IPsec and IKE Administration Guide

How to Use the Sun Crypto Accelerator 4000 Board With IKE


Note –

The following procedure assumes that a Sun Crypto Accelerator 4000 board is attached to the system. The procedure also assumes that the software for the board has been installed and that the software has been configured. For instructions, see the Sun Crypto Accelerator 4000 Board Installation and User's Guide. The guide is available from the Sun Hardware Documentation web site, under Network and Security Products.


  1. On the system console, become superuser or assume an equivalent role.


    Note –

    Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the security of the system is reduced to the security of the remote login session.


  2. Add the PKCS #11 library path to the /etc/inet/ike/config file.


    pkcs11_path "/opt/SUNWconn/lib/libpkcs11.so"
    

    The path name must point to a 32-bit PKCS #11 library. If the library is present, IKE uses the library's routines to handle key generation and key storage on the Sun Crypto Accelerator 4000 board.

  3. Close the file and reboot.

  4. After rebooting, check that the library has been linked. Type the following command, which reports whether a PKCS #11 library has been linked:


    $ ikeadm get stats
    …
    PKCS#11 library linked in from /opt/SUNWconn/lib/libpkcs11.so
    $ 

    Unlike other parameters in the /etc/inet/ike/config file, the pkcs11_path keyword is read only when IKE is started. If you use the ikeadm command to add or reload a new /etc/inet/ike/config file, the pkcs11_path persists. The path persists because the IKE daemon does not clobber Phase 1 data.


    Note –

    The Sun Crypto Accelerator 4000 board supports keys up to 2048 bits for RSA. For DSA, this board supports keys up to 1024 bits.


  5. Find the token ID for the attached Sun Crypto Accelerator 4000 board.


    $ ikecert tokens
    Available tokens with library "/opt/SUNWconn/lib/libpkcs11.so":
    
    "SUN-1000-accel                 "
    "SUN-4000-stor                  " 

    The library returns a token ID, also called a keystore name, of 32 characters. In this example, you could use the SUN-4000-stor token with the ikecert commands to store IKE keys.

    For instructions on how to use the token, see How to Generate and Store Public Key Certificates on Hardware.

    The ikecert command automatically pads the token ID with trailing spaces to its full 32-character length.
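A post-reboot check, added here as an example and not part of the Solaris guide, that compares the pkcs11_path in the config file with the library that ikeadm reports as linked and lists the ikecert token IDs with their padding stripped. It runs on constructed copies of the command output shown in this procedure rather than invoking ikeadm or ikecert, so the sample inputs are assumptions.

```shell
#!/bin/sh
# Added example, not from the Solaris guide: after the reboot, compare the
# pkcs11_path in /etc/inet/ike/config with the library that IKE reports as
# linked, and list the token IDs with ikecert's padding stripped.
# The three inputs are constructed copies of the guide's sample output so the
# script runs offline; in real use they would come from the config file,
# `ikeadm get stats` and `ikecert tokens`.

# Print the quoted value of the pkcs11_path keyword from config text on stdin.
config_pkcs11_path() {
    sed -n 's/^[[:space:]]*pkcs11_path[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Print the library path that `ikeadm get stats` (stdin) reports as linked.
linked_pkcs11_path() {
    sed -n 's/^.*PKCS#11 library linked in from \(.*\)$/\1/p' | head -n 1
}

# Succeed only when the configured path is the one IKE actually linked.
check_pkcs11_linked() {
    _cfg=$(printf '%s\n' "$1" | config_pkcs11_path)
    _linked=$(printf '%s\n' "$2" | linked_pkcs11_path)
    [ -n "$_cfg" ] && [ "$_cfg" = "$_linked" ]
}

# Print token IDs from `ikecert tokens` output (stdin), one per line, with the
# trailing padding that ikecert adds removed.
token_ids() {
    sed -n 's/^[[:space:]]*"\(.*\)"[[:space:]]*$/\1/p' | sed 's/[[:space:]]*$//'
}

# Constructed sample inputs that mirror the output shown in the procedure.
SAMPLE_CONFIG='pkcs11_path "/opt/SUNWconn/lib/libpkcs11.so"'
SAMPLE_STATS='(other statistics omitted)
PKCS#11 library linked in from /opt/SUNWconn/lib/libpkcs11.so'
SAMPLE_TOKENS='Available tokens with library "/opt/SUNWconn/lib/libpkcs11.so":

"SUN-1000-accel                 "
"SUN-4000-stor                  " '

if check_pkcs11_linked "$SAMPLE_CONFIG" "$SAMPLE_STATS"; then
    echo "PKCS#11 library linked as configured; available tokens:"
    printf '%s\n' "$SAMPLE_TOKENS" | token_ids
else
    echo "pkcs11_path is not linked; check the path and reboot" >&2
fi
```

To use it against a live system, replace the three SAMPLE_ variables with `cat /etc/inet/ike/config`, `ikeadm get stats` and `ikecert tokens` output.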