Meena Vyas

Wednesday September 19, 2007

Using builtin hardware accelerators of Niagara 1 (Sun Fire T 2000) server with SSL enabled Sun Java System Web Server 7.0 instance


In my previous blog I talked about the Solaris Crypto Framework (SCF) and Sun Java System Web Server 7.0 in general. This time I tried to make use of the builtin hardware accelerators of a Niagara 1 (Sun Fire T2000) server with my SSL-enabled Sun Java System Web Server 7.0 U2 instance. Here is what I had to do to make it work.

Step 1: Go to the Web Server installation directory and start the admin server
# ./admin-server/bin/startserv

Step 2: Go to the Web Server 7.0 instance's config directory and perform these manual steps
# cd https-test.sun.com/config/
First remove the existing softtoken database
# rm -rf /.sunw
Set the PIN
# pktool setpin
Create new passphrase: type-password-here
Re-enter new passphrase: type-password-here
Passphrase changed.
List the current PKCS#11 modules
# ../../bin/modutil -list -dbdir .
Using database directory ....

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. Root Certs
        library name: libnssckbi.so
         slots: 1 slot attached
        status: loaded

         slot:
        token: Builtin Object Token
-----------------------------------------------------------
Add the SCF module (only the RSA mechanisms are delegated to it)
# ../../bin/modutil  -dbdir . -add "Solaris Crypto Framework" -libfile /usr/lib/libpkcs11.so -mechanisms RSA

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

Using database directory ....
Module "Solaris Crypto Framework" added to database.
Enable the SCF module
# ../../bin/modutil -enable "Solaris Crypto Framework" -dbdir .

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

Using database directory ....
Slot "Sun Metaslot" enabled.
Slot "ncp/0 Crypto Accel Asym 1.0" enabled.
List the modules again to make sure the add and enable steps above succeeded.
# ../../bin/modutil  -list -dbdir .
Using database directory ....

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. Solaris Crypto Framework
        library name: /usr/lib/libpkcs11.so
         slots: 2 slots attached
        status: loaded

         slot: Sun Metaslot
        token: Sun Metaslot

         slot: ncp/0 Crypto Accel Asym 1.0
        token: ncp/0 Crypto Accel Asym 1.0

  3. Root Certs
        library name: libnssckbi.so
         slots: 1 slot attached
        status: loaded

         slot:
        token: Builtin Object Token
-----------------------------------------------------------
Disable the following SSL3 mechanisms in the pkcs11_softtoken provider
# cryptoadm disable provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so mechanism=CKM_SSL3_PRE_MASTER_KEY_GEN,CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_KEY_AND_MAC_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_SSL3_MD5_MAC,CKM_SSL3_SHA1_MAC

List the providers to make sure these mechanisms were disabled
# cryptoadm list -p
User-level providers:
=====================
/usr/lib/security/$ISA/pkcs11_kernel.so: all mechanisms are enabled.
/usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled, except CKM_SSL3_SHA1_MAC,CKM_SSL3_MD5_MAC,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_SSL3_KEY_AND_MAC_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_PRE_MASTER_KEY_GEN. random is enabled.

Kernel software providers:
==========================
des: all mechanisms are enabled.
aes: all mechanisms are enabled.
arcfour: all mechanisms are enabled.
blowfish: all mechanisms are enabled.
sha1: all mechanisms are enabled.
md5: all mechanisms are enabled.
rsa: all mechanisms are enabled.
swrand: random is enabled.
sha2: all mechanisms are enabled.

Kernel hardware providers:
==========================
ncp/0: all mechanisms are enabled.

Now run the following Web Server CLI (wadm) commands
# ../../bin/wadm --user=admin
Please enter admin-user-password> type-admin-server-password-here
Connected to localhost:8990
Sun Java System Web Server 7.0U2 B09/11/2007 09:09
wadm> list-configs
test.sun.com
wadm> pull-config --config=test.sun.com test.sun.com
CLI201 Command 'pull-config' ran successfully
wadm> list-tokens --config=test.sun.com
internal
Sun Metaslot
wadm>  create-selfsigned-cert --config=test.sun.com --server-name= --nickname=Server-Cert --token="Sun Metaslot"
Please enter token-pin> type-password-here
CLI201 Command 'create-selfsigned-cert' ran successfully
wadm> list-http-listeners  --config=test.sun.com
http-listener-1
wadm> set-ssl-prop --config=test.sun.com --http-listener=http-listener-1 server-cert-nickname="Sun Metaslot:Server-Cert" enabled=true
CLI201 Command 'set-ssl-prop' ran successfully
wadm>  deploy-config test.sun.com
CLI201 Command 'deploy-config' ran successfully
wadm>

If you are using an older version of Web Server that does not have the Admin CLI, you can use the following certutil command to create the self-signed certificate on the "Sun Metaslot" token
# ../../bin/certutil -S -n "Server-Cert" -x -t u,u,u -s "CN=test.sun.com" -d . -h "Sun Metaslot"
Enter Password or Pin for "Sun Metaslot": type-password-here
A random seed must be generated that will be used in the
creation of your key. One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!


Continue typing until the progress meter is full:

|************************************************************|

Finished. Press enter to continue:


Generating key. This may take a few moments...
#

Now manually double-check that the certificate exists on the token
# ../../bin/certutil -L -d . -h "Sun Metaslot"
Enter Password or Pin for "Sun Metaslot": type-password-here
Sun Metaslot:Server-Cert                                     u,u,u

Check that server.xml contains the server-cert-nickname element with the token-qualified nickname
 <http-listener>
    <name>http-listener-1</name>
    <port>80</port>
    <server-name>test.sun.com</server-name>
    <default-virtual-server-name>test.sun.com</default-virtual-server-name>
    <ssl>
      <server-cert-nickname>Sun Metaslot:Server-Cert</server-cert-nickname>
    </ssl>
  </http-listener>

Start the server (it prompts for the token PIN)
# ../bin/startserv
Sun Java System Web Server 7.0U2 B09/11/2007 09:09
Please enter the PIN for the "Sun Metaslot" token: type-password-here
info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.5.0_12] from [Sun Microsystems Inc.]
info: HTTP3072: http-listener-1: https://test.sun.com:80 ready to accept requests
info: CORE3274: successful server startup


Now check that the server is really using the accelerator: note the ncp RSA counters before sending any request
# kstat -n ncp0 | grep rsa
        rsaprivate                      18
        rsapublic                       2001

Send a request through the browser to this server, https://test.sun.com:80; it should show index.html. Then read the counters again

# kstat -n ncp0 | grep rsa
        rsaprivate                      19
        rsapublic                       2001


The rsaprivate counter has increased by one, which means the SSL handshake's RSA private-key operation was performed by the ncp accelerator, so everything is working.
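The three checks in the procedure above (SCF module loaded with the Sun Metaslot slot, SSL3 mechanisms disabled in the software token, ncp rsaprivate counter growing per handshake) are done by eye in the post. The following POSIX sh script is an added example, not part of the original post, that performs the same checks over captured command output so they can be scripted; the sample captures in it are constructed to mirror the post's listings, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): offline checks over captured
# output of modutil, cryptoadm and kstat for the verification points above.

# Mechanisms the post disables on pkcs11_softtoken.so.
SSL3_MECHS="CKM_SSL3_PRE_MASTER_KEY_GEN CKM_SSL3_MASTER_KEY_DERIVE \
CKM_SSL3_KEY_AND_MAC_DERIVE CKM_SSL3_MASTER_KEY_DERIVE_DH \
CKM_SSL3_MD5_MAC CKM_SSL3_SHA1_MAC"

# scf_module_loaded MODUTIL_OUTPUT
# 0 when "modutil -list" output shows the Solaris Crypto Framework module
# loaded and exposing a "Sun Metaslot" slot (the token the cert lives on).
scf_module_loaded() {
    printf '%s\n' "$1" | awk '
        /^ *[0-9]+\. /                 { inscf = ($0 ~ /Solaris Crypto Framework/) }
        inscf && /status: loaded/      { loaded = 1 }
        inscf && /slot: Sun Metaslot/  { slot = 1 }
        END { exit (loaded && slot) ? 0 : 1 }'
}

# softtoken_ssl_mechs_disabled CRYPTOADM_OUTPUT
# 0 when the pkcs11_softtoken.so line of "cryptoadm list -p" names every
# mechanism in SSL3_MECHS in its "except" clause. Tokens are compared
# exactly, so ..._MASTER_KEY_DERIVE_DH does not satisfy ..._MASTER_KEY_DERIVE.
softtoken_ssl_mechs_disabled() {
    line=$(printf '%s\n' "$1" | grep 'pkcs11_softtoken.so:') || return 1
    case "$line" in
        *"enabled, except "*) ;;
        *) return 1 ;;
    esac
    except=${line#*except }        # drop everything up to "except "
    except=${except%%.*}           # keep the comma list before the period
    for m in $SSL3_MECHS; do
        found=0
        for d in $(printf '%s' "$except" | tr ',' ' '); do
            [ "$d" = "$m" ] && found=1
        done
        [ "$found" -eq 1 ] || return 1
    done
    return 0
}

# ncp_rsa_private_delta BEFORE AFTER
# Prints the growth of the ncp "rsaprivate" counter between two
# "kstat -n ncp0 | grep rsa" captures; one accelerated handshake adds one.
ncp_rsa_private_delta() {
    b=$(printf '%s\n' "$1" | awk '$1 == "rsaprivate" { print $2 }')
    a=$(printf '%s\n' "$2" | awk '$1 == "rsaprivate" { print $2 }')
    [ -n "$a" ] && [ -n "$b" ] || return 1
    echo $((a - b))
}

# ---- constructed sample captures, mirroring the listings in the post ----
MODUTIL_OK=$(cat <<'EOF'
  1. NSS Internal PKCS #11 Module
        status: loaded
  2. Solaris Crypto Framework
        library name: /usr/lib/libpkcs11.so
        status: loaded
         slot: Sun Metaslot
        token: Sun Metaslot
         slot: ncp/0 Crypto Accel Asym 1.0
  3. Root Certs
        status: loaded
EOF
)
MODUTIL_NOSCF=$(cat <<'EOF'
  1. NSS Internal PKCS #11 Module
        status: loaded
  2. Root Certs
        status: loaded
EOF
)
CRYPTOADM_OK='/usr/lib/security/$ISA/pkcs11_kernel.so: all mechanisms are enabled.
/usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled, except CKM_SSL3_SHA1_MAC,CKM_SSL3_MD5_MAC,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_SSL3_KEY_AND_MAC_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_PRE_MASTER_KEY_GEN. random is enabled.'
CRYPTOADM_PARTIAL='/usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled, except CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_SSL3_SHA1_MAC. random is enabled.'
KSTAT_BEFORE='        rsaprivate                      18
        rsapublic                       2001'
KSTAT_AFTER='        rsaprivate                      19
        rsapublic                       2001'

# Report on the constructed captures (on a real host, feed in live output).
scf_module_loaded "$MODUTIL_OK" && echo "SCF module: loaded with Sun Metaslot"
softtoken_ssl_mechs_disabled "$CRYPTOADM_OK" && echo "softtoken SSL3 mechanisms: disabled"
echo "rsaprivate delta after one request: $(ncp_rsa_private_delta "$KSTAT_BEFORE" "$KSTAT_AFTER")"
```

On a live system the same functions take `"$(../../bin/modutil -list -dbdir .)"`, `"$(cryptoadm list -p)"` and two `"$(kstat -n ncp0 | grep rsa)"` captures taken around a test request; a delta of zero after a request means the handshake was served by software, not by ncp.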

Tip: If
1. the Web Server does not present the intermediate CA certificates installed as the server certificate chain to the browser, which causes certificate validation by the browser to fail,
or
2. client authentication fails with the following error message in the errors log, although the Root CA cert has been installed in the certificate database:

failure (16670): HTTP3068: Error receiving request from 123.45.67.897(SEC_ERROR_UNKNOWN_ISSUER: Peer's certificate is signed by an unknown issuer)

then both issues are caused by the /.sunw directory not being accessible to the web server's run user "webservd". That directory has permissions 0700 and is owned by root. The Web Server starts up as root and then changes (using setuid) to user "webservd". The solution is one of the following:
1) Run the web server as root.
2) Open up the permissions on /.sunw so that it is readable by the web server's run user.
3) Set the environment variable SOFTTOKEN_DIR to point to a directory owned by webservd before the web server is started. The SCF will then access the files in $SOFTTOKEN_DIR/pkcs11_softtoken/ during execution.
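Because the failure above only shows up after the server has dropped root, it is easier to catch before starting it. The POSIX sh functions below are an added example, not part of the original post: they compute where the softtoken keystore will be looked for according to the tip (/.sunw by default, $SOFTTOKEN_DIR/pkcs11_softtoken when the variable is set) and check whether a given run user can reach that directory. Only the owner and the "other" permission bits are examined; group membership is not resolved, which is a simplification, and the user name "webservd" is the one the post uses.

```shell
#!/bin/sh
# Added example (not from the original post): pre-start check that the
# softtoken keystore directory is reachable by the web server's run user.

# softtoken_keystore_dir
# Echoes the directory the tip says SCF uses: /.sunw unless SOFTTOKEN_DIR
# is set, in which case $SOFTTOKEN_DIR/pkcs11_softtoken.
softtoken_keystore_dir() {
    if [ -n "${SOFTTOKEN_DIR:-}" ]; then
        printf '%s\n' "$SOFTTOKEN_DIR/pkcs11_softtoken"
    else
        printf '%s\n' "/.sunw"
    fi
}

# dir_accessible_by DIR USER
# 0 when USER owns DIR or DIR grants read and search to "other";
# 1 when it does not (the 0700 root-owned case from the tip);
# 2 when DIR does not exist. Group bits are deliberately not considered.
dir_accessible_by() {
    dir=$1
    user=$2
    [ -d "$dir" ] || return 2
    set -- $(ls -ld "$dir")            # mode links owner group ...
    mode=$(printf '%s' "$1" | cut -c1-10)   # strip ACL/label suffixes
    owner=$3
    [ "$owner" = "$user" ] && return 0
    case "$mode" in
        d??????r?x) return 0 ;;         # other: r-x or rwx
    esac
    return 1
}

# preflight_softtoken USER
# Human-readable verdict for the directory softtoken_keystore_dir reports.
preflight_softtoken() {
    d=$(softtoken_keystore_dir)
    if dir_accessible_by "$d" "$1"; then
        echo "ok: $d is accessible to $1"
    else
        echo "warning: $d is not accessible to $1; expect SEC_ERROR_UNKNOWN_ISSUER / missing chain"
    fi
}

preflight_softtoken webservd
```

Run it as root in the same environment the server will be started from (so that SOFTTOKEN_DIR is seen the same way); a "warning" line means one of the three remedies in the tip is still needed.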

Posted by meena (Sep 19 2007, 01:31:20 PM IST)

Trackback URL: http://blogs.sun.com/meena/entry/using_builtin_hardware_accelerators_of