Meena Vyas

Wednesday, September 19, 2007

Using the built-in hardware accelerators of a Niagara 1 (Sun Fire T2000) server with an SSL-enabled Sun Java System Web Server 7.0 instance
In my previous blog post I talked about the Solaris Crypto Framework (SCF) and Sun Java System Web Server 7.0 in general. This time I tried to make use of the built-in hardware accelerators of a Niagara 1 (Sun Fire T2000) server with my SSL-enabled Sun Java System Web Server 7.0 U2 instance. Here is what I had to do to make it work.

Step 1: Go to the Web Server installation directory and start the admin server

# ./admin-server/bin/startserv

Step 2: Go to the Web Server 7.0 instance's config directory and perform these manual steps
# cd https-test.sun.com/config/
First, remove the existing keystore (the softtoken keystore lives under the home directory, which is / for root)
# rm -rf /.sunw
Set the PIN for the new keystore
# pktool setpin
Create new passphrase: type-password-here
Re-enter new passphrase: type-password-here
Passphrase changed.
List the current PKCS #11 modules
# ../../bin/modutil -list -dbdir .
Using database directory ....

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. Root Certs
        library name: libnssckbi.so
         slots: 1 slot attached
        status: loaded

         slot:
        token: Builtin Object Token
-----------------------------------------------------------
Add the SCF module
# ../../bin/modutil  -dbdir . -add "Solaris Crypto Framework" -libfile /usr/lib/libpkcs11.so -mechanisms RSA

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

Using database directory ....
Module "Solaris Crypto Framework" added to database.
Enable the SCF module
# ../../bin/modutil -enable "Solaris Crypto Framework" -dbdir .

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

Using database directory ....
Slot "Sun Metaslot" enabled.
Slot "ncp/0 Crypto Accel Asym 1.0" enabled.
List the modules again to make sure the add and enable steps above succeeded.
# ../../bin/modutil  -list -dbdir .
Using database directory ....

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. Solaris Crypto Framework
        library name: /usr/lib/libpkcs11.so
         slots: 2 slots attached
        status: loaded

         slot: Sun Metaslot
        token: Sun Metaslot

         slot: ncp/0 Crypto Accel Asym 1.0
        token: ncp/0 Crypto Accel Asym 1.0

  3. Root Certs
        library name: libnssckbi.so
         slots: 1 slot attached
        status: loaded

         slot:
        token: Builtin Object Token
-----------------------------------------------------------
Disable the following SSL3 mechanisms in the softtoken provider
# cryptoadm disable provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so mechanism=CKM_SSL3_PRE_MASTER_KEY_GEN,CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_KEY_AND_MAC_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_SSL3_MD5_MAC,CKM_SSL3_SHA1_MAC

List the providers to make sure these were disabled
# cryptoadm list -p
User-level providers:
=====================
/usr/lib/security/$ISA/pkcs11_kernel.so: all mechanisms are enabled.
/usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled, except CKM_SSL3_SHA1_MAC,CKM_SSL3_MD5_MAC,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_SSL3_KEY_AND_MAC_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_PRE_MASTER_KEY_GEN. random is enabled.

Kernel software providers:
==========================
des: all mechanisms are enabled.
aes: all mechanisms are enabled.
arcfour: all mechanisms are enabled.
blowfish: all mechanisms are enabled.
sha1: all mechanisms are enabled.
md5: all mechanisms are enabled.
rsa: all mechanisms are enabled.
swrand: random is enabled.
sha2: all mechanisms are enabled.

Kernel hardware providers:
==========================
ncp/0: all mechanisms are enabled.

Now run the following Web Server CLI commands
# ../../bin/wadm --user=admin
Please enter admin-user-password> type-admin-server-password-here
Connected to localhost:8990
Sun Java System Web Server 7.0U2 B09/11/2007 09:09
wadm> list-configs
test.sun.com
wadm> pull-config --config=test.sun.com test.sun.com
CLI201 Command 'pull-config' ran successfully
wadm> list-tokens --config=test.sun.com
internal
Sun Metaslot
wadm> create-selfsigned-cert --config=test.sun.com --server-name=test.sun.com --nickname=Server-Cert --token="Sun Metaslot"
Please enter token-pin> type-password-here
CLI201 Command 'create-selfsigned-cert' ran successfully
wadm> list-http-listeners  --config=test.sun.com
http-listener-1
wadm> set-ssl-prop --config=test.sun.com --http-listener=http-listener-1 server-cert-nickname="Sun Metaslot:Server-Cert" enabled=true
CLI201 Command 'set-ssl-prop' ran successfully
wadm> deploy-config test.sun.com
CLI201 Command 'deploy-config' ran successfully
wadm>

If you are using an older version of Web Server and do not have the Admin CLI, you can use the following command to create the self-signed certificate
# ../../bin/certutil -S -n "Server-Cert" -x -t u,u,u -s "CN=test.sun.com" -d . -h "Sun Metaslot"
Enter Password or Pin for "Sun Metaslot": type-password-here
A random seed must be generated that will be used in the
creation of your key. One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!


Continue typing until the progress meter is full:

|************************************************************|

Finished. Press enter to continue:


Generating key. This may take a few moments...
#

Now manually double-check that the certificate exists
# ../../bin/certutil -L -d . -h "Sun Metaslot"
Enter Password or Pin for "Sun Metaslot": type-password-here
Sun Metaslot:Server-Cert                                     u,u,u

Check that server.xml contains the server-cert-nickname element
  <http-listener>
    <name>http-listener-1</name>
    <port>80</port>
    <server-name>test.sun.com</server-name>
    <default-virtual-server-name>test.sun.com</default-virtual-server-name>
    <ssl>
      <server-cert-nickname>Sun Metaslot:Server-Cert</server-cert-nickname>
    </ssl>
  </http-listener>

Start the server
# ../bin/startserv
Sun Java System Web Server 7.0U2 B09/11/2007 09:09
Please enter the PIN for the "Sun Metaslot" token: type-password-here
info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.5.0_12] from [Sun Microsystems Inc.]
info: HTTP3072: http-listener-1: https://test.sun.com:80 ready to accept requests
info: CORE3274: successful server startup


Now check that the server is functioning properly and actually using the accelerator. First note the ncp RSA counters:
# kstat -n ncp0 | grep rsa
        rsaprivate                      18
        rsapublic                       2001

Send a request from a browser to this server at https://test.sun.com:80; it should show index.html. Then read the counters again:

# kstat -n ncp0 | grep rsa
        rsaprivate                      19
        rsapublic                       2001

The rsaprivate counter has gone up by one, i.e. the RSA private-key operation of the handshake was performed by the ncp accelerator, which means we are OK.



Posted by meena (Sep 19 2007, 01:31:20 PM IST)
