test

Sun Directory Server Enterprise Edition 7.0 Installation Guide

Appendix B Working With Sun Cryptographic Framework on Solaris 10 Systems

This appendix briefly explains how to use the Sun Crypto Accelerator cards through the Sun cryptographic framework on Solaris 10 systems with Directory Server and Directory Proxy Server. For more information about the framework, see the respective documentation.

Using Directory Server With Cryptographic Hardware on a Solaris 10 System

This procedure is designed for use with Sun Crypto Accelerator hardware. Perform the following procedure as the same user who runs the Directory Server instance.

ProcedureTo Use Directory Server With Cryptographic Hardware on a Solaris 10 System

  1. Set the PIN used to access the cryptographic framework by typing the pktool setpin command.

    Set the PIN as the same user as the one running Directory Server.

  2. Export the current Directory Server certificate to a PKCS#12 file.

    The following command shows how to perform this step if the Directory Server instance is located under /local/ds/.


    $ dsadm export-cert -o cert-file /local/ds defaultCert

  3. Configure Directory Server to use the appropriate token when accessing the key material.

    Typically, the token is Sun Metaslot.


    $ dsconf set-server-prop 'ssl-rsa-security-device:Sun Metaslot'

  4. Stop Directory Server.


    $ dsadm stop /local/ds

  5. (Optional) If you have no other certificates in the existing certificate database for the Directory Server instance, remove the certificate database.


    $ rm -f /local/ds/alias/*.db

    This optional step ensures that no certificates are stored in the software database.

  6. Create a new certificate database backed by the Solaris cryptographic framework.

    If you have not removed the certificate database, you do not need to run the modutil -create line in this example.


    $ /usr/sfw/bin/64/modutil -create -dbdir /local/ds/alias -dbprefix slapd-
$ /usr/sfw/bin/64/modutil -add "Solaris Kernel Crypto Driver" -libfile \
 /usr/lib/64/libpkcs11.so -dbdir /local/ds/alias -dbprefix slapd-
$ /usr/sfw/bin/64/modutil -enable "Solaris Kernel Crypto Driver" \
 -dbdir /local/ds/alias -dbprefix slapd-

  7. Import the PKCS#12 certificate that you exported.


    $ /usr/sfw/bin/64/pk12util -i cert-file \
 -d /local/ds/alias -P slapd- -h "Sun Metaslot"
$ /usr/sfw/bin/64/certutil -M -n "Sun Metaslot:defaultCert" -t CTu \
 -d /local/ds/alias -P slapd-

    If your accelerator board has a FIPS 140-2 keystore, for added security, make sure that the private key is stored on the device. Sun Crypto Accelerator 4000 and 6000 boards have FIPS 140-2 keystores, for example. The exact process depends on the board.

    Note –

    Make sure that the cryptographic hardware supports the cipher suites that you want to use. Not all the hardwares support all cipher suites. As a workaround, you can use dsconf ssl-cipher-family to set specific suites.

  8. Create a password file that contains the PIN needed to access the cryptographic framework.

    This file is required only when the password is changed in step 1.


    $ echo "Sun Metaslot:password" > /local/dsInst/alias/slapd-pin.txt

    If the password has been changed in step 1, password is the new password, otherwise it is the one currently in use.

  9. Start Directory Server.


    $ dsadm start /local/ds

Using Directory Proxy Server With Cryptographic Hardware on a Solaris 10 System

This procedure is designed for use with Sun Crypto Accelerator hardware. Perform the following procedure as the same user who runs the Directory Proxy Server instance.

ProcedureTo Use Directory Proxy Server With Cryptographic Hardware on a Solaris 10 System

  1. Stop Directory Proxy Server.


    $ dpadm stop /local/dps

  2. Turn off the certificate database password storage.


    $ dpadm set-flags /local/dps cert-pwd-prompt=on
Choose the certificate database password:
Confirm the certificate database password:

  3. Set the PIN used to access the cryptographic framework by typing the pktool setpin command.

    Use the same password that you typedwhen turning off the certificate database password storage.

  4. Generate a key pair by using the cryptographic framework as the key store.


    $ keytool -genkeypair -alias defaultDPScert
 -dname "ou=dps server,dc=example,dc=com" -keyalg RSA -sigalg MD5withRSA
 -validity 3652 -storetype PKCS11 -keystore NONE -storepass pin-password

    pin-password is the password that you set as the PIN with the pktool setpin command.

  5. Edit the Directory Proxy Server configuration file, adding the following attributes to the base entry, cn=config.

    serverCertificateNickName: defaultDPScert
certificateKeyStore: NONE
certificateKeyStoreType: PKCS11

  6. Start Directory Proxy Server.


    $ dpadm start /local/dps