IPsec and IKE Administration Guide

Using Hardware With IKE (Task Map)

Task: Off-load IKE key operations to the Sun Crypto Accelerator 1000 board
Description: Involves setting the path to the PKCS#11 library.
For Instructions: How to Use the Sun Crypto Accelerator 1000 Board With IKE

Task: Off-load IKE key operations and store the keys on the Sun Crypto Accelerator 4000 board
Description: Involves setting the path to the PKCS#11 library, and listing the available token IDs.
For Instructions: How to Use the Sun Crypto Accelerator 4000 Board With IKE

How to Use the Sun Crypto Accelerator 1000 Board With IKE


Note –

The following procedure assumes that a Sun Crypto Accelerator 1000 board is attached to the system. The procedure also assumes that the software for the board has been installed and that the software has been configured. For instructions, see the Sun Crypto Accelerator 1000 Board Version 1.1 Installation and User's Guide.


  1. On the system console, become superuser or assume an equivalent role.


    Note –

    Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the security of the system is reduced to the security of the remote login session.


  2. Add the PKCS #11 library path to the /etc/inet/ike/config file.


    pkcs11_path "/opt/SUNWconn/lib/libpkcs11.so"
    

    The path name must point to a 32-bit PKCS #11 library. If the library is present, IKE uses the library's routines to accelerate IKE public key operations on the Sun Crypto Accelerator 1000 board. When the board handles these expensive operations, operating system resources are free for other operations.

  3. Close the file and reboot.

  4. After rebooting, check that the library has been linked. Type the following command to determine whether a PKCS #11 library has been linked:


    # ikeadm get stats
    Phase 1 SA counts:
    Current:   initiator:          0   responder:          0
    Total:     initiator:          0   responder:          0
    Attempted: initiator:          0   responder:          0
    Failed:    initiator:          0   responder:          0
               initiator fails include 0 time-out(s)
    PKCS#11 library linked in from /opt/SUNWconn/lib/libpkcs11.so
    # 

    Unlike other parameters in the /etc/inet/ike/config file, the pkcs11_path keyword is read only when IKE is started. If you use the ikeadm command to add or reload a new /etc/inet/ike/config file, the pkcs11_path persists. The path persists because the IKE daemon does not clobber data from the Phase 1 exchange. Keys that are accelerated by PKCS #11 are part of Phase 1 data.

How to Use the Sun Crypto Accelerator 4000 Board With IKE


Note –

The following procedure assumes that a Sun Crypto Accelerator 4000 board is attached to the system. The procedure also assumes that the software for the board has been installed and that the software has been configured. For instructions, see the Sun Crypto Accelerator 4000 Board Installation and User's Guide. The guide is available from the Sun Hardware Documentation web site, under Network and Security Products.


  1. On the system console, become superuser or assume an equivalent role.


    Note –

    Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the security of the system is reduced to the security of the remote login session.


  2. Add the PKCS #11 library path to the /etc/inet/ike/config file.


    pkcs11_path "/opt/SUNWconn/lib/libpkcs11.so"
    

    The path name must point to a 32-bit PKCS #11 library. If the library is present, IKE uses the library's routines to handle key generation and key storage on the Sun Crypto Accelerator 4000 board.

  3. Close the file and reboot.

  4. After rebooting, check that the library has been linked. Type the following command to determine whether a PKCS #11 library has been linked:


    $ ikeadm get stats
    …
    PKCS#11 library linked in from /opt/SUNWconn/lib/libpkcs11.so
    $ 

    Unlike other parameters in the /etc/inet/ike/config file, the pkcs11_path keyword is read only when IKE is started. If you use the ikeadm command to add or reload a new /etc/inet/ike/config file, the pkcs11_path persists. The path persists because the IKE daemon does not clobber Phase 1 data.


    Note –

    The Sun Crypto Accelerator 4000 board supports keys up to 2048 bits for RSA. For DSA, this board supports keys up to 1024 bits.


  5. Find the token ID for the attached Sun Crypto Accelerator 4000 board.


    $ ikecert tokens
    Available tokens with library "/opt/SUNWconn/lib/libpkcs11.so":
    
    "SUN-1000-accel                 "
    "SUN-4000-stor                  " 

    The library returns a token ID, also called a keystore name, of 32 characters. In this example, you could use the SUN-4000-stor token with the ikecert commands to store IKE keys. You do not need to type the trailing spaces: the ikecert command pads the token ID to 32 characters automatically.

    For instructions on how to use the token, see How to Generate and Store Public Key Certificates on Hardware.
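The checks in step 4 of both procedures and the token lookup in step 5 can be scripted. The following POSIX shell script is an added example, not part of this guide or of the Solaris IKE tools: it parses constructed copies of /etc/inet/ike/config, ikeadm get stats and ikecert tokens output, strips the 32-character padding from token IDs, and flags the case where the daemon still reports a library other than the one now in the config file (which, because pkcs11_path is read only at IKE start, means a restart rather than an ikeadm reload is needed). The sample text, function names and the stale-path value are assumptions made for the example.

```shell
#!/bin/sh
# Constructed sample data standing in for /etc/inet/ike/config,
# "ikeadm get stats" and "ikecert tokens"; not real captured output.
IKE_CONFIG='## constructed /etc/inet/ike/config excerpt
pkcs11_path "/opt/SUNWconn/lib/libpkcs11.so"
p1_lifetime_secs 14400'

IKE_STATS='Phase 1 SA counts:
Current:   initiator:          0   responder:          0
PKCS#11 library linked in from /opt/SUNWconn/lib/libpkcs11.so'

# Constructed: daemon started before the config was edited (stale path).
IKE_STATS_STALE='Phase 1 SA counts:
Current:   initiator:          0   responder:          0
PKCS#11 library linked in from /usr/lib/libpkcs11.so'

IKE_TOKENS='Available tokens with library "/opt/SUNWconn/lib/libpkcs11.so":

"SUN-1000-accel                 "
"SUN-4000-stor                  " '

# pkcs11_path as written in the config file (first occurrence only).
config_pkcs11_path() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*pkcs11_path[[:space:]]*"\([^"]*\)".*/\1/p' | sed 1q
}

# Library the running daemon reports it linked; empty if none was linked.
linked_pkcs11_path() {
    printf '%s\n' "$1" | sed -n 's/^PKCS#11 library linked in from //p'
}

# Token IDs (keystore names) with their trailing 32-character padding removed,
# one per line, ready to pass to ikecert.
token_ids() {
    printf '%s\n' "$1" | sed -n 's/^"\(.*\)"[[:space:]]*$/\1/p' | sed 's/[[:space:]]*$//'
}

# Returns 0 when the daemon linked the library named in the config file.
# A mismatch means the daemon still holds the value read at its last start,
# so IKE must be restarted; reloading the config with ikeadm will not help.
check_pkcs11_linked() {
    want=$(config_pkcs11_path "$1")
    have=$(linked_pkcs11_path "$2")
    if [ -n "$want" ] && [ "$want" = "$have" ]; then
        echo "OK: IKE linked $have"
        return 0
    fi
    echo "MISMATCH: config has '$want', daemon linked '${have:-none}'; restart IKE" >&2
    return 1
}
```

On a live system replace the constructed variables with `cat /etc/inet/ike/config`, `ikeadm get stats` and `ikecert tokens` output, run as superuser.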