Sun Crypto Accelerator 6000 Board User’s Guide for Version 1.1 • February 2013

TABLE D-1 Sun Crypto Accelerator 6000 Online Manual Pages (Continued)

| man page | Description |
|---|---|
| fs_key_generate(3) | Command that provides key management operations for the financial services API. |
| fs_card_verify(3) | Command that provides credit card processing operations for the financial services API. |
| fs_pin_verify(3) | Command that provides PIN management operations for the financial services API. |

Contents of Crypto Accelerator 6000 Board

Page 1: ...Sun Crypto Accelerator 6000 Board Version 1.1 User's Guide Part No E39851 01 February 2013...

Страница 2: ...i t intellectuelle Ils sont conc d s sous licence et soumis des restrictions d utilisation et de divulgation Sauf disposition de votre contrat de licence ou de la loi vous ne pouvez pas copier reprodu...

Страница 3: ...se 2 Key Features 2 Financial Services Support 3 Supported Applications 3 Supported Cryptographic Protocols and Algorithms 3 Diagnostic Support 4 Cryptographic Algorithm Acceleration 4 Hardware Overvi...

Страница 4: ...pt 19 Remove the Software With the remove Script on the CD ROM 19 For Oracle Solaris 11 Remove the Software With the remove Script 20 Installing the Software on Oracle Solaris Platforms Without the In...

Страница 5: ...he scamgr Utility 34 Device and Keystore Security Officers 34 scamgr Syntax 35 scamgr Options 35 Modes of Operation 36 Interactive Mode 37 Single Command Mode 37 File Mode 37 scamgr Secure Communicati...

Страница 6: ...ands 49 Getting Help for Commands 56 Managing Keystores With scamgr 57 Multiple Keystore Support 57 Naming Requirements 58 Password Requirements 59 Set the Password Requirements 59 Change Password Req...

Страница 7: ...of Security Officers Required to Authenticate Multi Admin Commands 71 Set a Multi Admin Command Timeout 71 Enable Multi Admin Mode 72 Disable Multi Admin Mode 72 Add Additional Security Officers to th...

Страница 8: ...s 92 Modify Service Configuration Parameters 93 Enabling Optional Cryptographic Algorithms 93 Enable the SHA 512 Algorithm 93 Enable the RC2 CBC Algorithm 94 Enable the Multi part MD5 Algorithm 94 Ena...

Страница 9: ...Adding the Certificate to the Agent Entry in the Directory Server 110 Add the Certificate to the Agent Entry in the DS 110 Configuring the Board to Join a Centralized Keystore 112 Join a Previously C...

Страница 10: ...s 127 Change the MFK 127 Key Management Functions 127 Generate Key Function fs_generate_key 128 Import Key Function fs_import_key 129 Export Key Function fs_export_key 130 Translate Key Function fs_tr...

Страница 11: ...ng PKCS 11 Applications for Use With the Sun Crypto Accelerator 6000 Board 145 Board Administration 146 Slot Descriptions 147 Keystore Slot 147 Sun Metaslot 148 Configuring Sun Metaslot to Use the Sun...

Страница 12: ...Keystore 162 Installing and Configuring Sun Java System Web Server 6 1 163 Install Sun Java System Web Server 6 1 164 Create a Trust Database 165 Register the Board With the Web Server 166 Generate a...

Страница 13: ...g and Configuring Apache Web Server on Linux Platforms 192 Prepare OpenSSL Libraries 193 Compile Apache Web Server 194 Configure and Start Apache Web Server 194 9 Diagnostics and Troubleshooting 197 D...

Страница 14: ...stall openCryptoki Software on RHEL5 208 Build and Install openCryptoki on RHEL4 Updates 208 Build and Install openCryptoki Software on SUSE10 SP1 Platforms 209 C Software Licenses 211 Third Party Lic...

Страница 15: ...h the instructions may cause harmful interference to radio communications However there is no guarantee that interference will not occur in a particular installation If this equipment does cause harmf...

Страница 16: ...xvi Sun Crypto Accelerator 6000 Board User s Guide for Version 1 1 February 2013...

Страница 17: ...xvii BSMI Class A Notice The following statement is applicable to products shipped to Taiwan and marked as Class A on the product compliance label...

Страница 18: ...xviii Sun Crypto Accelerator 6000 Board User s Guide for Version 1 1 February 2013...

Страница 19: ...ers and Apache Web Servers IPsec SunVTS software certification authority acquisitions Note In this document these x86 related terms mean the following x86 refers to the larger family of 64 bit and 32...

Страница 20: ...ation visit http www oracle com pls topic lookup ctx acc id info or visit http www oracle com pls topic lookup ctx acc id trs if you are hearing impaired Documentation Link All Oracle products http ww...

Страница 21: ...Preface xxi...

Страница 22: ...xxii Sun Crypto Accelerator 6000 Board User s Guide for Version 1 1 February 2013...

Страница 23: ...security features and support for new Oracle Solaris OS on SPARC and x86 platforms and x86 AMD Opteron platforms running Linux The combination of a dedicated HSM advanced cryptographic security and se...

Страница 24: ...as Sun Java System Server products Provides centralized keystore support enabling multiple machines to access a common key repository FIPS 140 2 Level 3 certification Low CPU utilization frees up serv...

Страница 25: ...ata by performing the entire operation within the secure cryptographic boundary of the board Specialized key management capabilities and a new user library libfinsvcs so and associated application int...

Страница 26: ...s Some cryptographic algorithms were designed specifically to be implemented in hardware others were designed to be implemented in software For hardware acceleration there is the additional cost of mo...

Страница 27: ...re is a low profile half length 6 6 inches 1 67 64 mm by 2 54 inches 64 41 mm 8 lane PCI Express based HBA that enhances the performance of IPsec and SSL and provides robust security features FIGURE 1...

Страница 28: ...ATIONAL and FAILSAFE states heart beat Red when board is in the HALTED fatal error state or when a low level hardware initialization failure occurs Flashing red if an error occurrs during the boot pro...

Страница 29: ...port and a Point of Presence button Serial Port The six wire RJ 11 port connector enables direct input adminstration The port operates at a baud rate of 9600 8N1 The pinout specifications are describ...

Страница 30: ...URE 1 3 RJ 11 Port Connector Pins USB Port The standard size USB connector enables you to back up and restore the on board keystore The port is USB 1 1 compliant and is compatible with standard USB ma...

Страница 31: ...ns multiple Sun Crypto Accelerator 6000 boards can be installed within a system or domain to insure that hardware acceleration is continuously available In the unlikely event of a Sun Crypto Accelerat...

Страница 32: ...nctionality with PKCS 11 OpenSSL and Java J2SE x86 AMD Opteron Platforms Running Linux The openCryptoki software interface is used in Linux environments to access the Sun Crypto Accelerator 6000 board...

Страница 33: ...ge 18 Removing the Sun Crypto Accelerator 6000 Software on Oracle Solaris Platforms With the remove Script on page 19 Installing the Software on Oracle Solaris Platforms Without the Installation Scrip...

Страница 34: ...damaging the sensitive components on the board wear an antistatic wrist strap when handling the board hold the board by its edges only and always place the board on an antistatic surface such as the p...

Страница 35: ...nter the scanpci command from a terminal prtdiag IO Configuration IO Location Type Slot Path Name Model IOBD NET0 PCIE IOBD pci 780 pci 0 pci 1 network 0 network pciex8086 105e IOBD NET1 PCIE IOBD pci...

Страница 36: ...d patches before installing the software In addition to the software provided on the product CD required software is provided at My Oracle Support http support oracle com For CD installations the inst...

Страница 37: ...components SUNWscafsu Financial services usr SUNWscafsm Financial services manual pages SUNWscamga Administration client SUNWscamgm Administration manual pages SUNWscamgr Administration root SUNWscam...

Страница 38: ...sun sca6000 man user documentation sun sca6000 var variable length files sun sca6000 libs supporting libraries sun nss Netscape Security Services libraries and tools sun nspr Netscape Portable Runtim...

Страница 39: ...or Solaris 10 Install Optional Crypto IPsec Acceleration software To cancel installation of this software press q followed by a Return OR Press Return key to begin installation Installing Sun Crypto A...

Страница 40: ...LE 2 2 Sun Crypto Accelerator 6000 Directories and Files for Solaris Platforms Directory Contents kernel drv Driver configuration files kernel drv sparcv9 64 bit SPARC drivers kernel drv amd64 64 bit...

Страница 41: ...ipt If you used the install script to install the software use the remove script on the CD ROM to remove the software If you installed the software without the install script see Removing the Software...

Страница 42: ...cafsu SUNWscafsm SUNWmcau SUNWmcar SUNWmcamn SUNWmcafw SUNWmcact To cancel removal of this software press q followed by a Return OR Press Return key to begin package removal Found the following packag...

Страница 43: ...ed on the product CD required software is provided at My Oracle Support http support oracle com Install the Software Without the install Script 1 If installing from a CD insert the Sun Crypto Accelera...

Страница 44: ...camn SUNWmcar SUNWmcau SUNWscafsm SUNWscafsu SUNWscamga SUNWscamgm SUNWscamgr SUNWscamgu system SUNWmcact Sun Crypto Accelerator 6000 Activation File system SUNWmcafw Sun Crypto Accelerator 6000 Firmw...

Страница 45: ...ores With scamgr on page 57 you must delete the keystore information that the Sun Crypto Accelerator 6000 board is configured with before removing the software The zeroize command removes all key mate...

Страница 46: ...n this order could result in dependency warnings and leave kernel modules loaded For Solaris 10 if you installed all the packages you would remove them as follows For Solaris 11 if you installed all t...

Страница 47: ...ypto Accelerator 6000 CD into a CD ROM drive that is connected to your system and enter the following command lspci Network and computing encryption device Sun Microsystems Computer Corp Unknown devic...

Страница 48: ...m sun sca6000 libs 1 1 1 x86_64 rpm sun sca6000 man 1 1 1 x86_64 rpm sun sca6000 var 1 1 1 x86_64 rpm Install the Software Without the install Script 1 If it is not already on the system install the N...

Страница 49: ...ts etc init d Start and stop scripts links etc rc5 d Service configuration files etc opt sun sca6000 Daemon configuration files opt sun sca6000 bin Application executables drivers and the scamgr utili...

Страница 50: ...rypto Accelerator 6000 Software on Linux Platforms Removing the Sun Crypto Accelerator 6000 Software With the remove Script All applications such as Sun Java System and Apache Web Servers that are usi...

Страница 51: ...the following packages to remove sun sca6000 firmware 1 1 1 sun sca6000 man 1 1 1 sun sca6000 1 1 1 sun sca6000 libs 1 1 1 sun sca6000 config 1 1 1 sun sca6000 var 1 1 1 sun sca6000 admin 1 1 1 Removi...

Страница 52: ...archive the correct keystore directory and configuration file The keystore name and ID are shown in the filename for the conf file and the corresponding directory For example if the keystore name is k...

Страница 53: ...load the 1 0 software components 8 Apply any 1 0 software and firmware patches that are necessary Refer to the Sun Crypto Accelerator 6000 Board Product Notes for Version 1 1 819 5537 at http docs ora...

Страница 54: ...32 Sun Crypto Accelerator 6000 Board User s Guide for Version 1 1 February 2013...

Страница 55: ...ollowing sections Using the scamgr Utility on page 34 Authentication and Logging In and Out With scamgr on page 43 Entering Commands With scamgr on page 48 Initializing the Board With scamgr on page 3...

Страница 56: ...ccounts The default behavior for scamgr is to log in as a KSO To log in as a DSO you must sun scamgr with the D command line option If you have already started an scamgr session but are logged out fro...

Страница 57: ...For example in the C shell the command is changed to scamgr scamgr Options TABLE 3 1 shows the options for the scamgr utility TABLE 3 1 scamgr Options Option Meaning Displays help files for scamgr com...

Страница 58: ...mode you are using h hostname Connects to the board on hostname The value for hostname can be a host name or an IP address and defaults to the loopback address localhost k keystorename Logs into the s...

Страница 59: ...ommand mode you specify the command to be run after all the command line switches are specified For example in Single Command mode the following command would show all the users in a given keystore an...

Страница 60: ...connection is made and an unrecognized key is given to scamgr by the firmware scamgr prompts the security officer to either abort the connection accept the key for this one session or accept the key p...

Страница 61: ...successful board initialization a new remote access key is created This new key is used to secure communications when new keystores are initialized and administered Perform a Board Initialization 1 Se...

Страница 62: ...ng Keystore on page 42 The scamgr utility prompts for the backup file location and uploads the file to the board as part of the keystore initialization process This option can be used to recover a key...

Страница 63: ...up file You must first create a backup file of an existing board configuration before performing this procedure Creating and restoring a backup file requires a password to encrypt and decrypt the data...

Страница 64: ...d keystore name serial number keystore id Perform a Keystore Initialization and Use an Existing Keystore 1 Initialize the board with the scamgr command If the board is installed locally enter scamgr a...

Страница 65: ...tity based A valid security officer name and password must exist in the card s keystore before access is granted When you use scamgr from the command line and specify host port and device using the h...

Страница 66: ...with the Interactive mode of scamgr TABLE 3 2 scamgr Prompt Variable Definitions Prompt Variable Definition mcaN mca is a string that represents the Sun Crypto Accelerator 6000 board N is the device i...

Страница 67: ...access key you must use scamgr to change the entry corresponding to the board in the trust database scamgr h hostname Warning Serial ID and Public Key Not Found The Serial ID and public key presented...

Страница 68: ...mgr h hostname Warning Public Key Conflict The public key presented by the board you are connecting to is different than the public key that is trusted for this Serial ID Serial ID 36 30 30 30 30 33 N...

Страница 69: ...ator 6000 firmware to renegotiate new session keys to protect the administrative data that is sent scamgr mcaN hostname sec officer logout scamgr connect host hostname dev mca2 Security Officer Login...

Страница 70: ...ommands The scamgr utility has a command language that must be used to interact with the Sun Crypto Accelerator 6000 board You enter commands using all or part of a command enough to uniquely identify...

Страница 71: ...e Successful backups increment the backup counter by one see show status If Multi Admin mode is enabled when this command is entered it requires authentication by multiple security officers with the M...

Страница 72: ...ed to confirm it delete keystore KSO only Ensure that you create a full keystore backup if you want to be able to restore a keystore before deleting it see the backup keystore command This command del...

Страница 73: ...keystore creation functions on the board With this setting disabled no new keystores can be created disable user username KSO only Disable the user named username in the keystore A disabled user cann...

Страница 74: ...through the rekey command are automatically locked and cannot be backed up Once set a locked master key cannot be unset If the master key is locked by a DSO a board zeroize is required to clear it If...

Страница 75: ...mum admin role sec officers This command sets the quorum of security officers required for the successful completion of a Multi Admin mode command This value must be at least 2 and less than or equal...

Страница 76: ...splays the current keystore audit log Audit logs are displayed to standard out by default but can be sent to the file outfile using the path option keyword The number of log messages displayed can be...

Страница 77: ...d requires a quorum of security officers with the Multi Admin role to authenticate if Multi Admin mode is enabled zeroize DSO only Cleans the board of all security parameters and returns the board to...

Страница 78: ...c officer create user Usage create user username scamgr mcaN hostname sec officer set Sub Command Description lock Lock master key Prevents key backup multiadmin Configure Multi Admin mode passreq Set...

Страница 79: ...a repository for key material Associated with a keystore are keystore security officers KSOs and users Keystores not only provide storage but a means for key objects to be owned by user accounts This...

Страница 80: ...lectively work with the same keystore to provide additional performance and fault tolerance Naming Requirements Security officer names user names and keystore names must meet the following requirement...

Страница 81: ...nts for a Sun Crypto Accelerator 6000 board to high TABLE 3 6 Password Requirement Settings Password Setting Requirements low Does not require any password restrictions This is the default while the b...

Страница 82: ...documentation for details Managing Security Officers and Users This section describes how to populate keystores and how to list enable disable and delete security officers and users Populate a Keystor...

Страница 83: ...meter on the command line If the user name is omitted scamgr prompts you for the user name See Naming Requirements on page 58 For example Users must use this password when authenticating during a web...

Страница 84: ...on page 77 for details List Users You can list users associated with a keystore 1 Start the scamgr utility 2 Type the show user command For example List Security Officers You can list security office...

Страница 85: ...name When enabling or disabling a user the user name is an optional parameter on the command line If the user name is omitted scamgr prompts you for the user name For example Enable Users 1 Start the...

Страница 86: ...ypes of backups that can be performed with the board Device Configuration Master Key and Keystore Back Up a Device Configuration This type of backup saves the global device configuration including FIP...

Страница 87: ...oard to use an existing keystore the master key for that keystore must be loaded to that board using a master key backup file Only the keystore security officer can backup a master key 1 Start the sca...

Страница 88: ...me serial number keystore id conf The second and third files are the user db and object db files which are located in the subdirectory under the top level keystore directory named keystore name serial...

Страница 89: ...keystore directory var sca keydata by default If keystore files for a keystore with the same name as the keystore backup already exist in the keystore directory the backup will not be allowed A keyst...

Страница 90: ...ult back to the disabled state until it is re enabled by a KSO 1 Start the scamgr utility 2 Type lock keystore For example Enable a Locked Keystore To Enable Access After a reset or power cycle a keys...

Страница 91: ...t from 1 to 15 minutes must be set at or before Multi Admin mode is enabled See Set a Multi Admin Command Timeout on page 71 for more information Also security officers must set the number of Multi Ad...

Страница 92: ...um number set with the set multiadmin minauth command See Set the Minimum Number of Security Officers Required to Authenticate Multi Admin Commands on page 71 If the number of Multi Admin role members...

Страница 93: ...utility 2 Type set multiadmin minauth minimum role members The minimum role members value must be at least two and less than or equal to the total number of security officers on the system In additio...

Страница 94: ...cessfully When this command is executed the security officer is presented with the current Multi Admin mode settings and is given the opportunity to change these settings before the command completes...

Страница 95: ...equires the authorization of three different security officers including the initiating security officer to authenticate before this command can complete Execute the following command on the initiatin...

Страница 96: ...is currently in progress You are a member of the Multi Admin role and may approve this command Command enable authmember sec officer4 Initiating SO sec officer1 Authorize this command Y Yes N No No y...

Страница 97: ...command you have the option of cancelling it If you choose not to cancel the command you will be logged out and the board will continue with the command Cancel this command Y Yes N No No y Authorizat...

Страница 98: ...2 Type a command as a security officer without Multi Admin role permissions The command fails For example scamgr Security Officer Login new sec officer Security Officer Password You have authenticated...

Страница 99: ...r locally with a direct input device see Direct Board Administration on page 82 Set the Auto Logout Time 1 Start the scamgr utility by logging in as a DSO 2 Type set timeout N where N is the number of...

Страница 100: ...s are added 1 Start the scamgr utility by logging in as a DSO 2 Type load firmware path name where path name is the path to the firmware file scamgr mcaN hostname sec officer show status Board Status...

Страница 101: ...u must reconnect to the device by logging back into scamgr if you want to continue administering it 1 Start the scamgr utility by logging in as a DSO 2 Type reset 3 Type y to proceed type n to cancel...

Страница 102: ...f three key types when issuing the rekey command The following is an example of entering a key type of all with the rekey command 4 Backup the master key to enable disaster recovery see Back Up a Mast...

Страница 103: ...and For example Use the scamgr diagnostics Command Diagnostics can be performed from the scamgr utility and from the SunVTS software The diagnostics command in scamgr covers three major categories in...

Страница 104: ...The following commands are not supported on the direct interface reset zeroize load firmware There are also additional commands supported on the local interface that are not available when connecting...

Страница 105: ...evices on page 7 for details on the USB port and the suggested USB backup device Using the backup command through a local interface works the same as accessing scamgr remotely unless the board is in F...

Страница 106: ...e them to reenter the required UWK components Since the board is in an uninitialized state each security officer need not authenticate to the board before entering a component The following example sh...

Страница 107: ...x described in TABLE 3 8 for both the Oracle Solaris OS and Linux is as follows scadiag scadiag b bootstrap fw mcaN scadiag d mcaN scadiag f mcaN scadiag k mcaN scadiag l mcaN device name is optional...

Страница 108: ...ad the operation must not be interrupted or the board could be rendered inoperable d mcaN Performs diagnostics on the board f mcaN Displays the public key fingerprint used by the board for secure remo...

Страница 109: ...e device cannot be accessed from an application Regardless of which mode is set you can always manage the board with the scadiag and scamgr commands s mcaN Checks device status for possible DR This op...

Страница 110: ...392c 1c8f 5cc6 ec61 e617 1b7f 4ded 71b0 scadiag k mca0 Device mca0 Key Length 1024 bits Key Fingerprint b605 c285 392c 1c8f 5cc6 ec61 e617 1b7f 4ded 71b0 Modulus e4df259c 4725367a 3070ddff d78c4225 b...

Страница 111: ...w in diagnostic mode scadiag l mca0 Device mca0 State Diag Status Initialized scadiag r mca0 Resetting device mca0 this may take a minute Please be patient Device mca0 reset ok scadiag s mca0 Device m...

Страница 112: ...ility and the firmware The scakiod service performs keystore I O services The Fault Management Resouce Identifiers FMRIs for these services are svc device scad and svc device scakiod Start and Stop th...

Страница 113: ...trative data between clients and the service The value is in seconds and the default is to 300 seconds five minutes maxdata Sets a limit on the amount of data a client can send to the card in a single...

Страница 114: ...l fs restart_on astring none fs type astring service start method start exec astring usr lib crypto scakiod start group astring default start limit_privileges astring default start privileges astring...

Страница 115: ...ti part MD5 Multi part SHA1 Multi part SHA512 HMAC MD5 or SHA1 Enable these algorithms as needed by adding entries to kernel drv mca conf file One example for enabling certain algorithms is to use the...

Страница 116: ...Add enable multi part sha1 1 to the kernel drv mca conf file Enable the Multi part SHA512 Algorithm Add enable multi part sha512 1 to the kernel drv mca conf file Enable the HMAC MD5 or SHA1 Algorith...

Страница 117: ...board must be stopped and restarted after initialization or a zeroize Stop the Board on a Linux Platform 1 Type Start the Board on a Linux Platform 1 Type scadiag Program The scadiag program is instal...

Страница 118: ...96 Sun Crypto Accelerator 6000 Board User s Guide for Version 1 1 February 2013...

Страница 119: ...ions Centralized Keystore Overview on page 97 Configuring Centralized Keystores on page 99 Troubleshooting CKS Issues on page 114 Centralized Keystore Overview The centralized keystore CKS feature req...

Страница 120: ...service authenticates to the directory under a specific distinguished name DN called an agent name Each system must have a unique agent DN and an agent object with its authentication credentials These...

Страница 121: ...Directory Server to support centralized keystores This utility is located at usr sbin scakscfg Oracle Solaris or at opt sun sca6000 sbin scakscfg Linux The command line usage for scakscfg is as follow...

Страница 122: ...tion credentials or both b cks dn Base object under which the CKS infrastructure is created This device does not need to be a root node in a directory server The device can exist anywhere under the ro...

Страница 123: ...ry Manager h iplds config Bind password for cn Directory Manager modifying entry cn schema modifying entry cn userRoot cn ldbm database cn plugins cn config adding new entry ou scakeystore o SUN c US...

Страница 124: ...added as follows svccfg s scakiod setprop config serverlist astring uri1 uri2 urin On Linux systems uncomment the ServerList directive and the URI provided Multiple LDAP servers can be specified using...

Страница 125: ...irectory If SSL is not configured this property is ignored and does not need to be set The default value is var sca private for Oracle Solaris systems and var opt sun sca6000 private on Linux certname...

Страница 126: ...ldap centks svccfg s scakiod setprop config binddn cn agent1 ou Agents ou scakeystore o SUN c US svccfg s scakiod setprop config basedn o SUN c US svccfg s scakiod listprop grep config config applicat...

Страница 127: ...irectory servers using SSL To enable this communication an NSS certificate database must be configured The CA certificate that signs the directory server SSL certificate must be imported into that dat...

Страница 128: ...or Linux use the var opt sun sca6000 private path instead of var sca private Note certname is a friendly name for the CA certificate certpath is the path to the actual certificate file Use the a optio...

Страница 129: ...it requires not only the previous steps for basic SSL configuration This method also requires that you obtain a digital certificate for the scakiod service and that the CA that signs that certificate...

Страница 130: ...BINDDN g 1024 a o var sca private certreq pem Enter Password or Pin for NSS Certificate DB A random seed must be generated that will be used in the creation of your key One of the easiest ways to crea...

Страница 131: ...ert pem 7 If the issued certificate is in ASCII encoded form convert it to binary form as follows 8 Install the resulting certificate and the CA certificate into the NSS certificate database with cert...

Страница 132: ...te Adding the Certificate to the Agent Entry in the Directory Server You must add the certificate to the agent entry in the directory server If the agent entry does not exist in the DS use the scakscf...

Страница 133: ...nf file for Sun directory servers contains a default mapping and zero or more additional mappings tied to the issuer DN for certificates used in authentication If the default rule cannot be used you m...

Страница 134: ...hods across all your servers if possible 2 Use the scamgr utility to log into the keystore and export the master key Join an Unconfigured Board to a Centralized Keystore 1 If the board is uninitialize...

Страница 135: ...d previously scamgr h target host Select Keystore 1 Create new keystore 2 Load keystore from backup Selection 0 to exit 2 Enter the path to the backup file path to backup Password for restore file Loa...

Страница 136: ...IRECTIVE VALUE Directives should be one per line and if two directives with the same name are found in the configuration file the last one will be the one used The only exception to this is the HostBi...

Страница 137: ...LDAP servers where centralized keystores are hosted Entries in this property should be in the form of an LDAP URL proto server port Where proto is either ldap or ldaps server is a hostname fully quali...

Страница 138: ...ficate are stored on an external device then the value should be the PKCS 11 token name followed by a colon followed by the friendly name certname server cert The passfile property defines the locatio...

Страница 139: ...ig subcommand Failed Binding to Server Possible causes The value for the binddn property is incorrect The agent entry has not been created using scakscfg using the makeagent subcommand Sep 18 09 33 09...

Страница 140: ...directory referenced by the certdb property are not readable to the UNIX user daemon The certificate database files have not been created in the directory referenced by the certdb property Sep 18 12...

Страница 141: ...this new functionality Basic familiarity with PIN and credit card processing and the associated standards is assumed The following sections are included Financial Service Components Overview on page 1...

Страница 142: ...ibrary libfinsvcs so and associated application interfaces are provided to support this feature Data types referenced in this chapter are defined in the opt SUNWsca include finsvcs h header file which...

Страница 143: ...components comprise the Sun Crypto Accelerator 6000 board financial services functionality Key management PIN processing Card processing These core components are described in the following sections F...

Страница 144: ...e fs_lib_open function Library Shutdown Function fs_lib_close Applications can close the financial services library services when the services are no longer required fsLibHandle_t fs_lib_open char tok...

Страница 145: ...dle is returned and must then be used for all financial service requests for that specific session The syntax for the fs_session_open function is as follows TABLE 5 5 lists the parameters for the fs_s...

Страница 146: ...n_close function TABLE 5 8 lists the return values for the fs_session_close function Financial Services Data Types The financial services API requires the use of new data types defined in the finsvcs...

Страница 147: ...ollowing types of financial keys are supported Master file key MFK The Sun Crypto Accelerator 6000 board is a dedicated hardware security module HSM The MFK never leaves the secure HSM and encrypts ot...

Page 148: ...his extra security step is required to meet the following key management requirements Split knowledge No single user can know the entire key Dual control The component and a valid user name and passwo...

Page 149: ...matically by an application to retrieve the desired KEK Type the following command Change the MFK Financial applications require their keys be encrypted using the MFK Thus changing the MFK is a comple...

Page 150: ...erated these keys are encrypted by the MFK and returned in the user provided buffer upon success The syntax for the fs_generate_key function is as follows TABLE 5 9 lists the parameters for the fs_gen...

Page 151: ...dState Device not in proper state to handle command fsReturn_t fs_import_key fsSessHandle _t handle fsKeyUsage_t usage fsKey_t KEK fsKey917_t iKey fsKey_t oKey BOOLEAN useVariants TABLE 5 11 fs_import...

Page 152: ...arameters for the fs_export_key function TABLE 5 12 fs_import_key Function Return Values Return Value Description fsOK The oKey is filled in for this case if the key is successfully imported fsInvalid...

Page 153: ...Function Return Values Return Value Description fsOK The oKey is filled in for this case if key successfully exported fsInvalidKeyType Export key type invalid fsInvalidKeyUsage Key usage type invalid...

Page 154: ...cate the object The syntax for the fs_retrieve_object function is as follows TABLE 5 17 lists the parameters for the fs_retrieve_object function TABLE 5 16 fs_translate_key Function Return Values Retu...

Page 155: ...anslations are done in this mode The syntax for the fs_status function is as follows The parameter for the fs_status function is as follows status Status buffer PIN Processing Functions The Sun Crypto...

Page 156: ...account number field hexadecimal characters are defined in TABLE 5 20 C N P P P P P F P F P F P F P F P F P F P F F F TABLE 5 19 ANSI ISO Format 0 Cleartext PIN Hexadecimal Characters Field Name Value...

Page 157: ...ssuer or a designated agent provides a PIN verification service PVS This service compares the cardholder s PIN to a cryptographic transformation of the PIN The PVV method is a two step process 1 When...

Page 158: ...IN The PIN verification key PVK used in the PIN calculation algorithm and encrypted with the MFK Validation information for identifying the customer which is typically the customer s account number Che...

Page 159: ...fication Visa PVV and IBM 3624 Additionally the board supports two types of PIN block formats ANSI ISO Format 0 and ISO Format 1 The syntax for the fs_pin_verify function is as follows TABLE 5 22 list...

Page 160: ...ction to the credit card issuing bank the PAN Personal account number iPIN Encrypted input PIN data PIN algorithm specific data For Visa PVV data consists of PVKI Reference PVV For IBM 3624 data consi...

Page 161: ...IN fPIN_t oPIN fsPAN_t PAN TABLE 5 24 fs_pin_translate Function Parameters Parameter Description handle Session handle returned by the fs_session_open function iPEK Input PEK used to encrypt the PIN t...

Page 162: ...3 The fs_card_verify function provides credit card processing operations for the board s financial services API Verification for Visa MasterCard and American Express credit cards is supported The fs_...

Page 163: ...ossible errors and their meanings fsInvalidHandle The session handle provided by handle is not valid fsVerifyFail The card verification failed fsInvalidCVK The CVK is corrupt or invalid fsInvalidState...

Page 164: ...ultiple FSSOs per board to authenticate commands a security officer must enable Multi Admin mode which is described in Multi Admin Authentication on page 69 Direct Input Device A direct input device i...

Page 165: ...length enable mfk Activates a new MFK and deletes the old one Use this command after all applications have translated their keys under the new MFK cancel mfk Cancels the MFK Must be initiated before...

Page 166: ...load decimalization table Loads a decimalization table which is required for IBM 3624 PIN verification You are prompted for a label to associate with the decimalization table The entered decimalizatio...

Page 167: ...ction This chapter includes the following sections Board Administration on page 146 Slot Descriptions on page 147 PKCS 11 and FIPS Mode on page 151 Developing Applications to Use PKCS 11 on page 152 D...

Page 168: ...r utility See Chapter 3 When a keystore is first initialized scamgr prompts you to set up a keystore security officer KSO account This keystore security officer is not related to the PKCS 11 security...

Page 169: ...slot The Hardware slot is bound to and dedicated to a hardware device These slots are directly accessible when the device is uninitialized or when it is in diagnostic mode There should be three Hardwa...

Page 170: ...lots including the Oracle Solaris software implementation for the mechanisms not supported by the board The Sun Metaslot also supports failover For more details please refer to the Sun Metaslot docume...

Page 171: ...the auto key migration is disabled sensitive token keys are not automatically migrated to other slots With this configuration if an operation with a sensitive token key fails on the Sun Crypto Accele...

Page 172: ...n keys only The CA Hardware slot accelerates asymmetric operations such as RSA DSA and DH The OM Hardware slot allows key management operations such as key generation and key creation However the keys...

Page 173: ...rd itself All keys and critical security parameters cross the PCI bus in encrypted form Certain additional integrity checks are done at startup and when keys and random numbers are generated Random nu...

Page 174: ...he PKCS 11 administrative functions C_InitToken and C_InitPin are not implemented The C_Login function with the CKU_SO security officer flag is rejected Token Objects In PKCS 11 public token objects a...

Page 175: ...for the hash operations CKM_SHA_1 and CKM_MD5 are not available from the user level of the PKCS 11 application However those mechanisms are available for the kernel consumers such as IPsec The tokens...

Page 176: ...se CKA_APPLICATION empty string CKA_ATTR_TYPES empty string CKA_AUTH_PIN_FLAGS false CKA_DECRYPT true not enforced CKA_DERIVE false not enforced CKA_ENCRYPT true not enforced CKA_END_DATE empty string...

Page 177: ...ftware will not return an error code The inconsistent attribute CKA_VALUE_LENGTH is simply ignored by the software Software Error Codes The error codes returned by the software are not always as speci...

Page 178: ...Applications for Use With the Sun Crypto Accelerator 6000 Board on Linux Platforms The openCryptoki software is used as the PKCS 11 framework See Appendix B for details on openCryptoki software If th...

Page 179: ...Java System Web Server 6 1 on page 163 Installing and Configuring Sun Java System Web Server 7 0 Update 1 on page 173 Installing and Configuring Sun Java System Web Server on Linux Platforms on page...

Page 180: ...S 11 interface such as the Sun Java System Applications Note The Apache Web Server Chapter 8 does not use the keystore or user account features described in this chapter Users Within the context of th...

Page 181: ...ticate and access specific keys Security officer accounts Accounts that provide access to key management functions through scamgr Note A single Sun Crypto Accelerator 6000 board must have exactly one...

Page 182: ...Chapter 6 there are four kinds of slots presented through the Oracle Solaris Cryptographic Framework s PKCS 11 interface PKCS 11 application PKCS 11 layer Firmware PKCS 11 token sca4000 ks 1 PKCS 11 t...

Page 183: ...ormance and fault tolerance Example If there are two boards mca0 and mca1 each is assigned a keystore name engineering and finance three slots are presented to the Sun Java System application engineer...

Page 184: ...LE 7 1 Passwords Required for Sun Java System Web Servers Type of Password Description Sun Java System Web Server Administration Server Required to start up the Sun Java System Web Server Administrati...

Page 185: ...his password users cannot access their keys There is no way to retrieve a lost password 4 Exit scamgr Installing and Configuring Sun Java System Web Server 6 1 This section describes how to install an...

Page 186: ...ion directory and extract the web server software 3 Install the web server with the setup script from the command line The default path name for the server is opt SUNWwbsvr This chapter refers to the...

Page 187: ...a System Web Server 6 1 Administration Server window is displayed 4 Create the trust database for the web server instance You might want to enable security on more than one web server instance If so r...

Page 188: ...database of the Sun Java System Web Server using the modutil utility Note modutil is a utility developed by Mozilla and is available with the Sun Java System distribution By default the modutil is loc...

Page 189: ...System Web Server setup enter admin for the user ID or the Sun Java System Web Server 6 1 Administration Server user name 3 Click OK The Sun Java System Web Server 6 1 Administration Server window is...

Page 190: ...t using the following information a Select a New Certificate If you can directly post your certificate request to a web capable certificate authority or registration authority select the CA URL link O...

Page 191: ...our certificate authority 10 Once the certificate is generated copy it along with the headers to the clipboard Note The certificate is different from the certificate request and is usually presented t...

Page 192: ...authority and a certificate has been issued you must install the certificate in the Sun Java System Web Server 1 Click the Security tab near the top of the Sun Java System Web Server 6 1 Server Manag...

Page 193: ...the web server for SSL Enable the Web Server for SSL 1 Select the Preferences tab near the top of the page 2 Select the Edit Listen Sockets link on the left panel The main panel lists all the listen...

Page 194: ...his keystore user is the user that is authenticated with the username password 7 When you have chosen a certificate and confirmed all the security settings click OK 8 Select the Apply link in the far...

Page 195: ...more information about installing and using Sun Java System Web Servers This section includes the following procedures 1 Install Sun Java System Web Server 7 0 on page 174 2 Register the Board With th...

Page 196: ...web server with the setup script from the command line The default path name for the server is sun webserver7 This chapter refers to the default path If you decide to install the software in a differ...

Page 197: ...name and password you selected while running setup Note If you used the default settings during Sun Java System Web Server setup enter admin for the User ID or the Sun Java System Web Server 7 0 Admin...

Page 198: ...be used A new window pops up 6 Uncheck the Token State box that is disable the token 7 Click OK You can also pre set the password for tokens so that the Sun Java System Web Server can start up without...

Page 199: ...and select Request Server Certificate under Configuration Tasks A new window pops up 2 Select a server from the scroll down menu and click the Next button 3 Select a token you would like to use from t...

Page 200: ...for Step 4 of Install the Server Certificate on page 178 Install the Server Certificate Once your request has been approved by a certificate authority and a certificate has been issued you must insta...

Page 201: ...r Certificate on page 177 into the Certificate Data text box Click Next 5 Type the nickname of the certificate and click Next In this example Server Cert is used FIGURE 7 5 Screenshot of the Sun Java...

Page 202: ...s displayed The nickname is in the form token name Certificate Nickname Deploy the Change Whenever you make a change to a server instance the change is temporarily made to the copy of the server insta...

Page 203: ...deploy the new configuration 3 Ensure that the deployment was successful and close the window Now that your web server and the Server Certificate are installed you must enable the web server for SSL...

Page 204: ...Version 1 1 February 2013 4 Click the Apply button 5 Click SSL tab at the top of the window 6 Alter the following fields SSL choose Enabled Certificate choose the certificate you installed The certif...

Page 205: ...un Java System Server Software 183 FIGURE 7 7 Screenshot of the Sun Java Web Server Edit HTTP Listener SSL Settings 7 Click the Apply button and close the window Note Ensure to deploy the change after...

Page 206: ...with Red Hat Enterprise Linux 4 0 Both RHEL 4 0 and SuSE 9 are supported with the Sun Java Web Server software The installation and configuration of Sun Java System Web Server on Linux is similar to t...

Page 207: ...so Manufacturer IBM Description Meta PKCS11 LIBRARY PKCS 11 Version 2 11 Library Version 2 2 Cipher Enable Flags None Default Mechanism Flags None Slot Linux 2 6 5 7 139 smp Linux SCA Slot Mechanism F...

Page 208: ...n on Reboot You can enable the Sun Java System Web Servers to perform an unattended startup at reboot with an encrypted key Create an Encrypted Key for Automatic Startup of Sun Java System Web Servers...

Page 209: ...es TABLE 7 1 for password definitions 3 Set the file ownership of the password file to the UNIX user ID that the web server runs as and set the file permissions to be readable only by the owner of the...

Page 211: ...ver on Linux Platforms on page 192 Installing and Configuring Apache Web Server on Oracle Solaris Platforms This section provides instructions specific to Oracle Solaris platforms Create a Private Key...

Page 212: ...Verifying password Enter PEM pass phrase openssl req new key usr local apache2 conf server key out crtreq csr TABLE 8 1 Certificate Field Descriptions Certificate Field Description Country Name The tw...

Page 213: ...to Step 4 If you do not have a private key and certificate go to Create a Private Key and Certificate on page 189 Enter PEM pass phrase You are about to be asked to enter information that will be inc...

Page 214: ...ing to the following URL Note The default port is 443 9 Verify that the Sun Crypto Accelerator 6000 board is being used Verify that the rsaprivate field is being incremented in the statistics Installi...

Page 215: ...he required patches before configuring OpenSSL 4 Configure and compile OpenSSL Refer to the README pkcs11 and INSTALL file for more information tar zxvf openssl 0 9 7d tar gz gunzip pkcs11_engine 0 9...

Page 216: ...e OpenSSL libraries 4 Compile and install Apache Refer to the INSTALL file for more information Note Using Apache 2 2 0 or 2 2 2 on SuSE with the x86_x64 architecture make could fail with an error mes...

Page 217: ...n openssl for the OpenSSL command usr local apache2 conf server key and usr local apache2 conf server crt for the key and certificate files for Apache 2 x 4 Put the private key in the usr local apache...

Page 218: ...s error occurs verify that pk11 libname usr lib64 pkcs11 PKCS11_API so is used for the OpenSSL configuration and also that usr lib64 pkcs11 PKCS11_API so is a link to the 64 bit openCryptoki PKCS 11 l...

Page 219: ...r 6000 software provides three interactive utilities for running diagnostics on the board The first of these utilities SunVTS focuses on the system level network and cryptographic functionality of the...

Page 220: ...nterface enables the security administrator to perform diagnostics on both an initialized and uninitialized board The scadiag interface provides less information regarding diagnostic failures than the...

Page 221: ...reflect cryptographic activity on the board To determine whether cryptographic work requests are being performed on the board use the kstat 1M command to display the device usage Displaying the kstat...

Page 222: ...vious example 0 is the instance number of the mca device This number should reflect the instance number of the board for which you are performing the kstat command kstat mca 0 module mca instance 0 na...

Page 223: ...d does not contain lights or other indicators to reflect cryptographic activity on the board To determine whether cryptographic work requests are being performed on the board you must use the proc fil...

Page 224: ...aprivate 0 rsapublic 1 dsasign 0 dsaverify 0 dhderive 0 dhkeygen 0 md5bytes 0 md5jobs 0 sha1bytes 0 sha1jobs 0 fsbytes 0 fsjobs 0 rngbytes 60 rngjobs 3 keygenjobs 0 wrapjobs 0 unwrapjobs 0 mode FIPS s...

Page 225: ...00 board It contains the following sections Connectors on page 203 Physical Dimensions on page 204 Power Requirements on page 205 Environmental Specifications on page 205 Connectors FIGURE A 1 shows t...

Page 226: ...s Guide for Version 1 1 February 2013 FIGURE A 1 Sun Crypto Accelerator 6000 Board Connectors Physical Dimensions TABLE A 1 Physical Dimensions Dimension Measurement Metric Measurement Length 6 6 inc...

Page 227: ...ower Requirements Specification Measurement Maximum power consumption 6 25 W 5V 12 75 W 3 3V Voltage tolerance 5V 5 3 3V 5 TABLE A 3 Environmental Specifications Condition Operating Specification Stor...

Page 229: ...ses openCryptoki as the interface for PKCS 11 applications Version 1 1 of the board uses the certified openCryptoki 2 2 4 release of the software The source rpm package is downloadable from the RedHat...

Page 230: ...ry on 64 bit systems only Build and Install openCryptoki on RHEL4 Updates The openCryptoki binary packages for RHEL5 cannot install on RHEL4 due to dependencies The openCryptoki 2 2 4 source rpm packa...

Page 231: ...started or restarted On RHEL systems start and stop openCryptoki with the following commands Build and Install openCryptoki Software on SUSE10 SP1 Platforms The openCryptoki binary packages for RHEL5...

Page 232: ...and Start openCryptoki Note The openCryptoki packages must be installed before the Sun Crypto Accelerator 6000 packages are installed The Sun Crypto Accelerator 6000 installation modifies openCryptoki...

Page 233: ...s Sun Ray Sun tm ONE and Sun tm Crypto Accelerator 6000 are trademarks or registered trademarks of Sun Microsystems Inc in the U S and other countries All SPARC trademarks are used under license and a...

Page 234: ...y third parties Sun Sun Microsystems the Sun logo Java Jini Netra Solaris StarOffice Sun tm ONE FORTE SunVTS AnswerBook2 Sun Enterprise Sun Enterprise Volume Manager iPLANET SunSolve and Sun logo are...

Page 235: ...ept as specifically authorized in any Supplemental License Terms you may not make copies of Software other than a single copy of Software for archival purposes Unless enforcement is prohibited by appl...

Page 236: ...you have the responsibility to obtain such licenses to export re export or import as may be required after delivery to you 8 U S GOVERNMENT RESTRICTED RIGHTS If Software is being acquired by or on be...

Page 237: ...ok2 Sun Enterprise Sun Enterprise Volume Manager and iPLANET trademarks and all SUN SOLARIS JAVA JINI FORTE STAROFFICE SunVTS AnswerBook2 Sun Enterprise Sun Enterprise Volume Manager and iPLANET relat...

Page 238: ...er in the documentation and or other materials provided with the distribution 3 All advertising materials mentioning features or use of this software must display the following acknowledgment This pro...

Page 239: ...etc code not just the SSL code The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson tjh cryptsoft com Copyright remains Er...

Page 240: ...THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE The licence and distribution terms for any publically available version or derivative of this code cannot be changed i e this code cann...

Page 241: ...the following acknowledgment This product includes software developed by Ralf S Engelschall rse engelschall com for use in the mod_ssl project http www modssl org THIS SOFTWARE IS PROVIDED BY RALF S E...

Page 243: ...mcactl 7d mca control device driver character based that provides an administrative interface to entities such as scad 1M and scadiag 1M scad 1m Daemon that provides keystore services scadiag 1m Util...

Page 244: ...ent operations for the financial services API fs_card_verify 3 Command that provides credit card processing operations for the financial services API fs_pin_verify 3 Command that provides PIN manageme...

Page 245: ...mgr program See Perform a Software Zeroize on the Board on page 81 Also refer to the online manual pages for scadiag 4 regarding removing all key material Note Performing a hardware zeroize on the boa...

Page 246: ...s you can use dynamic reconfiguration DR to remove and replace the board as necessary for this procedure instead of powering off the system Refer to the documentation delivered with your system for th...

Page 247: ...wer off the system 6 Remove the jumper from pins 0 and 1 of the jumper block and store the jumper in the original location Note You can safely store the jumper on pins 3 and 5 This location does not a...

Page 248: ...rsion 1 1 February 2013 10 Reconnect to Sun Crypto Accelerator 6000 board with scamgr scamgr prompts you to either initialize the board with a new keystore or initialize the board to use an existing k...

Page 249: ...r File Copyright 2006 Sun Microsystems Inc All rights reserved Use is subject to license terms ifndef_FINSVCS_H define_FINSVCS_H pragma ident finsvcs h1 506 04 19 SMI ifdef__cplusplus extern C endif i...

Page 250: ...nvalidPinType invalid pin block format fsInvalidDectbl fsInvalidPan fsInvalidCmd fsInvalidState fsNotInitialized fsNotFound fsInvalidLibVersion fsReturn_t fs state typedef enum fsStateUninit fsStateNo...

Page 251: ...R where N PIN length P PIN digit R random digit between o and 0xf typedef enum fsPinType ISOFormat0 ISOFormat1 fsPinType_t defineFS_PIN_SIZE8 Personal Identification Number PIN data type typedef struct...

Page 252: ...ication Key KEK Key Encryption Key MACK MAC Key fsKeyUsage_t defineMAX_KEY_USAGE6 Financial Key Types DESx only currently typedef enum fsKeyType DES 1 Single length DES DES2 Double length DES DES3 3DE...

Page 253: ...nibbles digits from 12 to 19 uint8_tpan FS_PAN_SIZE fsPan_t typedef enum fsObjectType fsObjDecTable fsObjKey fsObjectType_t typedef struct fsObjectData_s fsObjectType_ttype union fsDecTable_tdecTable...

Page 254: ...uint8_t refCSC 3 csc data fsCardData_t if defined CPU_XSCALE defined _KERNEL Library prototypes general purpose routines fsLibHandle_tfs_lib_open char fsReturn_t fsReturn_tfs_lib_close fsLibHandle_t f...

Page 255: ...turn_tfs_key_import fsSessHandle_t fsKeyUsage_t fsKey_t fsKey917_t fsKey_t boolean_t fsReturn_tfs_key_export fsSessHandle_t fsKeyUsage_t fsKey_t fsKey_t fsKey917_t boolean_t fsReturn_tfs_retrieve_obje...

Page 257: ...235 APPENDIX G Supported PKCS 11 Mechanisms This appendix lists the PKCS 11 mechanisms supported by the Sun Crypto Accelerator 6000 board TABLE G 1 lists the mechanisms supported by the board...

Page 258: ...or 32 byte CKM_MD5_HMAC 1 61439 bytes Multi Part is implemented in firmware Disabled by default CKM_SHA_1_HMAC 1 61439 bytes Multi Part is implemented in firmware Disabled by default CKM_SHA512_HMAC 1...

Page 259: ...EY_PAIR_GEN 512 1024 bits CKM_DES_KEY_GEN 8 bytes CKM_DES2_KEY_GEN 16 bytes CKM_DES3_KEY_GEN 24 bytes CKM_AES_KEY_GEN 16 24 or 32 bytes CKM_RC2_CBC_PAD 8 1024 bits Disabled by default TABLE G 1 Suppor...

Page 261: ...nds ldapmodify 111 modinfo 23 openssl 109 pkgadd 21 prtdiag 13 14 22 27 svcadm 111 zeroize 224 credit card processing 140 cryptographic algorithms acceleration 4 enabling optional algorithms 93 suppor...

Page 262: ...personal account number 136 PIN 136 PVKI 137 security officers 142 setting mode 142 FIPS 140 2 mode 39 firmware 225 H hardware 10 hardware and software requirements 10 hardware zeroize 223 235 hexadec...

Page 263: ...pdate 153 C_GetObjectSize 153 C_GetOperationState 153 C_SetOperationState 153 C_SignEncryptUpdate 153 CK_EFFECTIVELY_INFINITE 153 CKM_MD5 153 CKM_SHA_1 153 cryptoadm 148 developing applications 152 de...

Page 264: ...a keystore with security officers 60 with users 61 prompt 43 quitting 48 setting auto logout 77 user name requirements 58 using 34 utility 34 security officer accounts 57 security officers 60 server...

Page 265: ...key 125 TPK 125 trust database creating scamgr 38 Sun Java System Web Server 6 0 165 U user accounts 57 V Visa PVV Method 135 W web servers 158 Z zeroize command 224 zeroizing the hardware 223 235 zon...
