Sun Microsystems 4000 Tokens and Token Files

Chapter 5 Configuring Sun ONE Server Software for Use With the Sun Crypto Accelerator 4000 Board 87

Tokens and Token Files

Keystores appear to Sun ONE WebServers as tokens. Token files are a technique for

Sun Crypto Accelerator 4000 administrators to selectively present only specific

tokens to a given application.

Example

There are three keystores,engineering ,finance, and legal. The following tokens are

presented to the Sun ONE WebServer:

■engineering

■finance

■legal

Token Files

Tooverride the default case, a token file must exist. Some applications cannot handle

multiple tokens. Tokenfiles are text files that contain one or more token names, one

per line.

Note – Tokennames and keystore names are the same.

A Sun ONE WebServer presents only the tokens listed in the token file. The

methods of specifying token files are as follows (in orderof precedence):

1. The file named by the environment variable SUNW_PKCS11_TOKEN_FILE

Some application software suppresses environment variables, in which case this

approach might not be feasible.

2. The file $HOME/.SUNWconn_cryptov2/tokens

This filemust exist in the home directory of the UNIX user that the Sun ONE Web

Server runs as. The Sun ONE WebServer may run as a UNIX user who has no

home directory,in which case this approach might not be feasible.

3. The file /etc/opt/SUNWconn/cryptov2/tokens

If no token file exists, the Sun Crypto Accelerator 4000 software presents all tokens

to Sun ONE WebServers.

Contents

Main Please Recycle Declaration of Conformity (Fiber MMF) EMC European Union Safety Supplementary Information Declaration of Conformity (Copper UTP) EMC European Union EN 60950:2000, 3rd Edition IEC 60950:2000, 3rd Edition Safety Supplementary Information EN 60950:2000, 3rd Edition IEC 60950:2000, 3rd Edition Page Regulatory Compliance Statements FCCClass A Notice Note: ShieldedCables: Modifications: Page Page Page Contents Page Page Page Page Page Page Page Tables Page Page Page Preface How This Book Is Organized Using UNIX Commands Typographic Conventions Shell Prompts AaBbCc123 Page Product Overview Product Features Key Protocols and Interfaces Key Features Supported Applications Supported Cryptographic Protocols Diagnostic Support Cryptographic Algorithm Acceleration Supported Cryptographic Algorithms SSL Acceleration Bulk Encryption Hardware Overview IPsec Hardware Acceleration Note Sun Crypto Accelerator 4000 MMF Adapter LED Displays See TABLE1-4. Sun Crypto Accelerator 4000 UTP Adapter LED Displays See TABLE1-5. Server 4.1 or 6.0 is mentioned. Note Dynamic Reconfiguration and High Availability Load Sharing Hardware and Software Requirements Required Patches Apache Web Server Patch Page Page Installing the Sun Crypto Accelerator 4000 Board Handling the Board Caution Installing the Board To Install the Hardware Page Installing the Sun Crypto Accelerator 4000 Software To Install the Software Note Installing the Optional Packages Directories and Files Note / / Removing the Software Caution To Remove the Software Caution Page Configuring Driver Parameters Sun Crypto Accelerator 4000 Ethernet Device Driver (vca) Parameters Caution Driver Parameter Values and Definitions Advertised Link Parameters Note Page Flow Control Parameters Gigabit Forced Mode Parameter Interpacket Gap Parameters Page Interrupt Parameters Random Early Drop Parameters Page PCI Bus Interface Parameters Setting vca Driver Parameters Setting Parameters Using the ndd Utility To Specify Device Instances for the ndd Utility Note Noninteractive and Interactive Modes Using the ndd Utility in Noninteractive Mode Using the ndd Utility in Interactive Mode (See TABLE3-1 through TABLE 3-9 for parameter descriptions.) Setting Autonegotiation or Forced Mode The following link parameters can be set to operate in either autonegotiation or forced mode: To Disable Autonegotiation Mode Note Setting Parameters Using the vca.conf File Caution To Set Driver Parameters Using a vca.conf File Setting Parameters for All Sun Crypto Accelerator 4000 vca Devices With the vca.conf File To Set Parameters for All Sun Crypto Accelerator 4000 vca Devices With the vca.conf File Example vca.conf File Enabling Autonegotiation or Forced Mode for Link Parameters With the OpenBoot PROM Caution Note Sun Crypto Accelerator 4000 Cryptographic and Ethernet Driver Operating Statistics Cryptographic Driver Statistics Ethernet Driver Statistics Page Page Page Reporting the Link Partner Capabilities Page Page To Check Link Partner Settings Note number should reflect the instance number of the board for which you arerunning the kstat command. Network Configuration Configuring the Network Host Files Note Page Page Administering the Sun Crypto Accelerator 4000 Board With the vcaadm and vcadiag Utilities Using vcaadm Note Modes of Operation Note Single-Command Mode Note File Mode Interactive Mode Logging In and Out With vcaadm Logging In to a Board With vcaadm Logging In to a New Board Note Logging In to a Board With a Changed Remote Access Key vcaadm Prompt Logging Out of a Board With vcaadm Example: Entering Commands With vcaadm Getting Help for Commands Quitting the vcaadm Program in Interactive Mode Initializing the Sun Crypto Accelerator 4000 Board With vcaadm To Initialize the Sun Crypto Accelerator 4000 Board With a New Keystore Note Initializing the Sun Crypto Accelerator 4000 Board to Use an Existing Keystore To Initialize the Sun Crypto Accelerator 4000 Board to Use an Existing Keystore Managing Keystores With vcaadm Note Naming Requirements Password Requirements Setting the Password Requirements Populating a Keystore With Security Officers Populating a Keystore With Users Caution Note Listing Users and Security Officers Changing Passwords Enabling or Disabling Users Note Deleting Users Deleting Security Officers Backing Up the Master Key Caution Locking the Keystore to Prevent Backups Caution Managing Boards With vcaadm Setting the Auto-Logout Time Displaying Board Status Determining if the Board is Operating in FIPS 140-2 Mode Loading New Firmware Resetting a Sun Crypto Accelerator 4000 Board Rekeying a Sun Crypto Accelerator 4000 Board Zeroizing a Sun Crypto Accelerator 4000 Board Note Using the vcaadm diagnostics Command Using vcadiag Note Page The following is an example of the -K option: The following is an example of the -Q option: The following is an example of the -Z option: The following is an example of the -R option: Page Configuring Sun ONE Server Software for Use With the Sun Crypto Accelerator 4000 Board Note Administering Security for Sun ONE Web Servers Note Concepts and Terminology Note Tokens and Token Files Example Token Files Note Enabling and Disabling Bulk Encryption Configuring Sun ONE WebServers Passwords Populating a Keystore Note To Populate a Keystore Caution Overview for Enabling Sun ONE Web Servers Caution Installing and Configuring Sun ONE Web Server 4.1 Installing Sun ONE Web Server 4.1 To Install Sun ONE WebServer 4.1 To Create a Trust Database Note To Generate a Server Certificate Page Note To Install the Server Certificate Configuring Sun ONE Web Server 4.1 for SSL To Configure the Sun ONE Web Server 4.1 Page Note Installing and Configuring Sun ONE Web Server 6.0 Installing Sun ONE Web Server 6.0 To Install Sun ONE WebServer 6.0 To Create a Trust Database Note Page To Generate a Server Certificate Page Note To Install the Server Certificate Configuring Sun ONE Web Server 6.0 for SSL To Configure the Sun ONE Web Server 6.0 Page Page Configuring Apache Web Servers for Use With the Sun Crypto Accelerator 4000 Board Caution Note Enabling the Board for Apache Web Servers Enabling Apache Web Servers To Enable the Apache WebServer Page Caution Creating a Certificate To Create a Certificate Note Page Page Diagnostics and Troubleshooting SunVTS Diagnostic Software Installing SunVTS netlbtest and nettest Support for the vca Driver Note Using SunVTS Software to Perform vcatest, nettest, and netlbtest Note To Perform vcatest Note Test Parameter Options for vcatest vcatest Command-Line Syntax To Perform netlbtest Note To Perform nettest Page Note Using kstat to Determine Cryptographic Activity Note Using the OpenBoot PROM FCode Self- Test Performing the Ethernet FCode Self-Test Diagnostic Page Note Troubleshooting the Sun Crypto Accelerator 4000 Board show-devs .properties watch-net Specifications Sun Crypto Accelerator 4000 MMF Adapter Connectors 136 Sun Crypto Accelerator 4000 Board Installation and Users Guide May 2003 TABLEA-1 lists the characteristics of the SC connector (850 nm). Operating range Up to 260 meters Up to 550 meters Physical Dimensions Performance Specifications Power Requirements Interface Specifications Environmental Specifications Sun Crypto Accelerator 4000 UTP Adapter Connectors Appendix A Specifications 139 TABLEA-7 lists the characteristics of the Cat-5 connector used by the Sun Crypto Accelerator 4000 UTP adapter. Operating range Up to 100 meters Physical Dimensions Performance Specifications Power Requirements Interface Specifications Environmental Specifications Page SSL Configuration Directives for Apache Web Servers Note Page Page Page Page Page Page Building Applications for Use With the Sun Crypto Accelerator 4000 Board Note Page Software Licenses Note Sun Microsystems, Inc. Binary Code License Agreement Page Sun Microsystems, Inc. Supplemental Termsfor Sun Crypto Accelerator 4000 Third Party License Terms OPENSSL LICENSE ISSUES OpenSSL License Original SSLeay License MOD_SSL LICENSE Page Page Manual Pages man -M /opt/SUNWconn/man page Page Zeroizing the Hardware Caution Note Zeroizing the Sun Crypto Accelerator 4000 Hardware to the Factory State Note Board With the Hardware Jumper Note Caution Page Frequently Asked Questions How Do I Configure the WebServer to Startup Without User Interaction on Reboot? To Create an Encrypted Key for Automatic Startup of Apache Web Servers on Reboot To Create an Encrypted Key for Automatic Startup of Sun ONE Web Servers on Reboot How Do I Assign Different MAC Addresses to Multiple Boards Installed in the Same Server? Page How Do I Self-Sign a Certificate for Testing? Index SYMBOLS NUMERICS A B C D E F G H I K L M N O P Q R S T U V