Sun Crypto Accelerator 6000 Board User’s Guide for Version 1.0

This chapter describes how to configure the Sun Crypto Accelerator 6000 Board for use with Sun Java System servers. Additional instructions for Linux platforms are in the last section. Sections include:

• Administering Security for Sun Java System Web Servers
• Preparing to Configure Sun Java System Web Servers
• Installing and Configuring Sun Java System Web Server 6.1
• Installing and Configuring Sun Java System Web Server on Linux Platforms

---

Administering Security for Sun Java System Web Servers

This section provides an overview of the security features of the board as it is administered with Sun Java System applications.

Web Server Concepts and Terminology

Keystores and users must be created for applications that communicate with the board through a PKCS#11 interface, such as the Sun Java System Applications.

Users

Within the context of the board, users are owners of cryptographic keying material. Each key is owned by a single user. Each user may own multiple keys. A user might want to own multiple keys to support different configurations, such as a production key and a development key (to reflect the organizations the user is supporting).

Keystores

A keystore is a repository for key material. Associated with a keystore are security officers and users. Keystores provide not only storage, but a means for key objects to be owned by user accounts. This enables keys to be hidden from applications that do not authenticate as the owner. Keystores have three components:

• Key objects - Long-term keys that are stored for applications such as the Sun Java System Web Server.
• User accounts - Accounts that provide applications a means to authenticate and access specific keys
• Security officer accounts - Accounts that provide access to key management functions through scamgr.

A typical installation contains a single keystore with three users. For example, such a configuration could consist of a single keystore keystore-name and three users within that keystore, webserv, dirserv, and mailserv. This would enable the three users to own and maintain access control of their server keys within that single keystore. FIGURE 6-1 illustrates an overview of a typical installation.

FIGURE 6-1 Keystore and Users Overview

An administrative tool, scamgr, is used to manage Sun Crypto Accelerator 6000 keystores and users. See Managing Keystores With scamgr.

Slots and Tokens

As discussed in Chapter 5, there are four kinds of slots presented through the Oracle Solaris Cryptographic Framework’s PKCS#11 interface.

The Sun Crypto Accelerator 6000 Keystore slot can also be used for Sun Java System applications. Through a Keystore slot, asymmetric operations are the only mechanisms accelerated by the Sun Crypto Accelerator 6000 board. When there are more than two boards using the same keystore, Keystore slot provides additional performance and fault-tolerance.

Example:

If there are two boards, mca0 and mca1, each is assigned a keystore name (engineering and finance), three slots are presented to the Sun Java System application.

• engineering
• finance
• Sun Software PKCS#11 softtoken

If the server certificate resides in the finance keystore, the possible slots to be used for the Sun Java System application is as follows:

1. metaslot

2. finance (the Keystore slot)

---

Preparing to Configure Sun Java System Web Servers

This section describes assigning passwords, how to populate a keystore, and how to enable the Sun Java System Web Server.

You are asked for several passwords in the course of enabling a Sun Java System Web Server, all of which are described in TABLE 6-2. These passwords are referred to throughout this chapter.

Populating a Keystore

Before you can enable the board for use with a Sun Java System Web Server, you must first initialize the board and populate the board’s keystore with at least one user. The keystore for the board is created during the initialization process. You can also initialize Sun Crypto Accelerator 6000 boards to use an existing keystore. See Initializing the Board With scamgr.

1. Access the scamgr utility with the scamgr command or enter scamgr -h hostname to connect scamgr to a board on a remote host.

See Using the scamgr Utility.

$ scamgr -h hostname

2. Populate the board’s keystore with users.

These user names are known only within the domain of the Sun Crypto Accelerator 6000 board and do not need to be identical to the UNIX user name that the web server process is using. Before attempting to create the user, remember that you must first log in as a scamgr security officer.

3. Create a user with the create user command.

scamgr{mca0@hostname, sec-officer}> create user username
Initial password: 
Confirm password: 
User username created successfully.

The username and password created here collectively make the username:password (See TABLE 6-1). You must use this password when authenticating during a web server startup. This is the keystore password for a single user.

Caution - Users must remember this username:password. Without this password, users cannot access their keys. There is no way to retrieve a lost password.

4. Exit scamgr.

scamgr{mca0@hostname, sec-officer}> exit

---

Installing and Configuring Sun Java System Web Server 6.1

This section describes how to install and configure Sun Java System Web Server 6.1 to use the board. You must perform these procedures in order. Refer to the Sun Java System Web Server documentation for more information about installing and using Sun Java System Web Servers. This section includes the following procedures:

1. Install the Sun Java System Web Server.

2. Create a trust database.

3. Request a certificate.

4. Install the certificate.

5. Configure the Sun Java System Web Server.

Caution - These procedures must be followed in the order given. Failure to do so could result in an incorrect configuration.

Caution - The Sun Java System Web Server Administration Server must be up and running during the configuration process.

1. Download the Sun Java System Web Server 6.1 software.

You can find the web server software at the following URL:
http://www.sun.com

2. Change to the installation directory and extract the web server software.

3. Install the web server with the setup script from the command-line.

The default path name for the server is: /opt/SUNWwbsvr/.

This chapter refers to the default paths. If you decide to install the software in a different location, be sure to note where you installed it.

% ./setup

4. Answer the prompts from the installation script.

Except for the following prompts, you can accept the defaults:

a. Agree to accept the license terms by typing yes.

b. Enter a fully qualified domain name.

c. Enter the Sun Java System Web Server 6.1 Administration Server password twice.

d. Press Return when prompted.

The Sun Java System Web Server Administration Server must be up and running during the configuration process.

1. Start the Sun Java System Web Server 6.1 Administration Server.

Use the following command (instead of running startconsole as setup requests):

% /opt/SUNWwbsvr/https-admserv/start
Sun Java System Web Server 6.1 B08/22/2003 12:37
info: CORE3016: daemon is running as super-user
info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.4.1_03] from [Sun Microsystems Inc.]
info: WEB0100: Loading web module in virtual server [vs-admin] at [/admin-app]
info: HTTP3072: [LS ls1] http://hostname.domain:8888 ready to accept requests
startup: server started successfully

The response provides the URL for connecting to your servers.

2. Start the Administration GUI by opening up a web browser and typing:

http://hostname.domain:admin-port

In the Authentication dialog box, enter the Sun Java System Web Server 6.1 Administration Server user name and password you selected while running setup.

3. Click OK.

The Sun Java System Web Server 6.1 Administration Server window is displayed.

4. Create the trust database for the web server instance.

You might want to enable security on more than one web server instance. If so, repeat the following Step a through Step d for each web server instance.

a. Click the Servers tab in the Sun Java System Web Server 6.1 Administration Server dialog box.

b. Select a server and click the Manage button.

c. Click the Security tab near the top of the page and click the Create Database link.

d. Enter a password in the two dialog boxes and click OK.

See TABLE 6-1 for the web server trust database password information.

Choose a password of at least eight characters. This will be the password used to start the internal cryptographic modules when the Sun Java System Web Server runs in secure mode.

1. Register the Oracle Solaris PKCS#11 library in the security module database of the Sun Java System Web Server using the modutil utility.

% modutil -dbdir /opt/SUNWwbsvr/alias -nocertdb -add "Solaris Cryptographic Framework" -libfile /usr/lib/libpkcs11.so

2. To limit the slots presented to those required to start the web server, disable all slots, except for one slot used by the Sun Java System application.

If the application asks for a password for every known PKCS#11 token, do not provide one.

% modutil -dbdir /opt/SUNWwbsvr/alias -nocertdb -disable "Solaris Cryptographic Framework"
% modutil -dbdir /opt/SUNWwbsvr/alias -nocertdb -enable "Solaris Cryptographic Framework" -slot "keystore-name"

1. Restart the Sun Java System Web Server 6.1 Administration Server by typing the following commands:

% /opt/SUNWwbsvr/https-admserv/stop
% /opt/SUNWwbsvr/https-admserv/start

The response provides the URL for connecting to your servers.

2. Start the Administration GUI by opening up a web browser and typing:

http://hostname.domain:admin-port

In the Authentication dialog box, enter the Sun Java System Web Server 6.1 Administration Server user name and password you selected while running setup.

3. Click OK.

The Sun Java System Web Server 6.1 Administration Server window is displayed.

4. To request the server certificate, select the Servers tab near the top of Sun Java System Web Server 6.1 Administration Server window.

5. Select a server from the drop-down menu and click the Manage button.

The Sun Java System Web Server 6.1 Server Manager window is displayed.

6. Select the Security tab near the top of the Sun Java System Web Server 6.1 Server Manager window.

7. Click the Request a Certificate link on the left panel.

FIGURE 6-2 Sun Java System Web Server 6.1 Administration Server Request a Server Certificate Dialog Box With keystore-name Selected

8. Fill out the form to generate a certificate request, using the following information:

a. Select a New Certificate.

If you can directly post your certificate request to a web-capable certificate authority or registration authority, select the CA URL link. Otherwise, select CA Email Address and enter an email address where you would like the certificate request to be sent.

b. Select the Cryptographic Module you want to use.

Each slot has its own entry in this pull-down menu. For this example, the keystore-name is chosen.

c. In the Key Pair File Password dialog box, provide the password for the user that will own the key.

This password is the username:password (See TABLE 6-1).

d. Type the appropriate information for the requestor information fields in TABLE 6-2.

e. Click OK to submit the information.

9. Use a certificate authority to generate the certificate.

• If you choose to post your certificate request to a CA URL, the certificate request is automatically posted there.
• If you choose the CA Email Address, copy the certificate request that was emailed to you with the headers and hand it off to your certificate authority.

10. Once the certificate is generated, copy it, along with the headers, to the clipboard.

Once your request has been approved by a certificate authority and a certificate has been issued, you must install the certificate in the Sun Java System Web Server.

1. Click the Security tab near the top of the Sun Java System Web Server 6.1 Server Manager window.

2. On the left panel, click the Install Certificate link.

FIGURE 6-3 Sun Java System Web Server 6.1 Administration Server Install a Server Certificate Dialog Box

3. Fill out the form to install your certificate:

4. Paste the certificate you copied from the certificate authority (in Step 10 of the Generate a Server Certificate) into the Message text box.

You are shown some basic information about the certificate.

5. Click OK.

6. If everything looks correct, click the Add Server Certificate button.

On-screen messages tell you to restart the server. This is not necessary because the web server instance has been shut down the entire time.

You are also notified that in order for the web server to use SSL, the web server must be configured to do so. Use the following procedure to configure the web server.

Now that your web server and the Server Certificate are installed, you must enable the web server for SSL.

1. Select the Preferences tab near the top of the page.

2. Select the Edit Listen Sockets link on the left panel.

The main panel lists all the listen sockets set for the web server instance.

a. Click the link under Listen Socket ID for the listen socket you wish to configure.

b. Alter the following fields:

• Port - Set to the port on which you will be running your SSL-enabled web server (usually this is port 443).
• Security - Set to Enabled.

c. Click OK to apply these changes.

3. Click the link under Listen Socket ID again for the listen socket you wish to configure.

4. Enter the username:password to authenticate to the keystore on the system.

5. If you want to change the default set of ciphers, select the cipher suites under the Ciphers heading.

A dialog box is displayed for changing the cipher settings. You can select either Cipher Default settings, SSL2, or SSL3/TLS. If you select the Cipher Default, you are not shown the default settings. The other two choices require you to select the algorithms you want to enable in a pop-up dialog box. Refer to your Sun Java System documentation on cipher selection.

6. Select the certificate for the keystore followed by: Server-Cert (or the name you chose).

Only keys that the appropriate keystore user owns appear in the Certificate Name field. This keystore user is the user that is authenticated with the username:password.

7. When you have chosen a certificate and confirmed all the security settings, click OK.

8. Select the Apply link in the far upper right corner to apply these changes before you start your server.

9. Select the Load Configuration Files link to apply the changes.

You are redirected to a page that allows you to start your web server instance.

If you click the Apply Changes button when the server is off, an authentication dialog box prompts you for the username:password. This window is not resizable, and you might have a problem submitting the change.

There are two workarounds for this problem:

• Select Load Configuration Files instead.
• Start up the web server first, and click Apply Changes.

10. In the Sun Java System Web Server 6.1 Administration Server window, select the On/Off link on the left side of the window.

11. Enter the passwords for the servers and click Server On.

You are prompted for one or more passwords. At the Module Internal prompt, provide the password for the web server trust database.

At the Module keystore-name prompt, enter the username:password.

Enter the username:password for other keystores as prompted.

12. Verify the new SSL-enabled web server at the following URL:

https://hostname.domain:server-port/

---

Configuring Sun Java System Web Servers to Start Up Without User Interaction on Reboot

You can enable the Sun Java System Web Servers to perform an unattended startup at reboot with an encrypted key.

1. Navigate to the config subdirectory for your Sun Java System Web Server instance - for example, /opt/SUNWwbsvr/https-webserver-instance-name/config.

2. Create a password.conf file with only the following lines (See TABLE 6-1 for password definitions):

internal:trust-db-password
token-label:username:password

3. Set the file ownership of the password file to the UNIX user ID that the web server runs as, and set the file permissions to be readable only by the owner of the file:

# chown web-server-UNIX-user-ID password.conf
# chmod 400 password.conf

---

Installing and Configuring Sun Java System Web Server on Linux Platforms

The Sun Java System Web Server for Red Hat Enterprise Linux 4.0 is downloadable at: http://www.sun.com/download/products. The latest release is 6.1 Service Pack 5. Both RHEL 4.0 and SuSE 9 are supported with the Sun Java Web Server software.

The installation and configuration of Sun Java System Web Server on Linux is similar to that on Oracle Solaris. The only difference is the registration of the board with the web server. Refer to Register the Board With the Web Server in this chapter for details.

On Linux platforms, the PKCS#11 library is /usr/local/lib/libopencryptoki.so. Thus, use the following command to register the board with the Sun Java Web Server:

% modutil -dbdir /opt/SUNWwbsvr/alias -nocertdb -add "openCryptoki" -libfile /usr/local/lib/libopencryptoki.so

Use the following commands to disable the openCryptoki slots other than the Sun Crypto Accelerator 6000 slot:

% modutil -dbdir /opt/SUNWwbsvr/alias -nocertdb -disable "openCryptoki"
% modutil -dbdir /opt/SUNWwbsvr/alias -nocertdb -enable "openCryptoki" -slot "slot-name"

For example, for SuSE 9 SP1 the "slot-name" is as follows:

"Linux 2.6.5-7.139-smp Linux (SCA)"

Use the following command to check whether the other slots are disabled:

% modutil -dbdir /opt/SUNWwbsvr/alias -nocertdb -list "openCryptoki"

The output of this command should be similar to the following:

Using database directory /opt/SUNWwbsvr/alias...
-----------------------------------------------------------
Name: openCryptoki
Library file: /usr/local/lib/libopencryptoki.so
Manufacturer: IBM
Description: Meta PKCS11 LIBRARY
PKCS #11 Version 2.11
Library Version: 2.2
Cipher Enable Flags: None
Default Mechanism Flags: None
 
  Slot: Linux 2.6.5-7.139-smp Linux (SCA)
  Slot Mechanism Flags: None
  Manufacturer: Linux 2.6.5-7.139-smp
  Type: Hardware
  Version Number: 0.0
  Firmware Version: 1.1
  Status: Enabled
  Token Name: apisclan1
  Token Manufacturer: SUNWmca
  Token Model: sca6000
  Token Serial Number:
  Token Version: 0.0
  Token Firmware Version: 0.0
  Access: NOT Write Protected
  Login Type: Login required
  User Pin: Initialized
 
  Slot: Linux 2.6.5-7.139-smp Linux (Soft)
  Slot Mechanism Flags: None
  Manufacturer: Linux 2.6.5-7.139-smp
  Type: Software
  Version Number: 0.0
  Firmware Version: 1.1
  Status: DISABLED (user disabled)
  Token Name: IBM OS PKCS#11
  Token Manufacturer: IBM Corp.
  Token Model: IBM SoftTok
  Token Serial Number: 123
  Token Version: 1.0
  Token Firmware Version: 1.0
  Access: NOT Write Protected
  Login Type: Login required
  User Pin: Initialized
-----------------------------------------------------------

Notice the Status: Enabled for Linux 2.6.5-7.139-smp Linux (SCA) slot and Status: DISABLED (user disabled) for Linux 2.6.5-7.139-smp Linux (Soft). If the Linux 2.6.5-7.139-smp Linux (Soft) slot is not disabled (Java System Web Server 6.1 SP4 and SP5 might have this behavior), do the following to remove the Linux 2.6.5-7.139-smp Linux (Soft) slot:

% cd /usr/local/lib/opencryptoki/stdll
% mkdir tmp
% mv libpkcs11_sw.* PKCS11_SW.so tmp

Sun Crypto Accelerator 6000 Board User’s Guide for Version 1.0

819-5536-12

Copyright © 2010, Oracle and/or its affiliates. All rights reserved.