Sun Microsystems Crypto Accelerator 4000 User Manual

Sun™ Crypto Accelerator 4000
Board Installation and User’s Guide
Sun Microsystems, Inc. 4150 Network Circle Santa Clara, CA 95054 U.S.A. 650-960-1300
Part No. 817-0431-10 May 2003, Revision A
Send comments about this document to: docfeedback@sun.com
Copyright 2003 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved. This product or document is distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this product or document may be reproduced in any form by any means without prior written authorization of Sun and its licensors, if any. Third-party software, including font technology, is copyrighted and licensed from Sun suppliers.
Parts of the product may be derived from Berkeley BSD systems, licensed from the University of California. UNIX is a registered trademark in the U.S. and other countries, exclusively licensed through X/Open Company, Ltd.
Sun, Sun Microsystems, the Sun logo, SunVTS, AnswerBook2, docs.sun.com, Sun ONE, Sun Enterprise, Sun Enterprise Volume Manager, Sun Fire, SunSolve, Netra, and Solaris are trademarks, registered trademarks, or service marks of Sun Microsystems, Inc. in the U.S. and other countries. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and other countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc. Netscape is a trademark or registered trademark of Netscape Communications Corporation. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software developed by Ralf S. Engelschall <rse@engelschall.com> for use in the mod_ssl project (http://www.modssl.org/).
The OPEN LOOK and Sun™ Graphical User Interface was developed by Sun Microsystems, Inc. for its users and licensees. Sun acknowledges the pioneering efforts of Xerox in researching and developing the concept of visual or graphical user interfaces for the computer industry. Sun holds a non-exclusive license from Xerox to the Xerox Graphical User Interface, which license also covers Sun’s licensees who implement OPEN LOOK GUIs and otherwise comply with Sun’s written license agreements.
DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.

Declaration of Conformity (Fiber MMF)

Compliance Model Number: Venus-FI
Product Family Name: Sun Crypto Accelerator 4000 - Fiber (X4012A)

EMC
USA - FCC Class B
This equipment complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions:
1) This equipment may not cause harmful interference.
2) This equipment must accept any interference that may cause undesired operation.

European Union
This equipment complies with the following requirements of the EMC Directive 89/336/EEC:
As Telecommunication Network Equipment (TNE) in both Telecom Centers and Other Than Telecom Centers per (as applicable):
EN300-386 V.1.3.1 (09-2001) Required Limits:
EN55022/CISPR22 Class B
EN61000-3-2 Pass
EN61000-3-3 Pass
EN61000-4-2 6 kV (Direct), 8 kV (Air)
EN61000-4-3 3 V/m 80-1000 MHz, 10 V/m 800-960 MHz and 1400-2000 MHz
EN61000-4-4 1 kV AC and DC Power Lines, 0.5 kV Signal Lines
EN61000-4-5 2 kV AC Line-Gnd, 1 kV AC Line-Line and Outdoor Signal Lines, 0.5 kV Indoor Signal Lines > 10m
EN61000-4-6 3 V
EN61000-4-11 Pass

As Information Technology Equipment (ITE) Class B per (as applicable):
EN55022:1998/CISPR22:1997 Class B
EN55024:1998 Required Limits:
EN61000-4-2 4 kV (Direct), 8 kV (Air)
EN61000-4-3 3 V/m
EN61000-4-4 1 kV AC Power Lines, 0.5 kV Signal and DC Power Lines
EN61000-4-5 1 kV AC Line-Line and Outdoor Signal Lines, 2 kV AC Line-Gnd, 0.5 kV DC Power Lines
EN61000-4-6 3 V
EN61000-4-8 1 A/m
EN61000-4-11 Pass
EN61000-3-2:1995 + A1, A2, A14 Pass
EN61000-3-3:1995 Pass

Safety
This equipment complies with the following requirements of the Low Voltage Directive 73/23/EEC:
EC Type Examination Certificates:
EN 60950:2000, 3rd Edition
IEC 60950:2000, 3rd Edition
Evaluated to all CB Countries
UL 60950, 3rd Edition, CSA C22.2 No. 60950-00

Supplementary Information
This product was tested and complies with all the requirements for the CE Mark.

/S/ Dennis P. Symanski
Manager, Compliance Engineering
Sun Microsystems, Inc.
4150 Network Circle, MPK15-102
Santa Clara, CA 95054, USA
Tel: 650-786-3255 Fax: 650-786-3723

/S/ Pamela J Dullaghan
Quality Program Manager
Sun Microsystems Scotland, Limited
Springfield, Linlithgow
West Lothian, EH49 7LR
Scotland, United Kingdom
Tel: +44 1 506 672 395 Fax: +44 1 506 672 855

Declaration of Conformity (Copper UTP)

Compliance Model Number: Venus-CU
Product Family Name: Sun Crypto Accelerator 4000 - Copper (X4011A)

EMC
USA - FCC Class B
This equipment complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions:
1) This equipment may not cause harmful interference.
2) This equipment must accept any interference that may cause undesired operation.

European Union
This equipment complies with the following requirements of the EMC Directive 89/336/EEC:
As Telecommunication Network Equipment (TNE) in both Telecom Centers and Other Than Telecom Centers per (as applicable):
EN300-386 V.1.3.1 (09-2001) Required Limits:
EN55022/CISPR22 Class B
EN61000-3-2 Pass
EN61000-3-3 Pass
EN61000-4-2 6 kV (Direct), 8 kV (Air)
EN61000-4-3 3 V/m 80-1000 MHz, 10 V/m 800-960 MHz and 1400-2000 MHz
EN61000-4-4 1 kV AC and DC Power Lines, 0.5 kV Signal Lines
EN61000-4-5 2 kV AC Line-Gnd, 1 kV AC Line-Line and Outdoor Signal Lines, 0.5 kV Indoor Signal Lines > 10m
EN61000-4-6 3 V
EN61000-4-11 Pass

As Information Technology Equipment (ITE) Class B per (as applicable):
EN55022:1998/CISPR22:1997 Class B
EN55024:1998 Required Limits:
EN61000-4-2 4 kV (Direct), 8 kV (Air)
EN61000-4-3 3 V/m
EN61000-4-4 1 kV AC Power Lines, 0.5 kV Signal and DC Power Lines
EN61000-4-5 1 kV AC Line-Line and Outdoor Signal Lines, 2 kV AC Line-Gnd, 0.5 kV DC Power Lines
EN61000-4-6 3 V
EN61000-4-8 1 A/m
EN61000-4-11 Pass
EN61000-3-2:1995 + A1, A2, A14 Pass
EN61000-3-3:1995 Pass

Safety
This equipment complies with the following requirements of the Low Voltage Directive 73/23/EEC:
EC Type Examination Certificates:
EN 60950:2000, 3rd Edition
IEC 60950:2000, 3rd Edition
Evaluated to all CB Countries
UL 60950, 3rd Edition, CSA C22.2 No. 60950-00

Supplementary Information
This product was tested and complies with all the requirements for the CE Mark.

/S/ Dennis P. Symanski
Manager, Compliance Engineering
Sun Microsystems, Inc.
4150 Network Circle, MPK15-102
Santa Clara, CA 95054, USA
Tel: 650-786-3255 Fax: 650-786-3723

/S/ Pamela J Dullaghan
Quality Program Manager
Sun Microsystems Scotland, Limited
Springfield, Linlithgow
West Lothian, EH49 7LR
Scotland, United Kingdom
Tel: +44 1 506 672 395 Fax: +44 1 506 672 855

Regulatory Compliance Statements

Your Sun product is marked to indicate its compliance class:
• Federal Communications Commission (FCC) — USA
• Industry Canada Equipment Standard for Digital Equipment (ICES-003) — Canada
• Voluntary Control Council for Interference (VCCI) — Japan
• Bureau of Standards Metrology and Inspection (BSMI) — Taiwan
Please read the appropriate section that corresponds to the marking on your Sun product before attempting to install the product.
FCC Class A Notice
This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions:
1. This device may not cause harmful interference.
2. This device must accept any interference received, including interference that may cause undesired operation.
Note: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy, and if it is not installed and used in accordance with the instruction manual, it may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user will be required to correct the interference at his own expense.
Shielded Cables: Connections between the workstation and peripherals must be made using shielded cables to comply with FCC radio frequency emission limits. Networking connections can be made using unshielded twisted-pair (UTP) cables.
Modifications: Any modifications made to this device that are not approved by Sun Microsystems, Inc. may void the authority granted to the user by the FCC to operate this equipment.
FCC Class B Notice
This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions:
1. This device may not cause harmful interference.
2. This device must accept any interference received, including interference that may cause undesired operation.
Note: This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
• Reorient or relocate the receiving antenna.
• Increase the separation between the equipment and receiver.
• Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
• Consult the dealer or an experienced radio/television technician for help.
Shielded Cables: Connections between the workstation and peripherals must be made using shielded cables in order to maintain compliance with FCC radio frequency emission limits. Networking connections can be made using unshielded twisted pair (UTP) cables.
Modifications: Any modifications made to this device that are not approved by Sun Microsystems, Inc. may void the authority granted to the user by the FCC to operate this equipment.
ICES-003 Class A Notice - Avis NMB-003, Classe A
This Class A digital apparatus complies with Canadian ICES-003. Cet appareil numérique de la classe A est conforme à la norme NMB-003 du Canada.
ICES-003 Class B Notice - Avis NMB-003, Classe B
This Class B digital apparatus complies with Canadian ICES-003. Cet appareil numérique de la classe B est conforme à la norme NMB-003 du Canada.
BSMI Class A Notice
The following statement is applicable to products shipped to Taiwan and marked as Class A on the product compliance label.

Contents

1. Product Overview 1
Product Features 1
Key Protocols and Interfaces 1
Key Features 2
Supported Applications 2
Supported Cryptographic Protocols 2
Diagnostic Support 3
Cryptographic Algorithm Acceleration 3
Supported Cryptographic Algorithms 3
Bulk Encryption 4
Hardware Overview 5
IPsec Hardware Acceleration 5
Sun Crypto Accelerator 4000 MMF Adapter 6
LED Displays 6
Sun Crypto Accelerator 4000 UTP Adapter 7
LED Displays 8
Dynamic Reconfiguration and High Availability 9
Load Sharing 9
Hardware and Software Requirements 10
Required Patches 10
Apache Web Server Patch 10
Solaris 8 Patches 11
Solaris 9 Patches 11
2. Installing the Sun Crypto Accelerator 4000 Board 13
Handling the Board 13
Installing the Board 14
To Install the Hardware 14
Installing the Sun Crypto Accelerator 4000 Software 16
To Install the Software 16
Installing the Optional Packages 18
Directories and Files 19
Removing the Software 21
To Remove the Software 21
3. Configuring Driver Parameters 23
Sun Crypto Accelerator 4000 Ethernet Device Driver (vca) Parameters 23
Driver Parameter Values and Definitions 24
Advertised Link Parameters 25
Flow Control Parameters 27
Gigabit Forced Mode Parameter 28
Interpacket Gap Parameters 28
Interrupt Parameters 30
Random Early Drop Parameters 30
PCI Bus Interface Parameters 32
Setting vca Driver Parameters 33
Setting Parameters Using the ndd Utility 33
To Specify Device Instances for the ndd Utility 33
Noninteractive and Interactive Modes 34
Setting Autonegotiation or Forced Mode 36
To Disable Autonegotiation Mode 37
Setting Parameters Using the vca.conf File 38
To Set Driver Parameters Using a vca.conf File 38
Setting Parameters for All Sun Crypto Accelerator 4000 vca Devices With the vca.conf File 39
To Set Parameters for All Sun Crypto Accelerator 4000 vca Devices With the vca.conf File 40
Example vca.conf File 40
Enabling Autonegotiation or Forced Mode for Link Parameters With the OpenBoot PROM 41
Sun Crypto Accelerator 4000 Cryptographic and Ethernet Driver Operating Statistics 43
Cryptographic Driver Statistics 43
Ethernet Driver Statistics 44
Reporting the Link Partner Capabilities 48
To Check Link Partner Settings 51
Network Configuration 52
Configuring the Network Host Files 52
4. Administering the Sun Crypto Accelerator 4000 Board With the vcaadm and vcadiag Utilities 55
Using vcaadm 55
Modes of Operation 56
Single-Command Mode 57
File Mode 57
Interactive Mode 58
Logging In and Out With vcaadm 58
Logging In to a Board With vcaadm 59
Logging In to a New Board 59
Logging In to a Board With a Changed Remote Access Key 60
vcaadm Prompt 61
Logging Out of a Board With vcaadm 61
Entering Commands With vcaadm 63
Getting Help for Commands 64
Quitting the vcaadm Program in Interactive Mode 65
Initializing the Sun Crypto Accelerator 4000 Board With vcaadm 65
To Initialize the Sun Crypto Accelerator 4000 Board With a New Keystore 66
Initializing the Sun Crypto Accelerator 4000 Board to Use an Existing Keystore 67
To Initialize the Sun Crypto Accelerator 4000 Board to Use an Existing Keystore 68
Managing Keystores With vcaadm 69
Naming Requirements 69
Password Requirements 69
Setting the Password Requirements 70
Populating a Keystore With Security Officers 70
Populating a Keystore With Users 71
Listing Users and Security Officers 72
Changing Passwords 72
Enabling or Disabling Users 73
Deleting Users 74
Deleting Security Officers 74
Backing Up the Master Key 74
Locking the Keystore to Prevent Backups 75
Managing Boards With vcaadm 76
Setting the Auto-Logout Time 76
Displaying Board Status 77
Loading New Firmware 78
Resetting a Sun Crypto Accelerator 4000 Board 78
Rekeying a Sun Crypto Accelerator 4000 Board 79
Zeroizing a Sun Crypto Accelerator 4000 Board 80
Using the vcaadm diagnostics Command 80
Using vcadiag 81
5. Configuring Sun ONE Server Software for Use With the Sun Crypto Accelerator 4000 Board 85
Administering Security for Sun ONE Web Servers 85
Concepts and Terminology 86
Tokens and Token Files 87
Token Files 87
Enabling and Disabling Bulk Encryption 88
Configuring Sun ONE Web Servers 89
Passwords 89
Populating a Keystore 90
To Populate a Keystore 90
Overview for Enabling Sun ONE Web Servers 91
Installing and Configuring Sun ONE Web Server 4.1 92
Installing Sun ONE Web Server 4.1 92
To Install Sun ONE Web Server 4.1 92
To Create a Trust Database 93
To Generate a Server Certificate 95
To Install the Server Certificate 98
Configuring Sun ONE Web Server 4.1 for SSL 99
To Configure the Sun ONE Web Server 4.1 99
Installing and Configuring Sun ONE Web Server 6.0 101
Installing Sun ONE Web Server 6.0 101
To Install Sun ONE Web Server 6.0 101
To Create a Trust Database 102
To Generate a Server Certificate 104
To Install the Server Certificate 107
Configuring Sun ONE Web Server 6.0 for SSL 108
To Configure the Sun ONE Web Server 6.0 108
6. Configuring Apache Web Servers for Use With the Sun Crypto Accelerator 4000 Board 111
Enabling the Board for Apache Web Servers 112
Enabling Apache Web Servers 112
To Enable the Apache Web Server 112
Creating a Certificate 114
To Create a Certificate 115
7. Diagnostics and Troubleshooting 119
SunVTS Diagnostic Software 119
Installing SunVTS netlbtest and nettest Support for the vca Driver 120
Using SunVTS Software to Perform vcatest, nettest, and netlbtest 121
To Perform vcatest 121
Test Parameter Options for vcatest 123
vcatest Command-Line Syntax 123
To Perform netlbtest 124
To Perform nettest 125
Using kstat to Determine Cryptographic Activity 128
Using the OpenBoot PROM FCode Self-Test 129
Performing the Ethernet FCode Self-Test Diagnostic 129
Troubleshooting the Sun Crypto Accelerator 4000 Board 132
show-devs 132
.properties 133
watch-net 134
A. Specifications 135
Sun Crypto Accelerator 4000 MMF Adapter 135
Connectors 135
Physical Dimensions 137
Performance Specifications 137
Power Requirements 137
Interface Specifications 138
Environmental Specifications 138
Sun Crypto Accelerator 4000 UTP Adapter 138
Connectors 138
Physical Dimensions 140
Performance Specifications 140
Power Requirements 140
Interface Specifications 141
Environmental Specifications 141
B. SSL Configuration Directives for Apache Web Servers 143
C. Building Applications for Use With the Sun Crypto Accelerator 4000 Board 151
D. Software Licenses 153
Third Party License Terms 156
E. Manual Pages 161
F. Zeroizing the Hardware 163
Zeroizing the Sun Crypto Accelerator 4000 Hardware to the Factory State 163
To Zeroize the Sun Crypto Accelerator 4000 Board With the Hardware Jumper 164
G. Frequently Asked Questions 167
How Do I Configure the Web Server to Startup Without User Interaction on Reboot? 167
To Create an Encrypted Key for Automatic Startup of Apache Web Servers on Reboot 167
To Create an Encrypted Key for Automatic Startup of Sun ONE Web Servers on Reboot 168
How Do I Assign Different MAC Addresses to Multiple Boards Installed in the Same Server? 168
To Assign Different MAC Addresses From a Terminal Window 169
To Assign Different MAC Addresses From the OpenBoot PROM Level 169
How Can I Configure the Sun Crypto Accelerator 1000 for Use With Apache After I Have Installed the Sun Crypto Accelerator 4000 Software? 169
How Do I Self-Sign a Certificate for Testing? 170

Tables

TABLE 1-1 IPsec Cryptographic Algorithms 3
TABLE 1-2 SSL Cryptographic Algorithms 3
TABLE 1-3 Supported SSL Algorithms 4
TABLE 1-4 Front Panel Display LEDs for the MMF Adapter 6
TABLE 1-5 Front Panel Display LEDs for the UTP Adapter 8
TABLE 1-6 Hardware and Software Requirements 10
TABLE 1-7 Required Solaris 8 Patches for Sun Crypto Accelerator 4000 Software 11
TABLE 2-1 Files in the /cdrom/cdrom0 Directory 17
TABLE 2-2 Sun Crypto Accelerator 4000 Directories 19
TABLE 3-1 vca Driver Parameter, Status, and Descriptions 24
TABLE 3-2 Operational Mode Parameters 26
TABLE 3-3 Read-Write Flow Control Keyword Descriptions 27
TABLE 3-4 Gigabit Forced Mode Parameter 28
TABLE 3-5 Parameters Defining enable-ipg0 and ipg0 29
TABLE 3-6 Read-Write Interpacket Gap Parameter Values and Descriptions 29
TABLE 3-7 RX Blanking Register for Alias Read 30
TABLE 3-8 RX Random Early Detecting 8-Bit Vectors 30
TABLE 3-9 PCI Bus Interface Parameters 32
TABLE 3-10 Device Path Name 39
TABLE 3-11 Local Link Network Device Parameters 41
TABLE 3-12 Cryptographic Driver Statistics 43
TABLE 3-13 Ethernet Driver Statistics 44
TABLE 3-14 TX and RX MAC Counters 45
TABLE 3-15 Current Ethernet Link Properties 47
TABLE 3-16 Read-Only vca Device Capabilities 47
TABLE 3-17 Read-Only Link Partner Capabilities 48
TABLE 3-18 Driver-Specific Parameters 49
TABLE 4-1 vcaadm Options 56
TABLE 4-2 vcaadm Prompt Variable Definitions 61
TABLE 4-3 connect Command Optional Parameters 62
TABLE 4-4 Security Officer Name, User Name, and Keystore Name Requirements 69
TABLE 4-5 Password Requirement Settings 70
TABLE 4-6 Key Types 79
TABLE 4-7 vcadiag Options 82
TABLE 5-1 Passwords Required for Sun ONE Web Servers 89
TABLE 5-2 Requestor Information Fields 97
TABLE 5-3 Fields for the Certificate to Install 99
TABLE 5-4 Requestor Information Fields 106
TABLE 5-5 Fields for the Certificate to Install 108
TABLE 7-1 SunVTS netlbtest and nettest Required Software for the vca Driver 120
TABLE 7-2 vcatest Subtests 123
TABLE 7-3 vcatest Command-Line Syntax 124
TABLE A-1 SC Connector Link Characteristics (IEEE P802.3z) 136
TABLE A-2 Physical Dimensions 137
TABLE A-3 Performance Specifications 137
TABLE A-4 Power Requirements 137
TABLE A-5 Interface Specifications 138
TABLE A-6 Environmental Specifications 138
TABLE A-7 Cat-5 Connector Link Characteristics 139
TABLE A-8 Physical Dimensions 140
TABLE A-9 Performance Specifications 140
TABLE A-10 Power Requirements 140
TABLE A-11 Interface Specifications 141
TABLE A-12 Environmental Specifications 141
TABLE B-1 SSL Protocols 144
TABLE B-2 Available SSL Ciphers 145
TABLE B-3 SSL Aliases 146
TABLE B-4 Special Characters to Configure Cipher Preference 147
TABLE B-5 SSL Verify Client Levels 148
TABLE B-6 SSL Log Level Values 149
TABLE B-7 Available SSL Options 150
TABLE E-1 Sun Crypto Accelerator 4000 Online Manual Pages 161

Preface

The Sun Crypto Accelerator 4000 Board Installation and User’s Guide lists the features, protocols, and interfaces of the Sun™ Crypto Accelerator 4000 board and describes how to install, configure, and manage the board in your system.
This book assumes that you are a network administrator with experience configuring one or more of the following: Solaris™ operating environment, Sun platforms with PCI I/O cards, Sun™ ONE and Apache Web Servers, IPsec, SunVTS™ software, and certification authority acquisitions.
How This Book Is Organized
This book is organized as follows:
Chapter 1 lists the product features, protocols, and interfaces of the Sun Crypto Accelerator 4000 board, and describes the hardware and software requirements.
Chapter 2 describes how to install and remove the Sun Crypto Accelerator 4000 hardware and software.
Chapter 3 defines the Sun Crypto Accelerator 4000 tunable driver parameters and describes how to configure them with the ndd utility and the vca.conf file. This chapter also describes how to enable autonegotiation or forced mode for link parameters at the OpenBoot™ PROM interface and how to configure the network hosts file.
Chapter 4 describes how to configure the Sun Crypto Accelerator 4000 board and manage keystores with the vcaadm and vcadiag utilities.
Chapter 5 explains how to configure the Sun Crypto Accelerator 4000 board for use with Sun ONE Web Servers.
Chapter 6 explains how to configure the Sun Crypto Accelerator 4000 board for use with Apache Web Servers.
Chapter 7 describes how to test the Sun Crypto Accelerator 4000 board with the SunVTS diagnostic application and the onboard FCode self-test. This chapter also provides troubleshooting techniques with OpenBoot PROM commands.
Appendix A lists the specifications for the Sun Crypto Accelerator 4000 board.
Appendix B lists directives for using Sun Crypto Accelerator 4000 software to configure SSL support for Apache Web Servers.
Appendix C describes the software supplied with the Sun Crypto Accelerator 4000 board and how to build OpenSSL-compatible applications to take advantage of the cryptographic acceleration features of the board.
Appendix D provides software notices and licenses from other software organizations that govern the use of third-party software used with the Sun Crypto Accelerator 4000 board.
Appendix E provides a description of the Sun Crypto Accelerator 4000 commands and lists the online manual pages for each command.
Appendix F describes how to zeroize the Sun Crypto Accelerator 4000 board to the factory state, which is the failsafe mode for the board.
Appendix G provides answers to frequently asked questions.
Using UNIX Commands
This document does not contain information on basic UNIX®commands and procedures such as shutting down the system, booting the system, and configuring devices.
See one or more of the following for this information:
Solaris Hardware Platform Guide
Online documentation for the Solaris operating environment available at:
http://docs.sun.com
Other software documentation that you received with your system
Typographic Conventions
Typeface | Meaning | Examples
AaBbCc123 | The names of commands, files, and directories; on-screen computer output | Edit your .login file. Use ls -a to list all files. % You have mail.
AaBbCc123 | What you type, when contrasted with on-screen computer output | % su  Password:
AaBbCc123 | Book titles, new words or terms, words to be emphasized | Read Chapter 6 in the User’s Guide. These are called class options. You must be superuser to do this.
AaBbCc123 | Command-line variable; replace with a real name or value | To delete a file, type rm filename.
Shell Prompts
Shell | Prompt
C shell | machine_name%
C shell superuser | machine_name#
Bourne shell and Korn shell | $
Bourne shell and Korn shell superuser | #
Accessing Sun Documentation Online
You can view, print, or purchase a broad selection of Sun documentation, including localized versions, at:
http://www.sun.com/documentation
Sun Welcomes Your Comments
Sun is interested in improving its documentation and welcomes your comments and suggestions. You can email your comments to Sun at:
docfeedback@sun.com
Please include the part number (817-0431-10) of your document in the subject line of your email.
CHAPTER 1

Product Overview

This chapter provides an overview of the Sun Crypto Accelerator 4000 board, and contains the following sections:
“Product Features” on page 1
“Hardware Overview” on page 5
“Hardware and Software Requirements” on page 10

Product Features

The Sun Crypto Accelerator 4000 board is a Gigabit Ethernet-based network interface card that supports cryptographic hardware acceleration for IPsec and SSL (both symmetric and asymmetric) on Sun servers. In addition to operating as a standard Gigabit Ethernet network interface card for unencrypted network traffic, the board contains cryptographic hardware to support a higher throughput for encrypted IPsec traffic than the standard software solution.

Key Protocols and Interfaces

The Sun Crypto Accelerator 4000 board is interoperable with existing Ethernet equipment assuming standard Ethernet minimum and maximum frame size (64 to 1518 bytes), frame format, and compliance with the following standards and protocols:
Full-size PCI 33/66 MHz, 32/64-bit
IEEE 802.3 CSMA/CD (Ethernet)
IEEE 802.2 Logical Link Control
SNMP (limited MIB)
Full- and half-duplex Gigabit Ethernet interface (IEEE 802.3z)
Universal dual voltage signaling (3.3V and 5V)

Key Features

Gigabit Ethernet with either copper or fiber interface
Accelerates IPsec and SSL cryptographic functions
Session establishment rate: up to 4300 operations per second
Bulk encryption rate: up to 800 Mbps
Provides up to 2048-bit RSA encryption
Delivers up to 10 times faster 3DES bulk data encryption
Provides tamper-proof, centralized security key and certificate administration for Sun ONE Web Server for increased security and simplified key management
Designed for FIPS 140-2 Level 3 certification
Low CPU utilization—frees up server system resource and bandwidth
Secure private key storage and management
Dynamic reconfiguration (DR) and redundancy/failover support on Sun’s midframe and high-end servers
Load balancing for RX packets among multiple CPUs
Full flow control support (IEEE 802.3x)
The Sun Crypto Accelerator 4000 boards are designed to comply with the security requirements for cryptographic modules as documented in the Federal Information Processing Standard (FIPS) 140-2, Level 3.

Supported Applications

Solaris 8 and 9 operating environments (IPsec VPN)
Sun ONE Web Server
Apache Web Server

Supported Cryptographic Protocols

The board supports the following protocols:
IPsec for IPv4 and IPv6, including IKE
SSLv2, SSLv3, TLSv1
The board accelerates the following IPsec functions:
ESP (DES, 3DES) Encryption
The board accelerates the following SSL functions:
Secure establishment of a set of cryptographic parameters and secret keys
between a client and a server
Secure key storage on the board—keys are encrypted if they leave the board

Diagnostic Support

User-executable self-test using OpenBoot™ PROM
SunVTS™ diagnostic tests

Cryptographic Algorithm Acceleration

The Sun Crypto Accelerator 4000 board accelerates cryptographic algorithms in both hardware and software. The reason for this complexity is that the cost of accelerating cryptographic algorithms is not uniform across all algorithms. Some cryptographic algorithms were designed specifically to be implemented in hardware, others were designed to be implemented in software. For hardware acceleration, there is the additional cost of moving data from the user application to the hardware acceleration device, and moving the results back to the user application. Note that a few cryptographic algorithms can be performed by highly tuned software as quickly as they can be performed in dedicated hardware.
Supported Cryptographic Algorithms
The Sun Crypto Accelerator 4000 driver (vca) examines each cryptographic request and determines the best location for the acceleration (host processor or Sun Crypto Accelerator 4000), to achieve maximum throughput. Load distribution is based on the cryptographic algorithm, the current job load, and the data size.
The Sun Crypto Accelerator 4000 board accelerates the following IPsec algorithms.
TABLE 1-1 IPsec Cryptographic Algorithms
Type | Algorithm
Symmetric | DES, 3DES
The Sun Crypto Accelerator 4000 board accelerates the following SSL algorithms.
TABLE 1-2 SSL Cryptographic Algorithms
Type | Algorithm
Symmetric | DES, 3DES, ARCFOUR
Asymmetric | Diffie-Hellman (Apache only) and RSA (up to 2048 bit key), DSA
Hash | MD5, SHA1
SSL Acceleration
TABLE 1-3 shows which SSL accelerated algorithms may be off-loaded to hardware and which software algorithms are provided for Sun ONE and Apache Web Servers.
TABLE 1-3 Supported SSL Algorithms
Columns: Sun ONE Web Servers (Hardware, Software), Apache Web Servers (Hardware, Software)
Algorithm: Hardware Software Hardware Software
RSA: X X X X
DSA: X X X X
ARCFOUR: X
Diffie-Hellman: X X
DES: X X X X
3DES: X X X X
MD5: X X
SHA1: X X
Bulk Encryption
The Sun Crypto Accelerator 4000 bulk encryption feature for Sun ONE server software is disabled by default. You must manually enable this feature by creating a file and restarting the Sun ONE server software.
To enable Sun ONE server software to use bulk encryption on the Sun Crypto Accelerator 4000 board, you simply create an empty file in the /etc/opt/SUNWconn/cryptov2/ directory named sslreg, and restart the server software.
# touch /etc/opt/SUNWconn/cryptov2/sslreg
To disable the bulk encryption feature, you must delete the sslreg file and restart the server software.
# rm /etc/opt/SUNWconn/cryptov2/sslreg
The bulk encryption feature for Apache Web Server software is enabled by default and cannot be disabled.