Sun Oracle Sun Crypto Accelerator 6000 Board User Manual

Sun Crypto Accelerator 6000 Board Version 1.1
User’s Guide
Part No.: E39851-01 February 2013
Copyright © 2006, 2013, Oracle and/or its affiliates. All rights reserved.
The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.
If this is software or related software documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable:
U.S. GOVERNMENT END USERS. Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government.
This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.
This software or hardware and documentation may provide access to or information on content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services.
Contents
Regulatory Compliance Statements
Preface
1. Product Overview
Product Features
New Features in the 1.1 Release
Key Features
Financial Services Support
Supported Applications
Supported Cryptographic Protocols and Algorithms
Diagnostic Support
Cryptographic Algorithm Acceleration
Hardware Overview
LED Displays
Direct Input Devices
Serial Port
USB Port
Dynamic Reconfiguration and High Availability
Load Sharing
Hardware and Software Requirements
Oracle Solaris 10 OS on SPARC and x86 Platforms
x86 AMD Opteron Platforms Running Linux
Required Patches
2. Installing the Sun Crypto Accelerator 6000 Board
Handling the Board
Installing the Board on Oracle Solaris Platforms
Install the Hardware
Installing the Sun Crypto Accelerator 6000 Software With the install Script
Install the Software With the install Script
Directories and Files for Oracle Solaris Platforms
Removing the Sun Crypto Accelerator 6000 Software on Oracle Solaris Platforms With the remove Script
Remove the Software With the remove Script on the CD-ROM
For Oracle Solaris 11, Remove the Software With the remove Script
Installing the Software on Oracle Solaris Platforms Without the Installation Script
Install the Software Without the install Script
Removing the Software on Oracle Solaris Platforms Without the remove Script
Delete Existing Keystores
Remove the Software Without the remove Script
Installing the Sun Crypto Accelerator 6000 Board on Linux Platforms
Install the Sun Crypto Accelerator 6000 Hardware on Linux Platforms
Install the Sun Crypto Accelerator 6000 Software on Linux Platforms With the install Script
Installing the Sun Crypto Accelerator 6000 Software on Linux Platforms Without the install Script
Install the Software Without the install Script
Directories and Files for Linux Platforms
Removing the Sun Crypto Accelerator 6000 Software on Linux Platforms
Removing the Sun Crypto Accelerator 6000 Software With the remove Script
Remove the Software With the remove Script
Remove the Software Without the remove Script
Migrating Back to Version 1.0 From 1.1
Back Up the 1.0 Keystore
Restore the 1.0 Software and Firmware:
3. Administering the Sun Crypto Accelerator 6000 Board
Using the scamgr Utility
Device and Keystore Security Officers
scamgr Syntax
scamgr Options
Modes of Operation
Interactive Mode
Single-Command Mode
File Mode
scamgr Secure Communication
Initializing the Board With scamgr
Board Initialization
Perform a Board Initialization
Keystore Initialization
Perform a Keystore Initialization and Create a New Keystore
Performing a Keystore Initialization to Use an Existing Keystore
Perform a Keystore Initialization and Use an Existing Keystore
Authentication and Logging In and Out With scamgr
scamgr Prompt
Log In To a Board With scamgr
Log In To a New Board
Log In To a Board With a Changed Remote Access Key
Log Out Of a Board With scamgr
Log In To Another Board
Quitting the scamgr Utility
Quit the scamgr Utility
Entering Commands With scamgr
Entering scamgr Commands
scamgr Commands
Getting Help for Commands
Managing Keystores With scamgr
Multiple Keystore Support
Naming Requirements
Password Requirements
Set the Password Requirements
Change Password Requirements
Change Passwords
Managing Security Officers and Users
Populate a Keystore With Security Officers
Populate a Keystore With Users
List Users
List Security Officers
Disable Users
Enable Users
Delete Users
Delete Security Officers
Backing Up Configuration and Keystore Data
Back Up a Device Configuration
Back Up a Master Key
Backup A Keystore
Locking Keystores to Restrict Access
Lock a Master Key to Prevent Backups
Lock a Keystore To Restrict Access
Enable a Locked Keystore To Enable Access
Disable a Locked Keystore To Prevent Access
Multi-Admin Authentication
Managing Multi-Admin Mode With scamgr
Assign Security Officers the Multi-Admin Role
Remove a Security Officer From the Multi-Admin Role
Set the Minimum Number of Security Officers Required to Authenticate Multi-Admin Commands
Set a Multi-Admin Command Timeout
Enable Multi-Admin Mode
Disable Multi-Admin Mode
Add Additional Security Officers to the Multi-Admin Role
Cancel a Multi-Admin Command Originated by the Initiating Security Officer
Allow a Multi-Admin Command to Time Out
Log In to a Board During a Multi-Admin Command as a Security Officer Not in the Multi-Admin Role
Attempt to Execute a Multi-Admin Command Without Multi-Admin Role Permissions
Managing Boards With scamgr
Set the Auto-Logout Time
Display Board Status
Load New Firmware
Reset the Board
Rekey the Board
Perform a Software Zeroize on the Board
Use the scamgr diagnostics Command
Direct Board Administration
USB Backup Support
Using the scadiag Utility
scadiag Options
scadiag Option Examples
Managing Services for Oracle Solaris Platforms
Start and Stop the Services
Service Configuration Parameters
List Service Configuration Parameters
Modify Service Configuration Parameters
Enabling Optional Cryptographic Algorithms
Enable the SHA-512 Algorithm
Enable the RC2 CBC Algorithm
Enable the Multi-part MD5 Algorithm
Enable the Multi-part SHA1 Algorithm
Enable the Multi-part SHA512 Algorithm
Enable the HMAC (MD5 or SHA1) Algorithm
Additional Instructions for Administering the Board on Linux Platforms
scamgr Program
Stop the Board on a Linux Platform
Start the Board on a Linux Platform
scadiag Program
4. Configuring Centralized Keystores
Centralized Keystore Overview
Keystore Virtualization
Configuring Centralized Keystores
Configuring the Directory Server With the scakscfg Utility
Configuring the scakiod Service to Use CKS
scakiod Service Configuration Options
Configure the scakiod Service to Use CKS (Oracle Solaris)
Configure the scakiod Service to Use CKS (Linux)
Configuring the scakiod Service to Use SSL With Simple Authentication
Configure scakiod for Simple Authentication Over SSL
Configuring the scakiod Service to Use SSL With Client Certificate Authentication
Configure the scakiod Service to Use SSL With Client Certificate Authentication
Adding the Certificate to the Agent Entry in the Directory Server
Add the Certificate to the Agent Entry in the DS
Configuring the Board to Join a Centralized Keystore
Join a Previously Configured Board to a Centralized Keystore
Join an Unconfigured Board to a Centralized Keystore
Troubleshooting CKS Issues
Cannot Contact Server
Initial Keystore Search Failed
Failed Binding to Server
Failed Binding to Server
Client Authentication Initialization Failed
5. Developing and Administering Financial Services
Financial Service Components Overview
Financial Services Library Initialization
Library Open Function fs_lib_open()
Library Shutdown Function fs_lib_close()
Session Establishment Function fs_session_open()
Session Shutdown Function fs_session_close()
Financial Services Data Types
Key Management Overview
Key Separation and Compartmentalization of Risk
Permitted Key Forms
Direct Key Loading
Load the MFK
Enable the MFK
Load the KEKs
Change the MFK
Key Management Functions
Generate Key Function fs_generate_key()
Import Key Function fs_import_key()
Export Key Function fs_export_key()
Translate Key Function fs_translate_key()
Retrieve Object Function fs_retrieve_object()
Status Function fs_status()
PIN Processing Functions
PIN Block Formats
ANSI/ISO Format 0
ISO Format 1
PIN Calculation Methods
Visa PVV Method
IBM-3624 Method
Personal Account Number
PIN
PVKI
PIN Verify Function fs_pin_verify()
PIN Translate Function fs_pin_translate()
Credit Card Processing Overview
Financial Services Library Function fs_card_verify(3)
Enabling the Financial Services Feature
Enable Financial Services
Administering Financial Services
Financial Services Security Officers
Direct Input Device
Setting Financial Services Mode
Administrative Commands
6. Developing PKCS#11 Applications for Use With the Sun Crypto Accelerator 6000 Board
Board Administration
Slot Descriptions
Keystore Slot
Sun Metaslot
Configuring Sun Metaslot to Use the Sun Crypto Accelerator 6000 Keystore
Configuring Secure Failover for Sun Metaslot
Hardware Slot
PKCS#11 and FIPS Mode
Developing Applications to Use PKCS#11
Sun Crypto Accelerator 6000 PKCS#11 Implementation Specifics
Token Objects
Supported and Unsupported Functions
Random Number Generator
Software Attributes
Software Error Codes
Token Object Handles
Developing PKCS#11 Applications for Use With the Sun Crypto Accelerator 6000 Board on Linux Platforms
7. Installing and Configuring Sun Java System Server Software
Administering Security for Sun Java System Web Servers
Web Server Concepts and Terminology
Users
Keystores
Slots and Tokens
Preparing to Configure Sun Java System Web Servers
Populating a Keystore
Populate a Keystore
Installing and Configuring Sun Java System Web Server 6.1
Install Sun Java System Web Server 6.1
Create a Trust Database
Register the Board With the Web Server
Generate a Server Certificate
Install the Server Certificate
Enable the Web Server for SSL
Installing and Configuring Sun Java System Web Server 7.0 Update 1
Install Sun Java System Web Server 7.0
Register the Board With the Web Server
Start the Sun Java System Web Server Administration Server
Manage the Tokens
Disable Unused Tokens
Pre-Set the Password for Tokens
Generate a Server Certificate
Install the Server Certificate
Deploy the Change
Enable the Web Server for SSL
Start the Web Server
Installing and Configuring Sun Java System Web Server on Linux Platforms
Configuring Sun Java System Web Servers to Start Up Without User Interaction on Reboot
Create an Encrypted Key for Automatic Startup of Sun Java System Web Servers on Reboot
8. Installing and Configuring Apache Web Server Software
Installing and Configuring Apache Web Server on Oracle Solaris Platforms
Create a Private Key and Certificate
Enable Apache Web Server
Installing and Configuring Apache Web Server on Linux Platforms
Prepare OpenSSL Libraries
Compile Apache Web Server
Configure and Start Apache Web Server
9. Diagnostics and Troubleshooting
Diagnostic Software
Performing SunVTS Diagnostics
Performing scamgr Diagnostics
Performing scadiag Diagnostics
Disabling Crypto Traffic on Other Hardware Providers in Your System
Disable Other Hardware Providers
Reenable Other Hardware Providers
Examining and Reporting Kernel Statistics
Determine Cryptographic Activity With the kstat Utility
Determining Cryptographic Activity on Linux Platforms
Determine Cryptographic Activity on Linux Platforms
A. Sun Crypto Accelerator 6000 Board Specifications
Connectors
Physical Dimensions
Power Requirements
Environmental Specifications
B. Installing and Configuring openCryptoki Software for Linux
Overview
Installing openCryptoki Software
Install openCryptoki Software on RHEL5
Build and Install openCryptoki on RHEL4 Updates
Build and Install openCryptoki Software on SUSE10 SP1 Platforms
C. Software Licenses
Third Party License Terms
D. Manual Pages
E. Zeroizing the Hardware
Zeroizing the Sun Crypto Accelerator 6000 Hardware to the Factory State
Zeroize the Sun Crypto Accelerator 6000 Board With a Hardware Jumper
F. Financial Services Header File
G. Supported PKCS#11 Mechanisms
Index
Regulatory Compliance Statements
Your Sun product is marked to indicate its compliance class:
Federal Communications Commission (FCC) — USA
Industry Canada Equipment Standard for Digital Equipment (ICES-003) — Canada
Voluntary Control Council for Interference (VCCI) — Japan
Bureau of Standards Metrology and Inspection (BSMI) — Taiwan
Please read the appropriate section that corresponds to the marking on your Sun product before attempting to install the product.
FCC Class B Notice
This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions:
1. This device may not cause harmful interference.
2. This device must accept any interference received, including interference that may cause undesired operation.
Note: This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
Reorient or relocate the receiving antenna.
Increase the separation between the equipment and receiver.
Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
Consult the dealer or an experienced radio/television technician for help.
Shielded Cables: Connections between the workstation and peripherals must be made using shielded cables in order to maintain compliance with FCC radio frequency emission limits. Networking connections can be made using unshielded twisted pair (UTP) cables.
Modifications: Any modifications made to this device that are not approved by Sun Microsystems, Inc. may void the authority granted to the user by the FCC to operate this equipment.
ICES-003 Class B Notice - Avis NMB-003, Classe B
This Class B digital apparatus complies with Canadian ICES-003.
Cet appareil numérique de la classe B est conforme à la norme NMB-003 du Canada.
BSMI Class A Notice
The following statement is applicable to products shipped to Taiwan and marked as Class A on the product compliance label.
Preface
This guide lists the features, protocols, and interfaces of the Sun Crypto Accelerator 6000 Board from Oracle and describes how to install, configure, and manage the board in your system.
This guide assumes that you are a network administrator with experience configuring one or more of the following:
Oracle Solaris Operating System (OS)
Sun platforms with PCI I/O cards
Sun Java Web System Servers and Apache Web Servers
IPsec
SunVTS software
Certification authority acquisitions
Note – In this document these x86 related terms mean the following:
– “x86” refers to the larger family of 64-bit and 32-bit x86 compatible products.
– “x64” points out specific 64-bit information about AMD64 or EM64T systems.
– “32-bit x86” points out specific 32-bit information about x86 base systems.
For supported systems, see “Hardware and Software Requirements” on page 10.
Product Notes
For late-breaking information and known issues about this product, refer to the product notes at:
http://docs.oracle.com/cd/E19321-01/index.html
Related Documentation
Documentation Link
All Oracle products http://www.oracle.com/documentation
Sun Crypto Accelerator 6000 Board http://docs.oracle.com/cd/E19321-01/index.html
Sun Crypto Accelerator 4000 PCI Card http://docs.oracle.com/cd/E19877-01/index.html
Oracle Solaris OS and systems software library http://www.oracle.com/technetwork/indexes/documentation/index.html#sys_sw
Feedback
Provide feedback about this documentation at:
http://www.oracle.com/goto/docfeedback
Access to Oracle Support
Oracle customers have access to electronic support through My Oracle Support. For information visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.
CHAPTER 1
Product Overview
This chapter provides an overview of the Sun Crypto Accelerator 6000 board, and contains the following sections:
“Product Features” on page 1
“Hardware Overview” on page 5
“Hardware and Software Requirements” on page 10
Product Features
The Sun Crypto Accelerator 6000 board is an 8-lane PCI Express based host bus adapter (HBA) that combines IPsec and SSL cryptographic acceleration with hardware security module (HSM) features. The Sun Crypto Accelerator 6000 board provides improved performance, additional security features, and support for new Oracle Solaris OS on SPARC and x86 platforms, and x86 AMD Opteron platforms running Linux. The combination of a dedicated HSM, advanced cryptographic security, and secure key management specifically meets the security and performance needs for financial services.
Once installed, the board is initialized and configured with the scamgr utility, which manages the keystore and user information, and determines the level of security in which the board operates. Once a keystore and security officer account are configured, Java and PKCS#11 applications such as Sun Java System server software, and OpenSSL applications such as Apache can be configured to use the board for cryptographic acceleration.
New Features in the 1.1 Release
Centralized key management (see Chapter 4 for details)
Multiple keystore support (see Chapter 3 for details)
Firmware based ECC
Firmware based SHA-512
Improved keystore backup (see Chapter 3 for details)
Improved Auditing (see Chapter 3 for details)
Key Features
Low-profile, half-length PCI Express, 8-lane (bi-8)
Support for Oracle Solaris Cryptographic Framework
Accelerates IPsec and SSL cryptographic functions
Session establishment rate – up to 13,000 operations per second
Bulk encryption rate – up to 1 Gbps
Provides up to 2048-bit RSA encryption
Provides tamper-resistant secure key storage and crypto acceleration benefits for PKCS#11-aware applications such as Sun Java System Server products
Provides centralized keystore support, enabling multiple machines to access a common key repository
FIPS 140-2 Level 3 certification
Low CPU utilization – frees up server system resource and bandwidth
Secure private key storage and management
Dynamic reconfiguration (DR), and redundancy and failover support on Sun’s midframe and high-end servers
Support for Oracle Solaris 10 OS and future compatible releases
Support for Linux: Red Hat EL 4.0, Red Hat EL Server 5, SuSE Enterprise 10 SP 1
Support for openCryptoki software
Support for the Service Management Facility (SMF), which is an improved mechanism for controlling system startup and the relationship between services.
Multi-Admin keystore security, supporting the requirement of multiple security officers to authenticate keystore backup and restore operations.
Serial port for direct input administration interface
USB port for keystore backup and restore to USB mass storage devices
Note – IPsec cryptographic hardware acceleration is not supported on the current Linux distributions.
Financial Services Support
The Sun Crypto Accelerator 6000 board supports PIN and credit card related functionality, ensuring the security of sensitive customer data by performing the entire operation within the secure cryptographic boundary of the board. Specialized key management capabilities, and a new user library (libfinsvcs.so) and associated application interface are provided to support this feature. See Chapter 5 for details.
Supported Applications
Java applications
Sun Java System Servers
Apache Web Server
PKCS#11 applications
Supported Cryptographic Protocols and Algorithms
The board supports the following protocols:
SSLv2
SSLv3
TLSv1
IPsec
The board accelerates the following cryptographic algorithms.
TABLE 1-1 Cryptographic Algorithms
Type Algorithm
Symmetric DES, 3DES, AES, SHA1, SHA512, and MD5
Asymmetric Diffie-Hellman, RSA (up to 2048 bit key), DSA, and ECC
The following is a list of the supported ECC curves:
nistp256/prime256v1/secp256r1
nistp384/secp384r1
nistp521/secp521r1
nistk163/sect163k1
nistb163/sect163r2
nistk233/sect233k1
nistb233/sect233r1
nistk283/sect283k1
nistb283/sect283r1
nistk409/sect409k1
nistb409/sect409r1
nistk571/sect571k1
nistb571/sect571r1
nistp192/secp192r1
nistp224/secp224r1
The board accelerates the following SSL functions:
Secure establishment of a set of cryptographic parameters, and secret keys between a client and a server.
Secure key storage on the board. Keys are encrypted if they leave the board.
Diagnostic Support
SunVTS diagnostic tests
Security officer initiated diagnostics (scadiag and scamgr)
Cryptographic Algorithm Acceleration
Together with the Oracle Solaris Cryptographic Framework, the board accelerates cryptographic algorithms in both hardware and software. The reason for this complexity is that the cost of accelerating cryptographic algorithms is not uniform across all algorithms. Some cryptographic algorithms were designed specifically to be implemented in hardware, others were designed to be implemented in software. For hardware acceleration, there is the additional cost of moving data from the user application to the hardware acceleration device, and moving the results back to the user application. Note that a few cryptographic algorithms can be performed by highly tuned software as quickly as they can be performed in dedicated hardware.
Hardware Overview
The Sun Crypto Accelerator 6000 hardware is a low-profile, half-length (6.6 inches [167.64 mm] by 2.54 inches [64.41 mm]) 8-lane PCI Express based HBA that enhances the performance of IPsec and SSL, and provides robust security features.
FIGURE 1-1 provides an illustration of the board.
FIGURE 1-1 Sun Crypto Accelerator 6000 Board
LED Displays
TABLE 1-2 describes the LED displays.
TABLE 1-2 Front Panel LEDs
Label Color Indication
STATUS Green/Red • Off when bootstrap firmware executes
• Green in POST, and DISABLED states (driver not attached)
• Flashing green in IDLE, OPERATIONAL, and FAILSAFE states (heart beat)
• Red when board is in the HALTED (fatal error) state or when a low-level hardware initialization failure occurs
• Flashing red if an error occurs during the boot process
FIPS Green/Yellow • Off in non-FIPS mode
• Green when operating in FIPS mode
• Flashing yellow when zeroize jumper is present
INIT Green/Yellow • Off if the board has not been initialized
• Green if the card has been initialized by a security officer
• Yellow in POST, DIAGNOSTICS, and FAILSAFE (firmware not upgraded) states
• Flashing yellow when running DIAGNOSTICS
FIGURE 1-2 shows the location of the LEDs.
FIGURE 1-2 LED Locations
Direct Input Devices
The Sun Crypto Accelerator 6000 board has three direct input devices: an RJ-11 serial port, a USB port, and a Point of Presence button.
Serial Port
The six-wire RJ-11 port connector enables direct input administration. The port operates at a baud rate of 9600-8N1. The pinout specifications are described in TABLE 1-3 and shown in FIGURE 1-3.
TABLE 1-3 RJ-11 Port Connector Pins and Signals
Pin Signal Definition
1 PWR 5 volt DC power
2 NC Not connected
3 NC Not connected
4 XMIT Transmit data
5 RECV Data receive
6 GND Signal ground
Serial Device
Any device with a properly configured serial port and cable can be used for direct input administration of the device. However, for maximum security a stateless hand-held device ensures that sensitive information and keying material are not compromised. One such device tested is the Termiflex OT/30 hand-held terminal from Warner Power. A Termiflex OT/30 terminal has been configured specifically for use with the Sun Crypto Accelerator 6000 board and can be ordered directly from Warner Power using part number 99-3619-04001 (http://www.termiflex.com/).
FIGURE 1-3 RJ-11 Port Connector Pins
USB Port
The standard size USB connector enables you to back up and restore the on-board keystore. The port is USB 1.1 compliant and is compatible with standard USB mass storage devices (bulk-only).
USB Device
Although other USB mass-storage devices will work, only a few devices have been fully tested and qualified for use with the Sun Crypto Accelerator 6000 board. Before using another device for backup and restore operations, verify that diagnostics run successfully with the USB device installed. Choose devices with high transfer speeds and quick response times for the best compatibility with the board.
The following devices have been verified to work with the board:
JetFlash 2.0 USB Flash Drive from Transcend
DataTraveler 100 USB Flash Drive from Kingston
Attache Optima Pro High Speed USB 2.0 Drive from PNY
Point of Presence Button
The Point of Presence button provides physical presence verification when pressed. The physical pressing of this button cannot be emulated remotely.
Dynamic Reconfiguration and High Availability
The Sun Crypto Accelerator 6000 hardware and associated software provide the capability to work effectively on SPARC platforms supporting dynamic reconfiguration (DR) and hot-plugging. During a DR or hot-plug operation, the Sun Crypto Accelerator 6000 software layer automatically detects the addition or removal of a board, and adjusts the scheduling algorithms to accommodate the change in hardware resources.
Note – DR is supported on SPARC platforms only.
For High Availability (HA) configurations, multiple Sun Crypto Accelerator 6000 boards can be installed within a system or domain to ensure that hardware acceleration is continuously available. In the unlikely event of a Sun Crypto Accelerator 6000 hardware failure, the software layer detects the failure and removes the failed board from the list of available hardware cryptographic accelerators. Sun Crypto Accelerator 6000 software adjusts the scheduling algorithms to accommodate the reduction in hardware resources. Subsequent cryptographic requests are scheduled to the remaining boards.
The Sun Crypto Accelerator 6000 hardware provides a source for high-quality entropy for the generation of long-term keys. If all the Sun Crypto Accelerator 6000 boards within a domain or system are removed, long-term keys are generated with lower-quality entropy.
Load Sharing
The Sun Crypto Accelerator 6000 software enables the distribution of load across as many boards as are installed within the Oracle Solaris domain or system. In order to use load sharing, each board must be configured to use the same keystore. See Chapter 4.
Hardware and Software Requirements
TABLE 1-4 provides a summary of the hardware and software requirements for the Sun Crypto Accelerator 6000 board.
TABLE 1-4 Hardware and Software Requirements
Hardware and Software Requirements
Hardware • Sun Fire T1000, T2000, x2100, x2200, x4200, x4600 servers
• Sun SPARC Enterprise T5120 and T5220 servers
• Sun Ultra 40, 20
Operating system Oracle Solaris 10, Red Hat EL 4.0, Red Hat EL Server 4 and 5, and SuSE Enterprise 10 SP1 Linux*, and future compatible releases of these operating systems.
*Note – 1 Gbyte of memory is suggested for Linux operating systems.
Oracle Solaris 10 OS on SPARC and x86 Platforms
The Sun Crypto Accelerator 6000 board supports the Oracle Solaris 10 Operating System on both SPARC and x86 AMD Opteron Linux platforms. The board acts as a cryptographic service provider to the Oracle Solaris Cryptographic Framework, allowing applications to access the board’s functionality with PKCS#11, OpenSSL, and Java (J2SE).
x86 AMD Opteron Platforms Running Linux
The openCryptoki software interface is used in Linux environments to access the Sun Crypto Accelerator 6000 board. The openCryptoki software provides a user level interface that enables selecting specific cryptographic providers.
Required Patches
Refer to the Sun Crypto Accelerator 6000 Board Product Notes for Version 1.1 (820-4145) for required patch information.
CHAPTER 2
Installing the Sun Crypto Accelerator 6000 Board
This chapter describes how to install the Sun Crypto Accelerator 6000 hardware on both the Oracle Solaris and Linux operating systems, how to install and remove the software, and also how to migrate back to 1.0 software and firmware.
This chapter includes the following sections:
“Handling the Board”
“Installing the Board on Oracle Solaris Platforms”
“Installing the Sun Crypto Accelerator 6000 Software With the install Script”
“Directories and Files for Oracle Solaris Platforms”
“Removing the Sun Crypto Accelerator 6000 Software on Oracle Solaris Platforms With the remove Script”
“Installing the Software on Oracle Solaris Platforms Without the Installation Script”
“Removing the Software on Oracle Solaris Platforms Without the remove Script”
“Installing the Sun Crypto Accelerator 6000 Board on Linux Platforms”
“Directories and Files for Linux Platforms”
“Removing the Sun Crypto Accelerator 6000 Software on Linux Platforms”
“Migrating Back to Version 1.0 From 1.1”
Caution – If you want the ability to return to a Version 1.0 environment, you must make a backup of the 1.0 keystore and master key prior to upgrading to 1.1. See “Migrating Back to Version 1.0 From 1.1” on page 30.
Once you have installed the hardware and software of the board, you must initialize the board with configuration and keystore information. See “Initializing the Board With scamgr” on page 38 for information on how to initialize the board.
Handling the Board
Each board is packed in a special antistatic bag to protect it during shipping and storage. To avoid damaging the static-sensitive components on the board, reduce any static electricity on your body before touching the board by using one of the following methods:
Touch the metal frame of the computer.
Attach an antistatic wrist strap to your wrist and to a grounded metal surface.
Caution – To avoid damaging the sensitive components on the board, wear an antistatic wrist strap when handling the board, hold the board by its edges only, and always place the board on an antistatic surface (such as the plastic bag it came in).
Installing the Board on Oracle Solaris Platforms
Installing the Sun Crypto Accelerator 6000 board involves inserting the board into the system and loading the software tools. The hardware installation instructions include only general steps for installing the board. Refer to the documentation that came with your system for specific installation instructions.
Install the Hardware
1. As superuser, follow the instructions that came with your system to shut down and power off the computer, disconnect the power cord, and remove the computer cover.
2. Locate an unused PCI slot (preferably an x8 PCI Express slot).
3. Attach an antistatic wrist strap to your wrist, and attach the other end to a grounded metal surface.
4. Using a Phillips screwdriver, remove the screw from the PCI slot cover.
Save the screw to hold the bracket in Step 6.
5. Holding the Sun Crypto Accelerator 6000 board by its edges only, take it out of the plastic bag and insert it into the PCI slot.
6. Secure the screw on the rear bracket.
7. Replace the computer cover, reconnect the power cord, and power on the system.
8. Verify that the board is properly installed.
For Oracle Solaris SPARC platforms, enter the prtdiag command from a terminal:
% prtdiag
========================= IO Configuration =========================
IO Location Type Slot Path Name Model
---------- ---- ---- ----------------------------------- ------------- ---------
IOBD/NET0 PCIE IOBD /pci@780/pci@0/pci@1/network@0 network-pciex8086,105e
IOBD/NET1 PCIE IOBD /pci@780/pci@0/pci@1/network@0,1 network-pciex8086,105e
IOBD/PCIE0 PCIE 0 /pci@780/pci@0/pci@8/pci@0/pci108e,5ca0@e pci108e,5ca0
IOBD/PCIX PCIX IOBD /pci@7c0/pci@0/pci@1/pci@0/isa@2 isa
IOBD/PCIX PCIX IOBD /pci@7c0/pci@0/pci@1/pci@0/usb@5 usb-pciclass,0c0310
IOBD/PCIX PCIX IOBD /pci@7c0/pci@0/pci@1/pci@0/usb@6 usb-pciclass,0c0310
IOBD/PCIX PCIX IOBD /pci@7c0/pci@0/pci@1/pci@0/ide@8 ide-pci10b9,5229
IOBD/PCIX PCIX PCIX /pci@7c0/pci@0/pci@1/pci@0,2/LSILogic,sas@2 LSILogic,sas-pci1000,50 LSI,1064
IOBD/NET2 PCIE IOBD /pci@7c0/pci@0/pci@2/network@0 network-pciex8086,105e
IOBD/NET3 PCIE IOBD /pci@7c0/pci@0/pci@2/network@0,1 network-pciex8086,105e
In the preceding example, the /pci@780/pci@0/pci@8/pci@0/pci108e,5ca0@e identifies the device path to the Sun Crypto Accelerator 6000 board. There is one such line for each board in the system.
For Oracle Solaris x86 platforms, enter the scanpci command from a terminal:
# /usr/X11/bin/scanpci
...
pci bus 0x0082 cardnum 0x0e function 0x00: vendor 0x108e device 0x5ca0
Sun Microsystems Computer Corp. Device unknown
Chapter 2 Installing the Sun Crypto Accelerator 6000 Board 13
Installing the Sun Crypto Accelerator 6000 Software With the install Script
There are two methods to install the software, manually or with the install script. This section describes how to install the software with the install script. To install the software manually, refer to “Installing the Software on Oracle Solaris Platforms Without the Installation Script” on page 21.
The install script identifies which platform you are installing on (Oracle Solaris SPARC or x86, Linux x86 or x64) and calls the appropriate installation scripts for your platform. The install script also automatically installs the required patches before installing the software.
In addition to the software provided on the product CD, required software is provided at My Oracle Support (http://support.oracle.com).
For CD installations, the install script path is as follows:
/cdrom/cdrom0/Sun_Crypto_Acc_6000
Otherwise, the install script paths for Solaris 10 and Solaris 11 are as follows:
Solaris 10 – Sun_Crypto_Acc_6000-1_1-u2-Solaris/Solaris10
Solaris 11 – Sun_Crypto_Acc_6000-1_1-u2-Solaris/Solaris11
Install the Software With the install Script
1. If installing from a CD, insert the Sun Crypto Accelerator 6000 CD into a CD-ROM drive that is connected to your system.
If your system is running Sun Enterprise Volume Manager, the system should automatically mount the CD-ROM to the /cdrom/cdrom0 directory.
If your system is not running Sun Enterprise Volume Manager, mount the CD-ROM as follows:
# mount -F hsfs -o ro /dev/dsk/c0t6d0s2 /cdrom
You see the following files and directories in the /cdrom/cdrom0/Sun_Crypto_Acc_6000 directory:
TABLE 2-1 Files in the /cdrom/cdrom0/Sun_Crypto_Acc_6000 Directory
File or Directory Contents
README
Copyright U.S. copyright file
FR_Copyright French copyright file
install Script that installs the Sun Crypto Accelerator 6000 packages for both Oracle Solaris SPARC and x86 systems, and for Linux x86 or x64 systems
Solaris/sparc Contains the Oracle Solaris SPARC software packages:
SUNWmcact – Activation file
SUNWmcadevfw – Development firmware
SUNWmcaf – FMA support
SUNWmcafw – Firmware
SUNWmcamn – Manual pages
SUNWmcar – Drivers
SUNWmcau – User components
SUNWscafsu – Financial services (usr)
SUNWscafsm – Financial services manual pages
SUNWscamga – Administration client
SUNWscamgm – Administration manual pages
SUNWscamgr – Administration (root)
SUNWscamgu – Administration (usr)
Solaris/i386/ Contains the Oracle Solaris i386 software packages:
SUNWmcact – Activation file
SUNWmcaf – FMA support
SUNWmcafw – Firmware
SUNWmcamn – Manual pages
SUNWmcar – Drivers
SUNWmcau – User components
SUNWscafsu – Financial services (usr)
SUNWscafsm – Financial services manual pages
SUNWscamga – Administration client
SUNWscamgm – Administration manual pages
SUNWscamgr – Administration (root)
SUNWscamgu – Administration (usr)
Solaris/install Script that installs the software packages for both Oracle Solaris SPARC and x86 systems. This script is normally called by the main install script.
Solaris/remove Script that removes the software packages for Oracle Solaris SPARC and x86 systems.
Linux/supported-kernel Contains the Linux x86 or x64 software rpm packages:
sun-sca6000 – software and drivers
sun-sca6000-admin – administration utilities
sun-sca6000-config – configuration files for administration and keystore I/O services
sun-sca6000-man – user documentation
sun-sca6000-var – variable length files
sun-sca6000-libs – supporting libraries
sun-nss – Netscape Security Services libraries and tools
sun-nspr – Netscape Portable Runtime Layer libraries
Linux/install Script that installs the Sun Crypto Accelerator 6000 packages for Linux systems. This script is normally called by the main install script.
Linux/remove Script that removes the Sun Crypto Accelerator 6000 packages for Linux x86 systems.
docs Contains the PDF pointer document that links to the required software and the latest user’s guide (this document) and product notes (820-4145).
2. Install the required software by typing:
# cd path_to_install_script
# ./install
The install script analyzes the system to identify the system architecture and the required patches. The install script then installs those patches, and installs the main software appropriate for your system. The following is an example of running the install script on an Oracle Solaris SPARC system.
Note – The copyright and license information is omitted from the following example. Refer to Appendix C for copyright and software licenses.
# ./install
[Licensing Text Output]
Do you accept the license agreement? [y/n]: y
This program installs the software for the Sun Crypto Accelerator 6000, Version 1.1.
Copyright 2007 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms.
The Sun Crypto Accelerator 6000 Board User's Guide (820-4144) and the Sun Crypto Accelerator 6000 Board Release Notes (820-4145) can be found at: http://docs.oracle.com
Please read and understand these documents prior to software installation.
Do you wish to continue the installation? [y,n,?] y
Checking for optional package dependencies...
Do you wish to install the optional Crypto IPsec Acceleration software (SUNWmcact)? [y,n,?,q] y
This script is about to take the following actions:
- Install Sun Crypto Accelerator 6000 support for Solaris 10
- Install Optional Crypto IPsec Acceleration software
To cancel installation of this software, press 'q' followed by a Return.
**OR**
Press Return key to begin installation:
*** Installing Sun Crypto Accelerator 6000 software for Solaris 10...
Installing packages: SUNWmcafw SUNWmcact SUNWmcamn SUNWmcar SUNWmcau SUNWscafsm SUNWscafsu SUNWscamga SUNWscamgm SUNWscamgr SUNWscamgu
Installing SUNWmcafw... was successful.
Installing SUNWmcact... was successful.
Installing SUNWmcamn... was successful.
Installing SUNWmcar... was successful.
Installing SUNWmcau... was successful.
Installing SUNWscafsm... was successful.
Installing SUNWscafsu... was successful.
Installing SUNWscamga... was successful.
Installing SUNWscamgm... was successful.
Installing SUNWscamgr... was successful.
Installing SUNWscamgu... was successful.
*** Installation complete.
To remove this software, use the 'remove' script on this CDROM, or the following script:
/var/tmp/crypto_acc.remove
A log of this installation can be found at: /var/tmp/crypto_acc.install.2007.10.18.0743
Directories and Files for Oracle Solaris Platforms
TABLE 2-2 shows the directories created on your system by the default installation of the Sun Crypto Accelerator 6000 software.
TABLE 2-2 Sun Crypto Accelerator 6000 Directories and Files for Solaris Platforms
Directory                      Contents
/kernel/drv                    Driver configuration files
/kernel/drv/sparcv9            64-bit SPARC drivers
/kernel/drv/amd64              64-bit AMD drivers
/opt/SUNWsca/include           Financial services header files
/opt/SUNWsca/lib               Financial services libraries
/opt/SUNWsca/lib/sparcv9       Financial services libraries
/opt/SUNWsca/lib/amd64         Financial services libraries
/opt/SUNWsca/man               Financial services man pages
/usr/lib/crypto                Services
/usr/lib/crypto/firmware/sca   Firmware files
/usr/lib/rcm/scripts           RCM scripts
/usr/man                       Man pages
/usr/sbin                      Administration utilities
/var/sca/keydata               Keystore files (encrypted)
/var/sca/log                   Service log files
/var/sca/cfg                   Centralized keystore (CKS) bootstrap files
/var/sca/private               Security files for the CKS
/var/svc/manifest/device       Service manifests
Note – Once you install the Sun Crypto Accelerator 6000 hardware and software, you need to initialize the board with configuration and keystore information. See “Initializing the Board With scamgr” on page 38 for information on how to initialize the board.
Removing the Sun Crypto Accelerator 6000 Software on Oracle Solaris Platforms With the remove Script
If you used the install script to install the software, use the remove script on the CD-ROM to remove the software. If you installed the software without the install script, see “Removing the Software on Oracle Solaris Platforms Without the remove Script” on page 23.
Remove the Software With the remove Script on the CD-ROM
1. Insert the Sun Crypto Accelerator 6000 CD-ROM.
2. Type the following:
# /var/tmp/crypto_acc.remove
All required software for the Sun Crypto Accelerator 6000 software will be REMOVED.
The following packages will be removed:
SUNWscamgu SUNWscamgr SUNWscamgm SUNWscamga SUNWscafsu SUNWscafsm SUNWmcau SUNWmcar SUNWmcamn SUNWmcafw SUNWmcact
To cancel removal of this software, press 'q' followed by a Return.
**OR**
Press Return key to begin package removal:
*** Found the following packages to remove:
SUNWscamgu SUNWscamgr SUNWscamgm SUNWscamga SUNWscafsu SUNWscafsm SUNWmcau SUNWmcar SUNWmcamn SUNWmcafw SUNWmcact
*** Removing old package(s)...
Stopping scad Service
Removing scad Service from SMF
Stopping scakiod Service
Removing scakiod Service from SMF
Removal of <...> was successful.
...
*** Done.
A log of this removal can be found at: /var/tmp/crypt_acc.remove.2007.10.18
For Oracle Solaris 11, Remove the Software With the remove Script
1. Change to the Solaris11 directory.
# cd Sun_Crypto_Acc_6000-1_1-u2-Solaris/Solaris11
2. Enter the following.
# ./remove
Installing the Software on Oracle Solaris Platforms Without the Installation Script
This section describes how to install the software manually without using the installation script provided on the product CD.
Refer to the latest version of the Sun Crypto Accelerator 6000 Board Product Notes for Version 1.1 (820-4145) for a list of the required patches. You must install all of the required patches before installing the main software. The latest product notes are available at: http://docs.oracle.com/cd/E19321-01/820-4145-16/820-4145-16.pdf
Note – The install script automatically identifies your system architecture, installs the required patches, and installs the main software appropriate for your system.
In addition to the software provided on the product CD, required software is provided at My Oracle Support (http://support.oracle.com).
Install the Software Without the install Script
1. If installing from a CD, insert the Sun Crypto Accelerator 6000 CD into a CD-ROM drive that is connected to your system.
If your system is running Sun Enterprise Volume Manager, the system should automatically mount the CD-ROM to the /cdrom/cdrom0 directory.
If your system is not running Sun Enterprise Volume Manager, mount the CD-ROM as follows:
# mount -F hsfs -o ro /dev/dsk/c0t6d0s2 /cdrom
The required packages must be installed in a specific order and must be installed before installing any optional packages. Once the required packages are installed, you can install and remove the optional packages in any order.
2. If installing from a CD, install the required software packages by typing:
# cd /cdrom/cdrom0/Sun_Crypto_Acc_6000/Packages
# pkgadd -d . SUNWmcafw SUNWmcact SUNWmcamn SUNWmcar SUNWmcau SUNWscafsm SUNWscafsu SUNWscamga SUNWscamgm SUNWscamgr SUNWscamgu
3. If not installing from a CD, enter the following commands:
# cd /Sun_Crypto_Acc_6000-1_1-u2-Solaris/Solaris11
# pkg install -g repo SUNWmcact SUNWmcafw SUNWmcamn SUNWmcar SUNWmcau SUNWscafsm SUNWscafsu SUNWscamga SUNWscamgm SUNWscamgr
# pkg install -g repo SUNWscamgu
4. (Optional) To verify that the software is installed properly, run the pkginfo command.
# pkginfo SUNWmcafw SUNWmcact SUNWmcamn SUNWmcar SUNWmcau SUNWscafsm SUNWscafsu SUNWscamga SUNWscamgm SUNWscamgr SUNWscamgu
system SUNWmcact Sun Crypto Accelerator 6000 Activation File
system SUNWmcafw Sun Crypto Accelerator 6000 Firmware
system SUNWmcamn Sun Crypto Accelerator 6000 Manual Pages
system SUNWmcar Sun Crypto Accelerator 6000 Drivers
system SUNWmcau Sun Crypto Accelerator 6000 User Components
system SUNWscafsu Sun Crypto Accelerator Financial Services
system SUNWscafsm Sun Crypto Accelerator Financial Services Man Pages
system SUNWscamga Sun Crypto Accelerator Administration Client
system SUNWscamgm Sun Crypto Accelerator Administration Man Pages
system SUNWscamgr Sun Crypto Accelerator Administration (root)
system SUNWscamgu Sun Crypto Accelerator Administration (usr)
5. (Optional) To ensure that the driver is attached, use one of the following commands:
For Oracle Solaris SPARC platforms, use the prtdiag command.
# prtdiag -v
Refer to the prtdiag(1M) online manual pages.
For Oracle Solaris x86 platforms, use the scanpci command.
# /usr/X11/bin/scanpci
...
pci bus 0x0082 cardnum 0x0e function 0x00: vendor 0x108e device 0x5ca0
Sun Microsystems Computer Corp. Device unknown
6. (Optional) Use the modinfo command to see that modules are loaded.
# modinfo | grep Crypto
62 1317f62 20b1f 198 1 crypto (MCA Crypto 1.0)
197 136d5d6 19b0 199 1 cryptoadm (MCA Crypto Control 1.0)
See “Directories and Files for Oracle Solaris Platforms” on page 18 for a description of the directories and files in the default installation.
Removing the Software on Oracle Solaris Platforms Without the remove Script
Note – Remove the Sun Crypto Accelerator 6000 software manually only if you did not use the install script to install the software. If you installed the software with the installation script, see “Removing the Sun Crypto Accelerator 6000 Software on Oracle Solaris Platforms With the remove Script” on page 19 to remove the software.
If you have created keystores (see “Managing Keystores With scamgr” on page 57), you must delete the keystore information that the Sun Crypto Accelerator 6000 board is configured with before removing the software. The zeroize command removes all key material, but does not delete the keystore files that are stored in the file system of the physical host in which the board is installed. See “Perform a Software Zeroize on the Board” on page 81 for details on the zeroize command. If you have not yet created any keystores, you can skip this procedure.
Delete Existing Keystores
1. Become superuser.
2. Remove the keystore files with the rm command.
Caution – Do not delete a keystore that is currently in use or that is shared by other users and keystores. To free references to keystores, you might have to shut down the web server, administration server, or both.
For example:
# rm /var/sca/keydata
Remove the Software Without the remove Script
Caution – Before removing the Sun Crypto Accelerator 6000 software, disable any web servers you have enabled for use with the Sun Crypto Accelerator 6000 board. Failure to do so leaves those web servers nonfunctional.
As superuser, use the pkgrm command (for Solaris 10) or pkg uninstall command (for Solaris 11) to remove only the software packages you installed.
Caution – Installed packages must be removed in the order shown. Failure to remove them in this order could result in dependency warnings and leave kernel modules loaded.
For Solaris 10, if you installed all the packages, you would remove them as follows:
# pkgrm SUNWscamgu SUNWscamgr SUNWscamgm SUNWscamga SUNWscafsu SUNWscafsm SUNWmcau SUNWmcar SUNWmcamn SUNWmcafw SUNWmcact
For Solaris 11, if you installed all the packages, you would remove them as follows:
# pkg uninstall SUNWmcact SUNWmcafw SUNWmcamn SUNWmcar SUNWmcau SUNWscafsm SUNWscafsu SUNWscamga SUNWscamgm SUNWscamgr
# pkg uninstall SUNWscamgu
Installing the Sun Crypto Accelerator 6000 Board on Linux Platforms
openCryptoki software is required for the board on Linux platforms. You must install openCryptoki before installing the software. Refer to Appendix B to install the openCryptoki software.
Install the Sun Crypto Accelerator 6000 Hardware on Linux Platforms
Note – openCryptoki must be installed before installing the Sun Crypto Accelerator 6000 packages.
1. Follow the steps in “Install the Hardware” on page 12.
2. After the system is running, type the following command to verify the board is installed properly:
% lspci
The output of the previous command should contain the following line:
Network and computing encryption device: Sun Microsystems Computer Corp.: Unknown device 5ca0
Install the Sun Crypto Accelerator 6000 Software on Linux Platforms With the install Script
1. Insert the Sun Crypto Accelerator 6000 CD into a CD-ROM drive that is connected to your system and enter the following command:
% ./install
Do you accept the license agreement? [y/n]: y
Installing required packages: sun-nspr-4.6.7-2.i386.rpm sun-nss-3.11.7-2.i386.rpm sun-sca6000-admin-1.1-1.i386.rpm sun-sca6000-var-1.1-1.i386.rpm sun-sca6000-config-1.1-1.i386.rpm sun-sca6000-libs-1.1-1.i386.rpm sun-sca6000-1.1-1.i386.rpm sun-sca6000-man-1.1-1.i386.rpm sun-sca6000-firmware-1.1-1.i386.rpm
To remove this software, use the 'remove' script on this CDROM, or the following script:
/var/tmp/crypto_acc.remove
A log of this installation can be found at: /var/tmp/crypto_acc.install.2007.10.31.1009
Installing the Sun Crypto Accelerator 6000 Software on Linux Platforms Without the install Script
The packages for SuSE Linux Enterprise Server 9 Service Pack 3 are in the 2.6.5-7.244-smp-x86_64 directory. The packages for Red Hat Enterprise Linux 4.0 Update 2 are in the 2.6.9-22.ELsmp-x86_64 directory. The packages are as follows:
sun-nspr-4.6.7-2.x86_64.rpm
sun-nss-3.11.7-2.x86_64.rpm
sun-sca6000-1.1-1.x86_64.rpm
sun-sca6000-admin-1.1-1.x86_64.rpm
sun-sca6000-config-1.1-1.x86_64.rpm
sun-sca6000-firmware-1.1-1.x86_64.rpm
sun-sca6000-libs-1.1-1.x86_64.rpm
sun-sca6000-man-1.1-1.x86_64.rpm
sun-sca6000-var-1.1-1.x86_64.rpm
Install the Software Without the install Script
1. If they are not already on the system, install the NSPR and NSS libraries and tools:
% rpm -i sun-nspr-4.6.7-2.x86_64.rpm sun-nss-3.11.7-2.x86_64.rpm
% rpm -i sun-sca6000-admin-1.1-1.x86_64.rpm sun-sca6000-config-1.1-1.x86_64.rpm sun-sca6000-firmware-1.1-1.x86_64.rpm sun-sca6000-libs-1.1-1.x86_64.rpm sun-sca6000-var-1.1-1.x86_64.rpm sun-sca6000-1.1-1.x86_64.rpm
2. Change to the appropriate directory for your platform and enter the following command:
% rpm -i sun-sca6000-man-1.1-1.x86_64.rpm sun-sca6000-admin-1.1-1.x86_64.rpm sun-sca6000-var-1.1-1.x86_64.rpm sun-sca6000-config-1.1-1.x86_64.rpm sun-sca6000-1.1-1.x86_64.rpm sun-sca6000-firmware-1.1-1.x86_64.rpm
3. (Optional) To ensure that the driver is attached, use the scanpci command.
# /usr/X11R6/bin/scanpci
...
pci bus 0x0082 cardnum 0x0e function 0x00: vendor 0x108e device 0x5ca0
Sun Microsystems Computer Corp. Device unknown
Directories and Files for Linux Platforms
TABLE 2-3 shows the directories created on your system by the default installation of the Sun Crypto Accelerator 6000 software.
TABLE 2-3 Directories and Files for Linux Platforms
Directory                             Contents
/etc/init.d                           Start and stop scripts (links)
/etc/rc5.d                            Service configuration files
/etc/opt/sun/sca6000                  Daemon configuration files
/opt/sun/sca6000/bin                  Application executables, drivers, and the scamgr utility
/opt/sun/sca6000/bin/drv              Driver files
/opt/sun/sca6000/firmware             Firmware files
/opt/sun/sca6000/lib                  openCryptoki plug-in and application libraries
/opt/sun/sca6000/man                  Man pages
/opt/sun/sca6000/sbin                 Administration utilities and services and daemon executables
/opt/sun/sca6000/private/lib          Support libraries
/opt/sun/sca6000/private/lib64        Support libraries
/usr/local/lib/opencryptoki/stdll/    openCryptoki plug-in files
/var/opt/sun/sca6000/keydata          Keystore files (encrypted)
/var/opt/sun/sca6000/lock             Service lock files
/var/opt/sun/sca6000/log              Service log files
/var/opt/sun/sca6000/private          Security files for centralized keystore
/var/opt/sun/sca6000/cfg              Centralized keystore (CKS) bootstrap files
Note – Once you install the Sun Crypto Accelerator 6000 hardware and software, you must initialize the board with configuration and keystore information. See “Initializing the Board With scamgr” on page 38 for information on how to initialize the board.
Removing the Sun Crypto Accelerator 6000 Software on Linux Platforms
Removing the Sun Crypto Accelerator 6000 Software With the remove Script
All applications, such as Sun Java System and Apache Web Servers, that are using the board must be stopped before uninstalling the Sun Crypto Accelerator 6000 software.
Remove the Software With the remove Script
1. Enter the following command.
# /var/tmp/crypto_acc.remove
All required software for the Sun Crypto Accelerator 6000 software will be REMOVED.
The following packages will be removed:
sun-sca6000-firmware-1.1-1 sun-sca6000-man-1.1-1 sun-sca6000-1.1-1 sun-sca6000-libs-1.1-1 sun-sca6000-config-1.1-1 sun-sca6000-var-1.1-1 sun-sca6000-admin-1.1-1
To cancel removal of this software, press 'q' followed by a Return.
**OR**
Press Return key to begin package removal.
*** Found the following packages to remove:
sun-sca6000-firmware-1.1-1 sun-sca6000-man-1.1-1 sun-sca6000-1.1-1 sun-sca6000-libs-1.1-1 sun-sca6000-config-1.1-1 sun-sca6000-var-1.1-1 sun-sca6000-admin-1.1-1
*** Removing old package(s)...
Removing sun-sca6000-firmware-1.1-1 package...
Removing sun-sca6000-man-1.1-1 package...
Removing sun-sca6000-1.1-1 package...
Removing sun-sca6000-libs-1.1-1 package...
Removing sun-sca6000-config-1.1-1 package...
Removing sun-sca6000-var-1.1-1 package...
Removing sun-sca6000-admin-1.1-1 package...
*** Done.
A log of this removal can be found at: /var/tmp/crypt_acc.remove.2007.10.31
Remove the Software Without the remove Script
1. Enter one of the following commands on one line:
% rpm -e sun-sca6000-1.0-1.x86_64.rpm sun-sca6000-man-1.0-1.x86_64.rpm sun-sca6000-admin-1.0-1.x86_64.rpm sun-sca6000-var-1.0-1.x86_64.rpm sun-sca6000-config-1.0-1.x86_64.rpm sun-sca6000-firmware-1.0-1.x86_64.rpm
% rpm -e sun-sca6000 sun-sca6000-libs sun-sca6000-admin sun-sca6000-var sun-sca6000-config sun-sca6000-firmware
Additionally, if no other components are using it on the system:
% rpm -e sun-nss sun-nspr
Migrating Back to Version 1.0 From 1.1
There are changes in the keystore implementation for the board that make it incompatible with Version 1.0 firmware. If you want the ability to return to a Version 1.0 environment, you must make a backup of the 1.0 keystore and master key prior to upgrading to 1.1.
Back Up the 1.0 Keystore
1. With the 1.0 software and firmware running, use scamgr to log into the board and run the show status command. Make a note of the Keystore Name and Keystore ID fields. For details, see “Using the scamgr Utility” on page 34.
2. Type the backup command to save the master key.
3. Change to /var/sca/keydata and archive the correct keystore directory and configuration file.
The keystore name and ID are shown in the filename for the .conf file and the corresponding directory.
For example, if the keystore name is ks.600054 and the keystore ID is 0000000069efe289, then you will find the following files and directories in /var/sca/keydata:
ks.600054.{69efe289}
ks.600054.{69efe289}.conf
4. Use the tar command to archive both the .conf file and the entire contents of the directory:
# tar cvfz ks.600054.{69efe289}.tar ks.600054.{69efe289}.conf ks.600054.{69efe289}
5. Place the master key backup and keystore tar file in a safe location.
You can now safely upgrade to the 1.1 software and retain the ability to revert back to 1.0 software and firmware.
Restore the 1.0 Software and Firmware:
1. While the 1.1 software and firmware is still running, log into the board as the device security officer using scamgr -D and type the zeroize command.
2. Change directories into /var/sca/keydata and remove the .conf file and corresponding keystore directory.
3. Using scadiag -u, load the 1.0 firmware onto the system.
4. After the 1.0 firmware loads, reset the board with the scadiag -r command.
# scadiag -u firmware-file device
# scadiag -r device
5. When the board finishes resetting, it will be placed in failsafe mode.
6. Execute the remove script to remove the Sun Crypto Accelerator 6000 1.1 software components from the system.
7. From the 1.0 installation media, execute the install script to load the 1.0 software components.
8. Apply any 1.0 software and firmware patches that are necessary.
Refer to the Sun Crypto Accelerator 6000 Board Product Notes for Version 1.1 (819-5537) at: http://docs.oracle.com/cd/E19321-01/index.html
9. Unpack the 1.0 keystore tar file into /var/sca/keydata.
# cd /var/sca/keydata
# tar xvf path-to-tar-file
10. Verify that the .conf file and all the contents of the keystore directory are owned by daemon. If not, set them to that ownership:
# chown -R daemon:other keystore.conf-file keystore-directory
11. Start the scamgr utility and initialize the board to use an existing keystore, providing the master key backup file in the process.
You have now restored the 1.0 keystore.
CHAPTER 3
Administering the Sun Crypto Accelerator 6000 Board
This chapter provides an overview of administering the board on both Oracle Solaris and Linux platforms with the scamgr and scadiag utilities, and the scad and scakiod service daemons. Additional instructions for Linux platforms are included in the last section. The chapter contains the following sections:
“Using the scamgr Utility”
“Authentication and Logging In and Out With scamgr”
“Entering Commands With scamgr”
“Initializing the Board With scamgr”
“Managing Keystores With scamgr”
“Multi-Admin Authentication”
“Managing Boards With scamgr”
“Using the scadiag Utility”
“Managing Services for Oracle Solaris Platforms”
“Enabling Optional Cryptographic Algorithms”
“Additional Instructions for Administering the Board on Linux Platforms”
Using the scamgr Utility
The scamgr utility offers a command-line interface to the Sun Crypto Accelerator 6000 board that can be accessed remotely. Only users designated as device or keystore security officers are permitted to use the scamgr utility. When you first connect to a board with scamgr, you are prompted to create an initial device security officer and password.
Device and Keystore Security Officers
There are two types of security officers: device security officers (DSOs) and keystore security officers (KSOs). The first DSO is created when the board is initialized. The first KSO is created when the first keystore is created. DSOs can create other DSO accounts and KSOs can create other KSO accounts. The default behavior for scamgr is to log in as a KSO. To log in as a DSO, you must run scamgr with the -D command line option. If you have already started an scamgr session but are logged out from all devices, you can use the connect command with the dso keyword to log in as a DSO (see TABLE 3-1).
Note – KSOs can make changes to keystores only. DSOs can make changes global to the board.
DSOs configure the physical board and can affect keystores globally. DSO capabilities include, but are not limited to the following:
- Performing hardware level operations such as:
    - Firmware upgrades
    - Zeroization
- Displaying the list of keystores on the board
KSOs use a set of commands that pertain only to a single instance of a keystore. KSO capabilities include:
- Creating and deleting user entries within a keystore
- Configuring and enabling Multi-Admin mode
- Performing keystore operations such as:
    - Conversions between local and centralized keystores
    - Renaming and deleting keystores and master keys
scamgr Syntax
The scamgr command-line syntax is:
/usr/sbin/scamgr [-?]
/usr/sbin/scamgr [-H]
/usr/sbin/scamgr [-V]
/usr/sbin/scamgr [-y][-h hostname][-p port][-d device][-D | -k keystorename][-f filename]
/usr/sbin/scamgr [-y][-h hostname][-p port][-d device][-D | -k keystorename] command
Note – When using the -d option, mcaN is the board’s device name, where N corresponds to the Sun Crypto Accelerator 6000 device instance number.
Note – Certain shells interpret the ? character when using the -? option on the command line. To avoid this, use the escape character (\) directly in front of the ?. For example, in the C shell, the command is changed to scamgr -\?.
scamgr Options
TABLE 3-1 shows the options for the scamgr utility.
TABLE 3-1 scamgr Options
Option            Meaning
-?                Displays help files for scamgr commands and exits.
-H                Displays help files for scamgr commands and exits.
-d device         Connects to the Sun Crypto Accelerator 6000 board that has N as the driver instance number. For example, -d mca1 connects to device mca1, where mca is a string in the board’s device name and 1 is the instance number of the device. This value defaults to mca0 and must be in the form of mcaN, where N corresponds to the device instance number.
-D                Logs into the board as a device security officer (DSO). This option cannot be used with the -k option.
-f filename       Interprets the commands in the file specified with filename and exits.
-h hostname       Connects to the board on hostname. The value for hostname can be a host name or an IP address, and defaults to the loopback address (localhost).
-k keystorename   Logs into the specified keystore. If a partial name is provided that matches more than one keystore, a list of all matches is displayed. If no keystore matches the value provided in keystorename, a list containing all keystores is displayed.
-p portnumber     Connects the board to a remote host with the specified port. If no port number is specified, the board attempts to connect to the default port 6871.
-V                Displays version information for scamgr.
-y                Forces a yes answer to any command that would normally prompt for a confirmation. This option is ignored when the board is in Interactive mode.
Note – The variable sec-officer is used throughout this document as an example security officer name.
See “Authentication and Logging In and Out With scamgr” on page 43 for more information.
Modes of Operation
scamgr can run in one of three modes. These modes differ mainly in how commands are passed into scamgr. The three modes are Single-Command mode, File mode, and Interactive mode.
Note – To use scamgr, you must authenticate as security officer. How often you need to authenticate as security officer is determined by which operating mode you are using.
Interactive Mode
In Interactive mode, you must authenticate as security officer every time you connect to a board. This is the default operating mode for scamgr, and is initiated by not specifying filename or any parameters when starting scamgr. To log out of scamgr in Interactive mode, use the logout command. Refer to “Authentication and Logging In and Out With scamgr” on page 43.
Interactive mode presents the user with an interface similar to ftp(1), where commands can be entered one at a time. The -y option is not supported in Interactive mode. Security officers must answer all confirmation questions.
Single-Command Mode
In Single-Command mode, you must authenticate as security officer for every command. Once the command is executed, you are logged out of scamgr.
When entering commands in Single-Command mode, you specify the command to be run after all the command-line switches are specified. For example, in Single-Command mode, the following command would show all the users in a given keystore and return the user to the command shell prompt.
$ scamgr show user
Security Officer Name: sec-officer
Security Officer Password:
All output from Single-Command mode goes to the standard output stream. This output can be redirected using standard UNIX shell-based methods.
File Mode
In File mode, you must authenticate as security officer for every file you run. You are logged out of scamgr after the commands in the command file are executed.
To enter commands in File mode, you specify a file from which scamgr reads one or more commands. The file must be ASCII text, consisting of one command per line. Begin each comment with a hash (#) character. If the File mode option is set, scamgr ignores any command-line arguments after the last option. The following example runs the commands in the deluser.scr file and answers all prompts in the affirmative:
$ scamgr -f deluser.scr -y
scamgr Secure Communication
The scamgr utility establishes an encrypted network connection (channel) between the scamgr application and the Sun Crypto Accelerator 6000 firmware running on a specific board. This point-to-point encrypted channel is not visible to any of the other software components between scamgr and the device (for example, the mca device driver). This encrypted channel allows scamgr to run safely and securely over the network. The key exchange is performed with RSA 1024-bit keys while the bulk data is protected using AES-128. SHA1 HMACs provide data integrity for each command data payload.
During setup of the encrypted channel, boards identify themselves by their hardware serial ID address and an RSA public key. A trust database ($HOME/.sunw/sca/trustdb) is created the first time scamgr connects to a board. This file contains all of the boards that are currently trusted by the security officer.
When the firmware gives scamgr an RSA public key, a SHA-1 hash is taken on the modulus. This action forms a key fingerprint that can be stored in a database in the UNIX user's home directory. When a connection is made and an unrecognized key is given to scamgr by the firmware, scamgr prompts the security officer to either abort the connection, accept the key for this one session, or accept the key permanently as a trusted key in the trust database. If a key to a previously trusted card changes, scamgr offers the same choices except that when accepting the key as a trusted key it overwrites the old key with the new one.
Note – The Sun Crypto Accelerator 6000 board is preprogrammed with a unique remote access key for connecting to an uninitialized board. The fingerprint for this remote access key is printed on the board and must be verified when logging into a board for the first time to ensure that a secure channel is established with the correct board.
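The trust decision described above, sketched as an added example (it is not Oracle's code or the scamgr implementation). The byte encoding of the modulus, the dict standing in for the trust database, and the rule that a key is stored only after an out-of-band fingerprint match are assumptions of this sketch; all sample values are constructed.

```python
import hashlib
import hmac

ABORT, SESSION_ONLY, TRUST_PERMANENTLY = 1, 2, 3  # the three menu choices

# Constructed sample values, not real board keys or serial IDs.
SERIAL = "00:00:00:00:00:01"
MODULUS_A = (1 << 1023) | 0x10001
MODULUS_B = (1 << 1023) | 0x20003


def key_fingerprint(modulus: int) -> str:
    """SHA-1 of the RSA modulus as ten hyphen-separated groups of four hex digits."""
    # Assumption: the modulus is hashed as unsigned big-endian bytes.
    raw = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    digest = hashlib.sha1(raw).hexdigest()
    return "-".join(digest[i:i + 4] for i in range(0, len(digest), 4))


def classify(trustdb: dict, serial_id: str, modulus: int) -> str:
    """Return 'trusted', 'not_found' or 'conflict' for the key a board presents."""
    stored = trustdb.get(serial_id)
    if stored is None:
        return "not_found"          # "Serial ID and Public Key Not Found"
    if hmac.compare_digest(stored, key_fingerprint(modulus)):
        return "trusted"
    return "conflict"               # "Public Key Conflict"


def connect(trustdb, serial_id, modulus, choice=ABORT, verified_fingerprint=None):
    """Decide whether a session may proceed; trustdb changes only on choice 3.

    verified_fingerprint is the value the officer obtained out of band (for a
    new board, the fingerprint printed on the board). Requiring it before a
    key is stored is this example's policy; scamgr leaves it to the officer.
    """
    if classify(trustdb, serial_id, modulus) == "trusted":
        return True
    if choice == ABORT:
        return False
    if choice == SESSION_ONLY:
        return True                 # nothing is written to the trust database
    if choice == TRUST_PERMANENTLY:
        presented = key_fingerprint(modulus)
        if verified_fingerprint is None or not hmac.compare_digest(
                presented, verified_fingerprint):
            return False            # refuse to pin a key nobody has verified
        trustdb[serial_id] = presented  # adds the entry or overwrites the old key
        return True
    raise ValueError("choice must be 1, 2 or 3")


if __name__ == "__main__":
    db = {}
    print(classify(db, SERIAL, MODULUS_A), key_fingerprint(MODULUS_A))
    connect(db, SERIAL, MODULUS_A, TRUST_PERMANENTLY, key_fingerprint(MODULUS_A))
    print(classify(db, SERIAL, MODULUS_A), classify(db, SERIAL, MODULUS_B))
```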
Initializing the Board With scamgr
The first step in configuring a Sun Crypto Accelerator 6000 board is to initialize it. There are two types of initialization. The first is board initialization and the second is keystore initialization. When you first connect to an uninitialized board with scamgr, you are prompted to perform a board initialization, which creates a device security officer (DSO) account. Once the board is initialized, you are prompted to perform a keystore initialization, which creates a keystore security officer (KSO) account. For more information on DSOs and KSOs, see “Device and Keystore Security Officers” on page 34.
Board Initialization
Board initialization occurs only when the board is uninitialized. Board initialization enables the administrator to select whether the board (and all its keystores) will run in FIPS mode or not, and creates the first DSO. DSOs can perform tasks that affect the board as a whole, such as firmware upgrades and board zeroization. No keystores can be created until the board itself has been initialized. To log in as a DSO, you must start scamgr with the -D or dso option.
Board initialization is secured using a factory key, which is an RSA key that is permanently stored in the hardware. This key is only used to secure communications to an uninitialized board. After any successful board initialization, a new remote access key is created. This new key is used to secure communications when new keystores are initialized and administered.
Perform a Board Initialization
1. Select FIPS 140-2 mode or non-FIPS mode.
When in FIPS mode the board is FIPS 140-2, level 3 compliant. FIPS 140-2 is a Federal Information Processing Standard that requires tamper-resistance and a high level of data integrity and security. Refer to the FIPS 140-2 document located at:
http://www.nist.gov
Run in FIPS 140-2 mode? (Y/Yes/N/No) [No]: y
2. Create an initial DSO name and password.
See “Naming Requirements” on page 58.
Initial Security Officer Name: device-sec-officer
Initial Security Officer Password:
Confirm Password:
Note – Before an essential parameter is changed or deleted, or before a command is executed that might have drastic consequences, scamgr prompts you to enter Y, Yes, N, or No to confirm. These values are not case-sensitive; the default is No.
3. Verify the configuration information:
Board initialization parameters:
-----------------------------------------------------
Initial Security Officer Name: device-sec-officer
Keystore name: keystore-name
Run in FIPS 140-2 Mode: Yes
-----------------------------------------------------
Is this correct? (Y/Yes/N/No) [No]: y
Initializing crypto accelerator board... This may take a few minutes...Done.
Keystore Initialization
Once the board is initialized, connecting to it with scamgr displays a menu of any existing keystores, and also allows the keystore security officer (KSO) to create a new keystore. For details on keystores, see “Web Server Concepts and Terminology” on page 158. Keystore creation creates the first KSO. The KSO then creates the name of the keystore and decides whether the keystore is local or centralized (see “Perform a Keystore Initialization and Use an Existing Keystore” on page 42).
In addition, a keystore can be restored to an initialized board by loading it from a backup (see “Perform a Keystore Initialization and Use an Existing Keystore” on page 42). The scamgr utility prompts for the backup file location and uploads the file to the board as part of the keystore initialization process. This option can be used to recover a keystore when a board or host system is damaged, or to configure a second Sun Crypto Accelerator 6000 board to work with an existing keystore in a fault-tolerant architecture.
Perform a Keystore Initialization and Create a New Keystore
Use this procedure when you are initializing the board for the first time, or when you do not want to initialize an existing keystore.
1. Connect to the board with the scamgr command.
If the board is installed locally, enter scamgr at the system prompt
If the system is remote, enter scamgr -h hostname
2. Enter 2 then 1 as shown in the following example:
# scamgr -h hostname
Please select an action:
1. Abort this connection
2. Trust the board for this session only.
3. Replace the trusted key with the new key.
Your Choice --> 2
This board is uninitialized. You will now initialize the board. You may either completely initialize the board and start with a new keystore or initialize the board to use an existing keystore, providing a backup file in the process.
1. Initialize the board with a new keystore
2. Initialize the board to use an existing keystore
Your Choice (0 to exit) --> 1
3. Create a keystore name.
See “Naming Requirements” on page 58.
Keystore Name: keystore-name
Performing a Keystore Initialization to Use an Existing Keystore
If you are adding multiple boards to a single keystore, you might want to initialize all of the boards to use the same keystore information. In addition, you might want to restore a Sun Crypto Accelerator 6000 board to the original keystore configuration. This section describes how to initialize a board to use an existing keystore that is stored in a backup file.
You must first create a backup file of an existing board configuration before performing this procedure. Creating and restoring a backup file requires a password to encrypt and decrypt the data in the backup file. (See “Back Up a Master Key” on page 65.)
Note – To initialize a board from a previous backup, both the master key backup file and the encrypted keystore data files are required. The encrypted keystore files must exist in the keystore directory (/var/sca/keydata by default). There are three files that must be placed in the top level keystore directory on the machine to which the keystore is being restored. The first file is the config file for the keystore, which has the filename keystore-name.serial-number.{keystore-id}.conf. The second and third are the user.db and object.db files, which are located in the subdirectory under the top-level keystore directory named keystore-name.serial-number.{keystore-id}.
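A preflight check for the file layout this Note describes, with the ownership check from the 1.0 restore procedure available as an option. This is an added example, not Oracle's code: check_keydata, its report format and the tree built in demo() are hypothetical, and only the names ks.600054.{69efe289}, user.db and object.db come from this guide.

```python
import os
import re
import tempfile

# Names follow keystore-name.serial-number.{keystore-id}, per the Note above.
STEM_RE = re.compile(r"^.+\.\{[0-9A-Fa-f]+\}$")
REQUIRED_DB_FILES = ("user.db", "object.db")


def check_keydata(keydata_dir, expected_uid=None):
    """Return {keystore stem: [problems]} for every keystore found in keydata_dir.

    An empty list means the .conf file, the directory and both database files
    are present. expected_uid, when given, is the numeric owner that the .conf
    file and everything in the keystore directory must have (for the daemon
    account: pwd.getpwnam("daemon").pw_uid).
    """
    stems = set()
    for entry in os.listdir(keydata_dir):
        stem = entry[:-len(".conf")] if entry.endswith(".conf") else entry
        if STEM_RE.match(stem):
            stems.add(stem)

    report = {}
    for stem in sorted(stems):
        problems, present = [], []
        conf = os.path.join(keydata_dir, stem + ".conf")
        store = os.path.join(keydata_dir, stem)
        if os.path.isfile(conf):
            present.append(conf)
        else:
            problems.append("missing " + stem + ".conf")
        if os.path.isdir(store):
            present.append(store)
            for dirpath, dirnames, filenames in os.walk(store):
                present.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
            for name in REQUIRED_DB_FILES:
                if not os.path.isfile(os.path.join(store, name)):
                    problems.append("missing " + stem + "/" + name)
        else:
            problems.append("missing directory " + stem)
        if expected_uid is not None:
            for path in sorted(present):
                if os.lstat(path).st_uid != expected_uid:
                    problems.append("wrong owner: " + os.path.relpath(path, keydata_dir))
        report[stem] = problems
    return report


def demo():
    """Check a constructed keydata tree; returns (report, report_for_wrong_uid)."""
    with tempfile.TemporaryDirectory() as root:
        good = "ks.600054.{69efe289}"   # the guide's example name
        bad = "ks2.600054.{0a1b2c3d}"   # constructed: object.db is left out
        for stem in (good, bad):
            open(os.path.join(root, stem + ".conf"), "w").close()
            os.mkdir(os.path.join(root, stem))
            open(os.path.join(root, stem, "user.db"), "w").close()
        open(os.path.join(root, good, "object.db"), "w").close()
        owner = os.lstat(root).st_uid   # owner of everything just created
        return check_keydata(root, owner), check_keydata(root, owner + 1)


if __name__ == "__main__":
    for stem, problems in demo()[0].items():
        print(stem, "OK" if not problems else problems)
```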
Perform a Keystore Initialization and Use an Existing Keystore
1. Initialize the board with the scamgr command.
If the board is installed locally, enter scamgr at the system prompt
If the system is remote, enter scamgr -h hostname
2. Enter 2 as shown in the following example:
# scamgr -h hostname
This board is uninitialized. You will now initialize the board. You may either completely initialize the board and start with a new keystore or restore the board using a backup file.
1. Initialize the board with a new keystore
2. Initialize the board to use an existing keystore
Your Choice (0 to exit) --> 2
3. Enter the path and password to the backup file:
Note – If the backup file was created in Multi-Admin mode, authentication is required by multiple security officers assigned the Multi-Admin role.
Enter the path to the backup file: /tmp/board-backup
Password for restore file:
4. Verify the configuration information.
Board restore parameters:
----------------------------------------------------------------
Path to backup file: /tmp/board-backup
Keystore name: sca6000-keystore
Requires Multi-Admin auth: No
----------------------------------------------------------------
Is this correct? (Y/Yes/N/No) [No]: y
Restoring data to crypto accelerator board...
Authentication and Logging In and Out With scamgr
Only security officers can log into a Sun Crypto Accelerator 6000 board with this utility. It is not possible to log into a user account using scamgr. User accounts are for applications that use the card (for example, with the PKCS#11 interface).
In accordance with FIPS 140-2 guidelines, no security officer can issue commands without first authenticating. Authentication is identity-based. A valid security officer name and password must exist in the card's keystore before access is granted.
When you use scamgr from the command line and specify host, port, and device using the -h, -p, and -d options respectively, you are immediately prompted to log in as security officer if a successful network connection was made. See “scamgr Syntax” on page 35 and “scamgr Options” on page 35 for more information.
scamgr Prompt
The scamgr prompt in Interactive mode is displayed as follows:
scamgr{mcaN@hostname, sec-officer}> command
The following table defines the variables in the scamgr prompt:
TABLE 3-2 scamgr Prompt Variable Definitions
Prompt Variable   Definition
mcaN              mca is a string that represents the Sun Crypto Accelerator 6000 board. N is the device instance number (unit address) that is in the device path name of the board.
hostname          The name of the host to which the Sun Crypto Accelerator 6000 board is physically connected. You may replace hostname with the physical host’s IP address.
sec-officer       The name of the security officer that is currently logged in to the board.
Log In To a Board With scamgr
Type:
# scamgr -h hostname
If the security officer connects to a new board, scamgr notifies the security officer and prompts with the following options:
1. Abort this connection
2. Trust the board for this session only
3. Trust the board for all future sessions
If the security officer connects to a board that has a remote access key that has been changed, scamgr notifies the security officer and prompts with the following three options:
1. Abort this connection
2. Trust the board for this session only
3. Replace the trusted key with the new key
Log In To a New Board
Note – The remaining examples in this chapter were created with the Interactive mode of scamgr.
When connecting to a new board, scamgr must create a new entry in the trust database.
Type the scamgr command.
For example:
# scamgr -h hostname
Warning: Serial ID and Public Key Not Found
--------------------------------------------------------------
The Serial ID and public key presented by this board were not found in your trust database.
Serial ID: 36:30:30:30:30:33
Key Fingerprint: baa4-17f8-1128-1c6a-9a18-3719-988f-64a0-a4a5-f72f
--------------------------------------------------------------
Please select an action:
1. Abort this connection
2. Trust the board for this session only.
3. Trust the board for all future sessions.
Your Choice -->
Log In To a Board With a Changed Remote Access Key
When connecting to a board that has a changed remote access key, you must use scamgr to change the entry corresponding to the board in the trust database.
Type the scamgr command.
For example:
# scamgr -h hostname
Warning: Public Key Conflict
--------------------------------------------------------------
The public key presented by the board you are connecting to is different than the public key that is trusted for this Serial ID.
Serial ID: 36:30:30:30:30:33
New Key Fingerprint: baa4-17f8-1128-1c6a-9a18-3719-988f-64a0-a4a5-f72f
Trusted Key Fingerprint: e207-6ff7-41f4-3766-bafd-5910-973d-a32b-46e8-6e73
--------------------------------------------------------------
Please select an action:
1. Abort this connection
2. Trust the board for this session only.
3. Replace the trusted key with the new key.
Your Choice -->
Log Out Of a Board With scamgr
If you are working in Interactive mode, you might want to disconnect from one board and connect to another board without completely exiting scamgr.
Type the logout command.
For example:
scamgr{mcaN@hostname, sec-officer}> logout
scamgr>
Log In To Another Board
Type the connect command.
For example:
scamgr{mcaN@hostname, sec-officer}> logout
scamgr> connect host hostname dev mca2
Security Officer Login: sec-officer
Security Officer Password:
scamgr{mca2@hostname, sec-officer}>
In the previous example, notice that the scamgr> prompt no longer displays the device instance number, hostname, or security officer name. To log into another device, type the connect command with the following optional parameters.
TABLE 3-3 connect Command Optional Parameters for Connecting to Another Board
Parameter       Meaning
dev mcaN        Connects to the Sun Crypto Accelerator 6000 board with the driver instance number of N. For example -d mca1 connects to the device mca1. The default is device mca0.
host hostname   Connects to the Sun Crypto Accelerator 6000 board on hostname. The default is the loopback address. You may replace hostname with the physical host’s IP address.
port port       Connects to the Sun Crypto Accelerator 6000 board on port port (defaults to 6870).
scamgr does not allow you to issue the connect command if you are already connected to a Sun Crypto Accelerator 6000 board. You must first log out and then issue the connect command.
Each new connection causes scamgr and the target Sun Crypto Accelerator 6000 firmware to renegotiate new session keys to protect the administrative data that is sent.
Quitting the scamgr Utility
Use one of the following actions to quit the scamgr utility.
Quit the scamgr Utility
Take one of the following actions:
Type scamgr - quit.
Type exit.
Type Ctrl-D.
Entering Commands With scamgr
This section lists the available scamgr commands and describes their usage.
Entering scamgr Commands
The scamgr utility has a command language that must be used to interact with the Sun Crypto Accelerator 6000 board. You enter commands using all or part of a command (enough to uniquely identify that command from any other command). Entering sh instead of show would work, but re is ambiguous because it could be reset or rekey.
The following example shows entering commands using entire words:
scamgr{mcaN@hostname, sec-officer}> show user
User                          Status
-----------------------------------------------------
web-admin                     Enabled
Tom                           Enabled
-----------------------------------------------------
The same information can be obtained in the previous example using partial words as commands, such as sh us.
An ambiguous command produces an explanatory response:
scamgr{mcaN@hostname, sec-officer}> re
Ambiguous command: re
scamgr Commands
TABLE 3-4 lists the scamgr commands.
TABLE 3-4 scamgr Commands
Command Description
backup device pathname (DSO only) Backs up the master key and device configuration
to the path specified by pathname. If no path is specified scamgr prompts the user for the pathname. Any successful backup increments the backup counter by one (see show status). If Multi-Admin mode is enabled when this command is entered it requires authentication by multiple security officers with the Multi-Admin role.
backup keystore
pathname
backup master-key
pathname
connect host hostname port portnumber dev mcaN keystore keystorename dso
(KSO only) Performs a full keystore backup including all user and key objects, log messages, and the master key and keystore configuration. These are collected, encrypted and placed in the file referenced by pathname. If no path is specified, scamgr prompts for one. Successful backups increment the backup counter by one (see show status). If Multi-Admin mode is enabled when this command is entered, it requires authentication by multiple security officers with the Multi-Admin role.
(KSO only) Backs up the master key only, encrypting it and placing it in the file specified by pathname. This backup file can be used to import the master key into one or more other boards so they can make use of the same keystore.
Attempts to establish a connection to a Sun Crypto Accelerator board. If the host option is specified, it must be followed by a valid host name or IP address. If the port option is specified, it must be followed by a valid port number. If the dev option is specified, it must be followed by a valid device instance number (followed by the mca string). If the keystore option is specified, it must be a full or partial keystore name. The dso option logs in as a device security officer rather than a keystore security officer. The default values for these arguments are the same as for the -h,
-p, -d, and -k options (see
TABLE 3-1).
Chapter 3 Administering the Sun Crypto Accelerator 6000 Board 49
TABLE 3-4 scamgr Commands (Continued)
Command Description
convert keystore (KSO only) Converts a keystore from a local keystore to a
centralized one or vice-versa, depending on the current keystore type.
copy keystore
newkeystorename
(KSO only) Copies the existing keystore (including all users, security officers, and key objects) to a new keystore named
newkeystorename.
create so sec-officer Creates the named security officer. If the security officer name
is not specified in sec-officer, scamgr prompts for one. Valid names must begin with an alphabetical character and be between 1 and 63 characters. Valid characters consist of alphanumeric characters and the hyphen (-), underscore (_), and period (.) characters. When creating a new security officer the current security officer will be asked to set the new security officer's password and then asked to confirm it.
create user username (KSO only) Creates a user named username.Ifusername is not
specified, scamgr prompts for one. The name restrictions are identical to those in the create so command. When creating a user, the security officer is asked to set the new user's password, then asked to confirm it.
delete keystore (KSO only) Ensure that you create a full keystore backup if
you want to be able to restore a keystore before deleting it (see the backup keystore command). This command deletes a keystore from an existing board. The master key and configuration are deleted, along with the keystore database. The only way to restore a keystore once it has been deleted is to restore it from a full keystore backup.
delete master-key
keystorename
Deletes the master key named keystorename from the board. This will not remove any key database files or entries. Only the master key from the board on which the command is run is removed.
delete so sec-officer Deletes the security officer named sec-officer from the
keystore. Confirmation is requested unless the -y option is entered when scamgr is executed. If the board is in Multi­Admin mode and the security officer to be deleted also has the Multi-Admin role, the security officer cannot be removed. The security officer must first be removed from the Multi­Admin role and then deleted (see the disable authmember command).
delete user username (KSO only) Deletes the user named username from the
keystore. All key material owned by the user is also deleted. Confirmation is requested unless the -y option is supplied when scamgr is started.
diagnostics Performs firmware diagnostics on the board. This command tests the general hardware and cryptographic subsystems. This command returns a PASS value for each passing subsystem. If a subsystem fails, this command attempts to identify the specific failure. Tests that normally follow a failed test do not occur.
disable authmember sec-officer Removes the Multi-Admin role from the security officer sec-officer. If this command is entered when Multi-Admin mode is enabled, it requires authentication by multiple security officers with the Multi-Admin role assigned. This command does not execute if it would reduce the number of security officers with the Multi-Admin role below the required minimum.
disable keystore (KSO only) Prevents users and kernel consumers from using the keystore named keystorename. The keystore being disabled must be locked for this command to execute correctly.
disable multiadmin Takes the board out of Multi-Admin mode. This command requires authentication by multiple security officers with the Multi-Admin role.
disable new-keystores (DSO only) Disables keystore creation functions on the board. With this setting disabled, no new keystores can be created.
disable user username (KSO only) Disables the user named username in the keystore. A disabled user cannot log in and cannot access key material.
enable authmember sec-officer Gives the security officer named sec-officer the Multi-Admin role. If this command is entered while Multi-Admin mode is enabled, it requires authentication by multiple security officers with the Multi-Admin role.
enable keystore (KSO only) Enables a keystore for use by users and kernel consumers. This command can only be executed on a locked keystore. When a locked keystore is enabled, it remains enabled only until the next reset.
enable multiadmin Enables Multi-Admin mode. When enabled, certain commands require multiple security officers to authenticate before the command can complete successfully. When this command is executed, the security officer is presented with the current Multi-Admin mode settings and is given the opportunity to change these values before the command completes. This command does not identify the -y option.
enable new-keystores (DSO only) Enables new keystores to be created on the board. Keystore creation is enabled by default.
enable user username Enables the user named username in the keystore.
exit Exits scamgr.
load firmware firmwarepath (DSO only) Loads a firmware image specified in firmwarepath to the board. Firmware images must be digitally-signed code from Sun. When new firmware is successfully uploaded, the device continues to run the current firmware until it is manually reset (see the reset command).
lock keystore (KSO only) Locks the keystore (keystorename) which prevents the keystore from being used until it is enabled (see the enable keystorename command). Keystores that are locked are disabled by default. Once the keystore is enabled, it stays enabled until the board is reset either explicitly or through a power cycle. A keystore can be unlocked which turns off this default disable behavior (see the unlock keystorename command). If this command is entered while Multi-Admin mode is enabled, it requires authentication by a quorum of security officers with the Multi-Admin role.
lock master-key Locks the master key. Once locked, the master key cannot be backed up using the backup master-key command. If the master key lock is set, new master keys created through the rekey command are automatically locked and cannot be backed up. Once set, a locked master key cannot be unset. If the master key is locked by a DSO, a board zeroize is required to clear it. If it is locked by a KSO, the lock cannot be cleared without deleting the keystore itself.
Systems that use multiple boards on a single keystore should use this command with care, understanding that the need to rekey the master key is tantamount to needing to reinitialize all boards using that keystore on the system. For single-board systems, this command can be used more freely with the rekey command, with the understanding that recoverability of the data in the keystore is completely lost once a rekey happens.
logout Discards the current authentication credentials and closes the connection to the device. This will not end the execution of scamgr. The only command that can be executed when not logged into a board is the connect command.
quit Exits scamgr.
rekey master-key (KSO only) Generates a new master key for the keystore. Keystore files are automatically re-encrypted in the new master key. Other boards working with the same keystore need to have this new master key loaded to be able to continue working with this keystore (see the zeroize command and the section on initialization).
rekey remote-access (DSO only) Rekeys the remote access key. This command logs the security officer out of the existing session when successful.
reset (DSO only) Resets the board. This command logs the security officer out from the board and closes the session.
set audit-level log-level (KSO only) Sets the keystore audit log level. The log level is an integer value from zero to seven, with each successive log level being incremented. The descriptions of the log levels are as follows:
0 – Keystore auditing is disabled
1 – Notices
2 – Administration
3 – Logins (Security officers and Users)
4 – User (creation, deletion, or password changes)
5 – PKCS#11 (session creation, deletion, etc.)
6 – Token Objects (key creation, deletion, etc.)
7 – Session Objects (key creation, deletion, etc.)
set lock This command is deprecated. Please use the lock master-key command instead.
set multiadmin minauth number-of-minimum-admin-role-sec-officers This command sets the quorum of security officers required for the successful completion of a Multi-Admin mode command. This value must be at least 2 and less than or equal to the total number of security officers on the system. In addition, if Multi-Admin mode is already enabled, the new value cannot exceed the number of security officers in the Multi-Admin role. If the board is in Multi-Admin mode then the command will require authentication by multiple security officers with the Multi-Admin role.
set multiadmin timeout number-of-minutes Changes the timeout for commands requiring Multi-Admin mode authentication. This value is in minutes and must be between 1 and 1440 (1 day). If a value larger than 1440 is specified, the value will be set to 1440. If the board is already in Multi-Admin mode, it requires authentication by multiple security officers with the Multi-Admin role.
set password Changes the password for the currently logged in security officer. To change passwords for keystore users, the PKCS#11 interface must be used. See Appendix E.
set passreq Changes the password requirement setting. There are three levels of password requirements:
• Low – No password requirements
• Med – Minimum 6 characters—at least three characters must be alphabetic, and at least one must be nonalphabetic.
• High – Minimum 8 characters—at least three characters must be alphabetic and at least one must be nonalphabetic.
The system defaults to the Low security level when not in FIPS 140-2 mode and defaults to Med security level when in FIPS 140-2 mode. In FIPS mode, the board cannot be set below the Med security level.
set timeout number-of-minutes Changes the connection timeout value for administrative sessions. This parameter takes a value between 1 and 1440 as the number of minutes before the firmware will drop the authentication credentials of the logged in security officer and drop the connection. Values less than 1 disable the timeout completely. Values greater than 1440 minutes (1 day) are shortened to 1440.
show audit-log path outfile range logrange (KSO only) Displays the current keystore audit log. Audit logs are displayed to standard out by default, but can be sent to the file outfile using the path option keyword. The number of log messages displayed can be controlled with the range option, with the input value (logrange) being either a positive or negative integer that displays the log range of newest or oldest log entries, respectively. By default the entire log is displayed.
show domains (DSO only) Displays all the domains that have keystores loaded onto a given board.
show keystores (DSO only) Lists all the keystores that a given board has master keys for. It also displays the type of keystore it is: centralized, local, or disconnected. A disconnected keystore is one where the master key is loaded but the actual key database is unavailable for some reason. Also, the domain that the keystore exists in is shown.
show old-audit-log (KSO only) Behaves identically to the show audit-log command, except that it works on the set of audit logs that have been rotated into the old audit log pool. For more details on controlling the size of the audit logs, see the man page for scakiod(1M).
show so Shows all security officer accounts set for the keystore and whether they have the Multi-Admin role.
show status Shows device and keystore parameters. The information is broken down into categories: version information, keystore information, and security settings.
show user (KSO only) Shows all user accounts created in the keystore, and whether the users are enabled or disabled.
unlock keystore (KSO only) Unlocks a locked keystore (see the lock keystorename command for details on locked keystores). This command requires a quorum of security officers with the Multi-Admin role to authenticate if Multi-Admin mode is enabled.
zeroize (DSO only) Cleans the board of all security parameters, and returns the board to its uninitialized factory state. The board uses the factory remote access key to secure any connections to it while in the uninitialized state. Firmware upgrades done to the board prior to the zeroize command are preserved. Zeroizing a board does not delete the keystore file on the disk. Zeroizing a board without backing up its master key makes all data in the keystore that board was working with unrecoverable.
Getting Help for Commands
scamgr has built-in help functions. To get help, you must enter a question mark (?) character following the command you want more help on. If you enter an entire command and a “?” exists anywhere on the line, you get the syntax for the command, for example:
scamgr{mcaN@hostname, sec-officer}> create ?
Sub-Command         Description
-----------------------------------------------------
so                  Create a new security officer
user                Create a new user

scamgr{mcaN@hostname, sec-officer}> create user ?
Usage: create user [<username>]

scamgr{mcaN@hostname, sec-officer}> set ?
Sub-Command         Description
-----------------------------------------------------
lock                Lock master key (Prevents key backup)
multiadmin          Configure Multi-Admin mode
passreq             Set password security level
password            Change password for security officer
timeout             Set firmware auto-logout timer
You can also enter a question mark at the scamgr prompt to see a list of all of the scamgr commands and their description, for example:
scamgr{mcaN@hostname, sec-officer}> ?
Sub-Command         Description
----------------------------------------------------------------
backup              Backup device and keystore data
convert             Convert data items
copy                Copy data items
create              Create users and accounts
delete              Delete users, accounts and keystores
disable             Disable users, modes or options
enable              Enable users, modes or options
exit                Exit scamgr
lock                Lock data items
logout              Logout current session
quit                Exit scamgr
rekey               Generate new system keys
rename              Rename data items
set                 Set operating parameters
show                Show system settings
unlock              Unlock data items
Note – When not in scamgr Interactive mode, the “?” character could be interpreted by the shell in which you are working. In this case, ensure that you use the command shell escape character before the question mark. For example, in the C shell you must type \?
Managing Keystores With scamgr
Note – You must log in to scamgr as a keystore security officer (KSO) to manage keystores as described in this section. Device security officers (DSOs) cannot perform the procedures in this section. For information on KSOs and DSOs, see “Device and Keystore Security Officers” on page 34.
A keystore is a repository for key material. Associated with a keystore are keystore security officers (KSOs) and users. Keystores not only provide storage, but a means for key objects to be owned by user accounts. This situation enables keys to be hidden from applications that do not authenticate as the owner. Keystores have three components:
• Key objects – Long-term keys that are stored for applications such as the Sun Java System Web Server.
• User accounts – Accounts that provide applications a means to authenticate and access specific keys.
• Security officer accounts – Accounts that provide access to key management functions through scamgr.
Multiple Keystore Support
The scamgr utility supports multiple keystores running on a single board. Keystores must be uniquely named. Each individual keystore contains its own set of security officers, users, and key objects.
FIGURE 3-1 Multiple Keystore Support
At connection time, scamgr displays a list of keystores that can be logged into. Security officers can specify a keystore by name using the -k keystorename option. See TABLE 3-1.
Note – Multiple boards can be configured to collectively work with the same keystore to provide additional performance and fault tolerance.
Naming Requirements
Security officer names, user names, and keystore names must meet the following requirements:
TABLE 3-5 Security Officer Name, User Name, and Keystore Name Requirements
Name Requirement    Description
Minimum length      At least one character.
Maximum length      63 characters for security officer names and user names. 32 characters for keystore names.
Valid characters    Alphanumeric, underscore (_), dash (-), and dot (.).
First character     Must be alphabetic.
Password Requirements
Password requirements vary based on the current set passreq setting (low, med, or high).
Set the Password Requirements
1. Start the scamgr utility.
2. Type set passreq.
This command sets the password character requirements for any password prompted by scamgr. There are three settings for password requirements, as shown in the following table:
TABLE 3-6 Password Requirement Settings
Password Setting    Requirements
low                 Does not require any password restrictions. This is the default while the board is in non-FIPS mode.
med                 Requires six characters minimum. Three characters must be alphabetic and one character must be nonalphabetic. This is the default setting while the board is in FIPS 140-2 mode and is the minimum password requirement allowed in FIPS 140-2 mode.
high                Requires eight characters minimum. Three characters must be alphabetic, and one character must be nonalphabetic. This is not a default setting and must be configured manually.
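The naming rules in TABLE 3-5 and the password levels in TABLE 3-6 can be checked before a batch of accounts is typed into scamgr. The following is an added example, not code from this guide or from the scamgr software; the function names, the "so"/"user"/"keystore" labels, the sample batch, and the reading of "alphabetic" as ASCII letters are assumptions of the example.

```python
import re

# Length limits from TABLE 3-5. The kind labels are this example's own.
MAX_NAME_LEN = {"so": 63, "user": 63, "keystore": 32}
# Minimum lengths from TABLE 3-6 (low has no requirements at all).
MIN_PASSWORD_LEN = {"med": 6, "high": 8}
LEVELS = ("low", "med", "high")


def check_name(name, kind):
    """Return the TABLE 3-5 rules a proposed name breaks (empty list = acceptable)."""
    if not name:
        return ["must be at least one character"]
    problems = []
    if len(name) > MAX_NAME_LEN[kind]:
        problems.append(f"longer than {MAX_NAME_LEN[kind]} characters")
    # Assumption: "alphabetic" and "alphanumeric" mean ASCII letters and digits.
    if not re.match(r"[A-Za-z]", name):
        problems.append("first character must be alphabetic")
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", name):
        problems.append("contains a character other than alphanumeric, '_', '-' or '.'")
    return problems


def check_password(password, level):
    """Return the TABLE 3-6 rules a password breaks at the given passreq level."""
    if level not in LEVELS:
        raise ValueError(f"unknown passreq level: {level}")
    if level == "low":
        return []
    problems = []
    if len(password) < MIN_PASSWORD_LEN[level]:
        problems.append(f"shorter than {MIN_PASSWORD_LEN[level]} characters")
    letters = sum(1 for ch in password if ch.isascii() and ch.isalpha())
    if letters < 3:
        problems.append("fewer than three alphabetic characters")
    if len(password) - letters < 1:
        problems.append("no nonalphabetic character")
    return problems


def default_level(fips_mode):
    """Default passreq level: med in FIPS 140-2 mode, low otherwise."""
    return "med" if fips_mode else "low"


def level_allowed(level, fips_mode):
    """In FIPS 140-2 mode the board cannot be set below the med level."""
    if level not in LEVELS:
        raise ValueError(f"unknown passreq level: {level}")
    return not fips_mode or LEVELS.index(level) >= LEVELS.index("med")


def preflight(accounts, level):
    """Check (kind, name, password) tuples; return {name: [problems]} for rejects.

    A password of None skips the password check (used here for keystore names).
    """
    rejected = {}
    for kind, name, password in accounts:
        problems = check_name(name, kind)
        if password is not None:
            problems += ["password: " + p for p in check_password(password, level)]
        if problems:
            rejected[name] = problems
    return rejected


# Constructed sample batch; none of these values come from a real system.
SAMPLE = [
    ("so", "Alice", "s3cure-Pass"),
    ("user", "web-admin", "abcdef"),
    ("user", "9lives", "abc123"),
    ("keystore", "k" * 33, None),
]

if __name__ == "__main__":
    for name, problems in preflight(SAMPLE, "med").items():
        print(name, problems)
```
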
Change Password Requirements
1. Start the scamgr utility.
2. Type the set passreq command followed by low, med, or high.
The following commands set the password requirements for a Sun Crypto Accelerator 6000 board to high:
scamgr{mcaN@hostname, sec-officer}> set passreq high
scamgr{mcaN@hostname, sec-officer}> set passreq
Password security level (low/med/high): high
Change Passwords
Only security officer passwords may be changed with scamgr. Security officers can change their own password.
1. Start the scamgr utility.
2. Type set password.
For example:
scamgr{mcaN@hostname, sec-officer}> set password
Enter new security officer password:
Confirm password:
Security Officer password has been set.
User passwords may be changed through the PKCS#11 interface with the Sun Java System Web Server modutil utility. Refer to the Sun Java System Web Server documentation for details.
Managing Security Officers and Users
This section describes how to populate keystores and how to list, enable, disable, and delete security officers and users.
Populate a Keystore With Security Officers
There might be more than one security officer for a keystore. Security officer names are known only within the domain of the Sun Crypto Accelerator 6000 board and do not need to be identical to any user name on the host system.
1. Start the scamgr utility.
2. Type create so.
When creating a security officer, the name is an optional parameter on the command line. If the security officer name is omitted, scamgr prompts you for the name. (See “Naming Requirements” on page 58.) For example:
scamgr{mcaN@hostname, sec-officer}> create so Alice
Enter new security officer password:
Confirm password:
Security Officer Alice created successfully.

scamgr{mcaN@hostname, sec-officer}> create so
New security officer name: Bob
Enter new security officer password:
Confirm password:
Security Officer Bob created successfully.
Populate a Keystore With Users
User names are known only within the domain of the Sun Crypto Accelerator 6000 board and do not need to be identical to the UNIX user name for the web server process.
1. Start the scamgr utility.
2. Type create user user-name.
When creating a user, the user name is an optional parameter on the command line. If the user name is omitted, scamgr prompts you for the user name. (See “Naming Requirements” on page 58.) For example:
scamgr{mcaN@hostname, sec-officer}> create user web-admin
Enter new user password:
Confirm password:
User web-admin created successfully.

scamgr{mcaN@hostname, sec-officer}> create user
New user name: Tom
Enter new user password:
Confirm password:
User Tom created successfully.
Users must use this password when authenticating during a web server startup.
Caution – Users must remember their password so they can access their keys. There is no way to retrieve a lost password.
Note – The user account is logged out if no commands are entered for more than five minutes. This is a tunable option. See “Set the Auto-Logout Time” on page 77 for details.
List Users
You can list users associated with a keystore.
1. Start the scamgr utility.
2. Type the show user command.
For example:
scamgr{mcaN@hostname, sec-officer}> show user
User                          Status
-----------------------------------------------------
web-admin                     Enabled
Tom                           Enabled
-----------------------------------------------------
List Security Officers
You can list security officers associated with a keystore.
1. Start the scamgr utility.
2. Type the show so command. For example:
scamgr{mcaN@hostname, sec-officer}> show so
Security Officer              Multi-Admin Role
----------------------------------------------------------------
sec-officer1                  Enabled
sec-officer2                  Enabled
sec-officer3                  Enabled
sec-officer4                  Disabled
----------------------------------------------------------------
Disable Users
Note – Security officers cannot be disabled. Once a security officer is created, it is enabled until it is deleted.
Users and security officers are enabled by default. Users may be disabled. Disabled users cannot access their key material with the PKCS#11 interface. Enabling a disabled user restores access to all of that user’s key material.
1. Start the scamgr utility.
2. Type disable user user-name.
When enabling or disabling a user, the user name is an optional parameter on the command line. If the user name is omitted, scamgr prompts you for the user name. For example:
scamgr{mcaN@hostname, sec-officer}> disable user Tom
User Tom disabled.

scamgr{mcaN@hostname, sec-officer}> disable user
User name: web-admin
User web-admin disabled.
Enable Users
1. Start the scamgr utility.
2. Type the enable user user-name command.
When enabling a user, the user name is optional. For example:
scamgr{mcaN@hostname, sec-officer}> enable user Tom
User Tom enabled.

scamgr{mcaN@hostname, sec-officer}> enable user
User name: web-admin
User web-admin enabled.
Delete Users
1. Start the scamgr utility.
2. Type delete user user-name.
When deleting a user, the user name is an optional parameter on the command line. If the user name is omitted, scamgr prompts you for the user name. For example:
scamgr{mcaN@hostname, sec-officer}> delete user web-admin
Delete user web-admin? (Y/Yes/N/No) [No]: y
User web-admin deleted successfully.

scamgr{mcaN@hostname, sec-officer}> delete user
User name: Tom
Delete user Tom? (Y/Yes/N/No) [No]: y
User Tom deleted successfully.
Delete Security Officers
1. Start the scamgr utility.
2. Type delete so so-name.
When deleting a security officer, the security officer name is an optional parameter on the command line. If the security officer name is omitted, scamgr prompts you for the security officer name. For example:
scamgr{mcaN@hostname, sec-officer}> delete so Bob
Delete Security Officer Bob? (Y/Yes/N/No) [No]: y
Security Officer Bob deleted.

scamgr{mcaN@hostname, sec-officer}> delete so
Security Officer name: Alice
Delete Security Officer Alice? (Y/Yes/N/No) [No]: y
Security Officer Alice deleted.
Backing Up Configuration and Keystore Data
There are three types of backups that can be performed with the board: Device Configuration, Master Key, and Keystore.
Back Up a Device Configuration
This type of backup saves the global device configuration including FIPS 140-2 settings, DSO accounts and other settings. Only DSOs can perform this type of backup.
1. Start the scamgr utility.
2. Type backup device /var/tmp/devconf.bak
An optional filename for the backup file can be supplied on the command line. If the filename is not supplied, you are prompted for it when the command is executed.
scamgr{mcaN@hostname, sec-officer}> backup device /var/tmp/devconf.bak
Enter a password to protect the data:
Confirm password:
Backup to /var/tmp/devconf.bak successful.
Back Up a Master Key
This backup is used with a specific keystore, and therefore must be done by a KSO. This backs up only the master key and other keystore-specific settings, but does not back up the keystore data. This backup is useful for having new boards join an existing local or centralized keystore, where one board is already fully configured.
Keystores are stored on the host and encrypted in a master key. The master key for each keystore is stored in the firmware. For another board to use an existing keystore, the master key for that keystore must be loaded to that board using a master key backup file. Only the keystore security officer can back up a master key.
1. Start the scamgr utility.
2. Type backup master-key /opt/backup-directory-name/master.bak.
The path name can be placed on the command line or if omitted, scamgr prompts you for the path name.
Note – If the following command is executed in Multi-Admin mode, authentication is required by multiple security officers assigned the Multi-Admin role.
scamgr{mcaN@hostname, sec-officer}> backup master-key /opt/SUNWconn/mca/backups/master.bak
Enter a password to protect the data:
Confirm password:
Backup to /opt/SUNWconn/mca/backups/master.bak successful.
3. Set a password for the backup data.
This password encrypts the master key in the backup file.
Caution – Choose a password that is very difficult to guess when making backup files, because this password protects the master key for your keystore. You must also remember the password you enter. Without the password, you cannot access the master key backup file. There is no way to retrieve the data protected by a lost password.
Note – To load a keystore to a board from a previous master key backup, both the master key backup file and the encrypted keystore data files are required. The encrypted keystore files must exist in the keystore directory (/var/sca/keydata by default). There are three files that must be placed in the top-level keystore directory on the machine to which the keystore is being restored. The first file is the config file for the keystore, which has the filename keystore-name.serial-number.{keystore-id}.conf. The second and third files are the user.db and object.db files, which are located in the subdirectory under the top-level keystore directory named keystore-name.serial-number.{keystore-id}.
Backup A Keystore
This is done on a specific keystore and must be done by KSOs only. This backs up the same data as a Master Key Backup, but additionally retrieves all the keystore data, and security officer and user accounts. You can use a full keystore backup file to completely restore a keystore when that keystore does not exist on the system (local) or in the LDAP repository (centralized).
Keystores are stored on the host and encrypted in a master key. The master key for each keystore is stored in the Sun Crypto Accelerator 6000 firmware. The entire keystore including the master key can be backed up for disaster recovery. This backup is good for disaster recovery.
1. Start the scamgr utility.
2. Type backup keystore /opt/backup-directory-name/bkup.data.
The path name can be placed on the command line or if omitted, scamgr prompts you for the path name.
Note – If the following command is executed in Multi-Admin mode, authentication is required by multiple security officers assigned the Multi-Admin role.
scamgr{mcaN@hostname, sec-officer}> backup keystore /opt/SUNWconn/mca/backups/bkup.data
Enter a password to protect the data:
Confirm password:
Backup to /opt/SUNWconn/mca/backups/bkup.data successful.
3. Set a password for the backup data.
This password encrypts the master key in the backup file.
Caution – Choose a password that is very difficult to guess when making backup files, because this password protects the master key for your keystore. You must also remember the password you enter. Without the password, you cannot access the master key backup file. There is no way to retrieve the data protected by a lost password.
Note – To load a keystore to a board from a previous keystore backup, only the keystore backup file is required. The required keystore files will automatically be created in the keystore directory (/var/sca/keydata by default). If keystore files for a keystore with the same name as the keystore backup already exist in the keystore directory, the backup will not be allowed. A keystore backup file can also be used to load just the master key to a card if the database files are already in the keystore directory.
Locking Keystores to Restrict Access
Lock a Master Key to Prevent Backups
A site might have a strict security policy that does not permit the master key for a keystore to leave the hardware.
Caution – Once this command is entered, all attempts to back up the master key will fail. This lock persists even if the master key is rekeyed. The only way to clear this setting is to delete the keystore from the Sun Crypto Accelerator 6000 board with the delete keystore command. (See TABLE 3-4.)
1. Start the scamgr utility.
2. Type lock master-key. For example:
scamgr{mcaN@hostname, sec-officer}> lock master-key
WARNING: Issuing this command will lock the master key. You will be unable to back up your master key once this command is issued. Once set, the only way to remove this lock is to delete the keystore.
Do you wish to lock the master key? (Y/Yes/N/No) [No]: y
The master key is now locked.
Lock a Keystore To Restrict Access
A site might have a security policy that does not permit access to a keystore after the board has been reset or powered off without approval by a keystore security officer (KSO). To restrict keystore access, a KSO can lock a keystore. Once a keystore is locked, it can be used only if it is enabled by a KSO using the enable keystore command. If the Sun Crypto Accelerator 6000 board is reset or powered off, the keystore will default back to the disabled state until it is re-enabled by a KSO.
1. Start the scamgr utility.
2. Type lock keystore. For example:
scamgr{mcaN@hostname, sec-officer}> lock keystore
Keystore locked.
Enable a Locked Keystore To Enable Access
After a reset or power cycle, a keystore that has been locked to prevent access can be accessed only if enabled by a KSO.
1. Start the scamgr utility.
2. Type enable keystore. For example:
scamgr{mcaN@hostname, sec-officer}> enable keystore
Keystore enabled.
Disable a Locked Keystore To Prevent Access
A keystore that has been locked to prevent access will default to the disabled state if the board is reset or powered off. A KSO can also disable the keystore manually.
1. Start the scamgr utility.
2. Type disable keystore. For example:
scamgr{mcaN@hostname, sec-officer}> disable keystore
Keystore disabled.
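The lock, enable, disable, and reset behavior described in this section can be followed as a small state model. This is an added example, not code from this guide or from the board firmware; the class and function names and the event sequence are constructed for illustration, and the model assumes, from the statements that locking prevents use until the keystore is enabled and that disable keystore needs a locked keystore, that an unlocked keystore is always usable.

```python
class KeystoreStateError(Exception):
    """The command is refused in the keystore's current state."""


class KeystoreAccessModel:
    """Tracks whether users and kernel consumers can use a keystore."""

    def __init__(self):
        self.locked = False
        self.enabled = False  # consulted only while the keystore is locked

    @property
    def usable(self):
        # An unlocked keystore is available without KSO action; a locked one
        # only after a KSO has enabled it since the last reset.
        return (not self.locked) or self.enabled

    def lock(self):
        # Locking prevents use until a KSO runs enable keystore.
        self.locked = True
        self.enabled = False

    def unlock(self):
        # Unlocking turns off the default-disabled behavior.
        self.locked = False
        self.enabled = False

    def enable(self):
        if not self.locked:
            raise KeystoreStateError("enable keystore only works on a locked keystore")
        self.enabled = True

    def disable(self):
        if not self.locked:
            raise KeystoreStateError("disable keystore requires a locked keystore")
        self.enabled = False

    def reset(self):
        # Board reset or power cycle: a locked keystore falls back to disabled.
        self.enabled = False


def replay(events):
    """Apply events in order; return [(event, usable afterwards or 'refused')]."""
    ks = KeystoreAccessModel()
    actions = {
        "lock": ks.lock,
        "unlock": ks.unlock,
        "enable": ks.enable,
        "disable": ks.disable,
        "reset": ks.reset,
    }
    timeline = []
    for event in events:
        try:
            actions[event]()
            timeline.append((event, ks.usable))
        except KeystoreStateError:
            timeline.append((event, "refused"))
    return timeline


# Constructed event sequence for illustration.
EVENTS = ["disable", "lock", "enable", "reset", "enable", "disable", "unlock", "reset"]

if __name__ == "__main__":
    for event, state in replay(EVENTS):
        print(f"{event:8} -> {state}")
```

The fourth event is the case a locked keystore is meant to cover: after a reset, applications cannot reach their keys until a KSO enables the keystore again.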
Multi-Admin Authentication
The scamgr utility includes a special mode of operation called Multi-Admin mode. In this mode, certain commands require multiple security officers to authenticate and approve the command before it can complete successfully. Security officers must be in the Multi-Admin role before they can authenticate Multi-Admin commands.
When a Multi-Admin command is issued, no other general administration on the board can take place until either the command times out, is canceled by the security officer who started the command, or completes successfully. A timeout from 1 to 15 minutes must be set at or before Multi-Admin mode is enabled. See “Set a Multi-Admin Command Timeout” on page 71 for more information. Also, security officers must set the number of Multi-Admin role members required to authenticate any Multi-Admin command.
When a Multi-Admin command is initiated, the scamgr session from which it is started waits until one of three conditions occurs: the command completes successfully, the command fails, or the command times out. Other Multi-Admin role members log in to the device using their respective scamgr sessions. During Multi-Admin mode commands, these role members can only authenticate the command in progress. If the initiating security officer’s scamgr session terminates unexpectedly, the security officer can log back in to the device and cancel the command. Otherwise, the board cannot be administered normally until the command times out.
The following commands require multi-admin authentication:
backup master-key
backup keystore
convert keystore
copy keystore
delete master-key
delete keystore
disable authmember
disable keystore
disable multiadmin
enable authmember
enable keystore
lock master-key
lock keystore
rename keystore
set lock
set multiauth timeout
set multiauth minauth
unlock keystore
Managing Multi-Admin Mode With scamgr
This section describes how to configure and manage Multi-Admin mode with the scamgr utility. First, you must identify your security officers and place them in the Multi-Admin role. You must have enough security officers in that role to satisfy the minimum number set with the set multiadmin minauth command. See “Set the Minimum Number of Security Officers Required to Authenticate Multi-Admin Commands” on page 71. If the number of Multi-Admin role members is below the minimum threshold, you cannot enable Multi-Admin mode.
Assign Security Officers the Multi-Admin Role
1. Start the scamgr utility.
2. Type enable authmember sec-officer.
If executed in Multi-Admin mode, this command requires authentication by multiple security officers assigned the Multi-Admin role. The following command assigns a security officer the Multi-Admin role.
scamgr{mcaN@hostname, sec-officer}> enable authmember sec-officer
Added multi-admin role to Security Officer sec-officer.
Remove a Security Officer From the Multi-Admin Role
1. Start the scamgr utility.
2. Type disable authmember so-name.
If executed in Multi-Admin mode, this command requires authentication by multiple security officers assigned the Multi-Admin role. For example:
scamgr{mcaN@hostname, sec-officer}> disable authmember sec-officer
Removed multi-admin role from Security Officer rew.
This command removes security officers from the Multi-Admin role only if they are in addition to the minimum required. This command exits only if a minimum number of security officers are assigned the Multi-Admin role. See “Set the Minimum Number of Security Officers Required to Authenticate Multi-Admin Commands” on page 71.
Set the Minimum Number of Security Officers Required to Authenticate Multi-Admin Commands
1. Start the scamgr utility.
2. Type set multiadmin minauth minimum-role-members.
The minimum-role-members value must be at least two, and less than or equal to the total number of security officers on the system. In addition, if Multi-Admin mode is already enabled, the new value cannot exceed the number of members with the Multi-Admin role. If executed in Multi-Admin mode, this command requires authentication by multiple security officers assigned the Multi-Admin role.
For example, the following command sets the minimum number of required security officers to authenticate Multi-Admin commands.
scamgr{mcaN@hostname, sec-officer}> set multiadmin minauth 3
Multi-admin mode now requires 3 security officers to authenticate.
Set a Multi-Admin Command Timeout
1. Start the scamgr utility.
2. Type set multiadmin timeout minutes.
The minutes value must be between 1 and 1440 minutes (1 day). If a value larger than 1440 is specified, the value will be set to 1440. If executed in Multi-Admin mode, this command requires authentication by multiple security officers assigned the Multi-Admin role.
For example, the following command changes the timeout for commands that require Multi-Admin mode authentication.
scamgr{mcaN@hostname, sec-officer}> set multiadmin timeout 3
New multi-admin timeout value is 3 minutes.
Enable Multi-Admin Mode
1. Start the scamgr utility.
2. Type enable multiadmin.
When enabled, certain commands require multiple security officers to authenticate before the command can complete successfully. When this command is executed, the security officer is presented with the current Multi-Admin mode settings and is given the opportunity to change these settings before the command completes. This command does not accept the -y (yes to all) flag.
For example, the following command enables Multi-Admin mode.
scamgr{mcaN@hostname, sec-officer}> enable multiadmin
WARNING: This command will place the device in multi-admin mode. This mode will require multiple security officers to authenticate for certain commands to be executed.
Enable Multi-Admin Mode? (Y/Yes/N/No) [No]: y
Multi-Admin mode parameters:
----------------------------------------------------------------
Minimum number of admins: 3
Multi-Admin command timeout: 3 minutes
----------------------------------------------------------------
Is this correct? (Y/Yes/N/No) [No]: y
The board is now in multi-admin mode.
Disable Multi-Admin Mode
1. Start the scamgr utility.
2. Type disable multiadmin.
This command requires authentication by multiple security officers assigned the Multi-Admin role.
For example, the following command disables Multi-Admin mode.
scamgr{mcaN@hostname, sec-officer}> disable multiadmin
Add Additional Security Officers to the Multi-Admin Role
1. Start the scamgr utility.
2. Type enable authmember sec-officerN.
where N is the number of the security officer.
For example, with the minimum number of required security officers set to three, adding additional security officers requires the authorization of three different security officers, including the initiating security officer, to authenticate before this command can complete.
Execute the following command on the initiating security officer’s scamgr session.
scamgr{mca0@localhost, sec-officer1}> enable authmember sec-officer4
NOTICE: Please wait while the other required 2 administrators authenticate this command. This command will time out in 3 minutes.
Update: Authenticated security officers: sec-officer1
Update: Authenticated security officers: sec-officer1 sec-officer3
Update: Authenticated security officers: sec-officer1 sec-officer3 sec-officer2
Added multi-admin role to Security Officer sec-officer4.
3. Ask other security officers to log in from their respective scamgr sessions and authorize the command.
# scamgr
Security Officer Login: sec-officer3
Security Officer Password:
NOTICE: A Multi-Admin command is currently in progress. You are a member of the Multi-Admin role and may approve this command.
Command: enable authmember sec-officer4
Initiating SO: sec-officer1
Authorize this command? (Y/Yes/N/No) [No]: y
Authorization successful

# scamgr
Security Officer Login: sec-officer2
Security Officer Password:
NOTICE: A Multi-Admin command is currently in progress. You are a member of the Multi-Admin role and may approve this command.
Command: enable authmember sec-officer4
Initiating SO: sec-officer1
Authorize this command? (Y/Yes/N/No) [No]: y
Authorization successful
Cancel a Multi-Admin Command Originated by the Initiating Security Officer
1. Start the scamgr utility.
2. Type disable authmember sec-officerN.
where N is the number of the security officer.
For example, the following command is canceled. This command must be entered on the initiating security officer’s scamgr session.
scamgr{mca0@localhost, sec-officer1}> disable authmember sec-officer4
NOTICE: Please wait while the other required 2 administrators authenticate this command. This command will time out in 3 minutes.
Update: Authenticated security officers: sec-officer1
To cancel the command, the initiating security officer must either close the current scamgr session or log in with a second scamgr session.
# scamgr
Security Officer Login: sec-officer1
Security Officer Password:
NOTICE: A Multi-Admin command is currently in progress. Since you are the admin that initiated this command, you have the option of cancelling it. If you choose not to cancel the command, you will be logged out and the board will continue with the command.
Cancel this command? (Y/Yes/N/No) [No]: y
Authorization successful
If the scamgr session from which the command was initiated is still active, the following message is displayed.
Failed to remove role from Security Officer sec-officer4: Command cancelled
Allow a Multi-Admin Command to Time Out
1. Start the scamgr utility.
2. Type a command.
3. Ensure that other security officers do not authenticate the command.
For example, the following command is issued by a security officer.
scamgr{mca0@localhost, sec-officer1}> disable authmember sec-officer4
WARNING: Issuing this command will remove the multi-admin role from this security officer. Once complete, this security officer will not be able to validate multi-admin commands.
Proceed with change? (Y/Yes/N/No) [No]: y
NOTICE: Please wait while the other required 2 administrators authenticate this command. This command will time out in 3 minutes.
Update: Authenticated security officers: sec-officer1
Update: Authenticated security officers: sec-officer1 sec-officer2
Failed to remove role from Security Officer sec-officer4: Multi-Admin command timeout
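The approval flow shown in the preceding procedures (quorum reached, cancel by the initiator, timeout, and refusal for officers outside the role) can be modelled as a small state machine. This is an added example, not scamgr or board firmware code; the class name, state names, and the minute-based clock are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class MultiAdminCommand:
    """Model of one pending Multi-Admin command (illustration, not scamgr code)."""
    command: str
    initiator: str
    role_members: frozenset   # officers holding the Multi-Admin role
    minauth: int              # value of `set multiadmin minauth`
    timeout_min: float        # value of `set multiadmin timeout`
    started_at: float = 0.0   # constructed clock, in minutes
    approved: list = field(default_factory=list)
    state: str = "pending"    # pending, completed, cancelled, timed out, unauthorized

    def __post_init__(self):
        if self.initiator in self.role_members:
            self.approved.append(self.initiator)  # initiator counts toward minauth
        else:
            self.state = "unauthorized"           # "Unauthorized command"

    def remaining(self):
        return max(self.minauth - len(self.approved), 0)

    def _expire(self, now):
        if self.state == "pending" and now - self.started_at >= self.timeout_min:
            self.state = "timed out"

    def authorize(self, officer, now):
        """An officer logs in and answers y to 'Authorize this command?'."""
        self._expire(now)
        if self.state != "pending":
            return self.state
        if officer not in self.role_members:
            return "connection closed"            # non-members cannot approve
        if officer not in self.approved:          # a repeated approval adds nothing
            self.approved.append(officer)
        if self.remaining() == 0:
            self.state = "completed"
        return self.state

    def cancel(self, officer, now):
        """Only the initiating security officer is offered the cancel prompt."""
        self._expire(now)
        if self.state == "pending" and officer == self.initiator:
            self.state = "cancelled"
        return self.state
```

With minauth set to 3, the initiator plus two distinct role members are needed, which matches the "other required 2 administrators" notice in the sessions above.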
Log In to a Board During a Multi-Admin Command as a Security Officer Not in the Multi-Admin Role
1. Log in as a non-Multi-Admin security officer.
2. Ask Multi-Admin security officers to log in and authorize the command.
If the Multi-Admin security officers do not authorize the command, the connection is closed.
# scamgr
Security Officer Login: new-sec-officer
Security Officer Password:
You have authenticated successfully but this board is currently waiting for all needed approvals for a Multi-Admin mode command. Since you are not a member of the Multi-Admin role, you will not be able to administer this board until this command has completed.
Connection closed.
Attempt to Execute a Multi-Admin Command Without Multi-Admin Role Permissions
1. Start the scamgr utility.
2. Type a command as a security officer without Multi-Admin role permissions.
The command fails. For example:
scamgr{mca0@localhost, new-so}> disable multiadmin
WARNING: Issuing this command will take the board out of multi-admin mode and return it to the single-administrator mode of authentication.
Proceed with change? (Y/Yes/N/No) [No]: y
Failed disabling Multi-admin mode: Unauthorized command
Managing Boards With scamgr
Note – You must log in to scamgr as a device security officer (DSO) to perform the procedures in this section. You cannot manage boards if you are logged in as a keystore security officer (KSO). For information on DSOs and KSOs, see “Device and Keystore Security Officers” on page 34.
You can access the scamgr utility remotely or locally with a direct input device (see “Direct Board Administration” on page 82).
Set the Auto-Logout Time
1. Start the scamgr utility by logging in as a DSO.
2. Type set timeout N.
where N is the number of minutes before a security officer is automatically logged out. A value of 0 disables the automatic logout feature. The maximum delay is 1,440 minutes (1 day). A newly initialized board defaults to 5 minutes.
The following command changes the auto-logout time for a security officer to 10 minutes:
scamgr{mcaN@hostname, sec-officer}> set timeout 10
Display Board Status
1. Start the scamgr utility by logging in as a DSO.
2. Type show status.
This command displays the hardware and firmware versions for that board, the MAC address of the network interface, the status (Up, Down, speed, duplex, and so on) of the network interface, and the keystore name and ID. For example:
scamgr{mcaN@hostname, sec-officer}> show status
Board Status
-------------------------------------------------------------
Version Info:
* Hardware Version: 1.2
* Firmware Version: 1.0
* Serial Number: 36:30:30:30:30:33
Keystore Info:
* Keystore Name: sca6000-keystore.600003
* Keystore ID: c3270900c3270900
* Keystore Lock: Disabled
* FIPS 140-2 Mode: Disabled
Security Settings:
* Login Session Timeout (in minutes): 5
* Password Policy Security Level: LOW
* Number of Master Key Backups: 0
* Multiadmin Mode: Enabled
* Minimum Number of Authenticators: 2
* Multiadmin Timeout: 5 Minutes
-------------------------------------------------------------
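Captured show status output can be parsed and checked against a site baseline during a configuration review. The following is an added example, not part of the scamgr software; the function names are hypothetical, the sample text is constructed from the output above, and the baseline checks are assumptions rather than requirements stated in this guide.

```python
# Constructed sample in the layout of the `show status` example above.
SAMPLE = """\
Version Info:
* Firmware Version: 1.0
* Serial Number: 36:30:30:30:30:33
Keystore Info:
* Keystore Lock: Disabled
* FIPS 140-2 Mode: Disabled
Security Settings:
* Login Session Timeout (in minutes): 5
* Password Policy Security Level: LOW
* Multiadmin Mode: Enabled
* Minimum Number of Authenticators: 2
* Multiadmin Timeout: 5 Minutes
"""

def parse_status(text):
    """Return {section: {field: value}} from captured `show status` output."""
    status, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*") and section:
            # Split on the first ": " only; the serial number contains colons.
            key, _, value = line.lstrip("* ").partition(": ")
            status[section][key] = value.strip()
        elif line.endswith(":") and not line.startswith("-"):
            section = line[:-1]
            status[section] = {}
    return status

def audit(status):
    """List findings under an assumed site baseline (not taken from the manual)."""
    sec = status.get("Security Settings", {})
    ks = status.get("Keystore Info", {})
    findings = []
    if sec.get("Multiadmin Mode") != "Enabled":
        findings.append("multi-admin mode is not enabled")
    if sec.get("Login Session Timeout (in minutes)") == "0":
        findings.append("auto-logout is disabled (timeout 0)")
    if sec.get("Password Policy Security Level") == "LOW":
        findings.append("password policy level is LOW")
    if ks.get("FIPS 140-2 Mode") == "Disabled":
        findings.append("FIPS 140-2 mode is disabled")
    return findings
```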
Load New Firmware
You can update the firmware for the Sun Crypto Accelerator 6000 board as new features are added.
1. Start the scamgr utility by logging in as a DSO.
2. Type load firmware path-name.
where path-name is the path to the firmware file.