CHAPTER 6

Installing and Configuring Sun ONE Server Software
This chapter describes how to configure the Sun Crypto Accelerator 4000 board for use with Sun ONE servers. This chapter includes the following sections:
Note - The Sun ONE servers described in this manual were previously named iPlanet
This section provides an overview of the security features of the Sun Crypto Accelerator 4000 board as it is administered with Sun ONE applications.
Note - To manage keystores, you must have access to the system administrator account for your system.
Keystores and users must be created for applications that communicate with the Sun Crypto Accelerator 4000 board through a PKCS#11 interface, such as the Sun ONE Applications.
Note - The Apache Web Server (Chapter 7) does not use the keystore or user account features described in this chapter.
Within the context of the Sun Crypto Accelerator 4000 board, users are owners of cryptographic keying material. Each key is owned by a single user. Each user may own multiple keys. A user might want to own multiple keys to support different configurations, such as a production key and a development key (to reflect the organizations the user is supporting).
A keystore is a repository for key material. Associated with a keystore are security officers and users. Keystores provide not only storage, but a means for key objects to be owned by user accounts. This enables keys to be hidden from applications that do not authenticate as the owner. Keystores have three components:
A typical installation contains a single keystore with three users. For example, such a configuration could consist of a single keystore, keystore-name, and three users within that keystore: webserv, dirserv, and mailserv. This enables the three users to own and maintain access control of their server keys within that single keystore. FIGURE 6-1 illustrates an overview of a typical installation.

An administrative tool, vcaadm, is used to manage Sun Crypto Accelerator 4000 keystores and users. See Managing Keystores With vcaadm.
As discussed in Chapter 5, there are four kinds of slots presented through the Solaris Cryptographic Framework's PKCS#11 interface.
The Sun Crypto Accelerator 4000 Keystore slot can also be used for Sun ONE applications. Through a Keystore slot, asymmetric operations are the only mechanisms accelerated by the Sun Crypto Accelerator 4000 board. When more than two boards use the same keystore, the Keystore slot provides additional performance and fault tolerance.
Alternatively, the Sun Crypto Accelerator Hardware Slot can be used for Sun ONE applications. When the Hardware Slot is used, there is no failover support.
If there are two boards, vca0 and vca1, and each is assigned its own keystore name (engineering and finance), five slots are presented to the Sun ONE application.
If the server certificate resides in the finance keystore, the possible slots for the Sun ONE application are as follows:
1. finance (the Keystore slot)
2. vca/1 Crypto Accel 2.0 (the hardware slot)
This section describes assigning passwords, how to populate a keystore, and how to enable the Sun ONE Web Server.
You are asked for several passwords in the course of enabling a Sun ONE Web Server, all of which are described in TABLE 6-2. These passwords are referred to throughout this chapter.
Before you can enable the board for use with a Sun ONE Web Server, you must first initialize the board and populate the board's keystore with at least one user. The keystore for the board is created during the initialization process. You can also initialize Sun Crypto Accelerator 4000 boards to use an existing keystore. See Initializing the Board With vcaadm.
1. If you have not already done so, place the Sun Crypto Accelerator 4000 tools directory in your search path, for example:
2. Access the vcaadm utility with the vcaadm command or enter vcaadm -h hostname to connect vcaadm to a board on a remote host. See Using the vcaadm Utility.
3. Populate the board's keystore with users.
These user names are known only within the domain of the Sun Crypto Accelerator 4000 board and do not need to be identical to the UNIX user name that the web server process is using. Before attempting to create the user, remember that you must first log in as a vcaadm security officer.
4. Create a user with the create user command.
vcaadm{vca0@hostname, sec-officer}> create user username
Initial password:
Confirm password:
User username created successfully.
The username and password created here collectively make the username:password (See TABLE 6-1). You must use this password when authenticating during a web server startup. This is the keystore password for a single user.
Caution - Users must remember this username:password. Without this password, users cannot access their keys. There is no way to retrieve a lost password.
To enable Sun ONE Web Servers you must complete the following procedures, which the rest of the chapter explains in detail.
1. Install the Sun ONE Web Server.
5. Configure the Sun ONE Web Server.
Caution - These procedures must be followed in the order given. Failure to do so could result in an incorrect configuration.
This section describes how to install and configure Sun ONE Web Server 6.1 to use the board. You must perform these procedures in order. Refer to the Sun ONE Web Server documentation for more information about installing and using Sun ONE Web Servers. This section includes the following procedures:
1. Download the Sun ONE Web Server 6.1 software.
You can find the web server software at the following URL:
http://www.sun.com/
2. Change to the installation directory and extract the web server software.
3. Install the web server with the setup script from the command-line.
The default path name for the server is: /opt/SUNWwbsvr/.
This chapter refers to the default paths. If you decide to install the software in a different location, be sure to note where you installed it.
4. Answer the prompts from the installation script.
Except for the following prompts, you can accept the defaults:
a. Agree to accept the license terms by typing yes.
b. Enter a fully qualified domain name.
c. Enter the Sun ONE Web Server 6.1 Administration Server password twice.
d. Press Return when prompted.
These procedures create a trust database for the web server instance; register the board with the web server; generate and install a server certificate; and enable the web server for SSL.
The Sun ONE Web Server Administration Server must be up and running during the configuration process. This example uses the Sun Crypto Accelerator 4000 Keystore slot.
1. Start the Sun ONE Web Server 6.1 Administration Server.
To start a Sun ONE Web Server 6.1 Administration Server, use the following command (instead of running startconsole as setup requests):
The response provides the URL for connecting to your servers.
2. Start the Administration GUI by opening up a web browser and typing:
In the authentication dialog box, enter the Sun ONE Web Server 6.1 Administration Server user name and password you selected while running setup.
Note - If you used the default settings during Sun ONE Web Server setup, enter admin for the User ID or the Sun ONE Web Server 6.1 Administration Server user name.
The Sun ONE Web Server 6.1 Administration Server window is displayed.
4. Create the trust database for the web server instance.
You might want to enable security on more than one web server instance. If so, repeat the following Step a through Step d for each web server instance.
a. Click the Servers tab in the Sun ONE Web Server 6.1 Administration Server dialog box.
b. Select a server and click the Manage button.
c. Click the Security tab near the top of the page and click the Create Database link.
d. Enter a password (web server trust database, see TABLE 6-1) in the two dialog boxes and click OK.
Choose a password of at least eight characters. This will be the password used to start the internal cryptographic modules when the Sun ONE Web Server runs in secure mode.
1. Register the Solaris PKCS#11 library in the security module database of the Sun ONE Web Server using the modutil utility.
% modutil -dbdir /opt/SUNWwbsvr/alias -nocertdb -add "Solaris Cryptographic Framework" -libfile /usr/lib/libpkcs11.so
2. Certain Sun ONE applications ask for a password for every known PKCS#11 token. To limit the slots presented to those required to start the web server, disable all slots, except for one slot used by the Sun ONE application.
1. Restart the Sun ONE Web Server 6.1 Administration Server by typing the following commands:
The response provides the URL for connecting to your servers.
2. Start the Administration GUI by opening up a web browser and typing:
In the authentication dialog box enter the Sun ONE Web Server 6.1 Administration Server user name and password you selected while running setup.
Note - If you used the default settings during Sun ONE Web Server setup, enter admin for the user ID or the Sun ONE Web Server 6.1 Administration Server user name.
The Sun ONE Web Server 6.1 Administration Server window is displayed.
4. To request the server certificate, select the Servers tab near the top of Sun ONE Web Server 6.1 Administration Server window. Then select a server from the drop-down menu and click the Manage button.
The Sun ONE Web Server 6.1 Server Manager window is displayed.
5. Select the Security tab near the top of the Sun ONE Web Server 6.1 Server Manager window. Then click the Request a Certificate link on the left panel.
6. Fill out the form to generate a certificate request, using the following information:
If you can directly post your certificate request to a web-capable certificate authority or registration authority, select the CA URL link. Otherwise, select CA Email Address and enter an email address where you would like the certificate request to be sent.
b. Select the Cryptographic Module you want to use.
Each slot has its own entry in this pull-down menu. For this example, the keystore-name is chosen.
c. In the Key Pair File Password dialog box, provide the password for the user that will own the key.
This password is the username:password (TABLE 6-1).
d. Type the appropriate information for the requestor information fields in TABLE 6-2.
Country: Two-letter ISO code for the country (for example, the United States is US)
e. Click OK to submit the information.
7. Use a certificate authority to generate the certificate.
8. Once the certificate is generated, copy it, along with the headers, to the clipboard.
Note - The certificate is different from the certificate request and is usually presented to you in text form. Keep this data on the clipboard for Step 4 of To Install the Server Certificate.
Once your request has been approved by a certificate authority and a certificate has been issued, you must install the certificate in the Sun ONE Web Server.
1. Click the Security tab near the top of the Sun ONE Web Server 6.1 Server Manager window.
2. On the left panel, click the Install Certificate link.
3. Fill out the form to install your certificate:
a. Cryptographic Module: Each slot has its own entry in this pull-down menu. Ensure that you select the correct slot name. For this example, use keystore-name.
b. Key Pair File Password: This password is the username:password (TABLE 6-1).
c. Certificate Name: In most cases, you can leave this blank. If you provide a name, it alters the name the web server uses to access the certificate and key when running with SSL support. The default for this field is Server-Cert.
4. Paste the certificate you copied from the certificate authority (in Step 8 of To Generate a Server Certificate) into the Message text box.
You are shown some basic information about the certificate.
6. If everything looks correct, click the Add Server Certificate button.
On-screen messages tell you to restart the server. This is not necessary because the web server instance has been shut down the entire time.
You are also notified that in order for the web server to use SSL, the web server must be configured to do so. Use the following procedure to configure the web server.
Now that your web server and the Server Certificate are installed, you must enable the web server for SSL.
1. Select the Preferences tab near the top of the page.
2. Select the Edit Listen Sockets link on the left panel.
The main panel lists all the listen sockets set for the web server instance.
a. Click the link under Listen Socket ID for the listen socket you wish to configure.
b. Alter the following fields:
c. Click OK to apply these changes.
3. Click the link under Listen Socket ID again for the listen socket you wish to configure.
4. Enter the username:password to authenticate to the keystore on the system.
5. If you want to change the default set of ciphers, select the cipher suites under the Ciphers heading.
A dialog box is displayed for changing the cipher settings. You can select either Cipher Default settings, SSL2, or SSL3/TLS. If you select the Cipher Default, you are not shown the default settings. The other two choices require you to select the algorithms you want to enable in a pop-up dialog box. Refer to your Sun ONE documentation on cipher selection.
6. Select the certificate for the keystore followed by: Server-Cert (or the name you chose).
Only keys that the appropriate keystore user owns appear in the Certificate Name field. This keystore user is the user that is authenticated with the username:password.
7. When you have chosen a certificate and confirmed all the security settings, click OK.
8. Select the Apply link in the far upper right corner to apply these changes before you start your server.
9. Select the Load Configuration Files link to apply the changes.
You are redirected to a page that allows you to start your web server instance.
If you click the Apply Changes button when the server is off, an authentication dialog box prompts you for the username:password. This window is not resizable, and you might have a problem submitting the change.
There are two workarounds for this problem:
10. In the Sun ONE Web Server 6.1 Administration Server window, select the On/Off link on the left side of the window.
11. Enter the passwords for the servers and click Server On.
You are prompted for one or more passwords. At the Module Internal prompt, provide the password for the web server trust database.
At the Module keystore-name prompt, enter the username:password.
Enter the username:password for other keystores as prompted.
12. Verify the new SSL-enabled web server at the following URL:
https://hostname.domain:server-port/
You can enable the Sun ONE Web Servers to perform an unattended startup at reboot with an encrypted key.
1. Navigate to the config subdirectory for your Sun ONE Web Server instance, for example /opt/SUNWwbsvr/https-webserver-instance-name/config.
2. Create a password.conf file with only the following lines (See TABLE 6-1 for password definitions):
3. Set the file ownership of the password file to the UNIX user ID that the web server runs as, and set the file permissions to be readable only by the owner of the file:
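The ownership and permission step above is the one that keeps the keystore username:password from being readable by any other account on the system. The following POSIX shell functions are an added example, not part of the Sun manual or the Sun ONE product: one applies the restriction (mode 0400, and ownership when run as root), and one verifies it, so the check can be run before every unattended startup. The path and the account name webservd are placeholders for your own instance.

```shell
# Added example (not from the Sun manual): lock down a password.conf file so
# that only the web server's UNIX account can read it, then verify the result.
# The path and account name used below are placeholders; substitute your own.

# Restrict a file to its owner: mode 0400 (owner read only) and, when run as
# root, hand ownership to the account the web server runs as.
lock_down_password_file() {
    file="$1"
    owner="$2"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    # chown needs root; a non-root caller already owns the file it created
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner" "$file" || return 1
    fi
    chmod 400 "$file" || return 1
}

# Return 0 only if the file is owned by the expected account and carries no
# group or world permission bits. ls -l is used rather than stat(1) because
# its output format is the same on Solaris and GNU userland.
check_password_file() {
    file="$1"
    owner="$2"
    [ -f "$file" ] || return 1
    set -- $(ls -ld "$file")
    mode="$1"
    actual_owner="$3"
    [ "$actual_owner" = "$owner" ] || return 1
    # characters 5-10 of the mode string are the group and other bits
    rest=$(printf '%s' "$mode" | cut -c5-10)
    [ "$rest" = "------" ] || return 1
    return 0
}

# Usage (placeholder path and account, constructed for this example):
#   lock_down_password_file /opt/SUNWwbsvr/https-webserver-instance-name/config/password.conf webservd
#   check_password_file /opt/SUNWwbsvr/https-webserver-instance-name/config/password.conf webservd && echo "password.conf OK"
```

Run the check as the web server's own account or as root; a non-zero exit means the file is either owned by someone else or readable beyond its owner, and the server should not be started unattended until that is corrected.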
Copyright © 2005, Sun Microsystems, Inc. All Rights Reserved.