Sun Java System Portal Server Secure Remote Access 7.2 Administration Guide

Sun Crypto Accelerator 4000

The Sun™ Crypto Accelerator 4000 board is a Gigabit Ethernet-based network interface card that supports cryptographic hardware acceleration for IPsec and SSL (both symmetric and asymmetric) on Sun servers.

In addition to operating as a standard Gigabit Ethernet network interface card for unencrypted network traffic, the board contains cryptographic hardware to support a higher throughput for encrypted IPsec traffic.

The Crypto Accelerator 4000 board accelerates cryptographic algorithms in both hardware and software. It also supports bulk encryption for the DES and 3DES ciphers.

See To Configure Crypto Accelerator 4000 for steps.

Enable Crypto Accelerator 4000

Ensure that SRA is installed and that a gateway server certificate (self-signed or issued by any CA) has been installed. The following checklist helps you keep track of the required information before installing the SSL Accelerator.

The following table lists the Crypto Accelerator 4000 parameters and values.

Table 15–2 Crypto Accelerator 4000 Installation Checklist

Parameter                                                        Value
Portal Server Secure Remote Access installation base directory   /opt
SRA instance                                                     default
SRA certificate database path                                    /etc/opt/SUNWportal/cert/default
SRA server certificate nickname                                  server-cert
CA4000 keystore                                                  srap
CA4000 keystore user                                             crypta

To Configure Crypto Accelerator 4000

  1. Follow the instructions in the user's guide to install the hardware and the software packages. See:

    http://www.sun.com/products-n-solutions/hardware/docs/pdf/816-2450-11.pdf

  2. Install patch 114795. (You can get it from http://sunsolve.sun.com.)

  3. Make sure that you have the tools certutil, pk12util and modutil.

    These tools are installed under /usr/sfw/bin.

    If the tools are not available in the /usr/sfw/bin directory, you need to manually add the SUNWtlsu package from the Sun Java System distribution media:

    Solaris_[sparc/x86]/Product/shared_components/

  4. Initialize the board.

    Run the /opt/SUNWconn/bin/vcaadm tool to initialize the crypto board and set the following values.

    Initial Security Officer Name: sec_officer

    Keystore name: sra-keystore

    Run in FIPS 140-2 Mode: No

  5. Create a user.

    vcaadm{vca0@localhost, sec_officer}> create user

    New user name: crypta

    Enter new user password:

    Confirm password:

    User crypta created successfully.

  6. Map token to the key store.

    vi /opt/SUNWconn/cryptov2/tokens

    and append sra-keystore to the file.

  7. Enable bulk encryption.

    touch /opt/SUNWconn/cryptov2/sslreg

  8. Load the Sun Crypto module.

    The environment variable LD_LIBRARY_PATH must point to /usr/lib/mps/secv1/.

    Type:

    modutil -dbdir /etc/opt/SUNWportal/cert/default -add "Sun Crypto Module" -libfile /opt/SUNWconn/cryptov2/lib/libvpkcs11.so

    You can verify that this module is loaded using the following command:

    modutil -list -dbdir /etc/opt/SUNWportal/cert/default

  9. Export the gateway certificate and the key to the "Sun Crypto Module".

    The environment variable LD_LIBRARY_PATH must point to /usr/lib/mps/secv1/.

    pk12util -o servercert.p12 -d /etc/opt/SUNWportal/cert/default -n server-cert

    pk12util -i servercert.p12 -d /etc/opt/SUNWportal/cert/default -h "sra-keystore"

    You can verify that the key has been exported using the following command:

    certutil -K -h "sra-keystore" -d /etc/opt/SUNWportal/cert/default

  10. Change the nickname in the /etc/opt/SUNWportal/cert/default/.nickname file:

    vi /etc/opt/SUNWportal/cert/default/.nickname

    Replace server-cert with sra-keystore:server-cert.

  11. Enable the ciphers for acceleration.

  12. From a terminal window, restart the gateway:

    ./psadmin start-sra-instance -u amadmin -f passwordfile -N profilename -t gateway

    The Gateway prompts you to enter the keystore password.

    Enter Password or Pin for "sra-keystore":crypta:crypta-password


    Note –

    The Gateway binds to a plain ServerSocket (non-SSL) on the port configured as the HTTPS port in the gateway profile.

    The Gateway performs no SSL encryption or decryption on incoming client traffic; the accelerator does this.

    PDC is not functional in this mode.
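As an added check after the procedure above (example code, not from this guide), the following script verifies the state that steps 6, 7, 8 and 10 leave behind. It assumes the guide's paths and names, that modutil is on the PATH when run with --live, and that modutil -list prints numbered module entries with status: and token: lines; the embedded listing is a constructed sample.

```shell
#!/bin/sh
# Added post-configuration check for the Crypto Accelerator 4000 setup above
# (example code, not from the Sun guide; paths and names are the guide's).
# With no arguments it checks a constructed modutil listing; with --live it
# queries the gateway host's real files and modutil.
CERTDB=/etc/opt/SUNWportal/cert/default
CRYPTO=/opt/SUNWconn/cryptov2
KEYSTORE=sra-keystore
NICK=server-cert

# Step 10: .nickname must hold the token-qualified nickname, otherwise the
# gateway keeps using the copy of the key in the NSS software database.
check_nickname() {            # $1 = path to .nickname
    grep -qx "${KEYSTORE}:${NICK}" "$1"
}
# Step 6: the keystore must be listed in the tokens file, one name per line.
check_tokens() {              # $1 = path to tokens file
    grep -qx "$KEYSTORE" "$1"
}
# Step 8: read "modutil -list" output on stdin and require that the
# Sun Crypto Module entry is loaded and exposes the keystore as a token.
check_module_loaded() {
    awk -v ks="$KEYSTORE" '
        /^ *[0-9]+\. /     { inmod = ($0 ~ /Sun Crypto Module/) }
        inmod && /status:/ { loaded = ($2 == "loaded") }
        inmod && /token:/  { if ($2 == ks) found = 1 }
        END                { exit !(loaded && found) }'
}
# Constructed sample of a modutil listing after step 8 (abridged).
SAMPLE_LISTING='  1. NSS Internal PKCS #11 Module
        status: loaded
        token: NSS Certificate DB
  2. Sun Crypto Module
        status: loaded
        token: sra-keystore'

run_live_checks() {           # exit status 0 only if every check passes
    rc=0
    check_nickname "$CERTDB/.nickname" || { echo "nickname: BAD (step 10)"; rc=1; }
    check_tokens "$CRYPTO/tokens"      || { echo "tokens: BAD (step 6)";    rc=1; }
    [ -f "$CRYPTO/sslreg" ]            || { echo "sslreg: missing (step 7)"; rc=1; }
    LD_LIBRARY_PATH=/usr/lib/mps/secv1 modutil -list -dbdir "$CERTDB" \
        | check_module_loaded          || { echo "module: BAD (step 8)";    rc=1; }
    return $rc
}

if [ "${1-}" = --live ]; then run_live_checks
else printf '%s\n' "$SAMPLE_LISTING" | check_module_loaded && echo "sample listing: ok"; fi
```

Run it with --live as the user that owns the certificate database; a non-zero exit status names the step to revisit.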