
Sun ONE Portal Server, Secure Remote Access 6.2 Administrator's Guide

Appendix A
Configuring SSL Accelerators

This chapter describes how to configure various accelerators for Sun™ Portal Server, Secure Remote Access.

This chapter covers the following topics:

    • Overview
    • Sun Crypto Accelerator 1000
    • Sun Crypto Accelerator 4000
    • External SSL Device and Proxy Accelerators

Overview

Crypto accelerators are dedicated hardware co-processors that off-load the SSL cryptographic operations from the server's CPU. This frees the CPU for other work and increases the throughput of SSL transactions.


Sun Crypto Accelerator 1000

The Sun™ Crypto Accelerator 1000 (Sun CA1000) board is a short PCI board that functions as a cryptographic co-processor to accelerate public key and symmetric cryptography. The product has no external interfaces; the board communicates with the host through the internal PCI bus. Its purpose is to accelerate the computationally intensive cryptographic algorithms used by security protocols in eCommerce applications.

Critical cryptographic functions such as RSA and Triple-DES (3DES) can be off-loaded from an application to the Sun CA1000 and performed in parallel. This frees the CPU to perform other tasks, increasing the processing speed for SSL transactions.

Enable Crypto Accelerator 1000

Ensure that the Sun™ ONE Portal Server, Secure Remote Access has been installed, and a gateway server certificate (self-signed or issued by any CA) has been installed. The following checklist helps you keep track of the required information before installing the SSL Accelerator.

Table 11-1 lists the Crypto Accelerator 1000 parameters and values. The first column lists the parameter and the second column lists the value.

Table 11-1  Crypto Accelerator 1000 Installation Checklist

    Parameter                                          Value
    Secure Remote Access installation base directory   /opt
    Secure Remote Access certificate database path     /etc/opt/SUNWps/cert/default
    Secure Remote Access server certificate nickname   server-cert
    Realm                                              sra
    Realm user                                         crypta

Configure Crypto Accelerator 1000

    To Configure Crypto Accelerator 1000
  1. Follow the instructions in the user's guide to install the hardware. See:

     http://www.sun.com/products-n-solutions/hardware/docs/pdf/816-2450-11.pdf

  2. Install the following packages from the CD:

     SUNWcrypm, SUNWcrypu, SUNWcrysu, SUNWdcar, SUNWcrypr, SUNWcrysl, SUNWdcamn, SUNWdcav

  3. Install the following patches (available from http://sunsolve.sun.com):

     110383-01, 108528-05, 112438-01

  4. Make sure that you have the tools pk12util and modutil.

     For SRA 6.0, these tools are installed under /opt/SUNWps/bin

     For SRA 6.2, these tools are installed under /usr/lib/mps/secv1/bin

  5. Create the slots file:

     vi /etc/opt/SUNWconn/crypto/slots

     and put "crypta@sra" (user@realm) as the first and only line in the file.

  6. Create a realm and a user with the secadm tool:

     /opt/SUNWconn/bin/secadm

     secadm> create realm=sra

     System Administrator Login Required

     Login: root

     Password:

     Realm sra created successfully.

     secadm> set realm=sra

     secadm{sra}> su

     System Administrator Login Required

     Login: root

     Password:

     secadm{root@sra}> create user=crypta

     Initial password:

     Confirm password:

     User crypta created successfully.

     secadm{root@sra}> login user=crypta

     Password:

     secadm{crypta@sra}> show key

     No keys exist for this user.

  7. Load the Sun Crypto module into the gateway certificate database.

     For SRA 6.0, the environment variable LD_LIBRARY_PATH must point to /opt/SUNWps/lib/solaris/sparc

     For SRA 6.2, the environment variable LD_LIBRARY_PATH must point to /usr/lib/mps/secv1/

     Type:

     modutil -dbdir /etc/opt/SUNWps/cert/default -add "Sun Crypto Module" -libfile /opt/SUNWconn/crypto/lib/libpkcs11.so

     Use the following command to verify that the module is loaded:

     modutil -list -dbdir /etc/opt/SUNWps/cert/default

  8. Export the gateway certificate and private key from the certificate database to a PKCS#12 file, then import them into the "crypta@sra" token of the Sun Crypto Module.

     For SRA 6.0, the environment variable LD_LIBRARY_PATH must point to /opt/SUNWps/lib/solaris/sparc

     For SRA 6.2, the environment variable LD_LIBRARY_PATH must point to /usr/lib/mps/secv1/

     Type:

     pk12util -o servercert.p12 -d /etc/opt/SUNWps/cert/default -n server-cert

     pk12util -i servercert.p12 -d /etc/opt/SUNWps/cert/default -h "crypta@sra"

     Delete servercert.p12 once the import has succeeded; the file contains the gateway's private key.

     Now run the show key command in secadm:

     secadm{crypta@sra}> show key

     You should see two keys for this user.

  9. Change the nickname in the /etc/opt/SUNWps/cert/default/.nickname file:

     vi /etc/opt/SUNWps/cert/default/.nickname

     Replace server-cert with crypta@sra:server-cert, so that the gateway looks the certificate up in the token rather than in the software database.

  10. Select ciphers for acceleration.

     The Sun CA1000 accelerates RSA operations, but bulk encryption is accelerated only for the DES and 3DES ciphers. To enable one of these ciphers, do the following:

     For SRA 6.0:

     Gateway >> Enable SSL Cipher Selection: >> SSL3 Ciphers: >> SSL3_RSA_WITH_3DES_EDE_CBC_SHA or SSL3_RSA_WITH_DES_CBC_SHA

     For SRA 6.2:

     Gateway >> Security >> Enable SSL Cipher Selection: >> SSL3 Ciphers: >> SSL3_RSA_WITH_3DES_EDE_CBC_SHA or SSL3_RSA_WITH_DES_CBC_SHA

     Prefer the 3DES cipher; single DES has only a 56-bit key and should be enabled only where interoperability requires it.

  11. Modify /etc/opt/SUNWps/platform.conf.gateway-profile-name to enable the accelerator:

     gateway.enable.accelerator=true

  12. From a terminal window, restart the gateway:

     portal-server-install-root/SUNWps/bin/gateway -n gateway-profile-name start


    Note

    The gateway binds a plain (non-SSL) ServerSocket on the port configured as the HTTPS port in the gateway profile.

    No SSL encryption or decryption of the incoming client traffic is done by the gateway itself; the accelerator does it.

    PDC (Personal Digital Certificate) authentication is not functional in this mode.



Sun Crypto Accelerator 4000

The Sun™ Crypto Accelerator 4000 board is a Gigabit Ethernet-based network interface card that supports cryptographic hardware acceleration for IPsec and SSL (both symmetric and asymmetric) on Sun servers.

In addition to operating as a standard Gigabit Ethernet network interface card for unencrypted network traffic, the board contains cryptographic hardware to support a higher throughput for encrypted IPsec traffic.

The Crypto Accelerator 4000 board accelerates cryptographic algorithms in both hardware and software. It also supports bulk encryption for ciphers DES and 3DES.

Enable Crypto Accelerator 4000

Ensure that Secure Remote Access has been installed and a gateway server certificate (self-signed or issued by any CA) has been installed. The following checklist helps you keep track of the required information before installing the SSL Accelerator.

Table 11-2 lists the Crypto Accelerator 4000 parameters and values. The first column lists the parameter and the second column lists the value.

Table 11-2  Crypto Accelerator 4000 Installation Checklist

    Parameter                                          Value
    Secure Remote Access installation base directory   /opt
    Secure Remote Access instance                      default
    Secure Remote Access certificate database path     /etc/opt/SUNWps/cert/default
    Secure Remote Access server certificate nickname   server-cert
    CA4000 keystore                                    sra-keystore
    CA4000 keystore user                               crypta

Configure Crypto Accelerator 4000

    To Configure Crypto Accelerator 4000
  1. Follow the instructions in the user's guide to install the hardware and the software packages. See:

     http://www.sun.com/products-n-solutions/hardware/docs/pdf/816-2450-11.pdf

  2. Install the following patch (available from http://sunsolve.sun.com): 114795

  3. Make sure that you have the tools certutil, pk12util and modutil.

     For SRA 6.0, these tools are installed under /opt/SUNWps/bin

     For SRA 6.2, these tools are installed under /usr/lib/mps/secv1/bin

  4. Initialize the board.

     Run the /opt/SUNWconn/bin/vcaadm tool to initialize the crypto board and set the following values:

     Initial Security Officer Name: sec_officer

     Keystore name: sra-keystore

     Run in FIPS 140-2 Mode: No

  5. Create a user:

     vcaadm{vca0@localhost, sec_officer}> create user

     New user name: crypta

     Enter new user password:

     Confirm password:

     User crypta created successfully.

  6. Map the token to the keystore:

     vi /opt/SUNWconn/cryptov2/tokens

     and append sra-keystore to the file.

  7. Enable bulk encryption:

     touch /opt/SUNWconn/cryptov2/sslreg

  8. Load the Sun Crypto module into the gateway certificate database.

     For SRA 6.0, the environment variable LD_LIBRARY_PATH must point to /opt/SUNWps/lib/solaris/sparc

     For SRA 6.2, it must point to /usr/lib/mps/secv1/

     Type:

     modutil -dbdir /etc/opt/SUNWps/cert/default -add "Sun Crypto Module" -libfile /opt/SUNWconn/cryptov2/lib/libvpkcs11.so

     You can verify that the module is loaded using the following command:

     modutil -list -dbdir /etc/opt/SUNWps/cert/default

  9. Export the gateway certificate and private key from the certificate database to a PKCS#12 file, then import them into the "sra-keystore" token of the Sun Crypto Module.

     For SRA 6.0, the environment variable LD_LIBRARY_PATH must point to /opt/SUNWps/lib/solaris/sparc

     For SRA 6.2, it must point to /usr/lib/mps/secv1/

     pk12util -o servercert.p12 -d /etc/opt/SUNWps/cert/default -n server-cert

     pk12util -i servercert.p12 -d /etc/opt/SUNWps/cert/default -h "sra-keystore"

     You can verify that the key is now in the token using the following command:

     certutil -K -h "sra-keystore" -d /etc/opt/SUNWps/cert/default

     Delete servercert.p12 once the import has succeeded; the file contains the gateway's private key.

  10. Change the nickname in the /etc/opt/SUNWps/cert/default/.nickname file:

     vi /etc/opt/SUNWps/cert/default/.nickname

     Replace server-cert with sra-keystore:server-cert, so that the gateway looks the certificate up in the token rather than in the software database.

  11. Select ciphers for acceleration.

     The Sun CA4000 accelerates RSA operations, but bulk encryption is accelerated only for the DES and 3DES ciphers. To enable one of these ciphers, do the following:

     For SRA 6.0:

     Gateway >> Enable SSL Cipher Selection: >> SSL3 Ciphers: >> SSL3_RSA_WITH_3DES_EDE_CBC_SHA or SSL3_RSA_WITH_DES_CBC_SHA

     For SRA 6.2:

     Gateway >> Security >> Enable SSL Cipher Selection: >> SSL3 Ciphers: >> SSL3_RSA_WITH_3DES_EDE_CBC_SHA or SSL3_RSA_WITH_DES_CBC_SHA

     Prefer the 3DES cipher; single DES has only a 56-bit key.

  12. From a terminal window, restart the gateway:

     portal-server-install-root/SUNWps/bin/gateway -n gateway-profile-name start

     The gateway prompts for the keystore password. Enter it as user:password for the keystore user created in step 5:

     Enter Password or Pin for "sra-keystore": crypta:crypta-password
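The NSS-side steps of the CA1000 and CA4000 procedures (loading the Sun Crypto module with modutil, moving the gateway key into the token with pk12util, rewriting .nickname, and setting gateway.enable.accelerator in platform.conf) differ only in the token label and the PKCS#11 library. The script below is an added example, not code from this guide or from the SRA product: it gathers those steps into shell functions that take the label and library as parameters, assumes the SRA 6.2 paths (/usr/lib/mps/secv1) and the default instance, and adds the verification and the clean-up of the exported PKCS#12 file that a practitioner would want. The function names register_module, move_key_to_token, set_nickname and set_conf are this example's own. The demonstration at the end exercises only the file-editing functions on constructed files in a scratch directory, because modutil, pk12util and certutil need the real certificate database and board.

```shell
#!/bin/sh
# Added example, not part of the SRA guide or product: the NSS-side steps that
# the CA1000 and CA4000 procedures share, parameterized on token label and
# PKCS#11 library. Assumes SRA 6.2 paths and the default gateway instance.
set -e

NSS_BIN=/usr/lib/mps/secv1/bin            # modutil, pk12util, certutil (SRA 6.2)
LD_LIBRARY_PATH=/usr/lib/mps/secv1/; export LD_LIBRARY_PATH
CERTDB=/etc/opt/SUNWps/cert/default       # gateway certificate database
NICK=server-cert                          # gateway certificate nickname

# "Load the Sun Crypto module": register the board's PKCS#11 library and
# confirm that modutil now lists it. $1 = module name, $2 = library path
# (libpkcs11.so for CA1000, libvpkcs11.so for CA4000).
register_module() {
    "$NSS_BIN/modutil" -dbdir "$CERTDB" -add "$1" -libfile "$2" -force
    "$NSS_BIN/modutil" -list -dbdir "$CERTDB" | grep -q "$1"
}

# "Export the gateway certificate and the key": round-trip through a PKCS#12
# file into the token, remove the file (it holds the private key), then list
# the token's keys. $1 = token label (crypta@sra or sra-keystore).
move_key_to_token() {
    p12=$(mktemp /tmp/servercert.XXXXXX)
    "$NSS_BIN/pk12util" -o "$p12" -d "$CERTDB" -n "$NICK"
    "$NSS_BIN/pk12util" -i "$p12" -d "$CERTDB" -h "$1"
    rm -f "$p12"
    "$NSS_BIN/certutil" -K -h "$1" -d "$CERTDB"
}

# "Change the nickname": the gateway must look the certificate up as
# token:nickname. $1 = path of the .nickname file, $2 = token label.
set_nickname() {
    printf '%s:%s\n' "$2" "$NICK" > "$1"
}

# "Modify platform.conf": set key=value, replacing an existing line rather
# than appending a duplicate. $1 = file, $2 = key, $3 = value. The key is
# used as a regex, so '.' also matches any character; harmless for gateway.* keys.
set_conf() {
    if grep -q "^$2=" "$1"; then
        sed "s|^$2=.*|$2=$3|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}

# Demonstration on constructed files in a scratch directory. The modutil and
# pk12util steps need the real database and board, so they are not run here.
demo_dir=$(mktemp -d)
printf '%s\n' "$NICK" > "$demo_dir/.nickname"
printf 'gateway.enable.accelerator=false\ngateway.port=443\n' > "$demo_dir/platform.conf.default"
set_nickname "$demo_dir/.nickname" "sra-keystore"
set_conf "$demo_dir/platform.conf.default" gateway.enable.accelerator true
cat "$demo_dir/.nickname" "$demo_dir/platform.conf.default"
```

On a real system the sequence for the CA4000 would be register_module "Sun Crypto Module" /opt/SUNWconn/cryptov2/lib/libvpkcs11.so, then move_key_to_token sra-keystore, then set_nickname on the certificate database's .nickname file with the same label; the CA1000 uses crypta@sra and /opt/SUNWconn/crypto/lib/libpkcs11.so instead. set_conf replaces an existing gateway.enable.accelerator line instead of appending a second one, so re-running the script does not leave two conflicting values in platform.conf.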


    Note

    The gateway binds a plain (non-SSL) ServerSocket on the port configured as the HTTPS port in the gateway profile.

    No SSL encryption or decryption of the incoming client traffic is done by the gateway itself; the accelerator does it.

    PDC (Personal Digital Certificate) authentication is not functional in this mode.



External SSL Device and Proxy Accelerators

An external SSL device can run in front of Secure Remote Access in open mode. It provides the SSL link between the client and Secure Remote Access.

Enable an External SSL Device Accelerator

Ensure that Secure Remote Access has been installed and that the gateway runs in secure (HTTPS) mode:

Gateway >> Enable HTTPS Connections

Gateway >> HTTPS Port: 880

Table 11-3 lists the external SSL device and proxy accelerator parameters and values. The first column lists the parameter and the second column lists the value.

Table 11-3  External SSL Device and Proxy Accelerators Checklist

    Parameter                     Value
    SRA instance                  default
    Gateway Mode                  https
    Gateway Port                  880
    External Device/Proxy Port    443

Configure an External SSL Device Accelerator

    To Configure External SSL Device Accelerators
  1. Follow the instructions in the user guide to install the hardware and software packages.
  2. Install the required or recommended patches, if any.
  3. Enable SSL device/proxy support:

     vi /etc/opt/SUNWps/platform.conf.default

     gateway.enable.accelerator=true

     If the external device/proxy host name differs from the gateway host name, also set:

     gateway.enable.customurl=true

     gateway.httpsurl=external-device.domain.subdomain/proxy-URL

  4. Gateway notification can be configured in one of two ways:
     • When the Identity Server can contact the gateway machine directly at port 880 (session notifications are sent over plain HTTP):

       vi /etc/opt/SUNWps/platform.conf.default

       gateway.protocol=http

       gateway.port=880

     • When the Identity Server contacts the external device/proxy at port 443 (session notifications are sent over HTTPS):

       vi /etc/opt/SUNWps/platform.conf.default

       gateway.host=External Device/Proxy Host Name

       gateway.protocol=https

       gateway.port=443

  5. Make sure that the SSL device/proxy is up and running and configured to forward the decrypted traffic to the gateway port.
  6. From a terminal window, restart the gateway:

     gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start
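As an added example, not from this guide or from the product, the following script reads a platform.conf and reports which of the two notification layouts above it describes, or that the settings match neither (for instance gateway.protocol=https combined with the gateway's own port, or gateway.enable.customurl=true without a gateway.httpsurl). The function names conf_get, notify_mode and customurl_ok and the three sample platform.conf files are constructed for this example; the port numbers are the ones in the checklist.

```shell
#!/bin/sh
# Added example, not part of the SRA guide or product: check that the
# platform.conf settings for an external SSL device/proxy are consistent with
# one of the two notification layouts. Port values are the checklist's
# (gateway 880, external device 443); change them if yours differ.
set -e

GW_PORT=880      # port the gateway listens on (a plain socket in this mode)
PROXY_PORT=443   # port on which the external device/proxy terminates SSL

# Print the value of key $2 in platform.conf $1, or nothing if it is unset.
conf_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Classify the notification setup in $1. Prints one of:
#   accelerator-off   gateway.enable.accelerator is not true
#   http-direct       Identity Server -> gateway host, plain HTTP on GW_PORT
#   https-via-proxy   Identity Server -> external device, HTTPS on PROXY_PORT
#   inconsistent      protocol, port and host match neither layout
notify_mode() {
    f=$1
    if [ "$(conf_get "$f" gateway.enable.accelerator)" != true ]; then
        echo accelerator-off
        return 0
    fi
    proto=$(conf_get "$f" gateway.protocol)
    port=$(conf_get "$f" gateway.port)
    host=$(conf_get "$f" gateway.host)
    case "$proto:$port" in
        "http:$GW_PORT")
            echo http-direct ;;
        "https:$PROXY_PORT")
            # HTTPS notifications go to the device, so its host name is required.
            if [ -n "$host" ]; then echo https-via-proxy; else echo inconsistent; fi ;;
        *)
            echo inconsistent ;;
    esac
}

# When the proxy host name differs from the gateway's, gateway.httpsurl must be
# set alongside gateway.enable.customurl=true. Returns 0 if consistent.
customurl_ok() {
    if [ "$(conf_get "$1" gateway.enable.customurl)" = true ]; then
        [ -n "$(conf_get "$1" gateway.httpsurl)" ]
    else
        return 0
    fi
}

# Demonstration on constructed platform.conf files (not taken from a real system).
demo_dir=$(mktemp -d)
cat > "$demo_dir/direct.conf" <<EOF
gateway.enable.accelerator=true
gateway.protocol=http
gateway.port=880
EOF
cat > "$demo_dir/proxy.conf" <<EOF
gateway.enable.accelerator=true
gateway.enable.customurl=true
gateway.httpsurl=sslproxy.example.com/portal
gateway.host=sslproxy.example.com
gateway.protocol=https
gateway.port=443
EOF
cat > "$demo_dir/bad.conf" <<EOF
gateway.enable.accelerator=true
gateway.enable.customurl=true
gateway.protocol=https
gateway.port=880
EOF
for c in direct proxy bad; do
    printf '%s: %s\n' "$c" "$(notify_mode "$demo_dir/$c.conf")"
    customurl_ok "$demo_dir/$c.conf" || printf '%s: customurl set but httpsurl missing\n' "$c"
done
```

Run it after editing platform.conf and before restarting the gateway; direct.conf and proxy.conf above report http-direct and https-via-proxy, while bad.conf reports inconsistent and a missing gateway.httpsurl. In both layouts the hop from the SSL device to the gateway port carries decrypted traffic, and in the first layout the session notifications themselves travel over plain HTTP, so the gateway port should be reachable only from the SSL device and the Identity Server.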





Copyright 2003 Sun Microsystems, Inc. All rights reserved.