Sun Oracle Sun Crypto Accelerator 6000 Board User Manual

Sun Crypto Accelerator 6000 Board Version 1.1
User's Guide
Part No.: E39851-01
February 2013


Summary of Contents for Sun Oracle Sun Crypto Accelerator 6000 Board

  • Page 1 Sun Crypto Accelerator 6000 Board Version 1.1 User’s Guide Part No.: E39851-01 February 2013...
  • Page 2 Copyright © 2006, 2013, Oracle and/or its affiliates. All rights reserved. This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means.
  • Page 3: Table Of Contents

    Contents: Regulatory Compliance Statements (xv); Preface (xix); Product Overview (1); Product Features (1); New Features in the 1.1 Release (2); Key Features (2); Financial Services Support (3); Supported Applications (3); Supported Cryptographic Protocols and Algorithms (3); Diagnostic Support (4); Cryptographic Algorithm Acceleration (4); Hardware Overview (5); LED Displays (6); Direct Input Devices (7)...
  • Page 4 Installing the Sun Crypto Accelerator 6000 Software on Linux Platforms Without the install Script 26 ▼ Install the Software Without the install Script 26 Directories and Files for Linux Platforms 27 Sun Crypto Accelerator 6000 Board User’s Guide for Version 1.1 • February 2013...
  • Page 5 ▼ Back Up the 1.0 Keystore 30 ▼ Restore the 1.0 Software and Firmware: 30 Administering the Sun Crypto Accelerator 6000 Board 33 Using the scamgr Utility 34 Device and Keystore Security Officers 34 scamgr Syntax 35 scamgr Options 35...
  • Page 6 ▼ Enable Users 63 ▼ Delete Users 63 ▼ Delete Security Officers 64 Backing Up Configuration and Keystore Data 64 ▼ Back Up a Device Configuration 64
  • Page 7 ▼ Back Up a Master Key 65 ▼ Backup A Keystore 66 Locking Keystores to Restrict Access 67 ▼ Lock a Master Key to Prevent Backups 67 ▼ Lock a Keystore To Restrict Access 68 ▼ Enable a Locked Keystore To Enable Access 68 ▼...
  • Page 8 Start the Board on a Linux Platform 95 scadiag Program 95 Configuring Centralized Keystores 97 Centralized Keystore Overview 97 Keystore Virtualization 98 Configuring Centralized Keystores 99
  • Page 9 Configuring the Directory Server With the scakscfg Utility 99 Configuring the scakiod Service to Use CKS 101 scakiod Service Configuration Options 102 ▼ Configure the scakiod Service to Use CKS (Oracle Solaris) 104 ▼ Configure the scakiod Service to Use CKS (Linux) 105 Configuring the scakiod Service to Use SSL With Simple Authentication ▼...
  • Page 10 ISO Format 1 135 PIN Calculation Methods 135 Visa PVV Method 135 IBM-3624 Method 136 Personal Account Number 136 PIN 136 PVKI 137 PIN Verify Function fs_pin_verify() 137
  • Page 11 PIN Translate Function fs_pin_translate() 138 Credit Card Processing Overview 140 Financial Services Library Function fs_card_verify(3) 140 Enabling the Financial Services Feature 141 ▼ Enable Financial Services 141 Administering Financial Services 142 Financial Services Security Officers 142 Direct Input Device 142 Setting Financial Services Mode 142 Administrative Commands 142 Developing PKCS#11 Applications for Use With the Sun Crypto Accelerator...
  • Page 12 Disable Unused Tokens 176 ▼ Pre-Set the Password for Tokens 176 ▼ Generate a Server Certificate 177 ▼ Install the Server Certificate 178 ▼ Deploy the Change 180
  • Page 13 Reenable Other Hardware Providers 199 Examining and Reporting Kernel Statistics 199 ▼ Determine Cryptographic Activity With the kstat Utility 200 Determining Cryptographic Activity on Linux Platforms 201 ▼ Determine Cryptographic Activity on Linux Platforms 201 Sun Crypto Accelerator 6000 Board Specifications 203
  • Page 14 Zeroizing the Sun Crypto Accelerator 6000 Hardware to the Factory State 223 ▼ Zeroize the Sun Crypto Accelerator 6000 Board With a Hardware Jumper 224 Financial Services Header File 227 Supported PKCS#11 Mechanisms 235 Index 239
  • Page 15: Regulatory Compliance Statements

    (UTP) cables. Modifications: Any modifications made to this device that are not approved by Sun Microsystems, Inc. may void the authority granted to the user by the FCC to operate this equipment. ICES-003 Class B Notice - Avis NMB-003, Classe B This Class B digital apparatus complies with Canadian ICES-003.
  • Page 17 BSMI Class A Notice The following statement is applicable to products shipped to Taiwan and marked as Class A on the product compliance label.
  • Page 19: Preface

    Preface This guide lists the features, protocols, and interfaces of the Sun Crypto Accelerator 6000 Board from Oracle and describes how to install, configure, and manage the board in your system. This guide assumes that you are a network administrator with experience configuring one or more of the following Oracle Solaris Operating System (OS) ■...
  • Page 20: Related Documentation

    Access to Oracle Support Oracle customers have access to electronic support through My Oracle Support. For information visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.
  • Page 23: Product Overview

    “Hardware and Software Requirements” on page 10 ■ Product Features The Sun Crypto Accelerator 6000 board is an 8-lane PCI Express based host bus adapter (HBA) that combines IPsec and SSL cryptographic acceleration with hardware security module (HSM) features. The Sun Crypto Accelerator 6000 board...
  • Page 24: New Features In The 1.1 Release

    Serial port for direct input administration interface ■ USB port for keystore backup and restore to USB mass storage devices ■
  • Page 25: Financial Services Support

    Note – IPsec cryptographic hardware acceleration is not supported on the current Linux distributions. Financial Services Support The Sun Crypto Accelerator 6000 board supports PIN and credit card related functionality, ensuring the security of sensitive customer data by performing the entire operation within the secure cryptographic boundary of the board. Specialized key management capabilities, and a new user library (libfinsvcs.so) and...
  • Page 26: Diagnostic Support

    Note that a few cryptographic algorithms can be performed by highly tuned software as quickly as they can be performed in dedicated hardware.
  • Page 27: Hardware Overview

    [167.64 mm] by 2.54 inches [64.41 mm]) 8-lane PCI Express based HBA that enhances the performance of IPsec and SSL, and provides robust security features. FIGURE 1-1 provides an illustration of the board. FIGURE 1-1 Sun Crypto Accelerator 6000 Board Chapter 1 Product Overview...
  • Page 28: Led Displays

    • Green if the card has been initialized by a security officer • Yellow in POST, DIAGNOSTICS, and FAILSAFE (firmware not upgraded) states • Flashing yellow when running DIAGNOSTICS. FIGURE 1-2 shows the location of the LEDs.
  • Page 29: Direct Input Devices

    FIGURE 1-2 LED Locations. Direct Input Devices The Sun Crypto Accelerator 6000 board has three direct input devices: an RJ-11 serial port, a USB port, and a Point of Presence button. Serial Port The six-wire RJ-11 port connector enables direct input administration. The port operates at a baud rate of 9600-8N1.
  • Page 30: Usb Port

    One such device tested is the Termiflex OT/30 hand-held terminal from Warner Power. A Termiflex OT/30 terminal has been configured specifically for use with the Sun Crypto Accelerator 6000 board and can be ordered directly from Warner Power using part number 99-3619-04001 (http://www.termiflex.com/).
  • Page 31: Dynamic Reconfiguration And High Availability

    JetFlash 2.0 USB Flash Drive from Transcend; DataTraveler 100 USB Flash Drive from Kingston; Attache Optima Pro High Speed USB 2.0 Drive from PNY. Point of Presence Button The Point of Presence button provides physical presence verification when pressed. The physical pressing of this button cannot be emulated remotely.
  • Page 32: Hardware And Software Requirements

    Required Patches Refer to the Sun Crypto Accelerator 6000 Board Product Notes for Version 1.1 (820-4145) for required patch information.
  • Page 33: Installing The Sun Crypto Accelerator 6000 Board

    Script” on page 21; “Removing the Software on Oracle Solaris Platforms Without the remove Script” on page 23; “Installing the Sun Crypto Accelerator 6000 Board on Linux Platforms” on page 24; “Directories and Files for Linux Platforms” on page 27...
  • Page 34: Handling The Board

    2. Locate an unused PCI slot (preferably an x8 PCI Express slot). 3. Attach an antistatic wrist strap to your wrist, and attach the other end to a grounded metal surface.
  • Page 35 Save the screw to hold the bracket in Step 5. 5. Holding the Sun Crypto Accelerator 6000 board by its edges only, take it out of the plastic bag and insert it into the PCI slot. 6. Secure the screw on the rear bracket.
  • Page 36: Installing The Sun Crypto Accelerator 6000 Software With The Install Script

    CD-ROM to the /cdrom/cdrom0 directory. If your system is not running Sun Enterprise Volume Manager, mount the CD-ROM as follows: # mount -F hsfs -o ro /dev/dsk/c0t6d0s2 /cdrom
  • Page 37 Solaris/install: Script that installs the software packages for both Oracle Solaris SPARC and x86 systems. This script is normally called by the main install script. Solaris/remove: Script that removes the software packages for Oracle Solaris SPARC and x86 systems. Chapter 2 Installing the Sun Crypto Accelerator 6000 Board...
  • Page 38 This program installs the software for the Sun Crypto Accelerator 6000, Version 1.1. Copyright 2007 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms.
  • Page 39 The Sun Crypto Accelerator 6000 Board User's Guide (820-4144) and the Sun Crypto Accelerator 6000 Board Release Notes (820-4145) can be found at: http://docs.oracle.com Please read and understand these documents prior to software installation. Do you wish to continue the installation? [y,n,?] y Checking for optional package dependencies...
  • Page 40: Directories And Files For Oracle Solaris Platforms

    Financial services man pages: /opt/SUNWsca/man; Services: /usr/lib/crypto; Firmware files: /usr/lib/crypto/firmware/sca; RCM scripts: /usr/lib/rcm/scripts; Man pages: /usr/man; Administration utilities: /usr/sbin; Keystore files (encrypted): /var/sca/keydata; Service log files: /var/sca/log
  • Page 41: Removing The Sun Crypto Accelerator 6000 Software On Oracle Solaris Platforms With The Remove Script

    “Removing the Software on Oracle Solaris Platforms Without the remove Script” on page ▼ Remove the Software With the remove Script on the CD-ROM 1. Insert the Sun Crypto Accelerator 6000 CD-ROM.
  • Page 42: For Oracle Solaris 11, Remove The Software With The Remove Script

    ▼ For Oracle Solaris 11, Remove the Software With the remove Script 1. Change to the Solaris11 directory. # cd Sun_Crypto_Acc_6000-1_1-u2-Solaris/Solaris11 2. Enter the following. # ./remove
  • Page 43: Installing The Software On Oracle Solaris Platforms Without The Installation Script

    This section describes how to install the software manually without using the installation script provided on the product CD. Refer to the latest version of the Sun Crypto Accelerator 6000 Board Product Notes for Version 1.1 (820-4145) for a list of the required patches. You must install all of the required patches before installing the main software.
  • Page 44 For Oracle Solaris x86 platforms, use the scanpci command. # /usr/X11/bin/scanpci pci bus 0x0082 cardnum 0x0e function 0x00: vendor 0x108e device 0x5ca0 Sun Microsystems Computer Corp. Device unknown
  • Page 45: Removing The Software On Oracle Solaris Platforms Without The Remove Script

    Caution – Do not delete a keystore that is currently in use or that is shared by other users and keystores. To free references to keystores, you might have to shut down the web server, administration server, or both.
  • Page 46: Remove The Software Without The Remove Script

    ▼ Remove the Software Without the remove Script Caution – Before removing the Sun Crypto Accelerator 6000 software, disable any web servers you have enabled for use with the Sun Crypto Accelerator 6000 board. Failure to do so leaves those web servers nonfunctional.
  • Page 47: Install The Sun Crypto Accelerator 6000 Hardware On Linux Platforms

    % lspci The output of the previous command should contain the following line: Network and computing encryption device: Sun Microsystems Computer Corp.: Unknown device 5ca0 ▼ Install the Sun Crypto Accelerator 6000 Software on Linux Platforms With the install Script 1.
  • Page 48: Installing The Sun Crypto Accelerator 6000 Software On Linux Platforms Without The Install Script

    2. Change to the appropriate directory for your platform and enter the following command: % rpm -i sun-sca6000-man-1.1-1.x86_64.rpm sun-sca6000-admin-1.1-1.x86_64.rpm sun-sca6000-var-1.1-1.x86_64.rpm sun-sca6000-config-1.1-1.x86_64.rpm sun-sca6000-1.1-1.x86_64.rpm sun-sca6000-firmware-1.1-1.x86_64.rpm
  • Page 49: Directories And Files For Linux Platforms

    libraries: /opt/sun/sca6000/lib; Man pages: /opt/sun/sca6000/man; Administration utilities and services and daemon executables: /opt/sun/sca6000/sbin; Support libraries: /opt/sun/sca6000/private/lib; Support libraries: /opt/sun/sca6000/private/lib64; openCryptoki plug-in files: /usr/local/lib/opencryptoki/stdll/; Keystore files (encrypted): /var/opt/sun/sca6000/keydata; Service lock files: /var/opt/sun/sca6000/lock
  • Page 50: Removing The Sun Crypto Accelerator 6000 Software On Linux Platforms

    All applications, such as Sun Java System and Apache Web Servers, that are using the board must be stopped before uninstalling the Sun Crypto Accelerator 6000 software.
  • Page 51: Remove The Software With The Remove Script

    1.x86_64.rpm sun-sca6000-admin-1.0-1.x86_64.rpm sun-sca6000-var-1.0-1.x86_64.rpm sun-sca6000-config-1.0-1.x86_64.rpm sun-sca6000-firmware-1.0-1.x86_64.rpm % rpm -e sun-sca6000 sun-sca6000-libs sun-sca6000-admin sun-sca6000-var sun-sca6000-config sun-sca6000-firmware Additionally, if no other components are using it on the system: % rpm -e sun-nss sun-nspr
  • Page 52: Migrating Back To Version 1.0 From 1.1

    1. While the 1.1 software and firmware is still running, log into the board as the device security officer using scamgr -D and type the zeroize command.
  • Page 53 7. From the 1.0 installation media, execute the install script to load the 1.0 software components. 8. Apply any 1.0 software and firmware patches that are necessary. Refer to the Sun Crypto Accelerator 6000 Board Product Notes for Version 1.1 (819-5537) at: http://docs.oracle.com/cd/E19321-01/index.html 9.
  • Page 55: Administering The Sun Crypto Accelerator 6000 Board

    CHAPTER Administering the Sun Crypto Accelerator 6000 Board This chapter provides an overview of administering the board on both Oracle Solaris and Linux platforms with the scamgr and scadiag utilities, and the scad and scakiod service daemons.
  • Page 56: Using The Scamgr Utility

    Configuring and enabling Multi-Admin mode; Performing keystore operations such as: Conversions between local and centralized keystores; Renaming and deleting keystores and master keys
  • Page 57: Scamgr Syntax

    Displays help files for scamgr commands and exits. -d device Connects to the Sun Crypto Accelerator 6000 board that has N as the driver instance number. For example, -d mca1 connects to device mca1, where mca is a string in the board’s device name and 1 is the instance number of the device.
  • Page 58: Modes Of Operation

    Note – To use scamgr, you must authenticate as security officer. How often you need to authenticate as security officer is determined by which operating mode you are using.
  • Page 59: Interactive Mode

    Begin each comment with a hash (#) character. If the File mode option is set, scamgr ignores any command-line arguments after the last option. The following example runs the commands in the deluser.scr file and answers all prompts in the affirmative: $ scamgr -f deluser.scr -y Chapter 3 Administering the Sun Crypto Accelerator 6000 Board...
  • Page 60: Scamgr Secure Communication

    Initializing the Board With scamgr The first step in configuring a Sun Crypto Accelerator 6000 board is to initialize it. There are two types of initialization. The first is board initialization and the second is keystore initialization. When you first connect to an uninitialized board with scamgr, you are prompted to perform a board initialization, which creates a device security officer (DSO) account.
  • Page 61: Board Initialization

    Note – Before an essential parameter is changed or deleted, or before a command is executed that might have drastic consequences, scamgr prompts you to enter Y, Yes, N, or No to confirm. These values are not case-sensitive; the default is No.
  • Page 62: Keystore Initialization

    This option can be used to recover a keystore when a board or host system is damaged, or to configure a second Sun Crypto Accelerator 6000 board to work with an existing keystore in a fault-tolerant architecture.
  • Page 63: Performing A Keystore Initialization To Use An Existing Keystore

    In addition, you might want to restore a Sun Crypto Accelerator 6000 board to the original keystore configuration. This section describes how to initialize a board to use an existing keystore that is stored in a backup file.
  • Page 64: Perform A Keystore Initialization And Use An Existing Keystore

    Note – If the backup file was created in Multi-Admin mode, authentication is required by multiple security officers assigned the Multi-Admin role. Enter the path to the backup file: /tmp/board-backup Password for restore file:
  • Page 65: Authentication And Logging In And Out With Scamgr

    Authentication and Logging In and Out With scamgr Only security officers can log into a Sun Crypto Accelerator 6000 board with this utility. It is not possible to log into a user account using scamgr. User accounts are for applications that use the card (for example, with the PKCS#11 interface).
  • Page 66: Log In To A Board With Scamgr

    3. Replace the trusted key with the new key ▼ Log In To a New Board Note – The remaining examples in this chapter were created with the Interactive mode of scamgr.
  • Page 67: Log In To A Board With A Changed Remote Access Key

    ▼ Log In To a Board With a Changed Remote Access Key When connecting to a board that has a changed remote access key, you must use scamgr to change the entry corresponding to the board in the trust database.
  • Page 68 If you are working in Interactive mode, you might want to disconnect from one board and connect to another board without completely exiting scamgr. ● Type the logout command. For example: scamgr{mcaN@hostname, sec-officer}> logout scamgr>
  • Page 69: Log In To Another Board

    (defaults to 6870). scamgr does not allow you to issue the connect command if you are already connected to a Sun Crypto Accelerator 6000 board. You must first log out and then issue the connect command. Each new connection causes scamgr and the target Sun Crypto Accelerator 6000 firmware to renegotiate new session keys to protect the administrative data that is sent.
  • Page 70: Quitting The Scamgr Utility

    The scamgr utility has a command language that must be used to interact with the Sun Crypto Accelerator 6000 board. You enter commands using all or part of a command (enough to uniquely identify that command from any other command).
  • Page 71: Scamgr Commands

    The dso option logs in as a device security officer rather than a keystore security officer. The default values for these arguments are the same as for the -h, -p, -d, and -k options (see TABLE 3-1
  • Page 72 (KSO only) Deletes the user named username from the keystore. All key material owned by the user is also deleted. Confirmation is requested unless the -y option is supplied when scamgr is started.
  • Page 73 This command does not identify the -y option. enable new-keystores: (DSO only) Enables new keystores to be created on the board. Keystore creation is enabled by default. enable user username: Enables the user named username in the keystore.
  • Page 74 Other boards working with the same keystore need to have this new master key loaded to be able to continue working with this keystore (see the zeroize command and the section on initialization).
  • Page 75 Multi-Admin role. set password: Changes the password for the currently logged-in security officer. To change passwords for keystore users, the PKCS#11 interface must be used. See Appendix
  • Page 76 show so: Shows all security officer accounts set for the keystore and whether they have the Multi-Admin role.
  • Page 77 Zeroizing a board does not delete the keystore file on the disk. Zeroizing a board without backing up its master key makes all data in the keystore that board was working with unrecoverable.
  • Page 78: Getting Help For Commands

    Logout current session; quit: Exit scamgr; rekey: Generate new system keys; rename: Rename data items; set: Set operating parameters; show: Show system settings; unlock: Unlock data items
  • Page 79: Managing Keystores With Scamgr

    Multiple Keystore Support The scamgr utility supports multiple keystores running on a single board. Keystores must be uniquely named. Each individual keystore contains its own set of security officers, users, and key objects.
  • Page 80: Naming Requirements

    63 characters for security officer names and user names; 32 characters for keystore names. Valid characters: Alphanumeric, underscore (_), dash (-), and dot (.). First character: Must be alphabetic.
  • Page 81: Password Requirements

    2. Type the set passreq command followed by low, med, or high. The following commands set the password requirements for a Sun Crypto Accelerator 6000 board to high: scamgr{mcaN@hostname, sec-officer}> set passreq high scamgr{mcaN@hostname, sec-officer}> set passreq Password security level (low/med/high): high
  • Page 82: Change Passwords

    There might be more than one security officer for a keystore. Security officer names are known only within the domain of the Sun Crypto Accelerator 6000 board and do not need to be identical to any user name on the host system.
  • Page 83: Populate A Keystore With Users

    User web-admin created successfully. scamgr{mcaN@hostname, sec-officer}> create user New user name: Tom Enter new user password: Confirm password: User Tom created successfully. Users must use this password when authenticating during a web server startup.
  • Page 84: List Users

    1. Start the scamgr utility. 2. Type the show so command. For example: scamgr{mcaN@hostname, sec-officer}> show so Security Officer Multi-Admin Role ---------------------------------------------------------------- sec-officer1 Enabled sec-officer2 Enabled sec-officer3 Enabled sec-officer4 Disabled ----------------------------------------------------------------
  • Page 85: Disable Users

    When enabling a user, the user name is optional. For example: scamgr{mcaN@hostname, sec-officer}> enable user Tom User Tom enabled. scamgr{mcaN@hostname, sec-officer}> enable user User name: web-admin User web-admin enabled. ▼ Delete Users 1. Start the scamgr utility.
  • Page 86: Delete Security Officers

    ▼ Back Up a Device Configuration This type of backup saves the global device configuration including FIPS 140-2 settings, DSO accounts and other settings. Only DSOs can perform this type of backup.
  • Page 87: Back Up A Master Key

    Enter a password to protect the data: Confirm password: Backup to /opt/SUNWconn/mca/backups/master.bak successful. 3. Set a password for the backup data. This password encrypts the master key in the backup file.
  • Page 88: Backup A Keystore

    1. Start the scamgr utility. 2. Type backup keystore /opt/backup-directory-name/bkup.data. The path name can be placed on the command line or if omitted, scamgr prompts you for the path name.
  • Page 89: Locking Keystores To Restrict Access

    Caution – Once this command is entered, all attempts to back up the master key will fail. This lock persists even if the master key is rekeyed. The only way to clear this setting is to delete the keystore from the Sun Crypto Accelerator 6000 board with the delete keystore command. (See...
  • Page 90: Lock A Keystore To Restrict Access

    After a reset or power cycle, a keystore that has been locked to prevent access can be accessed only if enabled by a KSO. 1. Start the scamgr utility. 2. Type enable keystore. For example: scamgr{mcaN@hostname, sec-officer}> enable keystore Keystore enabled.
  • Page 91: Disable A Locked Keystore To Prevent Access

    Otherwise, the board cannot be administered normally until the command times out. The following commands require multi-admin authentication: backup master-key; backup keystore; convert keystore; copy keystore; delete master-key; delete keystore
  • Page 92: Managing Multi-Admin Mode With Scamgr

    Multi-Admin role. scamgr{mcaN@hostname, sec-officer}> enable authmember sec-officer Added multi-admin role to Security Officer sec-officer. ▼ Remove a Security Officer From the Multi-Admin Role 1. Start the scamgr utility.
  • Page 93: Set The Minimum Number Of Security Officers Required To Authenticate Multi-Admin Commands

    Multi-Admin commands. scamgr{mcaN@hostname, sec-officer}> set multiadmin minauth 3 Multi-admin mode now requires 3 security officers to authenticate. ▼ Set a Multi-Admin Command Timeout 1. Start the scamgr utility.
  • Page 94: Enable Multi-Admin Mode

    Multi-Admin command timeout: 3 minutes ---------------------------------------------------------------- Is this correct? (Y/Yes/N/No) [No]: y The board is now in multi-admin mode. ▼ Disable Multi-Admin Mode 1. Start the scamgr utility.
  • Page 95: Add Additional Security Officers To The Multi-Admin Role

    This command will time out in 3 minutes. Update: Authenticated security officers: sec-officer1 Update: Authenticated security officers: sec-officer1 sec-officer3 Update: Authenticated security officers: sec-officer1 sec-officer3 sec-officer2 Added multi-admin role to Security Officer sec-officer4.
  • Page 96: Cancel A Multi-Admin Command Originated By The Initiating Security Officer

    NOTICE: Please wait while the other required 2 administrators authenticate this command. This command will time out in 3 minutes. Update: Authenticated security officers: sec-officer1
  • Page 97: Allow A Multi-Admin Command To Time Out

    This command will time out in 3 minutes. Update: Authenticated security officers: sec-officer1 Update: Authenticated security officers: sec-officer1 sec-officer2 Failed to remove role from Security Officer sec-officer4: Multi-Admin command timeout
  • Page 98: Log In To A Board During A Multi-Admin Command As A Security Officer Not In The Multi-Admin Role

    WARNING: Issuing this command will take the board out of multi-admin mode and return it to the single-administrator mode of authentication. Proceed with change? (Y/Yes/N/No) [No]: y Failed disabling Multi-admin mode: Unauthorized command ...
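The multi-admin pages above (set minauth, command timeout, additional officers authenticating, cancel, time out, an officer outside the role) describe an M-of-N approval protocol. The Python below is an added example that models that protocol as a small state machine; it is not code from scamgr or from the guide. The officer names, the simulated minute clock, and the exact message strings are constructed to mirror the transcripts on these pages.

```python
"""Simulation of scamgr multi-admin command approval.

Added example, not code from the Sun Crypto Accelerator 6000 software or its
guide. Officer names, the simulated minute clock and the message texts are
constructed to mirror the transcripts in this chapter."""
from dataclasses import dataclass, field
from typing import Optional


class MultiAdminError(Exception):
    """Authentication or command rejected by the (simulated) board."""


@dataclass
class PendingCommand:
    name: str
    initiator: str
    started_at: int                      # simulated clock, in minutes
    authenticated: list = field(default_factory=list)


@dataclass
class Board:
    multi_admin_officers: set            # officers holding the multi-admin role
    minauth: int = 3                     # "set multiadmin minauth N"
    timeout_minutes: int = 3             # "set multiadmin timeout N"
    pending: Optional[PendingCommand] = None


def set_minauth(board: Board, n: int) -> str:
    board.minauth = n
    return f"Multi-admin mode now requires {n} security officers to authenticate."


def initiate(board: Board, officer: str, command: str, now: int) -> str:
    """The initiating officer issues a command; it stays pending until
    minauth officers have authenticated or the timeout elapses."""
    if officer not in board.multi_admin_officers:
        raise MultiAdminError(f"Failed {command}: Unauthorized command")
    if board.pending is not None:
        raise MultiAdminError("a multi-admin command is already pending")
    board.pending = PendingCommand(command, officer, now, [officer])
    return (f"NOTICE: Please wait while the other required {board.minauth - 1} "
            f"administrators authenticate this command. This command will "
            f"time out in {board.timeout_minutes} minutes.")


def authenticate(board: Board, officer: str, now: int) -> str:
    """Another officer logs in to the board while the command is pending."""
    cmd = board.pending
    if cmd is None:
        raise MultiAdminError("no multi-admin command pending")
    if now - cmd.started_at >= board.timeout_minutes:
        board.pending = None             # a late approval cannot revive it
        raise MultiAdminError(f"Failed {cmd.name}: Multi-Admin command timeout")
    if officer not in board.multi_admin_officers:
        raise MultiAdminError("Unauthorized command")   # may log in, cannot approve
    if officer not in cmd.authenticated:                # a repeat login counts once
        cmd.authenticated.append(officer)
    names = " ".join(cmd.authenticated)
    if len(cmd.authenticated) >= board.minauth:
        board.pending = None
        return f"Executed {cmd.name} (authenticated by {names})"
    return f"Update: Authenticated security officers: {names}"


def cancel(board: Board, officer: str) -> str:
    """Only the officer who initiated the command may cancel it."""
    cmd = board.pending
    if cmd is None or officer != cmd.initiator:
        raise MultiAdminError("Unauthorized command")
    board.pending = None
    return f"Cancelled {cmd.name}"


def demo() -> list:
    """Replay the chapter's scenarios; returns the transcript lines."""
    role = {"sec-officer1", "sec-officer2", "sec-officer3"}   # sec-officer4 is outside the role
    out, b = [], Board(role)
    out.append(set_minauth(b, 3))
    out.append(initiate(b, "sec-officer1", "add multiadmin role sec-officer4", now=0))
    out.append(authenticate(b, "sec-officer3", now=1))
    out.append(authenticate(b, "sec-officer2", now=2))       # quorum reached
    out.append(initiate(b, "sec-officer1", "remove multiadmin role sec-officer4", now=10))
    try:
        authenticate(b, "sec-officer2", now=13)              # 3 minutes elapsed
    except MultiAdminError as e:
        out.append(str(e))
    try:
        initiate(b, "sec-officer4", "disable multiadmin", now=20)
    except MultiAdminError as e:
        out.append(str(e))
    return out


if __name__ == "__main__":
    print("\n".join(demo()))
```

The point the model makes explicit is that the timeout is enforced at the moment the next officer authenticates, that a repeat login by an already counted officer does not advance the quorum, and that an officer outside the role is refused even though they can log in to the board.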
  • Page 99: Managing Boards With Scamgr

    The following command changes the auto-logout time for a security officer to 10 minutes: scamgr{mcaN@hostname, sec-officer}> set timeout 10 ▼ Display Board Status 1. Start the scamgr utility by logging in as a DSO. ...
  • Page 100: Load New Firmware

    * Multiadmin Timeout: 5 Minutes ------------------------------------------------------------- ▼ Load New Firmware You can update the firmware for the Sun Crypto Accelerator 6000 board as new features are added. 1. Start the scamgr utility by logging in as a DSO. 2. Type load firmware path-name.
  • Page 101: Reset The Board

    You are asked if this is what you want to do. Resetting a Sun Crypto Accelerator 6000 board might temporarily cease the acceleration of cryptography on the system unless there are other active Sun Crypto Accelerator 6000 boards able to take over the load.
  • Page 102 Rekey of master key successful. Rekey of remote access key successful. Logging out. 4. Back up the master key to enable disaster recovery (see “Back Up a Master Key” on page ...
  • Page 103: Perform A Software Zeroize On The Board

    PCI bus, the DMA controller, and other hardware internals. Tests for the cryptographic subsystem cover random number generators and cryptographic accelerators. Tests on the network subsystem cover the sca device. 1. Start the scamgr utility. ...
  • Page 104: Direct Board Administration

    ■ cancel uwk ■ delete dectable ■ delete kek ■ delete mfk ■ delete uwk ■ load dectable ■ load kek ■ load mfk ...
  • Page 105: Usb Backup Support

    UWK is entered with the local interface and must be entered using split knowledge procedures. The number of key components must be at least two. The security officer who initiates the UWK entry must set the UWK. ...
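The split-knowledge rule stated above (a key is entered as at least two components, each held by a different officer) is easiest to see in code. The Python below is an added example, not code from the board's firmware or from the guide. It assumes a 24-byte TDES-length key, the DES odd-parity convention for each component, and a parity check on entry; the 3DES key check value a payment HSM would also display is left out.

```python
"""Split-knowledge key-component entry, as used for the UWK.

Added example, not code from the Sun Crypto Accelerator 6000 software. It
models the rule that a clear key is entered as two or more components, each
held by a different security officer, and exists in full only after all
components are combined inside the device. The 24-byte length, the odd-parity
convention for components and the parity check on entry are assumptions of
this example."""
import secrets

COMPONENT_LEN = 24   # assumed: a 192-bit TDES key


def with_odd_parity(key: bytes) -> bytes:
    """Set bit 0 of every byte so the byte has odd parity (DES convention)."""
    out = bytearray()
    for b in key:
        high = b & 0xFE
        out.append(high | (0 if bin(high).count("1") % 2 else 1))
    return bytes(out)


def has_odd_parity(key: bytes) -> bool:
    return all(bin(b).count("1") % 2 == 1 for b in key)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n: int) -> list:
    """Produce n components whose XOR is key. The first n-1 are fresh random
    values, so any n-1 of the components together are independent of the key."""
    if n < 2:
        raise ValueError("split knowledge requires at least two components")
    if len(key) != COMPONENT_LEN:
        raise ValueError("unexpected key length")
    parts = [with_odd_parity(secrets.token_bytes(COMPONENT_LEN)) for _ in range(n - 1)]
    last = key
    for p in parts:
        last = _xor(last, p)
    # Parity bits carry no key material, so the last component can be
    # parity-adjusted as well; the combiner restores parity on the result.
    parts.append(with_odd_parity(last))
    return parts


def combine_components(parts: list) -> bytes:
    """What the device does once every officer has entered a component."""
    if len(parts) < 2:
        raise ValueError("at least two key components must be entered")
    if any(len(p) != COMPONENT_LEN for p in parts):
        raise ValueError("all components must be the same length")
    if not all(has_odd_parity(p) for p in parts):
        raise ValueError("component parity error: re-enter the component")
    key = parts[0]
    for p in parts[1:]:
        key = _xor(key, p)
    return with_odd_parity(key)
```

Because the first n-1 components are drawn from the OS CSPRNG, no officer's component (or any proper subset of them) leaks anything about the key; the parity check on entry catches a mistyped component before it silently corrupts the combined key.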
  • Page 106 Keystore: ks.600002 Multi-Admin: No ------------------------- Correct? (Y/N) [No]: y Restoring data to crypto accelerator board. Please be patient. Initialization complete. Key Fingerprint: c421-2fe8-00ff-1d03-97cf-9ff7-c7ff-d370-d074-fd4a Security Officer Login: ...
  • Page 107: Using The Scadiag Utility

    [-m] [online|offline] mcaN ■ Note – In the scadiag option examples in this section, mcaN is the board’s device name where N corresponds to the Sun Crypto Accelerator 6000 device instance number. ...
  • Page 108: Scadiag Options

    Loads the firmware file fw-file onto device. This command works only when the board is uninitialized. To upgrade firmware on an initialized board, use the scamgr(1m) command. Displays the version information for scadiag. ...
  • Page 109: Scadiag Option Examples

    # scadiag -b sca6000fw_bootstrap mcaN Updating bootstrap firmware on mca0 this may take a few minutes. Please be patient. ** DO NOT INTERRUPT PROCESS ** Bootstrap firmware update complete. Reset required to activate new bootstrap. ...
  • Page 110 00010001 The following is an example of the -l option: # scadiag -l mca/0 mca/1 # scadiag -l mca0 Device mca1: State : Online Status : Initialized ...
  • Page 111 Use is subject to license terms. The following is an example of the -z option: # scadiag -z mca0 Zeroizing device mca0, this may take a few minutes. Please be patient. Device mca0 zeroized. ...
  • Page 112: Managing Services For Oracle Solaris Platforms

    # svcadm enable scakiod # svcadm disable scad # svcadm disable scakiod You can specify both services in a single command to start both simultaneously. # svcadm enable scad scakiod ...
  • Page 113: Service Configuration Parameters

    The hostbind property is undefined by default, so the default behavior for this service is to bind to all interfaces. To bind the service to a specific hostname or IP address, you must define the hostbind property. ...
  • Page 114: List Service Configuration Parameters

    NOTICE config/keystoredir astring /var/sca/keydata config/logfile astring /var/sca/log/scakiod.log config/value_authorization astring solaris.smf.manage.sca tm_common_name template tm_common_name/C ustring "Sun Crypto Accelerator" tm_man_scakiod template ...
  • Page 115: Modify Service Configuration Parameters

    Enable these algorithms as needed by adding entries to /kernel/drv/mca.conf file. One example for enabling certain algorithms is to use them with sensitive keys protected by the board. ▼ Enable the SHA-512 Algorithm ● Add enable-sha512=1; to the /kernel/drv/mca.conf file. ...
  • Page 116: Enable The Rc2 Cbc Algorithm

    Administering the board on Linux platforms is similar to administering it on the Oracle Solaris OS as described in this chapter. The differences are given in this section. ...
  • Page 117: Scamgr Program

    Do not start or stop these daemons manually. Stop and start the board to stop and start these daemons (see “Stop the Board on a Linux Platform” on page 95 and “Start the Board on a Linux Platform” on page ...
  • Page 119: Configuring Centralized Keystores

    C H A P T E R Configuring Centralized Keystores This chapter describes how to configure centralized keystores and enable access to a common repository of key material from multiple Sun Crypto Accelerator 6000 boards. This chapter includes the following sections: “Centralized Keystore Overview”...
  • Page 120: Keystore Virtualization

    The most important component of the CKS is the repository itself, an LDAP server such as the Sun Java System Directory Server. Install this component according to the product documentation. ...
  • Page 121: Configuring Centralized Keystores

    (RDNs), and importing the base objects and access control directives for CKS. The Sun Crypto Accelerator 6000 board provides the scakscfg utility for configuring the Sun Java System Directory Server to support centralized keystores. This utility is located at /usr/sbin/scakscfg (Oracle Solaris) or at /opt/sun/sca6000/sbin/scakscfg (Linux).
  • Page 122 Root CA certificates used to validate the SSL certificate provided by the directory server, or a specific file containing one or more CA certificates. ...
  • Page 123: Configuring The Scakiod Service To Use Cks

    The following example configures the directory server on host centks and places the centralized keystore under the DN o=SUN,c=US. The following example then creates an agent named agent1 that uses a password for authentication. > /usr/sbin/scakscfg -b "o=SUN,c=US" -D "cn=Directory Manager" -h iplds config Bind password for cn=Directory Manager: modifying entry cn=schema modifying entry cn=userRoot,cn=ldbm database,cn=plugins,cn=config...
  • Page 124: Scakiod Service Configuration Options

    (SSL client certificate authentication). simple authentication can be done over clear-text LDAP or LDAP over SSL. Client certificate (clientauth) authentication can be done only over SSL. The default setting is simple. ...
  • Page 125 TABLE 4-2 scakiod Service Configuration Options (Continued) Property Name Description certdb – Specifies the SSL certificate database path. If scakiod is going to communicate with the LDAP server over SSL, you must create a certificate database in this directory. If SSL is not configured, this property is ignored and does not need to be set.
  • Page 126: Configure The Scakiod Service To Use Cks (Oracle Solaris)

    3. Restart the server with the svcadm utility: # svcadm restart scakiod ...
  • Page 127: Configure The Scakiod Service To Use Cks (Linux)

    ▼ Configure the scakiod Service to Use CKS (Linux) 1. Edit the /etc/opt/sun/sca6000/scakiod.conf file. The following example configures the scakiod service to communicate with LDAP host centks with password-based (simple) authentication. Below are examples of entries in scakiod.conf that must be modified. serverlist ldap://cks-host binddn...
  • Page 128 4. (Oracle Solaris) Change the URL for the LDAP server in the serverlist to indicate that it is using SSL # svccfg -s scakiod setprop config/serverlist=astring: ldaps://host[:port] ...
  • Page 129: Configuring The Scakiod Service To Use Ssl With Client Certificate Authentication

    5. (Linux) Edit the /etc/opt/sun/sca6000/scakiod.conf file modifying the serverlist property as follows: serverlist ldaps://host[:port] 6. (Oracle Solaris) Restart the scakiod service so the new values take effect. # svcadm restart scakiod 7. (Linux) Stop and start the sca services. /etc/init.d/sca stop /etc/init.d/sca start Configuring the scakiod Service to Use SSL With Client Certificate Authentication...
  • Page 130 DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD! Continue typing until the progress meter is full: |************************************************************| Finished. Press enter to continue: Generating key. This may take a few moments... ...
  • Page 131 5. (Linux) Use the certutil utility to create a key and certificate request. # certutil -R -d /var/opt/sun/sca6000/private -s <BINDDN> -g 1024 -a -o /var/sca/private/certreq.pem Enter Password or Pin for "NSS Certificate DB": A random seed must be generated that will be used in the creation of your key.
  • Page 132: Adding The Certificate To The Agent Entry In The Directory Server

    Once the agent entry exists, add the certificate to the entry with the ldapmodify command. 1. Create a modification file with the following info: dn: cn=agent-dn changetype: modify replace: usercertificate;binary usercertificate;binary: /var/sca/private/cert.der ...
  • Page 133 Note – The value for agent-dn must be the same as the value in the binddn SMF property for the scakiod service. 2. Use ldapmodify to alter the agent entry and add the certificate: # ldapmodify -h host -b -D dir-adm-dn < modfile modifying entry cn=geeky,ou=Agents,ou=scakeystore,o=SUN,c=US Note –...
  • Page 134: Configuring The Board To Join A Centralized Keystore

    3. Set the password for the agent in the password configuration file specified by the passfile configuration property. 4. Set the serverlist, basedn, binddn, and authtype for the scakiod service. ...
  • Page 135 5. Restart the scakiod service. From the system where the backup file was saved, use scamgr to remotely connect to the target machine and board. When the Select Keystore screen is given, choose Load Keystore from Backup and provide the backup file saved previously.
  • Page 136: Troubleshooting Cks Issues

    # scakiod will send log entries to syslog. logfile /var/opt/sun/sca6000/log/scakiod.log # keystoredir: The keystoredir directive allows the administrator to set an # alternate directory for keystore files. The default value for this is ...
  • Page 137 # /var/opt/sun/sca6000/keydata. Any alternate location must have read, # write and execute permissions for the user that the daemon runs as. # It is recommended not to allow any other user any permissions on this # directory. keystoredir /var/opt/sun/sca6000/keydata # debuglevel: The debuglevel directive sets the default log mask for scakiod # logging events.
  • Page 138 # The auditloglimit directive is used for the keystore audit logging facility. # The value used here is an integer specifying the maximum number of log # entries before the audit log is rotated. auditloglimit [root@nsn104-57 sca6000]# ...
  • Page 139: Cannot Contact Server

    Cannot Contact Server Sep 18 09:33:09 [29290/1]: [info] Cannot contact server vdemo02.west.sun.com:636: Can’t connect to the LDAP server Sep 18 09:33:09 [29290/1]: [ERROR] Cannot connect to any LDAP server for centralized keystore services. Possible causes: The LDAP servers on all hostnames or IP addresses referenced in the ■...
  • Page 140: Failed Binding To Server

    UNIX user daemon. The certificate database files have not been created in the directory referenced by ■ the certdb property. ...
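The two troubleshooting entries above each start from a scakiod log line and list what to check. The Python below is an added example (not part of the product or the guide) that parses such lines and maps them to the causes this section names. The two "Cannot contact server" lines are the ones quoted on page 139; the "Failed binding" line and the healthy "Connected" line are constructed here, since their exact wording is not reproduced on this page, and the line layout the regular expression assumes is the `Mon DD HH:MM:SS [pid/tid]: [level] message` shape of the quoted lines.

```python
"""Triage of scakiod centralized-keystore log lines.

Added example, not code from the product. SAMPLE_LOG mixes the two lines
quoted in the guide with two constructed ones; CAUSES paraphrases the
possible causes listed in the troubleshooting section."""
import re
from collections import Counter
from typing import Optional

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"\[(?P<pid>\d+)/(?P<tid>\d+)\]: \[(?P<level>\w+)\] (?P<msg>.*)$")
SERVER_RE = re.compile(r"server (?P<host>[\w.-]+):(?P<port>\d+)")

# symptom -> what the section tells the administrator to check
CAUSES = {
    "cannot_contact": [
        "an LDAP server is not running on each hostname or IP address in serverlist",
        "the host or port in serverlist is not reachable from this system",
    ],
    "failed_bind": [
        "certificate database files not created in the certdb directory",
        "certdb or passfile not readable by the UNIX user daemon",
    ],
}

SAMPLE_LOG = """\
Sep 18 09:33:09 [29290/1]: [info] Cannot contact server vdemo02.west.sun.com:636: Can't connect to the LDAP server
Sep 18 09:33:09 [29290/1]: [ERROR] Cannot connect to any LDAP server for centralized keystore services.
Sep 18 09:35:41 [29290/1]: [ERROR] Failed binding to server vdemo02.west.sun.com:636: Invalid credentials
Sep 18 09:40:02 [29290/1]: [info] Connected to server vdemo02.west.sun.com:636
"""


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into fields and tag it with a symptom, if any."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    msg = rec["msg"]
    if msg.startswith(("Cannot contact server", "Cannot connect to any LDAP server")):
        rec["symptom"] = "cannot_contact"
    elif msg.startswith("Failed binding to server"):
        rec["symptom"] = "failed_bind"
    else:
        rec["symptom"] = None
    s = SERVER_RE.search(msg)
    rec["server"] = f"{s['host']}:{s['port']}" if s else None
    return rec


def triage(log_text: str) -> dict:
    """Count symptoms, group them per server and attach the causes to check."""
    counts: Counter = Counter()
    servers: dict = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["symptom"] is None:
            continue
        counts[rec["symptom"]] += 1
        if rec["server"]:
            servers.setdefault(rec["server"], set()).add(rec["symptom"])
    return {
        "counts": dict(counts),
        "servers": {k: sorted(v) for k, v in servers.items()},
        "check": {s: CAUSES[s] for s in counts},
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_LOG).items():
        print(k, v)
```

Grouping by server matters with a multi-entry serverlist: a bind failure on one server and a connect failure on another point at different configuration properties (certdb/passfile versus serverlist), and the summary keeps them apart.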
  • Page 141: Developing And Administering Financial Services

    C H A P T E R Developing and Administering Financial Services Note – The financial services features described in this chapter are supported for the Oracle Solaris OS on both SPARC and x86 platforms. These features are not currently supported for the Linux OS.
  • Page 142: Financial Service Components Overview

    PKCS#11 interface, however, because this interpretation is handled by the financial services library. A high-level overview of the financial services components is depicted in FIGURE 5-1 ...
  • Page 143: Financial Services Library Initialization

    FIGURE 5-1 Financial Services High-Level Architecture. Three core components comprise the Sun Crypto Accelerator 6000 board financial services functionality: ■ Key management ■ PIN processing ■ Card processing These core components are described in the following sections. Financial Services Library Initialization This section describes the functions used to initialize the financial services library.
  • Page 144: Library Open Function Fs_Lib_Open()

    • fsNotFound – Token not found • fsError – Unable to initialize library Library Shutdown Function fs_lib_close() Applications can close the financial services library services when the services are no longer required. ...
  • Page 145: Session Establishment Function Fs_Session_Open()

    The syntax for the fs_lib_close() function is as follows: fsReturn_t fs_lib_close(fsLibHandle_t handle) TABLE 5-3 lists the parameters for the fs_lib_close() function. TABLE 5-3 fs_lib_close() Function Parameters Parameter Description handle – Financial services library handle returned from the fs_lib_open() function. The return values for the fs_lib_close() function are listed in the table that follows.
  • Page 146: Session Shutdown Function Fs_Session_Close()

    Financial Services Data Types The financial services API requires the use of new data types defined in the finsvcs.h header file. Appendix F provides the finsvcs.h header file. ...
  • Page 147: Key Management Overview

    Key Management Overview To meet the strict key management requirements of financial institutions, the Sun Crypto Accelerator 6000 board adheres to the following essential financial key management principles. Key Separation and Compartmentalization of Risk Keys must be used for specifically defined functions only. This requirement limits potential damage from a key compromise.
  • Page 148: Permitted Key Forms

    2. Type the following command: sca6000, so}> load mfk ▼ Enable the MFK Once the MFK components are loaded, a valid security officer must enable the direct input device. ...
  • Page 149: Load The Keks

    ● Type the following command: sca6000, so}> enable mfk ▼ Load the KEKs A security officer also enters the KEKs with the direct input device. However, unlike the MFK, these keys are extracted from the board by financial applications. The extracted keys are encrypted with the MFK.
  • Page 150: Generate Key Function Fs_Generate_Key()

    Buffer for the generated key, encrypted with the MFK or a derivative. TABLE 5-10 lists the return values for the fs_generate_key() function. TABLE 5-10 fs_generate_key() Function Return Values Return Value Description fsOK – Key generated ...
  • Page 151: Import Key Function Fs_Import_Key()

    TABLE 5-10 fs_generate_key() Function Return Values (Continued) Return Value Description fsInvalidKeyType – Invalid key type specified fsBufferTooSmall – Provided buffer is too small for the key fsInvalidState – Device not in proper state to handle command Import Key Function fs_import_key() To interoperate with peer nodes, the board must be able to import keys from these peers.
  • Page 152: Export Key Function Fs_Export_Key()

    The board must allow users to move keys from one device to another. Additionally, the peer device might not be a Sun Crypto Accelerator 6000 board. The export key function enables this feature and allows users to export keys from the Sun Crypto Accelerator 6000 board.
  • Page 153: Translate Key Function Fs_Translate_Key()

    TABLE 5-13 fs_export_key() Function Parameters (Continued) Parameter Description iKey – Input key encrypted with the MFK oKey – Exported key in ANSI X9.17 format useVariants – True if the exported key is an Atalla variant TABLE 5-14 lists the return values for the fs_export_key() function. TABLE 5-14 fs_export_key() Function Return Values...
  • Page 154: Retrieve Object Function Fs_Retrieve_Object()

    handle – Session handle returned by the fs_session_open() function label – Byte string identifier for the object … – Output buffer where the object is returned type – Type of object to retrieve: KEK or decimalization table ...
  • Page 155: Status Function Fs_Status()

    – Status buffer ■ PIN Processing Functions The Sun Crypto Accelerator 6000 board supports PIN verification and translation functionality. The interface ensures that sensitive customer data is exposed only within the secure HSM. This section describes the capabilities and interfaces supported.
  • Page 156: Pin Block Formats

    4-bit field with binary value of 0000. Primary account number (PAN) – the 12 rightmost digits of the PAN, each represented as a 4-bit binary number with a value of 0000 to 1001 (0 to 9) ...
  • Page 157: Iso Format 1

    4-bit binary value determined by the PIN length – P or R random digit PIN Calculation Methods The Sun Crypto Accelerator 6000 board supports the Visa PIN Validation Value (PVV) and the IBM-3624 methods for calculating PINs. Visa PVV Method PVV is a calculation and verification method specified by Visa.
  • Page 158: Ibm-3624 Method

    The PIN associated with the PAN must be used to generate the PVV. Regardless of the length of the PIN (4 to 12 digits), only the left-most four digits are used. ...
  • Page 159: Pvki

    PIN Verify Function fs_pin_verify() The PIN verify operation is executed by the credit card issuer or their agent to authenticate a cardholder's transaction. The Sun Crypto Accelerator 6000 board supports two types of PIN verification, Visa PVV and IBM-3624. Additionally, the...
  • Page 160: Pin Translate Function Fs_Pin_Translate()

    PIN comes in encrypted using a PIN encryption key (PEK) specified by the point-of-service bank. To route the transaction to the credit card issuing bank, the ...
  • Page 161 transaction decrypts the PIN using the transaction originator’s PEK and then reencrypts it using the credit card issuing bank's PEK. The PIN block format can also be translated (from ISO Format 0 to ISO Format 1, for example). The syntax for the fs_pin_translate() function is as follows: fsReturn_t fs_pin_translate(fsSessHandle_t handle, fsKey_t *iPEK, fsKey_t *oPEK, fsPIN_t *iPIN, fsPIN_t *oPIN, fsPAN_t *PAN)
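The PIN block format pages (156 and 157) and the fs_pin_translate() description above together define what a translation does to a clear PIN block: decode it under the incoming format (ISO Format 0 needs the PAN, Format 1 does not), then re-encode it under the outgoing one. The Python below is an added example, not code from the financial services library or the guide. It implements ISO 9564-1 Formats 0 and 1 and the clear-text stage of a translation; the decryption under the originator's PEK and re-encryption under the issuer's PEK are deliberately left out, because on the board they happen inside the HSM and the clear block never leaves it. The `rand` parameter that lets a caller fix Format 1's random filler exists only so the example is testable.

```python
"""ISO 9564-1 PIN block Format 0 and Format 1, and the clear-text step of
a PIN translation.

Added example, not code from the financial services library. It shows what
fs_pin_translate() does between its two cipher operations; the PEK
decryption and re-encryption are omitted."""
import secrets
from typing import Optional


def _check_pin(pin: str) -> None:
    if not (pin.isdigit() and 4 <= len(pin) <= 12):
        raise ValueError("PIN must be 4 to 12 decimal digits")


def pan_field(pan: str) -> bytes:
    """Format 0 PAN field: 0000 followed by the 12 rightmost PAN digits
    excluding the check digit, left-padded with zeros for shorter PANs."""
    if not (pan.isdigit() and len(pan) >= 2):
        raise ValueError("PAN must be a decimal digit string")
    return bytes.fromhex("0000" + pan[:-1][-12:].rjust(12, "0"))


def encode_format0(pin: str, pan: str) -> bytes:
    """Control nibble 0, PIN length, PIN digits, F padding, XOR the PAN field."""
    _check_pin(pin)
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    return bytes(a ^ b for a, b in zip(pin_field, pan_field(pan)))


def decode_format0(block: bytes, pan: str) -> str:
    """Recover the PIN; a wrong PAN shows up as a malformed PIN field."""
    if len(block) != 8:
        raise ValueError("PIN block must be 8 bytes")
    field = bytes(a ^ b for a, b in zip(block, pan_field(pan))).hex().upper()
    length = int(field[1], 16)
    pin, pad = field[2:2 + length], field[2 + length:]
    if field[0] != "0" or not 4 <= length <= 12 or not pin.isdigit() or pad.strip("F"):
        raise ValueError("not a valid ISO Format 0 PIN block for this PAN")
    return pin


def encode_format1(pin: str, rand: Optional[str] = None) -> bytes:
    """Control nibble 1, PIN length, PIN digits, then random hex digits.
    rand (16 hex digits) overrides the CSPRNG filler; tests only."""
    _check_pin(pin)
    head = f"1{len(pin):X}{pin}"
    filler = rand if rand is not None else secrets.token_hex(8).upper()
    if len(filler) < 16 - len(head):
        raise ValueError("filler too short")
    return bytes.fromhex(head + filler[:16 - len(head)])


def decode_format1(block: bytes) -> str:
    if len(block) != 8:
        raise ValueError("PIN block must be 8 bytes")
    field = block.hex().upper()
    length = int(field[1], 16)
    pin = field[2:2 + length]
    if field[0] != "1" or not 4 <= length <= 12 or not pin.isdigit():
        raise ValueError("not a valid ISO Format 1 PIN block")
    return pin


def translate(block: bytes, in_fmt: int, out_fmt: int,
              pan: Optional[str] = None, rand: Optional[str] = None) -> bytes:
    """Clear-text stage of a PIN translation: decode under the incoming
    format, re-encode under the outgoing one. Format 0 on either side
    needs the PAN, which is why fs_pin_translate() takes a PAN argument."""
    if in_fmt not in (0, 1) or out_fmt not in (0, 1):
        raise ValueError("only ISO Formats 0 and 1 are modelled here")
    if (in_fmt == 0 or out_fmt == 0) and pan is None:
        raise ValueError("Format 0 requires the PAN")
    pin = decode_format0(block, pan) if in_fmt == 0 else decode_format1(block)
    return encode_format0(pin, pan) if out_fmt == 0 else encode_format1(pin, rand)
```

Two properties worth noting: a Format 0 block is bound to its PAN, so decoding with the wrong PAN fails closed instead of yielding a plausible wrong PIN, and a Format 1 block carries no PAN binding at all, which is why translating from Format 1 into Format 0 still needs the PAN supplied.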
  • Page 162: Credit Card Processing Overview

    The allowable values for the card algorithm type are as follows: ■ CVV – Visa or MasterCard card verification value (CVV) algorithm ■ CSC – American Express card security code (CSC) verification algorithm ...
  • Page 163: Enabling The Financial Services Feature

    The caller must also supply a card verification key (CVK) with the cvk parameter. This key must have been previously imported into the device with the fs_import_key() function. Additionally, primary account number (PAN) information and algorithm-specific card data must be provided through the pan and data parameters.
  • Page 164: Administering Financial Services

    ■ Normal mode – Enables all functions except importing and exporting keys. ■ Sensitive mode – Enables importing and exporting keys. Administrative Commands TABLE 5-26 describes the financial services administrative commands. ...
  • Page 165 Note – Only FSSOs can initiate the commands listed in TABLE 5-26, and each command must be entered with a direct input device. TABLE 5-26 Financial Services Administrative Commands Command Description … – Enters the MFK or the KEKs. The direct input device must be used to enter this key input command.
  • Page 166 MFK and can be retrieved by an application with the fs_retrieve_object() function. Deletes a decimalization table. delete decimalization table ...
  • Page 167: Developing Pkcs#11 Applications For Use With The Sun Crypto Accelerator 6000 Board

    C H A P T E R Developing PKCS#11 Applications for Use With the Sun Crypto Accelerator 6000 Board This chapter describes the board’s implementation of the PKCS#11 interface and describes how to build customized PKCS#11 applications to be used with the board. Additional instructions for Linux platforms are included in the last section.
  • Page 168: Board Administration

    Administration Guide: Security Services document. The Oracle Solaris Cryptographic Framework provides a PKCS#11 library through which the Sun Crypto Accelerator 6000 board is accessed. For Oracle Solaris SPARC platforms, the default location for this library is /usr/lib/ for 32-bit mode and /usr/lib/sparcv9/ for 64-bit mode.
  • Page 169: Slot Descriptions

    The Keystore slot has the advantage of hardware redundancy and load balancing when there are more than one Sun Crypto Accelerator 6000 board on the system with the same keystore. For example, when there are two boards with the same keystore with the name of ks, a slot with the slot description and token label of ks is used as the Keystore slot.
  • Page 170: Sun Metaslot

    Sun Metaslot. Sun Metaslot The Sun Metaslot takes advantage of the Sun Crypto Accelerator 6000 board for cryptographic acceleration along with all other cryptographic providers available on the system. The Sun Metaslot uses the board for the mechanisms it supports, and it uses other slots, including the Oracle Solaris software implementation, for the mechanisms not supported by the board.
  • Page 171: Configuring Secure Failover For Sun Metaslot

    When the auto key migration is disabled, sensitive token keys are not automatically migrated to other slots. With this configuration, if an operation with a sensitive token key fails on the Sun Crypto Accelerator 6000 board, the request does not failover to other slots, and the operation fails.
  • Page 172: Hardware Slot

    ■ The OM Hardware slot allows key management operations such as key generation and key creation. However, the keys created on the OM slot cannot be used until the board is initialized and online. ...
  • Page 173: Pkcs#11 And Fips Mode

    160 bits of output data. (In non-FIPS mode, 512 bits from the thermal-noise-based generator are SHA-1 hashed to 160 bits.) FIPS mode applies only to the Sun Crypto Accelerator 6000 board itself. As stated above, when the board is put in FIPS mode, only FIPS-approved mechanisms are provided by the board.
  • Page 174: Developing Applications To Use Pkcs#11

    RAM on the board, and the driver limits the size of the keystore to 16 Mbytes. However, the fields of the CK_TOKEN_INFO structure (returned by the ...
  • Page 175: Supported And Unsupported Functions

    C_GetOperationState and its companion function C_SetOperationState are not supported. Since the Sun Crypto Accelerator 6000 board can only operate SHA-1 and MD5 in a single part and the PKCS#11 interface requires both single part and multipart for the hash operations, CKM_SHA_1 and CKM_MD5 are not available from the user level of the PKCS#11 application.
  • Page 176: Software Attributes

    CKA_OBJECT_ID empty string CKA_OWNER same as CKA_TOKEN CKA_PRIVATE CKA_RESET_ON_INIT false CKA_SECONDARY_AUTH false opposite of CKA_EXTRACTABLE CKA_SENSITIVE empty string CKA_SERIAL_NUMBER true (not enforced) CKA_SIGN true (not enforced) CKA_SIGN_RECOVER ...
  • Page 177: Software Error Codes

    After this error is returned, an important state has probably not been properly saved, and attempting to continue, except by calling C_Finalize, could be ineffective. The Mutex callback function pointers that can be passed to C_Initialize are ignored. ...
  • Page 178: Token Object Handles

    Sun Crypto Accelerator 6000 (SCA) slot or the Softtoken slot (soft). The Sun Crypto Accelerator 6000 (SCA) slot is a general PKCS#11 slot. ...
  • Page 179: Installing And Configuring Sun Java System Server Software

    Installing and Configuring Sun Java System Server Software This chapter describes how to configure the Sun Crypto Accelerator 6000 board for use with Sun Java System servers on Oracle Solaris platforms. Additional instructions for Linux platforms are provided. This chapter contains the following sections: “Administering Security for Sun Java System Web Servers”...
  • Page 180: Administering Security For Sun Java System Web Servers

    Users Within the context of the Sun Crypto Accelerator 6000 board, users are owners of cryptographic keying material. Each key is owned by a single user. Each user may own multiple keys. A user might want to own multiple keys to support different configurations, such as a production key and a development key (to reflect the organizations the user is supporting).
  • Page 181: Keystores

    ■ functions through scamgr. Note – A single Sun Crypto Accelerator 6000 board must have exactly one keystore. Multiple Sun Crypto Accelerator 6000 boards can be configured to collectively work with the same keystore to provide additional performance and fault-tolerance.
  • Page 182: Slots And Tokens

    “Managing Keystores With scamgr” on page Slots and Tokens As discussed in Chapter 6, there are four kinds of slots presented through the Oracle Solaris Cryptographic Framework’s PKCS#11 interface. ...
  • Page 183: Preparing To Configure Sun Java System Web Servers

    The Sun Crypto Accelerator 6000 Keystore slot can also be used for Sun Java System applications. Through a Keystore slot, asymmetric operations are the only mechanisms accelerated by the Sun Crypto Accelerator 6000 board. When more than one board uses the same keystore, the Keystore slot provides additional performance and fault-tolerance.
  • Page 184: Populating A Keystore

    “Using the scamgr Utility” on page $ scamgr -h hostname 2. Populate the board’s keystore with users. ...
  • Page 185: Installing And Configuring Sun Java System Web Server 6.1

    These user names are known only within the domain of the Sun Crypto Accelerator 6000 board and do not need to be identical to the UNIX user name that the web server process is using. Before attempting to create the user, you must first log in as a scamgr security officer.
  • Page 186 Enter the Sun Java System Web Server 6.1 Administration Server password twice. d. Press Return when prompted. The Sun Java System Web Server Administration Server must be up and running during the configuration process. ...
  • Page 187: Create A Trust Database

    Sun Java System Web Server 6.1 B08/22/2003 12:37 info: CORE3016: daemon is running as super-user info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.4.1_03] from [Sun Microsystems Inc.] info: WEB0100: Loading web module in virtual server [vs-admin] at [/admin-app] info: HTTP3072: [LS ls1] http://hostname.domain:8888 ready to...
  • Page 188: Register The Board With The Web Server

    If the application asks for a password for every known PKCS#11 token, do not provide one. % modutil -dbdir /opt/SUNWwbsvr/alias -nocertdb -disable "Solaris Cryptographic Framework" % modutil -dbdir /opt/SUNWwbsvr/alias -nocertdb -enable "Solaris Cryptographic Framework" -slot "keystore-name" ...
  • Page 189: Generate A Server Certificate

    ▼ Generate a Server Certificate 1. Restart the Sun Java System Web Server 6.1 Administration Server by typing the following commands: % /opt/SUNWwbsvr/https-admserv/stop % /opt/SUNWwbsvr/https-admserv/start The response provides the URL for connecting to your servers. 2. Start the Administration GUI by opening up a web browser and typing: http://hostname.domain:admin-port In the Authentication dialog box, enter the Sun Java System Web Server 6.1 Administration Server user name and password you selected while running...
  • Page 190 Select the Cryptographic Module you want to use. Each slot has its own entry in this pull-down menu. For this example, the keystore-name is chosen. ...
  • Page 191 c. In the Key Pair File Password dialog box, provide the password for the user that will own the key. This password is the username:password (see TABLE 7-1).
    d. Type the appropriate information for the requestor information fields in TABLE 7-2.
    TABLE 7-2 Requestor Information Fields
    Field...
  • Page 192: Install The Server Certificate

    Server Manager window.
    2. On the left panel, click the Install Certificate link.
    FIGURE 7-3 Sun Java System Web Server 6.1 Administration Server Install a Server Certificate Window
  • Page 193: Enable The Web Server For Ssl

    3. Fill out the form to install your certificate:
    TABLE 7-3 Fields for the Certificate to Install
    Certificate For: This server.
    Cryptographic Module: Each slot has its own entry in this pull-down menu. Ensure that you select the correct slot name. For this example, use keystore-name.
    Key Pair File Password: This password is the username:password (TABLE 7-1...
  • Page 194 You are prompted for one or more passwords.
    a. At the Module Internal prompt, provide the password for the web server trust database.
    b. At the Module keystore-name prompt, enter the username:password.
  • Page 195: Installing And Configuring Sun Java System Web Server 7.0 Update 1

    c. Enter the username:password for other keystores as prompted.
    12. Verify the new SSL-enabled web server at the following URL: https://hostname.domain:server-port/
    Note – The default server-port is 443.
    Installing and Configuring Sun Java System Web Server 7.0 Update 1
    This section describes how to install and configure Sun Java System Web Server 7.0 to use the board.
  • Page 196: Register The Board With The Web Server

    ▼ Register the Board With the Web Server
    ● Register the Oracle Solaris PKCS#11 library in the security module database of the Sun Java System Web Server using the modutil utility.
  • Page 197: Start The Sun Java System Web Server Administration Server

    Sun Java System Web Server 7.0U1 B06/12/2007 21:15
    info: CORE3016: daemon is running as super-user
    info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.5.0_09] from [Sun Microsystems Inc.]
    info: WEB0100: Loading web module in virtual server [admin-server] at [/admingui]
    info: WEB0100: Loading web module in virtual server [admin-server] at [/jmxconnector]
    info: HTTP3072: admin-ssl-port: https://hostname.domain:8989 ready...
  • Page 198: Manage The Tokens

    6. Click the Edit Token Password box.
    7. Enter the password in the Current Password dialog box, and check “Do not prompt for the current password at instance startup.”
    8. Click OK.
  • Page 199: Generate A Server Certificate

    ▼ Generate a Server Certificate
    1. To request the server certificate, select the Common Tasks Tab at the home page, and select Request Server Certificate under Configuration Tasks. A new window pops up.
    2. Select a server from the scroll-down menu and click the Next button.
    3.
  • Page 200: Install The Server Certificate

    1. Click the Common Tasks tab on the home page, and click Install Server Certificate under Configuration Tasks. A new window pops up.
    2. Select a server from the scroll-down menu and click Next.
  • Page 201 3. Select a token you would like to use from the pull-down menu and enter the password for the token.
    4. Paste the certificate you copied from the certificate authority (Step 9 in “Generate a Server Certificate” on page 177) into the Certificate Data text box. Click Next.
  • Page 202: Deploy The Change

    The Sun Java System Web Server Administration GUI warns you to deploy when a configuration is modified on the copy. The warning shows up in the upper right corner: Deployment Pending (highlighted in yellow in FIGURE 7-6).
  • Page 203: Enable The Web Server For Ssl

    FIGURE 7-6 Screenshot of the Sun Java Web Server Virtual Servers Window
    1. Click the Deployment Pending link. A new window pops up.
    2. Click on the Deploy button to deploy the new configuration.
    3. Ensure that the deployment was successful and close the window.
    Now that your web server and the Server Certificate are installed, you must enable the web server for SSL.
  • Page 204 6. Alter the following fields:
    ■ SSL – choose Enabled
    ■ Certificate – choose the certificate you installed. The certificate name is in the form token label:certificate name.
  • Page 205 FIGURE 7-7 Screenshot of the Sun Java Web Server Edit HTTP Listener - SSL Settings
    7. Click the Apply button, and close the window.
    Note – Be sure to deploy the change after the web server is configured for SSL.
    Chapter 7 Installing and Configuring Sun Java System Server Software...
  • Page 206: Installing And Configuring Sun Java System Web Server On Linux Platforms

    Use the following commands to disable the openCryptoki slots other than the Sun Crypto Accelerator 6000 slot:
    % modutil -dbdir /opt/SUNWwbsvr/alias -nocertdb -disable "openCryptoki"
    % modutil -dbdir /opt/SUNWwbsvr/alias -nocertdb -enable "openCryptoki" -slot "slot-name"
  • Page 207 For example, for SuSE 9 SP1 the "slot-name" is as follows: "Linux 2.6.5-7.139-smp Linux (SCA)"
    Use the following command to check whether the other slots are disabled:
    % modutil -dbdir /opt/SUNWwbsvr/alias -nocertdb -list "openCryptoki"
    The output of this command should be similar to the following:
    EXAMPLE 7-1 Using database directory /opt/SUNWwbsvr/alias...
  • Page 208: Configuring Sun Java System Web Servers To Start Up Without User Interaction On Reboot

    ▼ Create an Encrypted Key for Automatic Startup of Sun Java System Web Servers on Reboot
    1. Navigate to the config subdirectory for your Sun Java System Web Server instance. For example, /opt/SUNWwbsvr/https-webserver-instance-name/config.
  • Page 209 2. Create a password.conf file with only the following lines (see TABLE 7-1 for the password definitions):
    internal:trust-db-password
    token-label:username:password
    3. Set the file ownership of the password file to the UNIX user ID that the web server runs as, and set the file permissions to be readable only by the owner of the file:
    # chown web-server-UNIX-user-ID password.conf
    # chmod 400 password.conf...
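password.conf holds the trust-database password and the keystore user's username:password in clear text, so the chown and chmod in step 3 are the only control over those credentials. The following is an added example, not code from the manual: it creates the two-line file with mode 0400 from the first instant it exists and then checks the properties a reviewer would look for (owner, group/other bits, owner-writable, missing or malformed lines). Directory, token label, user name and passwords are placeholders; the chown to the web server's UNIX user still has to be done as root as the manual says, and the check compares the file's owner against the uid you pass in.

```python
"""Write and vet the password.conf that lets the web server restart unattended.

Added example, not from the Sun manual. The file holds the trust-database
password and the keystore user's username:password in clear text, so file
ownership and mode are the only control over those credentials. Names,
labels and passwords below are placeholders.
"""
import os
import stat
import tempfile


def write_password_conf(config_dir, trust_db_password, token_label, username, password):
    """Create config_dir/password.conf (mode 0400, no clobber) and return its path."""
    path = os.path.join(config_dir, "password.conf")
    body = f"internal:{trust_db_password}\n{token_label}:{username}:{password}\n"
    # O_EXCL refuses to overwrite an existing file; the 0o400 mode applies at
    # creation, so the secret is never readable by anyone else, even briefly.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)
    with os.fdopen(fd, "w") as fh:
        fh.write(body)
    return path


def check_password_conf(path, web_server_uid, token_label):
    """Return a list of problems; an empty list means the file matches the manual's rules."""
    problems = []
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
        return problems
    if st.st_uid != web_server_uid:
        problems.append(f"owner uid {st.st_uid} != web server uid {web_server_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("group or other permission bits set (expected 0400)")
    if st.st_mode & (stat.S_IWUSR | stat.S_IXUSR):
        problems.append("owner write/execute bits set (expected 0400)")
    with open(path) as fh:
        lines = [line.rstrip("\n") for line in fh if line.strip()]
    labels = [line.split(":", 1)[0] for line in lines]
    if "internal" not in labels:
        problems.append("missing internal:trust-db-password line")
    if token_label not in labels:
        problems.append(f"missing {token_label}:username:password line")
    for line in lines:
        fields = line.split(":")
        if fields[0] == "internal" and len(fields) != 2:
            problems.append("internal line must be internal:password")
        elif fields[0] != "internal" and len(fields) != 3:
            problems.append(f"line for {fields[0]!r} must be token-label:username:password")
    return problems


def demo():
    """Round trip in a scratch directory; returns (problems when clean, problems after chmod 644)."""
    config_dir = tempfile.mkdtemp()
    path = write_password_conf(config_dir, "trust-db-password", "keystore-name", "webuser", "webpass")
    clean = check_password_conf(path, os.getuid(), "keystore-name")
    os.chmod(path, 0o644)  # the mistake the check exists to catch
    loosened = check_password_conf(path, os.getuid(), "keystore-name")
    return clean, loosened


if __name__ == "__main__":
    print(demo())
```

Run check_password_conf against the real file with the web server's uid (for example from `pwd.getpwnam(user).pw_uid`) after the chown; a non-empty result means the keystore password is exposed to more than the web server process.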
  • Page 211: Installing And Configuring Apache Web Server Software

    CHAPTER Installing and Configuring Apache Web Server Software
    This chapter explains how to configure and enable the Sun Crypto Accelerator 6000 board for use with Apache Web Servers on both Oracle Solaris and Linux platforms. This chapter includes the following sections: “Installing and Configuring Apache Web Server on Oracle Solaris Platforms”...
  • Page 212 Organizational Unit Name: (Optional) A value for the Organizational Unit that will be asserted on the certificate.
    SSL Server Name: Web site domain that is typed in a visitor’s browser.
    Email Address: Contact information for requestor.
  • Page 213: Enable Apache Web Server

    The following is an example of how the certificate fields are entered:
    Enter PEM pass phrase:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter ’.’, the field will be left blank.
  • Page 214: Installing And Configuring Apache Web Server On Linux Platforms

    The Apache web server included in the Linux installation does not have the appropriate plug-ins. This section describes how to prepare the Apache Web Server with the appropriate plug-ins to use the Sun Crypto Accelerator 6000 board for SSL acceleration.
    Note – On Oracle Solaris platforms, the OpenSSL executable is in the /usr/sfw/bin/ directory.
  • Page 215: Prepare Openssl Libraries

    Note – Check the Sun Crypto Accelerator 6000 Board Product Notes for Version 1.1 for any additional required patches. You must install all of the required patches before configuring OpenSSL.
    4. Configure and compile OpenSSL. Refer to the README.pkcs11 and INSTALL files for more information.
  • Page 216: Compile Apache Web Server

    The Apache software is installed in the /usr/local/apache2 directory in this example.
    1. Edit the /usr/local/apache2/conf/httpd.conf file and change the following line to enable SSL:
    #Include conf/extra/httpd-ssl.conf
  • Page 217 Include conf/extra/httpd-ssl.conf
    2. Enable the PKCS#11 OpenSSL engine by editing the /usr/local/apache2/conf/extra/httpd-ssl.conf file to add the following line:
    SSLCryptoDevice pkcs11
    just before the following line:
    Pass Phrase Dialog:
    In the same file, also change the following line:
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    to:
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL:!DHE-RSA-AES256-SHA:!DHE-DSS-AES256-SHA:!AES256-SHA:!DHE-RSA-AES128-SHA:!DHE-DSS-AES128-SHA:!RSA-AES128-SHA...
    Note – Both cipher strings keep +LOW, +SSLv2, +EXP and +eNULL, which admit low-strength, SSLv2-only and export-grade cipher suites and the unencrypted eNULL suites. Remove those four entries from the string on any server reachable from outside a test network; the AES exclusions that the manual adds are a separate matter and are unaffected by that change.
  • Page 218 64-bit openCryptoki PKCS#11 library with the file command.
    6. Test the Apache Web Server as described in the previous sections of this chapter. Verify that the Sun Crypto Accelerator 6000 board is being used with the following command:
    % cat /proc/driver/mca0
    7.
  • Page 219: Diagnostics And Troubleshooting

    6000 subsystem (driver, firmware, and hardware). The other two utilities, scamgr and scadiag, perform low-level diagnostics on individual hardware components of the Sun Crypto Accelerator 6000 board. Performing SunVTS Diagnostics SunVTS is the Sun Validation Test Suite software. The core SunVTS wrapper provides test control and a user interface to a suite of system level tests.
  • Page 220: Performing Scamgr Diagnostics

    The Sun Crypto Accelerator 6000 board can be tested with SunVTS 6.2 software that is released with the Oracle Solaris 10 6/06 OS. The SunVTS test, cryptotest, provides diagnostics of the cryptographic circuitry of the board. Refer to the SunVTS 6.2 test reference manuals (x86 or SPARC), user’s guide, and quick reference card for instructions on how to perform and monitor this diagnostic test.
  • Page 221: Disable Other Hardware Providers

    Displaying the kstat information indicates whether cryptographic requests or “jobs” are being sent to the Sun Crypto Accelerator 6000 board. A change in the jobs values over time indicates that the board is accelerating cryptographic work requests sent to the Sun Crypto Accelerator 6000 board.
  • Page 222: Determine Cryptographic Activity With The Kstat Utility

    Note – In the previous example, 0 is the instance number of the mca device. This number should reflect the instance number of the board for which you are performing the kstat command.
  • Page 223: Determining Cryptographic Activity On Linux Platforms

    Determining Cryptographic Activity on Linux Platforms The Sun Crypto Accelerator 6000 board does not contain lights or other indicators to reflect cryptographic activity on the board. To determine whether cryptographic work requests are being performed on the board, you must use the /proc file system ▼...
  • Page 224 FIPS status online
    crtime 1893.73075636
    cbflowctl cbsubmit cblowater cbhiwater cbringsize
    caflowctl casubmit calowater cahiwater caringsize
    omflowctl omsubmit omlowater omhiwater omringsize
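The manual's check on both platforms (kstat for the mca instance on Oracle Solaris, page 221 onward, and /proc/driver/mca<instance> on Linux, page 223 onward) is to take the counter output twice and see whether the job counters moved. The following is an added example, not code from the manual: it parses the "name value" lines such an output consists of and compares two snapshots, reporting which submit counters grew and flagging the cases where the comparison is meaningless or points elsewhere (a changed crtime, no counters found because of a wrong instance number, or no jobs at all, which usually means another provider is taking the work, see "Disable Other Hardware Providers"). The two snapshots are constructed; the counter names come from the output shown above, the numbers are made up, and treating cbsubmit, casubmit and omsubmit as the job-submit counters is an assumption to confirm against your own output.

```python
"""Tell from two counter snapshots whether crypto jobs are reaching the board.

Added example, not from the Sun manual. Parses the one-"name value"-per-line
output of the mca kstat (Oracle Solaris) or /proc/driver/mca<n> (Linux) and
compares two snapshots taken some seconds apart. Snapshots are constructed;
treating cbsubmit/casubmit/omsubmit as the submit counters is an assumption.
"""

SNAPSHOT_BEFORE = """\
module: mca                             instance: 0
name:   mca0                            class:    misc
        FIPS status                     online
        crtime                          1893.73075636
        cbflowctl                       0
        cbsubmit                        1200
        caflowctl                       0
        casubmit                        8450
        omflowctl                       0
        omsubmit                        310
"""
# Same instance a few seconds later: only the asymmetric (ca) submit count moved.
SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace("casubmit                        8450",
                                         "casubmit                        8712")

SUBMIT_COUNTERS = ("cbsubmit", "casubmit", "omsubmit")


def parse_counters(text):
    """Return {name: value}; numeric values become int/float, others stay strings."""
    counters = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("module:", "name:")):
            continue  # kstat header lines carry no counters
        name, _, value = line.rpartition(" ")
        name = name.strip()
        if not name:
            continue
        for cast in (int, float):
            try:
                value = cast(value)
                break
            except ValueError:
                pass
        counters[name] = value
    return counters


def board_activity(before, after):
    """Compare two snapshots; returns (active, per-counter deltas, notes)."""
    b, a = parse_counters(before), parse_counters(after)
    notes = []
    if a.get("crtime") != b.get("crtime"):
        notes.append("crtime differs: the driver instance was re-created between snapshots, deltas are meaningless")
    if a.get("FIPS status") != b.get("FIPS status"):
        notes.append("FIPS status changed between snapshots")
    deltas = {n: a[n] - b[n] for n in SUBMIT_COUNTERS if n in a and n in b}
    if not deltas:
        notes.append("no submit counters found; check the mca instance number")
    active = any(d > 0 for d in deltas.values())
    if deltas and not active:
        notes.append("no jobs submitted: traffic may be going to another provider")
    return active, deltas, notes


if __name__ == "__main__":
    print(board_activity(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
```

Capture the two snapshots while the web server is serving SSL handshakes; an RSA-only workload should move casubmit, while a bulk-cipher workload moves cbsubmit. A zero delta on every counter during live traffic is the signature of the software provider (or another hardware provider) doing the work instead of the board.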
  • Page 225: Sun Crypto Accelerator 6000 Board Specifications

    APPENDIX A Sun Crypto Accelerator 6000 Board Specifications
    This appendix lists the specifications for the Sun Crypto Accelerator 6000 board. It contains the following sections:
    ■ “Connectors” on page 203
    ■ “Physical Dimensions” on page 204...
  • Page 226: Physical Dimensions

    FIGURE A-1 Sun Crypto Accelerator 6000 Board Connectors
    Physical Dimensions
    TABLE A-1 Physical Dimensions
    Dimension: Measurement / Metric Measurement
    Length: 6.6 inches / 167.64 mm
    Width: 2.536 inches / 64.41 mm
  • Page 227: Power Requirements

    Specification: Operating / Storage
    Temperature: 0 to +55 °C (+32 to +131 °F) / -40 to +85 °C (-40 to +167 °F)
    Relative humidity: 0 to 95% noncondensing / -40 to +85%
    Appendix A Sun Crypto Accelerator 6000 Board Specifications...
  • Page 229: Overview

    Note – The openCryptoki software is for Linux platforms only. Overview The Sun Crypto Accelerator 6000 board uses openCryptoki as the interface for PKCS#11 applications. Version 1.1 of the board uses the certified openCryptoki 2.2.4 release of the software. The source rpm package is downloadable from the RedHat web site (http://www.redhat.com/).
  • Page 230: Installing Opencryptoki Software

    2. Install openCryptoki source with the following command:
    %> rpm -i openCryptoki-2.2.4-15.el5.src.rpm
    3. Change to the /usr/src/redhat/SPECS directory.
    4. Delete the following line from the openCryptoki.spec file:
    BuildRequires: openssl-devel >= 0.9.8a-5
  • Page 231: Build And Install Opencryptoki Software On Suse10 Sp1 Platforms

    5. Type the following command:
    %> rpmbuild -ba openCryptoki.spec
    Once this command completes, the openCryptoki packages should be as follows:
    ■ /usr/src/redhat/RPMS/openCryptoki-2.2.4-15.i386.rpm on 32-bit systems
    ■ /usr/src/redhat/RPMS/openCryptoki-2.2.4-15.x86_64.rpm on 64-bit systems
    6. Install the openCryptoki packages on RHEL4 with the following command:
    %>...
  • Page 232 SUSE. The openCryptoki software must be started or restarted after the Sun Crypto Accelerator 6000 is started or restarted. On SUSE systems, start and stop openCryptoki with the following commands:
    %> /etc/rc.d/init.d/pkcsslotd stop
    %> /etc/rc.d/init.d/pkcsslotd start
  • Page 233 This distribution may include components developed by third parties. Sun, Sun Microsystems, the Sun logo, Java, Netra, Oracle Solaris, Sun Ray, Sun[tm] ONE and Sun[tm] Crypto Accelerator 6000 are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.
  • Page 234 Export or reexport to countries subject to U.S. embargo or to entities identified on U.S. export exclusion lists, including, but not limited to, the denied persons and specially designated nationals lists is strictly prohibited.
  • Page 235: License Agreement

    License Agreement SUN ONE (TM) SUN CRYPTO ACCELERATOR 6000 Sun Microsystems, Inc. Binary Code License Agreement READ THE TERMS OF THIS AGREEMENT AND ANY PROVIDED SUPPLEMENTAL LICENSE TERMS (COLLECTIVELY "AGREEMENT") CAREFULLY BEFORE OPENING THE SOFTWARE MEDIA PACKAGE. BY OPENING THE SOFTWARE MEDIA PACKAGE, YOU AGREE TO THE TERMS OF THIS AGREEMENT.
  • Page 236 Agreement. No modification of this Agreement will be binding, unless in writing and signed by an authorized representative of each party.
  • Page 237 For inquiries please contact: Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 Sun Microsystems, Inc. Supplemental Terms for Sun Crypto Accelerator 6000 These Supplemental Terms for the Sun Crypto Accelerator 6000 supplement the terms of the Binary Code License Agreement ("BCL").
  • Page 238: Third Party License Terms

    EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL...
  • Page 239 PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  • Page 240 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
  • Page 241 3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by Ralf S. Engelschall <rse@engelschall.com> for use in the mod_ssl project (http://www.modssl.org/)." 4. The names "mod_ssl" must not be used to endorse or promote products derived from this software without prior written permission.
  • Page 243 APPENDIX D Manual Pages
    This appendix describes software commands and utilities and lists the online manual pages for each. Display the man pages with the following command:
    man pagename
    TABLE D-1 lists and describes the online manual pages.
    TABLE D-1 Sun Crypto Accelerator 6000 Online Manual Pages...
  • Page 244 API.
    fs_card_verify(3): Command that provides credit card processing operations for the financial services API.
    fs_pin_verify(3): Command that provides PIN management operations for the financial services API.
  • Page 245: Zeroizing The Sun Crypto Accelerator 6000 Hardware To The Factory State

    APPENDIX E Zeroizing the Hardware
    This appendix describes how to perform a hardware zeroize of the Sun Crypto Accelerator 6000 board, which returns the board to the factory state. When the board is returned to the factory state, it is in Failsafe mode.
    Caution –...
  • Page 246: Zeroize The Sun Crypto Accelerator 6000 Board With A Hardware Jumper

    Place the jumper on the 0 and 1 pin set as shown in FIGURE E-1.
    Caution – The board does not function with the jumper on pins 0 and 1.
  • Page 247 Note – You can safely store the jumper on pins 3 and 5. This location does not affect any operation of the board.
    7. Power on the system.
    8. Connect to the Sun Crypto Accelerator 6000 board with scamgr. scamgr prompts you for a path to upgrade the firmware.
    9. Type /opt/SUNWconn/cryptov2/firmware/sca6000fw as the path for installing the firmware.
  • Page 248 See “Initializing the Board With scamgr” on page
  • Page 249 This appendix provides the financial services header file that defines the financial service data types for developing financial service applications.
    EXAMPLE F-1 Financial Services Header File
    /*
     * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
     * Use is subject to license terms.
     */
    #ifndef _FINSVCS_H
    #define _FINSVCS_H
    #pragma ident "@(#)finsvcs.h 1.5 06/04/19 SMI"...
  • Page 250 } fsPinAlg_t;
    /* supported magnetic/credit card algorithms */
    typedef enum fsCardAlg {
        CVV,
    } fsCardAlg_t;
    /* MAC'ing Algorithms - used by fs_mac_generate/fs_mac_verify */
    typedef enum fsMacAlg {
  • Page 251 EXAMPLE F-1 Financial Services Header File (Continued)
        X9_9,
        X9_19,
        X9_19_3DES
    } fsMacAlg_t;
    /*
     * supported PIN types
     *
     * ISO Format 0 is defined as follows (nibbles)
     *   [0][N][P][P][P][P][P/F][P/F][P/F][P/F][P/F][P/F][P/F][P/F][F][F]
     * where:
     *   N = PIN length
     *   P = PIN digit
     *   F = Fill = 0xf
     *
     * ISO Format 1 is defined as follows:
     *   [1][N][P][P][P][P][P/R][P/R][P/R][P/R][P/R][P/R][P/R][P/R][R][R]
     * where:...
  • Page 252 /* ISO 9.17 Key Format - common external key format */
    #define FS_KEYSIZE_917  24
    #define FS_KCVSIZE_917  3
    /* ANSI X9.17 key definition - used for import/export operations */
    typedef struct fsKey917 {
        uint8_t length;
  • Page 253 EXAMPLE F-1 Financial Services Header File (Continued)
        uint8_t kcv[FS_KCVSIZE_917];
        uint8_t key[FS_KEYSIZE_917];
    } fsKey917_t;
    #define FS_PAN_SIZE          10
    #define FS_PAN_CONTROL_SIZE  2
    #define FS_PAN_PIN_SIZE      12   /* PIN op PAN size (nibbles) */
    #define FS_PAN_PIN_TOTAL \
        ((FS_PAN_CONTROL_SIZE * 2) + FS_PAN_PIN_SIZE)
    /* Personal Account Number (PAN) data structure */
    typedef struct fsPan {
        uint8_t length;           /* in nibbles/digits (from 12 to 19) */
        uint8_t pan[FS_PAN_SIZE];...
  • Page 254 *, fsPin_t *, fsPinData_t *);
    fsReturn_t fs_pin_translate(fsSessHandle_t, fsKey_t *, fsKey_t *, fsPin_t *, fsPin_t *, fsPan_t *);
    /* card processing functions */
    fsReturn_t fs_card_verify(fsSessHandle_t, fsCardAlg_t, fsKey_t *, fsPan_t *, fsCardData_t *);
  • Page 255 EXAMPLE F-1 Financial Services Header File (Continued)
    /* Key/object management functions */
    fsReturn_t fs_key_generate(fsSessHandle_t, fsKeyType_t, fsKeyUsage_t, fsKey_t *);
    fsReturn_t fs_key_translate(fsSessHandle_t, fsKey_t *, fsKey_t *);
    fsReturn_t fs_key_import(fsSessHandle_t, fsKeyUsage_t, fsKey_t *, fsKey917_t *, fsKey_t *, boolean_t);
    fsReturn_t fs_key_export(fsSessHandle_t, fsKeyUsage_t, fsKey_t *, fsKey_t *, fsKey917_t *, boolean_t);
    fsReturn_t fs_retrieve_object(fsSessHandle_t, fsObjectType_t, char *, fsObjectData_t *);...
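The comments in finsvcs.h (page 251) give the nibble layouts of ISO Format 0 and Format 1 PIN blocks, and the fsPan definitions (page 253) size the PAN field used with them: FS_PAN_CONTROL_SIZE * 2 + FS_PAN_PIN_SIZE = 16 nibbles. The following is an added example, not code from the manual or from the board's financial services library, that builds and checks both formats in software so the layouts can be seen end to end. Two rules it relies on come from ISO 9564-1 rather than from this page and are stated here as assumptions: a Format 0 block is the padded PIN field XORed with a PAN field of four zero nibbles plus the rightmost 12 PAN digits excluding the check digit, and a Format 1 block is not bound to a PAN at all. The test PIN and PAN are made up.

```python
"""ISO 9564-1 PIN block formats 0 and 1, as laid out in the finsvcs.h comments.

Added example; not code from the Sun manual or the board's financial services
library. The XOR-with-PAN rule and the check-digit exclusion for format 0
are ISO 9564-1 conventions assumed here, not something the page states.
"""
import os


def _pin_field(fmt, pin):
    """Control nibble, length nibble N, then the PIN digits P."""
    if not (4 <= len(pin) <= 12) or not pin.isdigit():
        raise ValueError("PIN must be 4 to 12 decimal digits")
    return f"{fmt:x}{len(pin):x}{pin}"


def _pan_field(pan):
    """Four zero nibbles plus the rightmost 12 PAN digits, check digit excluded."""
    if not pan.isdigit() or not (12 <= len(pan) <= 19):  # fsPan length range
        raise ValueError("PAN must be 12 to 19 digits")
    digits = pan[:-1][-12:].rjust(12, "0")
    return "0000" + digits


def iso0_encode(pin, pan):
    """Format 0: [0][N][P...] padded with 0xf, XORed with the PAN field."""
    pin_field = _pin_field(0, pin).ljust(16, "f")
    return (int(pin_field, 16) ^ int(_pan_field(pan), 16)).to_bytes(8, "big")


def iso0_decode(block, pan):
    """Recover the PIN; the sanity checks catch a block XORed with the wrong PAN."""
    clear = (int.from_bytes(block, "big") ^ int(_pan_field(pan), 16)).to_bytes(8, "big").hex()
    n = int(clear[1], 16)
    if clear[0] != "0" or not (4 <= n <= 12) or not clear[2:2 + n].isdigit() or set(clear[2 + n:]) != {"f"}:
        raise ValueError("not a valid format 0 block for this PAN")
    return clear[2:2 + n]


def iso1_encode(pin, rng=os.urandom):
    """Format 1: [1][N][P...] followed by random nibbles R, independent of the PAN."""
    field = _pin_field(1, pin)
    return bytes.fromhex((field + rng(8).hex())[:16])


def iso1_decode(block):
    clear = block.hex()
    n = int(clear[1], 16)
    if clear[0] != "1" or not (4 <= n <= 12) or not clear[2:2 + n].isdigit():
        raise ValueError("not a valid format 1 block")
    return clear[2:2 + n]


def pan_binding_detected(block, real_pan, other_pan):
    """True when decoding a format 0 block under a different PAN does not yield
    the same PIN: the property that makes a PIN translate (fs_pin_translate)
    necessary whenever the PAN changes, and that format 1 lacks."""
    try:
        return iso0_decode(block, other_pan) != iso0_decode(block, real_pan)
    except ValueError:
        return True


if __name__ == "__main__":
    blk = iso0_encode("1234", "4000001234567899")
    print(blk.hex(), iso0_decode(blk, "4000001234567899"))
```

The clear PIN block is what the board protects with the PIN encryption key; the example stops at the formatting layer so that the XOR binding can be inspected, and the fill check in iso0_decode is the reason a block delivered with the wrong PAN is rejected rather than silently decoded to a different PIN.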
  • Page 257 APPENDIX G Supported PKCS#11 Mechanisms
    This appendix lists the PKCS#11 mechanisms supported by the Sun Crypto Accelerator 6000 board. TABLE G-1 lists the mechanisms supported by the board....
  • Page 258 TABLE G-1 Supported PKCS#11 Mechanisms (continued)
    Mechanism Name: Key Range (Note)
    CKM_RSA_X_509: 256-2048 bits
    CKM_RSA_PKCS: 256-2048 bits
    CKM_DSA: 512-1024 bits
    CKM_DH_PKCS_KEY_PAIR_GEN: 64-2048 bits
    CKM_DH_PKCS_DERIVE: 64-2048 bits
    CKM_EC_KEY_PAIR_GEN: 163-571 bits
    CKM_ECDH1_DERIVE: 163-571 bits
    CKM_ECDSA: 163-571 bits
    CKM_RSA_PKCS_KEY_PAIR_GEN: 256-2048 bits
  • Page 259 TABLE G-1 Supported PKCS#11 Mechanisms (continued)
    CKM_DSA_KEY_PAIR_GEN: 512-1024 bits
    CKM_DES_KEY_GEN: 8 bytes
    CKM_DES2_KEY_GEN: 16 bytes
    CKM_DES3_KEY_GEN: 24 bytes
    CKM_AES_KEY_GEN: 16, 24, or 32 bytes
    CKM_RC2_CBC_PAD: 8-1024 bits (Disabled by default.)
    Appendix G Supported PKCS#11 Mechanisms...
  • Page 261: Index

    Index svcadm, 111 zeroize, 224 ANSI/ISO Format 0, 134 credit card processing, 140 Apache Web Servers cryptographic algorithms compiling on Linux, 194 acceleration, 4 configuring, 189 enabling optional algorithms, 93 configuring on Linux, 192 supported, 4 creating a certificate, 189 enabling, 191 CVK, 125 installing, 189...
  • Page 262 Multi-Admin, 69 hardware and software requirements, 10 commands requiring, 69 managing with scamgr, 70 hardware zeroize, 223, 235 hexadecimal characters, 134 high availability, 9 high-quality entropy, 9
  • Page 263 CK_EFFECTIVELY_INFINITE, 153 CKM_MD5, 153 naming requirements, 58 CKM_SHA_1, 153 cryptoadm, 148 developing applications, 152 online manual pages, 221 developing applications on Linux, 156 fs_card_verify(3), 222 FIPS mode, 150, 151 fs_key_generate(3), 222 hardware slot, 150 fs_lib_open(3), 221 implementation specifics, 152 fs_pin_verify(3), 222 keystore slot, 147 mca(7d), 221 libpkcs11, 145...
  • Page 264 10 password requirements, 58 platforms, 10 populating a keystore software, 10 with security officers, 60 Solaris operating systems, 10 with users, 61 prompt, 43 quitting, 48
  • Page 265 terminal PIN key, 125 TPK, 125 trust database, creating scamgr, 38 Sun Java System Web Server 6.0, 165 user accounts, 57 Visa PVV Method, 135 web servers, 158 zeroize command, 224 zeroizing the hardware, 223, 235 zone working key, 125 ZWK, 125 Index...
