Hardware SSL for Sun Proxy Server 4.0
This is a short guide on how to configure the Sun Web Proxy 4.0 to use the on-board SSL crypto accelerator (the ncp device) that ships with the T2000 and newer models of the series.
Set PassPhrase/PIN
~~~~~~~~~~~~~~~~~~
Remove root's existing softtoken keystore (kept under /.sunw) so the PIN is back at the default, then set a new one:
# rm -rf /.sunw
# pktool setpin (use module=nss or module=pkcs11, depending on which token you are initialising)
Enter passphrase: changeme
Create new passphrase: type-password-here
Re-enter new passphrase: type-password-here
Passphrase changed.
Verify PKCS#11 modules
~~~~~~~~~~~~~~~~~~~~~~
Change to the proxy instance's alias directory, where the NSS certificate and key databases live:
cd ..../alias
List the current PKCS#11 modules:
# modutil -list -dbdir .
Using database directory ....
Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
slots: 2 slots attached
status: loaded
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
2. Root Certs
library name: libnssckbi.so
slots: 1 slot attached
status: loaded
slot:
token: Builtin Object Token
-----------------------------------------------------------
Add and Enable modules
~~~~~~~~~~~~~~~~~~~~~~
Register the Root Certs module and the Solaris Cryptographic Framework (libpkcs11.so) with the NSS database, restricting both to RSA, and enable them:
# modutil -dbdir . -add "Root Certs" -libfile /usr/lib/mps/libnssckbi.so -mechanisms RSA
# modutil -enable "Root Certs" -dbdir .
# modutil -dbdir . -add "Solaris Crypto Framework" -libfile /usr/lib/libpkcs11.so -mechanisms RSA
# modutil -enable "Solaris Crypto Framework" -dbdir .
Listing the modules again should now show the Sun Metaslot and the ncp/0 accelerator slot:
# modutil -list -dbdir .
Using database directory ....
Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
slots: 2 slots attached
status: loaded
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
2. Solaris Crypto Framework
library name: /usr/lib/libpkcs11.so
slots: 2 slots attached
status: loaded
slot: Sun Metaslot
token: Sun Metaslot
slot: ncp/0 Crypto Accel Asym 1.0
token: ncp/0 Crypto Accel Asym 1.0
3. Root Certs
library name: libnssckbi.so
slots: 1 slot attached
status: loaded
slot:
token: Builtin Object Token
-----------------------------------------------------------
Configure Crypto module
~~~~~~~~~~~~~~~~~~~~~~~
Disable the following SSL3 key-generation, key-derivation and MAC mechanisms in the software token (pkcs11_softtoken.so):
# cryptoadm disable provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so mechanism=CKM_SSL3_PRE_MASTER_KEY_GEN,CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_KEY_AND_MAC_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_SSL3_MD5_MAC,CKM_SSL3_SHA1_MAC
List the providers to make sure these were disabled:
# cryptoadm list -p
User-level providers:
=====================
/usr/lib/security/$ISA/pkcs11_kernel.so: all mechanisms are enabled.
/usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled, except CKM_SSL3_SHA1_MAC,CKM_SSL3_MD5_MAC,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_SSL3_KEY_AND_MAC_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_PRE_MASTER_KEY_GEN. random is enabled.
Kernel software providers:
==========================
des: all mechanisms are enabled.
aes: all mechanisms are enabled.
arcfour: all mechanisms are enabled.
blowfish: all mechanisms are enabled.
sha1: all mechanisms are enabled.
md5: all mechanisms are enabled.
rsa: all mechanisms are enabled.
swrand: random is enabled.
sha2: all mechanisms are enabled.
Kernel hardware providers:
==========================
ncp/0: all mechanisms are enabled.
Generate Self-Signed Certificate
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# certutil -S -s "CN=www.mydomain.com.au" -n MyServerCert -c SelfCA -x -t "CTu,C,C" -m 1 -d . -P "proxy-server1-www-"
# certutil -S -n "Server-Cert" -t u,u,u -s "CN=ewww.mydomain.com.au" -x -d . -P "proxy-server1-www-"
Generating key. This may take a few moments...
Now manually double-check that the certificate exists:
# certutil -L -d . -P "proxy-server1-www-"
Server-Cert u,u,u
Migrate Key and Certificate from NSS to Crypto Module
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Export the key and certificate from the NSS database into a PKCS#12 file, then import that file into the Sun Metaslot token:
# pk12util -o key-cert-data.pk12 -n Server-Cert -d .
Enter password for PKCS12 file:
Re-enter password:
pk12util: PKCS12 EXPORT SUCCESSFUL
# pk12util -i key-cert-data.pk12 -d . -h "Sun Metaslot"
Enter Password or Pin for "Sun Metaslot":
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL
Confirm that the certificate is now held by the Sun Metaslot token:
# certutil -L -d . -h "Sun Metaslot"
Enter Password or Pin for "Sun Metaslot":
Sun Metaslot:Server-Cert u,u,u
Enable SSL in Proxy
~~~~~~~~~~~~~~~~~~~
Start the admin server and connect to it with a browser.
Select or create a listener for port 443.
Enable security for the listener and select the certificate "Sun Metaslot:Server-Cert".
Restart the proxy server.
Check hardware crypto is being used
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Now check that the server is actually using the accelerator:
# kstat -n ncp0 | grep rsa
rsaprivate 18
rsapublic 2001
The counters should increase while the crypto card is being used; if they stay flat under SSL traffic, the hardware is not being used.
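To make that counter check repeatable, here is an added shell example (not from the original post) that compares two snapshots of the "kstat -n ncp0 | grep rsa" output and reports whether the rsaprivate and rsapublic counters advanced. The snapshot text and counter values are constructed to mirror the output above; the live usage at the end assumes kstat(1M) as found on Solaris 10.

```shell
#!/bin/sh
# Added example (not from the original post): compare two "kstat -n ncp0 | grep rsa"
# snapshots and report whether the ncp RSA counters moved, i.e. whether the
# accelerator handled the RSA operations of the handshakes made in between.

# Constructed sample snapshots, shaped like the kstat lines quoted in the post.
BEFORE='rsaprivate 18
rsapublic 2001'
AFTER='rsaprivate 25
rsapublic 2009'

# counter_value NAME SNAPSHOT -> prints the integer value of the named counter (0 if absent).
# Real kstat output has leading whitespace and wider spacing; awk's field splitting copes.
counter_value() {
    printf '%s\n' "$2" | awk -v name="$1" '$1 == name { v = $2 } END { print v + 0 }'
}

# counter_delta NAME BEFORE AFTER -> prints AFTER - BEFORE for the named counter
counter_delta() {
    b=$(counter_value "$1" "$2")
    a=$(counter_value "$1" "$3")
    echo $((a - b))
}

# hw_rsa_used BEFORE AFTER -> exit 0 when rsaprivate advanced, 1 otherwise.
# rsaprivate is the counter tied to the server's own key (RSA key exchange decrypts and
# signatures), so it is the one that proves the listener's private key lives on ncp.
hw_rsa_used() {
    [ "$(counter_delta rsaprivate "$1" "$2")" -gt 0 ]
}

# Live usage on the proxy host:
#   before=$(kstat -n ncp0 | grep rsa)
#   ... make a few HTTPS connections to the listener ...
#   after=$(kstat -n ncp0 | grep rsa)
#   hw_rsa_used "$before" "$after" && echo "ncp handled the handshakes"
if hw_rsa_used "$BEFORE" "$AFTER"; then
    echo "rsaprivate +$(counter_delta rsaprivate "$BEFORE" "$AFTER"), rsapublic +$(counter_delta rsapublic "$BEFORE" "$AFTER"): hardware in use"
else
    echo "rsaprivate did not advance: private-key operations are not reaching ncp"
fi
```

Run the two snapshots a few seconds apart with real SSL traffic in between; a handful of handshakes is enough, since the check only needs the private-key counter to move at all.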
Enable auto startup of proxy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Create a startup script in /etc/init.d and the appropriate rc links.
Create password.conf in the proxy instance's config directory, so the server can open the key database and the Sun Metaslot token without prompting, as follows:
internal:<password>
Sun Metaslot:<password>
The file holds both PINs in clear text, so make it readable only by the user the proxy runs as.
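As an added example (not part of the original post), here is a small preflight check to run before relying on unattended startup: it verifies that password.conf is not readable by group or others, that every line has the token:password shape, and that entries exist for both tokens named above. The sample file, its directory and the passwords in it are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): preflight check for the password.conf
# that lets the proxy start without prompting for PINs.

# Constructed sample; the real file lives in the instance's config directory.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/password.conf" <<'EOF'
internal:example-nss-db-password
Sun Metaslot:example-metaslot-pin
EOF
chmod 600 "$SAMPLE_DIR/password.conf"

# file_mode PATH -> prints the ls permission string, e.g. -rw-------
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# check_password_conf PATH TOKEN... -> 0 if the file passes, 1 with the reason on stderr
check_password_conf() {
    f=$1; shift
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    # Owner must be able to read it; group and others must have no bits at all.
    case "$(file_mode "$f")" in
        ?r??------) ;;
        *) echo "$f is readable by group or others; it holds PINs in clear text" >&2; return 1 ;;
    esac
    # Every non-empty line must be token:password with a non-empty token and password.
    if grep -v '^[^:][^:]*:..*$' "$f" | grep -q .; then
        echo "$f has a malformed line (expected token:password)" >&2; return 1
    fi
    # Each token the listener needs must have an entry, or the start will block on a prompt.
    for token in "$@"; do
        grep -q "^$token:" "$f" || { echo "$f has no entry for token '$token'" >&2; return 1; }
    done
    return 0
}

check_password_conf "$SAMPLE_DIR/password.conf" internal "Sun Metaslot" && echo "password.conf ok"
```

The permission test looks at the mode bits rather than trying to read the file, so it gives the same answer whether it is run as root or as the proxy user; point it at the instance's config/password.conf from the init script before the start step.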
Posted at 12:22PM Nov 11, 2008 by Han-Dat Luc in Sun