CHAPTER 1
Product Overview
This chapter provides an overview of the Sun Crypto Accelerator 4000 board, and contains the following sections:
The Sun Crypto Accelerator 4000 board is a Gigabit Ethernet-based network interface card that supports cryptographic hardware acceleration for IPsec and SSL (both symmetric and asymmetric) on Sun servers. In addition to operating as a standard Gigabit Ethernet network interface card for unencrypted network traffic, the board contains cryptographic hardware to support a higher throughput for encrypted IPsec traffic than the standard software solution.
The Sun Crypto Accelerator 4000 board is interoperable with existing Ethernet equipment assuming standard Ethernet minimum and maximum frame size (64 to 1518 bytes), frame format, and compliance with the following standards and protocols:
The Sun Crypto Accelerator 4000 boards are designed to comply with the security requirements for cryptographic modules as documented in the Federal Information Processing Standard (FIPS) 140-2, Level 3.
The board supports the following protocols:
The board accelerates the following IPsec functions:
The board accelerates the following SSL functions:
The Sun Crypto Accelerator 4000 board accelerates cryptographic algorithms in both hardware and software. The reason for this complexity is that the cost of accelerating cryptographic algorithms is not uniform across all algorithms. Some cryptographic algorithms were designed specifically to be implemented in hardware, others were designed to be implemented in software. For hardware acceleration, there is the additional cost of moving data from the user application to the hardware acceleration device, and moving the results back to the user application. Note that a few cryptographic algorithms can be performed by highly tuned software as quickly as they can be performed in dedicated hardware.
The Sun Crypto Accelerator 4000 driver (vca) examines each cryptographic request and determines the best location for the acceleration (host processor or Sun Crypto Accelerator 4000), to achieve maximum throughput. Load distribution is based on the cryptographic algorithm, the current job load, and the data size.
The Sun Crypto Accelerator 4000 board accelerates the following IPsec algorithms.
The Sun Crypto Accelerator 4000 board accelerates the following SSL algorithms.
Diffie-Hellman (Apache only) and RSA (up to 2048-bit key), DSA
TABLE 1-3 shows which SSL accelerated algorithms may be off-loaded to hardware and which software algorithms are provided for Sun ONE and Apache Web Servers.
The Sun Crypto Accelerator 4000 bulk encryption feature for Sun ONE server software is disabled by default. You must manually enable this feature by creating a file and restarting the Sun ONE server software.
To enable Sun ONE server software to use bulk encryption on the Sun Crypto Accelerator 4000 board, you simply create an empty file in the /etc/opt/SUNWconn/cryptov2/ directory named sslreg, and restart the server software.
# touch /etc/opt/SUNWconn/cryptov2/sslreg
To disable the bulk encryption feature, you must delete the sslreg file and restart the server software.
# rm /etc/opt/SUNWconn/cryptov2/sslreg
The bulk encryption feature for Apache Web Server software is enabled by default and cannot be disabled.
The Sun Crypto Accelerator 4000 hardware is a full size (4.2 inches x 12.283 inches) cryptographic accelerator PCI Gigabit Ethernet adapter that enhances the performance of IPsec and SSL on Sun servers.
The Sun Crypto Accelerator 4000 board encrypts and decrypts IPsec packets in hardware, offloading this high-overhead operation from the SPARC processor. The cryptographic hardware also supports general asymmetric and symmetric cryptographic operations for use in other applications and contains a hardware source of random numbers.
Note - No IPsec configuration or tuning is required to use the Sun Crypto Accelerator 4000 board for IPsec acceleration. You simply install the Sun Crypto Accelerator 4000 packages and reboot.
Once the Sun Crypto Accelerator 4000 board and packages are installed, any existing IPsec configuration and any future IPsec configuration will use the Sun Crypto Accelerator 4000 board instead of the core Solaris software. The board handles any supported IPsec algorithm listed in TABLE 1-1. IPsec algorithms not supported by the Sun Crypto Accelerator 4000 board will continue to be handled by the core Solaris encryption software. The configuration of IPsec is documented in the System Administration Guide of the Solaris System Administrator Collection at http://docs.sun.com.
The Sun Crypto Accelerator 4000 MMF adapter is a single-port Gigabit Ethernet fiber optics PCI bus card. It operates in 1000 Mbps Ethernet networks only.
See TABLE 1-4. The LEDs on the MMF adapter indicate the following states:
- On when the board is in the HALTED (fatal error) state or low-level hardware initialization failed.
- On in the POST, DIAGNOSTICS, and FAILSAFE (firmware not upgraded) states.
- On in the POST, DIAGNOSTICS, and DISABLED (driver not attached) states.
- On if the security officer has initialized the board with vcaadm. See Initializing the Sun Crypto Accelerator 4000 Board With vcaadm.
- On when operating in FIPS 140-2 Level 3 certified mode. Off when in non-FIPS mode.
The Sun Crypto Accelerator 4000 UTP adapter is a single-port Gigabit Ethernet copper-based PCI bus card. It can be configured to operate in 10, 100, or 1000 Mbps Ethernet networks.
See TABLE 1-5. The LEDs on the UTP adapter indicate the following states:
- On when the board is in the HALTED (fatal error) state or low-level hardware initialization failed.
- On in the POST, DIAGNOSTICS, and FAILSAFE (firmware not upgraded) states.
- On in the POST, DIAGNOSTICS, and DISABLED (driver not attached) states.
- On if the security officer has initialized the board with vcaadm. See Initializing the Sun Crypto Accelerator 4000 Board With vcaadm.
- On when operating in FIPS 140-2 Level 3 certified mode. Off when in non-FIPS mode.
Note - The service pack numbers (SP9 or SP1) are implied whenever Sun ONE Web Server 4.1 or 6.0 is mentioned.
The Sun Crypto Accelerator 4000 hardware and associated software provide the capability to work effectively on Sun platforms supporting Dynamic Reconfiguration (DR) and hot-plugging. During a DR or hot-plug operation, the Sun Crypto Accelerator 4000 software layer automatically detects the addition or removal of a board and adjusts the scheduling algorithms to accommodate the change in hardware resources.
For High Availability (HA) configurations, multiple Sun Crypto Accelerator 4000 boards can be installed within a system or domain to ensure that hardware acceleration is continuously available. In the unlikely event of a Sun Crypto Accelerator 4000 hardware failure, the software layer detects the failure and removes the failed board from the list of available hardware cryptographic accelerators. Sun Crypto Accelerator 4000 adjusts the scheduling algorithms to accommodate the reduction in hardware resources. Subsequent cryptographic requests are scheduled to the remaining boards.
Note that the Sun Crypto Accelerator 4000 hardware provides a source for high-quality entropy for the generation of long-term keys. If all the Sun Crypto Accelerator 4000 boards within a domain or system are removed, long-term keys are generated with lower-quality entropy.
The Sun Crypto Accelerator 4000 software distributes load across as many boards as are installed within the Solaris domain or system. Incoming cryptographic requests are distributed across the boards based on fixed-length work queues. Cryptographic requests are directed to the first board, and subsequent requests stay directed to the first board until it is running at full capacity. Once the first board is running at full capacity, further requests are queued to the first board available that can accept the request of this type. The queueing mechanism is designed to optimize throughput by facilitating request coalescing at the board.
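The following is an added model (not Sun's vca driver code) of the scheduling behaviour described in the DR/hot-plug, HA, and load-distribution paragraphs above: fixed-length per-board work queues, requests staying on the first board until it is full, fallthrough to the first board that can accept a request of that type, and removal of a board redirecting later requests. Board names, algorithm names, queue lengths, and the "solaris-software" fallback label are constructed for the illustration.

```python
from collections import deque

SOFTWARE = "solaris-software"  # constructed label: algorithms no board supports stay in Solaris software

class Board:
    def __init__(self, name, algorithms, queue_len):
        self.name = name
        self.algorithms = frozenset(algorithms)
        self.queue_len = queue_len          # fixed-length work queue
        self.queue = deque()

    def accepts(self, algorithm):
        return algorithm in self.algorithms and len(self.queue) < self.queue_len

class Scheduler:
    def __init__(self, boards):
        self.boards = list(boards)          # install order is dispatch preference

    def dispatch(self, request_id, algorithm):
        """Return the unit that took the request; None if every capable board is full."""
        if not any(algorithm in b.algorithms for b in self.boards):
            return SOFTWARE
        for board in self.boards:           # first board able to accept this request type
            if board.accepts(algorithm):
                board.queue.append((request_id, algorithm))
                return board.name
        return None                         # caller holds the request until a slot frees

    def complete(self, board_name):
        """A board finished its oldest request, freeing one queue slot."""
        for board in self.boards:
            if board.name == board_name and board.queue:
                return board.queue.popleft()
        return None

    def remove_board(self, board_name):
        """DR/hot-plug removal or failure: later requests go to the remaining boards."""
        self.boards = [b for b in self.boards if b.name != board_name]

def demo():
    sched = Scheduler([Board("vca0", {"AES", "3DES", "RSA"}, 2),
                       Board("vca1", {"AES", "3DES", "RSA"}, 2)])
    placed = [sched.dispatch(i, "AES") for i in range(5)]  # vca0 fills, then vca1, then None
    sched.complete("vca0")                                  # frees a slot on the first board
    placed.append(sched.dispatch(5, "RSA"))
    sched.remove_board("vca0")                              # hot-plug removal
    sched.complete("vca1")
    placed.append(sched.dispatch(6, "3DES"))
    placed.append(sched.dispatch(7, "not-on-board"))        # handled by Solaris software
    return placed
```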
TABLE 1-6 provides a summary of the hardware and software requirements for the Sun Crypto Accelerator 4000 adapter.
Refer to the Sun Crypto Accelerator 4000 Board Release Notes for additional required patch information.
The following patches may be required to run the Sun Crypto Accelerator 4000 board on your system. Solaris updates contain patches to previous releases. Use the showrev -p command to determine whether the listed patches have already been installed.
You can download the patches from the following web site: http://sunsolve.sun.com.
Install the latest version of the patches. The dash number (-01, for example) becomes higher with each new revision of the patch. If the version on the web site is higher than that shown in the following tables, it is simply a later version.
If the patch you need is not available on SunSolve, contact your local sales or service representative.
If you plan to use the Apache Web Server, you must also install Patch 109234-09. Once the SUNWkcl2a package is added, the system will be configured with Apache Web Server mod_ssl 1.3.26.
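As an added example (not part of Sun's documentation), the check described above can be scripted: parse the output of showrev -p and treat a patch as satisfied when the same base number is installed at the listed dash revision or a later one. The only patch id taken from this chapter is 109234-09; the other ids and the showrev output below are constructed samples.

```python
import re

# One "Patch: <base>-<rev> ..." line per installed patch in `showrev -p` output.
PATCH_RE = re.compile(r"^Patch:\s+(\d+)-(\d+)\b", re.MULTILINE)

def installed_patches(showrev_output):
    """Map patch base id -> highest installed dash revision."""
    found = {}
    for base, rev in PATCH_RE.findall(showrev_output):
        found[base] = max(found.get(base, -1), int(rev))
    return found

def parse_patch_id(patch_id):
    base, rev = patch_id.split("-")
    return base, int(rev)

def missing_patches(required, showrev_output):
    """Return the required patch ids that are absent or installed only at an older revision."""
    installed = installed_patches(showrev_output)
    missing = []
    for patch_id in required:
        base, rev = parse_patch_id(patch_id)
        if installed.get(base, -1) < rev:
            missing.append(patch_id)
    return missing

# Constructed sample of `showrev -p` output (package lists shortened).
SAMPLE_SHOWREV = """\
Patch: 109234-10 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWapchr, SUNWapchu
Patch: 123456-13 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr
Patch: 123456-15 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr
"""

if __name__ == "__main__":
    # 109234-09 is satisfied by the installed -10; the two constructed ids are not.
    print(missing_patches(["109234-09", "123456-20", "111111-01"], SAMPLE_SHOWREV))
```

On a live system, feed the function the text of `showrev -p` (for example via subprocess) instead of the sample.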
The following tables list required and recommended Solaris 8 patches to use with this product. TABLE 1-7 lists and describes required patches.
Copyright © 2003, Sun Microsystems, Inc. All rights reserved.