Sun Microsystems 4000 Locking the Keystore to Prevent Backups

Chapter 4 Administering the Sun Crypto Accelerator 4000 Board With the vcaadm andvcadiag Utilities 75

A password must be set for the backup data. This password is used to encrypt the

master key that is in the backup file.

Caution – Youshould choose a password that is very difficult to guess when

making backup files because this password protects the master key for your

keystore. Youmust also remember the password you enter. Without the password,

you cannot access the master key backup file. There is no way to retrieve the data

protected by a lost password.

Locking the Keystore to Prevent Backups

A site might have a strict security policy that doesn’t allow the master key for a Sun

Crypto Accelerator 4000 board to ever leave the hardware. This can be enforced

using the set lockcommand.

Caution – Once this command is issued, all attempts to back up the master key will

fail. This lock persists even if the master key is rekeyed. The only way to clear this

setting is to zeroize the Sun Crypto Accelerator 4000 board with the zeroize

command. Refer to “Zeroizing a Sun Crypto Accelerator 4000 Board” on page80.

vcaadm{vcaN@hostname,sec_officer}> backup /opt/SUNWconn/vca/backups/bkup.data

Enter a password to protect the data:

Confirm password:

Backup to /opt/SUNWconn/vca/backups/bkup.data successful.

vcaadm{vcaN@hostname,sec_officer}> set lock

WARNING: Issuing this command will lock the

master key. You will be unable to back

up your master key once this command

is issued. Once set, the only way to

remove this lock is to zeroize the board.

Do you wish to lock the master key? (Y/Yes/N/No) [No]: y

The master key is now locked.

Contents

Main Please Recycle Declaration of Conformity (Fiber MMF) EMC European Union Safety Supplementary Information Declaration of Conformity (Copper UTP) EMC European Union EN 60950:2000, 3rd Edition IEC 60950:2000, 3rd Edition Safety Supplementary Information EN 60950:2000, 3rd Edition IEC 60950:2000, 3rd Edition Page Regulatory Compliance Statements FCCClass A Notice Note: ShieldedCables: Modifications: Page Page Page Contents Page Page Page Page Page Page Page Tables Page Page Page Preface How This Book Is Organized Using UNIX Commands Typographic Conventions Shell Prompts AaBbCc123 Page Product Overview Product Features Key Protocols and Interfaces Key Features Supported Applications Supported Cryptographic Protocols Diagnostic Support Cryptographic Algorithm Acceleration Supported Cryptographic Algorithms SSL Acceleration Bulk Encryption Hardware Overview IPsec Hardware Acceleration Note Sun Crypto Accelerator 4000 MMF Adapter LED Displays See TABLE1-4. Sun Crypto Accelerator 4000 UTP Adapter LED Displays See TABLE1-5. Server 4.1 or 6.0 is mentioned. Note Dynamic Reconfiguration and High Availability Load Sharing Hardware and Software Requirements Required Patches Apache Web Server Patch Page Page Installing the Sun Crypto Accelerator 4000 Board Handling the Board Caution Installing the Board To Install the Hardware Page Installing the Sun Crypto Accelerator 4000 Software To Install the Software Note Installing the Optional Packages Directories and Files Note / / Removing the Software Caution To Remove the Software Caution Page Configuring Driver Parameters Sun Crypto Accelerator 4000 Ethernet Device Driver (vca) Parameters Caution Driver Parameter Values and Definitions Advertised Link Parameters Note Page Flow Control Parameters Gigabit Forced Mode Parameter Interpacket Gap Parameters Page Interrupt Parameters Random Early Drop Parameters Page PCI Bus Interface Parameters Setting vca Driver Parameters Setting Parameters Using the ndd Utility To Specify Device Instances for the ndd Utility Note Noninteractive and Interactive Modes Using the ndd Utility in Noninteractive Mode Using the ndd Utility in Interactive Mode (See TABLE3-1 through TABLE 3-9 for parameter descriptions.) Setting Autonegotiation or Forced Mode The following link parameters can be set to operate in either autonegotiation or forced mode: To Disable Autonegotiation Mode Note Setting Parameters Using the vca.conf File Caution To Set Driver Parameters Using a vca.conf File Setting Parameters for All Sun Crypto Accelerator 4000 vca Devices With the vca.conf File To Set Parameters for All Sun Crypto Accelerator 4000 vca Devices With the vca.conf File Example vca.conf File Enabling Autonegotiation or Forced Mode for Link Parameters With the OpenBoot PROM Caution Note Sun Crypto Accelerator 4000 Cryptographic and Ethernet Driver Operating Statistics Cryptographic Driver Statistics Ethernet Driver Statistics Page Page Page Reporting the Link Partner Capabilities Page Page To Check Link Partner Settings Note number should reflect the instance number of the board for which you arerunning the kstat command. Network Configuration Configuring the Network Host Files Note Page Page Administering the Sun Crypto Accelerator 4000 Board With the vcaadm and vcadiag Utilities Using vcaadm Note Modes of Operation Note Single-Command Mode Note File Mode Interactive Mode Logging In and Out With vcaadm Logging In to a Board With vcaadm Logging In to a New Board Note Logging In to a Board With a Changed Remote Access Key vcaadm Prompt Logging Out of a Board With vcaadm Example: Entering Commands With vcaadm Getting Help for Commands Quitting the vcaadm Program in Interactive Mode Initializing the Sun Crypto Accelerator 4000 Board With vcaadm To Initialize the Sun Crypto Accelerator 4000 Board With a New Keystore Note Initializing the Sun Crypto Accelerator 4000 Board to Use an Existing Keystore To Initialize the Sun Crypto Accelerator 4000 Board to Use an Existing Keystore Managing Keystores With vcaadm Note Naming Requirements Password Requirements Setting the Password Requirements Populating a Keystore With Security Officers Populating a Keystore With Users Caution Note Listing Users and Security Officers Changing Passwords Enabling or Disabling Users Note Deleting Users Deleting Security Officers Backing Up the Master Key Caution Locking the Keystore to Prevent Backups Caution Managing Boards With vcaadm Setting the Auto-Logout Time Displaying Board Status Determining if the Board is Operating in FIPS 140-2 Mode Loading New Firmware Resetting a Sun Crypto Accelerator 4000 Board Rekeying a Sun Crypto Accelerator 4000 Board Zeroizing a Sun Crypto Accelerator 4000 Board Note Using the vcaadm diagnostics Command Using vcadiag Note Page The following is an example of the -K option: The following is an example of the -Q option: The following is an example of the -Z option: The following is an example of the -R option: Page Configuring Sun ONE Server Software for Use With the Sun Crypto Accelerator 4000 Board Note Administering Security for Sun ONE Web Servers Note Concepts and Terminology Note Tokens and Token Files Example Token Files Note Enabling and Disabling Bulk Encryption Configuring Sun ONE WebServers Passwords Populating a Keystore Note To Populate a Keystore Caution Overview for Enabling Sun ONE Web Servers Caution Installing and Configuring Sun ONE Web Server 4.1 Installing Sun ONE Web Server 4.1 To Install Sun ONE WebServer 4.1 To Create a Trust Database Note To Generate a Server Certificate Page Note To Install the Server Certificate Configuring Sun ONE Web Server 4.1 for SSL To Configure the Sun ONE Web Server 4.1 Page Note Installing and Configuring Sun ONE Web Server 6.0 Installing Sun ONE Web Server 6.0 To Install Sun ONE WebServer 6.0 To Create a Trust Database Note Page To Generate a Server Certificate Page Note To Install the Server Certificate Configuring Sun ONE Web Server 6.0 for SSL To Configure the Sun ONE Web Server 6.0 Page Page Configuring Apache Web Servers for Use With the Sun Crypto Accelerator 4000 Board Caution Note Enabling the Board for Apache Web Servers Enabling Apache Web Servers To Enable the Apache WebServer Page Caution Creating a Certificate To Create a Certificate Note Page Page Diagnostics and Troubleshooting SunVTS Diagnostic Software Installing SunVTS netlbtest and nettest Support for the vca Driver Note Using SunVTS Software to Perform vcatest, nettest, and netlbtest Note To Perform vcatest Note Test Parameter Options for vcatest vcatest Command-Line Syntax To Perform netlbtest Note To Perform nettest Page Note Using kstat to Determine Cryptographic Activity Note Using the OpenBoot PROM FCode Self- Test Performing the Ethernet FCode Self-Test Diagnostic Page Note Troubleshooting the Sun Crypto Accelerator 4000 Board show-devs .properties watch-net Specifications Sun Crypto Accelerator 4000 MMF Adapter Connectors 136 Sun Crypto Accelerator 4000 Board Installation and Users Guide May 2003 TABLEA-1 lists the characteristics of the SC connector (850 nm). Operating range Up to 260 meters Up to 550 meters Physical Dimensions Performance Specifications Power Requirements Interface Specifications Environmental Specifications Sun Crypto Accelerator 4000 UTP Adapter Connectors Appendix A Specifications 139 TABLEA-7 lists the characteristics of the Cat-5 connector used by the Sun Crypto Accelerator 4000 UTP adapter. Operating range Up to 100 meters Physical Dimensions Performance Specifications Power Requirements Interface Specifications Environmental Specifications Page SSL Configuration Directives for Apache Web Servers Note Page Page Page Page Page Page Building Applications for Use With the Sun Crypto Accelerator 4000 Board Note Page Software Licenses Note Sun Microsystems, Inc. Binary Code License Agreement Page Sun Microsystems, Inc. Supplemental Termsfor Sun Crypto Accelerator 4000 Third Party License Terms OPENSSL LICENSE ISSUES OpenSSL License Original SSLeay License MOD_SSL LICENSE Page Page Manual Pages man -M /opt/SUNWconn/man page Page Zeroizing the Hardware Caution Note Zeroizing the Sun Crypto Accelerator 4000 Hardware to the Factory State Note Board With the Hardware Jumper Note Caution Page Frequently Asked Questions How Do I Configure the WebServer to Startup Without User Interaction on Reboot? To Create an Encrypted Key for Automatic Startup of Apache Web Servers on Reboot To Create an Encrypted Key for Automatic Startup of Sun ONE Web Servers on Reboot How Do I Assign Different MAC Addresses to Multiple Boards Installed in the Same Server? Page How Do I Self-Sign a Certificate for Testing? Index SYMBOLS NUMERICS A B C D E F G H I K L M N O P Q R S T U V