Sun Java System Portal Server Secure Remote Access 7.2 Administration Guide

Sun Crypto Accelerator 1000

The Sun™ Crypto Accelerator 1000 (Sun CA1000) board is a short PCI board that functions as a cryptographic co-processor to accelerate public key and symmetric cryptography. This product has no external interfaces. The board communicates with the host through the internal PCI bus interface. The purpose of this board is to accelerate a variety of computationally intensive cryptographic algorithms for security protocols in eCommerce applications.

Many critical cryptographic functions, such as RSA [7] and Triple-DES (3DES) [8], can be off-loaded from an application to the Sun CA1000 and performed in parallel. This frees the CPU to perform other tasks, increasing the processing speed for SSL transactions.

See To Configure Crypto Accelerator 1000 for steps.

Enable Crypto Accelerator 1000

Ensure that Portal Server Secure Remote Access has been installed and that a gateway server certificate (self-signed or issued by any CA) has been installed. See Chapter 10, Working with Certificates, for details.

Table 15–1 is a checklist to help you keep track of the required information before installing the SSL accelerator. It lists the Crypto Accelerator 1000 parameters and their values.

Table 15–1 Crypto Accelerator 1000 Installation Checklist

    Parameter                          Value
    SRA installation base directory    /opt
    SRA certificate database path      /etc/opt/SUNWportal/cert/default
    SRA server certificate nickname    server-cert
    Realm                              sra-keystore
    Realm user                         crypta

Procedure: To Configure Crypto Accelerator 1000

  1. Follow the instructions in the user's guide to install the hardware. See:

    http://www.sun.com/products-n-solutions/hardware/docs/pdf/816-2450-11.pdf

  2. Install the following packages from the CD.

    SUNWcrypm, SUNWcrypu, SUNWcrysu, SUNWdcar, SUNWcrypr, SUNWcrysl, SUNWdcamn, SUNWdcav

  3. Install the following patches (available from http://sunsolve.sun.com):

    110383-01, 108528-05, 112438-01

  4. Make sure you have the tools pk12util and modutil.

    These tools are installed under /usr/sfw/bin. If the tools are not available in the /usr/sfw/bin directory, install the SUNWtlsu package manually from the Sun Java System distribution media:

    Solaris_[sparc/x86]/Product/shared_components/

  5. Create the slots file:

    vi /etc/opt/SUNWconn/crypto/slots

    and put "crypta@sra" as the first and only line in the file.

  6. Create and set a realm.

    1. Log in as root.

    2. Type these commands:

      cd /opt/SUNWconn/bin/secadm

      secadm> create realm=sra

      Realm sra created successfully.

  7. Create a user:

    1. Type and respond to these commands:

      secadm> set realm=sra

      secadm{srap}> su

      secadm{root@sra}> create user=crypta

      Initial password:

      Confirm password:

      User crypta created successfully.

  8. Log in as the user you created.

    secadm{root@sra}> login user=crypta

    Password:

    secadm{crypta@sra}> show key

    No keys exist for this user.

  9. Load the Sun Crypto module.

    The environment variable LD_LIBRARY_PATH must point to /usr/lib/mps/secv1/

    Type:

    modutil -dbdir /etc/opt/SUNWportal/cert/default -add "Sun Crypto Module" -libfile /opt/SUNWconn/crypto/lib/libpkcs11.so

    Use the following command to verify that this module is loaded:

    modutil -list -dbdir /etc/opt/SUNWportal/cert/default

  10. Export the gateway certificate and key, then import them into the "Sun Crypto Module".

    The environment variable LD_LIBRARY_PATH must point to /usr/lib/mps/secv1/

    Type:

    pk12util -o servercert.p12 -d /etc/opt/SUNWportal/cert/default -n server-cert

    pk12util -i servercert.p12 -d /etc/opt/SUNWportal/cert/default -h "crypta@sra"

    Now run the show key command:

    secadm{crypta@sra}> show key

    You should see two keys for this user.

  11. Change the nickname in the /etc/opt/SUNWportal/cert/default/.nickname file.

    vi /etc/opt/SUNWportal/cert/default/.nickname

    Replace server-cert with crypta@sra:server-cert.

  12. Enable ciphers for acceleration.

    The Sun CA1000 accelerates RSA operations; among symmetric ciphers, it accelerates only DES and 3DES.

  13. Modify the /etc/opt/SUNWportal/platform.conf.gateway-profile-name file to enable the accelerator:

    gateway.enable.accelerator=true

  14. From a terminal window, restart the gateway:

    ./psadmin start-sra-instance -u amadmin -f passwordfile -N profilename -t gateway

    Note –

    In this mode the gateway binds to a plain (non-SSL) ServerSocket on the port specified as the HTTPS port in the gateway profile.

    The gateway performs no SSL encryption or decryption of the incoming client traffic; the accelerator does this.

    PDC is not functional in this mode.
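The following shell script is an added example and not part of this guide or the product: it checks the files that steps 5, 11 and 13 edit by hand (and, optionally, saved modutil output from step 9) before the gateway is restarted. The check_ca1000_config and write_sample_config functions, the --demo flag and the platform.conf.default file name in the constructed sample tree are assumptions of this example; on a live gateway, call check_ca1000_config with / as the base directory.

```shell
#!/bin/sh
# Added example (not from the Sun guide): validates the hand-edited files from the
# procedure above before the gateway restart, using the Table 15-1 defaults.
# check_ca1000_config BASE_DIR [MODULE_LIST_FILE]
#   BASE_DIR is prefixed to every path ("/" checks the live system);
#   MODULE_LIST_FILE is optional saved output of "modutil -list ..." (step 9).
# Returns 0 when every check passes; otherwise prints each failure and returns 1.
check_ca1000_config() {
    base=${1%/}; modlist=$2; rc=0
    slots="$base/etc/opt/SUNWconn/crypto/slots"
    nick="$base/etc/opt/SUNWportal/cert/default/.nickname"
    conf=$(ls "$base"/etc/opt/SUNWportal/platform.conf.* 2>/dev/null | head -n 1)
    # Step 5: slots must hold exactly one line, and that line must be crypta@sra.
    if [ ! -f "$slots" ] || [ "$(grep -c '' "$slots")" -ne 1 ] \
       || [ "$(head -n 1 "$slots")" != "crypta@sra" ]; then
        echo "FAIL: $slots must contain the single line crypta@sra"; rc=1
    fi
    # Step 11: the nickname must be qualified with the token name crypta@sra.
    if [ ! -f "$nick" ] || ! grep -qx 'crypta@sra:server-cert' "$nick"; then
        echo "FAIL: $nick must read crypta@sra:server-cert"; rc=1
    fi
    # Step 13: the first platform.conf.<profile> found must switch the accelerator on.
    if [ -z "$conf" ] || ! grep -qx 'gateway.enable.accelerator=true' "$conf"; then
        echo "FAIL: no platform.conf.<profile> under $base/ enables the accelerator"; rc=1
    fi
    # Step 9 (optional): saved modutil output should list the Sun Crypto Module.
    if [ -n "$modlist" ] && ! grep -q 'Sun Crypto Module' "$modlist"; then
        echo "FAIL: Sun Crypto Module not listed in $modlist"; rc=1
    fi
    return $rc
}
# write_sample_config BASE_DIR NICKNAME: constructed sample tree for a dry run;
# NICKNAME simulates step 11 done (crypta@sra:server-cert) or skipped (server-cert).
write_sample_config() {
    mkdir -p "$1/etc/opt/SUNWconn/crypto" "$1/etc/opt/SUNWportal/cert/default"
    printf 'crypta@sra\n' > "$1/etc/opt/SUNWconn/crypto/slots"
    printf '%s\n' "$2" > "$1/etc/opt/SUNWportal/cert/default/.nickname"
    printf 'gateway.enable.accelerator=true\n' > "$1/etc/opt/SUNWportal/platform.conf.default"
}
# Dry run on constructed trees: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_sample_config "$tmp/good" 'crypta@sra:server-cert'
    write_sample_config "$tmp/bad" 'server-cert'
    check_ca1000_config "$tmp/good" && echo "good tree: OK"
    check_ca1000_config "$tmp/bad" || echo "bad tree: rejected as expected"
    rm -rf "$tmp"
fi
```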