| Sun Crypto Accelerator 4000 Board Version 1.1 Installation and User's Guide |    
|
| Sun Crypto Accelerator 4000 Board Version 1.1 Installation and User's Guide |
|
| C H A P T E R 4 |
|
Administering the Sun Crypto Accelerator 4000 Board |
This chapter provides an overview of administering the board with the vcaadm, vcad, vcadiag, pk11export, utilities. The following sections are included:
The vcaadm utility offers a command-line interface to the Sun Crypto Accelerator 4000 board. Only users designated as security officers are permitted to use the vcaadm utility. When you first connect to a Sun Crypto Accelerator 4000 board with vcaadm, you are prompted to create an initial security officer and password.
To access the vcaadm utility easily, place the Sun Crypto Accelerator 4000 tools directory in your search path, for example:
The vcaadm command-line syntax is:
|
Note - When using the -d attribute, vcaN is the board's device name, where the N corresponds to the Sun Crypto Accelerator 4000 device instance number. |
TABLE 4-1 shows the options for the vcaadm utility.
|
Note - The name sec-officer is used throughout this user's guide as an example security officer name. |
vcaadm can run in one of three modes. These modes differ mainly in how commands are passed into vcaadm. The three modes are Single-Command mode, File mode, and Interactive mode.
|
Note - To use vcaadm, you must authenticate as security officer. How often you need to authenticate as security officer is determined by which operating mode you are using. |
In Single-Command mode, you must authenticate as security officer for every command. Once the command is executed, you are logged out of vcaadm.
When entering commands in Single-Command mode, you specify the command to be run after all the command-line switches are specified. For example, in Single-Command mode, the following command would show all the users in a given keystore and return the user to the command shell prompt.
The following command performs a login as the security officer, sec-officer, and creates the user web-admin in the keystore.
$ vcaadm -s sec-officer create user web-admin Security Officer Password: Enter new user password: Confirm password: User web-admin created successfully. |
|
Note - The first password is for the security officer, followed by the password and confirmation for the new user web-admin. |
All output from Single-Command mode goes to the standard output stream. This output can be redirected using standard UNIX shell-based methods.
In File mode, you must authenticate as security officer for every file you run. You are logged out of vcaadm after the commands in the command file are executed.
To enter commands in File mode, you specify a file from which vcaadm reads one or more commands. The file must be ASCII text, consisting of one command per line. Begin each comment with a pound sign (#) character. If the File mode option is set, vcaadm ignores any command-line arguments after the last option. The following example runs the commands in the deluser.scr file and answers all prompts in the affirmative:
In Interactive mode, you must authenticate as security officer every time you connect to a board. This is the default operating mode for vcaadm. To log out of vcaadm in Interactive mode, use the logout command. Refer to Logging In and Out With vcaadm.
Interactive mode presents the user with an interface similar to ftp(1), where commands can be entered one at a time. The -y option is not supported in Interactive mode.
When you use vcaadm from the command line and specify host, port, and device using the -h, -p, and -d attributes respectively, you are immediately prompted to log in as security officer if a successful network connection was made.
The vcaadm utility establishes an encrypted network connection (channel) between the vcaadm application and the Sun Crypto Accelerator 4000 firmware running on a specific board.
During setup of the encrypted channel, boards identify themselves by their hardware Ethernet address and an RSA public key. A trust database ($HOME/.vcaadm/trustdb) is created the first time vcaadm connects to a board. This file contains all of the boards that are currently trusted by the security officer.
If the security officer connects to a new board, vcaadm notifies the security officer and prompt the following options:
1. Abort the connection 2. Trust the connection one time only (no changes to trust database) 3. Trust this board forever (adds the hardware ethernet address and RSA public key to the trust database) |
If the security officer connects to a board that has a remote access key that has been changed, vcaadm will notify the security officer and prompt the following three options:
1. Abort the connection 2. Trust the connection one time only (no changes to trust database) 3. Replace the old public key bound to this hardware ethernet address with the new public key |
|
Note - The remaining examples in this chapter were created with the Interactive mode of vcaadm. |
When connecting to a new board, vcaadm must create a new entry in the trust database. The following is an example of logging in to a new board.
When connecting to a board that has a changed remote access key, vcaadm must change the entry corresponding to the board in the trust database. The following is an example of logging in to a board with a changed remote access key.
The vcaadm prompt in Interactive mode is displayed as follows:
The following table describes the vcaadm prompt variables:
|
vca is a string that represents the Sun Crypto Accelerator 4000 board. N is the device instance number (unit address) that is in the device path name of the board. Refer to To Set Driver Parameters Using a vca.conf File for details on retrieving this number for a device. |
|
|
The name of the host for which the Sun Crypto Accelerator 4000 board is physically connected. hostname may be replaced with the physical host's IP address. |
|
|
The name of the security officer that is currently logged in to the board. |
If you are working in Interactive mode, you might want to disconnect from one board and connect to another board without completely exiting vcaadm. To disconnect from a board and log out, but remain in Interactive mode, use the logout command:
In the previous example, notice that the vcaadm> prompt no longer displays the device instance number, hostname, or security officer name. To log in to another device, type the connect command with the following optional parameters.
vcaadm{vcaN@hostname, sec-officer}> logout vcaadm> connect host hostname dev vca2 Security Officer Login: sec-officer Security Officer Password: vcaadm{vcaN@hostname, sec-officer}> |
vcaadm does not let you issue the connect command if you are already connected to a Sun Crypto Accelerator 4000 board. You must first log out and then issue the connect command.
Each new connection causes vcaadm and the target Sun Crypto Accelerator 4000 firmware to renegotiate new session keys to protect the administrative data that is sent.
The vcaadm utility has a command language that must be used to interact with the Sun Crypto Accelerator 4000 board. Commands are entered using all or part of a command (enough to uniquely identify that command from any other command). Entering sh instead of show would work, but re is ambiguous because it could be reset or rekey.
The following example shows entering commands using entire words:
vcaadm{vcaN@hostname, sec-officer}> show user User Status ----------------------------------------------------- web-admin enabled Tom enabled ----------------------------------------------------- |
The same information can be obtained in the previous example using partial words as commands, such as sh us.
An ambiguous command produces an explanatory response:
vcaadm has built-in help functions. To get help, you must enter a question mark (?) character following the command you want more help on. If an entire command is entered and a "?" exists anywhere on the line, you get the syntax for the command, for example:
You can also enter a question mark at the vcaadm prompt to see a list of all of the vcaadm commands and their description, for example:
When not in vcaadm Interactive mode, the "?" character could be interpreted by the shell in which you are working. In this case, be sure to use the command shell escape character before the question mark.
Two commands allow you to exit from vcaadm: quit and exit. The Ctrl-D key sequence also exits from vcaadm.
The first step in configuring a Sun Crypto Accelerator 4000 board is to initialize it. When you initialize a board it is necessary to create a keystore. (See Concepts and Terminology.) When you first connect to a Sun Crypto Accelerator 4000 board with vcaadm, you are prompted to initialize the board with a new keystore, or to initialize the board to use an existing keystore, which is stored in a backup file. vcaadm prompts you for all the required information for either type of board initialization.
1. Enter vcaadm at a command prompt of the system with the board installed or enter vcaadm -h hostname if the system is remote, and select 1 to initialize the board:
2. Create a keystore name (See Naming Requirements.):
3. Select FIPS 140-2 mode or non-FIPS mode.
When in FIPS mode the board is FIPS 140-2, level 3 compliant. FIPS 140-2 is a Federal Information Processing standard that requires tamper-resistance and a high level of data integrity and security. Refer to the FIPS 140-2 document located at:
http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf
4. Create an initial security officer name and password (See Naming Requirements.):
5. Verify the configuration information:
If you are adding multiple boards to a single keystore, you might want to initialize all of the boards to use the same keystore information. In addition, you might want to restore a Sun Crypto Accelerator 4000 board to the original keystore configuration. This section describes how to initialize a board to use an existing keystore which is stored in a backup file.
You must first create a backup file of an existing board configuration before performing this procedure. Creating and restoring a backup file requires a password to encrypt and decrypt the data in the backup file. (See Backing Up the Master Key.)
1. Enter vcaadm at a command prompt of the system with the Sun Crypto Accelerator 4000 board installed or enter vcaadm -h hostname if the system is remote, and select 2 to restore the board from a backup:
2. Enter the path and password to the backup file:
3. Verify the configuration information:
A keystore is a repository for key material. Associated with a keystore are security officers and users. Keystores not only provide storage, but a means for key objects to be owned by user accounts. This enables keys to be hidden from applications that do not authenticate as the owner. Keystores have three components:
Security officer names, user names, and keystore names must meet the following requirements:
|
63 characters for user names and 32 characters for keystore names |
|
Password requirements vary based on the current set passreq setting (low,
med, or high).
Use the set passreq command to set the password requirements for the Sun Crypto Accelerator 4000 board. This command sets the password character requirements for any password prompted by vcaadm. There are three settings for password requirements, as shown in the following table:
To change the password requirements, enter the set passreq command followed by low, med, or high. The following commands set the password requirements for a Sun Crypto Accelerator 4000 board to high:
vcaadm{vcaN@hostname, sec-officer}> set passreq high vcaadm{vcaN@hostname, sec-officer}> set passreq Password security level (low/med/high): high |
There may be more than one security officer for a keystore. Security officer names are known only within the domain of the Sun Crypto Accelerator 4000 board and do not need to be identical to any user name on the host system.
When creating a security officer, the name is an optional parameter on the command line. If the security officer name is omitted, vcaadm prompts you for the name. (See Naming Requirements.)
These user names are known only within the domain of the Sun Crypto Accelerator 4000 board and do not need to be identical to the UNIX user name for the web server process.
When creating a user, the user name is an optional parameter on the command line. If the user name is omitted, vcaadm prompts you for the user name. (See Naming Requirements.)
Users must use this password when authenticating during a web server startup.
|
Caution - Users must remember their password so they can access their keys. There is no way to retrieve a lost password. |
|
Note - The user account is logged out if no commands are entered for more than five minutes. This is a tunable option. See Setting the Auto-Logout Time for details. |
To list users or security officers associated with a keystore, enter the show user or show so commands.
Only security officer passwords may be changed with vcaadm. Security officers can change are their own password. Use the set password command to change security officer passwords.
vcaadm{vcaN@hostname, sec-officer}> set password Enter new security officer password: Confirm password: Security Officer password has been set. |
User passwords may be changed through the PKCS#11 interface with the Sun ONE Web Server modutil utility. Refer to the Sun ONE Web Server documentation for details.
|
Note - Security officers cannot be disabled. Once a security officer is created, it is enabled until it is deleted. |
By default each user is created in the enabled state. Users may be disabled. Disabled users cannot access their key material with the PKCS#11 interface. Enabling a disabled user restores access to all of that user's key material.
When enabling or disabling a user, the user name is an optional parameter on the command line. If the user name is omitted, vcaadm prompts you for the user name. To disable a user account, enter the disable user command.
vcaadm{vcaN@hostname, sec-officer}> disable user Tom User Tom disabled. vcaadm{vcaN@hostname, sec-officer}> disable user User name: web-admin User web-admin disabled. |
To enable an account, enter the enable user command.
vcaadm{vcaN@hostname, sec-officer}> enable user Tom User Tom enabled. vcaadm{vcaN@hostname, sec-officer}> enable user User name: web-admin User web-admin enabled. |
Issue the delete user command and specify the user to be deleted. When deleting a user, the user name is an optional parameter on the command line. If the user name is omitted, vcaadm prompts you for the user name.
Issue the delete so command and specify the security officer to be deleted. When deleting a security officer, the security officer name is an optional parameter on the command line. If the security officer name is omitted, vcaadm prompts you for the security officer name.
Keystores are stored on the disk and encrypted in a master key. This master key is stored in the Sun Crypto Accelerator 4000 firmware and can be backed up by a security officer.
To back up the master key, use the backup command. The backup command requires a path name to a backup file where the backup will be stored. This path name can be placed on the command line or if omitted, vcaadm prompts you for the path name.
A password must be set for the backup data. This password is used to encrypt the master key that is in the backup file.
vcaadm{vcaN@hostname, sec-officer}> backup /opt/SUNWconn/vca/backups/bkup.data Enter a password to protect the data: Confirm password: Backup to /opt/SUNWconn/vca/backups/bkup.data successful. |
A site might have a strict security policy that does not permit the master key for a Sun Crypto Accelerator 4000 board to leave the hardware. This can be enforced using the set lock command.
|
Caution - Once this command is issued, all attempts to back up the master key will fail. This lock persists even if the master key is rekeyed. The only way to clear this setting is to zeroize the Sun Crypto Accelerator 4000 board with the zeroize command. (See Performing a Software Zeroize on the Board.) |
This section describes how to manage Sun Crypto Accelerator 4000 boards with the vcaadm utility.
To customize the amount of time before a security officer is automatically logged out of the board, use the set timeout command. To change the auto-logout time, enter the set timeout command followed by the number of minutes before a security officer is automatically logged out. A value of 0 disables the automatic logout feature. The maximum delay is 1,440 minutes (1 day). A newly initialized board defaults to 5 minutes.
The following command changes the auto-logout time for a security officer to 10 minutes:
To get the current status of a Sun Crypto Accelerator 4000 board, issue the show status command. This command displays the hardware and firmware versions for that board, the MAC address of the network interface, the status (Up versus Down, speed, duplex, and so on) of the network interface, and the keystore name and ID.
If the Sun Crypto Accelerator 4000 board is operating in FIPS 140-2 mode, the show status command prints the following line:
If the board is not operating in FIPS 140-2 mode, the show status command does not print a line specifying FIPS 140-2 mode.
You can also use the kstat(1M) utility to determine if the board is operating in FIPS 140-2 mode. The kstat(1M) parameter, vs-mode, returns a value of FIPS if the board is operating in FIPS 140-2 mode. See Cryptographic and Ethernet Driver Operating Statistics and the online manual page for kstat(1M).
You can update the firmware for the Sun Crypto Accelerator 4000 board as new features are added. To load firmware, issue the loadfw command and provide a path to the firmware file.
A successful update of the firmware requires you to manually reset the board with the reset command. When you reset the board, the currently logged in security officer is logged out.
In certain situations, it might be necessary to reset the board. To do this, you must issue the reset command. You are asked if this is what you wish to do. Resetting a Sun Crypto Accelerator 4000 board might temporarily cease the acceleration of cryptography on the system unless there are other active Sun Crypto Accelerator 4000 boards able to take over the load. Also, this command automatically logs you out of vcaadm, so you must reconnect to the device by logging back into vcaadm if you wish to continue administering it.
vcaadm{vcaN@hostname, sec-officer}> reset WARNING: Issuing this command will reset the the board and close this connection. Proceed with reset? (Y/Yes/N/No) [No]: y Reset successful. |
If your security policy changes, you might want to use new keys as the master key or remote access key. The rekey command enables you to regenerate either of these keys, or both.
Rekeying the master key also causes the keystore to be reencrypted under the new key, and invalidates older backed up master key files with the new keystore file. Make a backup of the master key whenever it is rekeyed. If you have multiple Sun Crypto Accelerator 4000 boards using the same keystore, you need to backup this new master key and restore it to the other boards.
Rekeying the remote access key logs the security officer out, forcing a new connection that uses the new remote access key.
You may specify one of three key types when issuing the rekey command:
The following is an example of entering a key type of all with the rekey command:
There are two methods of clearing a board of all its key material. The first method is with a hardware jumper (shunt); this form of zeroizing returns the board to its original factory state (Failsafe mode). (See Zeroizing the Sun Crypto Accelerator 4000 Hardware to the Factory State.) The second method is to use the zeroize command.
|
Note - The zeroize command removes the key material, and leaves any updated firmware intact. This command also logs the security officer out upon successful completion. |
To perform a software zeroize on a board with the zeroize command, enter the command and confirm it:
Diagnostics can be performed from the vcaadm utility and from the SunVTS software. The diagnostics command in vcaadm covers three major categories in the Sun Crypto Accelerator 4000 hardware: general hardware, cryptographic subsystem, and network subsystem. Tests for general hardware cover DRAM, flash memory, the PCI bus, the DMA controller, and other hardware internals. Tests for the cryptographic subsystem cover random number generators and cryptographic accelerators. Tests on the network subsystem cover the vca device.
The vcad command configures and starts the vcad daemon, which provides cryptographic keystore services for vcaadm(1M) and other cryptographic applications. The vcad daemon also handles reading and writing of keystore data for the driver and hardware.
To access the vcad command easily, place the Sun Crypto Accelerator 4000 tools directory in your search path, for example:
The command-line syntax for the vcad command is:
/opt/SUNWconn/cryptov2/sbin/vcad [-dFlV] [-f config-file]
[-h host-address] [-k keystore-dir] [-L logfile] [-p port] [-s max-size]
[-t seconds] [-u username]
TABLE 4-7 describes the supported options for the vcad command.
|
Turns on debugging. Each message contains the process ID for vcad, current thread ID, and message category in addition to the actual message itself. Multiple -d options increase the verbosity (maximum 2). When using multiple -d options, one -d is equivalent to setting the DebugLevel parameter in the configuration file to INFO, -dd is equivalent to setting it to DEBUG. |
|
|
Specifies the location of the configuration file. The default location for this configuration file is /etc/opt/SUNWconn/vca/vcad.conf. If this option is used and the file cannot be opened, vcad does not start. |
|
|
Performs vcad in the foreground and sends log output to stderr. This behavior overrides a logfile chosen with the -L flag. |
|
|
Specifies the host IPv4 or IPv6 address for vcad to bind and listens for incoming connections. More than one host or IP address can be specified with additional -h options. If this option is not used the default behavior for vcad is to listen on all available interfaces for incoming connections. When specific hosts or IP addresses are specified for binding, connections can only be established on interfaces answering those addresses and localhost. Any addresses or hosts specified with the -h flag are overridden by the
|
|
|
Uses keystore-dir as the directory for all keystore data. If the daemon runs as a nonsuperuser, this directory must be readable and writable by that user, as should the keystore data files themselves. The default directory for keystore data is /etc/opt/SUNWconn/vca/keydata. |
|
|
Accepts only incoming connections from administrative clients that originate on the local host. This option overrides any command-line or .conf file directive that would have the daemon listen on any other interface. |
|
|
Sends logging output to logfile instead of the standard location for system logs. |
|
|
Binds using port for incoming connections. The default port used for 6870. |
|
|
Enables commands with data of length up to max-size bytes to be passed down to the Sun Crypto Accelerator. Administrators can use this facility to prevent large volumes of data from being sent down through the kernel in single commands. The default maximum size for a single command is 4 MegaBytes (4194304 bytes). |
|
|
Sets seconds as the number of seconds before vcad stops waiting for data from the client. If this timer expires, the connection between vcad and the client is closed. |
|
|
Performs vcad as username. If no username is specified, vcad attempts to run as the user who started vcad. If a username is specified and that username cannot be found on the system, vcad fails to start. If vcad runs as superuser or any other account with a user ID of 0, vcad issues a warning. See vcad Daemon Security for recommendations on running vcad as a nonsuperuser. |
|
The vcad daemon obtains operating parameters from a configuration file. By default the daemon looks for this configuration file in /etc/opt/SUNWconn/vca/vcad.conf, though other files may be specified with the -f flag of the vcad command when invoking the vcad daemon. If the -f flag is not used and the default configuration file cannot be found or read, the vcad daemon attempts to start using all default values. In this case a warning message is sent to the standard error output.
The configuration file contains one directive per line. Each directive must have a value associated with it. Comments may be used and must start with the pound sign (#). Directive names are case-insensitive, but their values might be case-sensitive. See the descriptions of each directive in TABLE 4-8 for more detail.
Configuration file directives may be superseded by the use of a command-line option for the same operating parameter. For example, you can supersede the "Port" configuration file directive with the -p option. Operating parameters that are not specified with a command-line option or a configuration file directive use a built-in default value. TABLE 4-8 describes the supported command-line directives for the vcad command.
|
Enables the user to set the one of three debug levels in the configuration file. These three levels, from least verbose to most, are Notice, Info, and Debug. Notice level is the default. |
|
|
Tells vcad to bind and listen on the specified IPv4 or IPv6 address, or the IP address that host resolves to. Multiple HostBind directives enable vcad to listen on more than one address. If no HostBind entries are in a configuration file, the default behavior is to listen on all interfaces for connections. Note that the -l command-line flag supersedes all HostBind entries. |
|
|
Enables the administrator to select an alternate directory for the storage of keystore files. This directory must have read and write permission for the user for which vcad runs (See the User directive). The default location for the keystore directory is /etc/opt/SUNWconn/vca/keydata. |
|
|
Uses logfile as the location where all logging data is to be written. By default, logging data is written to syslog. If the -F (run in foreground) command-line flag is used, this directive is ignored and vcad logging data is sent to the standard error device. |
|
|
Sets the maximum allowable data to be sent in a single command to be size bytes. By default this value is 4 MegaBytes (4194304 bytes). If the data sent exceeds this value, vcad returns an error to the client and closes the connection. |
|
|
Sets the listen port. The default port vcad listens on is 6870. If an administrator needs to have vcad listen on a privileged port (usually a port under 1024), vcad must run as a user with superuser privileges. See vcad Daemon Security for security relevant notes. |
|
|
Enables the administrator to set a timeout value for command data once the first byte of that data has been received. This timeout value prevents stalled reads from locking access to specific cards. This timeout does not apply to vcad when it is waiting for a connected client to send a new command. Firmware timeout values cover this issue. (See Setting the Auto-Logout Time.) The default timeout is 300 seconds (five minutes). |
|
|
Sets vcad to run as username. The daemon attempts to set its real user ID to the UID associated with username. The default value for this directive is the user who started the vcad process. |
Because the vcad daemon listens on a TCP port, certain security recommendations that should be considered.
When running vcad, the process should be run as a user ID that does not have superuser privileges, that is, not a UID0 account. You must not be able to directly log in to this user account from the network. This account should have either no password or a locked password and no login shell. The entry in the /etc/shadow file for this account would have NP or *LK*.
By default, the vcad daemon will attempt to start as the daemon user account. The vcad daemon will start correctly even if this account is disabled, but the account should be present on the system. Perform the following steps to manually configure vcad to run as a different username.
1. Configure read/write access to /dev/vcactl.
The vcad daemon communicates directly with /dev/vcactl to relay command data and get keystore I/O commands from the Sun Crypto Accelerator 4000 firmware. Permissions and ownership should be set such that only the user account in which vcad runs can read and write to /dev/vcactl. By default, the vcactl module is added such that minor nodes are owned by the daemon with owner read and write permissions only. The safest way to change these permissions is to use rem_drv(1m) and add_drv(1m) to reregister the vcactl module:
The USER and GROUP place holders should contain the user and group ownership desired for the device minor node. MODE is the file mode for the device minor node. 0600 is the recommended mode for the vcactl module. See the add_drv(1m) man pages for more details.
2. Configure Read/Write access to keystores.
For the vcad daemon to perform keystore I/O operations, it must be able to access the keystore directory specified in its configuration. The keystore directory must have read, write, and execute permissions available only to the user account in which vcad is running. Keystore files in this directory should only allow read and write permissions for that user.
3. Run the vcad daemon on a nonprivileged TCP port.
If the vcad daemon is running without superuser privileges, it cannot bind to a privileged port. Typically nonprivileged ports are 1024 and higher. Use ndd to determine the value of the tcp_smallest_nonpriv_port parameter if this value is not 1024 on a given system. By default, the vcad daemon uses port 6870.
Example 1: Start the vcad daemon to listen on port 5525.
Example 2: Start the vcad daemon with extra debugging information and send the information to the screen.
This starting method yields the following output on startup:
The vcad daemon also provides notices when new connections are opened and closed when running with two levels of debug output.
Example 3: Start the vcad daemon and use an alternate configuration file.
The vcadiag utility provides a command-line interface to the Sun Crypto Accelerator 4000 board that enables superusers to perform administrative tasks without authenticating as security officer. Command-line options determine the actions that vcadiag performs.
To access the vcadiag utility easily, place the Sun Crypto Accelerator 4000 tools directory in your search path, for example:
The vcadiag command-line syntax is:
|
Note - When using the [-DFKRZ] options, vcaN is the board's device name where the N corresponds to the Sun Crypto Accelerator 4000 device instance number. |
TABLE 4-9 describes the supported options for the vcadiag utility.
The following is an example of the -D option:
The following is an example of the -F option:
The following is an example of the -K option:
The following is an example of the -Q option:
# vcadiag -Q vca0:cb vca0:cb:keystore-name:83097c2b3e35ef5b:1 vca0:ca vca0:ca:keystore-name:83097c2b3e35ef5b:1 kcl2pseudo vca0:om vca0:om:keystore-name:83097c2b3e35ef5b:1 libkcl |
The following is an example of the -R option:
# vcadiag -R vca0 Resetting device vca0, this may take a minute. Please be patient. Device vca0 reset ok. |
The following is an example of the -Z option:
# vcadiag -Z vca0 Zeroizing device vca0, this may take a few minutes. Please be patient. Device vca0 zeroized. |
The pk11export utility extracts keys and certificates from key databases and places them into the PKCS#12 importable format. This utility requires a PKCS#11 interface to extract the objects, and place the keys and certificates into a PKCS#12 file. Only one key and certificate pair may be extracted at a time.
This utility works with different PKCS#11 providers, if the interface is contained within a dynamic library. The pk11export utility exports keys through a PKCS#11 provider while the following requirements are met:
The command-line syntax for pk11export is as follows:
TABLE 4-10 describes the supported options for the pk11export utility.
Example 1: List the tokens for a PKCS#11 implementation.
Example 2: Export the Server-Cert certificate from the PKCS#11 token nobody@webserv and place in the /tmp/webserv-export.p12 file.
Options 1 and 2 of the iplsslcfg script install the modules to configure and register the board with Sun ONE Web and Application Server software. Options 3 and 4 of the script export and import Sun ONE Web Server keys to and from the PKCS#12 format.
|
|
See Configuring Sun ONE Web Server 4.1.
|
|
See Configuring Sun ONE Web Server 6.0.
1. Type the following to execute the iplsslcfg script:
2. Type 2 for the Sun ONE Application Server and enter the binary and domain paths.
This option exports SSL certificates and keys from the Sun ONE Web Server internal database into PKCS#12 format. These certificates can then be reimported into the Sun Crypto Accelerator 4000 module.
1. Type the following to execute the iplsslcfg script:
2. Type 3 to export Sun ONE Web Server keys to PKCS#12 format, and press Return.
3. Type the path of the Sun ONE server directory.
The iplsslcfg utility searches for any potential certificates and key databases from which you can export keys.
Please enter the full path of the web server root directory [/usr/iplanet/servers]: /usr/iplanet/servers |
4. Type in the name from the list provided.
5. Provide the server certificate friendly name you wish to export.
By default, this name is Server-Cert.
6. Specify the path and filename for the PKCS#12 file.
Upon successful authentication, you are asked to set the password for the PKCS#12 file. Once this password is created, the PKCS#12 file is written to the filename you chose in Step 6.
Enter Password or Pin for "NSS Certificate DB": Enter password for PKCS12 file: Re-enter password: pk12util: PKCS12 EXPORT SUCCESSFUL Successfully created the PKCS#12 file. <Press ENTER to continue> |
This option imports keys and certificates from PKCS#12 format into the board.
1. Type the following to execute the iplsslcfg script:
2. Type 4 to import keys from PKCS#12 format for the Sun ONE Web Server, and press Return.
3. Type the path to the Sun ONE server directory.
Please enter the full path of the web server root directory [/usr/iplanet/servers]: /usr/iplanet/servers |
4. Type the path to the PKCS#12 file you wish to import.
5. Answer yes to the following question.
6. Type the keystore name that you configured the board to use during initialization.
7. Type the username:password string to authenticate successfully. See TABLE 5-1.
8. Type the password used to protect the PKCS#12 file.
Option 1 of the apsslcfg script configures the Apache Web Server for SSL. Option 2 configures keys for Apache Web Servers.
|
Note - The apsslcfg script supports Apache Web Server 1.3.26 only. |
See Configuring Apache Web Server 1.3x.
Option 2 has 3 subsequent options as follows:
1. Generate a keypair and request a certificate for Apache
2. Export Apache (PEM encoded X.509) keys to PKCS#12 format
3. Import keys from PKCS#12 format to Apache (PEM encoded X.509)
This option generates RSA keys and certificate requests that can be submitted to a certification authority.
1. Type 1 to select this option.
2. Type the path for the binaries and Apache modules, and the path for the configuration files.
Please enter the directory where the Apache binaries and libraries exist [/usr/apache]: /usr/apache Please enter the directory where the Apache configuration files exist [/etc/apache]: /etc/apache |
3. Type the path for the keys.
4. Type the base name for the key and certificate request files.
This name is prepended to the filenames. For example, if you choose cert1 the key filename is cert1-key.pem and the certificate request filename is
cert1-certreq.pem.
5. Select the size of the RSA key to be generated.
Once the bit size has been chosen, the RSA key is generated.
6. Type the password that encrypts the key file.
Use a strong password and do not forget it.
7. Type the certificate name components for your request.
The certificate request is written to a file that can be submitted to a certification authority.
This option enables you to place Apache Web Server keys and certificates into a PKCS#12 file.
1. Type 2 to select the option.
2. Type the paths to the key and certificate files.
If the key and certificate files are the same file, type the same path twice.
|
Note - Key and certificate data may be stored in the same file or in separate files. However, when stored in different files, the filenames must be the same. |
3. Type the path for the output PKCS#12 file.
4. Type a friendly name for the certificate.
This name uniquely identifies certificates and key pairs.
Please provide a friendly name for the PKCS#12 being built. This friendly name is necessary when importing your PKCS#12 file for use by other web servers. Friendly Name [Server-Cert]: |
5. Type the password that protects the key that to be placed into the PCKS#12 file.
6. Type the password to protect the key data in the PKCS#12 file.
The PKCS#12 file is written to the file specified above.
Enter Export Password: Verifying - Enter Export Password: Your PKCS#12 file has been created successfully and is in /tmp/exp.p12 <Press ENTER to continue> |
|
|
This option enables you to extract keys and certificates from PKCS#12 files and use them with an Apache Web Server.
1. Type 3 to select the option.
2. Type the path and filename of a PKCS#12 file.
3. Type the path for the extracted key and certificate.
4. Type a filename for the key and certificate file.
Both the encrypted key and the certificate will be contained in the same file.
Please choose a name for the key and Certificate file. This file will contain both the encrypted key and the certificate: |
5. Type the password used to protect the PKCS#12 file.
6. Type a new password to protect the extracted key file in an Apache-readable format.
The key and certificate data is written to the file specified in Step 4.
Enter PEM pass phrase: Verifying - Enter PEM pass phrase: The keys have been successfully extracted to the file /etc/apache/key2/yakstuff.pem. <Press ENTER to continue> |
There are two methods to assign different MAC addresses to multiple boards in a single server. The first method is at the operating-system level, and the second is at the OpenBoot PROM level.
1. Enter the following command:
|
Note - With the "local-mac-address?" parameter set to true, all nonintegrated network interface devices use the local MAC address assigned to the product at the manufacturing facility. |
|
|
1. Enter the following command at the OpenBoot PROM ok prompt:
|
Note - With the "local-mac-address?" parameter set to true, all nonintegrated network interface devices use the local MAC address assigned to the product at the manufacturing facility. |
| Sun Crypto Accelerator 4000 Board Version 1.1 Installation and User's Guide | 817-3693-10 |
|
Copyright © 2004, Sun Microsystems, Inc. All rights reserved.
To Initialize the Board With a New 