CHAPTER 1

Product Overview

This chapter describes the Sun Crypto Accelerator 1000 board.


Hardware Overview

The Sun Crypto Accelerator 1000 board is a short PCI board that functions as a cryptographic co-processor to accelerate public key and symmetric cryptography. This product has no external interfaces. The board communicates with the host through the internal PCI bus interface. The purpose of this board is to accelerate a variety of computationally intensive cryptographic algorithms for security protocols in e-commerce applications.

 FIGURE 1-1 Sun Crypto Accelerator 1000 Board

Diagram of the Sun Crypto Accelerator 1000 board.

Product Features

The Sun Crypto Accelerator 1000 is a cryptographic accelerator board that enhances the performance of SSL on Sun platforms. The Sun Crypto Accelerator 1000 accelerates cryptographic algorithms in both hardware and software. The reason for this complexity is that the cost of accelerating cryptographic algorithms is not uniform across all algorithms. Some cryptographic algorithms were designed specifically to be implemented in hardware; others were designed to be implemented in software. For hardware acceleration, there is the additional cost of moving data from the user application to the hardware acceleration device, and moving the results back to the user application. Note that a few cryptographic algorithms (for example, ARCFOUR) can be performed by highly tuned software as quickly as they can be performed in dedicated hardware.

The Sun Crypto Accelerator 1000 board examines each cryptographic request and determines the best location for the acceleration (host processor or Sun Crypto Accelerator 1000), to achieve maximum throughput. Load distribution is based on cryptographic algorithm, current job loading, and data size.

TABLE 1-1 shows which accelerated algorithms may be off-loaded to hardware and which software algorithms are provided for iPlanet and Apache Web Servers.

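TABLE 1-1 Supported SSL Algorithms

| Algorithm      | iPlanet Web Servers: Hardware | iPlanet Web Servers: Software | Apache Web Servers: Hardware | Apache Web Servers: Software |
|----------------|-------------------------------|-------------------------------|------------------------------|------------------------------|
| RSA            | X                             | X                             | X                            | X                            |
| DSA            | X                             | X                             | X                            | X                            |
| Diffie-Hellman |                               |                               | X                            | X                            |
| DES            | X                             | X                             | X                            | X                            |
| 3DES           |                               |                               | X                            | X                            |
| ARCFOUR        |                               |                               |                              | X                            |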


Dynamic Reconfiguration and High Availability Considerations

The Sun Crypto Accelerator 1000 hardware and associated software provide the capability to work effectively on Sun platforms supporting Dynamic Reconfiguration (DR) and hot-plugging. During a DR or hot-plug operation, the Sun Crypto Accelerator 1000 software layer automatically detects the addition or removal of a board and adjusts the scheduling algorithms to accommodate the change in hardware resources.

For High Availability (HA) configurations, multiple Sun Crypto Accelerator 1000 boards can be installed within a system or domain to ensure that hardware acceleration is continuously available. In the unlikely event of a Sun Crypto Accelerator 1000 hardware failure, the software layer detects the failure and removes the failed card from the list of available hardware cryptographic accelerators. Sun Crypto Accelerator 1000 adjusts the scheduling algorithms to accommodate the reduction in hardware resources. Subsequent cryptographic requests will be scheduled to the remaining cards.

Additionally, the Sun Crypto Accelerator 1000 software libraries provide the capability to perform all cryptographic operations in software. This feature supports DR or hot-plug removal of all Sun Crypto Accelerator 1000 boards within a system domain with no adverse functional consequences. A significant performance penalty is incurred until the Sun Crypto Accelerator 1000 hardware is restored to the supported configuration.

Note that the Sun Crypto Accelerator 1000 hardware provides a source for high-quality entropy for the generation of long-term keys. If all the Sun Crypto Accelerator 1000 boards within a domain or system are removed, long-term keys are generated with lower-quality entropy.

Load Sharing

The Sun Crypto Accelerator 1000 software distributes load across as many boards as are installed within the Solaris domain or system. Incoming cryptographic requests are distributed across the boards based on fixed-length work queues. Cryptographic requests are directed to the first board, and subsequent requests stay directed to the first board until it is running at full capacity. Once the first board is running at full capacity, further requests are queued to the first available board that can accept a request of that type. The queueing mechanism is designed to optimize throughput by facilitating request coalescing at the board.


Hardware and Software Requirements

TABLE 1-2 provides a summary of the hardware and software requirements for the Sun Crypto Accelerator 1000 board.

TABLE 1-2 Hardware and Software Requirements

| Hardware and Software | Requirements |
|-----------------------|--------------|
| Hardware              | Sun Blade™ 1000; Sun Enterprise™ 220R, 250, 420R, 450; Sun Fire™ 280R, V480, V880, 4800, 4810, 6800; Sun Netra™ T1 AC200/DC200, 20, t 100/105, t 1120/1125, t 1400/1405; Sun Ultra™ 5, 10, 30, 60, 80 |
| Operating environment | Solaris 8 7/01 or a subsequent compatible release; Solaris 9 or a subsequent compatible release |
| PCI slots             | 32-bit or 64-bit; 33 MHz or 66 MHz |
| Software              | iPlanet Web Server 4.1 SP9, 6.0 SP1, or Apache Web Server 1.3.12, 1.3.22; any required patches to run the iPlanet or Apache Web Servers |




Note - The service pack numbers (SP9 or SP1) are implied whenever iPlanet Web Server 4.1 or 6.0 is mentioned.



Required Patches

The following patches may be required to run the Sun Crypto Accelerator 1000 board on your system. Solaris updates contain patches to previous releases. Use the showrev -p command to determine whether the listed patches have already been installed.

If necessary, you can download the patches from the following web site: http://sunsolve.sun.com.

Install the latest version of the patches. The dash number (-01, for example) becomes higher with each new version of the patch. If the version on the web site is higher than that shown in the following tables, it is simply a later version.

If the patch you need is not available on SunSolve℠, contact your local sales or service representative.

Solaris 8 Patches

The following tables list required and recommended Solaris 8 patches to use with this product. TABLE 1-3 lists and describes required patches.

TABLE 1-3 Required Solaris 8 Patches for Sun Crypto Accelerator 1000 Software

| Patch-ID  | Description            |
|-----------|------------------------|
| 110383-01 | libnvpair              |
| 108528-05 | KU-05 (nvpair support) |
| 112438-01 | /dev/random            |




Note - If you plan to use the Apache 1.3.12 Web Server, you must also install Patch Number 109234-02.
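
The showrev -p check described above, as an added example that is not part of the original Sun documentation: a shell function that reads `showrev -p` output and reports whether each patch in TABLE 1-3 is installed at the listed revision or later, also counting a patch as present when another installed patch lists it under Obsoletes. It assumes the usual `Patch: ... Obsoletes: ... Requires: ...` line layout; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the required Solaris 8 patches against `showrev -p`.
# On a real host:  showrev -p | check_patches 110383-01 108528-05 112438-01

check_patches() {
    # $@ = required patches as base-rev; stdin = `showrev -p` output
    awk -v required="$*" '
    function note(id,   p) {        # remember the highest revision seen per base ID
        split(id, p, "-")
        if (!(p[1] in have) || p[2] + 0 > have[p[1]]) have[p[1]] = p[2] + 0
    }
    $1 == "Patch:" {
        note($2)
        # IDs between "Obsoletes:" and "Requires:" are superseded by this patch
        for (i = 3; i <= NF && $i != "Requires:"; i++)
            if ($i != "Obsoletes:") { id = $i; sub(/,$/, "", id); note(id) }
    }
    END {
        n = split(required, req, " ")
        for (i = 1; i <= n; i++) {
            split(req[i], r, "-")
            if ((r[1] in have) && have[r[1]] >= r[2] + 0)
                printf "OK       %s (have -%02d)\n", req[i], have[r[1]]
            else { printf "MISSING  %s\n", req[i]; missing++ }
        }
        exit (missing > 0)          # non-zero status when anything is missing
    }'
}

# Constructed sample of `showrev -p` output (not captured from a real system).
sample_showrev() {
    cat <<'EOF'
Patch: 108528-13 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu, SUNWcsr
Patch: 110383-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsl
EOF
}

sample_showrev | check_patches 110383-01 108528-05 112438-01 ||
    echo "one or more required patches are missing"
```

Add 109234-02 to the argument list when the host will run the Apache 1.3.12 Web Server.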



TABLE 1-4 lists and describes recommended Solaris 8 patches.

TABLE 1-4 Recommended Solaris 8 Patches for Sun Crypto Accelerator 1000 Software

| Patch-ID  | Description                   |
|-----------|-------------------------------|
| 108528-13 | KU-13 (nvpair security fixes) |


Solaris 9 Patches

There are currently no required or recommended Solaris 9 patches.