Sun Directory Server Enterprise Edition 7.0 Installation Guide

Procedure: To Use Directory Server With Cryptographic Hardware on a Solaris 10 System

  1. Set the PIN used to access the cryptographic framework by typing the pktool setpin command.

    Set the PIN as the same user that runs Directory Server.

  2. Export the current Directory Server certificate to a PKCS#12 file.

    The following command shows how to perform this step if the Directory Server instance is located under /local/ds/.

    $ dsadm export-cert -o cert-file /local/ds defaultCert
  3. Configure Directory Server to use the appropriate token when accessing the key material.

    Typically, the token is Sun Metaslot.

    $ dsconf set-server-prop 'ssl-rsa-security-device:Sun Metaslot'
  4. Stop Directory Server.

    $ dsadm stop /local/ds
  5. (Optional) If you have no other certificates in the existing certificate database for the Directory Server instance, remove the certificate database.

    $ rm -f /local/ds/alias/*.db

    This optional step ensures that no certificates are stored in the software database.

  6. Create a new certificate database backed by the Solaris cryptographic framework.

    If you have not removed the certificate database, you do not need to run the modutil -create line in this example.

    $ /usr/sfw/bin/64/modutil -create -dbdir /local/ds/alias -dbprefix slapd-
    $ /usr/sfw/bin/64/modutil -add "Solaris Kernel Crypto Driver" -libfile \
     /usr/lib/64/ -dbdir /local/ds/alias -dbprefix slapd-
    $ /usr/sfw/bin/64/modutil -enable "Solaris Kernel Crypto Driver" \
     -dbdir /local/ds/alias -dbprefix slapd-
  7. Import the PKCS#12 certificate that you exported.

    $ /usr/sfw/bin/64/pk12util -i cert-file \
     -d /local/ds/alias -P slapd- -h "Sun Metaslot"
    $ /usr/sfw/bin/64/certutil -M -n "Sun Metaslot:defaultCert" -t CTu \
     -d /local/ds/alias -P slapd-

    If your accelerator board has a FIPS 140-2 keystore, for added security, make sure that the private key is stored on the device. Sun Crypto Accelerator 4000 and 6000 boards have FIPS 140-2 keystores, for example. The exact process depends on the board.

    Note –

    Make sure that the cryptographic hardware supports the cipher suites that you want to use. Not all hardware supports all cipher suites. As a workaround, you can use the dsconf ssl-cipher-family server property to set specific suites.

  8. Create a password file that contains the PIN needed to access the cryptographic framework.

    This file is required only when the password is changed in step 1.

    $ echo "Sun Metaslot:password" > /local/ds/alias/slapd-pin.txt

    If the password has been changed in step 1, password is the new password; otherwise, it is the one currently in use.

  9. Start Directory Server.

    $ dsadm start /local/ds
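The steps above, collected into one script as an added example (this is not from the Sun guide and is not Directory Server's own tooling). It runs steps 2 to 9 in order, stops at the first failing command, lists the module and the token-resident certificate after steps 6 and 7 so a problem shows up before the server is restarted, and writes the PIN file owner-readable only. Assumptions that are not in the guide: the instance is under DS_ROOT (/local/ds), the NSS tools are in NSS_BIN (/usr/sfw/bin/64), the PKCS#11 provider library is PKCS11_LIB (assumed to be /usr/lib/64/libpkcs11.so), and DS_PIN holds the PIN chosen in step 1.

```shell
#!/bin/sh
# Added example, not from the Sun guide. Steps 2 to 9 of the procedure with a
# check after each step. Run with DRY_RUN=1 first to review the command sequence.
set -eu

DS_ROOT="${DS_ROOT:-/local/ds}"                        # instance directory (step 2)
NSS_BIN="${NSS_BIN:-/usr/sfw/bin/64}"                  # modutil, pk12util, certutil
PKCS11_LIB="${PKCS11_LIB:-/usr/lib/64/libpkcs11.so}"   # assumed provider path, verify on your host
MODULE_NAME="Solaris Kernel Crypto Driver"
TOKEN="${TOKEN:-Sun Metaslot}"
CERT_NAME="${CERT_NAME:-defaultCert}"
P12_FILE="${P12_FILE:-/var/tmp/ds-cert.p12}"           # constructed name for the export file
DRY_RUN="${DRY_RUN:-0}"

# run: execute a command, or only print it when DRY_RUN=1. Because of set -e a
# failing step aborts the script instead of leaving the instance half-migrated.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# write_pin_file DIR TOKEN PIN: create DIR/slapd-pin.txt (step 8) readable by the
# owner only. The file holds the keystore PIN in clear text, so the mode matters.
write_pin_file() {
    pin_file="$1/slapd-pin.txt"
    ( umask 077; printf '%s:%s\n' "$2" "$3" > "$pin_file" )
    chmod 600 "$pin_file"
    printf '%s\n' "$pin_file"
}

# pin_file_is_private FILE: succeed only if FILE exists and its mode is rw-------.
pin_file_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -l "$1" | cut -c2-10)" = "rw-------" ]
}

# migrate_to_hardware: steps 2 to 9. Step 1 (pktool setpin) is interactive and is
# done beforehand by the same user that runs Directory Server.
migrate_to_hardware() {
    alias_dir="$DS_ROOT/alias"
    # Step 2: keep a PKCS#12 copy of the certificate and key before touching the database.
    run dsadm export-cert -o "$P12_FILE" "$DS_ROOT" "$CERT_NAME"
    # Step 3: tell the server which token holds the RSA key material.
    run dsconf set-server-prop "ssl-rsa-security-device:$TOKEN"
    # Step 4: stop the instance.
    run dsadm stop "$DS_ROOT"
    # Step 6: create the database only when it is absent (optional step 5 removed it),
    # then register and enable the PKCS#11 module. -force skips modutil's
    # interactive confirmation so the script cannot hang waiting for a keypress.
    if [ ! -f "$alias_dir/slapd-cert8.db" ]; then
        run "$NSS_BIN/modutil" -create -dbdir "$alias_dir" -dbprefix slapd- -force
    fi
    run "$NSS_BIN/modutil" -add "$MODULE_NAME" -libfile "$PKCS11_LIB" \
        -dbdir "$alias_dir" -dbprefix slapd- -force
    run "$NSS_BIN/modutil" -enable "$MODULE_NAME" -dbdir "$alias_dir" -dbprefix slapd- -force
    # Check: the module must now be listed, otherwise the import below fails.
    run "$NSS_BIN/modutil" -list "$MODULE_NAME" -dbdir "$alias_dir" -dbprefix slapd-
    # Step 7: import into the token, mark the certificate trusted for server use,
    # then list what the token holds.
    run "$NSS_BIN/pk12util" -i "$P12_FILE" -d "$alias_dir" -P slapd- -h "$TOKEN"
    run "$NSS_BIN/certutil" -M -n "$TOKEN:$CERT_NAME" -t CTu -d "$alias_dir" -P slapd-
    run "$NSS_BIN/certutil" -L -d "$alias_dir" -P slapd- -h "$TOKEN"
    # Step 8: PIN file, owner-readable only.
    if [ "$DRY_RUN" = "1" ]; then
        printf 'write %s/slapd-pin.txt\n' "$alias_dir"
    else
        [ -n "${DS_PIN:-}" ] || { echo "DS_PIN is not set" >&2; return 1; }
        pin_file=$(write_pin_file "$alias_dir" "$TOKEN" "$DS_PIN")
        pin_file_is_private "$pin_file"
    fi
    # Step 9: start the instance.
    run dsadm start "$DS_ROOT"
    # The export file contains the private key; remove it once the server is up.
    run rm -f "$P12_FILE"
}

if [ "${1:-}" = "run" ]; then
    migrate_to_hardware
fi
```

Invoke as `DRY_RUN=1 sh migrate.sh run` to print the commands, then `DS_PIN=... sh migrate.sh run` to apply them. dsadm export-cert and pk12util still prompt for the PKCS#12 password and the token PIN, so the script is interactive at those two points.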