Sun Crypto Accelerator 1000 Board Version 2.0 Release Notes

These release notes provide information not available at the time the Sun Crypto Accelerator 1000 Board Version 2.0 Installation and User's Guide was completed.

For the latest version of this document, please refer to:

http://www.sun.com/documentation

For the latest patches, updates, and requirements, refer to the product web pages at:

http://www.sun.com/products/networking/sslaccel/suncryptoaccel1000/

The patches listed in this document are available at: http://sunsolve.sun.com. Solaris Operating System update releases contain patches to previous releases. Use the showrev -p command to determine whether the required patches have already been installed.

Install the latest version of the patches. The dash number (-01, for example) becomes higher with each new revision of the patch. If the version on the web site is higher than that shown in this document, it is a later version.

If the patch you need is not available at the SunSolve web site, contact your local sales or service representative.


Required Patches

The following table lists the required patches available for Solaris 10:



Note - Always check for the latest revision of the patch, -01, -02, and so on.




TABLE 1 Required Patches

Patch        Description
116781-01    Sun Metaslot Patch
118918-03    libpkcs11 Metaslot Patch
118961-01    SunVTS 6.0 Patch Set 1 for SPARC platforms



Version 1.1 and 2.0 Software Contained on the CD-ROM

The Sun Crypto Accelerator 1000 Version 2.0 CD-ROM contains both Versions 1.1 and 2.0 of the software.




Caution - Version 1.1 is for Solaris 8 and 9. Version 2.0 is supported on Solaris 10 only.



The install script path is changed as follows:

For Version 1.1:

/cdrom/cdrom0/Sun_Cryto_Acc_1000_1_1

For Version 2.0:

/cdrom/cdrom0/Sun_Cryto_Acc_1000_2_0

The respective installation scripts are located in these directories.


Sun Crypto Accelerator 500/1000 Board Version 1.0 and 1.1 Not Supported in Solaris 10

The Sun Crypto Accelerator 500/1000 1.0 and 1.1 releases do not take advantage of the new Sun Cryptographic Framework provided in Solaris 10. Because of this, the Sun Crypto Accelerator 500/1000 1.0 and 1.1 releases are not supported with the Solaris 10 Operating System.

The Sun Crypto Accelerator 500/1000 2.0 release uses this new framework, and is available as a free upgrade to current Sun Crypto Accelerator 500/1000 users planning to use Solaris 10. Contact Sun Enterprise Services or your local sales channel to obtain the free upgrade. Additional information is available on the Sun Crypto Accelerator 500/1000 Web page:

http://www.sun.com/products/networking/sslaccel/suncryptoaccel1000/


Known Issues With the Sun Crypto Accelerator 1000 Version 2.0 Software

Bug ID 6186666 TLS Incorrectly Offers AES256 Cipher Suites

AES256 cipher suites are not supported for the board, but might still appear. This issue does not occur if the SUNWcry and SUNWcryr packages are installed. This issue occurs because, although AES256 cipher suites are disabled, some consumers of the libssl library, such as Apache mod_ssl, are still finding AES256 ciphers.

Workaround: For Apache, update the mod_ssl configuration section in the httpd.conf file as follows:


SSLCipherSuite ALL:!ADH:!EXPORT56:-AES256-SHA:-DHE-RSA-AES256-SHA:-DHE-DSS-AES256-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

Bug ID 6204775 solaris-crypto pkcs11_kernel

C_OpenSession returns CKR_OK instead of CKR_TOKEN_WRITE_PROTECTED


Known Issues With Solaris Cryptographic Framework

Bug ID 6195428 "Slot Info is NULL for vca0" Error

vcatest could fail on the first pass when performed on a Sun Fire 15K with error messages similar to the following:


# vcatest -p 0 -scvf -o tl=DES+3DES+MD5+SHA1+RSA+DSA+RNG,dev=vca0
11/10/04 17:07:58 venus-a SunVTS6.0build71: VTSID 0 vcatest.VERBOSE vca0: "Started."
Functional test complete
11/10/04 17:07:58 venus-a SunVTS6.0build71: VTSID 8066 vcatest.FATAL vca0: "Slot Info is NULL for vca0"

When a hardware provider, such as the Sun Crypto Accelerator, unregisters from the kEF (Solaris Cryptographic Framework), the kEF fails to remove the provider entry from the provider tables when some cryptographic operations are scheduled on the provider.

The provider table size is hardcoded to be 512, and when reloading of the driver happens more than 512 times, it might fill up the provider table and make the driver unloadable. With SunVTS, the symptom is the Slot Info being NULL. With other applications, the Venus slot is simply not seen.


Known Issues With Sun ONE Web Servers



Note - Sun ONE Web Servers were previously named iPlanet Web Servers.



Bug ID 4620283 pk12util Utility

The Sun ONE provided utility, pk12util, exports certificates and keys from internal software databases and imports them to external hardware databases. However, the pk12util utility cannot export certificates or keys from an external hardware database, such as the Sun Crypto Accelerator board:


% cd /usr/iplanet/servers/alias
% pk12util -o temp.p12 -n "Our Token:Server-Cert" -d .
Enter Password or Pin for "Our Token":
Enter password for PKCS12 file: 
Re-enter password: 
pk12util: add cert and key failed: Unable to export.  Private Key could not be located and exported.

Bug ID 4607112 Selecting Cipher Settings

In configuring Sun ONE Web Server 6.0, after selecting the Cipher Default settings, selecting the certificate, clicking the OK button and selecting the Apply link in the far upper right corner to apply the ciphers, the user@realm-name entry may be removed if the steps are not executed in the exact order as prescribed in the Sun Crypto Accelerator 1000 Board Version 2.0 Installation and User's Guide.

This entry is required for the web server to start up correctly with the Sun Crypto Accelerator 1000 board. You may see this when steps are executed in the following order:

If you think you have executed these steps and the web server does not start up correctly, use the following workaround:

Using Sun Metaslot With Sun ONE Web Servers

Bug ID 6190335 Unable to Enable/Disable Environment Variable in a Web Server Instance

Sun Metaslot, when enabled system-wide, can be controlled on a per process basis by setting the environment variable ${METASLOT_ENABLED} to true or false.

There is currently no way to set this environment variable so that an instance of the web server can override the system-wide setting.

Bug ID 6241300 Using Apache With Metaslot

Because of how Diffie-Hellman related cipher suites are implemented in OpenSSL, using Apache with metaslot could cause poor performance and significant CPU idling on the server.

The default cipher suite, EDH-RSA-DES-CBC3-SHA, and all Diffie-Hellman related cipher suites can cause this problem.

Workaround: Modify the SSLCipherSuite line in the /etc/apache/httpd.conf file to exclude Diffie-Hellman related cipher suites as follows:


SSLCipherSuite ALL:!ADH:!EXPORT56:-AES256-SHA:-DHE-RSA-AES256-SHA:-DHE-DSS-AES256-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL:-EDH-RSA-DES-CBC3-SHA
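The two SSLCipherSuite workarounds above (Bug ID 6186666 and Bug ID 6241300) rely on OpenSSL's cipher-string operators, where `-` removes a suite but a later token may re-add it, `!` removes it permanently, and `+` only reorders suites already enabled. The following added example, which is not part of these release notes or of OpenSSL, is a simplified evaluator of those rules run over a small constructed cipher catalog, so the effect of each workaround string can be checked without a server.

```python
# Added example: simplified evaluator for OpenSSL-style cipher strings, used
# to check what the two SSLCipherSuite workarounds leave enabled. The catalog
# is constructed for illustration; it is not OpenSSL's or the board's list.

# Constructed catalog: cipher name -> aliases OpenSSL would match it under.
# NULL-SHA deliberately lacks "ALL": in OpenSSL, ALL excludes eNULL suites.
CATALOG = [
    ("DHE-RSA-AES256-SHA",   {"ALL", "HIGH", "AES", "DH", "EDH", "SSLv3"}),
    ("DHE-DSS-AES256-SHA",   {"ALL", "HIGH", "AES", "DH", "EDH", "SSLv3"}),
    ("AES256-SHA",           {"ALL", "HIGH", "AES", "RSA", "SSLv3"}),
    ("DHE-RSA-AES128-SHA",   {"ALL", "HIGH", "AES", "DH", "EDH", "SSLv3"}),
    ("EDH-RSA-DES-CBC3-SHA", {"ALL", "HIGH", "3DES", "DH", "EDH", "SSLv3"}),
    ("DES-CBC3-SHA",         {"ALL", "HIGH", "3DES", "RSA", "SSLv3"}),
    ("RC4-SHA",              {"ALL", "MEDIUM", "RC4", "RSA", "SSLv3"}),
    ("RC4-MD5",              {"ALL", "MEDIUM", "RC4", "RSA", "SSLv2"}),
    ("ADH-AES128-SHA",       {"ALL", "HIGH", "AES", "ADH", "DH", "SSLv3"}),
    ("EXP-RC4-MD5",          {"ALL", "EXP", "LOW", "RC4", "RSA", "SSLv2"}),
    ("NULL-SHA",             {"eNULL", "RSA", "SSLv3"}),
]

def _matches(name, aliases, pattern):
    # A pattern such as RC4+RSA matches only suites carrying every part.
    return all(p == name or p in aliases for p in pattern.split("+"))

def evaluate(cipher_string, catalog=CATALOG):
    """Return the ordered suite names the string enables (OpenSSL rules)."""
    enabled, killed = [], set()
    for token in filter(None, cipher_string.split(":")):
        op, pattern = (token[0], token[1:]) if token[0] in "+-!" else ("", token)
        hits = [n for n, a in catalog if _matches(n, a, pattern)]
        if op == "!":                      # remove and never re-add
            killed.update(hits)
            enabled = [n for n in enabled if n not in hits]
        elif op == "-":                    # remove; a later token may re-add
            enabled = [n for n in enabled if n not in hits]
        elif op == "+":                    # move already-enabled matches to end
            moved = [n for n in enabled if n in hits]
            enabled = [n for n in enabled if n not in hits] + moved
        else:                              # add, unless killed or present
            enabled += [n for n in hits if n not in killed and n not in enabled]
    return enabled

# The two workaround strings exactly as given in the release notes.
BUG_6186666 = ("ALL:!ADH:!EXPORT56:-AES256-SHA:-DHE-RSA-AES256-SHA:"
               "-DHE-DSS-AES256-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL")
BUG_6241300 = BUG_6186666 + ":-EDH-RSA-DES-CBC3-SHA"

def leftover(cipher_string, alias):
    """Enabled suites still carrying an alias, e.g. 'AES' or 'DH'."""
    return [n for n in evaluate(cipher_string) if alias in dict(CATALOG)[n]]
```

The constructed catalog also carries DHE-RSA-AES128-SHA, which neither string removes; any other Diffie-Hellman suite present in the server's OpenSSL build needs its own `-` entry if the goal is to exclude all of them.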

Bug ID 6190335 Enabling Metaslot Per Process

Metaslot, when enabled system-wide, can be controlled on a per-process basis by setting the environment variable ${METASLOT_ENABLED} to true or false.

To set an environment variable for Sun ONE Administration Server programs, add the following line to the https-admserv/config/magnus.conf configuration file:


Init fn="init-cgi" <ENV_VAR>=<value>

The following is an example of disabling metaslot for the process.


Init fn="init-cgi" METASLOT_ENABLED="false"

Refer to the documentation available at:

http://docs.sun.com/source/817-6252/npgmagns.html#wp25400