulk encryption rate - up to 1 Gbps

Provides up to 2048-bit RSA encryption

Provides tamper-resistant secure key storage and crypto acceleration benefits for PKCS#11-aware applications such as Sun Java System Server products

Provides centralized keystore support, enabling multiple machines to access a common key repository

FIPS 140-2 Level 3 certification

Low CPU utilization - frees up server system resource and bandwidth

Secure private key storage and management

Dynamic reconfiguration (DR), and redundancy and failover support on Sun’s midframe and high-end servers

Support for Oracle Solaris 10 OS and future compatible releases

Support for Linux: Red Hat EL 4.0, Red Hat EL Server 5, SuSE Enterprise 10 SP 1

Support for openCryoptoki software

Support for the Service Management Facility (SMF), which is an improved mechanism for controlling system startup and the relationship between services.

Multi-Admin keystore security, supporting the requirement of multiple security officers to authenticate keystore backup and restore operations.

Serial port for direct input adminstration interface

USB port for keystore backup and restore to USB mass storage devices

Note - IPsec cryptographic hardware acceleration is not supported on the current Linux distributions.

Financial Services Support

The Sun Crypto Accelerator 6000 board supports PIN and credit card related functionality, ensuring the security of sensitive customer data by performing the entire operation within the secure cryptographic boundary of the board. Specialized key management capabilities, and a new user library (libfinsvcs.so) and associated application interface are provided to support this feature. See Chapter 5 for details.

Supported Applications

Java applications

Sun Java System Servers

Apache Web Server

PKCS#11 applications

Supported Cryptographic Protocols and Algorithms

The board supports the following protocols:

SSLv2

SSLv3

TLSv1

IPsec

The board accelerates the following cryptographic algorithms.

TABLE 1-1 Cryptographic Algorithms
Type	Algorithm
Symmetric	DES, 3DES, AES, SHA1, SHA512, and MD5
Asymmetric	Diffie-Hellman, RSA (up to 2048 bit key), DSA, and ECC The following is a list of the supported ECC curves: `nistp256/prime256v1/secp256r1, nistp384/secp384r1` `nistp521/secp521r, nistk163/sect163k1` `nistb163/sect163r2, nistk233/sect233k1` `nistb233/sect233r1, nistk283/sect283k1` `nistb283/sect283r1, nistk409/sect409k1` `nistb409/sect409r1, nistk571/sect571k1` `nistb571/sect571r1, nistp192/secp192r1` `nistp224/secp224r1`

The board accelerates the following SSL functions:

Secure establishment of a set of cryptographic parameters, and secret keys between a client and a server.

Secure key storage on the board. Keys are encrypted if they leave the board.

Diagnostic Support

SunVTS diagnostic tests

Security officer initiated diagnostics (scadiag and scamgr)

Cryptographic Algorithm Acceleration

Together with the Oracle Solaris Cryptographic Framework, the board accelerates cryptographic algorithms in both hardware and software. The reason for this complexity is that the cost of accelerating cryptographic algorithms is not uniform across all algorithms. Some cryptographic algorithms were designed specifically to be implemented in hardware, others were designed to be implemented in software. For hardware acceleration, there is the additional cost of moving data from the user application to the hardware acceleration device, and moving the results back to the user application. Note that a few cryptographic algorithms can be performed by highly tuned software as quickly as they can be performed in dedicated hardware.

Hardware Overview

The Sun Crypto Accelerator 6000 hardware is a low-profile, half-length (6.6 inches [1.67.64 mm] by 2.54 inches [64.41 mm]) 8-lane PCI Express based HBA that enhances the performance of IPsec and SSL, and provides robust security features. FIGURE 1-1 provides an illustration of the board.

FIGURE 1-1 Sun Crypto Accelerator 6000 Board

LED Displays

TABLE 1-2 describes the LED displays.

TABLE 1-2 Front Panel LEDs
Label	Color	Indication
STATUS	Green/Red	Off when bootstrap firmware executes Green in POST, and DISABLED states (driver not attached) Flashing green in IDLE, OPERATIONAL, and FAILSAFE states (heart beat) Red when board is in the HALTED (fatal error) state or when a low-level hardware initialization failure occurs Flashing red if an error occurrs during the boot process
FIPS	Green/Yellow	Off in non-FIPS mode Green when operating in FIPS mode Flashing yellow when zeroize jumper is present
INIT	Green/Yellow	Off if the board has not been initialized Green if the card has been initialized by a security officer Yellow in POST, DIAGNOSTICS, and FAILSAFE (firmware not upgraded) states Flashing yellow when running DIAGNOSTICS

FIGURE 1-2 shows the location of the LEDs.

FIGURE 1-2 LED Locations

Direct Input Devices

The Sun Crypto Accelerator 6000 board has three direct input devices: an RJ-11 serial port, a USB port, and a Point of Presence button.

Serial Port

The six-wire RJ-11 port connector enables direct input adminstration. The port operates at a baud rate of 9600-8N1. The pinout specifications are described in TABLE 1-3 and shown in FIGURE 1-3.

TABLE 1-3 RJ-11 Port Connector Pins and Signals
Pin	Signal	Definition
1	PWR	5 volt DC power
2	NC	Not connected
3	NC	Not connected
4	XMIT	Transmit data
5	RECV	Data receive
6	GND	Signal ground

Serial Device

Any device with a properly configured serial port and cable can be used for direct input administration of the device. However, for maximum security a stateless hand-held device ensures that sensitive information and keying material are not compromised. One such device tested is the Termiflex OT/30 hand-held terminal from Warner Power. A Termiflex OT/30 terminal has been configured specifically for use with the Sun Crypto Accelerator 6000 board and can be ordered directly from Warner Power using part number 99-3619-04001 (http://www.termiflex.com/).

FIGURE 1-3 RJ-11 Port Connector Pins

USB Port

The standard size USB connector enables you to back up and restore the on-board keystore. The port is USB 1.1 compliant and is compatible with standard USB mass storage devices (bulk-only).

USB Device

Although other USB mass-storage devices will work, only a few devices have been fully tested and qualified for use with the Sun Crypto Accelerator 6000 board. Before using another device for backup and restore operations, verify that diagnostics run successfully with the USB device installed. Choose devices with high transfer speeds and quick response times for the best compatibility with the board.

The following devices have been verified to work with the board:

JetFlash 2.0 USB Flash Drive from Transcend

DataTravler 100 USB Flash Drive from Kingston

Attache Optima Pro High Speed USB 2.0 Drive from PNY

Point of Presence Button

The Point of Presence button provides physical presence verification when pressed. The physical pressing of this button cannot be emulated remotely.

Dynamic Reconfiguration and High Availability

The Sun Crypto Accelerator 6000 hardware and associated software provide the capability to work effectively on SPARC platforms supporting dynamic reconfiguration (DR) and hot-plugging. During a DR or hot-plug operation, the Sun Crypto Accelerator 6000 software layer automatically detects the addition or removal of a board, and adjusts the scheduling algorithms to accommodate the change in hardware resources.

Note - DR is supported on SPARC platforms only.

For High Availability (HA) configurations, multiple Sun Crypto Accelerator 6000 boards can be installed within a system or domain to insure that hardware acceleration is continuously available. In the unlikely event of a Sun Crypto Accelerator 6000 hardware failure, the software layer detects the failure and removes the failed board from the list of available hardware cryptographic accelerators. Sun Crypto Accelerator 6000 software adjusts the scheduling algorithms to accommodate the reduction in hardware resources. Subsequent cryptographic requests are scheduled to the remaining boards.

The Sun Crypto Accelerator 6000 hardware provides a source for high-quality entropy for the generation of long-term keys. If all the Sun Crypto Accelerator 6000 boards within a domain or system are removed, long-term keys are generated with lower-quality entropy.

Load Sharing

The Sun Crypto Accelerator 6000 software enables the distribution of load across as many boards as are installed within the Oracle Solaris domain or system. In order to use load sharing, each board must be configured to use the same keystore. See Chapter 4.

Hardware and Software Requirements

TABLE 1-4 provides a summary of the hardware and software requirements for the Sun Crypto Accelerator 6000 board.

TABLE 1-4 Hardware and Software Requirements
Hardware and Software	Requirements
Hardware	Sun Fire T1000, T2000, x2100, x2200, x4200, x4600 servers Sun SPARC Enterprise T5120 and T5220 servers Sun Ultra 40, 20
Operating system	Oracle Solaris 10, Red Hat EL 4.0, Red Hat EL Server 4 and 5, and SuSE Enterprise 10 SP1 Linux*, and future compatible releases of these operating systems.

*Note - 1 Gbyte of memory is suggested for Linux operating systems.

Oracle Solaris 10 OS on SPARC and x86 Platforms

The Sun Crypto Accelerator 6000 board supports the Oracle Solaris 10 Operating System on both SPARC and x86 AMD Opteron Linux platforms. The board acts as a cryptographic service provider to the Oracle Solaris Cryptographic Framework, allowing applications to access the board’s functionality with PKCS#11, OpenSSL, and Java (J2SE).

x86 AMD Opteron Platforms Running Linux

The openCryptoki software interface is used in Linux environments to access the Sun Crypto Accelerator 6000 board. The openCryptoki software provides a user level interface that enables selecting specific cryptographic providers.

Required Patches

Refer to the Sun Crypto Accelerator 6000 Board Product Notes for Version 1.1 for required patch information.