CHAPTER 8

Diagnostics and Troubleshooting

This chapter describes diagnostic tests and troubleshooting for the Sun Crypto Accelerator 6000 Board software. Additional instructions for Linux are in the last section.


Diagnostic Software

The Sun Crypto Accelerator 6000 software provides three interactive utilities for running diagnostics on the board. The first of these utilities, SunVTS, focuses on the system-level network and cryptographic functionality of the Sun Crypto Accelerator 6000 subsystem (driver, firmware, and hardware). The other two utilities, scamgr and scadiag, perform low-level diagnostics on individual hardware components of the Sun Crypto Accelerator 6000 board.

Performing SunVTS Diagnostics

SunVTS is Sun Validation Test Suite software. The core SunVTS wrapper provides test control and a user interface to a suite of system-level tests. These tests are delivered in the SUNWvts and SUNWvtsts packages, which make up a bundle that is contained on the Oracle Solaris 10 Software DVDs and is also available for download at: http://www.sun.com/oem/vts

The Sun Crypto Accelerator 6000 board can be tested with SunVTS 6.2 software that is released with the Oracle Solaris 10 6/06 OS. The SunVTS test, cryptotest, provides diagnostics of the cryptographic circuitry of the board.

Refer to the SunVTS 6.2 test reference manuals (x86 or SPARC), user’s guide, and quick reference card for instructions on how to perform and monitor this diagnostic test. These documents are available at: http://docs.sun.com.

Performing scamgr Diagnostics

The scamgr utility is used by a security officer to test an initialized card and is the recommended interactive diagnostic application. Both scamgr and scadiag invoke the same diagnostics routines on the card, but the scamgr utility provides more information regarding any failures encountered. Details on how to run the scamgr utility are provided in Chapter 3 of this document, and an example of how to run diagnostics using scamgr is provided in Use the scamgr diagnostics Command.

Performing scadiag Diagnostics

The scadiag interface allows the security administrator to perform diagnostics on both an initialized and uninitialized board. The scadiag interface provides less information regarding diagnostic failures than the scamgr interface and is primarily intended to provide a general pass/fail status to someone other than a board security officer. To run scadiag diagnostics, the user invokes the scadiag command with the -D parameter. Details on how to run the scadiag utility are provided in Chapter 3, and an example of how to run diagnostics using scadiag is provided in Using the scadiag Utility.


Disabling Crypto Traffic on Other Hardware Providers in Your System

Sun Metaslot chooses the first hardware slot available in the system for crypto operations. For a system with a crypto chip built into the main CPU, such as the Sun Fire T1000/T2000, the crypto chip often becomes the first hardware slot. In this case, most crypto jobs except for the sensitive token key operation are sent to that crypto chip until the main CPU becomes 100 percent utilized. To avoid this congestion, such hardware providers can be disabled with the cryptoadm(1M) utility. This utility can also direct Sun Metaslot to use the Sun Crypto Accelerator 6000 board for all crypto operations.


Disable Other Hardware Providers

Type the following command:


% cryptoadm disable provider=provider-name mechanism=all

Use the kstat(1M) command to verify that the crypto jobs are being processed by the Sun Crypto Accelerator 6000 board.


Reenable Other Hardware Providers

Type the following command:


% cryptoadm enable provider=provider-name mechanism=all

Refer to the cryptoadm(1M) man page for details.


Using the kstat Utility

The kstat(1M) utility examines and reports available kernel statistics. The following is an example of using the kstat utility with the board:


root@cas1# kstat -n mca1
module: mca                             instance: 1
name:   mca1                            class:    misc
        3desbytes                       0
        3desjobs                        7
        aesbytes                        0
        aesjobs                         0
        caflowctl                       0
        cahiwater                       124
        calowater                       123
        caringsize                      132
        casubmit                        27
        cbflowctl                       0
        cbhiwater                       124
        cblowater                       123
        cbringsize                      132
        cbsubmit                        0
        crtime                          158.452327536
        dhderive                        0
        dhkeygen                        0
        dsasign                         0
        dsaverify                       0
        fsbytes                         0
        fsjobs                          0
        keygenjobs                      0
        md5bytes                        0
        md5jobs                         0
        mode                            standard
        omflowctl                       0
        omhiwater                       124
        omlowater                       123
        omringsize                      132
        omsubmit                        7
        rngbytes                        540
        rngjobs                         27
        rsaprivate                      0
        rsapublic                       0
        sha1bytes                       0
        sha1jobs                        0
        snaptime                        77620.93607806
        status                          online
        unwrapjobs                      0
        wrapjobs                        0

Determining Cryptographic Activity With the kstat Utility

The Sun Crypto Accelerator 6000 board does not contain lights or other indicators to reflect cryptographic activity on the board. To determine whether cryptographic work requests are being performed on the board, use the kstat(1M) command to display the device usage. The following excerpt shows the various kstat options that can be used to determine cryptographic activity.



Note - The following output has noncryptographic activity omitted.



# kstat mca:0
module: mca                             instance: 0
name:   mca0                            class:    misc
 
3desbytes                               0
3desjobs                                7
aesbytes                                32
aesjobs                                 1
rsaprivate                              0
rsapublic                               1
dsasign                                 0
dsaverify                               0
dhderive                                0
dhkeygen                                0
md5bytes                                0
md5jobs                                 0
sha1bytes                               0
sha1jobs                                0
fsbytes                                 0
fsjobs                                  0
rngbytes                                60
rngjobs                                 3
keygenjobs                              0
wrapjobs                                0
unwrapjobs                              0



Note - In the previous example, 0 is the instance number of the mca device. This number should reflect the instance number of the board for which you are performing the kstat command.


Displaying the kstat information indicates whether cryptographic requests or “jobs” are being sent to the Sun Crypto Accelerator 6000 Board. A change in the jobs values over time indicates that the board is accelerating the cryptographic work requests sent to it. If cryptographic work requests are not being sent to the board, verify your web server configuration against the configuration instructions specific to that web server.


Determining Cryptographic Activity On Linux Platforms

The Sun Crypto Accelerator 6000 board does not contain lights or other indicators to reflect cryptographic activity on the board. To determine whether cryptographic work requests are being performed on the board, you must use the /proc file system.


Determine Cryptographic Activity On Linux Platforms

Use the following command to display the device usage:


% cat /proc/driver/mca0

The following excerpt shows the various statistics that can be used to determine cryptographic activity:


3desbytes                 0
3desjobs                  7
aesbytes                  32
aesjobs                   1
rsaprivate                0
rsapublic                 1
dsasign                   0
dsaverify                 0
dhderive                  0
dhkeygen                  0
md5bytes                  0
md5jobs                   0
sha1bytes                 0
sha1jobs                  0
fsbytes                   0
fsjobs                    0
rngbytes                  60
rngjobs                   3
keygenjobs                0
wrapjobs                  0
unwrapjobs                0
 
mode                      FIPS
status                    online
crtime                    1893.73075636
cbflowctl                 0
cbsubmit                  1
cblowater                 123
cbhiwater                 124
cbringsize                132
caflowctl                 0
casubmit                  5
calowater                 123
cahiwater                 124
caringsize                132
omflowctl                 0
omsubmit                  7
omlowater                 123
omhiwater                 124
omringsize                132
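
The check described in both activity sections above (a change in the jobs values over time) can be scripted by comparing two snapshots of the statistics. The following is an added example, not part of the original Sun documentation; the function name mca_deltas and the snapshot values are constructed for illustration, and the counter names are the ones shown in the excerpts above.

```shell
#!/bin/sh
# Added example: list the cryptographic counters that advanced between
# two snapshots of the mca statistics. On a real system the snapshots
# would come from "kstat mca:0" (Solaris) or "cat /proc/driver/mca0"
# (Linux), taken some time apart while the application is under load.

# Job counters as named in the excerpts on this page.
CRYPTO_COUNTERS="3desjobs aesjobs rsaprivate rsapublic dsasign dsaverify \
dhderive dhkeygen md5jobs sha1jobs fsjobs rngjobs keygenjobs wrapjobs unwrapjobs"

# mca_deltas BEFORE_FILE AFTER_FILE  (hypothetical helper name)
# Prints "counter delta" for every job counter that increased.
# Returns 0 if at least one counter advanced, 1 if the board saw no jobs.
mca_deltas() {
    awk -v names="$CRYPTO_COUNTERS" '
        BEGIN { n = split(names, l, " "); for (i = 1; i <= n; i++) want[l[i]] = 1 }
        # Statistics are "name value" pairs; skip headers and other counters.
        NF != 2 || !($1 in want) { next }
        FNR == NR { before[$1] = $2 + 0; next }
        ($1 in before) && ($2 + 0 > before[$1]) { print $1, $2 - before[$1]; found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1" "$2"
}

# Constructed sample snapshots (not captured from a real board).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/before" <<'EOF'
module: mca                             instance: 0
name:   mca0                            class:    misc
3desjobs                                7
aesjobs                                 1
rsaprivate                              0
rngbytes                                60
rngjobs                                 3
EOF
cat > "$tmp/after" <<'EOF'
module: mca                             instance: 0
name:   mca0                            class:    misc
3desjobs                                7
aesjobs                                 1
rsaprivate                              42
rngbytes                                120
rngjobs                                 6
EOF

mca_deltas "$tmp/before" "$tmp/after" || echo "no cryptographic jobs reached the board"
```

A nonzero return after a load test means no job counter moved, which is the condition the text above says to follow up by checking the web server configuration.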