Ensure that SRA has been installed and a gateway server certificate (self-signed or issued by any CA) has been installed. The following checklist helps you keep track of the required information before installing the SSL Accelerator.
Table 15–2 lists the Crypto Accelerator 4000 parameters and values.
Table 15–2 Crypto Accelerator 4000 Installation Checklist

Parameter | Value
---|---
Portal Server Secure Remote Access installation base directory | /opt
SRA instance | default
SRA certificate database path | /etc/opt/SUNWportal/cert/default
SRA server certificate nickname | server-cert
CA4000 keystore | srap
CA4000 keystore user | crypta
Follow the instructions in the user's guide to install the hardware and the software packages. See:
http://www.sun.com/products-n-solutions/hardware/docs/pdf/816-2450-11.pdf
Install the following patch (available from http://sunsolve.sun.com): 114795
Make sure that you have the tools certutil, pk12util and modutil.
These tools are installed under /usr/sfw/bin.
If the tools are not available in the /usr/sfw/bin directory, you need
to manually add the SUNWtlsu package from the Sun Java System distribution media:
Solaris_[sparc/x86]/Product/shared_components/
Initialize the board.
Run the /opt/SUNWconn/bin/vcaadm tool to initialize the crypto board and set the following values.
Initial Security Officer Name: sec_officer
Keystore name: sra-keystore
Run in FIPS 140-2 Mode: No
Create a user.
vcaadm{vca0@localhost, sec_officer}> create user
New user name: crypta
Enter new user password:
Confirm password:
User crypta created successfully.
Map token to the key store.
vi /opt/SUNWconn/cryptov2/tokens
and append sra-keystore to the file.
Enable bulk encryption.
touch /opt/SUNWconn/cryptov2/sslreg
Load the Sun Crypto module.
The environment variable LD_LIBRARY_PATH must point to /usr/lib/mps/secv1/
Type:
modutil -dbdir /etc/opt/SUNWportal/cert/default -add "Sun Crypto Module" -libfile /opt/SUNWconn/cryptov2/lib/libvpkcs11.so
You can verify that this module is loaded using the following command:
modutil -list -dbdir /etc/opt/SUNWportal/cert/default
Export the gateway certificate and key from the SRA certificate database, then import them into the "Sun Crypto Module" keystore.
The environment variable LD_LIBRARY_PATH must point to /usr/lib/mps/secv1/
pk12util -o servercert.p12 -d /etc/opt/SUNWportal/cert/default -n server-cert
pk12util -i servercert.p12 -d /etc/opt/SUNWportal/cert/default -h "sra-keystore"
You can verify that the key has been exported using the following command:
certutil -K -h "sra-keystore" -d /etc/opt/SUNWportal/cert/default
Change the nickname in the /etc/opt/SUNWportal/cert/default/.nickname file:
vi /etc/opt/SUNWportal/cert/default/.nickname
and replace server-cert with sra-keystore:server-cert
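The token-file edit, the nickname rewrite and the tool check above are the three places in this procedure where a typo silently breaks the gateway start (the wrong token name or an unqualified nickname simply means the key is not found). The following script is an added example, not part of the Sun documentation, that performs those edits idempotently so the procedure can be re-run safely; the function names and the use of argument paths instead of the fixed /opt/SUNWconn and /etc/opt/SUNWportal locations are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the Sun documentation): idempotent helpers for the
# file edits in the CA4000 procedure. Paths are passed as arguments so the
# functions can be exercised against constructed files; in production pass
# /opt/SUNWconn/cryptov2/tokens and /etc/opt/SUNWportal/cert/default/.nickname.

# check_tools DIR: verify certutil, pk12util and modutil exist in DIR
# (normally /usr/sfw/bin). Returns 1 and names each missing tool otherwise.
check_tools() {
    dir="$1"
    missing=0
    for t in certutil pk12util modutil; do
        if [ ! -x "$dir/$t" ]; then
            echo "missing $dir/$t (install the SUNWtlsu package)" >&2
            missing=1
        fi
    done
    return $missing
}

# append_token FILE TOKEN: add TOKEN as its own line in FILE unless it is
# already listed, so re-running the step never produces duplicate entries.
append_token() {
    file="$1"
    token="$2"
    [ -f "$file" ] || : > "$file"
    if grep -qx "$token" "$file"; then
        return 0
    fi
    printf '%s\n' "$token" >> "$file"
}

# qualify_nickname FILE NICK TOKEN: rewrite the single-line nickname file
# from NICK to TOKEN:NICK. A file that already holds TOKEN:NICK is left
# alone; any other content is refused rather than overwritten.
qualify_nickname() {
    file="$1"
    nick="$2"
    token="$3"
    current=$(cat "$file")
    case "$current" in
        "$token:$nick")
            return 0 ;;
        "$nick")
            printf '%s\n' "$token:$nick" > "$file" ;;
        *)
            echo "unexpected nickname '$current' in $file; not changed" >&2
            return 1 ;;
    esac
}
```

Run check_tools first; if it fails, install SUNWtlsu before continuing. The nickname helper refuses to touch a file whose content is neither the bare nickname nor the already-qualified form, which is the safer behaviour when several gateway instances share an administrator.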
Enable the ciphers for acceleration.
From a terminal window, restart the gateway:
./psadmin start-sra-instance -u amadmin -f passwordfile -N profilename -t gateway
The Gateway prompts you to enter the keystore password.
Enter Password or Pin for "sra-keystore":crypta:crypta-password
The gateway binds to a plain (non-SSL) ServerSocket on the port configured as the HTTPS port in the gateway profile.
The gateway itself performs no SSL encryption or decryption of incoming client traffic; the accelerator does this.
PDC is not functional in this mode.