C H A P T E R  7

Diagnostics and Troubleshooting

This chapter describes diagnostic tests and troubleshooting for the Sun Crypto Accelerator 1000 software. This chapter includes the following sections:


SunVTS Diagnostic Software

The SunVTS test dcatest, delivered in package SUNWdcav on the Sun Crypto Accelerator 1000 CD, operates with the core SunVTS test control and user interface, delivered in packages SUNWvts and SUNWvtsx on the Solaris Supplement CD, to provide diagnostics for the Sun Crypto Accelerator 1000 board.

Refer to the SunVTS documentation for instructions on how to run and monitor these diagnostics tests. These documents are available on the Solaris on Sun Hardware AnswerBook; which is provided on the Solaris Supplement CD for the Solaris release on your system.



Note - SunVTS can be used only if you have installed the SunVTS packages from the Solaris Supplement CD.




procedure icon  To Run dcatest

1. As superuser, start SunVTS.

# /opt/SUNWvts/bin/sunvts

Refer to the SunVTS User's Guide for detailed instructions on starting SunVTS.

The following instructions assume that you have started SunVTS using the CDE user interface.

2. On the SunVTS Diagnostic main window, set the System Map to Logical mode.



Note - Physical mode is supported; however, this procedure assumes you are using Logical mode.



3. Disable all tests by clearing their check boxes.

4. Select the check box for Cryptography, then select the plus box for Cryptography to display all tests in the Cryptography group.

5. Clear check boxes in the Cryptography group that are not named dcatest.

  • If a dcatest is displayed then go to Step 6.
  • If a dcatest is not displayed, probe the system to find it by selecting Reprobe system in the Commands drop down menu.

Refer to the SunVTS documentation for the exact procedure. When the probe completes and a dcatest is displayed, continue to Step 6.

6. Click one of the instances of dcatest then right-click and drag to display the Test Parameter Options.

These options, which only pertain to the dcatest, are described in Test Parameter Options for dcatest.

7. After you have made all selections, click Apply from the Within Instance drop-down to change the selected instance of dcatest, or select Apply from the Across All Instances drop-down to change all checked instances of dcatest.

This action removes the pop-up and returns you to the Sun Diagnostic main window.

8. Click one of the instances of dcatest then right-click and drag to display the Test Execution Options.

An alternate method of displaying Test Execution Options is to click the Options drop-down main menu; then click Test Executions. These options are generic SunVTS controls that affect all tests. Refer to the SunVTS documentation for detailed information.

9. When you have made all selections, click Apply to remove the pop-up window and return to the Sun Diagnostic main window.

10. Click Start to run the selected tests.

11. Click Stop to stop all tests.

Test Parameter Options for dcatest

TABLE 7-1 describes the dcatest subtests.

TABLE 7-1 dcatest Subtests

Test Name

Description

3DES

Tests 3DES bulk encryption

RSA

Tests RSA public and private keys

DSA

Tests DSA signature verification

RNG

Test random number generation


dcatest Command-Line Syntax

If you choose to run dcatest from the command line instead of the CDE environment, then all arguments must be specified in the command-line string.

In 32-bit mode, the path to dcatest is /opt/SUNWvts/bin/. In 64-bit mode, the path to dcatest is /opt/SUNWvts/bin/sparcv9/.

All SunVTS standard options are supported from the command line interface for dcatest. Test-specific options are specified with the -o argument.

Refer to the SunVTS Test Reference Manual for a definition of the standard command-line arguments. The dcatest is a Functional Mode test; therefore, -f must be included. Include -u to display a usage message, or -v for VERBOSE messages. Items enclosed in square brackets denote optional entries.

The following is an example of invoking dcatest in 32-bit mode as a standalone program. The following command performs all subtests on dca0:

# /opt/SUNWvts/bin/dcatest -f -o dev=dca0,tl=3DES+RSA+DSA+RNG

The following is an example of invoking dcatest in 64-bit mode from the SunVTS infrastructure. The following command tests RCA on dca2:

# /opt/SUNWvts/bin/sparcv9/dcatest -f -o dev=dca2,tl=RSA

When running dcatest from the command line, omission of an option produces the default behavior for that option, as stated in TABLE 7-2.

TABLE 7-2 dcatest Command-Line Syntax

Option

Description

dev=dcan

Specifies the instance of the device to test such as dca0 or dca2. Defaults to dca0 if not included.

tl=testlist

Specifies the list of subtests to be run. The subtests for tl are separated by + (plus) characters. The only supported subtests are 3DES, RSA, DSA, and RNG, so tl=3DES+RSA+DSA+RNG turns all subtests on. You can also insert tl=all which runs all tests. Defaults to all if no subtests are specified.



Troubleshooting the Sun Crypto Accelerator 1000

To determine whether the Sun Crypto Accelerator 1000 device is listed in the system: from the OpenBoot PROM (OBP) prompt, type show-devs to display the list of devices. You should see lines in the list of devices, similar to the examples below, specific to the Sun Crypto Accelerator 1000 board:

ok show-devs
 . . .
/pci@1f,0/pci@1/pci108e,5455@2
 . . .

In the above example, the pci108e,5455 identifies the device path to the Sun Crypto Accelerator 1000 board. There is no firmware on this board, so OBP level diagnostics are not available.

The Sun Crypto Accelerator 1000 board does not contain lights or other indicators to reflect cryptographic activity on the board. In order to determine whether cryptographic work requests are actually being performed on the board, use the kstat(1M) command to display the device usage:

# kstat -m dca -i 0 -n dca0
 
module: dca                     instance: 0     
name:   dca0                    class:    misc                          
        3desbytes               3040
        3desjobs                5
        crtime                  65.342725895
	    dsasign                 0
	    dsaverify               0
	    rngbytes                10592
	    rngjobs                 187
	    rngsha1bytes            16328
	    rngsha1jobs             327
	    rsaprivate              9
	    rsapublic               0
	    snaptime                106956.467004482

Displaying the kstat information indicates whether cryptographic requests or "jobs" are being sent to the Sun Crypto Accelerator 1000 board. A change in the "jobs" values over time indicates that the board is accelerating cryptographic work requests sent to the Sun Crypto Accelerator 1000 board. If cryptographic work requests are not being sent to the board, verify your web server configuration per the web server specific configuration.

Do not attempt to interpret the kernel/driver statistic values returned by kstat(1M). These values are maintained within the driver to facilitate field support. The meanings and actual names may change over time.



Note - If the nostats property is defined in the /kernel/drv/dca.conf file, the capture and display of statistics will be disabled. This property may be used to help prevent traffic analysis.