CHAPTER 5
Installing and Configuring Sun ONE Server Software
This chapter describes how to configure the Sun Crypto Accelerator 4000 board for use with Sun ONE servers. This chapter includes the following sections:
Note - The Sun ONE servers described in this manual were previously named iPlanet Servers.
This section provides an overview of the security features of the Sun Crypto Accelerator 4000 board as it is administered with Sun ONE Web Servers.
Note - To manage keystores, you must have access to the system administrator account for your system.
Keystores and users must be created for applications that communicate with the Sun Crypto Accelerator 4000 board through a PKCS#11 interface, such as the Sun ONE Web Server.
Note - The Apache Web Server (Chapter 6) does not use the keystore or user account features described in this chapter.
Within the context of the Sun Crypto Accelerator 4000 board, users are owners of cryptographic keying material. Each key is owned by a single user. Each user may own multiple keys. A user might want to own multiple keys to support different configurations, such as a production key and a development key (to reflect the organizations the user is supporting).
A keystore is a repository for key material. Associated with a keystore are security officers and users. Keystores provide not only storage, but a means for key objects to be owned by user accounts. This enables keys to be hidden from applications that do not authenticate as the owner. Keystores have three components:
A typical installation contains a single keystore with three users. For example, such a configuration could consist of a single keystore sca4000-ks-1 and three users within that keystore, webserv, dirserv, and mailserv. This would enable the three users to own and maintain access control of their server keys within that single keystore. FIGURE 5-1 illustrates an overview of a typical installation.
An administrative tool, vcaadm, is used to manage Sun Crypto Accelerator 4000 keystores and users. Refer to Managing Keystores With vcaadm.
Keystores appear to Sun ONE Web Servers as tokens. Token files enable Sun Crypto Accelerator 4000 administrators to selectively present only specific tokens to a given application.
If three keystores named engineering, finance, and legal are created, then by default all three are presented to the Sun ONE Web Server as tokens:
To override the default case, a token file must exist. Some applications cannot handle multiple tokens. Token files are text files that contain one or more token names, one per line.
A Sun ONE Web Server presents only the tokens listed in the token file. The methods of specifying token files are as follows (in order of precedence):
1. The file named by the environment variable SUNW_PKCS11_TOKEN_FILE
Some application software suppresses environment variables, in which case this approach might not be feasible.
2. The file $HOME/.SUNWconn_cryptov2/tokens
This file must exist in the home directory of the UNIX user for which the Sun ONE Web Server runs. The Sun ONE Web Server may run as a UNIX user who has no home directory, in which case this approach might not be feasible.
3. The file /etc/opt/SUNWconn/cryptov2/tokens
If no token file exists, the Sun Crypto Accelerator 4000 software presents all tokens to Sun ONE Web Servers.
The following is an example of a token file:
Note - Comments are preceded by a pound sign (#). Empty lines are acceptable.
If none of the files described in this subsection are found, then the default method described in Tokens and Token Files is used.
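The token-file lookup described above (environment variable first, then the per-user file, then the system-wide file) and the one-name-per-line format with # comments are easy to get wrong when a server unexpectedly sees every keystore. The following shell functions, added here as an example and not part of the Sun manual, reproduce that precedence and list the tokens a given file names. The three paths are the ones the chapter documents; the function names and the constructed sample file are ours.

```shell
#!/bin/sh
# Added example (not from the Sun manual): resolve which token file the
# Sun Crypto Accelerator 4000 software would consult, in the documented
# precedence order, and list the token names it contains.

# Print the path of the first token file that exists, in precedence order.
# Returns 1 (prints nothing) if none exists, meaning all tokens are presented.
find_token_file() {
    # 1. The file named by SUNW_PKCS11_TOKEN_FILE, if set and present.
    if [ -n "${SUNW_PKCS11_TOKEN_FILE:-}" ] && [ -f "$SUNW_PKCS11_TOKEN_FILE" ]; then
        printf '%s\n' "$SUNW_PKCS11_TOKEN_FILE"
        return 0
    fi
    # 2. The per-user file in the home directory of the server's UNIX user.
    if [ -n "${HOME:-}" ] && [ -f "$HOME/.SUNWconn_cryptov2/tokens" ]; then
        printf '%s\n' "$HOME/.SUNWconn_cryptov2/tokens"
        return 0
    fi
    # 3. The system-wide file.
    if [ -f /etc/opt/SUNWconn/cryptov2/tokens ]; then
        printf '%s\n' /etc/opt/SUNWconn/cryptov2/tokens
        return 0
    fi
    return 1
}

# Print the token names in a token file: one per line, '#' starts a comment,
# blank lines are ignored, surrounding whitespace is dropped.
list_tokens() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# Demonstration on a constructed token file in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/tokens" <<'EOF'
# Constructed example: present only the finance keystore to this server.
finance

# engineering and legal are deliberately left out.
EOF
    echo "token file in use:"
    ( export SUNW_PKCS11_TOKEN_FILE="$tmp/tokens"; find_token_file )
    echo "tokens presented:"
    list_tokens "$tmp/tokens"
    rm -rf "$tmp"
}
```

Running `demo` shows that, with the environment variable set, the per-user and system-wide files are never consulted; unset it and the same function falls through to the next location, which is the behaviour to keep in mind when an application suppresses environment variables.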
The bulk encryption feature for Sun ONE server software is disabled by default. You might want to enable this feature when the server primarily transfers large files securely.
To enable Sun ONE server software to use bulk encryption on the Sun Crypto Accelerator 4000 board, you simply create an empty file in the /etc/opt/SUNWconn/cryptov2/ directory named sslreg, and restart the server software.
To disable the bulk encryption feature, you must delete the sslreg file and restart the server software.
This section describes the following topics:
You are asked for several passwords in the course of enabling a Sun ONE Web Server. TABLE 5-1 provides a description of each. These passwords are referred to throughout this chapter.
Before you can enable the board for use with a Sun ONE Web Server, you must first initialize the board and populate the board's keystore with at least one user. The keystore for the board is created during the initialization process. You can also initialize Sun Crypto Accelerator 4000 boards to use an existing keystore. Refer to Initializing the Board With vcaadm.
1. If you have not already done so, place the Sun Crypto Accelerator 4000 tools directory in your search path, for example:
2. Access the vcaadm utility with the vcaadm command or enter vcaadm -h hostname to connect vcaadm to a board on a remote host.
3. Populate the board's keystore with users.
These user names are known only within the domain of the Sun Crypto Accelerator 4000 board and do not need to be identical to the UNIX user name that the web server process is using. Before attempting to create the user, remember that you must first log in as a vcaadm security officer.
4. Create a user with the create user command.
vcaadm{vcaN@hostname, sec-officer}> create user username
Initial password:
Confirm password:
User username created successfully.
The username and password created here collectively make the username:password (See TABLE 5-1). You must use this password when authenticating during a web server startup. This is the keystore password for a single user.
Caution - Users must remember this username:password. Without this password, users cannot access their keys. There is no way to retrieve a lost password.
To enable Sun ONE Web Servers you must complete the following procedures, which are explained in detail in the next two sections.
1. Install the Sun ONE Web Server.
5. Configure the Sun ONE Web Server.
Caution - These procedures must be followed in the order given. Failure to do so could result in an incorrect configuration.
You can enable the Sun ONE Web Servers to perform an unattended startup at reboot with an encrypted key.
To Create an Encrypted Key for Automatic Startup of Sun ONE Web Servers on Reboot
1. Navigate to the config subdirectory for your Sun ONE Web Server instance (for example, /usr/iplanet/servers/https-webserver-instance-name/config).
2. Create a password.conf file with only the following lines (See TABLE 5-1 for password definitions):
3. Set the file ownership of the password file to the UNIX user ID that the web server runs as, and set the file permissions to be readable only by the owner of the file:
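Because password.conf holds the startup passwords in clear text, the ownership and permission step above is what keeps them from any other local account. The following shell functions, added here as an example and not part of the Sun manual, write the file with a restrictive umask so it is never briefly world-readable, apply the owner-only mode, and verify the result. The file contents are read from standard input rather than a command-line argument so they do not land in shell history; the function names and the placeholder contents are ours.

```shell
#!/bin/sh
# Added example (not from the Sun manual): create password.conf with
# least-privilege ownership and permissions, then verify it.

# install_password_conf OWNER PATH  < contents
# Creates PATH readable only by OWNER (mode 400). The subshell umask makes
# the file private from the moment it is created.
install_password_conf() {
    owner=$1
    path=$2
    (
        umask 077
        cat > "$path"
    ) || return 1
    chown "$owner" "$path" || return 1
    chmod 400 "$path" || return 1
}

# check_password_conf OWNER PATH
# Returns 0 if PATH is a regular file owned by OWNER with mode r--------,
# 1 otherwise. Parses ls -l so it works on Solaris and Linux alike.
check_password_conf() {
    owner=$1
    path=$2
    [ -f "$path" ] || return 1
    set -- $(ls -ld "$path")
    mode=$1
    file_owner=$3
    case $mode in
        -r--------*) ;;
        *) return 1 ;;
    esac
    [ "$file_owner" = "$owner" ]
}

# Demonstration in a temporary directory, owned by the current user.
demo() {
    tmp=$(mktemp -d)
    me=$(id -un)
    # Constructed placeholder contents; a real file holds the password lines
    # described in TABLE 5-1 of the chapter.
    printf '%s\n' '# placeholder password.conf contents' |
        install_password_conf "$me" "$tmp/password.conf"
    if check_password_conf "$me" "$tmp/password.conf"; then
        echo "password.conf is owner-readable only"
    else
        echo "password.conf permissions are wrong" >&2
    fi
    rm -rf "$tmp"
}
```

In production the OWNER argument is the UNIX user the web server runs as, and the check is worth re-running after any backup or restore, which commonly resets modes.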
This section describes how to install and configure Sun ONE Web Server 4.1 to use the board. You must perform these procedures in order. Refer to the Sun ONE Web Server documentation for more information about installing and using Sun ONE Web Servers. This section includes the following procedures:
1. Download the Sun ONE Web Server 4.1 software.
You can find the web server software at the following URL:
http://www.sun.com/
2. Change to the installation directory and extract the web server software.
3. Install the web server with the setup script from the command line.
The default path name for the server is /usr/netscape/server4.
This chapter refers to the default paths. If you decide to install the web server software in a different location, be sure to note where you installed it.
4. Answer the prompts from the installation script.
Except for the following prompts, you can accept the default.
a. Agree to accept the license terms by typing yes.
b. Enter a fully qualified domain name.
c. Enter the Sun ONE Web Server 4.1 Administration Server password twice.
d. Press Return when prompted.
These procedures create a trust database for the web server instance; register the board with the web server; generate and install a server certificate; and enable the web server for SSL.
The Sun ONE Web Server Administration Server must be up and running during the configuration process.
1. Start the Sun ONE Web Server 4.1 Administration Server.
Instead of running startconsole as setup requests, start a Sun ONE Web Server 4.1 Administration Server by typing the following command:
# /usr/netscape/server4/https-admserv/start
SunONE-WebServer-Enterprise/4.1SP9 BB1-08/23/2001 05:50
startup: listening to http://hostname.domain, port 8888 as root
The response provides the URL for connecting to your servers.
2. Start the Administration graphical user interface (GUI) by opening up a web browser and typing:
In the authentication dialog box enter the Sun ONE Web Server 4.1 Administration Server user name and password you selected while running setup.
Note - If you used the default settings during the Sun ONE Web Server setup, type admin for the user ID or the Sun ONE Web Server 4.1 Administration Server user name.
The Sun ONE Web Server 4.1 Administration Server window is displayed.
4. Create the trust database for the web server instance.
a. Click the Servers tab in the Sun ONE Web Server 4.1 Administration Server window.
b. Select a server and click the Manage button.
c. Click the Security tab near the top of the page and click the "Create Database" link.
d. Enter a password (web server trust database; see TABLE 5-1) in the two dialog boxes and select OK.
Choose a password of at least eight characters. You use this password to start the internal cryptographic modules when the Sun ONE Web Server runs in secure mode.
You might want to enable security on more than one web server instance. If so, repeat Step 1 through Step 4 for each web server instance.
1. Execute the following script to register the board with the web server:
This script prompts you to choose a server and installs the Sun Crypto Accelerator 4000 cryptographic modules for the Sun ONE server you choose. The script then updates the configuration files to enable the board.
2. Type 1 to configure the Sun ONE Web Server to use SSL and press Return.
Note - This procedure assumes that you choose option 1 at this prompt. If you want to choose options 2, 3 or 4, refer to Using the iplsslcfg Script.
3. Enter the path of the web server root directory when prompted and press Return.
Please enter the full path of the web server root directory [/usr/netscape/server4]: /usr/netscape/server4
4. Type y and press Return when prompted.
1. Restart the Sun ONE Web Server 4.1 Administration Server by typing the following commands:
The response provides the URL for connecting to your servers.
2. Start the Administration GUI by opening up a web browser and typing:
In the authentication dialog box, enter the Sun ONE Web Server 4.1 Administration Server user name and password you selected while running setup.
Note - If you used the default settings during Sun ONE Web Server setup, type admin for the User ID or the Sun ONE Web Server 4.1 Administration Server user name.
The Sun ONE Web Server 4.1 Administration Server window is displayed.
4. To request the server certificate, select the Security tab near the top of the Sun ONE Web Server 4.1 Administration Server window (FIGURE 5-2).
The Create Trust Database page is displayed.
5. Select the "Request a Certificate" link on the left panel (FIGURE 5-2).
6. Fill out the form to generate a certificate request, using the following information:
If you can directly post your certificate request to a web-capable certificate authority or registration authority, select the "CA URL" (Certificate Authority URL) link. Otherwise, select "CA Email Address" and enter an email address where you would like the certificate request to be sent.
b. Select the "Cryptographic Module" you want to use.
Each keystore has its own entry in this pull-down menu. Be sure that you select the correct keystore. Do not select "SUNW acceleration only."
c. In the "Key Pair File Password" dialog box, provide the password for the user that will own the key.
This password is the username:password (TABLE 5-1).
d. Type the appropriate information for the requestor information fields in TABLE 5-2.
Two-letter ISO code for the country (for example, the United States is US)
e. Click OK to submit the information.
7. Use a certificate authority to generate the certificate.
8. Once the certificate is generated, copy it, along with the headers, to the clipboard.
Note - The certificate is different from the certificate request and is usually presented to you in text form. Keep this data on the clipboard for Step 5 of the following procedure.
1. Select the "Install Certificate" link on the left side of the Sun ONE Web Server 4.1 Administration Server window.
Once your request has been approved by a certificate authority and a certificate has been issued, you must install the certificate in the Sun ONE Web Server.
3. On the left panel, choose the "Install Certificate" link.
4. Fill out the form to install your certificate:
Cryptographic Module: Each keystore has its own entry in this pull-down menu. Be sure to select the correct keystore name. To use the board, you must select a module with the same name you assigned the keystore.
Key Pair File Password: This password is the username:password (TABLE 5-1).
Certificate Name: In most cases, you can leave this blank. If you provide a name, it alters the name the web server uses to access the certificate and key when running with SSL support. The default for this field is Server-Cert.
5. Paste the certificate you copied from the certificate authority (in Step 8 of To Generate a Server Certificate) into the Message box.
You are shown some basic information about the certificate.
7. If everything looks correct, select the "Add Server Certificate" button.
On-screen messages tell you to restart the server. This is not necessary because the web server instance has been shut down the entire time.
You are also notified that in order for the web server to use SSL, the web server must be configured to do so. Use the following procedure to configure the web server.
Note - Refer to the mod_SSL and OpenSSL documentation for information on how to self-sign a certificate for testing.
Now that your web server and the server certificate are installed, you must enable the web server for SSL.
1. From the main Sun ONE Web Server 4.1 Administration Server page, select the web server instance you want to work with and select Manage.
2. If the Preferences tab is not selected at the top of the page, click the Preferences tab.
3. Select the "Encryption On/Off" link on the left side of the page.
The Port field in the dialog box should update to the default SSL port number 443. Alter the port number if necessary.
6. Apply these changes by clicking the Save button.
The web server is now configured to run in secure mode.
7. Edit the /usr/netscape/server4/https-hostname/config/magnus.conf file (hostname is the name of the web server) by adding the following line:
By default, the certificate you generated is named Server-Cert. If your certificate has a different name, be sure to use the name you chose instead of Server-Cert.
8. Select the server you want to administer and click the Apply button in the far upper right corner of the page.
This selection applies the changes through the Sun ONE Web Server 4.1 Administration Server.
9. Click the "Load Configuration Files" button to apply the changes you just made to the magnus.conf file.
You are redirected to a page that enables you to start your web server instance.
If you select the Apply Changes button when the server is off, an authentication dialog box prompts you for the username:password. This window is not resizable, and you might have a problem submitting the change.
There are two workarounds for this problem:
10. In the Sun ONE Web Server 4.1 Administration Server window, select the On/Off link on the left side of the window.
11. Enter the passwords for the servers and select the OK button.
You are prompted for one or more passwords. At the Module Internal prompt, provide the password for the web server trust database.
At the Module keystore-name prompt, enter the username:password for that keystore.
Enter the username:password for other keystores as prompted.
12. Verify the new SSL-enabled web server at the following URL:
https://hostname.domain:server-port/
This section describes how to install and configure Sun ONE Web Server 6.0 to use the board. You must perform these procedures in order. Refer to the Sun ONE Web Server documentation for more information about installing and using Sun ONE Web Servers. This section includes the following procedures:
1. Download the Sun ONE Web Server 6.0 software.
You can find the web server software at the following URL:
http://www.sun.com/
2. Change to the installation directory and extract the web server software.
3. Install the web server with the setup script from the command line.
The default path name for the server is: /usr/iplanet/servers.
This chapter refers to the default paths. If you decide to install the software in a different location, be sure to note where you installed it.
4. Answer the prompts from the installation script.
Except for the following prompts, you can accept the defaults:
a. Agree to accept the license terms by typing yes.
b. Enter a fully qualified domain name.
c. Enter the Sun ONE Web Server 6.0 Administration Server password twice.
d. Press Return when prompted.
These procedures create a trust database for the web server instance; register the board with the web server; generate and install a server certificate; and enable the web server for SSL.
The Sun ONE Web Server Administration Server must be up and running during the configuration process.
1. Start the Sun ONE Web Server 6.0 Administration Server.
To start a Sun ONE Web Server 6.0 Administration Server, use the following command (instead of running startconsole as setup requests):
The response provides the URL for connecting to your servers.
2. Start the Administration GUI by opening up a web browser and typing:
In the authentication dialog box, enter the Sun ONE Web Server 6.0 Administration Server user name and password you selected while running setup.
Note - If you used the default settings during Sun ONE Web Server setup, enter admin for the User ID or the Sun ONE Web Server 6.0 Administration Server user name.
The Sun ONE Web Server 6.0 Administration Server window is displayed.
4. Create the trust database for the web server instance.
You might want to enable security on more than one web server instance. If so, repeat Step 1 through Step 4 for each web server instance.
a. Click the Servers tab in the Sun ONE Web Server 6.0 Administration Server dialog box.
b. Select a server and click the Manage button.
c. Click the Security tab near the top of the page and click the "Create Database" link.
d. Enter a password (web server trust database, see TABLE 5-1) in the two dialog boxes and click OK.
Choose a password of at least eight characters. This will be the password used to start the internal cryptographic modules when the Sun ONE Web Server runs in secure mode.
1. Execute the following script to register the board with the web server:
This script prompts you to choose a server and installs the Sun Crypto Accelerator 4000 cryptographic modules for the Sun ONE server you choose. The script then updates the configuration files to enable the board.
2. Type 1 to configure your Sun ONE Web Server to use SSL and press Return.
Note - This procedure assumes that you choose option 1 at this prompt. If you want to choose options 2, 3 or 4, see Using the iplsslcfg Script.
3. Enter the path of the web server root directory when prompted and press Return.
Please enter the full path of the web server root directory [/usr/iplanet/servers]: /usr/iplanet/servers
4. Type y and press Return when prompted, if you want to proceed.
1. Restart the Sun ONE Web Server 6.0 Administration Server by typing the following commands:
The response provides the URL for connecting to your servers.
2. Start the Administration GUI by opening up a web browser and typing:
In the authentication dialog box enter the Sun ONE Web Server 6.0 Administration Server user name and password you selected while running setup.
Note - If you used the default settings during Sun ONE Web Server setup, enter admin for the user ID or the Sun ONE Web Server 6.0 Administration Server user name.
The Sun ONE Web Server 6.0 Administration Server window is displayed.
4. To request the server certificate, select the Security tab near the top of Sun ONE Web Server 6.0 Administration Server window.
The Create Trust Database window is displayed.
5. Click the "Request a Certificate" link on the left panel of the Sun ONE Web Server 6.0 Administration Server window.
6. Fill out the form to generate a certificate request, using the following information:
If you can directly post your certificate request to a web-capable certificate authority or registration authority, select the CA URL link. Otherwise, select CA Email Address and enter an email address where you would like the certificate request to be sent.
b. Select the "Cryptographic Module" you want to use.
Each keystore has its own entry in this pull-down menu. Be sure that you select the correct keystore. Do not select "SUNW acceleration only."
c. In the "Key Pair File Password" dialog box, provide the password for the user that will own the key.
This password is the username:password (TABLE 5-1).
d. Type the appropriate information for the requestor information fields in TABLE 5-4.
Two-letter ISO code for the country (for example, the United States is US)
e. Click OK to submit the information.
7. Use a certificate authority to generate the certificate.
8. Once the certificate is generated, copy it, along with the headers, to the clipboard.
Note - The certificate is different from the certificate request and is usually presented to you in text form. Keep this data on the clipboard for Step 5 of To Install the Server Certificate.
1. Select the "Install Certificate" link on the left side of the Sun ONE Web Server 6.0 Administration Server window.
Once your request has been approved by a certificate authority and a certificate has been issued, you must install the certificate in the Sun ONE Web Server.
3. On the left panel, click the "Install Certificate" link.
4. Fill out the form to install your certificate:
Cryptographic Module: Each keystore has its own entry in this pull-down menu. Ensure that you select the correct keystore name. To use the board, you must select a module in the form of keystore-name.
Key Pair File Password: This password is the username:password (TABLE 5-1).
Certificate Name: In most cases, you can leave this blank. If you provide a name, it alters the name the web server uses to access the certificate and key when running with SSL support. The default for this field is Server-Cert.
5. Paste the certificate you copied from the certificate authority (in Step 8 of the To Generate a Server Certificate) into the Message text box.
You are shown some basic information about the certificate.
7. If everything looks correct, click the "Add Server Certificate" button.
On-screen messages tell you to restart the server. This is not necessary because the web server instance has been shut down the entire time.
You are also notified that in order for the web server to use SSL, the web server must be configured to do so. Use the following procedure to configure the web server.
Note - Refer to the mod_SSL and OpenSSL documentation for information on how to self-sign a certificate for testing.
Now that your web server and the Server Certificate are installed, you must enable the web server for SSL.
1. Select the Preferences tab near the top of the page.
2. Select the "Edit Listen Sockets" link on the left panel.
The main panel lists all the listen sockets set for the web server instance.
a. Alter the following fields:
b. Click OK to apply these changes.
In the security field of the Edit Listen Sockets page, there should now be an Attributes link.
3. Select the Attributes link.
4. Enter the username:password to authenticate to the keystore on the system.
5. If you want to change the default set of ciphers, select the cipher suites under the Ciphers heading.
A dialog box is displayed for changing the cipher settings. You can select either "Cipher Default" settings, SSL2, or SSL3/TLS. If you select the "Cipher Default," you are not shown the default settings. The other two choices require you to select the algorithms you want to enable in a pop-up dialog box. Refer to your Sun ONE documentation on cipher selection.
6. Select the certificate for the keystore followed by: Server-Cert (or the name you chose).
Only keys that the appropriate keystore user owns appear in the Certificate Name field. This keystore user is the user that is authenticated with the username:password.
7. When you have chosen a certificate and confirmed all the security settings, click OK.
8. Select the Apply link in the far upper right corner to apply these changes before you start your server.
9. Select the "Load Configuration Files" link to apply the changes.
You are redirected to a page that allows you to start your web server instance.
If you click the "Apply Changes" button when the server is off, an authentication dialog box prompts you for the username:password. This window is not resizable, and you might have a problem submitting the change.
There are two workarounds for this problem:
10. In the Sun ONE Web Server 6.0 Administration Server window, select the On/Off link on the left side of the window.
11. Enter the passwords for the servers and click OK.
You are prompted for one or more passwords. At the Module Internal prompt, provide the password for the web server trust database.
At the Module keystore-name prompt, enter the username:password.
Enter the username:password for other keystores as prompted.
12. Verify the new SSL-enabled web server at the following URL:
https://hostname.domain:server-port/
This section describes how to install and configure Sun ONE Application Server 7 to use the board. The application server Add-Ons software must be installed in addition to the application server software. You must perform these procedures in order. Refer to the Sun ONE Application Server documentation for more information about installing and using Sun ONE Application Servers. This section includes the following procedures:
1. Download the Sun ONE Application Server 7 software.
You can find the application server software at the following URL:
http://www.sun.com/
There are different distributions of Sun ONE Application Server 7, each with unique features.
2. Change to the installation directory and extract the application server software.
The default path for the installation directory is different for each distribution of the Sun ONE Application Server 7 software.
3. Run the setup program to start the GUI-based installation.
Note - You can also run the setup -console program from a terminal window to start a command-line based installation. The examples in this procedure assume you are using the GUI-based installation.
4. Answer the prompts in the installation script.
Except for the following prompts, you can accept the defaults:
a. Agree to accept the license terms by typing yes.
b. When prompted for the location of the JDK (Java Development Kit), choose either Use Existing Installation, if the existing installation is supported, or Install From the Appserver Build.
c. Enter the Sun ONE Application Server Administration Server username (you can choose any name).
d. Enter the Sun ONE Application Server Administration Server password twice.
Note - Perform the following step only if you are using the Solaris 8 OE.
5. If you are using Solaris 8, install the Solaris 8 Sun ONE Application Server patch (109326-08).
This patch is not required for Solaris 9. Download the Solaris 8 Sun ONE Application Server patch from the SunSolve web site:
http://sunsolve.sun.com
1. Download the Sun ONE Application Server 7 Add-Ons software.
You can find the application server software at the following URL:
2. Extract the application server Add-Ons software.
3. Change to the ./AddOns/SSLUtils directory.
4. Create the directory where the iplsslcfg script invokes the modutil security tool.
This path is where the iplsslcfg script expects to find the modutil security tool.
5. Copy the modutil, certutil, and pk12util binaries to the /usr/bin/mps/ path.
6. Enable the execute permission to the binaries in the /usr/bin/mps/ directory.
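Steps 4 through 6 above are a single staging procedure whose only purpose is to put modutil, certutil, and pk12util where the iplsslcfg script looks for them. The following shell functions, added here as an example and not part of the Sun manual or the Add-Ons software, perform that staging and then check that every tool is present and executable, so a half-finished step is caught before iplsslcfg fails part-way through. The tool names and the /usr/bin/mps/ path come from the chapter; the function names and the optional destination argument (used for testing outside /usr/bin) are ours.

```shell
#!/bin/sh
# Added example (not from the Sun manual): stage the NSS security tools the
# iplsslcfg script expects under /usr/bin/mps/ and verify the result.

# The three tools the chapter names.
MPS_TOOLS="modutil certutil pk12util"

# stage_mps_tools SRC_DIR [DEST_DIR]
# Copies the tools from SRC_DIR (normally ./AddOns/SSLUtils) into DEST_DIR
# (default /usr/bin/mps) and sets the execute permission on each.
stage_mps_tools() {
    src=$1
    dest=${2:-/usr/bin/mps}
    mkdir -p "$dest" || return 1
    for tool in $MPS_TOOLS; do
        if [ ! -f "$src/$tool" ]; then
            echo "missing $src/$tool in the Add-Ons software" >&2
            return 1
        fi
        cp "$src/$tool" "$dest/$tool" || return 1
        chmod 755 "$dest/$tool" || return 1
    done
}

# check_mps_tools [DEST_DIR]
# Returns 0 when every tool is present and executable, 1 otherwise, naming
# each problem on stderr. Run this before iplsslcfg.
check_mps_tools() {
    dest=${1:-/usr/bin/mps}
    rc=0
    for tool in $MPS_TOOLS; do
        if [ ! -x "$dest/$tool" ]; then
            echo "$dest/$tool is missing or not executable" >&2
            rc=1
        fi
    done
    return $rc
}

# Typical use from the extracted Add-Ons directory (requires root to write
# under /usr/bin):
#   stage_mps_tools ./AddOns/SSLUtils && check_mps_tools
```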
These procedures create a trust database for the application server instance; register the board with the application server; generate and install a server certificate; and enable the application server for SSL and TLS.
The Sun ONE Application Server Administration Server must be up and running during the configuration process.
1. Start the Sun ONE Application Server and the Sun ONE Application Server Administration Server.
Note - Messages appear indicating that the application server is running.
2. Start the Administration GUI by opening up a web browser and entering the following URL.
In the authentication dialog box, enter the Sun ONE Application Server user name and password you created during the setup program.
Note - If you used the default settings during Sun ONE Application Server setup, enter admin for the User ID or the Sun ONE Application Server Administration Server user name.
4. Create the trust database for the application server instance.
You might want to enable security on more than one application server instance. If so, repeat Step 1 through Step 4 for each application server instance.
a. Navigate to the "Manage Database" section of the Administration GUI.
Select the Security link on the left panel and click the Manage Database tab on the right panel.
b. Type a password of at least eight characters in the two text boxes and click OK.
This password is the trust database password of the Sun ONE Application Server. This password is used to start the internal cryptographic modules when the application server runs in secure mode.
1. Execute the iplsslcfg script to register the board with the application server.
This script prompts you to choose a server and installs the Sun Crypto Accelerator 4000 cryptographic modules for the Sun ONE server you choose. The script then updates the configuration files to enable the board.
2. Type 2 for the Sun ONE Application Server, and enter the binary and domain paths.
Note - The procedures in this section assume that you choose option 1 at this prompt. If you wish to choose options 3 or 4, refer to Using the iplsslcfg Script.
3. Type the location of the binaries and domains, and the domain and server name.
Note - The default installation directory might be different depending on your Sun ONE Application Server 7 distribution.
1. Navigate to the "Certificate Management" section of the Administration GUI.
Select the Security link on the left panel and select the "Certificate Management" tab on the right panel. You are now in the Request submenu window of the "Certificate Management" section of the Administration GUI.
2. Fill out the form to generate a certificate request, using the following information:
If you can directly post your certificate request to a web-capable certificate authority or registration authority, select the CA URL link. Otherwise, select CA Email Address and enter an email address where you would like the certificate request to be sent.
b. Select the "Cryptographic Module" you want to use.
Each keystore has its own entry in this pull-down menu. Be sure that you select the correct keystore. Do not select "SUNW acceleration only."
c. In the "Key Pair File Password" dialog box, provide the password for the user that will own the key.
This password is the username:password (See TABLE 5-1).
d. Type the appropriate information for the requestor information fields in TABLE 5-6.
Two-letter ISO code for the country (for example, the United States is US)
e. Click OK to submit the information.
3. Use a certificate authority to generate the certificate.
4. Once the certificate is generated, copy it, along with the headers, to the clipboard.
Note - The certificate is different from the certificate request and is usually presented to you in text form. Keep this data on the clipboard for Step 4 of To Install the Server Certificate.
1. Select the Install link in the right panel of the "Certificate Management" section of the Administration GUI.
You are now in the Install submenu window of the "Certificate Management" section of the Administration GUI.
2. Fill out the form to install your certificate:
3. Select the Message text (with headers) radio button.
4. Click the "Message text (with headers):" radio button, and paste the certificate you copied from the certificate authority (in Step 4 of To Generate a Server Certificate) into the text box provided underneath the radio button.
You are shown some basic information about the certificate.
6. If everything looks correct, click "Add Server Certificate."
You are prompted to restart the application server. Do not restart the application server yet; it is restarted after SSL configuration is complete. You are also notified that, in order for the application server to use SSL, the application server must be configured to do so.
1. Type the following command in a terminal window.
You must also type the Sun ONE Application Server Administration Server password after executing this command.
2. In the left panel of the Administration GUI, select the expander icon to the left of the HTTP Server link.
The HTTP Server submenu items appear.
3. Select the "HTTP Listeners" submenu item under the "HTTP Server" link.
4. In the right panel, select the HTTP listener that you wish to configure for SSL/TLS and select the associated link of the HTTP listener.
A window appears in which you can edit the properties for the HTTP listener.
5. For the SSL/TLS Settings, verify the Certificate Nickname matches the certificate nickname you chose with the --certname option of the command in Step 1 of To Enable the Application Server for SSL.
6. Check the following boxes at minimum:
7. Set the port; this is typically 443.
8. For rollback, TLS must also be enabled on the browser seeking access to your server.
10. Select "App Server Instances" and select your server instance in the left panel, then select "Apply Changes" in the right panel.
11. Stop and start the server to make the changes take effect.
The init.conf file is automatically modified to show security on, and all virtual servers are automatically assigned the default security parameters.
After you have enabled SSL on a server, its URLs use https instead of http. URLs that point to documents on an SSL-enabled server have the following format:
Note - If you use the default secure HTTP port number (443), you do not need to enter the port number in the URL.
Refer to the Enabling SSL/TLS section of the Sun ONE Application Server 7 Administrator's Guide to Security at:
http://docs.sun.com/source/816-7158-10/sgencryp.html#14403
This section describes how to install and configure Sun ONE Directory Server 5.2 to use the board. You must perform these procedures in order. Refer to the Sun ONE Directory Server documentation for more information about installing and using Sun ONE Directory Servers. This section includes the following procedures:
This procedure installs the directory server software from the command-line.
1. Download the Sun ONE Directory Server 5.2 software.
You can find the directory server software at the following URL:
http://www.sun.com/
2. Change to the installation directory.
3. Execute the ./idsktune command to ensure the recommended patches are installed.
4. Extract the directory server software.
5. Execute the setup script to install the software.
Note - There is no need to install individual packages because the setup script installs all of them.
After installation, the Sun ONE Directory Server and Administration Server start automatically.
1. Change to the startup directory.
2. Execute the start-admin command.
3. Change to the slapd-servername directory.
Where servername is the instance name.
4. Type the start-slapd command.
These procedures create a trust database for the directory server instance; register the board with the directory server; generate and install a server certificate; view and install root CA certificates; and enable the directory server for SSL.
The configuration directory and the Sun ONE Directory Server Administration Server must be up and running during the configuration process.
This procedure adds the Sun Crypto Accelerator 4000 module, and is the same for both 32-bit and 64-bit installations.
1. Start the directory server console.
2. Select the directory server instance you wish to configure and select Open in the main console window.
3. In the new window that appears, select Console -> Security -> Manage Certificates.
This step creates a trust database for the directory server instance.
a. Select a password and place it in both boxes, then click OK (See FIGURE 5-9).
b. Close the "Manage Certificates" dialog box that follows.
4. In the new window that pops up, select Console -> Security -> Configure Security Modules.
b. Type the following path in the Enter the PKCS#11 module driver filename entry:
5. Type a name in the Enter an identifying name for this module entry, for example:
This procedure adds the 32-bit board module from the command-line.
1. Type the following command to set the appropriate path.
2. Add the board to the secmod.db database.
a. Change to the following directory:
b. Add the library with the modutil utility.
# server-inst/shared/bin/modutil -dbdir . -nocertdb -add "Sun Crypto Accelerator 4000" -libfile /opt/SUNWconn/cryptov2/lib/libvpkcs11.so
This procedure adds the 64-bit board module from the command-line.
1. Obtain the 64-bit versions of the Netscape Security Services (NSS) utilities from http://www.mozilla.org.
Save the nss-3.3.2.tar.gz tar file.
2. Type the following command to set the appropriate path.
Note - Throughout this section server-inst refers to the root installation directory of the product, and nss64-inst refers to the location where you installed the 64-bit versions of the NSS tools.
3. Add the board to the secmod.db database.
a. Change to the alias directory:
# nss64-inst/bin/modutil -dbdir . -nocertdb -add "Sun Crypto Accelerator 4000" -libfile /opt/SUNWconn/cryptov2/lib/64/libvpkcs11.so
With the exception of the different path variables described in TABLE 5-8, this procedure is the same for both 32-bit and 64-bit versions of the PKCS#11 library installed.
TABLE 5-9 describes the variables used for the certutil commands in this section.
1. Change to the following directory.
# certutil -R -d . -h token-name -s "subject-name" -a -o output-file [-g key-size] -P slapd-instname-
3. Submit the certificate request in output-file to a Certificate Authority of your choice.
Place the base64-encoded certificate in a text file named certfile.
1. Install the server certificate.
Sun ONE Directory Server includes several publicly known Root Certificate Authority certificates that are currently trusted. If your server certificate was issued by one of these well known Root CAs, skip this procedure.
1. From the directory server console window, open the directory server instance for the board.
2. From the menu at the top of the console window, select Console -> Security -> Manage Certificates.
3. Select the CA Certs tab at the top of the "Manage Certificates" window.
A list of CA certificates known to the Sun ONE Directory Server instance is displayed. You can view more detailed information about a given CA certificate by highlighting an entry and clicking the Detail button.
Perform the following procedure only if you retrieve your certificates from a proprietary PKI. That is, do not perform this procedure if you use VeriSign, Thawte, or GTE. This procedure is for cases where certificates issued by major vendors have an intermediate CA that has not been installed in the Sun ONE default trusted CA list.
1. Change to the alias directory.
2. Install the root CA certificate.
1. Start the directory server console if not started already.
2. Open the directory server instance by double-clicking the directory server instance of the board in the left panel of the main console window.
3. Click the Directory tab in the main console window.
4. Open the cn=config entry in the left panel of the Directory tab and modify the following parameters (See FIGURE 5-12):
a. Set nsslapd-security to on.
b. Set nsslapd-secureport to the desired port (default 636).
5. Open the cn=encryption,cn=config entry in the left panel of the main console window and modify the following parameters (See FIGURE 5-13):
b. Use the "Add Attribute" button to add nsCertFile with a value of alias/slapd-instname-cert8.db
c. Use the "Add Attribute" button to add nsKeyFile with a value of alias/slapd-instname-key3.db
6. Create a new entry in the database under cn=encryption,cn=config
a. In the main window, right-click the encryption icon, and select New -> Other from the menu.
c. Change the value of the "Full Name" attribute to "RSA" (Remote Security Access) from "New" (See FIGURE 5-14).
d. Use the "Add Attribute" button to add the following attributes and values:
This section describes how to install and configure Sun ONE Messaging Server 5.2 to use the board. You must perform these procedures in order. Refer to the Sun ONE Messaging Server documentation for more information about installing and using Sun ONE Messaging Servers. This section addresses the following topics:
This procedure installs the Sun ONE Messaging Server 5.2 from the command-line.
1. Download the Sun ONE Messaging Server 5.2 software.
You can find the messaging server software at the following URL:
http://www.sun.com/
2. Change to the installation directory and extract the messaging server software.
3. Install the messaging server software with the setup script.
a. Type the install path when prompted.
b. Type the components you wish to install when prompted.
c. Execute the ./setup command to install the components.
These procedures create a trust database for the messaging server instance; register the board with the messaging server; generate and install a server certificate; and enable the messaging server for SSL.
The configuration directory and the Sun ONE Messaging Server Administration Server must be up and running during the configuration process.
1. Start the messaging server console.
2. Open the Sun ONE Messaging server instance.
The menu in FIGURE 5-15 appears:
3. Select Console -> Certificate Setup Wizard.
The Certificate Setup Wizard appears.
b. Select the "internal (software)" token.
c. Select "Do not install a certificate" and click Next.
e. Set the password for the internal database and click Next.
1. Change to the following directory.
2. Ensure the LD_LIBRARY_PATH variable is set properly.
3. Add the board module to the secmod.db database.
# ./modutil -dbdir ../../admin-serv/config \
    -nocertdb \
    -add "Sun Crypto Accelerator 4000" \
    -libfile "/opt/SUNWconn/cryptov2/lib/libvpkcs11.so"
1. Use the messaging server console to request a certificate by opening up the Certificate Setup Wizard; select Console -> Certificate Setup Wizard.
b. Select the token that matches the Sun Crypto Accelerator 4000 token in which you want to store your keys, as shown in FIGURE 5-16.
c. Answer No to "Is the certificate already requested and ready to install?" and click Next.
e. Select "New Certificate" and choose which method (either email or HTTPS) to submit the certificate request to a certificate authority (FIGURE 5-17), and click Next.
f. Type the appropriate information for the requestor information fields in TABLE 5-10, and click Next.
(TABLE 5-10 fragment) Two-letter ISO code for the country (for example, the United States is US)
g. The screen requests you to enter the password you used when creating a trust database. Instead, enter the password for the keystore user (username:password) and click Next.
See TABLE 5-1 for details on username:password.
h. If you selected the HTTPS method in Step e, the request should already be sent to the CA. If you selected the email method in Step e, click "Copy to Clipboard" and click Next (FIGURE 5-18).
1. If you exited the Certificate Setup Wizard during the Generating a Server Certificate procedure, restart the Wizard by selecting Console -> Certificate Setup Wizard and click Next on the first screen.
2. Select the token that matches the Sun Crypto Accelerator 4000 token in which you want to install the certificate.
This token must be the same token from which you generated the request.
3. Answer Yes to the question that asks if the server certificate is ready to install, and click Next.
5. Install the certificate for "This Server," and input the keystore password (username:password) if not already provided by the Wizard, and click Next (See FIGURE 5-19).
6. Copy the base 64-encoded certificate to the clipboard and paste it into the text box labeled "The certificate is located in the following text field," and click Next (See FIGURE 5-20).
a. Click Add to add the certificate.
7. Add the root CA certificate (only if not from a root certificate authority already trusted by the messaging server).
Use the Certificate Setup Wizard for this step.
a. From the messaging server console, select Console -> Certificate Setup Wizard.
c. Select "internal (software)" as the token and click Yes to "Is the certificate already requested and ready to install?" and click Next.
e. Select "Trusted Certificate Authority" and click Next.
f. Copy the base 64-encoded CA certificate to the clipboard and paste it into the text box labeled "The certificate is located in the following text field," and click Next.
g. Click Add to add the certificate (FIGURE 5-21).
1. Use the su command to become the user for which you chose to run the messaging server.
If you do not remember this username, you can search the server-root/msg-instname/config/msg.conf file for the local.serveruid property and retrieve the username.
2. Use the configutil tool to set SSL parameters for the messaging server.
TABLE 5-11 describes the variable definitions used with the configutil tool.
(TABLE 5-11 fragment; only part of the table survives)
- Name of the keystore used in Step 1.
- Friendly name of the certificate to be used. The default is
3. In the messaging server console, click the Configuration tab for the console window used to administer the Sun ONE Messaging Server instance. Click the System tab under Messaging Server -> Services -> IMAP.
4. In the previous window, set the port number for "Use separate port for IMAP over SSL." By default this port is 993.
5. Configure the sslpassword.conf file for the messaging server instance.
Replace the Internal (Software) token:netscape! line with tokenname:username:password, where tokenname is the keystore name. This tokenname is the name of the token on which you chose to generate the key in Step 1. The username:password is what you use to authenticate to that token. See TABLE 5-1 for details about username:password.
6. Change ownership and permissions for the sslpassword.conf file.
Because the sslpassword.conf file contains password information used to authenticate to key material, the file must be owned by the user for which the daemon runs, and that file must be readable by that user only.
# cd server-root/msg-instname/config
# chown msg-user sslpassword.conf
# chmod 0400 sslpassword.conf
7. Restart the server from the command line.
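The following shell script is an added example for steps 5 and 6 above; it is not part of the Sun manual or of the Messaging Server product. It rewrites the default Internal (Software) token line to the tokenname:username:password form and then checks that the file has the ownership and 0400 mode the manual requires. The keystore name sca4000-ks-1, the user mailserv and the password are constructed placeholders; msg-user is represented by the current user so that the script can run anywhere.

```shell
#!/bin/sh
# Added example (not from the Sun manual): rewrite the sslpassword.conf
# token line and verify the file's ownership and mode.

# Replace the line "Internal (Software) token:netscape!" in $1 with
# "$2:$3:$4" (tokenname:username:password); every other line is kept.
# A password containing backslashes would need escaping for awk -v.
set_sslpassword() {
    conf=$1; token=$2; user=$3; pass=$4
    tmp="$conf.tmp"
    awk -v repl="$token:$user:$pass" \
        '$0 == "Internal (Software) token:netscape!" { print repl; next } { print }' \
        "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Return 0 only if $1 is owned by $2 and has mode 0400 (readable by the
# owner alone), which is what the manual requires for sslpassword.conf.
# The mode is read from ls -ld so the check works on Solaris and Linux;
# any ACL/context marker after the ten mode characters is ignored.
check_sslpassword_perms() {
    f=$1; want_owner=$2
    set -- $(ls -ld "$f")
    mode=$(printf '%s' "$1" | cut -c1-10)
    owner=$3
    [ "$mode" = "-r--------" ] && [ "$owner" = "$want_owner" ]
}

# Walk through steps 5 and 6 on a constructed sslpassword.conf in a
# temporary directory, standing in for server-root/msg-instname/config.
demo_sslpassword() {
    dir=$(mktemp -d)
    conf="$dir/sslpassword.conf"
    # Constructed sample: the line the installer writes by default.
    printf '%s\n' 'Internal (Software) token:netscape!' > "$conf"
    set_sslpassword "$conf" sca4000-ks-1 mailserv 'example-password'
    chown "$(id -un)" "$conf"   # msg-user in the manual; current user here
    chmod 0400 "$conf"
    check_sslpassword_perms "$conf" "$(id -un)" && cat "$conf"
    rc=$?
    rm -rf "$dir"
    return $rc
}
```

Run demo_sslpassword to see the rewritten file; check_sslpassword_perms can be reused on its own as a post-restart audit of the real sslpassword.conf, since a world-readable copy of that file exposes the keystore credential to every local account.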
This section describes how to install and configure Sun ONE Portal Server 6.2 to use the board. You must perform these procedures in order. Refer to the Sun ONE Portal Server documentation for more information about installing and using Sun ONE Portal Servers. This section includes the following procedures:
The Sun ONE Portal Server 6.2 includes Sun ONE Web Server 6.0. You must install and configure the Sun ONE Web Server software before installing and configuring the portal server (See Installing and Configuring Sun ONE Web Server 6.0).
Note - When installing and configuring the Sun ONE Web Server for use with the portal server, use the following installation path: /opt/SUNWam/servers.
This section describes how to install the Sun ONE Portal Server 6.1 from the command-line.
1. Download the Sun ONE Portal Server 6.1 software.
You can find the portal server software at the following URL:
http://www.sun.com/
2. Change to the installation directory and extract the portal server software.
3. Install the portal server software with the setup script.
a. Enter the install path when prompted.
b. Enter the components you wish to install when prompted.
c. Execute the ./setup command to install the components.
Note - A trust database is automatically created during installation.
These procedures configure the portal server secure remote access (SRA) gateway; register the board with the portal server; generate and install a server certificate; and enable the portal server for SSL.
Before beginning, ensure that SRA has been installed and a gateway server certificate (self-signed or issued by any CA) has been installed. The Sun ONE Portal Server Administration Server must be up and running during the configuration process.
1. Create a new user account for the board with the vcaadm utility (see Using the vcaadm Utility).
vcaadm{vca0@localhost, sec-officer}> create user
New user name: username
Enter new user password:
Confirm password:
User crypta created successfully.
2. Load the Sun Crypto Accelerator 4000 module.
The LD_LIBRARY_PATH variable must point to the following:
# /usr/bin/mps/modutil -dbdir /etc/opt/SUNWps/cert/default -add "Sun Crypto Accelerator 4000" -libfile /opt/SUNWconn/cryptov2/lib/libvpkcs11.so
b. Verify that this module is loaded.
During these procedures, the LD_LIBRARY_PATH environment variable must point to the following:
TABLE 5-9 describes the variables used for the certutil commands in this section.
1. Change to the following directory.
3. Submit the certificate request in output-file to a Certificate Authority of your choice.
Place the base64-encoded certificate in a text file named certfile.
1. Install the server certificate.
Sun ONE Portal Server includes several publicly known Root Certificate Authority certificates that are currently trusted. If your server certificate was issued by one of these well known Root CAs, skip this procedure.
Perform the following procedure only if you retrieve your certificates from a proprietary PKI. That is, do not perform this procedure if you use VeriSign, Thawte, or GTE. This procedure is for cases where certificates issued by major vendors have an intermediate CA that has not been installed in the Sun ONE default trusted CA list.
1. Change to the certificate database directory.
2. Install the root CA certificate.
1. Create a /etc/opt/SUNWps/cert/default/.nickname file.
The file must contain only the following line with no spaces:
2. Select the acceleration ciphers.
Note - The /etc/opt/SUNWconn/cryptov2/sslreg file must be present for the DES and 3DES algorithms to be accelerated in the Sun Crypto Accelerator 4000 hardware. See Enabling and Disabling Bulk Encryption.
The board accelerates RSA functions but supports acceleration only for DES and 3DES ciphers. To enable one of these ciphers do the following:
Gateway >> Security >> Enable SSL Cipher Selection: >> SSL3 Ciphers: >> SSL3_RSA_WITH_3DES_EDE_CBC_SHA or SSL3_RSA_WITH_DES_CBC_SHA
3. Modify the /etc/opt/SUNWps/platform.conf.gateway-profile-name to enable the board.
4. From a terminal window, restart the gateway.
The gateway prompts you to enter the keystore password. Enter the password or pin for sra-keystore:username:password.
Copyright © 2004, Sun Microsystems, Inc. All rights reserved.