Sun Microsystems 4000 Creating a Certificate

114 Sun Crypto Accelerator 4000 Board Installation and User’s Guide • May 2003

9. Choose a base name for the key material.

This name is appended with different suffixesto distinguish key files, certificate

request files and later on, certificatefiles from one another.

10. Provide a key length between 512 and 2048 bits.

For most web server applications, 1024 bits is sufficientlystrong, but you can choose

stronger keys if preferred.

11. Create your PEM pass phrase.

This pass phrase protectsthe key material. Be sure to select a strong pass phrase, but

one that you can remember.If you forget the pass phrase, you will be unable to

access your keys.

Caution – Youmust remember the pass phrase you enter. Without the pass phrase,

you cannot access your keys. There is no way to retrieve a lost pass phrase.

Creating a Certificate

The following procedure describes how to create the certificaterequired to enable

Apache WebServers to use the Sun Crypto Accelerator 4000 board.

Please choose a base name for the key and request file: base_name

What size would you like the RSA key to be [1024]? 1024

Using configuration from /opt/SUNWconn/cryptov2/ssl/openssl.cnf

Generating a 1024 bit RSA private key

........++++++

...................................................++++++

writing new private key to /etc/apache/keys/base_name

Enter PEM pass phrase:

Verifying password - Enter PEM pass phrase:

Contents

Main Please Recycle Declaration of Conformity (Fiber MMF) EMC European Union Safety Supplementary Information Declaration of Conformity (Copper UTP) EMC European Union EN 60950:2000, 3rd Edition IEC 60950:2000, 3rd Edition Safety Supplementary Information EN 60950:2000, 3rd Edition IEC 60950:2000, 3rd Edition Page Regulatory Compliance Statements FCCClass A Notice Note: ShieldedCables: Modifications: Page Page Page Contents Page Page Page Page Page Page Page Tables Page Page Page Preface How This Book Is Organized Using UNIX Commands Typographic Conventions Shell Prompts AaBbCc123 Page Product Overview Product Features Key Protocols and Interfaces Key Features Supported Applications Supported Cryptographic Protocols Diagnostic Support Cryptographic Algorithm Acceleration Supported Cryptographic Algorithms SSL Acceleration Bulk Encryption Hardware Overview IPsec Hardware Acceleration Note Sun Crypto Accelerator 4000 MMF Adapter LED Displays See TABLE1-4. Sun Crypto Accelerator 4000 UTP Adapter LED Displays See TABLE1-5. Server 4.1 or 6.0 is mentioned. Note Dynamic Reconfiguration and High Availability Load Sharing Hardware and Software Requirements Required Patches Apache Web Server Patch Page Page Installing the Sun Crypto Accelerator 4000 Board Handling the Board Caution Installing the Board To Install the Hardware Page Installing the Sun Crypto Accelerator 4000 Software To Install the Software Note Installing the Optional Packages Directories and Files Note / / Removing the Software Caution To Remove the Software Caution Page Configuring Driver Parameters Sun Crypto Accelerator 4000 Ethernet Device Driver (vca) Parameters Caution Driver Parameter Values and Definitions Advertised Link Parameters Note Page Flow Control Parameters Gigabit Forced Mode Parameter Interpacket Gap Parameters Page Interrupt Parameters Random Early Drop Parameters Page PCI Bus Interface Parameters Setting vca Driver Parameters Setting Parameters Using the ndd Utility To Specify Device Instances for the ndd Utility Note Noninteractive and Interactive Modes Using the ndd Utility in Noninteractive Mode Using the ndd Utility in Interactive Mode (See TABLE3-1 through TABLE 3-9 for parameter descriptions.) Setting Autonegotiation or Forced Mode The following link parameters can be set to operate in either autonegotiation or forced mode: To Disable Autonegotiation Mode Note Setting Parameters Using the vca.conf File Caution To Set Driver Parameters Using a vca.conf File Setting Parameters for All Sun Crypto Accelerator 4000 vca Devices With the vca.conf File To Set Parameters for All Sun Crypto Accelerator 4000 vca Devices With the vca.conf File Example vca.conf File Enabling Autonegotiation or Forced Mode for Link Parameters With the OpenBoot PROM Caution Note Sun Crypto Accelerator 4000 Cryptographic and Ethernet Driver Operating Statistics Cryptographic Driver Statistics Ethernet Driver Statistics Page Page Page Reporting the Link Partner Capabilities Page Page To Check Link Partner Settings Note number should reflect the instance number of the board for which you arerunning the kstat command. Network Configuration Configuring the Network Host Files Note Page Page Administering the Sun Crypto Accelerator 4000 Board With the vcaadm and vcadiag Utilities Using vcaadm Note Modes of Operation Note Single-Command Mode Note File Mode Interactive Mode Logging In and Out With vcaadm Logging In to a Board With vcaadm Logging In to a New Board Note Logging In to a Board With a Changed Remote Access Key vcaadm Prompt Logging Out of a Board With vcaadm Example: Entering Commands With vcaadm Getting Help for Commands Quitting the vcaadm Program in Interactive Mode Initializing the Sun Crypto Accelerator 4000 Board With vcaadm To Initialize the Sun Crypto Accelerator 4000 Board With a New Keystore Note Initializing the Sun Crypto Accelerator 4000 Board to Use an Existing Keystore To Initialize the Sun Crypto Accelerator 4000 Board to Use an Existing Keystore Managing Keystores With vcaadm Note Naming Requirements Password Requirements Setting the Password Requirements Populating a Keystore With Security Officers Populating a Keystore With Users Caution Note Listing Users and Security Officers Changing Passwords Enabling or Disabling Users Note Deleting Users Deleting Security Officers Backing Up the Master Key Caution Locking the Keystore to Prevent Backups Caution Managing Boards With vcaadm Setting the Auto-Logout Time Displaying Board Status Determining if the Board is Operating in FIPS 140-2 Mode Loading New Firmware Resetting a Sun Crypto Accelerator 4000 Board Rekeying a Sun Crypto Accelerator 4000 Board Zeroizing a Sun Crypto Accelerator 4000 Board Note Using the vcaadm diagnostics Command Using vcadiag Note Page The following is an example of the -K option: The following is an example of the -Q option: The following is an example of the -Z option: The following is an example of the -R option: Page Configuring Sun ONE Server Software for Use With the Sun Crypto Accelerator 4000 Board Note Administering Security for Sun ONE Web Servers Note Concepts and Terminology Note Tokens and Token Files Example Token Files Note Enabling and Disabling Bulk Encryption Configuring Sun ONE WebServers Passwords Populating a Keystore Note To Populate a Keystore Caution Overview for Enabling Sun ONE Web Servers Caution Installing and Configuring Sun ONE Web Server 4.1 Installing Sun ONE Web Server 4.1 To Install Sun ONE WebServer 4.1 To Create a Trust Database Note To Generate a Server Certificate Page Note To Install the Server Certificate Configuring Sun ONE Web Server 4.1 for SSL To Configure the Sun ONE Web Server 4.1 Page Note Installing and Configuring Sun ONE Web Server 6.0 Installing Sun ONE Web Server 6.0 To Install Sun ONE WebServer 6.0 To Create a Trust Database Note Page To Generate a Server Certificate Page Note To Install the Server Certificate Configuring Sun ONE Web Server 6.0 for SSL To Configure the Sun ONE Web Server 6.0 Page Page Configuring Apache Web Servers for Use With the Sun Crypto Accelerator 4000 Board Caution Note Enabling the Board for Apache Web Servers Enabling Apache Web Servers To Enable the Apache WebServer Page Caution Creating a Certificate To Create a Certificate Note Page Page Diagnostics and Troubleshooting SunVTS Diagnostic Software Installing SunVTS netlbtest and nettest Support for the vca Driver Note Using SunVTS Software to Perform vcatest, nettest, and netlbtest Note To Perform vcatest Note Test Parameter Options for vcatest vcatest Command-Line Syntax To Perform netlbtest Note To Perform nettest Page Note Using kstat to Determine Cryptographic Activity Note Using the OpenBoot PROM FCode Self- Test Performing the Ethernet FCode Self-Test Diagnostic Page Note Troubleshooting the Sun Crypto Accelerator 4000 Board show-devs .properties watch-net Specifications Sun Crypto Accelerator 4000 MMF Adapter Connectors 136 Sun Crypto Accelerator 4000 Board Installation and Users Guide May 2003 TABLEA-1 lists the characteristics of the SC connector (850 nm). Operating range Up to 260 meters Up to 550 meters Physical Dimensions Performance Specifications Power Requirements Interface Specifications Environmental Specifications Sun Crypto Accelerator 4000 UTP Adapter Connectors Appendix A Specifications 139 TABLEA-7 lists the characteristics of the Cat-5 connector used by the Sun Crypto Accelerator 4000 UTP adapter. Operating range Up to 100 meters Physical Dimensions Performance Specifications Power Requirements Interface Specifications Environmental Specifications Page SSL Configuration Directives for Apache Web Servers Note Page Page Page Page Page Page Building Applications for Use With the Sun Crypto Accelerator 4000 Board Note Page Software Licenses Note Sun Microsystems, Inc. Binary Code License Agreement Page Sun Microsystems, Inc. Supplemental Termsfor Sun Crypto Accelerator 4000 Third Party License Terms OPENSSL LICENSE ISSUES OpenSSL License Original SSLeay License MOD_SSL LICENSE Page Page Manual Pages man -M /opt/SUNWconn/man page Page Zeroizing the Hardware Caution Note Zeroizing the Sun Crypto Accelerator 4000 Hardware to the Factory State Note Board With the Hardware Jumper Note Caution Page Frequently Asked Questions How Do I Configure the WebServer to Startup Without User Interaction on Reboot? To Create an Encrypted Key for Automatic Startup of Apache Web Servers on Reboot To Create an Encrypted Key for Automatic Startup of Sun ONE Web Servers on Reboot How Do I Assign Different MAC Addresses to Multiple Boards Installed in the Same Server? Page How Do I Self-Sign a Certificate for Testing? Index SYMBOLS NUMERICS A B C D E F G H I K L M N O P Q R S T U V