Manuals / Brands / Computer Equipment / Network Router / Sun Microsystems / Computer Equipment / Network Router

Sun Microsystems 4000 Key Features, Supported Applications, Supported Cryptographic Protocols

1 204

Download 204 pages, 1.65 Mb

2Sun Crypto Accelerator 4000 Board Installation and User’s Guide • May 2003

Key Features

■Gigabit Ethernet with either copper or fiber interface

■Accelerates IPsec and SSL cryptographic functions

■Session establishment rate: up to 4300 operations per second

■Bulk encryption rate: up to 800 Mbps

■Provides up to 2048-bit RSA encryption

■Delivers up to 10 times faster 3DES bulk data encryption

■Provides tamper-proof,centralized security key and certificate administration for

Sun ONE WebServer for increased security and simplified key management

■Designed for FIPS 140-2 Level 3 certification

■Low CPU utilization—frees up server system resource and bandwidth

■Secure private key storage and management

■Dynamic reconfiguration (DR) and redundancy/failover support on Sun’s

midframe and high-end servers

■Load balancing for RX packets among multiple CPUs

■Full flow control support (IEEE 802.3x)

The Sun Crypto Accelerator 4000 boards are designed to comply with the security

requirements for cryptographic modules as documented in the Federal Information

Processing Standard (FIPS) 140-2, Level 3.

Supported Applications

■Solaris 8 and 9 operating environments (IPsec VPN)

■Sun ONE WebServer

■Apache WebServer

Supported Cryptographic Protocols

The board supports the following protocols:

■IPsec for IPv4 and IPv6, including IKE

■SSLv2, SSLv3, TLSv1

The board accelerates the following IPsec functions:

■ESP (DES, 3DES) Encryption

The board accelerates the following SSL functions:

■Secure establishment of a set of cryptographic parameters and secret keys

between a client and a server

■Secure key storage on the board—keys are encrypted if they leave the board

Contents

Main Please Recycle Declaration of Conformity (Fiber MMF) EMC European Union Safety Supplementary Information Declaration of Conformity (Copper UTP) EMC European Union EN 60950:2000, 3rd Edition IEC 60950:2000, 3rd Edition Safety Supplementary Information EN 60950:2000, 3rd Edition IEC 60950:2000, 3rd Edition Page Regulatory Compliance Statements FCCClass A Notice Note: ShieldedCables: Modifications: Page Page Page Contents Page Page Page Page Page Page Page Tables Page Page Page Preface How This Book Is Organized Using UNIX Commands Typographic Conventions Shell Prompts AaBbCc123 Page Product Overview Product Features Key Protocols and Interfaces Key Features Supported Applications Supported Cryptographic Protocols Diagnostic Support Cryptographic Algorithm Acceleration Supported Cryptographic Algorithms SSL Acceleration Bulk Encryption Hardware Overview IPsec Hardware Acceleration Note Sun Crypto Accelerator 4000 MMF Adapter LED Displays See TABLE1-4. Sun Crypto Accelerator 4000 UTP Adapter LED Displays See TABLE1-5. Server 4.1 or 6.0 is mentioned. Note Dynamic Reconfiguration and High Availability Load Sharing Hardware and Software Requirements Required Patches Apache Web Server Patch Page Page Installing the Sun Crypto Accelerator 4000 Board Handling the Board Caution Installing the Board To Install the Hardware Page Installing the Sun Crypto Accelerator 4000 Software To Install the Software Note Installing the Optional Packages Directories and Files Note / / Removing the Software Caution To Remove the Software Caution Page Configuring Driver Parameters Sun Crypto Accelerator 4000 Ethernet Device Driver (vca) Parameters Caution Driver Parameter Values and Definitions Advertised Link Parameters Note Page Flow Control Parameters Gigabit Forced Mode Parameter Interpacket Gap Parameters Page Interrupt Parameters Random Early Drop Parameters Page PCI Bus Interface Parameters Setting vca Driver Parameters Setting Parameters Using the ndd Utility To Specify Device Instances for the ndd Utility Note Noninteractive and Interactive Modes Using the ndd Utility in Noninteractive Mode Using the ndd Utility in Interactive Mode (See TABLE3-1 through TABLE 3-9 for parameter descriptions.) Setting Autonegotiation or Forced Mode The following link parameters can be set to operate in either autonegotiation or forced mode: To Disable Autonegotiation Mode Note Setting Parameters Using the vca.conf File Caution To Set Driver Parameters Using a vca.conf File Setting Parameters for All Sun Crypto Accelerator 4000 vca Devices With the vca.conf File To Set Parameters for All Sun Crypto Accelerator 4000 vca Devices With the vca.conf File Example vca.conf File Enabling Autonegotiation or Forced Mode for Link Parameters With the OpenBoot PROM Caution Note Sun Crypto Accelerator 4000 Cryptographic and Ethernet Driver Operating Statistics Cryptographic Driver Statistics Ethernet Driver Statistics Page Page Page Reporting the Link Partner Capabilities Page Page To Check Link Partner Settings Note number should reflect the instance number of the board for which you arerunning the kstat command. Network Configuration Configuring the Network Host Files Note Page Page Administering the Sun Crypto Accelerator 4000 Board With the vcaadm and vcadiag Utilities Using vcaadm Note Modes of Operation Note Single-Command Mode Note File Mode Interactive Mode Logging In and Out With vcaadm Logging In to a Board With vcaadm Logging In to a New Board Note Logging In to a Board With a Changed Remote Access Key vcaadm Prompt Logging Out of a Board With vcaadm Example: Entering Commands With vcaadm Getting Help for Commands Quitting the vcaadm Program in Interactive Mode Initializing the Sun Crypto Accelerator 4000 Board With vcaadm To Initialize the Sun Crypto Accelerator 4000 Board With a New Keystore Note Initializing the Sun Crypto Accelerator 4000 Board to Use an Existing Keystore To Initialize the Sun Crypto Accelerator 4000 Board to Use an Existing Keystore Managing Keystores With vcaadm Note Naming Requirements Password Requirements Setting the Password Requirements Populating a Keystore With Security Officers Populating a Keystore With Users Caution Note Listing Users and Security Officers Changing Passwords Enabling or Disabling Users Note Deleting Users Deleting Security Officers Backing Up the Master Key Caution Locking the Keystore to Prevent Backups Caution Managing Boards With vcaadm Setting the Auto-Logout Time Displaying Board Status Determining if the Board is Operating in FIPS 140-2 Mode Loading New Firmware Resetting a Sun Crypto Accelerator 4000 Board Rekeying a Sun Crypto Accelerator 4000 Board Zeroizing a Sun Crypto Accelerator 4000 Board Note Using the vcaadm diagnostics Command Using vcadiag Note Page The following is an example of the -K option: The following is an example of the -Q option: The following is an example of the -Z option: The following is an example of the -R option: Page Configuring Sun ONE Server Software for Use With the Sun Crypto Accelerator 4000 Board Note Administering Security for Sun ONE Web Servers Note Concepts and Terminology Note Tokens and Token Files Example Token Files Note Enabling and Disabling Bulk Encryption Configuring Sun ONE WebServers Passwords Populating a Keystore Note To Populate a Keystore Caution Overview for Enabling Sun ONE Web Servers Caution Installing and Configuring Sun ONE Web Server 4.1 Installing Sun ONE Web Server 4.1 To Install Sun ONE WebServer 4.1 To Create a Trust Database Note To Generate a Server Certificate Page Note To Install the Server Certificate Configuring Sun ONE Web Server 4.1 for SSL To Configure the Sun ONE Web Server 4.1 Page Note Installing and Configuring Sun ONE Web Server 6.0 Installing Sun ONE Web Server 6.0 To Install Sun ONE WebServer 6.0 To Create a Trust Database Note Page To Generate a Server Certificate Page Note To Install the Server Certificate Configuring Sun ONE Web Server 6.0 for SSL To Configure the Sun ONE Web Server 6.0 Page Page Configuring Apache Web Servers for Use With the Sun Crypto Accelerator 4000 Board Caution Note Enabling the Board for Apache Web Servers Enabling Apache Web Servers To Enable the Apache WebServer Page Caution Creating a Certificate To Create a Certificate Note Page Page Diagnostics and Troubleshooting SunVTS Diagnostic Software Installing SunVTS netlbtest and nettest Support for the vca Driver Note Using SunVTS Software to Perform vcatest, nettest, and netlbtest Note To Perform vcatest Note Test Parameter Options for vcatest vcatest Command-Line Syntax To Perform netlbtest Note To Perform nettest Page Note Using kstat to Determine Cryptographic Activity Note Using the OpenBoot PROM FCode Self- Test Performing the Ethernet FCode Self-Test Diagnostic Page Note Troubleshooting the Sun Crypto Accelerator 4000 Board show-devs .properties watch-net Specifications Sun Crypto Accelerator 4000 MMF Adapter Connectors 136 Sun Crypto Accelerator 4000 Board Installation and Users Guide May 2003 TABLEA-1 lists the characteristics of the SC connector (850 nm). Operating range Up to 260 meters Up to 550 meters Physical Dimensions Performance Specifications Power Requirements Interface Specifications Environmental Specifications Sun Crypto Accelerator 4000 UTP Adapter Connectors Appendix A Specifications 139 TABLEA-7 lists the characteristics of the Cat-5 connector used by the Sun Crypto Accelerator 4000 UTP adapter. Operating range Up to 100 meters Physical Dimensions Performance Specifications Power Requirements Interface Specifications Environmental Specifications Page SSL Configuration Directives for Apache Web Servers Note Page Page Page Page Page Page Building Applications for Use With the Sun Crypto Accelerator 4000 Board Note Page Software Licenses Note Sun Microsystems, Inc. Binary Code License Agreement Page Sun Microsystems, Inc. Supplemental Termsfor Sun Crypto Accelerator 4000 Third Party License Terms OPENSSL LICENSE ISSUES OpenSSL License Original SSLeay License MOD_SSL LICENSE Page Page Manual Pages man -M /opt/SUNWconn/man page Page Zeroizing the Hardware Caution Note Zeroizing the Sun Crypto Accelerator 4000 Hardware to the Factory State Note Board With the Hardware Jumper Note Caution Page Frequently Asked Questions How Do I Configure the WebServer to Startup Without User Interaction on Reboot? To Create an Encrypted Key for Automatic Startup of Apache Web Servers on Reboot To Create an Encrypted Key for Automatic Startup of Sun ONE Web Servers on Reboot How Do I Assign Different MAC Addresses to Multiple Boards Installed in the Same Server? Page How Do I Self-Sign a Certificate for Testing? Index SYMBOLS NUMERICS A B C D E F G H I K L M N O P Q R S T U V