Sun Java System Portal Server 6 2004Q2 Secure Remote Access Administration Guide
Chapter 13
Configuring SSL Accelerators
This chapter describes how to configure various accelerators for Sun Java System Portal Server Secure Remote Access.
This chapter covers the following topics:
- Overview
- Sun Crypto Accelerator 1000
- Sun Crypto Accelerator 4000
- External SSL Device and Proxy Accelerators
Overview
External accelerators are dedicated hardware co-processors that off-load the SSL functions from a server's CPU, thereby freeing the CPU to perform other tasks and increasing the processing speed for SSL transactions.
Sun Crypto Accelerator 1000
The Sun Crypto Accelerator 1000 (Sun CA1000) board is a short PCI board that functions as a cryptographic co-processor to accelerate public key and symmetric cryptography. This product has no external interfaces. The board communicates with the host through the internal PCI bus interface. The purpose of this board is to accelerate a variety of computationally intensive cryptographic algorithms for security protocols in eCommerce applications.
Many critical cryptographic functions, such as RSA [7] and Triple-DES (3DES) [8], can be off-loaded from an application to the Sun CA1000 and performed in parallel. This frees the CPU to perform other tasks, increasing the processing speed for SSL transactions.
Enable Crypto Accelerator 1000
Ensure that Portal Server Secure Remote Access has been installed, and a gateway server certificate (self-signed or issued by any CA) has been installed. See the Certificates chapter for details.
The following checklist helps you keep track of the required information before installing the SSL Accelerator. Table 13-1 lists the Crypto Accelerator 1000 parameters and values.
Configure Crypto Accelerator 1000
To Configure Crypto Accelerator 1000
- Follow the instructions in the user's guide to install the hardware. See:
http://www.sun.com/products-n-solutions/hardware/docs/pdf/816-2450-11.pdf
- Install the following packages from the CD.
SUNWcrypm, SUNWcrypu, SUNWcrysu, SUNWdcar, SUNWcrypr, SUNWcrysl, SUNWdcamn, SUNWdcav
- Install the following patches (available from http://sunsolve.sun.com):
110383-01, 108528-05, 112438-01
- Make sure you have the tools pk12util and modutil.
These tools are installed under /usr/sfw/bin. If the tools are not available in the /usr/sfw/bin directory, you need to manually add the SUNWtlsu package from the Sun Java System distribution media:
Solaris_[sparc/x86]/Product/shared_components/
- Create the slots file:
vi /etc/opt/SUNWconn/crypto/slots
and put "crypta@sra" as the first and only line in the file.
- Create a realm and set it as the current realm. The examples below use a realm named sra.
- Create a user. The examples below use a user named crypta.
- Login as the user you created.
secadm{root@sra}> login user=crypta
Password:
secadm{crypta@sra}> show key
No keys exist for this user.
- Load the Sun Crypto module.
The environment variable LD_LIBRARY_PATH must point to /usr/lib/mps/secv1/
Type:
modutil -dbdir /etc/opt/SUNWps/cert/default -add "Sun Crypto Module" -libfile /opt/SUNWconn/crypto/lib/libpkcs11.so
Use the following command to verify that this module is loaded:
modutil -list -dbdir /etc/opt/SUNWps/cert/default
- Export the gateway certificate and the key to the "Sun Crypto Module".
The environment variable LD_LIBRARY_PATH must point to /usr/lib/mps/secv1/
Type:
pk12util -o servercert.p12 -d /etc/opt/SUNWps/cert/default -n server-cert
pk12util -i servercert.p12 -d /etc/opt/SUNWps/cert/default -h "crypta@sra"
Now run the show key command:
secadm{crypta@sra}> show key
You should see two keys for this user.
- Change the nickname in the /etc/opt/SUNWps/cert/default/.nickname file.
vi /etc/opt/SUNWps/cert/default/.nickname
replace the server-cert with crypta@sra:server-cert
- Enable ciphers for acceleration.
See Enable SSL Cipher Selection.
The Sun CA1000 accelerates RSA operations, but it supports bulk-cipher acceleration only for DES and 3DES.
- Modify the /etc/opt/SUNWps/platform.conf.gateway-profile-name to enable the accelerator:
gateway.enable.accelerator=true
- From a terminal window, restart the gateway:
portal-server-install-root/SUNWps/bin/gateway -n gateway-profile-name start
Sun Crypto Accelerator 4000
The Sun Crypto Accelerator 4000 board is a Gigabit Ethernet-based network interface card that supports cryptographic hardware acceleration for IPsec and SSL (both symmetric and asymmetric) on Sun servers.
In addition to operating as a standard Gigabit Ethernet network interface card for unencrypted network traffic, the board contains cryptographic hardware to support a higher throughput for encrypted IPsec traffic.
The Crypto Accelerator 4000 board accelerates cryptographic algorithms in both hardware and software. It also supports bulk encryption for ciphers DES and 3DES.
Enable Crypto Accelerator 4000
Ensure that SRA has been installed and a gateway server certificate (self-signed or issued by any CA) has been installed. The following checklist helps you keep track of the required information before installing the SSL Accelerator.
Table 13-1 lists the Crypto Accelerator 4000 parameters and values.
Configure Crypto Accelerator 4000
To Configure Crypto Accelerator 4000
- Follow the instructions in the user's guide to install the hardware and the software packages. See:
http://www.sun.com/products-n-solutions/hardware/docs/pdf/816-2450-11.pdf
- Install the following patch (available from http://sunsolve.sun.com): 114795
- Make sure that you have the tools certutil, pk12util and modutil.
These tools are installed under /usr/sfw/bin. If the tools are not available in the /usr/sfw/bin directory, you need to manually add the SUNWtlsu package from the Sun Java System distribution media:
Solaris_[sparc/x86]/Product/shared_components/
- Initialize the board.
Run the /opt/SUNWconn/bin/vcaadm tool to initialize the crypto board and set the following values:
Initial Security Officer Name: sec_officer
Keystore name: sra-keystore
Run in FIPS 140-2 Mode: No
- Create a user.
vcaadm{vca0@localhost, sec_officer}> create user
New user name: crypta
Enter new user password:
Confirm password:
User crypta created successfully.
- Map token to the key store.
vi /opt/SUNWconn/cryptov2/tokens
and append sra-keystore to the file.
- Enable bulk encryption.
touch /opt/SUNWconn/cryptov2/sslreg
- Load the Sun Crypto module.
The environment variable LD_LIBRARY_PATH must point to /usr/lib/mps/secv1/
Type:
modutil -dbdir /etc/opt/SUNWps/cert/default -add "Sun Crypto Module" -libfile /opt/SUNWconn/cryptov2/lib/libvpkcs11.so
You can verify that this module is loaded using the following command:
modutil -list -dbdir /etc/opt/SUNWps/cert/default
- Export the gateway certificate and the key to the "Sun Crypto Module".
The environment variable LD_LIBRARY_PATH must point to /usr/lib/mps/secv1/
pk12util -o servercert.p12 -d /etc/opt/SUNWps/cert/default -n server-cert
pk12util -i servercert.p12 -d /etc/opt/SUNWps/cert/default -h "sra-keystore"
You can verify that the key has been exported using the following command:
certutil -K -h "sra-keystore" -d /etc/opt/SUNWps/cert/default
- Change the nickname in the /etc/opt/SUNWps/cert/default/.nickname file:
vi /etc/opt/SUNWps/cert/default/.nickname
replace the server-cert with sra-keystore:server-cert
- Enable the ciphers for acceleration.
See Enable SSL Cipher Selection
- From a terminal window, restart the gateway:
portal-server-install-root/SUNWps/bin/gateway -n gateway-profile-name start
The gateway will prompt you to enter the keystore password.
Enter Password or Pin for "sra-keystore":crypta:crypta-password
External SSL Device and Proxy Accelerators
An external SSL device can run in front of Sun Java System Portal Server Secure Remote Access (SRA) in open mode. It provides the SSL link between the client and SRA.
Enable an External SSL Device Accelerator
Ensure that SRA has been installed and a gateway is running in secure mode (HTTPS mode):
Gateway >> Enable HTTPS Connections
Gateway >> HTTP Port: 880
Table 13-3 lists the external SSL device and proxy accelerator parameters and values.
Table 13-3 External SSL Device and Proxy Accelerators Checklist
Parameter                   Value
SRA instance                default
Gateway Mode                https
Gateway Port                880
External Device/Proxy Port  443
Configure an External SSL Device Accelerator
To Configure External SSL Device Accelerators
- Follow the instructions in the user guide to install the hardware and software packages.
- Install the required patches, if any.
- Enable SSL Device/Proxy support by entering values in the platform.conf file:
vi /etc/opt/SUNWps/platform.conf.default
gateway.enable.accelerator=true
If the external device/proxy host name is different from the gateway host name:
gateway.enable.customurl=true
gateway.httpsurl=external-device.domain.subdomain/proxy-URL
- Gateway notification can be configured in two ways:
- Make sure that the SSL device/proxy is up and running and configured to tunnel the traffic to the gateway port.
- From a terminal window, restart the gateway:
gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start
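The configuration-file edits from the hardware accelerator procedures (token-qualified nickname in .nickname, gateway.enable.accelerator in platform.conf) and from the external SSL device procedure (customurl and httpsurl) as one added shell script; it is not part of the guide, the function names are assumptions, and move_key_to_token only wraps the guide's own pk12util and certutil calls, adding a restrictive umask and removal of the temporary PKCS#12 file as an extra precaution.

```shell
#!/bin/sh
# Added example (not from the guide): the file edits described in the procedures
# above, taking the cert directory and platform.conf path as parameters.
set -eu
# Set KEY=VALUE in a platform.conf-style file: replace an existing line or append.
set_prop() {   # set_prop FILE KEY VALUE
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')       # match dots in the key literally
    if grep -q "^${pat}=" "$1" 2>/dev/null; then
        esc=$(printf '%s' "$3" | sed 's/[\/&]/\\&/g')  # escape sed specials in the value
        sed "s/^${pat}=.*/${2}=${esc}/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}
get_prop() {   # get_prop FILE KEY -> value of the last matching line
    sed -n "s/^$(printf '%s' "$2" | sed 's/\./\\./g')=//p" "$1" | tail -n 1
}
# Qualify the nickname in .nickname with the token ("token:server-cert"), unless
# it already carries a prefix, and echo the resulting nickname.
set_cert_token() {   # set_cert_token NICKNAME_FILE TOKEN
    nick=$(head -n 1 "$1")
    case "$nick" in *:*) ;; *) nick="$2:$nick"; printf '%s\n' "$nick" > "$1" ;; esac
    printf '%s\n' "$nick"
}
# Move the gateway key into the token with the pk12util calls from the guide
# (interactive password prompts; not exercised by the test). The temporary .p12
# carries the private key, so create it under a tight umask and delete it after.
move_key_to_token() {   # move_key_to_token CERT_DIR TOKEN [NICKNAME]
    export LD_LIBRARY_PATH=/usr/lib/mps/secv1/
    ( umask 077
      pk12util -o servercert.p12 -d "$1" -n "${3:-server-cert}"
      pk12util -i servercert.p12 -d "$1" -h "$2" )
    rm -f servercert.p12
    certutil -K -h "$2" -d "$1"      # the key should now be listed under the token
}
# Hardware accelerator: token "crypta@sra" (CA1000) or "sra-keystore" (CA4000).
configure_hw_accelerator() {   # configure_hw_accelerator CERT_DIR PLATFORM_CONF TOKEN
    set_cert_token "$1/.nickname" "$3" >/dev/null
    set_prop "$2" gateway.enable.accelerator true
}
# External SSL device/proxy in front of the gateway's HTTPS port; HTTPS_URL is only
# needed when the device's host name differs from the gateway's.
configure_external_proxy() {   # configure_external_proxy PLATFORM_CONF [HTTPS_URL]
    set_prop "$1" gateway.enable.accelerator true
    if [ -n "${2:-}" ]; then
        set_prop "$1" gateway.enable.customurl true
        set_prop "$1" gateway.httpsurl "$2"
    fi
}
```

Run the functions against copies of /etc/opt/SUNWps/cert/default/.nickname and platform.conf.gateway-profile-name first, then restart the gateway as the procedures describe.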