 Please Recycle
 European Union
Product Family Name: Sun Crypto Accelerator 4000 Fiber (X4012A)
 Supplementary Information
EN 60950:2000, 3rd Edition / IEC 60950:2000, 3rd Edition
 Safety
 FCC Class B Notice
Regulatory Compliance Statements
FCC Class A Notice
ICES-003 Class A Notice / Avis NMB-003, Classe A
ICES-003 Class B Notice / Avis NMB-003, Classe B
BSMI Class A Notice
 Contents
 Installing the Sun Crypto Accelerator 4000 Board
Configuring Driver Parameters
Diagnostics and Troubleshooting
 Third Party License Terms
Specifications
 Frequently Asked Questions
Manual Pages Zeroizing the Hardware
 Tables
 Preface
How This Book Is Organized
 Using Unix Commands
Solaris Hardware Platform Guide
 Typographic Conventions
Shell Prompts
 Accessing Sun Documentation Online
Sun Welcomes Your Comments
 Product Features
Key Protocols and Interfaces
 Supported Cryptographic Protocols
Key Features
Supported Applications
 Diagnostic Support
Cryptographic Algorithm Acceleration
Supported Cryptographic Algorithms
Table 1 IPsec Cryptographic Algorithms
 Bulk Encryption
Table 3 Supported SSL Algorithms
# touch /etc/opt/SUNWconn/cryptov2/sslreg
# rm /etc/opt/SUNWconn/cryptov2/sslreg
 Hardware Overview
IPsec Hardware Acceleration
Table 4 Front Panel Display LEDs for the MMF Adapter
Sun Crypto Accelerator 4000 MMF Adapter
LED Displays
 Sun Crypto Accelerator 4000 UTP Adapter
Figure 2 Sun Crypto Accelerator 4000 UTP Adapter
Table 5 Front Panel Display LEDs for the UTP Adapter
 Dynamic Reconfiguration and High Availability
Load Sharing
 Hardware and Software Requirements
Required Patches
Apache Web Server Patch
Table 6 Hardware and Software Requirements
 There are currently no required Solaris 9 patches
Solaris 8 Patches
Solaris 9 Patches
 Installing the Sun Crypto Accelerator 4000 Board
Handling the Board
ok show-devs
Installing the Board
To Install the Hardware
ok cd /pci@8,600000/network@1
ok .properties
 # mount -F hsfs -o ro /dev/dsk/c0t6d0s2 /cdrom
Installing the Sun Crypto Accelerator 4000 Software
To Install the Software
 VCA Firmware
VCA Administration
Table 1 Files in the /cdrom/cdrom0 Directory
 Installing the Optional Packages
Install the required software packages by typing
# prtdiag
# modinfo | grep Crypto
 Directories and Files
Table 2 Sun Crypto Accelerator 4000 Directories
 Apache configuration support
Encrypted keys
Application executables
Development Application Support libraries
 Removing the Software
To Remove the Software
 Configuring Driver Parameters
 Driver Parameter Values and Definitions
Table 1 vca Driver Parameter, Status, and Descriptions
 Advertised Link Parameters
Table 2 Operational Mode Parameters
 Flow Control Parameters
Table 3 Read-Write Flow Control Keyword Descriptions
 Interpacket Gap Parameters
Gigabit Forced Mode Parameter
Table 4 Gigabit Forced Mode Parameter
Table 5 Parameters Defining enable-ipg0 and ipg0
 Interrupt Parameters
Random Early Drop Parameters
Table 7 describes the receive interrupt blanking values
Table 7 RX Blanking Register for Alias Read
When the FIFO threshold is greater than 6,144 bytes
 PCI Bus Interface Parameters
Table 9 PCI Bus Interface Parameters
 Setting vca Driver Parameters
Setting Parameters Using the ndd Utility
To Specify Device Instances for the ndd Utility
Use the instance number to select the device
 Noninteractive and Interactive Modes
The device remains selected until you change the selection
To modify a parameter value, use the -set option
# ndd -set /dev/vcaN parameter value
The ndd utility then prompts you for the name of the parameter
# ndd /dev/vcaN
 Setting Autonegotiation or Forced Mode
# ndd /dev/vca
# ndd -set /dev/vcaN adv-autoneg-cap
To Disable Autonegotiation Mode
Set the adv-autoneg-cap parameter to
 Setting Parameters Using the vca.conf File
To Set Driver Parameters Using a vca.conf File
Refer to the online manual pages for path_to_inst(4)
# grep vca /etc/driver_aliases
vca pci108e,3de8
Table 10 Device Path Name
 Example vca.conf File
The following is an example vca.conf file
Table 11 Local Link Network Device Parameters
ok boot net:speed=100,duplex=half
ok boot net:speed=1000,duplex=half,link-clock=master
ok boot net:speed=10,duplex=auto
ok boot net:speed=10
Cryptographic Driver Statistics
Refer to the IEEE 802.3 documentation for further details
Table 13 Ethernet Driver Statistics
Ethernet Driver Statistics
Table 13 describes the Ethernet driver statistics
Table 14 describes the transmit and receive MAC counters
Table 14 TX and RX MAC Counters
tx-underrun
Table 15 Current Ethernet Link Properties
Table 16 Read-Only vca Device Capabilities
Table 17 Read-Only Link Partner Capabilities
Reporting the Link Partner Capabilities
Table 17 describes the read-only link partner capabilities
Table 18 Driver-Specific Parameters
Ethernet Transmit Counters
 Ethernet Receive Counters
 # kstat vcaN
To Check Link Partner Settings
As superuser, type the kstat vcaN command
 Network Configuration
Configuring the Network Host Files
Locate the correct vca interfaces and instance numbers
The instance number in the previous example is
 # cat /etc/hosts
# Internet host table
localhost
zardoz loghost
zardoz-11
 Using vcaadm
$ PATH=$PATH:/opt/SUNWconn/bin
$ export PATH
Table 1 shows the options for the vcaadm utility
The vcaadm command-line syntax is
Modes of Operation
 Single-Command Mode
File Mode
$ vcaadm -s secofficer create user webadmin
$ vcaadm show user
 $ vcaadm -f deluser.scr -y
Interactive Mode
Logging In and Out With vcaadm
 Logging In to a Board With vcaadm
Logging In to a New Board
 Logging In to a Board With a Changed Remote Access Key
# vcaadm -h hostname
The vcaadm prompt in interactive mode is displayed as follows
Logging Out of a Board With vcaadm
The following table describes the vcaadm prompt variables
Table 2 vcaadm Prompt Variable Definitions
Table 3 connect Command Optional Parameters
vcaadm> connect host hostname dev vca2
Entering Commands With vcaadm
Getting Help for Commands
vcaadm{vcaN@hostname, secofficer}> set ?
 Quitting the vcaadm Program in Interactive Mode
Select FIPS 140-2 mode or non-FIPS mode
Create a keystore name Refer to Naming Requirements on
 Verify the configuration information
 Enter the path and password to the backup file
 Naming Requirements
Password Requirements
Managing Keystores With vcaadm
 Populating a Keystore With Security Officers
Setting the Password Requirements
5Password Requirement Settings
 Populating a Keystore With Users
 Changing Passwords
Listing Users and Security Officers
 To enable an account, enter the enable user command
Enabling or Disabling Users
 Backing Up the Master Key
Deleting Users
Deleting Security Officers
 Locking the Keystore to Prevent Backups
 Setting the Auto-Logout Time
Managing Boards With vcaadm
 Displaying Board Status
vcaadm{vcaN@hostname, secofficer}> show status
Board Status
 Resetting a Sun Crypto Accelerator 4000 Board
Loading New Firmware
 Rekeying a Sun Crypto Accelerator 4000 Board
Key Types
 Using the vcaadm diagnostics Command
Zeroizing a Sun Crypto Accelerator 4000 Board
The vcadiag command-line syntax is
vcaadm{vcaN@hostname, secofficer}> diagnostics
Table 1 shows the options for the vcadiag utility
The following is an example of the -D option
The following is an example of the -F option
# vcadiag -D vca0
The following is an example of the -K option
The following is an example of the -Q option
The following is an example of the -R option
The following is an example of the -Z option
 Administering Security for Sun ONE Web Servers
 Concepts and Terminology
 Tokens and Token Files
Token Files
The following is an example of the contents in a token file
Enabling and Disabling Bulk Encryption
Table 1 Passwords Required for Sun ONE Web Servers
Configuring Sun ONE Web Servers
Passwords
 Refer to Using vcaadm on
Populating a Keystore
To Populate a Keystore
Populate the board’s keystore with users
 Exit vcaadm
Create a user with the create user command
Overview for Enabling Sun ONE Web Servers
 To Install Sun ONE Web Server
Installing and Configuring Sun ONE Web Server
Installing Sun ONE Web Server
 Start the Sun ONE Web Server 4.1 Administration Server
The response provides the URL for connecting to your servers
To Create a Trust Database
Select OK
 # /opt/SUNWconn/bin/iplsslcfg
 To Generate a Server Certificate
Type 0 to quit
The Create Trust Database page is displayed
Table 2 Requestor Information Fields
This password is the username password (Table
Select the Cryptographic Module you want to use
 To Install the Server Certificate
 Configuring Sun ONE Web Server 4.1 for SSL
To Configure the Sun ONE Web Server
Fill out the form to install your certificate
Table 3 Fields for the Certificate to Install
The web server is now configured to run in secure mode
Set encryption to On
/usr/iplanet/servers
 # /usr/iplanet/servers/https-admserv/start
Start the Sun ONE Web Server 6.0 Administration Server
Create the trust database for the web server instance
 # /opt/SUNWconn/crypto/bin/iplsslcfg
 To Generate a Server Certificate
The Create Trust Database window is displayed
Table 4 Requestor Information Fields
 To Install the Server Certificate
 Configuring Sun ONE Web Server 6.0 for SSL
Table 5 Fields for the Certificate to Install
Select the OK button to apply these changes
 To Enable the Apache Web Server
Create an httpd configuration file
Enabling the Board for Apache Web Servers
Enabling Apache Web Servers
 Select 1 to configure your Apache Web Server to use SSL
Create an RSA keypair for your system
 Creating a Certificate
Choose a base name for the key material
Provide a key length between 512 and 2048 bits
Create your PEM pass phrase
 To Create a Certificate
 Modify the /etc/apache/httpd.conf file as directed
 Select 0 to quit when you finish with apsslcfg
 # /usr/apache/bin/apachectl start
Copy your certificate request with the headers from
Start the Apache Web Server
 Diagnostics and Troubleshooting
SunVTS Diagnostic Software
 # /opt/SUNWvts/bin/sunvts
To Perform vcatest
As superuser, start SunVTS
Table 2 describes the vcatest subtests
vcatest Command-Line Syntax
Test Parameter Options for vcatest
 To Perform netlbtest
 To Perform nettest
vcaN up inet ip-address plumb
 Using kstat to Determine Cryptographic Activity
# kstat vca0
Using the OpenBoot PROM FCode Self-Test
Performing the Ethernet FCode Self-Test Diagnostic
ok setenv auto-boot? false
Shut down the system
 Reset the system
Perform the self-test using the test command
ok reset-all
ok show-nets
Set the auto-boot? configuration parameter to true
Reset and reboot the system
Type the following
If the test passes, you see the following messages
 Troubleshooting the Sun Crypto Accelerator 4000 Board
show-devs
.properties
watch-net
 Connectors
Sun Crypto Accelerator 4000 MMF Adapter
Figure A-1 Sun Crypto Accelerator 4000 MMF Adapter Connector
Table A-1 SC Connector Link Characteristics (IEEE P802.3z)
 Power Requirements
Physical Dimensions
Performance Specifications
 Interface Specifications
Environmental Specifications
Table A-5 Interface Specifications
Table A-6 Environmental Specifications
Figure A-2 Sun Crypto Accelerator 4000 UTP Adapter Connector
Table A-7 Cat-5 Connector Link Characteristics
Table A-9 Performance Specifications
Table A-10 Power Requirements
Table A-11 Interface Specifications
Table A-12 Environmental Specifications
 SSL Configuration Directives for Apache Web Servers
Table B-1 SSL Protocols
The preceding statement is equivalent to
SSL Aliases
Table B-3 SSL Aliases
The default value of cipher-spec is
Table B-4 Special Characters to Configure Cipher Preference
Context: Global, virtual host
Table B-5 SSL Verify Client Levels
Table B-6 SSL Log Level Values
Options are listed and described in Table B-7
Table B-7 Available SSL Options
/opt/SUNWconn/cryptov2/include
 Software Licenses
Appendix D Software Licenses
OpenSSL License Issues
Third Party License Terms
Original SSLeay License
mod_ssl License
man -M /opt/SUNWconn/man
Table E-1 Sun Crypto Accelerator 4000 Online Manual Pages
The kcl2 device driver is a multithreaded loadable kernel module
 Zeroizing the Hardware
 Reconnect to Sun Crypto Accelerator 4000 board with vcaadm
 Frequently Asked Questions
 # chmod 400 password.conf
 Enter the following command
Reboot the system
Enter the following command at the OBP prompt
Boot the operating environment
 How Do I Self-Sign a Certificate for Testing?
 Advertised link parameters
Index
Extension
 Commands
 Failsafe mode
 Pause capability
vca driver
command-line syntax, test parameter options
rx-intr-pkts parameter
URL
vca.conf file, example
watch-net command, zeroize command, zeroizing the hardware