Sun ONE Portal Server, Secure Remote Access 6.1 Administrator's Guide
Appendix A
Configuring the SSL Accelerator

This chapter introduces you to the SSL Accelerator and explains its configuration.
This chapter covers the following topics:
- Overview of the SSL Accelerator
- Enabling SSL Hardware Support for the Sun ONE Portal Server, Secure Remote Access
Overview of the SSL Accelerator

Using a hardware accelerator offloads the execution of cryptographic algorithms from the host CPU, which increases the throughput of SSL processing.
The Sun Crypto Accelerator 1000 board is a short PCI board that functions as a cryptographic co-processor to accelerate public key and symmetric cryptography. This product has no external interfaces. The board communicates with the host through the internal PCI bus interface. The purpose of this board is to accelerate a variety of computationally intensive cryptographic algorithms for security protocols in eCommerce applications.
Enabling SSL Hardware Support for the Sun ONE Portal Server, Secure Remote Access

Ensure that the Sun ONE Portal Server, Secure Remote Access has been installed and that a gateway server certificate (self-signed or issued by any CA) has been installed. The following checklist helps you keep track of the required information before installing the SSL Accelerator. Table 6-4 has two columns: the first column lists the parameter and the second column lists the value.
To Configure the SSL Accelerator

1. Follow the instructions in the hardware user's guide to install the hardware.
2. Install the following packages from the Sun Crypto Accelerator 1000 install CD.
3. Install the following patches:
   - 110383-01
   - 108528-05
   - 112438-01
   You can get the patches from http://sunsolve.sun.com.
4. Ensure that you have the tools pk12util and modutil.
   These tools are installed under InstallDir/SUNWps/bin when you install Secure Remote Access.
5. Create the slots file as follows:
       vi /etc/opt/SUNWconn/crypto/slots
6. Include the following single line in the slots file:
       crypta@srap
7. Create a realm and a user using the following commands:
       cd InstallDir/SUNWconn/bin
       ./secadm
       secadm> create realm=srap
       System Administrator Login Required
       Login: root
       Password:
       Realm srap created successfully.
       secadm> set realm=srap
       secadm{srap}> su
       System Administrator Login Required
       Login: root
       Password:
       secadm{root@srap}# create user=crypta
       Initial password:
       Confirm password:
       User crypta created successfully.
       secadm{root@srap}# login user=crypta
       Password:
   See the Sun Crypto Accelerator 1000 Board Installation and User's Guide for details on realms and users.
8. Run the show key command to verify that no keys exist for the user you created.
       secadm{crypta@srap}> show key
       No keys exist for this user.
9. Load the Sun Crypto module as follows:
       cd InstallDir/SUNWps/bin
       setenv LD_LIBRARY_PATH InstallDir/SUNWps/lib/solaris/sparc
       modutil -dbdir /etc/opt/SUNWps/cert -add "Sun Crypto Module" -libfile InstallDir/SUNWconn/crypto/lib/libpkcs11.so
10. Verify that the Sun Crypto module has been loaded as follows:
       modutil -list -dbdir /etc/opt/SUNWps/cert
11. Export the certificate and key from the software certificate database and import them into the Sun Crypto module as follows:
       cd InstallDir/SUNWps/bin
       setenv LD_LIBRARY_PATH InstallDir/SUNWps/lib/solaris/sparc
       pk12util -o servercert.p12 -d /etc/opt/SUNWps/cert -n server-cert
       pk12util -i servercert.p12 -d /etc/opt/SUNWps/cert -h "crypta@srap" -K password -W password
12. Run the show key command as shown in Step 8.
    You should now see two keys for this user.
13. Change the nickname in the /etc/opt/SUNWps/cert/.nickname file.
       vi /etc/opt/SUNWps/cert/.nickname
    Replace server-cert with crypta@srap:server-cert.
14. Restart the gateway.

The gateway now runs with Sun Crypto Accelerator 1000 hardware support.
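The following script is an added example and is not part of the Sun guide: it wraps the file edits and verification checks of Steps 5 through 13 in a POSIX sh script (the guide's commands assume csh, hence setenv) so that each tool invocation is checked before the next one runs. It assumes INSTALL_DIR, SLOT_PW and P12_PW are supplied by the caller, that modutil and pk12util accept the options shown on this page, and it leaves the gateway restart (Step 14) to the operator. Two points the guide does not spell out: the exported servercert.p12 file contains the gateway's private key, so the script creates it with a restrictive umask and removes it as soon as the import succeeds, and passwords given with -K and -W are visible to other local users in ps output and in shell history, so prefer the interactive prompt or, on pk12util builds that support them, the -k and -w password-file options (check the installed version).

```shell
#!/bin/sh
# Added example, not part of the Sun guide: wraps the file edits and
# checks from the accelerator procedure in a POSIX sh script.
# Assumptions (not from the page): INSTALL_DIR, SLOT_PW and P12_PW are
# supplied by the caller; the gateway restart is left to the operator.

INSTALL_DIR="${INSTALL_DIR:-/opt}"                     # assumed default
CERT_DB="${CERT_DB:-/etc/opt/SUNWps/cert}"            # from the page
SLOTS_FILE="${SLOTS_FILE:-/etc/opt/SUNWconn/crypto/slots}"
KEY_SPEC="crypta@srap"        # user@realm created with secadm (Step 7)
NICK="server-cert"            # gateway certificate nickname (Step 11)
MODULE_NAME="Sun Crypto Module"

# Steps 5-6: the slots file holds exactly one line, user@realm.
write_slots_file() {
    printf '%s\n' "$KEY_SPEC" > "$1"
}

# Step 10: read `modutil -list` output on stdin; succeed only if the
# module is listed.
module_listed() {
    grep -q "$MODULE_NAME"
}

# Step 13: prefix the nickname with the slot. Idempotent, so a second
# run does not produce crypta@srap:crypta@srap:server-cert.
update_nickname() {
    file="$1"
    if grep -q "^$KEY_SPEC:$NICK\$" "$file" 2>/dev/null; then
        return 0
    fi
    sed "s/^$NICK\$/$KEY_SPEC:$NICK/" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# Steps 5-6 and 9-13, checking each tool invocation before moving on.
configure_accelerator() {
    : "${SLOT_PW:?set SLOT_PW to the crypta@srap password}"
    : "${P12_PW:?set P12_PW to a password for the temporary PKCS#12 file}"
    bin="$INSTALL_DIR/SUNWps/bin"
    LD_LIBRARY_PATH="$INSTALL_DIR/SUNWps/lib/solaris/sparc"
    export LD_LIBRARY_PATH

    write_slots_file "$SLOTS_FILE" || return 1

    "$bin/modutil" -dbdir "$CERT_DB" -add "$MODULE_NAME" \
        -libfile "$INSTALL_DIR/SUNWconn/crypto/lib/libpkcs11.so" || return 1
    "$bin/modutil" -list -dbdir "$CERT_DB" | module_listed || {
        echo "$MODULE_NAME is not listed in $CERT_DB" >&2
        return 1
    }

    # The PKCS#12 file carries the private key: create it unreadable to
    # others and remove it as soon as the import has finished.
    umask 077
    p12="/tmp/servercert.$$.p12"
    "$bin/pk12util" -o "$p12" -d "$CERT_DB" -n "$NICK" -W "$P12_PW" || return 1
    "$bin/pk12util" -i "$p12" -d "$CERT_DB" -h "$KEY_SPEC" \
        -K "$SLOT_PW" -W "$P12_PW"
    status=$?
    rm -f "$p12"
    [ "$status" -eq 0 ] || return 1

    update_nickname "$CERT_DB/.nickname" || return 1
    echo "Done. Restart the gateway to finish (Step 14)." >&2
}

# Run only when invoked as `sh script.sh run`; sourcing the file just
# defines the functions so they can be tested on their own.
case "${1:-}" in
    run) configure_accelerator ;;
esac
```

After running it, Step 12 still applies: log in to secadm as crypta@srap and confirm that show key now lists two keys before restarting the gateway.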