Product Overview

C H A P T E R 1

Product Overview

This chapter provides an overview of the Sun Crypto Accelerator 6000 Board. Sections include:

Product Features

Hardware Overview

Hardware and Software Requirements

Product Features

The Sun Crypto Accelerator 6000 Board is an 8 lane PCI Express based host bus adapter (HBA) that combines IPsec and SSL cryptographic acceleration with Hardware Security Module (HSM) features. The board provides improved performance, additional security features, and support for new Oracle Solaris OS on SPARC and x86 and x86 AMD Opteron platforms running Linux. The combination of a dedicated HSM, advanced cryptographic security, and secure key management specifically meets the security and performance needs for financial services.

Once installed, the board is initialized and configured with the scamgr utility, which manages the keystore and user information and determines the level of security in which the board operates. Once a keystore and security officer account are configured, Java and PKCS#11 applications such as Sun Java System Application Server software, and OpenSSL applications such as Apache can be configured to use the board for cryptographic acceleration.

Key Features

Low profile, half length PCI-express, 8 lane (bi-8)

Support for Oracle Solaris Cryptographic Framework

Accelerates IPsec and SSL cryptographic functions

Session establishment rate - up to 13,000 operations per second

Bulk encryption rate - up to 1 Gbps

Provides up to 2048-bit RSA encryption

Provides tamper-resistant, centralized security key and certificate administration for Sun Java System Web Server for increased security and simplified key management

FIPS 140-2 Level 3 certification

Low CPU utilization - frees up server system resource and bandwidth

Secure private key storage and management

Dynamic reconfiguration (DR), and redundancy and failover support on Sun’s midframe and high-end servers

Support for Oracle Solaris 10 and future compatible releases

Support for Oracle Solaris Cryptographic Framework

Support for Linux Red Hat EL 4.0, SuSE Enterprise 9.0

Support for openCryoptoki software

Support for Sun’s Predictive Self-Healing

Support for the Service Management Facility (SMF), which is an improved mechanism for controlling system startup and the relationship between services.

Multi-Admin keystore security, supporting the requirement of multiple security officers to authenticate keystore backup and restore operations.

Serial port for direct input adminstration interface

USB port for keystore backup/restore to USB mass storage devices

Financial Services Support

The board supports PIN and credit card related functionality, ensuring the security of sensitive customer data by performing the entire operation within the secure cryptographic boundary of the board. Specialized key management capabilities and a new user library (libfinsvcs.so) and associated application interface are provided to support this feature. See Chapter 4 for details.

Supported Applications

Java application

Sun Java System servers

Apache Web Server

PKCS11 applications

Supported Cryptographic Protocols and Algorithms

The board supports the following protocols:

SSLv2

SSLv3

TLSv1

The board accelerates the following IPsec encapsulating security payload (ESP) algorithms.

TABLE 1-1 IPsec ESP Cryptographic Algorithms
Type	Algorithm
Symmetric	DES, 3DES, AES (encryption and decryption)

The board accelerates the following SSL algorithms.

TABLE 1-2 SSL ESP Cryptographic Algorithms
Type	Algorithm
Symmetric	DES, 3DES, AES (encryption and decryption)
Asymmetric	Diffie-Hellman and RSA (up to 2048 bit key), DSA

The board accelerates the following SSL functions:

Secure establishment of a set of cryptographic parameters and secret keys between a client and a server.

Secure key storage on the board - keys are encrypted if they leave the board.

Diagnostic Support

SunVTS diagnostic tests

Security officer initiated diagnostics (scadiag and scamgr)

Cryptographic Algorithm Acceleration

Together with the Oracle Solaris Cryptographic Framework, the board accelerates cryptographic algorithms in both hardware and software. The reason for this complexity is that the cost of accelerating cryptographic algorithms is not uniform across all algorithms. Some cryptographic algorithms were designed specifically to be implemented in hardware, others were designed to be implemented in software. For hardware acceleration, there is the additional cost of moving data from the user application to the hardware acceleration device, and moving the results back to the user application. Note that a few cryptographic algorithms can be performed by highly tuned software as quickly as they can be performed in dedicated hardware.

Hardware Overview

The Sun Crypto Accelerator 6000 hardware is a low profile, half length (6.6 inches [1.67.64 mm] by 2.54 inches [64.41 mm]) 8 lane PCI-Express based HBA that enhances the performance of IPsec and SSL and provides robust security features. FIGURE 1-1 provides an illustration of the board.

FIGURE 1-1 Sun Crypto Accelerator 6000 Board

LED Displays

TABLE 1-3 describes the LED displays.

TABLE 1-3 Front Panel LEDs
Label	Color	Indication
STATUS	Green/Red	Off when bootstrap firmware executes Green in POST, and DISABLED states (driver not attached) Flashing green in IDLE, OPERATIONAL, and FAILSAFE states (heart beat) Red when board is in the HALTED (fatal error) state or when a low-level hardware initialization failure occurs Flashing red if an error occurrs during the boot process
FIPS	Green/Yellow	Off in non-FIPS mode Green when operating in FIPS mode Flashing yellow when zeroize jumper is present
INIT	Green/Yellow	Off if the board has not been initialized Green if the card has been initialized by a security officer Yellow in POST, DIAGNOSTICS, and FAILSAFE (firmware not upgraded) states Flashing yellow when running DIAGNOSTICS

FIGURE 1-2 shows the location of the LEDs.

FIGURE 1-2 LED Locations

Direct Input Devices

The Sun Crypto Accelerator 6000 Board has three direct input devices: an RJ-11 serial port, a USB port, and a point of presence button.

Serial Port

The six wire RJ-11 port connector enables direct input adminstration. The port operates at a baud rate of 9600-8N1. The pinout specifications are described in TABLE 1-4 and shown in FIGURE 1-3.

TABLE 1-4 RJ-11 Port Connector Pins and Signals
Pin	Signal	Definition
1	PWR	5 volt DC power
2	NC	Not connected
3	NC	Not connected
4	XMIT	Transmit data
5	RECV	Data receive
6	GND	Signal ground

Suggested Serial Device

Any device with a properly configured serial port and cable can be used for direct input administration the device. However, for maximum security it is suggested that a stateless hand-held device be used to ensure sensitive information and keying material are not compromised. One such device tested and suggested is the Termiflex OT/30 Hand-held Terminal from Warner Power. A Termiflex OT/30 Terminal has been configured specifically for use with the board and can be ordered directly from Warner Power using part number
99-3619-04001 (http://ec.transcendusa.com/)

FIGURE 1-3 RJ-11 Port Connector Pins

USB Port

The standard size USB connector enables you to backup and restore the onboard keystore. The port is USB 1.1 compliant and is compatible with standard USB mass storage devices (bulk-only).

Suggested USB Device

Although other USB mass-storage devices work, only the JetFlash 2.0 USB Flash drive from Transcend has been fully tested and qualified for use with the board. Before using another device for backup and restore operations, verify that diagnostics run successfully with the USB device installed. Choose devices with high transfer speeds and quick response times for the best compatibility with the board (http://www.termiflex.com/).

Point Of Presence Button

The point of presence button provides physical presence verification when pressed. The physical pressing of this button cannot be emulated remotely.

Dynamic Reconfiguration and High Availability

The Sun Crypto Accelerator 6000 hardware and associated software provide the capability to work effectively on SPARC platforms supporting dynamic reconfiguration (DR) and hot-plugging. During a DR or hot-plug operation, the Sun Crypto Accelerator 6000 software layer automatically detects the addition or removal of a board, and adjusts the scheduling algorithms to accommodate the change in hardware resources.

Note - DR is supported on SPARC platforms only.

For High Availability (HA) configurations, multiple Sun Crypto Accelerator 6000 boards can be installed within a system or domain to insure that hardware acceleration is continuously available. In the unlikely event of a Sun Crypto Accelerator 6000 hardware failure, the software layer detects the failure and removes the failed board from the list of available hardware cryptographic accelerators. Sun Crypto Accelerator 6000 software adjusts the scheduling algorithms to accommodate the reduction in hardware resources. Subsequent cryptographic requests are scheduled to the remaining boards.

Note that the Sun Crypto Accelerator 6000 hardware provides a source for high-quality entropy for the generation of long-term keys. If all the Sun Crypto Accelerator 6000 boards within a domain or system are removed, long-term keys are generated with lower-quality entropy.

Load Sharing

The Sun Crypto Accelerator 6000 software enables the distribution of load across as many boards as are installed within the Oracle Solaris domain or system. Incoming cryptographic requests are distributed across the boards based on fixed-length work queues. Cryptographic requests are directed to the first board, and subsequent requests stay directed to the first board until it is running at full capacity. Once the first board is running at full capacity, further requests are queued to the next board available that can accept the request of this type. The queueing mechanism optimizes throughput by facilitating request coalescing at the board.

Hardware and Software Requirements

TABLE 1-5 provides a summary of the hardware and software requirements for the Sun Crypto Accelerator 6000 Board.

TABLE 1-5 Hardware and Software Requirements
Hardware and Software	Requirements
Hardware	Sun Fire T1000, T2000, x2100 Sun Ultra 40, 20
Operating System	Oracle Solaris 10, Red Hat EL 4.0, SuSE Enterprise 9.0, and future compatible releases of these operating systems.

*Note - 1 Gbyte of memory is suggested for Linux operating systems.

Oracle Solaris 10 on SPARC and x86 Platforms

The board supports the Oracle Solaris 10 operating system on both SPARC and x86 AMD Opteron Linux platforms. The board acts as a cryptographic service provider to the Oracle Solaris Cryptographic Framework, allowing applications to access the board’s functionality with PKCS11, OpenSSL, and JAVA (J2SE).

Linux on x86 AMD Opteron Linux Platforms

The openCryptoki software interface is used based on support by both the Red Hat EL 4.0 and SuSE Enterprise 9.0 Linux distributions. openCryptoki provides a user level interface that allows selecting specific cryptographic providers.

Note - IPsec cryptographic hardware acceleration is not supported on the current Linux distributions.

Required Patches

Refer to the Sun Crypto Accelerator 6000 Board Product Notes for Version 1.0 for detailed required patch information.