Sun Microsystems manual Rekeying a Sun Crypto Accelerator 4000 Board, Key Types


Rekeying a Sun Crypto Accelerator 4000 Board

Over time, your security policy may require you to use new keys as the master key or the remote access key. The rekey command allows you to regenerate either of these keys, or both.

Rekeying the master key also causes the keystore to be reencrypted under the new key, which makes older backed-up master key files unusable with the new keystore file. It is advisable to make a backup of the master key whenever it is rekeyed. If you have multiple Sun Crypto Accelerator 4000 boards using the same keystore, you will need to back up this new master key and restore it to the other boards.

Rekeying the remote access key logs the security officer out, forcing a new connection that uses the new remote access key.

You may specify one of three key types when issuing the rekey command:

TABLE 4-6 Key Types

Key Type   Action
master     Rekey the master key.
remote     Rekey the remote access key. Logs the security officer out.
all        Rekeys both master and remote access keys.

The following is an example of entering a key type of all with the rekey command:

vcaadm{vcaN@hostname, sec_officer}> rekey

Key type (master/remote/all): all

WARNING: Rekeying the master key will render all old board backups useless with the new keystore file. If other boards use this keystore, they will need to have this new key backed up and restored to those boards. Rekeying the remote access key will terminate this session and force you to log in again.

Rekey board? (Y/Yes/N/No) [No]: y

Rekey of master key successful.

Rekey of remote access key successful. Logging out.
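The follow-up work these rules imply after a rekey, written here as an added planning example that is not part of the Sun manual or the vcaadm utility. The function name, the inventory layout, and the board, keystore and backup names are all constructed for illustration.

```python
from dataclasses import dataclass

# Which keys each rekey key type regenerates (TABLE 4-6).
KEY_TYPES = {"master": {"master"}, "remote": {"remote"},
             "all": {"master", "remote"}}

@dataclass(frozen=True)
class Backup:
    path: str       # constructed sample path
    keystore: str   # keystore the backed-up master key belongs to
    taken_at: int   # constructed timestamp (epoch seconds)

def plan_rekey(key_type, board, keystore, boards, backups, rekey_time):
    """List the follow-up actions a rekey of `board` implies.

    boards maps keystore name -> boards sharing that keystore.
    """
    if key_type not in KEY_TYPES:
        raise ValueError(f"key type must be one of {sorted(KEY_TYPES)}")
    keys = KEY_TYPES[key_type]
    plan = {"backup_now": False, "stale_backups": [],
            "restore_to": [], "relogin": False}
    if "master" in keys:
        # New master key: take a fresh backup, retire backups made before
        # the rekey, and restore the new key to boards sharing the keystore.
        plan["backup_now"] = True
        plan["stale_backups"] = sorted(
            b.path for b in backups
            if b.keystore == keystore and b.taken_at < rekey_time)
        plan["restore_to"] = sorted(
            x for x in boards.get(keystore, []) if x != board)
    if "remote" in keys:
        # New remote access key: the security officer session is dropped.
        plan["relogin"] = True
    return plan

# Constructed inventory: two boards share keystore "ks_web".
BOARDS = {"ks_web": ["vca0@hostA", "vca0@hostB"], "ks_test": ["vca1@hostA"]}
BACKUPS = [Backup("/backups/ks_web-old.bkp", "ks_web", 1000),
           Backup("/backups/ks_test.bkp", "ks_test", 1500)]

if __name__ == "__main__":
    for kt in ("master", "remote", "all"):
        print(kt, plan_rekey(kt, "vca0@hostA", "ks_web", BOARDS, BACKUPS, 2000))
```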

Chapter 4 Administering the Sun Crypto Accelerator 4000 Board With the vcaadm and vcadiag Utilities 79


4000 specifications

Sun Microsystems, a pivotal player in the computing industry during the late 20th and early 21st centuries, was renowned for its innovative hardware and software solutions. Among its notable offerings were the Sun-6000, Sun-5000, and Sun-4000 series, powerful workstations and servers designed for a range of enterprise-level applications.

The Sun-6000 series, introduced in the early 1990s, marked a significant advancement in computing performance. These systems were built on the SPARC architecture, which facilitated high levels of processing power and multitasking capabilities. One of the main features of the 6000 series was its scalability, allowing organizations to increase their processing power by adding more modules. It also offered robust graphics performance, making it ideal for scientific visualization and complex data analysis.

Next in line was the Sun-5000 series. Launched shortly after the 6000 series, the 5000 line was celebrated for its reliability and ease of management. This series emphasized a balanced architecture, which combined processing capabilities with ample memory and storage options. Key characteristics included support for multiple processors, leading to improved performance for demanding applications. Additionally, the 5000 systems featured advanced input/output capabilities, ensuring fast data transfers—crucial for database applications and web servers.

Finally, the Sun-4000 series targeted businesses seeking affordable yet potent computing solutions. These servers boasted a modular design, allowing for easy upgrades and maintenance. The 4000 series was particularly notable for its support for various operating systems, including SunOS and Solaris. These systems were engineered to handle a range of workloads, from enterprise resource planning to web hosting, while still fitting into a value-driven budget.

Across all three series, Sun Microsystems prioritized compatibility and integration, ensuring that each system offered seamless connectivity with Sun's software solutions and third-party applications. Their commitment to open standards and interoperability set them apart in the competitive landscape of enterprise computing. Additionally, the use of high-quality components lent the systems durability, making them a wise investment for organizations looking to future-proof their IT infrastructure.

In summary, the Sun-6000, 5000, and 4000 series exemplified Sun Microsystems' ethos of innovation and reliability. These powerful systems catered to diverse business needs, setting benchmarks in performance and functionality that continue to influence modern computing.