IPsec and IKE Administration Guide

How to Use the Sun Crypto Accelerator 1000 Board With IKE


Note –

The following procedure assumes that a Sun Crypto Accelerator 1000 board is attached to the system. The procedure also assumes that the software for the board has been installed and that the software has been configured. For instructions, see the Sun Crypto Accelerator 1000 Board Version 1.1 Installation and User's Guide.


  1. On the system console, become superuser or assume an equivalent role.


    Note –

    Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the security of the system is reduced to the security of the remote login session.


  2. Add the PKCS #11 library path to the /etc/inet/ike/config file.


    pkcs11_path "/opt/SUNWconn/lib/libpkcs11.so"

    The path name must point to a 32-bit PKCS #11 library. If the library is present, IKE uses the library's routines to accelerate IKE public key operations on the Sun Crypto Accelerator 1000 board. When the board handles these expensive operations, operating system resources are free for other operations.

  3. Close the file and reboot.

  4. After rebooting, check that the library has been linked. Type the following command; the last line of its output reports whether a PKCS #11 library has been linked:


    # ikeadm get stats
    Phase 1 SA counts:
    Current:   initiator:          0   responder:          0
    Total:     initiator:          0   responder:          0
    Attempted: initiator:          0   responder:          0
    Failed:    initiator:          0   responder:          0
               initiator fails include 0 time-out(s)
    PKCS#11 library linked in from /opt/SUNWconn/lib/libpkcs11.so
    # 

    Unlike other parameters in the /etc/inet/ike/config file, the pkcs11_path keyword is read only when IKE is started. If you use the ikeadm command to add or reload a new /etc/inet/ike/config file, the pkcs11_path that was loaded at startup persists. The path persists because the IKE daemon does not clobber data from the Phase 1 exchange, and keys that are accelerated by PKCS #11 are part of Phase 1 data.
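    Because pkcs11_path is read only at startup, the library the running daemon reports can differ from the value currently in /etc/inet/ike/config. The following script is an added example, not part of the Sun guide: it extracts the configured path from a config file and the linked path from saved ikeadm get stats output, and succeeds only when they match. The file names and sample contents are constructed; on a real host, save the output of ikeadm get stats to a file and pass that file instead.

```shell
#!/bin/sh
# Added example (not from the Sun guide): compare the pkcs11_path configured in
# /etc/inet/ike/config with the library that "ikeadm get stats" reports as linked.
# pkcs11_path is read only when IKE starts, so the two can disagree after an edit
# without a reboot; this check catches that. All sample inputs are constructed.

# Print the pkcs11_path value from an IKE config file ($1). Prints nothing if absent.
ike_pkcs11_path() {
  sed -n 's/^[[:space:]]*pkcs11_path[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | tail -n 1
}

# Print the library path from saved "ikeadm get stats" output ($1). Prints nothing if none.
ikeadm_linked_lib() {
  sed -n 's/^[[:space:]]*PKCS#11 library linked in from[[:space:]]*\(.*\)$/\1/p' "$1" | tail -n 1
}

# Exit 0 only when the configured and linked paths are both non-empty and identical.
check_pkcs11_linked() {
  cfg=$(ike_pkcs11_path "$1")
  linked=$(ikeadm_linked_lib "$2")
  [ -n "$cfg" ] && [ "$cfg" = "$linked" ]
}

# --- constructed sample data standing in for the real files on a Solaris host ---
WORK=$(mktemp -d)
IKE_CFG="$WORK/ike.config"          # stands in for /etc/inet/ike/config
STATS_OUT="$WORK/stats_linked.txt"  # stands in for: ikeadm get stats > file
STATS_NOLIB="$WORK/stats_nolib.txt" # same, but IKE started without the library

cat > "$IKE_CFG" <<'EOF'
pkcs11_path "/opt/SUNWconn/lib/libpkcs11.so"
EOF

cat > "$STATS_OUT" <<'EOF'
Phase 1 SA counts:
Current:   initiator:          0   responder:          0
PKCS#11 library linked in from /opt/SUNWconn/lib/libpkcs11.so
EOF

# Counters only, no library line: what you see if the config was edited but IKE not restarted.
sed '/PKCS#11/d' "$STATS_OUT" > "$STATS_NOLIB"

if check_pkcs11_linked "$IKE_CFG" "$STATS_OUT"; then
  echo "OK: IKE linked $(ikeadm_linked_lib "$STATS_OUT")"
else
  echo "MISMATCH: configured '$(ike_pkcs11_path "$IKE_CFG")', linked '$(ikeadm_linked_lib "$STATS_OUT")'"
fi
```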