
Thursday September 21, 2006
Solaris Cryptographic Framework and Sun Java System Web Server 7.0
Note that I executed these commands from the server instance's config directory. In the transcript below, the commands I typed are prefixed with $ (or with # where root is required) and their output follows on the next lines.
Initial steps
First I removed the .sunw directory. This is where the softtoken keeps its keystore, so any keys and certificates already stored in the softtoken are lost by this step:
$ rm -rf $HOME/.sunw
Then I initialized the softtoken password (PIN):
$ pktool setpin
Enter new PIN: typed-my-password-here
Re-enter new PIN: typed-my-password-here
Then I disabled the following SSL3 mechanisms on both user-level providers. Disabling them hides them from NSS, so that NSS does the SSL3 key derivation and MAC work itself and only the RSA operations go to the framework. Note that these commands need to be executed as root.
# cryptoadm disable provider=/usr/lib/security/\$ISA/pkcs11_kernel.so mechanism=CKM_SSL3_PRE_MASTER_KEY_GEN,CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_KEY_AND_MAC_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_SSL3_MD5_MAC,CKM_SSL3_SHA1_MAC
# cryptoadm disable provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so mechanism=CKM_SSL3_PRE_MASTER_KEY_GEN,CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_KEY_AND_MAC_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_SSL3_MD5_MAC,CKM_SSL3_SHA1_MAC
(If pkcs11_softtoken_extra.so is used, disable these mechanisms in that provider as well.)
# cryptoadm list -p
user-level providers:
=====================
/usr/lib/security/$ISA/pkcs11_kernel.so:
all mechanisms are enabled, except CKM_SSL3_SHA1_MAC,CKM_SSL3_MD5_MAC,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_SSL3_KEY_AND_MAC_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_PRE_MASTER_KEY_GEN.
/usr/lib/security/$ISA/pkcs11_softtoken.so:
all mechanisms are enabled, except CKM_SSL3_SHA1_MAC,CKM_SSL3_MD5_MAC,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_SSL3_KEY_AND_MAC_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_PRE_MASTER_KEY_GEN.
random is enabled.
...
Registering PKCS#11 library
I used the PKCS#11 library /usr/lib/libpkcs11.so (for 64-bit, it is /usr/lib/64/libpkcs11.so). The following command added the Solaris Cryptographic Framework module to the NSS database in the config directory and marked it as the default provider for RSA, so that the other mechanisms stay with NSS's own token:
$ ../../lib/modutil -dbdir . -nocertdb -add "scf" -libfile /usr/lib/libpkcs11.so -mechanisms RSA
...
Module "scf" added to database.
I verified the above step:
$ ../../lib/modutil -dbdir . -nocertdb -list
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. scf
        library name: /usr/lib/libpkcs11.so
         slots: 1 slot attached
        status: loaded

         slot: Sun Crypto Softtoken
        token: Sun Software PKCS#11 softtoken

  3. Root Certs
        library name: libnssckbi.so
         slots: There are no slots attached to this module
        status: Not loaded
-----------------------------------------------------------
Note that the slot "Sun Crypto Softtoken" carries the token "Sun Software PKCS#11 softtoken". I will be using this token in the next stages.
Creating Server Certificates
The normal process for requesting and installing certificates applies, with one difference: create every certificate and key in that security module, i.e. in the "Sun Software PKCS#11 softtoken" token, not in the "internal" NSS database token.
1. Exporting and importing already existing certificates using pk12util
If I already had certificates in the NSS database, I could have exported them from the internal token and imported them into the softtoken using pk12util:
$ pk12util -o server.pk12 -d . -n MyCert
$ pk12util -i server.pk12 -d . -h "Sun Software PKCS#11 softtoken"
The .pk12 file contains the private key, so remove it once the import has succeeded. By default, certutil and pk12util look for databases named cert8.db and key3.db, but some versions of Web Server use alternate names such as https-instance-hostname-cert8.db and https-instance-hostname-key3.db; in that case add the -P parameter with the prefix.
2. Using certutil to create a self signed server certificate
I used the NSS utility certutil to create a self signed server certificate in the softtoken (-h selects the token, -x makes the certificate self signed, -5 adds the Netscape certificate type extension, which is what the menu below fills in):
$ ../../bin/certutil -S -d . -n MyCert -s "CN=test.sun.com" -x -t "u,u,u" -h "Sun Software PKCS#11 softtoken" -5
Enter Password or Pin for "Sun Software PKCS#11 softtoken": typed-my-password-here

A random seed must be generated that will be used in the
creation of your key. One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!

Continue typing until the progress meter is full:
|************************************************************|
Finished. Press enter to continue:

Generating key. This may take a few moments...

        0 - SSL Client
        1 - SSL Server
        2 - S/MIME
        3 - Object Signing
        4 - Reserved for future use
        5 - SSL CA
        6 - S/MIME CA
        7 - Object Signing CA
        Other to finish
1
(the same menu is printed again after each selection)
5
9
Is this a critical extension [y/N]?
y
I verified that the certificate was added to the token:
$ ../../lib/certutil -L -d . -h "Sun Software PKCS#11 softtoken"
Enter Password or Pin for "Sun Software PKCS#11 softtoken": typed-my-password-here
Sun Software PKCS#11 softtoken:MyCert                        u,u,u
Enable SSL for the Web Server instance
In server.xml, I enabled ssl for the http-listener element and added the server certificate nickname:
....
<http-listener>
  ...
  <ssl>
    <enabled>true</enabled>
    <server-cert-nickname>Sun Software PKCS#11 softtoken:MyCert</server-cert-nickname>
  </ssl>
</http-listener>
...
Note the token prefix "Sun Software PKCS#11 softtoken:" in front of the nickname.
3. Using the Administration CLI to create a self signed certificate and enable SSL
I started the admin server and then, from the <server-installation>/bin directory, the CLI:
$ wadm --user=admin
Please enter admin-user-password> typed-admin-server-password-here
Sun Java System Web Server 7.0-Technology-Preview-3 B09/20/2006 10:07
wadm> create-selfsigned-cert --config=test.sun.com --server-name=test.sun.com --nickname=MyCert --token="Sun Software PKCS#11 softtoken"
ADMIN4099: Token 'Sun Software PKCS#11 softtoken' was not found
wadm> list-tokens --config=test.sun.com
internal
The reason for this error is that I ran modutil in the server instance's config directory, while the admin server works from its own copy of the configuration, so I needed to pull-config. (Running modutil from the admin-server/config-store/test.sun.com/config directory in the first place would have avoided this.)
wadm> pull-config --config=test.sun.com test.sun.com
CLI201 Command 'pull-config' ran successfully
wadm> list-tokens --config=test.sun.com
internal
Sun Software PKCS#11 softtoken
This looks ok.
wadm> create-selfsigned-cert --config=test.sun.com --server-name=test.sun.com --nickname=MyCert --token="Sun Software PKCS#11 softtoken"
Please enter token-pin> typed-my-password-here
CLI201 Command 'create-selfsigned-cert' ran successfully
wadm> set-ssl-prop --config=test.sun.com --http-listener=http-listener-1 enabled=true server-cert-nickname="Sun Software PKCS#11 softtoken:MyCert"
CLI201 Command 'set-ssl-prop' ran successfully
wadm> deploy-config test.sun.com
CLI201 Command 'deploy-config' ran successfully
Now I started the Web Server:
$ ../bin/startserv
Sun Java System Web Server 7.0 B09/11/2006 12:04
Please enter the PIN for the "Sun Software PKCS#11 softtoken" token: typed-my-password-here
info: HTTP3072: http-listener-1: https://test.sun.com:2222 ready to accept requests
info: CORE3274: successful server startup
I sent a request through the browser to https://test.sun.com:2222, and the server served the request.
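As an added example that is not part of the original post, the script below automates the two verification points of the procedure above: it parses the output of cryptoadm list -p to confirm that all six SSL3 mechanisms really are disabled for a given provider, and it parses the output of modutil -list to find the token behind a registered library (the name that list-tokens must show before create-selfsigned-cert can use it). The functions read the tool output on stdin, so they can be fed a live run or the sample outputs embedded in the script; those samples are constructed from the listings shown on this page, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Offline checks for the
# `cryptoadm list -p` and `modutil -list` steps of the procedure.

# The six SSL3 mechanisms the post disables on every user-level provider.
SSL3_MECHS="CKM_SSL3_PRE_MASTER_KEY_GEN,CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_KEY_AND_MAC_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_SSL3_MD5_MAC,CKM_SSL3_SHA1_MAC"

# mechs_disabled_for PROVIDER  < output-of-cryptoadm-list-p
# Succeeds only if every mechanism in SSL3_MECHS is listed under
# "all mechanisms are enabled, except ..." for PROVIDER (e.g.
# pkcs11_kernel.so). Any mechanism still enabled is named on stderr.
# Handles both the one-line layout and the split layout shown above.
mechs_disabled_for() {
    awk -v prov="$1" -v want="$SSL3_MECHS" '
        index($0, prov) > 0 { cur = 1 }            # header of our provider
        cur && /all mechanisms are enabled, except/ {
            list = $0
            sub(/.*except[ \t]*/, "", list)
            if (list == "") getline list            # list is on the next line
            gsub(/[ \t.]/, "", list)
            n = split(list, arr, ",")
            for (i = 1; i <= n; i++) off[arr[i]] = 1
            cur = 0
        }
        cur && /all mechanisms are enabled\./ { cur = 0 }   # nothing disabled
        END {
            m = split(want, w, ",")
            missing = 0
            for (i = 1; i <= m; i++)
                if (!(w[i] in off)) {
                    print "still enabled on " prov ": " w[i] | "cat 1>&2"
                    missing++
                }
            exit (missing ? 1 : 0)
        }'
}

# token_for_library LIBPATH  < output-of-modutil-list
# Prints the token name(s) of the module whose "library name:" matches
# LIBPATH; prints nothing if the library is not registered in this
# database, which is the state behind ADMIN4099 "Token ... was not found".
token_for_library() {
    awk -v lib="$1" '
        /^[ \t]*[0-9]+\. /       { inmod = 0 }                        # next module
        /library name:/          { inmod = (index($0, lib) > 0); next }
        inmod && /^[ \t]*token:/ { sub(/^[ \t]*token:[ \t]*/, ""); print }
    '
}

# Constructed sample: cryptoadm list -p after the disable commands.
CRYPTOADM_AFTER=$(cat <<'EOF'
user-level providers:
=====================
/usr/lib/security/$ISA/pkcs11_kernel.so:
all mechanisms are enabled, except CKM_SSL3_SHA1_MAC,CKM_SSL3_MD5_MAC,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_SSL3_KEY_AND_MAC_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_PRE_MASTER_KEY_GEN.
/usr/lib/security/$ISA/pkcs11_softtoken.so:
all mechanisms are enabled, except CKM_SSL3_SHA1_MAC,CKM_SSL3_MD5_MAC,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_SSL3_KEY_AND_MAC_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_PRE_MASTER_KEY_GEN.
random is enabled.
EOF
)

# Constructed sample: the same listing before anything was disabled.
CRYPTOADM_BEFORE=$(cat <<'EOF'
user-level providers:
=====================
/usr/lib/security/$ISA/pkcs11_kernel.so: all mechanisms are enabled.
/usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled. random is enabled.
EOF
)

# Constructed sample: modutil -list after registering "scf".
MODUTIL_LIST=$(cat <<'EOF'
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded
         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services
  2. scf
        library name: /usr/lib/libpkcs11.so
         slots: 1 slot attached
        status: loaded
         slot: Sun Crypto Softtoken
        token: Sun Software PKCS#11 softtoken
  3. Root Certs
        library name: libnssckbi.so
        status: Not loaded
-----------------------------------------------------------
EOF
)

# Demonstration on the samples; on a Solaris box pipe the real tools in.
for p in pkcs11_kernel.so pkcs11_softtoken.so; do
    if printf '%s\n' "$CRYPTOADM_AFTER" | mechs_disabled_for "$p"; then
        echo "$p: SSL3 mechanisms disabled"
    else
        echo "$p: SSL3 mechanisms still enabled"
    fi
done
echo "token behind /usr/lib/libpkcs11.so: $(printf '%s\n' "$MODUTIL_LIST" | token_for_library /usr/lib/libpkcs11.so)"
```

On the live system the same functions take `cryptoadm list -p | mechs_disabled_for pkcs11_kernel.so` and `modutil -dbdir . -nocertdb -list | token_for_library /usr/lib/libpkcs11.so`; an empty result from the second is exactly the situation in which wadm reports ADMIN4099, and the token name it prints is the string to pass to --token and to prefix the nickname with.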
More References
- Jyri's BigAdmin article "Configuring Solaris Cryptographic Framework and Sun Java System Web Server 7 on Systems With UltraSPARC T1 Processors"
- Using the Cryptographic Accelerator of the UltraSPARC T1 Processor
- man libpkcs11
- man cryptoadm
- The Sun Crypto Accelerator 6000 User's Guide has a chapter on installing and configuring with Sun Java System Web Server 6.1.
Sun Java System Web Server 7.0 Technology Preview 3 is a free download.
Read my next blog: Using builtin hardware accelerators of Niagara 1 (Sun Fire T2000) server with SSL enabled Sun Java System Web Server 7.0 instance
Posted by meena (Sep 21 2006, 02:06:49 PM IST)
Trackback URL: http://blogs.sun.com/meena/entry/solaris_cryptographic_framework_and_web