Sun Java System Portal Server Secure Remote Access 7.2 Administration Guide

ProcedureTo Configure Crypto Accelerator 4000

  1. Follow the instructions in the user's guide to install the hardware and the software packages. See:

    http://www.sun.com/products-n-solutions/hardware/docs/pdf/816-2450-11.pdf

  2. Install the following patch (you can get it from http://sunsolve.sun.com): 114795

  3. Make sure that you have the tools certutil, pk12util and modutil.

    These tools are installed under /usr/sfw/bin.

    If the tools are not available in the /usr/sfw/bin directory, you need to manually add the SUNWtlsu package from the Sun Java System distribution media:

    Solaris_[sparc/x86]/Product/shared_components/

  4. Initialize the board.

    Run the /opt/SUNWconn/bin/vcaadm tool to initialize the crypto board and set the following values.

    Initial Security Officer Name: sec_officer

    Keystore name: sra-keystore

    Run in FIPS 140-2 Mode: No

  5. Create a user.

    vcaadm{vca0@localhost, sec_officer}> create user

    New user name: crypta

    Enter new user password:

    Confirm password:

    User crypta created successfully.

  6. Map token to the key store.

    vi /opt/SUNWconn/cryptov2/tokens

    and append sra-keystore to the file.

  7. Enable bulk encryption.

    touch /opt/SUNWconn/cryptov2/sslreg

  8. Load the Sun Crypto module.

    The environment variable LD_LIBRARY_PATH must point to /usr/lib/mps/secv1/

    Type:

    modutil -dbdir /etc/opt/SUNWportal/cert/default -add "Sun Crypto Module" -libfile /opt/SUNWconn/cryptov2/lib/libvpkcs11.so

    You can verify that this module is loaded using the following command:

    modutil -list -dbdir /etc/opt/SUNWportal/cert/default

  9. Export the gateway certificate and the key to the "Sun Crypto Module".

    The environment variable LD_LIBRARY_PATH must point to /usr/lib/mps/secv1/

    pk12util -o servercert.p12 -d /etc/opt/SUNWportal/cert/default -n server-cert

    pk12util -i servercert.p12 -d /etc/opt/SUNWportal/cert/default -h "sra-keystore"

    You can verify that the key has been exported using the following command:

    certutil -K -h "sra-keystore" -d /etc/opt/SUNWportal/cert/default

  10. Change the nickname in the /etc/opt/SUNWportal/cert/default/.nickname file:

    vi /etc/opt/SUNWportal/cert/default/.nickname

    Replace server-cert with sra-keystore:server-cert.

  11. Enable the ciphers for acceleration.

  12. From a terminal window, restart the gateway:

    ./psadmin start-sra-instance -u amadmin -f passwordfile -N profilename -t gateway

    The Gateway prompts you to enter the keystore password.

    Enter Password or Pin for "sra-keystore":crypta:crypta-password


    Note –

    The Gateway binds to a plain (non-SSL) ServerSocket on the port given as the HTTPS port in the gateway profile.

    No SSL encryption or decryption is done on the incoming client traffic; the accelerator does this.

    PDC is not functional in this mode.
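As an added example, not from the guide or the product, the POSIX shell script below checks steps 6, 8 and 9 of the procedure above from the tools' captured output and performs step 10 without double-prefixing the nickname. It assumes the paths and names used in the procedure; the sample modutil and certutil output it is written against is constructed, and the exact format of that output varies by NSS version.

```shell
#!/bin/sh
# Added example, not from the SRA guide: verify steps 6, 8 and 9 from the
# tools' output and perform step 10 without double-prefixing the nickname.
# Paths and names are the guide's; LD_LIBRARY_PATH is set as step 8 requires.
CERTDB=/etc/opt/SUNWportal/cert/default
TOKENS_FILE=/opt/SUNWconn/cryptov2/tokens
TOKEN=sra-keystore
MODULE="Sun Crypto Module"
NICK=server-cert

# Step 6: the keystore name must be present as a whole line in the tokens file.
token_mapped() {            # $1 = path to the tokens file
    [ -f "$1" ] && grep -qx "$TOKEN" "$1"
}

# Step 8: given the text of `modutil -list -dbdir $CERTDB`, succeed only when
# the module is listed and the sra-keystore token appears under it
# (assumed output format; check against your NSS version).
module_loaded() {           # $1 = modutil -list output
    printf '%s\n' "$1" | grep -q "$MODULE" &&
        printf '%s\n' "$1" | grep -q "$TOKEN"
}

# Step 9: given the text of `certutil -K -h $TOKEN -d $CERTDB`, succeed only
# when a private key for the gateway nickname is stored on the token.
key_on_token() {            # $1 = certutil -K output
    printf '%s\n' "$1" | grep -q "$TOKEN:$NICK"
}

# Step 10: point .nickname at the key on the token. Idempotent: a second run
# leaves sra-keystore:server-cert as is instead of prefixing it again.
set_nickname() {            # $1 = path to the .nickname file
    current=$(cat "$1") || return 1
    case "$current" in
        "$TOKEN:$NICK") return 0 ;;
        "$NICK")        printf '%s\n' "$TOKEN:$NICK" > "$1" ;;
        *) echo "unexpected nickname '$current' in $1" >&2; return 1 ;;
    esac
}

# Run the checks on the gateway host, then rewrite the nickname file.
# certutil -K prompts for the token PIN (user:password, as in step 12).
check_gateway() {
    LD_LIBRARY_PATH=/usr/lib/mps/secv1/; export LD_LIBRARY_PATH
    token_mapped "$TOKENS_FILE" || { echo "$TOKEN not in $TOKENS_FILE" >&2; return 1; }
    module_loaded "$(modutil -list -dbdir "$CERTDB")" \
        || { echo "$MODULE not loaded" >&2; return 1; }
    key_on_token "$(certutil -K -h "$TOKEN" -d "$CERTDB")" \
        || { echo "no key for $NICK on $TOKEN" >&2; return 1; }
    set_nickname "$CERTDB/.nickname"
}
```

Call check_gateway on the gateway host after step 9; the checks fail before the nickname file is touched if the token mapping, module or key is missing.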