European Union
Product Family Name: Sun Crypto Accelerator 4000 Fiber, X4012A
Supplementary Information
EN 60950:2000, 3rd Edition; IEC 60950:2000, 3rd Edition
Safety
Regulatory Compliance Statements
FCC Class A Notice
FCC Class B Notice
ICES-003 Class A Notice / Avis NMB-003, Classe A
ICES-003 Class B Notice Avis NMB-003, Classe B
BSMI Class A Notice
Contents
Installing the Sun Crypto Accelerator 4000 Board
Configuring Driver Parameters
Diagnostics and Troubleshooting
Specifications
Third Party License Terms
Frequently Asked Questions
Manual Pages
Zeroizing the Hardware
Tables
Preface
How This Book Is Organized
Using UNIX Commands
Solaris Hardware Platform Guide
Typographic Conventions
Shell Prompts
Accessing Sun Documentation Online
Sun Welcomes Your Comments
Product Features
Key Protocols and Interfaces
Key Features
Supported Applications
Supported Cryptographic Protocols
Supported Cryptographic Algorithms
Diagnostic Support
Cryptographic Algorithm Acceleration
Table 1 IPsec Cryptographic Algorithms
# touch /etc/opt/SUNWconn/cryptov2/sslreg
Bulk Encryption
Table 3 Supported SSL Algorithms
# rm /etc/opt/SUNWconn/cryptov2/sslreg
Hardware Overview
IPsec Hardware Acceleration
Sun Crypto Accelerator 4000 MMF Adapter
LED Displays
Table 4 Front Panel Display LEDs for the MMF Adapter
Sun Crypto Accelerator 4000 UTP Adapter
Figure 2 Sun Crypto Accelerator 4000 UTP Adapter
Table 5 Front Panel Display LEDs for the UTP Adapter
Dynamic Reconfiguration and High Availability
Load Sharing
Apache Web Server Patch
Hardware and Software Requirements
Required Patches
Table 6 Hardware and Software Requirements
Solaris 8 Patches
Solaris 9 Patches
There are currently no required Solaris 9 patches.
Installing the Sun Crypto Accelerator 4000 Board
Handling the Board
Installing the Board
To Install the Hardware
ok show-devs
ok cd /pci@8,600000/network@1
ok .properties
Installing the Sun Crypto Accelerator 4000 Software
To Install the Software
# mount -F hsfs -o ro /dev/dsk/c0t6d0s2 /cdrom
VCA Administration
Table 1 Files in the /cdrom/cdrom0 Directory
VCA Firmware
# prtdiag
Installing the Optional Packages
Install the required software packages by typing:
# modinfo | grep Crypto
Directories and Files
Table 2 Sun Crypto Accelerator 4000 Directories
Application executables
Apache configuration support
Encrypted keys
Development Application Support libraries
Removing the Software
To Remove the Software
Configuring Driver Parameters
Driver Parameter Values and Definitions
Table 1 vca Driver Parameter, Status, and Descriptions
Advertised Link Parameters
Table 2 Operational Mode Parameters
Flow Control Parameters
Table 3 Read-Write Flow Control Keyword Descriptions
Gigabit Forced Mode Parameter
Table 4 Gigabit Forced Mode Parameter
Interpacket Gap Parameters
Table 5 Parameters Defining enable-ipg0 and ipg0
Table 7 describes the receive interrupt blanking values.
Interrupt Parameters
Random Early Drop Parameters
Table 7 RX Blanking Register for Alias Read
When the FIFO threshold is greater than 6,144 bytes
PCI Bus Interface Parameters
Table 9 PCI Bus Interface Parameters
To Specify Device Instances for the ndd Utility
Setting vca Driver Parameters
Setting Parameters Using the ndd Utility
Use the instance number to select the device
To modify a parameter value, use the -set option
Noninteractive and Interactive Modes
The device remains selected until you change the selection.
# ndd -set /dev/vcaN parameter value
The ndd utility then prompts you for the name of the parameter.
# ndd /dev/vcaN
Setting Autonegotiation or Forced Mode
# ndd /dev/vca
To Disable Autonegotiation Mode
Set the adv-autoneg-cap parameter to
# ndd -set /dev/vcaN adv-autoneg-cap
Refer to the online manual pages for path_to_inst(4)
Setting Parameters Using the vca.conf File
To Set Driver Parameters Using a vca.conf File
# grep vca /etc/driver_aliases
vca "pci108e,3de8"
Table 10 Device Path Name
Example vca.conf File
The following is an example vca.conf file:
Table 11 Local Link Network Device Parameters
ok boot net:speed=100,duplex=half
ok boot net:speed=1000,duplex=half,link-clock=master
Cryptographic Driver Statistics
ok boot net:speed=10,duplex=auto
ok boot net:speed=10
Refer to the IEEE 802.3 documentation for further details.
Ethernet Driver Statistics
Table 13 describes the Ethernet driver statistics.
Table 13 Ethernet Driver Statistics
Table 14 describes the transmit and receive MAC counters.
Table 14 TX and RX MAC Counters
tx-underrun
Table 15 Current Ethernet Link Properties
Table 16 Read-Only vca Device Capabilities
Reporting the Link Partner Capabilities
Table 17 describes the read-only link partner capabilities.
Table 17 Read-Only Link Partner Capabilities
Table 18 Driver-Specific Parameters
Ethernet Transmit Counters
Ethernet Receive Counters
To Check Link Partner Settings
As superuser, type the kstat vcaN command:
# kstat vcaN
Locate the correct vca interfaces and instance numbers
Network Configuration
Configuring the Network Host Files
The instance number in the previous example is
# cat /etc/hosts
# Internet host table
localhost
zardoz loghost
zardoz-11
Using vcaadm
$ PATH=$PATH:/opt/SUNWconn/bin
$ export PATH
The vcaadm command-line syntax is
Modes of Operation
Table 1 shows the options for the vcaadm utility.
$ vcaadm -s secofficer create user webadmin
Single-Command Mode
File Mode
$ vcaadm show user
Interactive Mode
Logging In and Out With vcaadm
$ vcaadm -f deluser.scr -y
Logging In to a Board With vcaadm
Logging In to a New Board
Logging In to a Board With a Changed Remote Access Key
# vcaadm -h hostname
The following table describes the vcaadm prompt variables.
The vcaadm prompt in Interactive mode is displayed as follows:
Logging Out of a Board With vcaadm
Table 2 vcaadm Prompt Variable Definitions
Table 3 connect Command Optional Parameters
vcaadm connect host hostname dev vca2
Entering Commands With vcaadm
webadmin
tom
Getting Help for Commands
vcaadm{vcaN@hostname, secofficer}> set ?
Quitting the vcaadm Program in Interactive Mode
Select FIPS 140-2 mode or non-FIPS mode
Create a keystore name. Refer to Naming Requirements on
Verify the configuration information
Enter the path and password to the backup file
Password Requirements
Managing Keystores With vcaadm
Naming Requirements
Setting the Password Requirements
5Password Requirement Settings
Populating a Keystore With Security Officers
Populating a Keystore With Users
Changing Passwords
Listing Users and Security Officers
To enable an account, enter the enable user command.
Enabling or Disabling Users
Deleting Users
Deleting Security Officers
Backing Up the Master Key
Locking the Keystore to Prevent Backups
Setting the Auto-Logout Time
Managing Boards With vcaadm
Displaying Board Status
vcaadm{vcaN@hostname, secofficer}> show status
Board Status
Resetting a Sun Crypto Accelerator 4000 Board
Loading New Firmware
Rekeying a Sun Crypto Accelerator 4000 Board
Key Types
Using the vcaadm diagnostics Command
Zeroizing a Sun Crypto Accelerator 4000 Board
The vcadiag command-line syntax is
vcaadm{vcaN@hostname, secofficer}> diagnostics
The following is an example of the -F option:
Table 1 shows the options for the vcadiag utility.
The following is an example of the -D option:
# vcadiag -D vca0
The following is an example of the -R option:
The following is an example of the -K option:
The following is an example of the -Q option:
The following is an example of the -Z option:
Administering Security for Sun ONE Web Servers
Concepts and Terminology
Tokens and Token Files
Token Files
The following is an example of the contents of a token file:
Enabling and Disabling Bulk Encryption
Configuring Sun ONE Web Servers
Passwords
Table 1 Passwords Required for Sun ONE Web Servers
To Populate a Keystore
Refer to Using vcaadm on
Populating a Keystore
Populate the board’s keystore with users
Create a user with the create user command
Overview for Enabling Sun ONE Web Servers
Exit vcaadm
Installing and Configuring Sun ONE Web Server
Installing Sun ONE Web Server
To Install Sun ONE Web Server
To Create a Trust Database
Start the Sun ONE Web Server 4.1 Administration Server
The response provides the URL for connecting to your servers.
Select OK
# /opt/SUNWconn/bin/iplsslcfg
To Generate a Server Certificate
Type 0 to quit
Create Trust Database page is displayed
This password is the username password in Table
Select the Cryptographic Module you want to use
Table 2 Requestor Information Fields
To Install the Server Certificate
Fill out the form to install your certificate
Configuring Sun ONE Web Server 4.1 for SSL
To Configure the Sun ONE Web Server
Table 3 Fields for the Certificate to Install
The web server is now configured to run in secure mode.
Set encryption to On
/usr/iplanet/servers
Start the Sun ONE Web Server 6.0 Administration Server
Create the trust database for the web server instance
# /usr/iplanet/servers/https-admserv/start
# /opt/SUNWconn/crypto/bin/iplsslcfg
To Generate a Server Certificate
Create Trust Database window is displayed
Table 4 Requestor Information Fields
To Install the Server Certificate
Configuring Sun ONE Web Server 6.0 for SSL
Table 5 Fields for the Certificate to Install
Select the OK button to apply these changes
Enabling the Board for Apache Web Servers
To Enable the Apache Web Server
Create an httpd configuration file
Enabling Apache Web Servers
Select 1 to configure your Apache Web Server to use SSL
Create an RSA keypair for your system
Provide a key length between 512 and 2048 bits
Creating a Certificate
Choose a base name for the key material
Create your PEM pass phrase
To Create a Certificate
Modify the /etc/apache/httpd.conf file as directed
Select 0 to quit when you finish with apsslcfg
Copy your certificate request with the headers from
Start the Apache Web Server
# /usr/apache/bin/apachectl start
Diagnostics and Troubleshooting
SunVTS Diagnostic Software
To Perform vcatest
As superuser, start SunVTS
# /opt/SUNWvts/bin/sunvts
vcatest Command-Line Syntax
Test Parameter Options for vcatest
Table 2 describes the vcatest subtests.
To Perform netlbtest
To Perform nettest
# ifconfig vcaN inet plumb ip-address up
Using kstat to Determine Cryptographic Activity
# kstat vca0
ok setenv auto-boot? false
Using the OpenBoot PROM FCode Self-Test
Performing the Ethernet FCode Self-Test Diagnostic
Shut down the system
ok reset-all
Reset the system
Perform the self-test using the test command
ok show-nets
Type the following:
Set the auto-boot? configuration parameter to true
Reset and reboot the system
If the test passes, you see the following messages:
Troubleshooting the Sun Crypto Accelerator 4000 Board
show-devs
.properties
watch-net
Connectors
Sun Crypto Accelerator 4000 MMF Adapter
Figure A-1 Sun Crypto Accelerator 4000 MMF Adapter Connector
Table A-1 SC Connector Link Characteristics IEEE P802.3z
Physical Dimensions
Performance Specifications
Power Requirements
Table A-5 Interface Specifications
Interface Specifications
Environmental Specifications
Table A-6 Environmental Specifications
Figure A-2 Sun Crypto Accelerator 4000 UTP Adapter Connector
Table A-7 Cat-5 Connector Link Characteristics
Table A-9 Performance Specifications
Table A-10 Power Requirements
Table A-11 Interface Specifications
Table A-12 Environmental Specifications
SSL Configuration Directives for Apache Web Servers
Table B-1 SSL Protocols
The preceding statement is equivalent to
SSL Aliases
The default value of cipher-spec is
Table B-4 Special Characters to Configure Cipher Preference
Table B-3 SSL Aliases
Context: Global, virtual host
Table B-5 SSL Verify Client Levels
Table B-6 SSL Log Level Values
Options are listed and described in Table B-7
Table B-7 Available SSL Options
/opt/SUNWconn/cryptov2/include
Software Licenses
Appendix D Software Licenses
OpenSSL License Issues
Third Party License Terms
Original SSLeay License
mod_ssl License
man -M /opt/SUNWconn/man
Table E-1 Sun Crypto Accelerator 4000 Online Manual Pages
The kcl2 device driver is a multithreaded loadable kernel module.
Zeroizing the Hardware
Reconnect to the Sun Crypto Accelerator 4000 board with vcaadm.
Frequently Asked Questions
# chmod 400 password.conf
Enter the following command at the OBP prompt:
Enter the following command:
Reboot the system
Boot the operating environment
How Do I Self-Sign a Certificate for Testing?
Index
Extension
Advertised link parameters
Commands
Failsafe mode
Pause capability
command-line syntax, 123
test parameter options
rx-intr-pkts parameter, 25
vca driver
URL
vca.conf file, example
watch-net command
zeroize command, 163
zeroizing the hardware