C H A P T E R 3 |
Administering the Sun Crypto Accelerator 6000 Board |
This chapter provides an overview of administering the board on both Oracle Solaris and Linux platforms with the scamgr and scadiag utilities, and the scad and scakiod service daemons. Additional instructions for Linux platforms are included in the last two sections. Sections include:
The scamgr utility offers a command-line interface to the board. Only users designated as security officers are permitted to use the scamgr utility. When you first connect to a board with scamgr, you are prompted to create an initial security officer and password.
The scamgr command-line syntax is:
Note - When using the -d attribute, mcaN is the board’s device name, where the N corresponds to the Sun Crypto Accelerator 6000 device instance number. |
TABLE 3-1 shows the options for the scamgr utility.
Note - The variable sec-officer is used throughout this document as an example security officer name. |
scamgr can run in one of three modes. These modes differ mainly in how commands are passed into scamgr. The three modes are Single-Command mode, File mode, and Interactive mode.
Note - To use scamgr, you must authenticate as security officer. How often you need to authenticate as security officer is determined by which operating mode you are using. |
In Single-Command mode, you must authenticate as security officer for every command. Once the command is executed, you are logged out of scamgr.
When entering commands in Single-Command mode, you specify the command to be run after all the command-line switches are specified. For example, in Single-Command mode, the following command would show all the users in a given keystore and return the user to the command shell prompt.
All output from Single-Command mode goes to the standard output stream. This output can be redirected using standard UNIX shell-based methods.
In File mode, you must authenticate as security officer for every file you run. You are logged out of scamgr after the commands in the command file are executed.
To enter commands in File mode, you specify a file from which scamgr reads one or more commands. The file must be ASCII text, consisting of one command per line. Begin each comment with a hash (#) character. If the File mode option is set, scamgr ignores any command-line arguments after the last option. The following example runs the commands in the deluser.scr file and answers all prompts in the affirmative:
In Interactive mode, you must authenticate as security officer every time you connect to a board. This is the default operating mode for scamgr. To log out of scamgr in Interactive mode, use the logout command. Refer to Logging In and Out With scamgr.
Interactive mode presents the user with an interface similar to ftp(1), where commands can be entered one at a time. The -y option is not supported in Interactive mode.
When you use scamgr from the command line and specify host, port, and device using the -h, -p, and -d attributes respectively, you are immediately prompted to log in as security officer if a successful network connection was made.
The scamgr utility establishes an encrypted network connection (channel) between the scamgr application and the Sun Crypto Accelerator 6000 firmware running on a specific board.
During setup of the encrypted channel, boards identify themselves by their hardware serial ID address and an RSA public key. A trust database ($HOME/.sunw/sca/trustdb) is created the first time scamgr connects to a board. This file contains all of the boards that are currently trusted by the security officer.
The scamgr prompt in Interactive mode is displayed as follows:
The following table describes the scamgr prompt variables:
If the security officer connects to a new board, scamgr notifies the security officer and prompts with the following options:
1. Abort this connection 2. Trust the board for this session only 3. Trust the board for all future sessions |
If the security officer connects to a board that has a remote access key that has been changed, scamgr will notify the security officer and prompt the following three options:
1. Abort this connection 2. Trust the board for this session only 3. Replace the trusted key with the new key |
Note - The remaining examples in this chapter were created with the Interactive mode of scamgr. |
When connecting to a new board, scamgr must create a new entry in the trust database. The following is an example of logging in to a new board.
When connecting to a board that has a changed remote access key, scamgr must change the entry corresponding to the board in the trust database. The following is an example of logging in to a board with a changed remote access key.
If you are working in Interactive mode, you might want to disconnect from one board and connect to another board without completely exiting scamgr. To disconnect from a board and log out, but remain in Interactive mode, use the logout command:
In the previous example, notice that the scamgr> prompt no longer displays the device instance number, hostname, or security officer name. To log in to another device, type the connect command with the following optional parameters.
scamgr{mcaN@hostname, sec-officer}> logout scamgr> connect host hostname dev mca2 Security Officer Login: sec-officer Security Officer Password: scamgr{mca2@hostname, sec-officer}> |
scamgr does not let you issue the connect command if you are already connected to a board. You must first log out and then issue the connect command.
Each new connection causes scamgr and the target board firmware to renegotiate new session keys to protect the administrative data that is sent.
This section lists the available scamgr commands and describes their usage.
TABLE 3-4 lists the scamgr commands.
The scamgr utility has a command language that must be used to interact with the board. Commands are entered using all or part of a command (enough to uniquely identify that command from any other command). Entering sh instead of show would work, but re is ambiguous because it could be reset or rekey.
The following example shows entering commands using entire words:
scamgr{mcaN@hostname, sec-officer}> show user User Status ----------------------------------------------------- web-admin Enabled Tom Enabled ----------------------------------------------------- |
The same information can be obtained in the previous example using partial words as commands, such as sh us.
An ambiguous command produces an explanatory response:
scamgr has built-in help functions. To get help, you must enter a question mark (?) character following the command you want more help on. If an entire command is entered and a “?” exists anywhere on the line, you get the syntax for the command, for example:
You can also enter a question mark at the scamgr prompt to see a list of all of the scamgr commands and their description, for example:
Two commands allow you to exit from scamgr, quit and exit. The Ctrl-D key sequence also exits from scamgr.
The first step in configuring a board is to initialize it. When you initialize a board it is necessary to create a keystore. (See Web Server Concepts and Terminology.) When you first connect to a board with scamgr, you are prompted to initialize the board with a new keystore or an existing keystore, which is stored in a backup file. scamgr prompts you for all the required information for either type of board initialization.
This section describes how to initialize the board with a new keystore.
1. Initialize the board with the scamgr command.
2. Enter 2 then 1 as shown in the following example:
See Naming Requirements.
4. Select FIPS 140-2 mode or non-FIPS mode.
When in FIPS mode the board is FIPS 140-2, level 3 compliant. FIPS 140-2 is a Federal Information Processing standard that requires tamper-resistance and a high level of data integrity and security. Refer to the FIPS 140-2 document located at:
http://www.nist.gov/dmvp
5. Create an initial security officer name and password.
See Naming Requirements.
6. Verify the configuration information:
If you are adding multiple boards to a single keystore, you might want to initialize all of the boards to use the same keystore information. In addition, you might want to restore a board to the original keystore configuration. This section describes how to initialize a board to use an existing keystore which is stored in a backup file.
You must first create a backup file of an existing board configuration before performing this procedure. Creating and restoring a backup file requires a password to encrypt and decrypt the data in the backup file. (See Back Up the Master Key.)
1. Initialize the board with the scamgr command.
1. Enter 2 as shown in the following example:
2. Enter the path and password to the backup file:
Note - If the backup file was created in Multi-Admin mode, authentication is required by multiple security officers assigned the Multi-Admin role. |
3. Verify the configuration information:
A keystore is a repository for key material. Associated with a keystore are security officers and users. Keystores not only provide storage, but a means for key objects to be owned by user accounts. This enables keys to be hidden from applications that do not authenticate as the owner. Keystores have three components:
Note - A single board must have exactly one keystore. Multiple boards can be configured to collectively work with the same keystore to provide additional performance and fault tolerance. |
Security officer names, user names, and keystore names must meet the following requirements:
63 characters for security officer names and user names.
|
|
Password requirements vary based on the current set passreq setting (low,
med, or high).
This command sets the password character requirements for any password prompted by scamgr. There are three settings for password requirements, as shown in the following table:
2. Type the set passreq command followed by low, med, or high.
The following commands set the password requirements for a board to high:
scamgr{mcaN@hostname, sec-officer}> set passreq high scamgr{mcaN@hostname, sec-officer}> set passreq Password security level (low/med/high): high |
Only security officer passwords may be changed with scamgr. Security officers can change their own password.
scamgr{mcaN@hostname, sec-officer}> set password Enter new security officer password: Confirm password: Security Officer password has been set. |
User passwords may be changed through the PKCS#11 interface with the Sun Java System Web Server modutil utility. Refer to the Sun Java System Web Server documentation for details.
This section describes how to populate and list security officers and users and how to enable, disable, and delete them.
There might be more than one security officer for a keystore. Security officer names are known only within the domain of the board and do not need to be identical to any user name on the host system.
When creating a security officer, the name is an optional parameter on the command line. If the security officer name is omitted, scamgr prompts you for the name. (See Naming Requirements.) For example:
User names are known only within the domain of the board and do not need to be identical to the UNIX user name for the web server process.
2. Type create user user-name.
When creating a user, the user name is an optional parameter on the command line. If the user name is omitted, scamgr prompts you for the user name. (See Naming Requirements.) For example:
Users must use this password when authenticating during a web server startup.
Caution - Users must remember their password so they can access their keys. There is no way to retrieve a lost password. |
Note - The user account is logged out if no commands are entered for more than five minutes. This is a tunable option. See Set the Auto-Logout Time for details. |
You can list users associated with a keystore.Start the scamgr utility.
1. Type the show user command. For example:
scamgr{mcaN@hostname, sec-officer}> show user User Status ----------------------------------------------------- web-admin Enabled Tom Enabled ----------------------------------------------------- |
You can list security officers associated with a keystore.
2. Type the show so command. For example:
Note - Security officers cannot be disabled. Once a security officer is created, it is enabled until it is deleted. |
Users and Security officers are enabled by default. Users may be disabled. Disabled users cannot access their key material with the PKCS#11 interface. Enabling a disabled user restores access to all of that user’s key material.
2. Type disable user user-name.
When enabling or disabling a user, the user name is an optional parameter on the command line. If the user name is omitted, scamgr prompts you for the user name. For example:
scamgr{mcaN@hostname, sec-officer}> disable user Tom User Tom disabled. scamgr{mcaN@hostname, sec-officer}> disable user User name: web-admin User web-admin disabled. |
Enable Users |
2. Type the enable user user-name command. When enabling a user, the user name is optional. For example:
scamgr{mcaN@hostname, sec-officer}> enable user Tom User Tom enabled. scamgr{mcaN@hostname, sec-officer}> enable user User name: web-admin User web-admin enabled. |
2. Type delete user user-name.
When deleting a user, the user name is an optional parameter on the command line. If the user name is omitted, scamgr prompts you for the user name. For example:
When deleting a security officer, the security officer name is an optional parameter on the command line. If the security officer name is omitted, scamgr prompts you for the security officer name. For example:
Keystores are stored on the disk and encrypted in a master key. This master key is stored in the board firmware and can be backed up by a security officer.
The path name can be placed on the command line or if omitted, scamgr prompts you for the path name.
Note - If the following command is executed in Multi-Admin mode, authentication is required by multiple security officers assigned the Multi-Admin role. |
scamgr{mcaN@hostname, sec-officer}> backup /opt/backup-directory-name/bkup.data Enter a password to protect the data: Confirm password: Backup to /opt/SUNWconn/mca/backups/bkup.data successful. |
3. Set a passphrase for the backup data.
This passphrase encrypts the master key in the backup file.
A site might have a strict security policy that does not permit the master key for a board to leave the hardware.
Caution - Once this command is issued, all attempts to back up the master key will fail. This lock persists even if the master key is rekeyed. The only way to clear this setting is to zeroize the board with the zeroizecommand. (See Perform a Software Zeroize on the Board.) |
2. Type set lock. For example:
The scamgr utility includes a special mode of operation called Multi-Admin mode. In this mode, certain commands require multiple security officers to authenticate and approve the command before it can complete successfully. Security officers must be in the Multi-Admin role before they can authenticate Multi-Admin commands.
When a Multi-Admin command is issued, no other general administration on the board can take place until either the command times out, is cancelled by the security officer who started the command, or the command completes successfully. A timeout from 1 to 15 minutes must be set at or before Multi-Admin mode is enabled. See Set a Multi-Admin Command Timeout for more information. Also security officers must set the number of Multi-Admin role members required to authenticate any Multi-Admin command.
When a Multi-Admin command is initiated, the scamgr session from which it is started will wait until one of three conditions occur: The command completes successfully, the command fails, or the command times out. Other Multi-Admin role members will log in to the device using their respective scamgr sessions. During Multi-Admin mode commands, these role members can only authenticate the command in progress. If the initiating security officer’s scamgr session terminates unexpectedly, the security officer can log back in to the device and cancel the command. Otherwise, the board cannot be administered normally until the command times out.
This section describes how to configure and manage Multi-Admin mode with the scamgr utility. First, you must identify your security officers and place them in the Multi-Admin role. You must have enough security officers in that role to satisfy the minimum number set with the set multiadmin minauth command. If the number of Multi-Admin role members is below the minimum threshold, you cannot enable Multi-Admin mode.
2. Type enable authmember so-name.
If executed in Multi-Admin mode, this command requires authentication by multiple security officers assigned the Multi-Admin role. The following command assigns a security officer the Multi-Admin role.
scamgr{mcaN@hostname, sec-officer}> enable authmember sec-officer Added multi-admin role to Security Officer sec-officer. |
2. Type disable authmember so-name.
If executed in Multi-Admin mode, this command requires authentication by multiple security officers assigned the Multi-Admin role. For example:
scamgr{mcaN@hostname, sec-officer}> disable authmember sec-officer Removed multi-admin role from Security Officer rew. |
This command removes security officers from the Multi-Admin role only if they are in addition to the minimum required. This command exits only if a minimum number of security officers are assigned the Multi-Admin role. See Set the Minimum Number of Security Officers Required to Authenticate Multi-Admin Commands.
Set the Minimum Number of Security Officers Required to Authenticate Multi-Admin Commands |
2. Type set multiadmin minauth minimum-role-members.
The minimum-role-members value must be at least two and less than or equal to the total number of security officers on the system. In addition, if Multi-Admin mode is already enabled the new value cannot exceed the number of members with the Multi-Admin role. If executed in Multi-Admin mode, this command requires authentication by multiple security officers assigned the Multi-Admin role.
For example, the following command sets the minimum number of required security officers to authenticate Multi-Admin commands.
scamgr{mcaN@hostname, sec-officer}> set multiadmin minauth 3 Multi-admin mode now requires 3 security officers to authenticate. |
2. Type set multiadmin timeout minutes.
The minutes value must be between 1 and 1440 minutes (1 day). If a value larger than 1440 is specified, the value will be set to 1440. If executed in Multi-Admin mode, this command requires authentication by multiple security officers assigned the Multi-Admin role.
For example, the following command changes the timeout for commands that require Multi-Admin mode authentication.
scamgr{mcaN@hostname, sec-officer}> set multiadmin timeout 3 New multi-admin timeout value is 3 minutes. |
When enabled, certain commands require multiple security officers to authenticate before the command can complete successfully. When this command is executed, the security officer is presented with the current Multi-Admin mode settings and is given the opportunity to change these settings before the command completes. This command does not accept the -y (yes to all) flag.
For example, the following command enables Multi-Admin mode.
This command requires authentication by multiple security officers assigned the Multi-Admin role.
For example, the following command disables Multi-Admin mode.
2. Type enable authmember sec-officerN.
Where N is the number of the security officer.
With the minimum number of required security officers set to three, adding additional security officers requires the authorization of three different security officers, including the initiating security officer, to authenticate before this command can complete.
Execute the following command on the initiating security officer’s scamgr session.
3. Ask other security officers to log in from their respective scamgr sessions and authorize the command.
Cancel a Multi-Admin Command Originated by the Initiating Security Officer |
2. Type disable authmember sec-officerN.
Where N is the number of the security officer.
For example, the following command is cancelled. This command must be entered on the initiating security officer’s scamgr session.
To cancel the command, the initiating security officer must either close the current scamgr session or log in with a second scamgr session.
If the scamgr session from which the command was initiated is still active, the following message is displayed.
3. Ensure other security officers do not authenticate the command.
For example, the following command is issued by security officer.
Log In to a Board During a Multi-Admin Command as a Security Officer Not in the Multi-Admin Role |
Log in as a non-multi-admin security officer.
Attempt to Execute a Multi-Admin Command Without Multi-Admin Role Permissions |
2. Type a command as a security officer without Multi-Admin role permissions.
The command fails. For example:
This section describes how to manage boards with the scamgr utility.
Set the Auto-Logout Time |
Where N is the number of minutes before a security officer is automatically logged out. A value of 0 disables the automatic logout feature. The maximum delay is 1,440 minutes (1 day). A newly initialized board defaults to 5 minutes.
The following command changes the auto-logout time for a security officer to 10 minutes:
Display Board Status |
This command displays the hardware and firmware versions for that board, the MAC address of the network interface, the status (Up, Down, speed, duplex, and so on) of the network interface, and the keystore name and ID. For example:
Load New Firmware |
You can update the firmware for the board as new features are added.
2. Type load firmware path-name.
Where path-name is the path to the firmware file.
A successful update of the firmware requires you to manually reset the board with the reset command. When you reset the board, the currently logged in security officer is logged out.
Reset the Board |
In certain situations, it might be necessary to reset the board. To do this, you must issue the reset command. You are asked if this is what you wish to do. Resetting a board might temporarily cease the acceleration of cryptography on the system unless there are other active board boards able to take over the load. Also, this command automatically logs you out of scamgr, so you must reconnect to the device by logging back into scamgr if you wish to continue administering it.
3. Type y to proceed, type n to cancel.
scamgr{mcaN@hostname, sec-officer}> reset WARNING: Issuing this command will reset the the board and close this connection. Proceed with reset? (Y/Yes/N/No) [No]: y Reset successful. |
Rekey the Board |
If your security policy changes, you might want to use new keys as the master key or remote access key. The rekey command enables you to regenerate either of these keys, or both.
Rekeying the master key also causes the keystore to be reencrypted under the new key, and invalidates older backed up master key files with the new keystore file. Make a backup of the master key whenever it is rekeyed. If you have multiple boards using the same keystore, you need to back up this new master key and restore it to the other boards.
Rekeying the remote access key logs the security officer out, forcing a new connection that uses the new remote access key.
3. Specify which keys to rekey.
You may specify one of three key types when issuing the rekey command:
Rekeys the remote access key. Logs the security officer out. |
|
The following is an example of entering a key type of all with the rekey command:
Perform a Software Zeroize on the Board |
There are two methods of clearing a board of all its key material. The first method is with a hardware jumper (shunt). This form of zeroizing returns the board to its original factory state (Failsafe mode). (See Zeroizing the Sun Crypto Accelerator 6000 Hardware to the Factory State.) The second method is to use the zeroize command.
Note - The zeroize command removes the key material, and leaves any updated firmware intact. This command also logs the security officer out upon successful completion. |
Use the scamgr diagnostics Command |
Diagnostics can be performed from the scamgr utility and from the SunVTS software. The diagnostics command in scamgr covers three major categories in the board hardware - general hardware, cryptographic subsystem, and network subsystem. Tests for general hardware cover DRAM, flash memory, the PCI bus, the DMA controller, and other hardware internals. Tests for the cryptographic subsystem cover random number generators and cryptographic accelerators. Tests on the network subsystem cover the sca device.
The scadiag utility provides a command-line interface to the board that enables superusers to perform administrative tasks without authenticating as security officer. Command-line options determine the actions that scadiag performs.
To access the scadiag utility easily, place the Sun Crypto Accelerator 6000 tools directory in your search path, for example:
The scadiag command-line syntax (described in TABLE 3-8) for both Oracle Solaris and Linux is as follows:
The Oracle Solaris specific command-line syntax for scadiag is as follows:
The Linux specific command-line syntax for scadiag is as follows:
Note - In the scadiag option examples in this section, mcaN is the board’s device name where the N corresponds to the Sun Crypto Accelerator 6000 Board device instance number. |
TABLE 3-8 describes the supported options for the scadiag utility.
The following is an example of the -d option:
The following is an example of the -f option:
The following is an example of the -k option:
The following is an example of the -l option:
The following is an example of the -m option (note that the diag option is Oracle Solaris only):
# scadiag -m diag mca0 Device mca0 is now in diagnostic mode. % scadiag -l mca0 Device mca0 State : Diag Status: Initialized |
The following is an example of the -r option:
# scadiag -r mca0 Resetting device mca0, this may take a minute. Please be patient. Device mca0 reset ok. |
The following is an example of the -s option:
The following is an example of the -u option:
# scadiag -u fw-file mca0 Updating firmware on mca0, this may take a few minutes. Please be patient. Firmware update on mca0 complete. Reset required to activate new firmware. |
The following is an example of the -V option:
# scadiag -V scadiag (Sun Crypto Accelerator 6000) Copyright 2006 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. |
The following is an example of the -z option:
# scadiag -z mca0 Zeroizing device mca0, this may take a few minutes. Please be patient. Device mca0 zeroized. |
Two service daemons are provided for the board: scad and scakiod. The scad service performs administrative I/O functions between the scamgr(1m) utility and the firmware. The scakiod service performs keystore I/O services. The Fault Management Resouce Identifiers (FMRIs) for these two services are svc:/device/scad and svc:/device/scakiod.
Start and Stop the Services |
Use the svcadm(1m) command to start and stop the services. For example:
You can specify both services in a single command to start both simultaneously.
TABLE 3-9 lists and describes the service parameters of the scad service.
TABLE 3-10 lists and describes the service parameters of the scakiod service.
Configuration parameters are under the SMF property group config.
Use the svccfg(1m) command to list service properties. For example:
The following is an example of listing the service properties for the scakiod service:
Use the svccfg(1m) command to modify a property as follows:
For example, the following command defines the hostbind property:
Administering the board on Linux platforms is similar to Oracle Solaris. The differences are given in this section.
The scamgr program is installed in the /opt/sun/sca6000/bin directory. You can put this directory in your path or directly launch the program with the following command:
A newly installed board must be initialized before using (see Initializing the Board With scamgr). In addition, the board must be re-initialized after performing a zeroize (see Appendix E) with the scamgr program (see Using the scamgr Utility).
The board must be stopped and restarted after initialization or a zeroize. Use the following commands to stop and start the board:
The scadiag program is installed in the /opt/sun/sca6000/sbin directory. You can place this directory in your path or directly launch the program with the following command:
The scad and scakiod daemons are installed in /opt/sun/sca6000/sbin directory. Do not start or stop these daemons manually. Stop and start the board to stop and start these daemons.
Copyright © 2010, Oracle and/or its affiliates. All rights reserved.