Sun Oracle Crypto Accelerator 6000 Board User Manual Download Page 60 | Manualshive

Page: 60 / 266

background image

38

Sun Crypto Accelerator 6000 Board User’s Guide for Version 1.1 • February 2013

scamgr

Secure Communication

The

scamgr

utility establishes an encrypted network connection (channel) between

the

scamgr

application and the Sun Crypto Accelerator 6000 firmware running on a

specific board. This point-to-point encrypted channel is not visible to any of the
other software components between

scamgr

and the device (for example, the

mca

device driver). This encrypted channel allows

scamgr

to run safely and securely

over the network. The key exchange is performed with RSA 1024-bit keys while the
bulk data is protected using AES-128. SHA1 HMACs provide data integrity for each
command data payload.

During setup of the encrypted channel, boards identify themselves by their
hardware serial ID address and an RSA public key. A trust database
(

$HOME/.sunw/sca/trustdb

) is created the first time

scamgr

connects to a board.

This file contains all of the boards that are currently trusted by the security officer.

When the firmware gives

scamgr

an RSA public key, a SHA-1 hash is taken on the

modulus. This action forms a key fingerprint that can be stored in a database in the
UNIX user's home directory. When a connection is made and an unrecognized key is
given to

scamgr

by the firmware,

scamgr

prompts the security officer to either

abort the connection, accept the key for this one session, or accept the key
permanently as a trusted key in the trust database. If a key to a previously trusted
card changes,

scamgr

offers the same choices except that when accepting the key as

a trusted key it overwrites the old key with the new one.

Note –

The Sun Crypto Accelerator 6000 board is preprogrammed with a unique

remote access key for connecting to an uninitialized board. The fingerprint for this
remote access key is printed on the board and must be verified when logging into a
board for the first time to ensure that a secure channel is established with the correct
board.

Initializing the Board With

scamgr

The first step in configuring a Sun Crypto Accelerator 6000 board is to initialize it.
There are two types of initialization. The first is board initialization and the second is
keystore initialization. When you first connect to an uninitialized board with

scamgr

, you are prompted to perform a board initialization, which creates a device

security officer (DSO) account. Once the board is initialized, you are prompted to
perform a keystore initiailiztion, which creates a keystore security officer (KSO)
account. For more information on DSOs and KSO, see

“Device and Keystore Security

Officers” on page 34

.

«
...
58
59
60
61
62
...
»

Summary of Contents for Crypto Accelerator 6000 Board

Page 1: ...Sun Crypto Accelerator 6000 Board Version 1 1 User s Guide Part No E39851 01 February 2013...

Page 2: ...i t intellectuelle Ils sont conc d s sous licence et soumis des restrictions d utilisation et de divulgation Sauf disposition de votre contrat de licence ou de la loi vous ne pouvez pas copier reprodu...

Page 3: ...se 2 Key Features 2 Financial Services Support 3 Supported Applications 3 Supported Cryptographic Protocols and Algorithms 3 Diagnostic Support 4 Cryptographic Algorithm Acceleration 4 Hardware Overvi...

Page 4: ...pt 19 Remove the Software With the remove Script on the CD ROM 19 For Oracle Solaris 11 Remove the Software With the remove Script 20 Installing the Software on Oracle Solaris Platforms Without the In...

Page 5: ...he scamgr Utility 34 Device and Keystore Security Officers 34 scamgr Syntax 35 scamgr Options 35 Modes of Operation 36 Interactive Mode 37 Single Command Mode 37 File Mode 37 scamgr Secure Communicati...

Page 6: ...ands 49 Getting Help for Commands 56 Managing Keystores With scamgr 57 Multiple Keystore Support 57 Naming Requirements 58 Password Requirements 59 Set the Password Requirements 59 Change Password Req...

Page 7: ...of Security Officers Required to Authenticate Multi Admin Commands 71 Set a Multi Admin Command Timeout 71 Enable Multi Admin Mode 72 Disable Multi Admin Mode 72 Add Additional Security Officers to th...

Page 8: ...s 92 Modify Service Configuration Parameters 93 Enabling Optional Cryptographic Algorithms 93 Enable the SHA 512 Algorithm 93 Enable the RC2 CBC Algorithm 94 Enable the Multi part MD5 Algorithm 94 Ena...

Page 9: ...Adding the Certificate to the Agent Entry in the Directory Server 110 Add the Certificate to the Agent Entry in the DS 110 Configuring the Board to Join a Centralized Keystore 112 Join a Previously C...

Page 10: ...s 127 Change the MFK 127 Key Management Functions 127 Generate Key Function fs_generate_key 128 Import Key Function fs_import_key 129 Export Key Function fs_export_key 130 Translate Key Function fs_tr...

Page 11: ...ng PKCS 11 Applications for Use With the Sun Crypto Accelerator 6000 Board 145 Board Administration 146 Slot Descriptions 147 Keystore Slot 147 Sun Metaslot 148 Configuring Sun Metaslot to Use the Sun...

Page 12: ...Keystore 162 Installing and Configuring Sun Java System Web Server 6 1 163 Install Sun Java System Web Server 6 1 164 Create a Trust Database 165 Register the Board With the Web Server 166 Generate a...

Page 13: ...g and Configuring Apache Web Server on Linux Platforms 192 Prepare OpenSSL Libraries 193 Compile Apache Web Server 194 Configure and Start Apache Web Server 194 9 Diagnostics and Troubleshooting 197 D...

Page 14: ...stall openCryptoki Software on RHEL5 208 Build and Install openCryptoki on RHEL4 Updates 208 Build and Install openCryptoki Software on SUSE10 SP1 Platforms 209 C Software Licenses 211 Third Party Lic...

Page 15: ...h the instructions may cause harmful interference to radio communications However there is no guarantee that interference will not occur in a particular installation If this equipment does cause harmf...

Page 16: ...xvi Sun Crypto Accelerator 6000 Board User s Guide for Version 1 1 February 2013...

Page 17: ...xvii BSMI Class A Notice The following statement is applicable to products shipped to Taiwan and marked as Class A on the product compliance label...

Page 18: ...xviii Sun Crypto Accelerator 6000 Board User s Guide for Version 1 1 February 2013...

Page 19: ...ers and Apache Web Servers IPsec SunVTS software certification authority acquisitions Note In this document these x86 related terms mean the following x86 refers to the larger family of 64 bit and 32...

Page 20: ...ation visit http www oracle com pls topic lookup ctx acc id info or visit http www oracle com pls topic lookup ctx acc id trs if you are hearing impaired Documentation Link All Oracle products http ww...

Page 21: ...Preface xxi...

Page 22: ...xxii Sun Crypto Accelerator 6000 Board User s Guide for Version 1 1 February 2013...

Page 23: ...security features and support for new Oracle Solaris OS on SPARC and x86 platforms and x86 AMD Opteron platforms running Linux The combination of a dedicated HSM advanced cryptographic security and se...

Page 24: ...as Sun Java System Server products Provides centralized keystore support enabling multiple machines to access a common key repository FIPS 140 2 Level 3 certification Low CPU utilization frees up serv...

Page 25: ...ata by performing the entire operation within the secure cryptographic boundary of the board Specialized key management capabilities and a new user library libfinsvcs so and associated application int...

Page 26: ...s Some cryptographic algorithms were designed specifically to be implemented in hardware others were designed to be implemented in software For hardware acceleration there is the additional cost of mo...

Page 27: ...re is a low profile half length 6 6 inches 1 67 64 mm by 2 54 inches 64 41 mm 8 lane PCI Express based HBA that enhances the performance of IPsec and SSL and provides robust security features FIGURE 1...

Page 28: ...ATIONAL and FAILSAFE states heart beat Red when board is in the HALTED fatal error state or when a low level hardware initialization failure occurs Flashing red if an error occurrs during the boot pro...

Page 29: ...port and a Point of Presence button Serial Port The six wire RJ 11 port connector enables direct input adminstration The port operates at a baud rate of 9600 8N1 The pinout specifications are describ...

Page 30: ...URE 1 3 RJ 11 Port Connector Pins USB Port The standard size USB connector enables you to back up and restore the on board keystore The port is USB 1 1 compliant and is compatible with standard USB ma...

Page 31: ...ns multiple Sun Crypto Accelerator 6000 boards can be installed within a system or domain to insure that hardware acceleration is continuously available In the unlikely event of a Sun Crypto Accelerat...

Page 32: ...nctionality with PKCS 11 OpenSSL and Java J2SE x86 AMD Opteron Platforms Running Linux The openCryptoki software interface is used in Linux environments to access the Sun Crypto Accelerator 6000 board...

Page 33: ...ge 18 Removing the Sun Crypto Accelerator 6000 Software on Oracle Solaris Platforms With the remove Script on page 19 Installing the Software on Oracle Solaris Platforms Without the Installation Scrip...

Page 34: ...damaging the sensitive components on the board wear an antistatic wrist strap when handling the board hold the board by its edges only and always place the board on an antistatic surface such as the p...

Page 35: ...nter the scanpci command from a terminal prtdiag IO Configuration IO Location Type Slot Path Name Model IOBD NET0 PCIE IOBD pci 780 pci 0 pci 1 network 0 network pciex8086 105e IOBD NET1 PCIE IOBD pci...

Page 36: ...d patches before installing the software In addition to the software provided on the product CD required software is provided at My Oracle Support http support oracle com For CD installations the inst...

Page 37: ...components SUNWscafsu Financial services usr SUNWscafsm Financial services manual pages SUNWscamga Administration client SUNWscamgm Administration manual pages SUNWscamgr Administration root SUNWscam...

Page 38: ...sun sca6000 man user documentation sun sca6000 var variable length files sun sca6000 libs supporting libraries sun nss Netscape Security Services libraries and tools sun nspr Netscape Portable Runtim...

Page 39: ...or Solaris 10 Install Optional Crypto IPsec Acceleration software To cancel installation of this software press q followed by a Return OR Press Return key to begin installation Installing Sun Crypto A...

Page 40: ...LE 2 2 Sun Crypto Accelerator 6000 Directories and Files for Solaris Platforms Directory Contents kernel drv Driver configuration files kernel drv sparcv9 64 bit SPARC drivers kernel drv amd64 64 bit...

Page 41: ...ipt If you used the install script to install the software use the remove script on the CD ROM to remove the software If you installed the software without the install script see Removing the Software...

Page 42: ...cafsu SUNWscafsm SUNWmcau SUNWmcar SUNWmcamn SUNWmcafw SUNWmcact To cancel removal of this software press q followed by a Return OR Press Return key to begin package removal Found the following packag...

Page 43: ...ed on the product CD required software is provided at My Oracle Support http support oracle com Install the Software Without the install Script 1 If installing from a CD insert the Sun Crypto Accelera...

Page 44: ...camn SUNWmcar SUNWmcau SUNWscafsm SUNWscafsu SUNWscamga SUNWscamgm SUNWscamgr SUNWscamgu system SUNWmcact Sun Crypto Accelerator 6000 Activation File system SUNWmcafw Sun Crypto Accelerator 6000 Firmw...

Page 45: ...ores With scamgr on page 57 you must delete the keystore information that the Sun Crypto Accelerator 6000 board is configured with before removing the software The zeroize command removes all key mate...

Page 46: ...n this order could result in dependency warnings and leave kernel modules loaded For Solaris 10 if you installed all the packages you would remove them as follows For Solaris 11 if you installed all t...

Page 47: ...ypto Accelerator 6000 CD into a CD ROM drive that is connected to your system and enter the following command lspci Network and computing encryption device Sun Microsystems Computer Corp Unknown devic...

Page 48: ...m sun sca6000 libs 1 1 1 x86_64 rpm sun sca6000 man 1 1 1 x86_64 rpm sun sca6000 var 1 1 1 x86_64 rpm Install the Software Without the install Script 1 If it is not already on the system install the N...

Page 49: ...ts etc init d Start and stop scripts links etc rc5 d Service configuration files etc opt sun sca6000 Daemon configuration files opt sun sca6000 bin Application executables drivers and the scamgr utili...

Page 50: ...rypto Accelerator 6000 Software on Linux Platforms Removing the Sun Crypto Accelerator 6000 Software With the remove Script All applications such as Sun Java System and Apache Web Servers that are usi...

Page 51: ...the following packages to remove sun sca6000 firmware 1 1 1 sun sca6000 man 1 1 1 sun sca6000 1 1 1 sun sca6000 libs 1 1 1 sun sca6000 config 1 1 1 sun sca6000 var 1 1 1 sun sca6000 admin 1 1 1 Removi...

Page 52: ...archive the correct keystore directory and configuration file The keystore name and ID are shown in the filename for the conf file and the corresponding directory For example if the keystore name is k...

Page 53: ...load the 1 0 software components 8 Apply any 1 0 software and firmware patches that are necessary Refer to the Sun Crypto Accelerator 6000 Board Product Notes for Version 1 1 819 5537 at http docs ora...

Page 54: ...32 Sun Crypto Accelerator 6000 Board User s Guide for Version 1 1 February 2013...

Page 55: ...ollowing sections Using the scamgr Utility on page 34 Authentication and Logging In and Out With scamgr on page 43 Entering Commands With scamgr on page 48 Initializing the Board With scamgr on page 3...

Page 56: ...ccounts The default behavior for scamgr is to log in as a KSO To log in as a DSO you must sun scamgr with the D command line option If you have already started an scamgr session but are logged out fro...

Page 57: ...For example in the C shell the command is changed to scamgr scamgr Options TABLE 3 1 shows the options for the scamgr utility TABLE 3 1 scamgr Options Option Meaning Displays help files for scamgr com...

Page 58: ...mode you are using h hostname Connects to the board on hostname The value for hostname can be a host name or an IP address and defaults to the loopback address localhost k keystorename Logs into the s...

Page 59: ...ommand mode you specify the command to be run after all the command line switches are specified For example in Single Command mode the following command would show all the users in a given keystore an...

Page 60: ...connection is made and an unrecognized key is given to scamgr by the firmware scamgr prompts the security officer to either abort the connection accept the key for this one session or accept the key p...

Page 61: ...successful board initialization a new remote access key is created This new key is used to secure communications when new keystores are initialized and administered Perform a Board Initialization 1 Se...

Page 62: ...ng Keystore on page 42 The scamgr utility prompts for the backup file location and uploads the file to the board as part of the keystore initialization process This option can be used to recover a key...

Page 63: ...up file You must first create a backup file of an existing board configuration before performing this procedure Creating and restoring a backup file requires a password to encrypt and decrypt the data...

Page 64: ...d keystore name serial number keystore id Perform a Keystore Initialization and Use an Existing Keystore 1 Initialize the board with the scamgr command If the board is installed locally enter scamgr a...

Page 65: ...tity based A valid security officer name and password must exist in the card s keystore before access is granted When you use scamgr from the command line and specify host port and device using the h...

Page 66: ...with the Interactive mode of scamgr TABLE 3 2 scamgr Prompt Variable Definitions Prompt Variable Definition mcaN mca is a string that represents the Sun Crypto Accelerator 6000 board N is the device i...

Page 67: ...access key you must use scamgr to change the entry corresponding to the board in the trust database scamgr h hostname Warning Serial ID and Public Key Not Found The Serial ID and public key presented...

Page 68: ...mgr h hostname Warning Public Key Conflict The public key presented by the board you are connecting to is different than the public key that is trusted for this Serial ID Serial ID 36 30 30 30 30 33 N...

Page 69: ...ator 6000 firmware to renegotiate new session keys to protect the administrative data that is sent scamgr mcaN hostname sec officer logout scamgr connect host hostname dev mca2 Security Officer Login...

Page 70: ...ommands The scamgr utility has a command language that must be used to interact with the Sun Crypto Accelerator 6000 board You enter commands using all or part of a command enough to uniquely identify...

Page 71: ...e Successful backups increment the backup counter by one see show status If Multi Admin mode is enabled when this command is entered it requires authentication by multiple security officers with the M...

Page 72: ...ed to confirm it delete keystore KSO only Ensure that you create a full keystore backup if you want to be able to restore a keystore before deleting it see the backup keystore command This command del...

Page 73: ...keystore creation functions on the board With this setting disabled no new keystores can be created disable user username KSO only Disable the user named username in the keystore A disabled user cann...

Page 74: ...through the rekey command are automatically locked and cannot be backed up Once set a locked master key cannot be unset If the master key is locked by a DSO a board zeroize is required to clear it If...

Page 75: ...mum admin role sec officers This command sets the quorum of security officers required for the successful completion of a Multi Admin mode command This value must be at least 2 and less than or equal...

Page 76: ...splays the current keystore audit log Audit logs are displayed to standard out by default but can be sent to the file outfile using the path option keyword The number of log messages displayed can be...

Page 77: ...d requires a quorum of security officers with the Multi Admin role to authenticate if Multi Admin mode is enabled zeroize DSO only Cleans the board of all security parameters and returns the board to...

Page 78: ...c officer create user Usage create user username scamgr mcaN hostname sec officer set Sub Command Description lock Lock master key Prevents key backup multiadmin Configure Multi Admin mode passreq Set...

Page 79: ...a repository for key material Associated with a keystore are keystore security officers KSOs and users Keystores not only provide storage but a means for key objects to be owned by user accounts This...

Page 80: ...lectively work with the same keystore to provide additional performance and fault tolerance Naming Requirements Security officer names user names and keystore names must meet the following requirement...

Page 81: ...nts for a Sun Crypto Accelerator 6000 board to high TABLE 3 6 Password Requirement Settings Password Setting Requirements low Does not require any password restrictions This is the default while the b...

Page 82: ...documentation for details Managing Security Officers and Users This section describes how to populate keystores and how to list enable disable and delete security officers and users Populate a Keystor...

Page 83: ...meter on the command line If the user name is omitted scamgr prompts you for the user name See Naming Requirements on page 58 For example Users must use this password when authenticating during a web...

Page 84: ...on page 77 for details List Users You can list users associated with a keystore 1 Start the scamgr utility 2 Type the show user command For example List Security Officers You can list security office...

Page 85: ...name When enabling or disabling a user the user name is an optional parameter on the command line If the user name is omitted scamgr prompts you for the user name For example Enable Users 1 Start the...

Page 86: ...ypes of backups that can be performed with the board Device Configuration Master Key and Keystore Back Up a Device Configuration This type of backup saves the global device configuration including FIP...

Page 87: ...oard to use an existing keystore the master key for that keystore must be loaded to that board using a master key backup file Only the keystore security officer can backup a master key 1 Start the sca...

Page 88: ...me serial number keystore id conf The second and third files are the user db and object db files which are located in the subdirectory under the top level keystore directory named keystore name serial...

Page 89: ...keystore directory var sca keydata by default If keystore files for a keystore with the same name as the keystore backup already exist in the keystore directory the backup will not be allowed A keyst...

Page 90: ...ult back to the disabled state until it is re enabled by a KSO 1 Start the scamgr utility 2 Type lock keystore For example Enable a Locked Keystore To Enable Access After a reset or power cycle a keys...

Page 91: ...t from 1 to 15 minutes must be set at or before Multi Admin mode is enabled See Set a Multi Admin Command Timeout on page 71 for more information Also security officers must set the number of Multi Ad...

Page 92: ...um number set with the set multiadmin minauth command See Set the Minimum Number of Security Officers Required to Authenticate Multi Admin Commands on page 71 If the number of Multi Admin role members...

Page 93: ...utility 2 Type set multiadmin minauth minimum role members The minimum role members value must be at least two and less than or equal to the total number of security officers on the system In additio...

Page 94: ...cessfully When this command is executed the security officer is presented with the current Multi Admin mode settings and is given the opportunity to change these settings before the command completes...

Page 95: ...equires the authorization of three different security officers including the initiating security officer to authenticate before this command can complete Execute the following command on the initiatin...

Page 96: ...is currently in progress You are a member of the Multi Admin role and may approve this command Command enable authmember sec officer4 Initiating SO sec officer1 Authorize this command Y Yes N No No y...

Page 97: ...command you have the option of cancelling it If you choose not to cancel the command you will be logged out and the board will continue with the command Cancel this command Y Yes N No No y Authorizat...

Page 98: ...2 Type a command as a security officer without Multi Admin role permissions The command fails For example scamgr Security Officer Login new sec officer Security Officer Password You have authenticated...

Page 99: ...r locally with a direct input device see Direct Board Administration on page 82 Set the Auto Logout Time 1 Start the scamgr utility by logging in as a DSO 2 Type set timeout N where N is the number of...

Page 100: ...s are added 1 Start the scamgr utility by logging in as a DSO 2 Type load firmware path name where path name is the path to the firmware file scamgr mcaN hostname sec officer show status Board Status...

Page 101: ...u must reconnect to the device by logging back into scamgr if you want to continue administering it 1 Start the scamgr utility by logging in as a DSO 2 Type reset 3 Type y to proceed type n to cancel...

Page 102: ...f three key types when issuing the rekey command The following is an example of entering a key type of all with the rekey command 4 Backup the master key to enable disaster recovery see Back Up a Mast...

Page 103: ...and For example Use the scamgr diagnostics Command Diagnostics can be performed from the scamgr utility and from the SunVTS software The diagnostics command in scamgr covers three major categories in...

Page 104: ...The following commands are not supported on the direct interface reset zeroize load firmware There are also additional commands supported on the local interface that are not available when connecting...

Page 105: ...evices on page 7 for details on the USB port and the suggested USB backup device Using the backup command through a local interface works the same as accessing scamgr remotely unless the board is in F...

Page 106: ...e them to reenter the required UWK components Since the board is in an uninitialized state each security officer need not authenticate to the board before entering a component The following example sh...

Page 107: ...x described in TABLE 3 8 for both the Oracle Solaris OS and Linux is as follows scadiag scadiag b bootstrap fw mcaN scadiag d mcaN scadiag f mcaN scadiag k mcaN scadiag l mcaN device name is optional...

Page 108: ...ad the operation must not be interrupted or the board could be rendered inoperable d mcaN Performs diagnostics on the board f mcaN Displays the public key fingerprint used by the board for secure remo...

Page 109: ...e device cannot be accessed from an application Regardless of which mode is set you can always manage the board with the scadiag and scamgr commands s mcaN Checks device status for possible DR This op...

Page 110: ...392c 1c8f 5cc6 ec61 e617 1b7f 4ded 71b0 scadiag k mca0 Device mca0 Key Length 1024 bits Key Fingerprint b605 c285 392c 1c8f 5cc6 ec61 e617 1b7f 4ded 71b0 Modulus e4df259c 4725367a 3070ddff d78c4225 b...

Page 111: ...w in diagnostic mode scadiag l mca0 Device mca0 State Diag Status Initialized scadiag r mca0 Resetting device mca0 this may take a minute Please be patient Device mca0 reset ok scadiag s mca0 Device m...

Page 112: ...ility and the firmware The scakiod service performs keystore I O services The Fault Management Resouce Identifiers FMRIs for these services are svc device scad and svc device scakiod Start and Stop th...

Page 113: ...trative data between clients and the service The value is in seconds and the default is to 300 seconds five minutes maxdata Sets a limit on the amount of data a client can send to the card in a single...

Page 114: ...l fs restart_on astring none fs type astring service start method start exec astring usr lib crypto scakiod start group astring default start limit_privileges astring default start privileges astring...

Page 115: ...ti part MD5 Multi part SHA1 Multi part SHA512 HMAC MD5 or SHA1 Enable these algorithms as needed by adding entries to kernel drv mca conf file One example for enabling certain algorithms is to use the...

Page 116: ...Add enable multi part sha1 1 to the kernel drv mca conf file Enable the Multi part SHA512 Algorithm Add enable multi part sha512 1 to the kernel drv mca conf file Enable the HMAC MD5 or SHA1 Algorith...

Page 117: ...board must be stopped and restarted after initialization or a zeroize Stop the Board on a Linux Platform 1 Type Start the Board on a Linux Platform 1 Type scadiag Program The scadiag program is instal...

Page 118: ...96 Sun Crypto Accelerator 6000 Board User s Guide for Version 1 1 February 2013...

Page 119: ...ions Centralized Keystore Overview on page 97 Configuring Centralized Keystores on page 99 Troubleshooting CKS Issues on page 114 Centralized Keystore Overview The centralized keystore CKS feature req...

Page 120: ...service authenticates to the directory under a specific distinguished name DN called an agent name Each system must have a unique agent DN and an agent object with its authentication credentials These...

Page 121: ...Directory Server to support centralized keystores This utility is located at usr sbin scakscfg Oracle Solaris or at opt sun sca6000 sbin scakscfg Linux The command line usage for scakscfg is as follow...

Page 122: ...tion credentials or both b cks dn Base object under which the CKS infrastructure is created This device does not need to be a root node in a directory server The device can exist anywhere under the ro...

Page 123: ...ry Manager h iplds config Bind password for cn Directory Manager modifying entry cn schema modifying entry cn userRoot cn ldbm database cn plugins cn config adding new entry ou scakeystore o SUN c US...

Page 124: ...added as follows svccfg s scakiod setprop config serverlist astring uri1 uri2 urin On Linux systems uncomment the ServerList directive and the URI provided Multiple LDAP servers can be specified using...

Page 125: ...irectory If SSL is not configured this property is ignored and does not need to be set The default value is var sca private for Oracle Solaris systems and var opt sun sca6000 private on Linux certname...

Page 126: ...ldap centks svccfg s scakiod setprop config binddn cn agent1 ou Agents ou scakeystore o SUN c US svccfg s scakiod setprop config basedn o SUN c US svccfg s scakiod listprop grep config config applicat...

Page 127: ...irectory servers using SSL To enable this communication an NSS certificate database must be configured The CA certificate that signs the directory server SSL certificate must be imported into that dat...

Page 128: ...or Linux use the var opt sun sca6000 private path instead of var sca private Note certname is a friendly name for the CA certificate certpath is the path to the actual certificate file Use the a optio...

Page 129: ...it requires not only the previous steps for basic SSL configuration This method also requires that you obtain a digital certificate for the scakiod service and that the CA that signs that certificate...

Page 130: ...BINDDN g 1024 a o var sca private certreq pem Enter Password or Pin for NSS Certificate DB A random seed must be generated that will be used in the creation of your key One of the easiest ways to crea...

Page 131: ...ert pem 7 If the issued certificate is in ASCII encoded form convert it to binary form as follows 8 Install the resulting certificate and the CA certificate into the NSS certificate database with cert...

Page 132: ...te Adding the Certificate to the Agent Entry in the Directory Server You must add the certificate to the agent entry in the directory server If the agent entry does not exist in the DS use the scakscf...

Page 133: ...nf file for Sun directory servers contains a default mapping and zero or more additional mappings tied to the issuer DN for certificates used in authentication If the default rule cannot be used you m...

Page 134: ...hods across all your servers if possible 2 Use the scamgr utility to log into the keystore and export the master key Join an Unconfigured Board to a Centralized Keystore 1 If the board is uninitialize...

Page 135: ...d previously scamgr h target host Select Keystore 1 Create new keystore 2 Load keystore from backup Selection 0 to exit 2 Enter the path to the backup file path to backup Password for restore file Loa...

Page 136: ...IRECTIVE VALUE Directives should be one per line and if two directives with the same name are found in the configuration file the last one will be the one used The only exception to this is the HostBi...

Page 137: ...LDAP servers where centralized keystores are hosted Entries in this property should be in the form of an LDAP URL proto server port Where proto is either ldap or ldaps server is a hostname fully quali...

Page 138: ...ficate are stored on an external device then the value should be the PKCS 11 token name followed by a colon followed by the friendly name certname server cert The passfile property defines the locatio...

Page 139: ...ig subcommand Failed Binding to Server Possible causes The value for the binddn property is incorrect The agent entry has not been created using scakscfg using the makeagent subcommand Sep 18 09 33 09...

Page 140: ...directory referenced by the certdb property are not readable to the UNIX user daemon The certificate database files have not been created in the directory referenced by the certdb property Sep 18 12...

Page 141: ...this new functionality Basic familiarity with PIN and credit card processing and the associated standards is assumed The following sections are included Financial Service Components Overview on page 1...

Page 142: ...ibrary libfinsvcs so and associated application interfaces are provided to support this feature Data types referenced in this chapter are defined in the opt SUNWsca include finsvcs h header file which...

Page 143: ...components comprise the Sun Crypto Accelerator 6000 board financial services functionality Key management PIN processing Card processing These core components are described in the following sections F...

Page 144: ...e fs_lib_open function Library Shutdown Function fs_lib_close Applications can close the financial services library services when the services are no longer required fsLibHandle_t fs_lib_open char tok...

Page 145: ...dle is returned and must then be used for all financial service requests for that specific session The syntax for the fs_session_open function is as follows TABLE 5 5 lists the parameters for the fs_s...

Page 146: ...n_close function TABLE 5 8 lists the return values for the fs_session_close function Financial Services Data Types The financial services API requires the use of new data types defined in the finsvcs...

Page 147: ...ollowing types of financial keys are supported Master file key MFK The Sun Crypto Accelerator 6000 board is a dedicated hardware security module HSM The MFK never leaves the secure HSM and encrypts ot...

Page 148: ...his extra security step is required to meet the following key management requirements Split knowledge No single user can know the entire key Dual control The component and a valid user name and passwo...

Page 149: ...matically by an application to retrieve the desired KEK Type the following command Change the MFK Financial applications require their keys be encrypted using the MFK Thus changing the MFK is a comple...

Page 150: ...erated these keys are encrypted by the MFK and returned in the user provided buffer upon success The syntax for the fs_generate_key function is as follows TABLE 5 9 lists the parameters for the fs_gen...

Page 151: ...dState Device not in proper state to handle command fsReturn_t fs_import_key fsSessHandle _t handle fsKeyUsage_t usage fsKey_t KEK fsKey917_t iKey fsKey_t oKey BOOLEAN useVariants TABLE 5 11 fs_import...

Page 152: ...arameters for the fs_export_key function TABLE 5 12 fs_import_key Function Return Values Return Value Description fsOK The oKey is filled in for this case if the key is successfully imported fsInvalid...

Page 153: ...Function Return Values Return Value Description fsOK The oKey is filled in for this case if key successfully exported fsInvalidKeyType Export key type invalid fsInvalidKeyUsage Key usage type invalid...

Page 154: ...cate the object The syntax for the fs_retrieve_object function is as follows TABLE 5 17 lists the parameters for the fs_retrieve_object function TABLE 5 16 fs_translate_key Function Return Values Retu...

Page 155: ...anslations are done in this mode The syntax for the fs_status function is as follows The parameter for the fs_status function is as follows status Status buffer PIN Processing Functions The Sun Crypto...

Page 156: ...account number field hexadecimal characters are defined in TABLE 5 20 C N P P P P P F P F P F P F P F P F P F P F F F TABLE 5 19 ANSI ISO Format 0 Cleartext PIN Hexadecimal Characters Field Name Value...

Page 157: ...ssuer or a designated agent provides a PIN verification service PVS This service compares the cardholder s PIN to a cryptographic transformation of the PIN The PVV method is a two step process 1 When...

Page 158: ...IN The PIN verification key PVK used in the PIN calculation algorithm and encrypted with the MFK Validation information for identifing the customer which is typically the customer s account number Che...

Page 159: ...fication Visa PVV and IBM 3624 Additionally the board supports two types of PIN block formats ANSI ISO Format 0 and ISO Format 1 The syntax for the fs_pin_verify function is as follows TABLE 5 22 list...

Page 160: ...ction to the credit card issuing bank the PAN Personal account number iPIN Encrypted input PIN data PIN algorithm specific data For Visa PVV data consists of PVKI Reference PVV For IBM 3624 data consi...

Page 161: ...IN fPIN_t oPIN fsPAN_t PAN TABLE 5 24 fs_pin_translate Function Parameters Parameter Description handle Session handle returned by the fs_session_open function iPEK Input PEK used to encrypt the PIN t...

Page 162: ...3 The fs_card_verify function provides credit card processing operations for the board s financial services API Verification for Visa MasterCard and American Express credit cards is supported The fs_...

Page 163: ...ossible errors and their meanings fsInvalidHandle The session handle provided by handle is not valid fsVerifyFail The card verification failed fsInvalidCVK The CVK is corrupt or invalid fsInvalidState...

Page 164: ...ultiple FSSOs per board to authenticate commands a security officer must enable Multi Admin mode which is described in Multi Admin Authentication on page 69 Direct Input Device A direct input device i...

Page 165: ...length enable mfk Activates a new MFK and deletes the old one Use this command after all applications have translated their keys under the new MFK cancel mfk Cancels the MFK Must be initiated before...

Page 166: ...load decimalization table Loads a decimalization table which is required for IBM 3624 PIN verification You are prompted for a label to associate with the decimalization table The entered decimalizatio...

Page 167: ...ction This chapter includes the following sections Board Administration on page 146 Slot Descriptions on page 147 PKCS 11 and FIPS Mode on page 151 Developing Applications to Use PKCS 11 on page 152 D...

Page 168: ...r utility See Chapter 3 When a keystore is first initialized scamgr prompts you to set up a keystore security officer KSO account This keystore security officer is not related to the PKCS 11 security...

Page 169: ...slot The Hardware slot is bound to and dedicated to a hardware device These slots are directly accessible when the device is uninitialized or when it is in diagnostic mode There should be three Hardwa...

Page 170: ...lots including the Oracle Solaris software implementation for the mechanisms not supported by the board The Sun Metaslot also supports failover For more details please refer to the Sun Metaslot docume...

Page 171: ...the auto key migration is disabled sensitive token keys are not automatically migrated to other slots With this configuration if an operation with a sensitive token key fails on the Sun Crypto Accele...

Page 172: ...n keys only The CA Hardware slot accelerates asymmetric operations such as RSA DSA and DH The OM Hardware slot allows key management operations such as key generation and key creation However the keys...

Page 173: ...rd itself All keys and critical security parameters cross the PCI bus in encrypted form Certain additional integrity checks are done at startup and when keys and random numbers are generated Random nu...

Page 174: ...he PKCS 11 administrative functions C_InitToken and C_InitPin are not implemented The C_Login function with the CKU_SO security officer flag is rejected Token Objects In PKCS 11 public token objects a...

Page 175: ...for the hash operations CKM_SHA_1 and CKM_MD5 are not available from the user level of the PKCS 11 application However those mechanisms are available for the kernel consumers such as IPsec The tokens...

Page 176: ...se CKA_APPLICATION empty string CKA_ATTR_TYPES empty string CKA_AUTH_PIN_FLAGS false CKA_DECRYPT true not enforced CKA_DERIVE false not enforced CKA_ENCRYPT true not enforced CKA_END_DATE empty string...

Page 177: ...ftware will not return an error code The inconsistent attribute CKA_VALUE_LENGTH is simply ignored by the software Software Error Codes The error codes returned by the software are not always as speci...

Page 178: ...Applications for Use With the Sun Crypto Accelerator 6000 Board on Linux Platforms The openCryptoki software is used as the PKCS 11 framework See Appendix B for details on openCryptoki software If th...

Page 179: ...Java System Web Server 6 1 on page 163 Installing and Configuring Sun Java System Web Server 7 0 Update 1 on page 173 Installing and Configuring Sun Java System Web Server on Linux Platforms on page...

Page 180: ...S 11 interface such as the Sun Java System Applications Note The Apache Web Server Chapter 8 does not use the keystore or user account features described in this chapter Users Within the context of th...

Page 181: ...ticate and access specific keys Security officer accounts Accounts that provide access to key management functions through scamgr Note A single Sun Crypto Accelerator 6000 board must have exactly one...

Page 182: ...Chapter 6 there are four kinds of slots presented through the Oracle Solaris Cryptographic Framework s PKCS 11 interface PKCS 11 application PKCS 11 layer Firmware PKCS 11 token sca4000 ks 1 PKCS 11 t...

Page 183: ...ormance and fault tolerance Example If there are two boards mca0 and mca1 each is assigned a keystore name engineering and finance three slots are presented to the Sun Java System application engineer...

Page 184: ...LE 7 1 Passwords Required for Sun Java System Web Servers Type of Password Description Sun Java System Web Server Administration Server Required to start up the Sun Java System Web Server Administrati...

Page 185: ...his password users cannot access their keys There is no way to retrieve a lost password 4 Exit scamgr Installing and Configuring Sun Java System Web Server 6 1 This section describes how to install an...

Page 186: ...ion directory and extract the web server software 3 Install the web server with the setup script from the command line The default path name for the server is opt SUNWwbsvr This chapter refers to the...

Page 187: ...a System Web Server 6 1 Administration Server window is displayed 4 Create the trust database for the web server instance You might want to enable security on more than one web server instance If so r...

Page 188: ...database of the Sun Java System Web Server using the modutil utility Note modutil is a utility developed by Mozilla and is available with the Sun Java System distribution By default the modutil is loc...

Page 189: ...System Web Server setup enter admin for the user ID or the Sun Java System Web Server 6 1 Administration Server user name 3 Click OK The Sun Java System Web Server 6 1 Administration Server window is...

Page 190: ...t using the following information a Select a New Certificate If you can directly post your certificate request to a web capable certificate authority or registration authority select the CA URL link O...

Page 191: ...our certificate authority 10 Once the certificate is generated copy it along with the headers to the clipboard Note The certificate is different from the certificate request and is usually presented t...

Page 192: ...authority and a certificate has been issued you must install the certificate in the Sun Java System Web Server 1 Click the Security tab near the top of the Sun Java System Web Server 6 1 Server Manag...

Page 193: ...the web server for SSL Enable the Web Server for SSL 1 Select the Preferences tab near the top of the page 2 Select the Edit Listen Sockets link on the left panel The main panel lists all the listen...

Page 194: ...his keystore user is the user that is authenticated with the username password 7 When you have chosen a certificate and confirmed all the security settings click OK 8 Select the Apply link in the far...

Page 195: ...more information about installing and using Sun Java System Web Servers This section includes the following procedures 1 Install Sun Java System Web Server 7 0 on page 174 2 Register the Board With th...

Page 196: ...web server with the setup script from the command line The default path name for the server is sun webserver7 This chapter refers to the default path If you decide to install the software in a differ...

Page 197: ...name and password you selected while running setup Note If you used the default settings during Sun Java System Web Server setup enter admin for the User ID or the Sun Java System Web Server 7 0 Admin...

Page 198: ...be used A new window pops up 6 Uncheck the Token State box that is disable the token 7 Click OK You can also pre set the password for tokens so that the Sun Java System Web Server can start up without...

Page 199: ...and select Request Server Certificate under Configuration Tasks A new window pops up 2 Select a server from the scroll down menu and click the Next button 3 Select a token you would like to use from t...

Page 200: ...for Step 4 of Install the Server Certificate on page 178 Install the Server Certificate Once your request has been approved by a certificate authority and a certificate has been issued you must insta...

Page 201: ...r Certificate on page 177 into the Certificate Data text box Click Next 5 Type the nickname of the certificate and click Next In this example Server Cert is used FIGURE 7 5 Screenshot of the Sun Java...

Page 202: ...s displayed The nickname is in the form token name Certificate Nickname Deploy the Change Whenever you make a change to a server instance the change is temporarily made to the copy of the server insta...

Page 203: ...deploy the new configuration 3 Ensure that the deployment was successful and close the window Now that your web server and the Server Certificate are installed you must enable the web server for SSL...

Page 204: ...Version 1 1 February 2013 4 Click the Apply button 5 Click SSL tab at the top of the window 6 Alter the following fields SSL choose Enabled Certificate choose the certificate you installed The certif...

Page 205: ...un Java System Server Software 183 FIGURE 7 7 Screenshot of the Sun Java Web Server Edit HTTP Listener SSL Settings 7 Click the Apply button and close the window Note Ensure to deploy the change after...

Page 206: ...with Red Hat Enterprise Linux 4 0 Both RHEL 4 0 and SuSE 9 are supported with the Sun Java Web Server software The installation and configuration of Sun Java System Web Server on Linux is similar to t...

Page 207: ...so Manufacturer IBM Description Meta PKCS11 LIBRARY PKCS 11 Version 2 11 Library Version 2 2 Cipher Enable Flags None Default Mechanism Flags None Slot Linux 2 6 5 7 139 smp Linux SCA Slot Mechanism F...

Page 208: ...n on Reboot You can enable the Sun Java System Web Servers to perform an unattended startup at reboot with an encrypted key Create an Encrypted Key for Automatic Startup of Sun Java System Web Servers...

Page 209: ...es TABLE 7 1 for password definitions 3 Set the file ownership of the password file to the UNIX user ID that the web server runs as and set the file permissions to be readable only by the owner of the...

Page 210: ...188 Sun Crypto Accelerator 6000 Board User s Guide for Version 1 1 February 2013...

Page 211: ...ver on Linux Platforms on page 192 Installing and Configuring Apache Web Server on Oracle Solaris Platforms This section provides instructions specific to Oracle Solaris platforms Create a Private Key...

Page 212: ...Verifying password Enter PEM pass phrase openssl req new key usr local apache2 conf server key out crtreq csr TABLE 8 1 Certificate Field Descriptions Certificate Field Description Country Name The tw...

Page 213: ...to Step 4 If you do not have a private key and certificate go to Create a Private Key and Certificate on page 189 Enter PEM pass phrase You are about to be asked to enter information that will be inc...

Page 214: ...ing to the following URL Note The default port is 443 9 Verify that the Sun Crypto Accelerator 6000 board is being used Verify that the rsaprivate field is being incremented in the statistics Installi...

Page 215: ...he required patches before configuring OpenSSL 4 Configure and compile OpenSSL Refer to the README pkcs11 and INSTALL file for more information tar zxvf openssl 0 9 7d tar gz gunzip pkcs11_engine 0 9...

Page 216: ...e OpenSSL libraries 4 Compile and install Apache Refer to the INSTALL file for more information Note Using Apache 2 2 0 or 2 2 2 on SuSE with the x86_x64 architecture make could fail with an error mes...

Page 217: ...n openssl for the OpenSSL command usr local apache2 conf server key and usr local apache2 conf server crt for the key and certificate files for Apache 2 x 4 Put the private key in the usr local apache...

Page 218: ...s error occurs verify that pk11 libname usr lib64 pkcs11 PKCS11_API so is used for the OpenSSL configuration and also that usr lib64 pkcs11 PKCS11_API so is a link to the 64 bit openCryptoki PKCS 11 l...

Page 219: ...r 6000 software provides three interactive utilities for running diagnostics on the board The first of these utilities SunVTS focuses on the system level network and cryptographic functionality of the...

Page 220: ...nterface enables the security administrator to perform diagnostics on both an initialized and uninitialized board The scadiag interface provides less information regarding diagnostic failures then the...

Page 221: ...reflect cryptographic activity on the board To determine whether cryptographic work requests are being performed on the board use the kstat 1M command to display the device usage Displaying the kstat...

Page 222: ...vious example 0 is the instance number of the mca device This number should reflect the instance number of the board for which you are performing the kstat command kstat mca 0 module mca instance 0 na...

Page 223: ...d does not contain lights or other indicators to reflect cryptographic activity on the board To determine whether cryptographic work requests are being performed on the board you must use the proc fil...

Page 224: ...aprivate 0 rsapublic 1 dsasign 0 dsaverify 0 dhderive 0 dhkeygen 0 md5bytes 0 md5jobs 0 sha1bytes 0 sha1jobs 0 fsbytes 0 fsjobs 0 rngbytes 60 rngjobs 3 keygenjobs 0 wrapjobs 0 unwrapjobs 0 mode FIPS s...

Page 225: ...00 board It contains the following sections Connectors on page 203 Physical Dimensions on page 204 Power Requirements on page 205 Environmental Specifications on page 205 Connectors FIGURE A 1 shows t...

Page 226: ...s Guide for Version 1 1 February 2013 FIGURE A 1 Sun Crypto Accelerator 6000 Board Connectors Physical Dimensions TABLE A 1 Physical Dimensions Dimension Measurement Metric Measurement Length 6 6 inc...

Page 227: ...ower Requirements Specification Measurement Maximum power consumption 6 25 W 5V 12 75 W 3 3V Voltage tolerance 5V 5 3 3V 5 TABLE A 3 Environmental Specifications Condition Operating Specification Stor...

Page 228: ...206 Sun Crypto Accelerator 6000 Board User s Guide for Version 1 1 February 2013...

Page 229: ...ses openCryptoki as the interface for PKCS 11 applications Version 1 1 of the board uses the certified openCryptoki 2 2 4 release of the software The source rpm package is downloadable from the RedHat...

Page 230: ...ry on 64 bit systems only Build and Install openCryptoki on RHEL4 Updates The openCryptoki binary packages for RHEL5 cannot install on RHEL4 due to dependencies The openCryptoki 2 2 4 source rpm packa...

Page 231: ...started or restarted On RHEL systems start and stop openCryptoki with the following commands Build and Install openCryptoki Software on SUSE10 SP1 Platforms The openCryptoki binary packages for RHEL5...

Page 232: ...and Start openCryptoki Note The openCryptoki packages must be installed before the Sun Crypto Accelerator 6000 packages are installed The Sun Crypto Accelerator 6000 installation modifies openCryptoki...

Page 233: ...s Sun Ray Sun tm ONE and Sun tm Crypto Accelerator 6000 are trademarks or registered trademarks of Sun Microsystems Inc in the U S and other countries All SPARC trademarks are used under license and a...

Page 234: ...y third parties Sun Sun Microsystems the Sun logo Java Jini Netra Solaris StarOffice Sun tm ONE FORTE SunVTS AnswerBook2 Sun Enterprise Sun Enterprise Volume Manager iPLANET SunSolve and Sun logo are...

Page 235: ...ept as specifically authorized in any Supplemental License Terms you may not make copies of Software other than a single copy of Software for archival purposes Unless enforcement is prohibited by appl...

Page 236: ...you have the responsibility to obtain such licenses to export re export or import as may be required after delivery to you 8 U S GOVERNMENT RESTRICTED RIGHTS If Software is being acquired by or on be...

Page 237: ...ok2 Sun Enterprise Sun Enterprise Volume Manager and iPLANET trademarks and all SUN SOLARIS JAVA JINI FORTE STAROFFICE SunVTS AnswerBook2 Sun Enterprise Sun Enterprise Volume Manager and iPLANET relat...

Page 238: ...er in the documentation and or other materials provided with the distribution 3 All advertising materials mentioning features or use of this software must display the following acknowledgment This pro...

Page 239: ...etc code not just the SSL code The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson tjh cryptsoft com Copyright remains Er...

Page 240: ...THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE The licence and distribution terms for any publically available version or derivative of this code cannot be changed i e this code cann...

Page 241: ...the following acknowledgment This product includes software developed by Ralf S Engelschall rse engelschall com for use in the mod_ssl project http www modssl org THIS SOFTWARE IS PROVIDED BY RALF S E...

Page 242: ...220 Sun Crypto Accelerator 6000 Board User s Guide for Version 1 1 February 2013...

Page 243: ...mcactl 7d mca control device driver character based that provides an administrative interface to entities such as scad 1M and scadiag 1M scad 1m Daemon that provides keystore services scadiag 1m Util...

Page 244: ...ent operations for the financial services API fs_card_verify 3 Command that provides credit card processing operations for the financial services API fs_pin_verify 3 Command that provides PIN manageme...

Page 245: ...mgr program See Perform a Software Zeroize on the Board on page 81 Also refer to the online manual pages for scadiag 4 regarding removing all key material Note Performing a hardware zeroize on the boa...

Page 246: ...s you can use dynamic reconfiguration DR to remove and replace the board as necessary for this procedure instead of powering off the system Refer to the documentation delivered with your system for th...

Page 247: ...wer off the system 6 Remove the jumper from pins 0 and 1 of the jumper block and store the jumper in the original location Note You can safely store the jumper on pins 3 and 5 This location does not a...

Page 248: ...rsion 1 1 February 2013 10 Reconnect to Sun Crypto Accelerator 6000 board with scamgr scamgr prompts you to either initialize the board with a new keystore or initialize the board to use an existing k...

Page 249: ...r File Copyright 2006 Sun Microsystems Inc All rights reserved Use is subject to license terms ifndef_FINSVCS_H define_FINSVCS_H pragma ident finsvcs h1 506 04 19 SMI ifdef__cplusplus extern C endif i...

Page 250: ...nvalidPinType invalid pin block format fsInvalidDectbl fsInvalidPan fsInvalidCmd fsInvalidState fsNotInitialized fsNotFound fsInvalidLibVersion fsReturn_t fs state typedef enum fsStateUninit fsStateNo...

Page 251: ...R where N PIN length P PIN digit R random digit between o and 0xf typedef enum fsPinType ISOFormat0 ISOFormat1 fsPinType_t defineFS_PIN_SIZE8 Personal Identificatin Number PIN data type typedef struct...

Page 252: ...ication Key KEK Key Encryption Key MACK MAC Key fsKeyUsage_t defineMAX_KEY_USAGE6 Financial Key Types DESx only currently typedef enum fsKeyType DES 1 Single length DES DES2 Double length DES DES3 3DE...

Page 253: ...nibbles digits from 12 to 19 uint8_tpan FS_PAN_SIZE fsPan_t typedef enum fsObjectType fsObjDecTable fsObjKey fsObjectType_t typedef struct fsObjectData_s fsObjectType_ttype union fsDecTable_tdecTable...

Page 254: ...uint8_t refCSC 3 csc data fsCardData_t if defined CPU_XSCALE defined _KERNEL Library prototypes general purpose routines fsLibHandle_tfs_lib_open char fsReturn_t fsReturn_tfs_lib_close fsLibHandle_t f...

Page 255: ...turn_tfs_key_import fsSessHandle_t fsKeyUsage_t fsKey_t fsKey917_t fsKey_t boolean_t fsReturn_tfs_key_export fsSessHandle_t fsKeyUsage_t fsKey_t fsKey_t fsKey917_t boolean_t fsReturn_tfs_retrieve_obje...

Page 256: ...234 Sun Crypto Accelerator 6000 Board User s Guide for Version 1 1 February 2013...

Page 257: ...235 APPENDIX G Supported PKCS 11 Mechanisms This appendix lists the PKCS 11 mechanisms supported by the Sun Crypto Accelerator 6000 board TABLE G 1 lists the mechanisms supported by the board...

Page 258: ...or 32 byte CKM_MD5_HMAC 1 61439 bytes Multi Part is implemented in firmware Disabled by default CKM_SHA_1_HMAC 1 61439 bytes Multi Part is implemented in firmware Disabled by default CKM_SHA512_HMAC 1...

Page 259: ...EY_PAIR_GEN 512 1024 bits CKM_DES_KEY_GEN 8 bytes CKM_DES2_KEY_GEN 16 bytes CKM_DES3_KEY_GEN 24 bytes CKM_AES_KEY_GEN 16 24 or 32 bytes CKM_RC2_CBC_PAD 8 1024 bits Disabled by default TABLE G 1 Suppor...

Page 260: ...238 Sun Crypto Accelerator 6000 Board User s Guide for Version 1 1 February 2013...

Page 261: ...nds ldapmodify 111 modinfo 23 openssl 109 pkgadd 21 prtdiag 13 14 22 27 svcadm 111 zeroize 224 credit card processing 140 cryptographic algorithms acceleration 4 enabling optional algorithms 93 suppor...

Page 262: ...personal account number 136 PIN 136 PVKI 137 security officers 142 setting mode 142 FIPS 140 2 mode 39 firmware 225 H hardware 10 hardware and software requirements 10 hardware zeroize 223 235 hexadec...

Page 263: ...pdate 153 C_GetObjectSize 153 C_GetOperationState 153 C_SetOperationState 153 C_SignEncryptUpdate 153 CK_EFFECTIVELY_INFINITE 153 CKM_MD5 153 CKM_SHA_1 153 cryptoadm 148 developing applications 152 de...

Page 264: ...a keystore with security officers 60 with users 61 prompt 43 quitting 48 setting auto logout 77 user name requirements 58 using 34 utility 34 security officer accounts 57 security officers 60 server...

Page 265: ...key 125 TPK 125 trust database creating scamgr 38 Sun Java System Web Server 6 0 165 U user accounts 57 V Visa PVV Method 135 W web servers 158 Z zeroize command 224 zeroizing the hardware 223 235 zon...

Page 266: ...244 Sun Crypto Accelerator 6000 Board User s Guide for Version 1 1 February 2013...

Reviews:

No comments

Related manuals for Crypto Accelerator 6000 Board

Brand: P.I. Engineering Pages: 4

Brand: Pace Pages: 15

Brand: VSmart Pages: 9

Brand: AR Pages: 20

Brand: DeLOCK Pages: 4

Brand: Acard Pages: 33

Brand: Quintum Pages: 58

Brand: X-media Pages: 7

SG-EMFCOE2-Q-SR

Brand: Oracle Pages: 70

Brand: EtherWAN Pages: 21

Brand: Belkin Pages: 165

Brand: TAMS Pages: 24

Brand: Plantronics Pages: 1

Plug Prong Adapter

Brand: Plantronics Pages: 2

Brand: Plantronics Pages: 19

Brand: Plantronics Pages: 52

HHM Series HHM2209SA1

Brand: TDK Pages: 2

SmartSwitch 6C110

Brand: Cabletron Systems Pages: 50

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands