Sun Microsystems Sun Crypto Accelerator 4000 Installation And User Manual

Sun™ Crypto Accelerator 4000
Board Installation and User's Guide
Sun Microsystems, Inc.
4150 Network Circle
Santa Clara, CA 95054 U.S.A.
650-960-1300
Part No. 817-0431-10
May 2003, Revision A
Send comments about this document to: docfeedback@sun.com


Summary of Contents for Sun Microsystems Sun Crypto Accelerator 4000

  • Page 2 Sun, Sun Microsystems, the Sun logo, SunVTS, AnswerBook2, docs.sun.com, Sun ONE, Sun Enterprise, Sun Enterprise Volume Manager, Sun Fire, SunSolve, Netra, and Solaris are trademarks, registered trademarks, or service marks of Sun Microsystems, Inc. in the United States and other countries.
  • Page 3 Declaration of Conformity (Fiber MMF) Compliance Model Number: Venus-FI Product Family Name: Sun Crypto Accelerator 4000 - Fiber (X4012A) USA - FCC Class B This equipment complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: 1) This equipment may not cause harmful interference.
  • Page 4 As Telecommunication Network Equipment (TNE) in both Telecom Centers and Other Than Telecom Centers per (as applicable): EN300-386 V.1.3.1 (09-2001) Required Limits: EN55022/CISPR22 Class B EN61000-3-2 Pass EN61000-3-3 Pass Sun Crypto Accelerator 4000 Board Installation and User’s Guide • May 2003...
  • Page 5 This product was tested and complies with all the requirements for the CE Mark. Dennis P. Symanski, Manager, Compliance Engineering, Sun Microsystems, Inc., 4150 Network Circle, MPK15-102, Santa Clara, CA 95054, USA, Tel: 650-786-3255; Pamela J Dullaghan, Quality Program Manager, Sun Microsystems Scotland, Limited, Springfield, Linlithgow, West Lothian, EH49 7LR...
  • Page 7 FCC radio frequency emission limits. Networking connections can be made using unshielded twisted-pair (UTP) cables. Modifications: Any modifications made to this device that are not approved by Sun Microsystems, Inc. may void the authority granted to the user by the FCC to operate this equipment.
  • Page 8 ICES-003 Class B Notice - Avis NMB-003, Classe B This Class B digital apparatus complies with Canadian ICES-003...
  • Page 9 BSMI Class A Notice The following statement is applicable to products shipped to Taiwan and marked as Class A on the product compliance label.
  • Page 11: Table Of Contents

    Supported Cryptographic Algorithms 3 Bulk Encryption 4 Hardware Overview 5 IPsec Hardware Acceleration 5 Sun Crypto Accelerator 4000 MMF Adapter 6 LED Displays 6 Sun Crypto Accelerator 4000 UTP Adapter 7 LED Displays 8 Dynamic Reconfiguration and High Availability 9...
  • Page 12 Random Early Drop Parameters 30 PCI Bus Interface Parameters 32 Setting vca Driver Parameters 33 Setting Parameters Using the ndd Utility 33 To Specify Device Instances for the ndd Utility 33...
  • Page 13 To Set Driver Parameters Using a vca.conf File 38 Setting Parameters for All Sun Crypto Accelerator 4000 vca Devices With the vca.conf File 39 To Set Parameters for All Sun Crypto Accelerator 4000 vca Devices With the vca.conf File 40 Example vca.conf File 40...
  • Page 14 To Initialize the Sun Crypto Accelerator 4000 Board With a New Keystore 66 Initializing the Sun Crypto Accelerator 4000 Board to Use an Existing Keystore 67 To Initialize the Sun Crypto Accelerator 4000 Board to Use an Existing Keystore 68 Managing Keystores With vcaadm 69 Naming Requirements 69...
  • Page 15 Displaying Board Status 77 Loading New Firmware 78 Resetting a Sun Crypto Accelerator 4000 Board 78 Rekeying a Sun Crypto Accelerator 4000 Board 79 Zeroizing a Sun Crypto Accelerator 4000 Board 80 Using the vcaadm diagnostics Command 80 Using vcadiag 81...
  • Page 16 Configuring Sun ONE Web Server 6.0 for SSL 108 To Configure the Sun ONE Web Server 6.0 108 Configuring Apache Web Servers for Use With the Sun Crypto Accelerator 4000 Board 111 Enabling the Board for Apache Web Servers 112...
  • Page 17 Performance Specifications 140 Power Requirements 140 Interface Specifications 141 Environmental Specifications 141 SSL Configuration Directives for Apache Web Servers 143 Building Applications for Use With the Sun Crypto Accelerator 4000 Board 151 Software Licenses 153 Third Party License Terms 156...
  • Page 18 Manual Pages 161 Zeroizing the Hardware 163 Zeroizing the Sun Crypto Accelerator 4000 Hardware to the Factory State 163 To Zeroize the Sun Crypto Accelerator 4000 Board With the Hardware Jumper 164 Frequently Asked Questions 167 How Do I Configure the Web Server to Startup Without User...
  • Page 19 Front Panel Display LEDs for the UTP Adapter 8 TABLE 1-5 Hardware and Software Requirements 10 TABLE 1-6 Required Solaris 8 Patches for Sun Crypto Accelerator 4000 Software 11 TABLE 1-7 Files in the /cdrom/cdrom0 Directory 17 TABLE 2-1 Sun Crypto Accelerator 4000 Directories 19...
  • Page 20 TABLE A-3 Power Requirements 137 TABLE A-4 Interface Specifications 138 TABLE A-5 Environmental Specifications 138 TABLE A-6 Cat-5 Connector Link Characteristics 139 TABLE A-7 Physical Dimensions 140 TABLE A-8...
  • Page 21 Special Characters to Configure Cipher Preference 147 TABLE B-4 SSL Verify Client Levels 148 TABLE B-5 SSL Log Level Values 149 TABLE B-6 Available SSL Options 150 TABLE B-7 Sun Crypto Accelerator 4000 Online Manual Pages 161 TABLE E-1...
  • Page 23 Preface The Sun Crypto Accelerator 4000 Board Installation and User’s Guide lists the features, protocols, and interfaces of the Sun™ Crypto Accelerator 4000 board and describes how to install, configure, and manage the board in your system. This book assumes that you are a network administrator with experience configuring one or more of the following: Solaris™...
  • Page 24 Chapter 7 describes how to test the Sun Crypto Accelerator 4000 board with the SunVTS diagnostic application and the onboard FCode self-test. This chapter also provides troubleshooting techniques with OpenBoot PROM commands. Appendix A lists the specifications for the Sun Crypto Accelerator 4000 board.
  • Page 25 Typographic Conventions (Typeface, Meaning, Examples). AaBbCc123: the names of commands, files, and directories; on-screen computer output. Examples: Edit your .login file. Use ls -a to list all files. % You have mail. AaBbCc123: what you type, when contrasted with on-screen computer output. Example: Password: AaBbCc123: book titles, new words or terms,...
  • Page 26 Sun is interested in improving its documentation and welcomes your comments and suggestions. You can email your comments to Sun at: docfeedback@sun.com Please include the part number (817-0431-10) of your document in the subject line of your email...
  • Page 27: Product Overview

    Chapter: Product Overview This chapter provides an overview of the Sun Crypto Accelerator 4000 board, and contains the following sections: “Product Features” on page 1 “Hardware Overview” on page 5 “Hardware and Software Requirements” on page 10...
  • Page 28: Key Features

    Load balancing for RX packets among multiple CPUs Full flow control support (IEEE 802.3x) The Sun Crypto Accelerator 4000 boards are designed to comply with the security requirements for cryptographic modules as documented in the Federal Information Processing Standard (FIPS) 140-2, Level 3.
  • Page 29: Diagnostic Support

    SunVTS™ diagnostic tests Cryptographic Algorithm Acceleration The Sun Crypto Accelerator 4000 board accelerates cryptographic algorithms in both hardware and software. The reason for this complexity is that the cost of accelerating cryptographic algorithms is not uniform across all algorithms. Some cryptographic algorithms were designed specifically to be implemented in hardware, others were designed to be implemented in software.
  • Page 30: Bulk Encryption

    3DES SHA1 Bulk Encryption The Sun Crypto Accelerator 4000 bulk encryption feature for Sun ONE server software is disabled by default. You must manually enable this feature by creating a file and restarting the Sun ONE server software. To enable Sun ONE server software to use bulk encryption on the Sun Crypto...
  • Page 31: Hardware Overview

    Hardware Overview The Sun Crypto Accelerator 4000 hardware is a full size (4.2 inches x 12.283 inches) cryptographic accelerator PCI Gigabit Ethernet adapter that enhances the performance of IPsec and SSL on Sun servers. IPsec Hardware Acceleration The Sun Crypto Accelerator 4000 board encrypts and decrypts IPsec packets in hardware, offloading this high-overhead operation from the SPARC™...
  • Page 32: Sun Crypto Accelerator 4000 Mmf Adapter

    Sun Crypto Accelerator 4000 MMF Adapter The Sun Crypto Accelerator 4000 MMF adapter is a single-port Gigabit Ethernet fiber optics PCI bus card. It operates in 1000 Mbps Ethernet networks only. FIGURE 1-1 Sun Crypto Accelerator 4000 MMF Adapter. LED Displays...
  • Page 33: Sun Crypto Accelerator 4000 Utp Adapter

    Link up. Green Sun Crypto Accelerator 4000 UTP Adapter The Sun Crypto Accelerator 4000 UTP adapter is a single-port Gigabit Ethernet copper-based PCI bus card. It can be configured to operate in 10, 100, or 1000 Mbps Ethernet networks. Sun Crypto Accelerator 4000 UTP Adapter...
  • Page 34: Led Displays

    (Table continued) Link (no label): Amber. Link up: Green. Note – The service pack numbers (SP9 or SP1) are implied whenever Sun ONE Web Server 4.1 or 6.0 is mentioned...
  • Page 35: Dynamic Reconfiguration And High Availability

    Subsequent cryptographic requests are scheduled to the remaining boards. Note that the Sun Crypto Accelerator 4000 hardware provides a source for high-quality entropy for the generation of long-term keys. If all the Sun Crypto Accelerator 4000 boards within a domain or system are removed, long-term keys are generated with lower-quality entropy.
  • Page 36: Hardware And Software Requirements

    Environment for IPsec acceleration.) Required Patches Refer to the Sun Crypto Accelerator 4000 Board Release Notes for additional required patch information. The following patches may be required to run the Sun Crypto Accelerator 4000 board on your system. Solaris updates contain patches to previous releases. Use the showrev -p command to determine whether the listed patches have already been installed.
  • Page 37: Solaris 8 Patches

    Solaris 8 Patches The following tables list required and recommended Solaris 8 patches to use with this product. TABLE 1-7 lists and describes required patches. TABLE 1-7 Required Solaris 8 Patches for Sun Crypto Accelerator 4000 Software (Patch-ID, Description) 110383-01...
  • Page 39: Installing The Sun Crypto Accelerator 4000 Board

    Chapter: Installing the Sun Crypto Accelerator 4000 Board This chapter describes how to install the Sun Crypto Accelerator 4000 hardware and software. This chapter includes the following sections: “Handling the Board” on page 13 “Installing the Board”...
  • Page 40: Installing The Board

    Save the screw to hold the bracket in Step 5. 5. Holding the Sun Crypto Accelerator 4000 board by its edges only, take it out of the plastic bag and insert it into the PCI slot, and then secure the screw on the rear bracket.
  • Page 41 To determine whether the Sun Crypto Accelerator 4000 device properties are listed correctly: from the ok prompt, navigate to the device path and type .properties to display the list of properties. ok cd /pci@8,600000/network@1 ok .properties assigned-addresses 82000810 00000000 00102000 00000000 00002000...
  • Page 42: Installing The Sun Crypto Accelerator 4000 Software

    “Required Patches” on page 10 for more information. To Install the Software 1. Insert the Sun Crypto Accelerator 4000 CD into a CD-ROM drive that is connected to your system. If your system is running Sun Enterprise Volume Manager™, it should automatically mount the CD-ROM to the /cdrom/cdrom0 directory.
  • Page 43: Table 2-1 Files In The /Cdrom/Cdrom0 Directory

    (File or Directory, Contents) Copyright: U.S. copyright file. FR_Copyright: French copyright file. Docs: Sun Crypto Accelerator 4000 Board Installation and User’s Guide, Sun Crypto Accelerator 4000 Board Release Notes. Packages: Contains the Sun Crypto Accelerator 4000 software packages: Cryptography Kernel Components...
  • Page 44: Installing The Optional Packages

    To install only the optional packages that provide the SSL support for Apache Web Server and the cryptographic administration utility and libraries, type the following: # cd /cdrom/cdrom0/Packages # pkgadd -d . SUNWkcl2a SUNWkcl2m...
  • Page 45: Directories And Files

    TABLE 2-2 Sun Crypto Accelerator 4000 Directories (Directory, Contents) /etc/opt/SUNWconn/vca/keydata: Keystore data (encrypted). /opt/SUNWconn/cryptov2/bin: Utilities. /opt/SUNWconn/cryptov2/lib: Support libraries. /opt/SUNWconn/cryptov2/sbin: Administrative commands. FIGURE 2-1 shows the hierarchy of these directories and files...
  • Page 46 Note – Once you have installed the hardware and software of the board, you need to initialize the board with configuration and keystore information. Refer to “Initializing the Sun Crypto Accelerator 4000 Board With vcaadm” on page 65 for information on how to initialize the board.
  • Page 47: Removing The Software

    Sun Crypto Accelerator 4000 board is installed. Refer to the “Zeroizing a Sun Crypto Accelerator 4000 Board” on page 80 for details on the zeroize command. To delete the keystore files stored in the system, become superuser and remove the keystore files.
  • Page 48 Accelerator 4000 board, if SunVTS is already running it might be necessary to reprobe the system to update the available tests. See your SunVTS documentation for more information...
  • Page 49: Configuring Driver Parameters

    Configuring Driver Parameters This chapter describes how to configure the vca device driver parameters used by both the Sun Crypto Accelerator 4000 UTP and MMF Ethernet adapters. This chapter contains the following sections: “Sun Crypto Accelerator 4000 Ethernet Device Driver (vca) Parameters” on page 23 “Setting vca Driver Parameters”...
  • Page 50: Driver Parameter Values And Definitions

    (Parameter, Status, Description) enable-ipg0: Read and write, Enable additional delay before transmitting a packet. ipg0: Read and write, Additional delay before transmitting a packet. ipg1: Read and write, Interpacket Gap parameter...
  • Page 51: Advertised Link Parameters

    TABLE 3-1 vca Driver Parameter, Status, and Descriptions (Continued) (Parameter, Status, Description) ipg2: Read and write, Interpacket Gap parameter. rx-intr-pkts: Read and write, Receive interrupt blanking values. rx-intr-time: Read and write, Receive interrupt blanking values. red-dv4to6k: Read and write, Random early detection and packet drop vectors. Read and write, Random early detection and packet drop vectors...
  • Page 52: Table 3-2 Operational Mode Parameters

    TABLE 3-2 Operational Mode Parameters (Parameter, Description) The following parameter is for both the Sun Crypto Accelerator 4000 UTP and MMF adapters. adv-autoneg-cap: Local interface capability advertised by the hardware. 0 = Forced mode, 1 = Autonegotiation (default). The following parameter is for the Sun Crypto Accelerator 4000 MMF adapter only.
  • Page 53: Flow Control Parameters

    NOTICE: Last setting will leave vca0 with no link capabilities. WARNING: vca0: Restoring previous setting. Note – In the previous example, vca0 is the Sun Crypto Accelerator 4000 board device name where the string, vca, is used for every Sun Crypto Accelerator 4000 board.
  • Page 54: Gigabit Forced Mode Parameter

    If enable-ipg0 is disabled, the value of ipg0 is ignored and no additional delay is set. Only the delays set by ipg1 and ipg2 will be used. Disable enable-ipg0 if other systems keep sending a large number of continuous packets. Systems that...
  • Page 55: Table 3-5 Parameters Defining Enable-Ipg0 And Ipg0

    have enable-ipg0 enabled might not have enough time on the network. You can add the additional delay by setting the ipg0 parameter from 0 to 255, which is the media byte time delay. TABLE 3-5 defines the enable-ipg0 and ipg0 parameters. TABLE 3-5 Parameters Defining enable-ipg0 and ipg0 (Parameter...
  • Page 56: Interrupt Parameters

    6,144 bytes. Probability of drop can be programmed on a 12.5 percent granularity. For example, if bit 0 is set, the first packet out of every eight will be dropped in this region. (Default=0)...
  • Page 57 TABLE 3-8 RX Random Early Detecting 8-Bit Vectors (Continued) (Field Name, Values, Description) red-dv6to8k: 0 to 255, Random early detection and packet drop vectors when FIFO threshold is greater than 6,144 bytes and less than 8,192 bytes. Probability of drop can be programmed on a 12.5 percent granularity.
  • Page 58: Pci Bus Interface Parameters

    III based platforms, this parameter may be set to 1 by default. For UltraSPARC II based platforms, the default is 0. The values are 0 or 1 (Default=0, which enables 64-bit capability)...
  • Page 59: Setting Vca Driver Parameters

    # grep vca /etc/path_to_inst "/pci@8,600000/network@1" 0 "vca" "/pci@8,700000/network@1" 1 "vca" In the previous example, the three Sun Crypto Accelerator 4000 Ethernet instances are from the installed adapters. The instance numbers are 0 and 1. 2. Use the instance number to select the device.
  • Page 60: Noninteractive And Interactive Modes

    When you omit the -set option, a query operation is assumed and the utility queries the named driver instance, retrieves the value associated with the specified parameter, and prints it: # ndd /dev/vcaN parameter...
  • Page 61 Using the ndd Utility in Interactive Mode To modify a parameter value in interactive mode, specify ndd /dev/vca, as shown below. The ndd utility then prompts you for the name of the parameter: # ndd /dev/vcaN name to get/set? (Enter the parameter name or ? to view all parameters) After typing the parameter name, the ndd utility prompts you for the parameter value (see...
  • Page 62: Setting Autonegotiation Or Forced Mode

    (read and write) name to get/set ? Setting Autonegotiation or Forced Mode The following link parameters can be set to operate in either autonegotiation or forced mode: speed duplex link-clock...
  • Page 63: To Disable Autonegotiation Mode

    By default, autonegotiation mode is enabled for these link parameters. When either of these parameters are in autonegotiation mode, the vca device communicates with the link partner to negotiate a compatible value and flow control capability. When a value other than auto is set for either of these parameters, no negotiation occurs and the link parameter is configured in forced mode.
  • Page 64: Setting Parameters Using The Vca.conf File

    Variables defined in the previous section apply to known devices in the system. To set a variable for a Sun Crypto Accelerator 4000 board with the vca.conf file, you must know the following three pieces of information for the device: device name, device parent, and device unit address.
  • Page 65: Setting Parameters For All Sun Crypto Accelerator 4000 Vca Devices With The Vca.conf File

    Devices With the vca.conf File If you omit the device path name (parent name, node name, and the unit address), the variable is set for all instances of all Sun Crypto Accelerator 4000 Ethernet devices...
  • Page 66: To Set Parameters For All Sun Crypto Accelerator 4000 Vca Devices With The Vca.conf File

    # on boot, to get us to register with KCL2. This also prevents us from # being unloaded by the cleanup modunload -i 0. ddi-forceattach=1 ddi-no-autodetach=1; name="pci108e,3de8" parent="/pci@8,700000" unit-address="1" adv-autoneg-cap=0; adv-autoneg-cap...
  • Page 67: Enabling Autonegotiation Or Forced Mode For Link Parameters With The Openboot Prom

    link-clock: This parameter is applicable only if the speed parameter is set to 1000 or if you are using a 1000 Mbps MMF Sun Crypto Accelerator 4000 board. The value for this parameter must correspond to the value on the link partner. For example, if the local link has a value of master, the link partner...
  • Page 68 For example, if the link-clock value on the local link is set to master, the link-clock value on the link partner must be set to slave...
  • Page 69: Sun Crypto Accelerator 4000 Cryptographic And Ethernet Driver Operating Statistics

    You could also type the following at the OBP prompt to establish the same local link parameters as the previous example: ok boot net:speed=10 Refer to the IEEE 802.3 documentation for further details. Sun Crypto Accelerator 4000 Cryptographic and Ethernet Driver Operating Statistics This section describes the statistics presented by the kstat(1M) command.
  • Page 70: Ethernet Driver Statistics

    (long). noxmtbuf: Stable, Packets discarded on output because transmit buffer was busy, or no buffer could be allocated for transmit (long)...
  • Page 71: Table 3-14 Tx And Rx Mac Counters

    TABLE 3-14 describes the transmit and receive MAC counters. TABLE 3-14 TX and RX MAC Counters (Parameter, Description, Stable or Unstable) tx-collisions: Stable, 16-bit loadable counter increments for every frame transmission attempt that resulted in a collision. tx-first-collisions: Unstable, 16-bit loadable counter increments for every frame transmission that...
  • Page 72 rx-no-comp-wb: Unstable, Number of times the hardware cannot post completion entries for received data. rx-len-mismatch: Unstable, Number of received frames where the asserted length does not match the actual frame length...
  • Page 73: Table 3-15 Current Ethernet Link Properties

    The following Ethernet properties (TABLE 3-15) are derived from the intersection of device capabilities and the link partner capabilities. TABLE 3-15 describes the current Ethernet link properties. TABLE 3-15 Current Ethernet Link Properties (Parameter, Description, Stable or Unstable) ifspeed: Stable, 1000, 100, or 10 Mbps...
  • Page 74: Reporting The Link Partner Capabilities

    lp-cap-100hdx: Stable, 0 = No 100 Mbps half-duplex transmission, 1 = 1000 Mbps half-duplex. lp-cap-10fdx: Stable, 0 = No 10 Mbps full-duplex transmission, 1 = 10 Mbps full-duplex...
  • Page 75: Table 3-18 Driver-Specific Parameters

    TABLE 3-17 Read-Only Link Partner Capabilities (Continued) (Parameter, Description, Stable or Unstable) lp-cap-10hdx: Stable, 0 = No 10 Mbps half-duplex transmission, 1 = 10 Mbps half-duplex. lp-cap-asm-pause: Stable, 0 = Not asymmetric pause capable, 1 = Asymmetric pause towards link partner capability (See “Flow Control Parameters”...
  • Page 76 rx-nxt-drops: Unstable, Number of times a page with a split packet was dropped because the driver was unable to map a new one to replace it...
  • Page 77: To Check Link Partner Settings

    pci-parity-err: Unstable. pci-drto-err: Unstable, Number of times the delayed transaction retry time-out was reached. dma-mode: Unstable, Used by the Sun Crypto Accelerator 4000 driver (vca). To Check Link Partner Settings As superuser, type the kstat vca:N command: # kstat vca:N...
  • Page 78: Network Configuration

    If you want a setup that will remain the same after you reboot, create an /etc/hostname.vcaN file, where N corresponds to the instance number of the vca interface you plan to use...
  • Page 79 /etc/hostname.vca0 and /etc/hostname.vca1 cannot share the same host name. The following example shows the /etc/hostname.vca file required for a system named zardoz that has a Sun Crypto Accelerator 4000 board (zardoz-11). # cat /etc/hostname.hme0 zardoz # cat /etc/hostname.vca0 zardoz-11 3.
  • Page 81: Administering The Sun Crypto Accelerator 4000 Board With The Vcaadm And Vcadiag Utilities

    The vcaadm program offers a command-line interface to the Sun Crypto Accelerator 4000 board. Only users designated as security officers are allowed to use the vcaadm utility. When you first connect to a Sun Crypto Accelerator 4000 board with vcaadm, you are prompted to create an initial security officer and password.
  • Page 82: Modes Of Operation

    Displays help files for vcaadm commands and exit. vcaN Connects to the Sun Crypto Accelerator 4000 board that has N as the driver instance number. For example, -d vca1 connects to device vca1 where vca is a string in the board’s device name and 1 is the instance number of the device.
  • Page 83: Single-Command Mode

    In File mode, you must authenticate as security officer for every file you run. You are logged out of vcaadm after the commands in the command file are executed...
  • Page 84: Interactive Mode

    Ethernet address and an RSA public key. A trust database ($HOME/.vcaadm/trustdb) is created the first time vcaadm connects to a board. This file contains all of the boards that are currently trusted by the security officer...
  • Page 85: Logging In To A Board With Vcaadm

    Logging In to a New Board Note – The remaining examples in this chapter were created with the Interactive mode of vcaadm...
  • Page 86: Logging In To A Board With A Changed Remote Access Key

    Please select an action: 1. Abort this connection 2. Trust the board for this session only. 3. Replace the current trusted key with the new key. Your Choice -->...
  • Page 87: Vcaadm Prompt

    To disconnect from a board and logout, but remain in Interactive mode, use the logout command: vcaadm{vcaN@hostname, sec_officer}> logout vcaadm>...
  • Page 88: Table 4-3 Connect Command Optional Parameters

    Sun Crypto Accelerator 4000 board. You must first logout and then issue the connect command. Each new connection will cause vcaadm and the target Sun Crypto Accelerator 4000 firmware to renegotiate new session keys to protect the administrative data that is sent.
  • Page 89: Entering Commands With Vcaadm

    The vcaadm program has a command language that must be used to interact with the Sun Crypto Accelerator 4000 board. Commands are entered using all or part of a word (enough to uniquely identify that word from any other possibilities). Entering sh instead of show would work, but re is ambiguous because it could be reset or rekey.
  • Page 90: Getting Help For Commands

    Logout current session. quit: Exit vcaadm. rekey: Generate new system keys. reset: Reset the hardware. set: Set operating parameters. show: Show system settings. zeroize: Delete all keys and reset board...
  • Page 91: Quitting The Vcaadm Program In Interactive Mode

    Initializing the Sun Crypto Accelerator 4000 Board With vcaadm The first step in configuring a Sun Crypto Accelerator 4000 board is to initialize it. When you initialize a board, you must create a keystore; refer to “Concepts and Terminology” on page 86. You can either initialize the Sun Crypto Accelerator 4000 board with a new keystore or use a backup file to initialize the board to use an existing keystore.
  • Page 92: To Initialize The Sun Crypto Accelerator 4000 Board With A New Keystore

    Keystore Name: keystore_name 4. Select FIPS 140-2 mode or non-FIPS mode. When in FIPS mode the Sun Crypto Accelerator 4000 board is FIPS 140-2, level 3 compliant. FIPS 140-2 is a federal information processing standard that requires tamper-resistance and a high level of data integrity and security. Refer to the FIPS 140-2 document located at: http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf...
  • Page 93: Initializing The Sun Crypto Accelerator 4000 Board To Use An Existing Keystore

    Creating and restoring a backup file requires a password to encrypt and decrypt the data in the backup file. Refer to “Backing Up the Master Key” on page 74...
  • Page 94: To Initialize The Sun Crypto Accelerator 4000 Board To Use An Existing Keystore

    3. Verify the configuration information: Board restore parameters: ----------------------------------------------------- Path to backup file: /tmp/board-backup Keystore name: keystore_name ----------------------------------------------------- Is this correct? (Y/Yes/N/No) [No]: y Restoring data to crypto accelerator board...
  • Page 95: Managing Keystores With Vcaadm

    Alphanumeric, underscore (_), dash (-), and dot (.). First character: must be alphabetic. Password Requirements Password requirements vary based on the current set passreq setting (low, med, or high)...
  • Page 96: Setting The Password Requirements

    There may be more than one security officer for a keystore. Security officer names are known only within the domain of the Sun Crypto Accelerator 4000 board and do not need to be identical to any user name on the host system.
  • Page 97: Populating A Keystore With Users

    Caution – Users must remember their password. Without the password, users cannot access their keys. There is no way to retrieve a lost password.
  • Page 98: Listing Users And Security Officers

    User passwords may be changed through the PKCS#11 interface with the Sun ONE Web Server modutil utility. Refer to the Sun ONE Web Server documentation for modutil for details.
  • Page 99: Enabling Or Disabling Users

    To enable an account, enter the enable user command.
      vcaadm{vcaN@hostname, sec_officer}> enable user Tom
      User Tom enabled.
      vcaadm{vcaN@hostname, sec_officer}> enable user
      User name: web_admin
      User web_admin enabled.
  • Page 100: Deleting Users

    Backing Up the Master Key
    Keystores are stored on disk, encrypted with a master key. This master key is stored in the Sun Crypto Accelerator 4000 firmware and can be backed up by a security officer. To back up the master key, use the backup command. The backup command requires a path name to a backup file where the backup will be stored.
  • Page 101: Locking The Keystore To Prevent Backups

    Do you wish to lock the master key? (Y/Yes/N/No) [No]: y
    The master key is now locked.
  • Page 102: Managing Boards With Vcaadm

    Managing Boards With vcaadm This section describes how to manage Sun Crypto Accelerator 4000 boards with the vcaadm utility. Setting the Auto-Logout Time To customize the amount of time before a security officer is automatically logged out of the board, use the set timeout command. To change the auto-logout time, enter the set timeout command followed by a single number that is the number of minutes before a security officer is automatically logged out.
  • Page 103: Displaying Board Status

    Displaying Board Status
    To get the current status of a Sun Crypto Accelerator 4000 board, issue the show status command. This displays the hardware and firmware versions for that board, the MAC address of the network interface, the status (Up versus Down, speed, duplex, and so on) of the network interface, and the keystore name and ID.
  • Page 104: Loading New Firmware

    Loading New Firmware It is possible to update the firmware for the Sun Crypto Accelerator 4000 board as new features are added. To load firmware, issue the loadfw command and provide a path to the firmware file. A successful update of the firmware requires you to manually reset the board with the reset command.
  • Page 105: Rekeying A Sun Crypto Accelerator 4000 Board

    Rekey board? (Y/Yes/N/No) [No]: y
    Rekey of master key successful.
    Rekey of remote access key successful.
    Logging out.
  • Page 106: Zeroizing A Sun Crypto Accelerator 4000 Board

    The first method is with a hardware jumper; this form of zeroizing will return the Sun Crypto Accelerator 4000 board to its original factory state (failsafe mode). See “Zeroizing the Sun Crypto Accelerator 4000 Hardware to the Factory State”...
  • Page 107: Using Vcadiag

    Note – When using the [-DFKRZ] options, vcaN is the board’s device name, where N corresponds to the Sun Crypto Accelerator 4000 device instance number.
  • Page 108: Table 4-7 Vcadiag Options

    The following is an example of the -D option:
      # vcadiag -D vca0
      Running vca0 on-board diagnostics.
      Diagnostics on vca0 PASSED.
    The following is an example of the -F option:
      # vcadiag -F vca0
      5f26-b516-83b4-d254-a75f-c70d-0544-4de6
  • Page 109 The following is an example of the -Z option:
      # vcadiag -Z vca0
      Zeroizing device vca0, this may take a few minutes. Please be patient.
      Device vca0 zeroized.
  • Page 111: Configuring Sun One Server Software For Use With The Sun Crypto Accelerator 4000 Board

    Software for Use With the Sun Crypto Accelerator 4000 Board This chapter explains how to configure the Sun Crypto Accelerator 4000 board for use with Sun ONE Web Servers. This chapter includes the following sections: “Administering Security for Sun ONE Web Servers” on page 85 “Configuring Sun ONE Web Servers”...
  • Page 112: Concepts And Terminology

    (to reflect the organizations the user is supporting). Note – The term user or user account refers to Sun Crypto Accelerator 4000 users created in vcaadm, not traditional UNIX user accounts. There is no fixed mapping between UNIX user names and Sun Crypto Accelerator 4000 user names.
  • Page 113: Tokens And Token Files

    3. The file /etc/opt/SUNWconn/cryptov2/tokens If no token file exists, the Sun Crypto Accelerator 4000 software presents all tokens to Sun ONE Web Servers. Chapter 5 Configuring Sun ONE Server Software for Use With the Sun Crypto Accelerator 4000 Board...
  • Page 114: Enabling And Disabling Bulk Encryption

    /etc/opt/SUNWconn/cryptov2/ directory named sslreg, and restart the server software.
      # touch /etc/opt/SUNWconn/cryptov2/sslreg
    To disable the bulk encryption feature, you must delete the sslreg file and restart the server software.
      # rm /etc/opt/SUNWconn/cryptov2/sslreg
  • Page 115: Configuring Sun One Web Servers

    (keystore_name). This password consists of the username and password of a keystore user that was created in vcaadm. The keystore username and password are separated by a colon (:).
  • Page 116: Populating A Keystore

    Crypto Accelerator 4000 boards to collectively work with the same keystore to provide additional performance and fault-tolerance.
    To Populate a Keystore
    1. If you have not already done so, place the Sun Crypto Accelerator 4000 tools directory in your search path, for example:
      $ PATH=$PATH:/opt/SUNWconn/bin
      $ export PATH
    2.
  • Page 117: Overview For Enabling Sun One Web Servers

    ONE Web Server 4.1” on page 92. If you are using Sun ONE Web Server 6.0, go to “Installing and Configuring Sun ONE Web Server 6.0” on page 101.
  • Page 118: Installing And Configuring Sun One Web Server 4.1

    Agree to accept the license terms by typing yes. b. Enter a fully qualified hostname.domain. c. Enter the Sun ONE Web Server 4.1 Administration Server password twice. d. Press Return when prompted.
  • Page 119: To Create A Trust Database

    You might want to enable security on more than one web server instance. If so, repeat Step 1 through Step 4 for each web server instance.
  • Page 120 Refer to the iPlanet Web Server, Enterprise Edition Administrator’s Guide at http://docs.sun.com for more information.
    5. Execute the following script to enable the Sun Crypto Accelerator 4000 board:
      # /opt/SUNWconn/bin/iplsslcfg
    This script prompts you to choose a web server. It installs the Sun Crypto Accelerator 4000 cryptographic modules for the Sun ONE Web Server.
  • Page 121: To Generate A Server Certificate

    User ID or the Sun ONE Web Server 4.1 Administration Server user name. 3. Select OK. The Sun ONE Web Server 4.1 Administration Server window is displayed.
  • Page 122 CA URL link. Otherwise, select CA Email Address and enter an email address where you would like the certificate request to be sent.
  • Page 123: Table 5-2 Requestor Information Fields

    Note – The certificate is different from the certificate request and is usually presented to you in text form. Keep this data on the clipboard for Step 5 of the following section.
  • Page 124: To Install The Server Certificate

    2. Select the Security tab. 3. On the left pane, choose the Install Certificate link.
    FIGURE 5-2 The Install a Server Certificate Page of the Sun ONE Web Server 4.1 Administration Server
  • Page 125: Configuring Sun One Web Server 4.1 For Ssl

    2. If the Preferences tab is not selected at the top of the page, select the Preferences tab. 3. Select the Encryption On/Off link on the left side of the page.
  • Page 126 At the Module keystore_name prompt, enter the username:password for that keystore. Enter the username:password for other keystores as prompted. 12. Verify the new SSL-enabled web server at the following URL: https://hostname.domain:server_port/
  • Page 127: Installing And Configuring Sun One Web Server 6.0

    Except for the following prompts, you can accept the defaults for ease of use: a. Agree to accept the license terms by typing yes. b. Enter a fully qualified hostname.domain.
  • Page 128: To Create A Trust Database

    Server as well, the process of setting up a trust database is similar. Refer to the iPlanet Web Server, Enterprise Edition Administrator’s Guide at http://docs.sun.com for more information.
  • Page 129 7. Enter the path of the web server root directory when prompted and press Return.
      Please enter the full path of the web server root directory [/usr/iplanet/servers]: /usr/iplanet/servers
  • Page 130: To Generate A Server Certificate

    ID or the Sun ONE Web Server 6.0 Administration Server user name. 3. Select OK. The Sun ONE Web Server 6.0 Administration Server window is displayed.
  • Page 131 CA URL link. Otherwise, select CA Email Address and enter an email address where you would like the certificate request to be sent.
  • Page 132: Table 5-4 Requestor Information Fields

    Note – The certificate is different from the certificate request and is usually presented to you in text form. Keep this data on the clipboard for Step 5 of the “To Install the Server Certificate” on page 107.
  • Page 133: To Install The Server Certificate

    3. On the left pane, choose the Install Certificate link.
    FIGURE 5-4 Install a Server Certificate Page of the Sun ONE Web Server 6.0 Administration Server
  • Page 134: Configuring Sun One Web Server 6.0 For Ssl

    2. Select the Edit Listen Sockets link on the left pane. The main pane lists all the listen sockets set for the web server instance. a. Alter the following fields:
  • Page 135 11. Enter the passwords for the servers and select the OK button. You are prompted for one or more passwords. At the Module Internal prompt, provide the password for the web server trust database.
  • Page 136 At the Module keystore_name prompt, enter the username:password. Enter the username:password for other keystores as prompted. 12. Verify the new SSL-enabled web server at the following URL: https://hostname.domain:server_port/ Note – The default server_port is 443.
  • Page 137: Configuring Apache Web Servers For Use With The Sun Crypto Accelerator 4000 Board

    Caution – Do not configure Apache Web Server for use with the Sun Crypto Accelerator 1000 board and the Sun Crypto Accelerator 4000 at the same time. If both boards are configured to use the Apache Web Server at the same time, Apache will not work correctly.
  • Page 138: Enabling The Board For Apache Web Servers

    Enabling the Board for Apache Web Servers This section provides an overview of how to enable the Sun Crypto Accelerator 4000 board for use with Apache Web Servers. Enabling Apache Web Servers Apache Web Server 1.3.26 or later is required for use with the Sun Crypto Accelerator 4000 board.
  • Page 139 8. Provide the directory for storing the keys. If this directory does not exist, it is created.
      Where would you like the keys stored? [/etc/apache/keys]: /etc/apache/keys
    Chapter 6 Configuring Apache Web Servers for Use With the Sun Crypto Accelerator 4000 Board...
  • Page 140: Creating A Certificate

    There is no way to retrieve a lost pass phrase. Creating a Certificate The following procedure describes how to create the certificate required to enable Apache Web Servers to use the Sun Crypto Accelerator 4000 board.
  • Page 141: To Create A Certificate

      Organization Name (eg, company) []: Fictional Company, Inc.
      Organizational Unit Name (eg, section) []: Online Sales Division
      SSL Server Name (eg, www.company.com) []: www.fictional-company.com
      Email Address []: admin@fictional-company.com
  • Page 142 In the LoadModule section, add the following:
      LoadModule ssl_module /usr/apache/libexec/mod_ssl.so.version-number
    In the AddModule section, add the following:
      AddModule mod_ssl.c
    Note – The correct version-number will be displayed for your configuration.
  • Page 143 Apache" option after choosing "Work with Sun ONE and Apache keys" from the apsslcfg main menu. 4. Select 0 to quit when you finish with apsslcfg.
  • Page 144 8. Enter your PEM pass phrase when prompted for it. 9. Verify the new SSL-enabled web server with a browser by going to the following URL: https://server_name:server_port/ Note that the default server_port is 443.
  • Page 145: Diagnostics And Troubleshooting

    Supplement CD. Other, unbundled tests that use the SunVTS core are packaged with the driver software of the device tested. The Sun Crypto Accelerator 4000 board can be tested by three SunVTS tests. Two of those tests, nettest and netlbtest, are bundled with the core SunVTS software beginning with the release of SunVTS 5.1 Patch Set (PS) 2.
  • Page 146: Installing Sunvts Netlbtest And Nettest Support For The Vca Driver

    SunVTS packages shown in the Base SunVTS Software column. Do not remove the previously installed SunVTS packages before adding the required patch.
  • Page 147: Using Sunvts Software To Perform Vcatest, Nettest, And Netlbtest

    Using the patchadd command to install patch 113614-11 is the equivalent of replacing the previously installed SunVTS packages with the SunVTS5.1ps2 packages. The replacement packages are available at: http://www.sun.com/oem/products/vts/ The overlay patches are available at: http://sunsolve.sun.com/ Note – The required SunVTS packages and any required patches must be installed before the SUNWvcav package is installed.
  • Page 148 9. When you have made all selections, select Apply to remove the dialog box and return to the SunVTS Diagnostic main window. 10. Select Start to perform the selected tests. 11. Select Stop to stop all tests.
  • Page 149: Test Parameter Options For Vcatest

    Test Parameter Options for vcatest
    TABLE 7-2 describes the vcatest subtests.
    TABLE 7-2 vcatest Subtests
      Test Name | Description
      CDMF      | Tests CDMF bulk encryption.
      DES       | Tests DES bulk encryption.
      3DES      | Tests 3DES bulk encryption.
      RSA       | Tests RSA public and private keys.
      DSA       | Tests DSA signature verification.
      MD5       | Tests MD5 Message Digest/Digital Signature.
  • Page 150: To Perform Netlbtest

    3. Disable all tests by clearing their check boxes. 4. Select the check box for Network, then select the plus box for Network to display all tests in the Network group.
  • Page 151: To Perform Nettest

    5. Clear check boxes in the Network group that are not named vcaN(netlbtest). Note that N specifies the placement of the instance number of the device under test. If a vcaN(netlbtest) is displayed, then go to Step 6. If a vcaN(netlbtest) is not displayed, probe the system to find it by selecting Reprobe system in the Commands drop-down menu.
  • Page 152 7. After you have made all selections, select Apply from the Within Instance drop-down menu to change the selected instance of vcaN(nettest), or select Apply from the Across All Instances drop-down menu to change all checked instances of vcaN(nettest).
  • Page 153 This action removes the dialog box and returns you to the SunVTS Diagnostic main window. 8. Select one of the instances of vcaN(nettest), then right-click and drag to display the Test Execution Options dialog box. An alternate method of displaying Test Execution Options dialog box is to select the Options drop-down main menu;...
  • Page 154: Using Kstat To Determine Cryptographic Activity

    Displaying the kstat information indicates whether cryptographic requests or “jobs” are being sent to the Sun Crypto Accelerator 4000 board. A change in the jobs values over time indicates that the board is accelerating cryptographic work requests sent to the Sun Crypto Accelerator 4000 board.
  • Page 155: Using The Openboot Prom Fcode Self-Test

    Note – If the nostats property is defined in the /kernel/drv/vca.conf file, the capture and display of statistics will be disabled. This property may be used to help prevent traffic analysis. Using the OpenBoot PROM FCode Self-Test The following tests are available to help identify problems with the adapter if the system does not boot.
  • Page 156 5. Perform the self-test using the test command: The following tests are performed when the test command is executed:
      vca register test (happens only when diag-switch? is true)
      Internal loopback test
      link up/down test
  • Page 157 Note – The Sun Crypto Accelerator 4000 UTP adapter self-test for a 1000 Mbps connection is not supported for use with an external loopback cable because the link-clock cannot be reconciled. For this test, the local and remote ports must reconcile as clock master and clock slave.
  • Page 158: Troubleshooting The Sun Crypto Accelerator 4000 Board

    /pci@8,600000/SUNW,qlc@4/fp@0,0 In the preceding example, the /pci@8,600000/network@1 entry identifies the device path to the Sun Crypto Accelerator 4000 board. There will be one such line for each board in the system.
  • Page 159: Properties

    .properties
    To determine whether the Sun Crypto Accelerator 4000 device properties are listed correctly, from the OBP prompt, type .properties to display the list of properties.
      ok .properties
      assigned-addresses 82000810 00000000 00102000 00000000 00002000
                         81000814 00000000 00000400 00000000 00000100
                         82000818 00000000 00200000 00000000 00200000...
  • Page 160: Watch-Net

    The system monitors network traffic, displaying “.” each time it receives an error-free packet and “X” each time it receives a packet with an error that can be detected by the network hardware interface.
  • Page 161: Specifications

    Appendix Specifications This appendix lists the specifications for the Sun Crypto Accelerator 4000 MMF and UTP adapters. It contains the following sections: “Sun Crypto Accelerator 4000 MMF Adapter” on page 135 “Sun Crypto Accelerator 4000 UTP Adapter” on page 138...
  • Page 162: Table A-1 Sc Connector Link Characteristics (Ieee P802.3Z)

    SC connector (850 nm).
    TABLE A-1 SC Connector Link Characteristics (IEEE P802.3z)
      Characteristic  | 62.5 Micron MMF  | 50 Micron MMF
      Operating range | Up to 260 meters | Up to 550 meters
  • Page 163: Physical Dimensions

    Physical Dimensions
    TABLE A-2 Physical Dimensions
      Dimension | Measurement   | Metric Measurement
      Length    | 12.283 inches | 312.00 mm
      Width     | 4.200 inches  | 106.68 mm
    Performance Specifications
    TABLE A-3 Performance Specifications
      Feature                     | Specification
      PCI clock                   | 33/66 MHz max
      PCI data burst transfer rate | Up to 64-byte bursts
      PCI data/address width      | 32/64-bit
      PCI modes                   | ...
  • Page 164: Interface Specifications

    5 to 85% noncondensing 0 to 95% noncondensing
    Sun Crypto Accelerator 4000 UTP Adapter
    This section provides the specifications for the Sun Crypto Accelerator 4000 UTP adapter.
    Connectors
    FIGURE A-1 shows the connector for the Sun Crypto Accelerator 4000 UTP adapter.
  • Page 165: Table A-7 Cat-5 Connector Link Characteristics

    FIGURE A-2 Sun Crypto Accelerator 4000 UTP Adapter Connector
    TABLE A-7 lists the characteristics of the Cat-5 connector used by the Sun Crypto Accelerator 4000 UTP adapter.
    TABLE A-7 Cat-5 Connector Link Characteristics
      Characteristic  | Description
      Operating range | Up to 100 meters...
  • Page 166: Physical Dimensions

    1000 Mbps (full duplex)
    Power Requirements
    TABLE A-10 Power Requirements
      Specification             | Measurement
      Maximum power consumption | 6.25 W @ 5V; 12.75 W @ 3.3V
      Voltage tolerance         | 5V +/- 5%; 3.3V +/- 5%
  • Page 167: Interface Specifications

    Interface Specifications
    TABLE A-11 Interface Specifications
      Feature        | Specification
      PCI clock      | 33 MHz or 66 MHz
      Host interface | PCI 2.1 with support for 33 MHz or 66 MHz clock rate and 3.3V or 5V power
      PCI bus width  | 32 bits or 64 bits
    Environmental Specifications
    TABLE A-12 Environmental Specifications...
  • Page 169: Ssl Configuration Directives For Apache Web Servers

    SSL Configuration Directives for Apache Web Servers This appendix lists directives for using Sun Crypto Accelerator 4000 software to configure SSL support for Apache Web Servers. Configure directives in your http.conf file. Refer to the Apache Web Server documentation for more information.
  • Page 170: Table B-1 Ssl Protocols

      SSLv3 | Updated version of the SSL protocol, supported by most popular web browsers
      TLSv1 | Update to SSLv3 currently undergoing IETF standardization, with minimal browser support
      all   | Enable all protocols
  • Page 171 Using the plus (+) or minus (-) signs, protocols can be added or removed. For example, to disable support for SSLv2, the following directive could be used:
      SSLProtocol all -SSLv2
    The preceding statement is equivalent to:
      SSLProtocol +SSLv3 +TLSv1
    4. SSLCipherSuite cipher-spec
    Context: Global, virtual host, directory, .htaccess
    The SSLCipherSuite directive is used to configure which SSL ciphers are available for use and their preference.
  • Page 172: Table B-2 Available Ssl Ciphers

      MEDIUM | All 128-bit ciphers
      HIGH   | All ciphers using Triple DES
             | All ciphers using RSA key exchange
             | All ciphers using Diffie-Hellman key exchange
             | All ciphers using Ephemeral Diffie-Hellman key exchange
  • Page 173: Table B-4 Special Characters To Configure Cipher Preference

    TABLE B-3 SSL Aliases (Continued)
      Alias | Description
            | All ciphers using anonymous Diffie-Hellman key exchange
            | All ciphers using DSS authentication
      NULL  | All ciphers using no encryption
    The preference of ciphers can be configured using the special characters listed and described in TABLE B-4.
    TABLE B-4 Special Characters to Configure Cipher Preference...
  • Page 174: Table B-5 Ssl Verify Client Levels

    1 means that client certificates must be signed by a CA known directly to the server (through the SSLCACertificateFile). Larger values permit delegation of the CA. 12. SSLLog filename Context: Global, virtual host
  • Page 175: Table B-6 Ssl Log Level Values

    This directive specifies a log file where SSL-specific information will be logged. If not specified (default), then no SSL-specific information will be logged. 13. SSLLogLevel level Context: Global, virtual host This directive specifies the verbosity of the information logged in the SSL log file. Values for level are listed and described in TABLE B-6 SSL Log Level Values...
  • Page 176: Table B-7 Available Ssl Options

    This directive forbids access in a given directory unless HTTPS is used. Use the directive to guard against misconfigurations that might otherwise leave a directory's contents available to unauthenticated and unencrypted accesses.
  • Page 177: Building Applications For Use With The Sun Crypto Accelerator 4000 Board

    Appendix Building Applications for Use With the Sun Crypto Accelerator 4000 Board This appendix describes the software supplied with the Sun Crypto Accelerator 4000, which can be used to build OpenSSL-compatible applications to take advantage of the cryptographic acceleration features of the Sun Crypto Accelerator 4000 board.
  • Page 178 Most OpenSSL-compatible applications reference either or both of the libcrypto.a and libssl.a libraries. The Sun cryptographic libraries must also be included. The following linker attributes will accomplish this:
      -L/opt/SUNWconn/cryptov2/lib -R/opt/SUNWconn/cryptov2/lib \
      -lcrypto -lssl -lkcl
  • Page 179: Software Licenses

    Note – The third-party licenses and notices provided in this appendix are included exactly as they are provided by the owners of the software licenses and notices. Sun Microsystems, Inc. Binary Code License Agreement READ THE TERMS OF THIS AGREEMENT AND ANY PROVIDED SUPPLEMENTAL LICENSE TERMS COLLECTIVELY "AGREEMENT") CAREFULLY...
  • Page 180 Agreement; this is in accordance with 48 CFR 227.7201 through 227.7202-4 (for Department of Defense (DOD) acquisitions) and with 48 CFR 2.101 and 12.212 (for non-DOD acquisitions).
  • Page 181 Sun Microsystems, Inc. Supplemental Terms for Sun Crypto Accelerator 4000 These Supplemental Terms for the Sun Crypto Accelerator 4000 supplement the terms of the Binary Code License Agreement ("BCL"). Capitalized terms not defined herein shall have the meanings ascribed to them in the BCL. These Supplemental Terms will supersede any inconsistent or conflicting terms in the BCL.
  • Page 182: Third Party License Terms

    THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
  • Page 183 OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF...
  • Page 184 Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  • Page 185 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by Ralf S.
  • Page 187: Manual Pages

    Appendix Manual Pages This appendix provides descriptions of the Sun Crypto Accelerator 4000 board commands and lists the online manual pages for each. The commands in this appendix are included with the Sun Crypto Accelerator 4000 software.
  • Page 188: Table E-1 Sun Crypto Accelerator 4000 Online Manual Pages

      apsslcfg(1m)  | ... Apache Web Servers.
      iplsslcfg(1m) | iplsslcfg is the configuration utility for Sun ONE Web Servers.
  • Page 189: Zeroizing The Hardware

    Appendix Zeroizing the Hardware This appendix describes how to zeroize the Sun Crypto Accelerator 4000 board to the factory state, which is the failsafe mode for the board. Caution – You should use the procedures described in this appendix only if it is absolutely necessary.
  • Page 190: To Zeroize The Sun Crypto Accelerator 4000 Board With The Hardware Jumper

    0 and 1 pin set as shown in FIGURE F-1. Caution – You cannot use the Sun Crypto Accelerator 4000 board with the jumper on pins 0 and 1.
    FIGURE F-1 Sun Crypto Accelerator 4000 Board Jumper Block Pins
  • Page 191 6. Remove the jumper from pins 0 and 1 of the jumper block and store the jumper in the original location. 7. Power on the system. 8. Connect to the Sun Crypto Accelerator 4000 board with vcaadm. vcaadm prompts you for a path to upgrade the firmware. 9. Type /opt/SUNWconn/cryptov2/firmware/sca4000fw as the path for installing the firmware.
  • Page 193: Frequently Asked Questions

    Appendix Frequently Asked Questions How Do I Configure the Web Server to Startup Without User Interaction on Reboot? You can enable both Sun ONE and Apache Web Servers to perform an unattended startup at reboot with an encrypted key. To Create an Encrypted Key for Automatic Startup of Apache Web Servers on Reboot 1.
  • Page 194: To Create An Encrypted Key For Automatic Startup Of Sun One Web Servers On Reboot

    There are two methods to assign different MAC addresses to multiple boards in a single server. The first method is at the operating environment level, and the second is at the OpenBoot PROM (OBP) level.
  • Page 195: To Assign Different Mac Addresses From A Terminal Window

    To Assign Different MAC Addresses From a Terminal Window
    1. Enter the following command:
       # eeprom "local-mac-address?"=true
    Note – With the "local-mac-address?" parameter set to true, all nonintegrated network interface devices use the local MAC address assigned to the product at the manufacturing facility.
  • Page 196: How Do I Self-Sign A Certificate For Testing

    For Sun Crypto Accelerator 1000 version 1.1 software – Patch ID 113355-01. How Do I Self-Sign a Certificate for Testing? Refer to the mod_SSL and OpenSSL documentation for this procedure.
  • Page 197 Index SYMBOLS administrative commands, 19 adv-asmpause-cap, 27 $HOME/.vcaadm/trustdb, 58 adv-asmpause-cap parameter, 27 .properties command, 133 adv-autoneg-cap, 24 .u extension, 17 adv-autoneg-cap parameter, 24 /etc/apache/default.pass, 144 advertised link parameters, 25 /etc/apache/ adv-pause-cap, 27 servername.port.keytype.pass, 144 adv-pause-cap parameter, 27 /etc/driver_aliases file, 38 algorithms, 4 /etc/hostname.vcaN file, 53 alias read, 30...
  • Page 198 52 early detecting 8-bit vectors, 30 cryptographic activity, 128 early drop parameters, 30 cryptographic algorithm acceleration, 3 editing the network host files, 52
  • Page 199 enable-ipg0, 28 enable-ipg0 parameter, 28 gap parameters, 28 enabling Gigabit forced mode parameter, 28 Apache Web Servers, 112 Gigabit media independent interface (GMII), 47 Sun ONE Web Servers, 89 enabling Sun ONE Web Servers, 91 etc/apache/default.pass, 144 etc/apache/ hardware, 10 servername.port.keytype.pass, 144 hardware and software requirements, 10 etc/hostname.vcaN file, 53...
  • Page 200 165 modinfo command, 18 opt/SUNWconn/cryptov2/include, 151 optimize throughput, 9 optional packages, 17 descriptions, 17 installing, 18 name property, 23 naming requirements, 69 ndd utility, 33 network configuration, 52
  • Page 201 path names, 39 path_to_inst file, 38 packages pause capability, 27 optional, 17 required, 17 pause-off-threshold, 24 parallel-detection, 42 pause-off-threshold parameter, 24 parameter values PCI adapters, 23 how to modify and display, 34 PCI bus interface parameters, 32 parameters, 25 pci name property, 23 8-bit vectors, 30 PKCS#11 interface, 72 adv-asmpause-cap, 27...
  • Page 202 140 physical dimensions, 140 supported power requirements, 140 algorithms, 4 cryptographic algorithms, 3 speed= hardware, 10 10, 41 operating environments, 10 100, 41 platforms, 10 1000, 41
  • Page 203 software, 10 vca.conf file, example, 40 Solaris operating environments, 10 vcaadm SSL algorithms, 4 populating a keystore with security officers, 70 with users, 71 vcaadm backups, 74 token files, 87 changing passwords, 72 tokens, 87 character requirements, 69 transmit and receive pause capability, 27 command-line syntax, 56 deleting users, 74 transmit counters, 49...
  • Page 204 134 zeroize command, 163 zeroizing the hardware, 163
