Sun Java System Directory Server Enterprise Edition 6.0 Installation Guide

Working With Sun Cryptographic Framework on Solaris 10 Systems

This section explains briefly how to use Sun Crypto Accelerator cards through the Sun cryptographic framework on Solaris 10 systems with Directory Server, and Directory Proxy Server. See Chapter 13, Solaris Cryptographic Framework (Overview), in System Administration Guide: Security Services for more information about the framework.

ProcedureTo Use Directory Server With Cryptographic Hardware on a Solaris 10 System

Before You Begin

This procedure is designed for use with Sun Crypto Accelerator hardware. Perform the following procedure as the same user who runs the Directory Server instance.

  1. Set the PIN used to access the cryptographic framework with the pktool setpin command.

  2. Export the current Directory Server certificate to a PKCS#12 file.

    The following command shows how to perform this step if the Directory Server instance is located under /local/ds/.


    $ dsadm export-cert -o cert-file /local/ds defaultCert
  3. Configure Directory Server to use the appropriate token when accessing the key material.

    Typically, the token is Sun Metaslot.


    $ dsconf set-server-prop 'ssl-rsa-security-device:Sun Metaslot'
  4. Stop Directory Server.


    $ dsadm stop /local/ds
  5. (Optional) If you have no other certificates in the existing certificate database for the Directory Server instance, remove the certificate database.


    $ rm -f /local/ds/alias/*.db

    This optional step ensures that no certificates are stored in the software database.

  6. Create a new certificate database backed by the Solaris cryptographic framework.

    If you did not remove the certificate database, you do not need to run the modutil -create line in this example.


    $ /usr/sfw/bin/64/modutil -create -dbdir /local/ds/alias -dbprefix slapd-
    $ /usr/sfw/bin/64/modutil -add "Solaris Kernel Crypto Driver" -libfile \
     /usr/lib/64/libpkcs11.so -dbdir /local/ds/alias -dbprefix slapd-
    $ /usr/sfw/bin/64/modutil -enable "Solaris Kernel Crypto Driver" \
     -dbdir /local/ds/alias -dbprefix slapd-
  7. Import the PKCS#12 certificate that you exported.


    $ /usr/sfw/bin/64/pk12util -i cert-file \
     -d /local/ds/alias -P slapd- -h "Sun Metaslot"
    $ /usr/sfw/bin/64/certutil -M -n "Sun Metaslot:defaultCert" -t CTu \
     -d /local/ds/alias -P slapd-

    If your accelerator board has a FIPS 140-2 keystore, make sure the private key is generated on the device. Sun Crypto Accelerator 4000 and 6000 boards have FIPS 140-2 keystores, for example. The exact process depends on the board.

  8. Create a password file that contains the PIN needed to access the cryptographic framework.


    $ echo "Sun Metaslot:password" > /local/ds/alias/slapd-pin.txt
  9. Start Directory Server.


    $ dsadm start /local/ds

ProcedureTo Use Directory Proxy Server With Cryptographic Hardware on a Solaris 10 System

Before You Begin

This procedure is designed for use with Sun Crypto Accelerator hardware. Perform the following procedure as the same user who runs the Directory Proxy Server instance.

  1. Stop Directory Proxy Server.


    $ dpadm stop /local/dps
  2. Turn off certificate database password storage.


    $ dpadm set-flags /local/dps cert-pwd-prompt=on
    Choose the certificate database password:
    Confirm the certificate database password:
  3. Set the PIN used to access the cryptographic framework with the pktool setpin command.

    Use the same password that you entered when turning off certificate database password storage.

  4. Generate a key pair, using the cryptographic framework as the key store.


    $ keytool -genkeypair -alias defaultDPScert
     -dname "ou=dps server,dc=example,dc=com" -keyalg RSA -sigalg MD5withRSA
     -validity 3652 -storetype PKCS11 -keystore NONE -storepass pin-password
    

    Here, pin-password is the password you set as the PIN with the pktool setpin command.

  5. Edit the Directory Proxy Server configuration file, adding the following attributes to the base entry, cn=config.

    serverCertificateNickName: defaultDPScert
    certificateKeyStore: NONE
    certificateKeyStoreType: PKCS11
  6. Start Directory Proxy Server.


    $ dpadm start /local/dps