The following procedure assumes that a Sun Crypto Accelerator 1000 card is attached to the system. The procedure also assumes that the software for the card has been installed and that the software has been configured. For instructions, see the Sun Crypto Accelerator 1000 Board Version 1.1 Installation and User's Guide.
On the system console, become superuser or assume an equivalent role.
Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the total security of the system is reduced to the security of the remote login session.
The pathname must point to a 32-bit PKCS #11 library. If the library is present, IKE uses the library's routines to offload IKE public-key operations to the Sun Crypto Accelerator 1000 card. When the card handles these expensive operations, operating system resources are freed for other work.
Close the file and reboot.
After rebooting, check that the library has been linked. Type the following command to determine whether a PKCS #11 library has been linked.
# ikeadm get stats
Phase 1 SA counts:
Current:   initiator:          0   responder:          0
Total:     initiator:          0   responder:          0
Attempted: initiator:          0   responder:          0
Failed:    initiator:          0   responder:          0
           initiator fails include 0 time-out(s)
PKCS#11 library linked in from /opt/SUNWconn/lib/libpkcs11.so
#
Unlike other parameters in the /etc/inet/ike/config file, the pkcs11_path keyword is read only when IKE is started. If you use the ikeadm command to add or reload a new /etc/inet/ike/config file, the pkcs11_path persists. The path persists because the IKE daemon does not clobber Phase 1 data. Keys that are accelerated by PKCS #11 are part of Phase 1 data.
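The verification step and the persistence caveat above suggest one practical check: compare the pkcs11_path configured in /etc/inet/ike/config with the library that in.iked actually reports as linked in. A mismatch means the file was changed but the running daemon is still using the library it loaded at start-up, so a restart is needed. The following script is an added example and is not part of the Solaris guide; it works on constructed copies of the config file and of the ikeadm output, and it assumes the quoted-string form of the pkcs11_path keyword (pkcs11_path "/path/to/lib") from ike.config(4).

```shell
#!/bin/sh
# Added example (not from the Solaris guide): detect a pkcs11_path that was
# edited in /etc/inet/ike/config but not yet picked up by the running IKE
# daemon, since the keyword is read only when IKE starts.

# Constructed sample of /etc/inet/ike/config. The quoted-string syntax for
# pkcs11_path is assumed from ike.config(4).
SAMPLE_CONFIG='## constructed sample ike/config
pkcs11_path "/opt/SUNWconn/lib/libpkcs11.so"
p1_lifetime_secs 14400'

# Constructed sample of "ikeadm get stats" output, in the shape shown above.
SAMPLE_STATS='Phase 1 SA counts:
Current:   initiator:          0   responder:          0
Total:     initiator:          0   responder:          0
Attempted: initiator:          0   responder:          0
Failed:    initiator:          0   responder:          0
           initiator fails include 0 time-out(s)
PKCS#11 library linked in from /opt/SUNWconn/lib/libpkcs11.so'

# configured_pkcs11_path CONFIG_TEXT
#   Prints the path given by the pkcs11_path keyword (quotes stripped),
#   or nothing if the keyword is absent.
configured_pkcs11_path() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*pkcs11_path[[:space:]]*"\{0,1\}\([^"[:space:]]*\)"\{0,1\}.*/\1/p' |
        head -n 1
}

# linked_pkcs11_path STATS_TEXT
#   Prints the library that ikeadm reports as linked in, or nothing if the
#   daemon is not using a PKCS #11 library.
linked_pkcs11_path() {
    printf '%s\n' "$1" |
        sed -n 's/^PKCS#11 library linked in from //p' |
        head -n 1
}

# pkcs11_status CONFIG_TEXT STATS_TEXT
#   Prints one word: linked, not-linked, stale, or unconfigured.
#   "stale" is the case the text warns about: the file names a library that
#   differs from the one the running daemon loaded at start-up.
pkcs11_status() {
    cfg=$(configured_pkcs11_path "$1")
    linked=$(linked_pkcs11_path "$2")
    if [ -z "$cfg" ]; then
        echo unconfigured
    elif [ -z "$linked" ]; then
        echo not-linked
    elif [ "$cfg" = "$linked" ]; then
        echo linked
    else
        echo stale
    fi
}

# On a live Solaris system (not run here) the same check reads the real file
# and the real daemon state:
#   pkcs11_status "$(cat /etc/inet/ike/config)" "$(ikeadm get stats)"
```

Because only "linked" confirms that the accelerator is actually in use, any other result after editing the file means the change has not taken effect: "not-linked" or "stale" calls for the reboot (or IKE restart) from the procedure rather than an ikeadm reload, which would leave the old library in place.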