Contents
Page
Please Recycle
Product Family Name Sun Crypto Accelerator 4000 Fiber X4012A
European Union
EN 609502000, 3rd Edition IEC 609502000, 3rd Edition
Supplementary Information
Safety
Page
FCC Class a Notice
Regulatory Compliance Statements
FCC Class B Notice
ICES-003 Class B Notice Avis NMB-003, Classe B
ICES-003 Class a Notice Avis NMB-003, Classe a
Bsmi Class a Notice
Page
Contents
Configuring Driver Parameters
Installing the Sun Crypto Accelerator 4000 Board
Contents
Page
Contents
Diagnostics and Troubleshooting 119
134
Specifications
Third Party License Terms
Manual Pages Zeroizing the Hardware
Frequently Asked Questions
Tables
108
106
123
137
144
141
145
146
Page
How This Book Is Organized
Preface
Solaris Hardware Platform Guide
Using Unix Commands
Shell Prompts
Typographic Conventions
Sun Welcomes Your Comments
Accessing Sun Documentation Online
Key Protocols and Interfaces
Product Features
Supported Applications
Key Features
Supported Cryptographic Protocols
Cryptographic Algorithm Acceleration
Diagnostic Support
Supported Cryptographic Algorithms
1IPsec Cryptographic Algorithms
3Supported SSL Algorithms
Bulk Encryption
# touch /etc/opt/SUNWconn/cryptov2/sslreg
# rm /etc/opt/SUNWconn/cryptov2/sslreg
IPsec Hardware Acceleration
Hardware Overview
LED Displays
Sun Crypto Accelerator 4000 MMF Adapter
4Front Panel Display LEDs for the MMF Adapter
2Sun Crypto Accelerator 4000 UTP Adapter
Sun Crypto Accelerator 4000 UTP Adapter
5Front Panel Display LEDs for the UTP Adapter
Load Sharing
Dynamic Reconfiguration and High Availability
Required Patches
Hardware and Software Requirements
Apache Web Server Patch
6Hardware and Software Requirements
Solaris 9 Patches
Solaris 8 Patches
There are currently no required Solaris 9 patches
Page
Handling the Board
Installing the Sun Crypto Accelerator 4000 Board
To Install the Hardware
Installing the Board
Ok show-devs
Ok cd /pci@8,600000/network@1 Ok .properties
To Install the Software
Installing the Sun Crypto Accelerator 4000 Software
# mount -F hsfs -o ro /dev/dsk/c0t6d0s2 /cdrom
1Files in the /cdrom/cdrom0 Directory
VCA Administration
VCA Firmware
Install the required software packages by typing
Installing the Optional Packages
# prtdiag
# modinfo grep Crypto
2Sun Crypto Accelerator 4000 Directories
Directories and Files
Encrypted keys
Apache configuration support
Application executables
Development Application Support libraries
To Remove the Software
Removing the Software
Page
Configuring Driver Parameters
1vca Driver Parameter, Status, and Descriptions
Driver Parameter Values and Definitions
Advertised Link Parameters
2Operational Mode Parameters
3Read-Write Flow Control Keyword Descriptions
Flow Control Parameters
4Gigabit Forced Mode Parameter
Gigabit Forced Mode Parameter
Interpacket Gap Parameters
5Parameters Defining enable-ipg0and ipg0
Random Early Drop Parameters
Interrupt Parameters
7describes the receive interrupt blanking values
7RX Blanking Register for Alias Read
When Fifo threshold is greater than 6,144 bytes
9PCI Bus Interface Parameters
PCI Bus Interface Parameters
Setting Parameters Using the ndd Utility
Setting vca Driver Parameters
To Specify Device Instances for the ndd Utility
Use the instance number to select the device
Device remains selected until you change the selection
Noninteractive and Interactive Modes
To modify a parameter value, use the -setoption
# ndd -set /dev/vcaN parameter value
# ndd /dev/vcaN
Ndd utility then prompts you for the name of the parameter
# ndd /dev/vca
Setting Autonegotiation or Forced Mode
Set the adv-autoneg-capparameter to
To Disable Autonegotiation Mode
# ndd -set /dev/vcaNadv-autoneg-cap
To Set Driver Parameters Using a vca.conf File
Setting Parameters Using the vca.conf File
Refer to the online manual pages for pathtoinst4
# grep vca /etc/driveraliases vca pci108e,3de8
10Device Path Name
Following is an example vca.conf file
Example vca.conf File
11Local Link Network Device Parameters
Ok boot netspeed=1000,duplex=half,link-clock=master
Ok boot netspeed=100,duplex=half
Ok boot netspeed=10
Ok boot netspeed=10,duplex=auto
Cryptographic Driver Statistics
Refer to the Ieee 802.3 documentation for further details
13describes the Ethernet driver statistics
Ethernet Driver Statistics
13Ethernet Driver Statistics
14TX and RX MAC Counters
14describes the transmit and receive MAC counters
Tx-underrun
16Read-Only vca Device Capabilities
15Current Ethernet Link Properties
17describes the read-only link partner capabilities
Reporting the Link Partner Capabilities
17Read-Only Link Partner Capabilities
Ethernet Transmit Counters
18Driver-Specific Parameters
Ethernet Receive Counters
As superuser, type the kstat vcaN command
To Check Link Partner Settings
# kstat vcaN
Configuring the Network Host Files
Network Configuration
Locate the correct vca interfaces and instance numbers
Instance number in the previous example is
# Internet host table Localhost Zardoz Loghost Zardoz-11
# cat /etc/hosts
Page
$ PATH=$PATH/opt/SUNWconn/bin $ export Path
Using vcaadm
Modes of Operation
Vcaadm command-line syntax is
1shows the options for the vcaadm utility
File Mode
Single-Command Mode
$ vcaadm -s secofficer create user webadmin
$ vcaadm show user
Logging In and Out With vcaadm
Interactive Mode
$ vcaadm -f deluser.scr -y
Logging In to a New Board
Logging In to a Board With vcaadm
# vcaadm -h hostname
Logging In to a Board With a Changed Remote Access Key
Logging Out of a Board With vcaadm
Vcaadm prompt in Interactive mode is displayed as follows
Following table describes the vcaadm prompt variables
2vcaadm Prompt Variable Definitions
Vcaadm connect host hostname dev vca2
3connect Command Optional Parameters
Webadmin
Entering Commands With vcaadm
Tom
VcaadmvcaN@hostname, secofficer set ?
Getting Help for Commands
Quitting the vcaadm Program in Interactive Mode
Create a keystore name Refer to Naming Requirements on
Select Fips 140-2 mode or non-FIPS mode
Verify the configuration information
Enter the path and password to the backup file
Managing Keystores With vcaadm
Password Requirements
Naming Requirements
5Password Requirement Settings
Setting the Password Requirements
Populating a Keystore With Security Officers
Populating a Keystore With Users
Listing Users and Security Officers
Changing Passwords
Enabling or Disabling Users
To enable an account, enter the enable user command
Deleting Security Officers
Deleting Users
Backing Up the Master Key
Locking the Keystore to Prevent Backups
Managing Boards With vcaadm
Setting the Auto-Logout Time
VcaadmvcaN@hostname, secofficer show status Board Status
Displaying Board Status
Loading New Firmware
Resetting a Sun Crypto Accelerator 4000 Board
Key Types
Rekeying a Sun Crypto Accelerator 4000 Board
Zeroizing a Sun Crypto Accelerator 4000 Board
Using the vcaadm diagnostics Command
VcaadmvcaN@hostname, secofficer diagnostics
Vcadiag command-line syntax is
Following is an example of the -Doption
1shows the options for the vcadiag utility
Following is an example of the -Foption
# vcadiag -D vca0
Following is an example of the -Qoption
Following is an example of the -Koption
Following is an example of the -Roption
Following is an example of the -Zoption
Page
Administering Security for Sun ONE Web Servers
Concepts and Terminology
Token Files
Tokens and Token Files
Enabling and Disabling Bulk Encryption
Following is an example of the contents in a token file
Passwords
Configuring Sun ONE Web Servers
1Passwords Required for Sun ONE Web Servers
Populating a Keystore
Refer to Using vcaadm on
To Populate a Keystore
Populate the board’s keystore with users
Overview for Enabling Sun ONE Web Servers
Create a user with the create user command
Exit vcaadm
Installing Sun ONE Web Server
Installing and Configuring Sun ONE Web Server
To Install Sun ONE Web Server
Response provides the URL for connecting to your servers
Start the Sun ONE Web Server 4.1 Administration Server
To Create a Trust Database
Select OK
# /opt/SUNWconn/bin/iplsslcfg
Type 0 to quit
To Generate a Server Certificate
Create Trust Database page is displayed
Select the Cryptographic Module you want to use
This password is the usernamepassword Table
2Requestor Information Fields
To Install the Server Certificate
To Configure the Sun ONE Web Server
Configuring Sun ONE Web Server 4.1 for SSL
Fill out the form to install your certificate
3Fields for the Certificate to Install
Set encryption to On
Web server is now configured to run in secure mode
Usr/iplanet/servers
Create the trust database for the web server instance
Start the Sun ONE Web Server 6.0 Administration Server
# /usr/iplanet/servers/https-admserv/start
# /opt/SUNWconn/crypto/bin/iplsslcfg
To Generate a Server Certificate
Create Trust Database window is displayed
4Requestor Information Fields
To Install the Server Certificate
5Fields for the Certificate to Install
Configuring Sun ONE Web Server 6.0 for SSL
Select the OK button to apply these changes
Page
111
Create an httpd configuration file
To Enable the Apache Web Server
Enabling the Board for Apache Web Servers
Enabling Apache Web Servers
Create an RSA keypair for your system
Select 1 to configure your Apache Web Server to use SSL
Choose a base name for the key material
Creating a Certificate
Provide a key length between 512 and 2048 bits
Create your PEM pass phrase
To Create a Certificate
Modify the /etc/apache/httpd.conf file as directed
Select 0 to quit when you finish with apsslcfg
Start the Apache Web Server
Copy your certificate request with the headers from
# /usr/apache/bin/apachectl start
SunVTS Diagnostic Software
Diagnostics and Troubleshooting
Page
As superuser, start SunVTS
To Perform vcatest
# /opt/SUNWvts/bin/sunvts
Page
Test Parameter Options for vcatest
Vcatest Command-Line Syntax
2describes the vcatest subtests
To Perform netlbtest
To Perform nettest
VcaN up inet ip-addressplumb
Diagnostics and Troubleshooting
# kstat Vca0
Using kstat to Determine Cryptographic Activity
Performing the Ethernet FCode Self-Test Diagnostic
Using the OpenBoot Prom FCode Self- Test
Ok setenv auto-boot? false
Shut down the system
Perform the self-test using the test command
Reset the system
Ok reset-all
Ok show-nets
Reset and reboot the system
Set the auto-boot?configuration parameter to true
Type the following
If the test passes, you see the following messages
Show-devs
Troubleshooting the Sun Crypto Accelerator 4000 Board
Properties
Watch-net
Sun Crypto Accelerator 4000 MMF Adapter
Connectors
Table A-1SC Connector Link Characteristics Ieee P802.3z
Figure A-1Sun Crypto Accelerator 4000 MMF Adapter Connector
Performance Specifications
Physical Dimensions
Power Requirements
Environmental Specifications
Interface Specifications
Table A-5Interface Specifications
Table A-6Environmental Specifications
Table A-7Cat-5 Connector Link Characteristics
Figure A-2Sun Crypto Accelerator 4000 UTP Adapter Connector
Table A-10Power Requirements
Table A-9Performance Specifications
Table A-12Environmental Specifications
Table A-11Interface Specifications
Page
SSL Configuration Directives for Apache Web Servers
Table B-1SSL Protocols
Preceding statement is equivalent to
SSL Aliases
Table B-4Special Characters to Configure Cipher Preference
Default value of cipher-specis
Table B-3SSL Aliases
Table B-5SSL Verify Client Levels
Context Global, virtual host
Table B-6SSL Log Level Values
Table B-7Available SSL Options
Options are listed and described in Table B-7
Opt/SUNWconn/cryptov2/include
Page
Software Licenses
Page
Appendix D Software Licenses
Third Party License Terms
Openssl License Issues
Original SSLeay License
Modssl License
Appendix D Software Licenses
Page
Table E-1Sun Crypto Accelerator 4000 Online Manual Pages
Man -M /opt/SUNWconn/man
Kcl2 device driver is a multithreaded loadable kernel module
Zeroizing the Hardware
Page
Reconnect to Sun Crypto Accelerator 4000 board with vcaadm
Page
Frequently Asked Questions
# chmod 400 password.conf
Reboot the system
Enter the following command
Enter the following command at the OBP prompt
Boot the operating environment
How Do I Self-Sign a Certificate for Testing?
Extension
Index
Advertised link parameters
Commands
Failsafe mode
Page
Pause capability
Rx-intr-pktsparameter, 25
Command-line syntax, 123 test parameter options
Vca driver
Vca.conf file, example
URL
Watch-netcommand Zeroize command, 163 zeroizing the hardware