CHAPTER 1

Product Overview

This chapter provides an overview of the Sun Crypto Accelerator 4000 board, and contains the following sections:


Product Features

The Sun Crypto Accelerator 4000 board is a Gigabit Ethernet-based network interface card that supports cryptographic hardware acceleration for IPsec and SSL (both symmetric and asymmetric) on Sun servers. In addition to operating as a standard Gigabit Ethernet network interface card for unencrypted network traffic, the board contains cryptographic hardware to support a higher throughput for encrypted IPsec traffic than the standard software solution.

Once installed, the board is initialized and configured with the vcaadm utility, which manages the keystore and user information and determines the level of security in which the board operates. Once a keystore and a security officer account are configured, the Sun ONE Web and Application Servers or the Apache Web Server can be configured to use the board for SSL acceleration with the iplsslcfg and apsslcfg scripts. The Sun ONE Directory, Messaging, and Portal Servers can also be configured to use the board for SSL acceleration with the Sun ONE administration console and the modutil and certutil utilities. Additionally, most applications that use a PKCS#11 interface for keystore and cryptographic services can use the board.

Key Protocols and Interfaces

The Sun Crypto Accelerator 4000 board is interoperable with existing Ethernet equipment assuming standard Ethernet minimum and maximum frame size (64 to 1518 bytes), frame format, and compliance with the following standards and protocols:

Key Features

The Sun Crypto Accelerator 4000 boards are designed to comply with the security requirements for cryptographic modules as documented in the Federal Information Processing Standard (FIPS) 140-2, Level 3.

Supported Applications

Supported Cryptographic Protocols

The board supports the following protocols:

The board accelerates the following IPsec functions:

* When configured for in-line IPsec acceleration (See In-Line IPsec Hardware Acceleration)

The board accelerates the following SSL functions:

Diagnostic Support

Cryptographic Algorithm Acceleration

The board accelerates cryptographic algorithms in both hardware and software. The reason for this complexity is that the cost of accelerating cryptographic algorithms is not uniform across all algorithms. Some cryptographic algorithms were designed specifically to be implemented in hardware, others were designed to be implemented in software. For hardware acceleration, there is the additional cost of moving data from the user application to the hardware acceleration device, and moving the results back to the user application. Note that a few cryptographic algorithms can be performed by highly tuned software as quickly as they can be performed in dedicated hardware.

Supported Cryptographic Algorithms

The Sun Crypto Accelerator 4000 driver (vca) examines each cryptographic request and determines the best location for the acceleration (host processor or Sun Crypto Accelerator 4000), to achieve maximum throughput. Load distribution is based on the cryptographic algorithm, the current job load, and the data size.

The board accelerates the following IPsec algorithms.

TABLE 1-1 IPsec Cryptographic Algorithms

  Type        Algorithm
  Symmetric   DES, 3DES
  Hash*       MD5, SHA1

* When configured for in-line IPsec hardware acceleration.

The board accelerates the following SSL algorithms.

TABLE 1-2 SSL Cryptographic Algorithms

  Type         Algorithm
  Symmetric    DES, 3DES, ARCFOUR
  Asymmetric   Diffie-Hellman (Apache only) and RSA (up to 2048 bit key), DSA
  Hash         MD5, SHA1


IPsec Acceleration

The board supports two forms of IPsec acceleration: out-of-band and in-line. Both configurations offload high-overhead cryptographic operations from the SPARC® processor to the board. See Configuring IPsec Hardware Acceleration.

TABLE 1-3 Accelerated IPsec Algorithms

  Algorithm   Out-of-Band   In-Line
  DES         X             X
  3DES        X             X
  MD5                       X
  SHA1                      X


Out-of-Band IPsec Hardware Acceleration

When the board is configured for out-of-band IPsec acceleration, supported encryption and decryption operations are accelerated in hardware when installed on a Solaris 9 (or later) system. All IPsec specific packet processing is performed by the host Solaris IPsec software. See Enabling Out-of-Band IPsec Acceleration.



Note - No IPsec configuration or tuning is required to use the board for out-of-band IPsec acceleration in Solaris 9. You simply install the Sun Crypto Accelerator 4000 packages and reboot.



In-Line IPsec Hardware Acceleration

When configured for in-line IPsec acceleration, supported encryption, decryption, and authentication operations are accelerated in hardware when installed on a Solaris 9 12/03 (or later) system. Portions of the IPsec specific packet processing are performed directly by the board. See Enabling In-Line IPsec Acceleration for instructions on how to configure the board for in-line IPsec acceleration.

SSL Acceleration

TABLE 1-4 shows which SSL accelerated algorithms may be off-loaded to hardware and which software algorithms are provided for Sun ONE and Apache Web Servers.

TABLE 1-4 Supported SSL Algorithms

                   Sun ONE Web Servers       Apache Web Servers
  Algorithm        Hardware    Software      Hardware    Software
  RSA              X           X             X           X
  DSA              X           X             X           X
  ARCFOUR                      X                         X
  Diffie-Hellman                             X           X
  DES              X           X             X           X
  3DES             X           X             X           X
  MD5              X           X
  SHA1             X           X


Bulk Encryption

The Sun Crypto Accelerator 4000 bulk encryption feature for Sun ONE server software is disabled by default. You must manually enable this feature by creating a file and restarting the Sun ONE server software.

To enable Sun ONE server software to use bulk encryption on the board, you simply create an empty file in the /etc/opt/SUNWconn/cryptov2/ directory named sslreg, and restart the server software.

# touch /etc/opt/SUNWconn/cryptov2/sslreg

To disable the bulk encryption feature, you must delete the sslreg file and restart the server software.

# rm /etc/opt/SUNWconn/cryptov2/sslreg

The bulk encryption feature for Apache Web Server software is enabled by default and cannot be disabled.
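
The following shell functions are an added example and are not part of the Sun manual or the Sun Crypto Accelerator 4000 software. They wrap the sslreg flag file described above so that an administrator can check the current state before restarting the Sun ONE server, and they refuse to create the flag when the product's configuration directory is absent. The SCA_CONF_DIR override is an assumption introduced here so the functions can be exercised against a scratch directory; the default is the path given in the text.

```shell
#!/bin/sh
# Added example (not Sun's code): query and toggle the Sun ONE bulk encryption flag.
# SCA_CONF_DIR is an assumed override for testing; the default is the real location.
SCA_CONF_DIR=${SCA_CONF_DIR:-/etc/opt/SUNWconn/cryptov2}

# bulk_status : print "enabled" or "disabled" for Sun ONE server software and
# return 0 when enabled, 1 when disabled. (Apache bulk encryption is always on.)
bulk_status() {
  if [ -f "$SCA_CONF_DIR/sslreg" ]; then
    echo enabled
    return 0
  fi
  echo disabled
  return 1
}

# bulk_enable : create the sslreg flag. Returns 0 if the state changed (a Sun ONE
# server restart is then needed), 1 if it was already enabled, 2 if the product's
# configuration directory does not exist (the software is probably not installed).
bulk_enable() {
  if [ ! -d "$SCA_CONF_DIR" ]; then
    echo "$SCA_CONF_DIR not found: is the Sun Crypto Accelerator 4000 software installed?" >&2
    return 2
  fi
  [ -f "$SCA_CONF_DIR/sslreg" ] && return 1
  touch "$SCA_CONF_DIR/sslreg"
}

# bulk_disable : remove the sslreg flag. Returns 0 if the state changed (restart
# needed), 1 if it was already disabled.
bulk_disable() {
  [ -f "$SCA_CONF_DIR/sslreg" ] || return 1
  rm "$SCA_CONF_DIR/sslreg"
}
```

Use the return code of bulk_enable or bulk_disable to decide whether the Sun ONE server software actually has to be restarted: a change of state returns 0, a no-op returns 1.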


Hardware Overview

The Sun Crypto Accelerator 4000 hardware is a full-size (4.2 inches x 12.283 inches) cryptographic accelerator PCI Gigabit Ethernet adapter that enhances the performance of IPsec and SSL on Sun servers.

Sun Crypto Accelerator 4000 MMF Adapter

The Sun Crypto Accelerator 4000 MMF adapter is a single-port Gigabit Ethernet fiber optics PCI bus card. It operates in 1000 Mbps Ethernet networks only.

FIGURE 1-1 Sun Crypto Accelerator 4000 MMF Adapter (illustration of the top view of the MMF adapter)

LED Displays

TABLE 1-5 Front Panel Display LEDs for the MMF Adapter

  Label (Color)     Meaning if Lit

  FAULT (Red)       On when the board is in the HALTED (fatal error) state or low-level
                    hardware initialization failed. Flashing if an error occurred during
                    the boot process.
  DIAG (Green)      On in the POST, DIAGNOSTICS, and FAILSAFE (firmware not upgraded)
                    states. Flashing when running DIAGNOSTICS.
  OPERATE (Green)   On in the POST, DIAGNOSTICS, and DISABLED (driver not attached)
                    states. Flashing in the IDLE, OPERATIONAL, and FAILSAFE states.
  INIT (Green)      On if the security officer has initialized the board with vcaadm
                    (see Initializing the Board With vcaadm). Flashing if the ZEROIZE
                    jumper is present.
  FIPS (Green)      On when operating in FIPS 140-2 Level 3 certified mode. Off when in
                    non-FIPS mode.
  LINK (Green)      On when the link is up.


Sun Crypto Accelerator 4000 UTP Adapter

The Sun Crypto Accelerator 4000 UTP adapter is a single-port Gigabit Ethernet copper-based PCI bus card. It can be configured to operate in 10, 100, or 1000 Mbps Ethernet networks.

FIGURE 1-2 Sun Crypto Accelerator 4000 UTP Adapter (illustration of the top view of the UTP adapter)

LED Displays

TABLE 1-6 Front Panel Display LEDs for the UTP Adapter

  Label (Color)                Meaning if Lit

  FAULT (Red)                  On when the board is in the HALTED (fatal error) state or
                               low-level hardware initialization failed. Flashing if an
                               error occurred during the boot process.
  DIAG (Green)                 On in the POST, DIAGNOSTICS, and FAILSAFE (firmware not
                               upgraded) states. Flashing when running DIAGNOSTICS.
  OPERATE (Green)              On in the POST, DIAGNOSTICS, and DISABLED (driver not
                               attached) states. Flashing in the IDLE, OPERATIONAL, and
                               FAILSAFE states.
  INIT (Green)                 On if the security officer has initialized the board with
                               vcaadm (see Initializing the Board With vcaadm). Flashing
                               if the ZEROIZE jumper is present.
  FIPS (Green)                 On when operating in FIPS 140-2 Level 3 certified mode.
                               Off when in non-FIPS mode.
  1000 (Green)                 On when using Gigabit Ethernet.
  ACTIVITY (Amber, no label)   On when the link is transmitting or receiving.
  LINK (Green, no label)       On when the link is up.




Note - The service pack numbers (SP9 or SP1) are implied whenever Sun ONE Web Server 4.1 or 6.0 is mentioned.



Dynamic Reconfiguration and High Availability

The Sun Crypto Accelerator 4000 hardware and associated software provides the capability to work effectively on Sun platforms supporting Dynamic Reconfiguration (DR) and hot-plugging. During a DR or hot-plug operation, the Sun Crypto Accelerator 4000 software layer automatically detects the addition or removal of a board, and adjusts the scheduling algorithms to accommodate the change in hardware resources.

For High Availability (HA) configurations, multiple Sun Crypto Accelerator 4000 boards can be installed within a system or domain to ensure that hardware acceleration is continuously available. In the unlikely event of a Sun Crypto Accelerator 4000 hardware failure, the software layer detects the failure and removes the failed board from the list of available hardware cryptographic accelerators. The Sun Crypto Accelerator 4000 software then adjusts the scheduling algorithms to accommodate the reduction in hardware resources, and subsequent cryptographic requests are scheduled to the remaining boards.

Note that the Sun Crypto Accelerator 4000 hardware provides a source for high-quality entropy for the generation of long-term keys. If all the Sun Crypto Accelerator 4000 boards within a domain or system are removed, long-term keys are generated with lower-quality entropy.

Load Sharing

The Sun Crypto Accelerator 4000 software distributes load across as many boards as are installed within the Solaris domain or system. Incoming cryptographic requests are distributed across the boards based on fixed-length work queues. Cryptographic requests are directed to the first board, and subsequent requests stay directed to the first board until it is running at full capacity. Once the first board is running at full capacity, further requests are queued to the next board available that can accept the request of this type. The queueing mechanism is designed to optimize throughput by facilitating request coalescing at the board.
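
The following script is an added example and is not the vca driver's code. It models the load-sharing policy described above: boards are tried in order, and a request is placed on the first board whose fixed-length queue still has room and which accepts that request type, so the first board fills completely before the second receives anything. The queue length, the per-board type lists (board 2 is assumed not to be configured for in-line IPsec, so it accepts no hash requests, following TABLE 1-1), and the request stream are assumptions chosen for the model; queued requests are never retired, so the output shows the fill order only.

```shell
#!/bin/sh
# Added example (not Sun's vca driver code): a model of first-board-fills-first load
# sharing over fixed-length per-board work queues.

QUEUE_LEN=3      # assumed queue length per board (the real value is not documented here)

# Per-board accepted request types, in board order. Assumption for the model: board 2
# is not configured for in-line IPsec and therefore accepts no MD5/SHA1 requests.
BOARD_TYPES="des,3des,md5,sha1 des,3des des,3des,md5,sha1"

# place_requests "TYPE TYPE ..." : print "TYPE -> boardN" for each request in order,
# or "TYPE -> none" when every board able to take that type is already full.
place_requests() {
  echo "$1" | awk -v boards="$BOARD_TYPES" -v qlen="$QUEUE_LEN" '
    BEGIN { nb = split(boards, types, " ") }
    {
      for (r = 1; r <= NF; r++) {
        placed = "none"
        # Try boards in order; stop at the first one with room that accepts the type.
        for (b = 1; b <= nb; b++) {
          if (used[b] + 0 < qlen + 0 && index("," types[b] ",", "," $r ",") > 0) {
            used[b]++
            placed = "board" b
            break
          }
        }
        print $r " -> " placed
      }
    }'
}

# Constructed request stream for illustration.
place_requests "des des md5 des 3des sha1 md5 des"
```

In the sample stream the first three requests land on board 1; the fourth DES request spills to board 2 only because board 1 is full; the SHA1 request skips board 2 (which cannot accept hashes) and goes to board 3. This is the behaviour to expect when watching per-board utilisation: uneven load across boards is by design, not a fault.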


Hardware and Software Requirements

TABLE 1-7 provides a summary of the hardware and software requirements for the Sun Crypto Accelerator 4000 adapter.

TABLE 1-7 Hardware and Software Requirements

  Hardware and Software   Requirements
  Hardware                Sun Fire™ V120, V210, V240, 280R, V480, V880, 4800, 4810, 6800,
                          12K, 15K; Netra™ 20 (lw4); Sun Blade™ 100, 150, 1000, 2000
  Operating Environment   Solaris 8 2/02 and future compatible releases (Solaris 9 is
                          required for IPsec acceleration.)


Required Patches

Refer to the Sun Crypto Accelerator 4000 Board Version 1.1 Release Notes for detailed required patch information.

The following patches are required to run the Sun Crypto Accelerator 4000 board on your system. Solaris updates contain patches to previous releases. Use the showrev -p command to determine whether the listed patches have already been installed.

You can download the patches from the following web site: http://sunsolve.sun.com

Install the latest version of the patches. The dash number (-01, for example) becomes higher with each new revision of the patch. If the version on the web site is higher than that shown in the following tables, it is simply a later version.

If the patch you need is not available at the SunSolve℠ web site, contact your local sales or service representative.

Apache Web Server Patch

If you plan to use the Apache Web Server with Solaris 8, you must install Patch 109234-09 before installing the Sun Crypto Accelerator 4000 software. Once the SUNWkcl2a package is added, the system will be configured with Apache Web Server mod_ssl 1.3.26.

Solaris 8 Patches

TABLE 1-8 lists the required Solaris 8 patches for the Sun Crypto Accelerator 4000 software.

TABLE 1-8 Required Solaris 8 Patches

  Patch ID    Description
  110383-01   libnvpair
  108528-23   KU-05 (nvpair support)
  112438-01   /dev/random
  110900-10   pcicfg, Sun Fire 15K support, and DR
  110824-04   DR
  110842-11   Bus speed and DR
  110839-04   Minor node and DLPI provider names
  109234-09   Apache support
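
The following script is an added example, not part of the Sun manual. It applies the rule given under Required Patches: read the output of showrev -p, find the highest installed revision of each patch in TABLE 1-8, and accept any dash number equal to or higher than the one listed, reporting patches that are missing or below the required revision. The showrev -p sample embedded in the script is constructed for illustration, not captured from a real system; the line layout follows the Patch: / Obsoletes: / Requires: / Incompatibles: / Packages: fields that showrev -p prints.

```shell
#!/bin/sh
# Added example (not Sun's code): check required patch revisions against `showrev -p`.
# A higher dash number than the one required is accepted, as the text above explains.

# Required Solaris 8 patches from TABLE 1-8.
REQUIRED_S8="110383-01 108528-23 112438-01 110900-10 110824-04 110842-11 110839-04 109234-09"

# Constructed sample of `showrev -p` output so the check can be exercised offline.
# On a real host pipe the live output instead:   showrev -p | patch_status "$REQUIRED_S8"
SAMPLE_SHOWREV='Patch: 110383-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsl
Patch: 108528-25 Obsoletes: 108876-01 Requires:  Incompatibles:  Packages: SUNWcsu, SUNWcsr
Patch: 112438-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr
Patch: 110900-08 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 110842-11 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu'

# installed_rev BASE : read showrev -p output on stdin and print the highest installed
# revision of patch BASE as a plain decimal number; print nothing if it is absent.
installed_rev() {
  awk -v base="$1" -v best=0 '
    $1 == "Patch:" { split($2, p, "-"); if (p[1] == base && p[2] + 0 > best) best = p[2] + 0 }
    END { if (best > 0) print best }'
}

# patch_status "ID-REV ..." : read showrev -p output on stdin, print OK / OUTDATED /
# MISSING for each required patch, and return the number of patches needing attention.
patch_status() {
  out=$(cat)
  failed=0
  for want in $1; do
    base=${want%-*}
    # Strip leading zeros so the shell does not read "08" as an (invalid) octal number.
    need=$(echo "${want#*-}" | sed 's/^0*\([0-9]\)/\1/')
    have=$(printf '%s\n' "$out" | installed_rev "$base")
    if [ -z "$have" ]; then
      echo "MISSING   $want"
      failed=$((failed + 1))
    elif [ "$have" -lt "$need" ]; then
      echo "OUTDATED  $want (installed revision $have)"
      failed=$((failed + 1))
    else
      echo "OK        $want (installed revision $have)"
    fi
  done
  return $failed
}

printf '%s\n' "$SAMPLE_SHOWREV" | patch_status "$REQUIRED_S8" ||
  echo "$? patch(es) need attention"
```

Against the constructed sample the script reports 108528-25 as OK (newer than the listed -23), 110900-08 as OUTDATED, and three patches as MISSING; the same list can be swapped for the TABLE 1-9 patch IDs on a Solaris 9 host.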


Solaris 9 Patches

TABLE 1-9 lists the required Solaris 9 patches for the Sun Crypto Accelerator 4000 software.

TABLE 1-9 Required Solaris 9 Patches

  Patch ID    Description
  113068-04   Bus speed, Sun Fire 15K support, and DR
  112838-08   pcicfg, DR, and Sun Fire 15K support
  113218-08   Gigabit performance and vca memory leak
  112904-08   Gigabit performance
  114758-01   Minor node and DLPI provider names
  112233-08   (only required for Solaris releases prior to Solaris 9 9/04)