Sun™ ONE Certificate Server 4.7

Configuring FIPS-140 Level 3 Support

Updated July 25, 2002




This document provides details for configuring Sun™ ONE Certificate Server 4.7 to work with Hardware Security Modules (HSMs) such as those manufactured by Ncipher and Chrysalis. Topics included in this document are:

For detailed information about FIPS 140-2 levels of support, see http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf.





Overview of Configuration Steps

Configuring support for FIPS 140-1 Level 3 security is a two-part process. For Part 1, see the documentation that comes with the HSM. For Part 2, this document provides detailed instructions.

Part 1: Install the HSM.

Part 2: Install and Configure Certificate Server.

    1. Install Certificate Server.

    2. Link the HSM manufacturer's library to Certificate Server.

    3. Configure Certificate Server.





Part 1: Install the HSM

For detailed instructions, see the documentation that comes with the HSM, or visit the manufacturer's website.

For detailed information about Ncipher HSM products, go to the Ncipher website at http://www.ncipher.com/safebuilder/codesafe_specs.html

For detailed information about Chrysalis HSM products, go to the Chrysalis website at http://www.chrysalis-its.com/trusted_systems/luna_ca3.htm.





Part 2: Install and Configure Certificate Server

In this part, you run the Certificate Server setup program, and then you run the Installation Wizard to create the first administrator.

2a. Install Certificate Server.

  1. Run the Certificate Server installation script.

    • To run the installation script in Windows, open the distribution directory for the system software you are using and double-click the file setup.exe.

    • To run the installation script in Solaris, change to the distribution directory (where you have downloaded the distribution files) and execute the file setup.

  2. Proceed through the Setup program following the instructions in the Installation and Setup Guide. When you reach the end of the program, the first phase of the installation is complete.

Figure 0-1    The Windows version of the Setup program uses a GUI; the Solaris version is text-based.

2b. Link the HSM library to Certificate Server.

In this step, you create the security module database and then add the HSM to that database. The following instructions assume you're using tcsh (Solaris) or cmd (Windows).

  1. Go to the admin server config directory of the CMS installation.

    Solaris:  #> cd <server-root>/admin-serv/config

    Windows:  D:\> cd <server-root>\admin-serv\config

  2. Set the LD_LIBRARY_PATH equivalent:

    Solaris:

      #> setenv LD_LIBRARY_PATH <server-root>/lib:$LD_LIBRARY_PATH

    Windows:

      D:\> set PATH=<server-root>\lib;%PATH%

  3. Create the Certificate Server db.

    Solaris:

      #> ../../shared/bin/modutil -dbdir . -nocertdb -create

    Windows:

      D:\> ..\..\shared\bin\modutil -dbdir . -nocertdb -create

  4. Link the HSM library to the Certificate Server db.

    Solaris:

      #> ../../shared/bin/modutil -dbdir . -nocertdb -add <HSM-manufacturer> -libfile <libraries>/<library>.so

    where <libraries> is the location of the manufacturer's libraries and <library> is the name of the manufacturer's library file.

    Windows:

      D:\> ..\..\shared\bin\modutil -dbdir . -nocertdb -add Chrysalis -libfile <libraries>\<library>.dll

    where <libraries> is the location of the manufacturer's dll libraries and <library> is the name of the manufacturer's dll file.

  5. Verify that the HSM tokens are now available:

    Solaris:

      #> ../../shared/bin/modutil -dbdir . -nocertdb -list

    Windows:

      D:\> ..\..\shared\bin\modutil -dbdir . -nocertdb -list
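Steps 3 to 5 of Part 2b as one Solaris script, with the check an administrator would want after step 5: that the HSM module is listed, loaded, and actually exposes a token. This is an added example, not a script shipped with Certificate Server; the server root, module name, library path and the sample modutil listing are assumptions or constructed values.

```shell
#!/bin/sh
# Added example, not from the Sun ONE Certificate Server documentation: runs the
# Part 2b modutil steps and checks the module list.  SERVER_ROOT, the module
# name and the library path are assumptions.
set -u
SERVER_ROOT="${SERVER_ROOT:-/usr/iPlanet/servers}"   # assumed default
MODUTIL="$SERVER_ROOT/shared/bin/modutil"
DBDIR="$SERVER_ROOT/admin-serv/config"

# Steps 3-5 of Part 2b: create the security module db, add the HSM PKCS#11
# library, list the modules.  $1 = module name, $2 = library file.
link_hsm() {
    ( cd "$DBDIR" || exit 1
      "$MODUTIL" -dbdir . -nocertdb -create
      "$MODUTIL" -dbdir . -nocertdb -add "$1" -libfile "$2"
      "$MODUTIL" -dbdir . -nocertdb -list )
}

# Read 'modutil -list' output on stdin; return 0 only if module $1 is listed,
# reports "status: loaded" and exposes at least one token.  A library that
# failed to load or a module with no token leaves the CA without an HSM key.
hsm_module_ok() {
    awk -v want="$1" '
        /^ *[0-9]+\. / { name = $0; sub(/^ *[0-9]+\. /, "", name)
                         inmod = (name == want); next }
        inmod && /status: *loaded/ { loaded = 1 }
        inmod && /^[ \t]*token:/   { tokens++ }
        END { if (loaded && tokens > 0) exit 0; exit 1 }'
}

# Constructed sample of 'modutil -list' output (not captured from a real HSM;
# library paths are placeholders) so the check can be exercised offline.
SAMPLE_LIST='Listing of PKCS #11 Modules
  1. NSS Internal PKCS #11 Module
    status: loaded
    token: NSS Certificate DB

  2. nCipher
    library name: /path/to/hsm/libhsm.so
    status: loaded
     slot: HSM slot 0
    token: ca-token

  3. Chrysalis
    library name: /path/to/other/libother.so
    status: loaded'

# Runs the check against the constructed sample for the given module name.
check_sample() { printf '%s\n' "$SAMPLE_LIST" | hsm_module_ok "$1"; }
```

On a real installation, run `link_hsm <module-name> <library-file> | hsm_module_ok <module-name>` to perform the documented steps and the verification in one pass.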

2c. Configure the Cryptographic Tokens.

In this step, you run the Installation Wizard to configure the cryptographic tokens.

  1. To begin running the Installation Wizard, follow these steps:

    1. If iPlanet Console is not running, start it.

    2. On a Windows NT system, click
      Start>Programs>iPlanet Server Products> iPlanet Console

      Alternatively, click the iPlanet Console shortcut in the iPlanet Server Products directory that opens on your desktop after setup completes.

    3. On a Unix system, open a command shell, change to the directory /usr/iPlanet/servers, and execute the file startconsole.

    4. Log in as admin, giving the password <admin password>.

    The main window of iPlanet Console appears. Enter your information, and then click OK.

  2. In the navigation tree at the left, open your computer, then open Server Group.

  3. Select Certificate Server and double-click it; alternatively, you can also click the Open button on the Certificate Server panel on the right.

    After a few moments, the Installation Wizard appears. You use the wizard to get the initial certificates and set the initial configuration for this instance of Certificate Server.

    On the Introduction screen, click Next.

  4. Proceed through the Installation Wizard using the instructions in the Installation and Setup Guide until you get to the following screen:



    1. Determine whether you want to install a Data Recovery Manager subsystem. A Data Recovery Manager performs the long-term archival and recovery of private encryption keys for end entities. If you plan to store keys so that you can recover them in the event a key becomes lost, corrupt, or compromised, then check this box. This is highly recommended. If you do not plan to store keys, then leave the box unchecked.

    2. If you want to co-locate the Certificate Manager and Data Recovery Manager (install instances of both on the same host), then check both of their checkboxes.

    3. If you want to install the Data Recovery Manager as a stand-alone instance, you can uncheck the Certificate Manager.

  5. Continue with the Setup program following instructions in the Installation and Setup Guide until you get to a Key-Pair Information screen. Each time you are prompted for Key-Pair Information (see Figure 0-2), repeat this step. Provide the following information, and then click Next:

    Token: Choose the FIPS Level 3 hardware token that you specified when you installed the HSM.
    FIPS Level 3: Check this checkbox.
    Password (again): Enter the PIN/password for the configured token.
    Key type: Select a value.
    Key length: Select a value.

Figure 0-2    A Key-Pair Information window.

  6. Proceed through the Installation Wizard using the instructions in the Installation and Setup Guide until you get to the Storage Key Creation window (see Figure 0-3). Provide the following information, and then click Next:

    Token: Choose a FIPS 140-1 Level 3 token other than the one you specified in the Key-Pair Information window.
    FIPS Level 3: Check this checkbox.
    Password: Enter the PIN/password for the configured token.
    Key type: Select a value.
    Key length: Select a value.

Figure 0-3    The Storage Key Creation window.

  7. Proceed through the Installation Wizard using the instructions in the Installation and Setup Guide until you reach the end.

Keys stored in the HSM will now be used for issuing End Entity certificates.


Last Updated August 09, 2002