
Wednesday September 19, 2007
Using the builtin hardware accelerators of a Niagara 1 (Sun Fire T2000) server with an SSL enabled Sun Java System Web Server 7.0 instance
In my previous blog I talked about the Solaris Cryptographic Framework (SCF) and Sun Java System Web Server 7.0 in general. This time I tried to make use of the builtin hardware accelerators of a Niagara 1 (Sun Fire T2000) server with my SSL enabled Sun Java System Web Server 7.0 U2 instance. Here is what I had to do to make it work.
Step 1: Go to the Web Server installation directory and start the admin server
# ./admin-server/bin/startserv
Step 2: Go to the Web Server 7.0 instance's config directory and perform these manual steps
# cd https-test.sun.com/config/
First remove the existing softtoken keystore. Root's home directory is /, so /.sunw is root's softtoken keystore; this wipes any keys already stored there, so skip this step (or back the directory up first) if that keystore is already in use for something else.
# rm -rf /.sunw
Set the PIN. Since the keystore was just removed, pktool creates a new one and asks for its passphrase; this is the passphrase that wadm, certutil and startserv will later prompt for as the "Sun Metaslot" PIN.
# pktool setpin
Create new passphrase: type-password-here
Re-enter new passphrase: type-password-here
Passphrase changed.
List the current PKCS#11 modules
# ../../bin/modutil -list -dbdir .
Using database directory ....
Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
   slots: 2 slots attached
   status: loaded
   slot: NSS Internal Cryptographic Services
   token: NSS Generic Crypto Services
   slot: NSS User Private Key and Certificate Services
   token: NSS Certificate DB
2. Root Certs
   library name: libnssckbi.so
   slots: 1 slot attached
   status: loaded
   slot:
   token: Builtin Object Token
-----------------------------------------------------------
Add the SCF module. The -mechanisms RSA option makes this module NSS's default provider for RSA operations, which is what the ncp accelerator on Niagara 1 handles. The warning talks about a browser because modutil is a generic NSS tool; what matters here is that the web server instance that owns this database (https-test.sun.com) is not running while the database is modified.
# ../../bin/modutil -dbdir . -add "Solaris Crypto Framework" -libfile /usr/lib/libpkcs11.so -mechanisms RSA
WARNING: Performing this operation while the browser is running could
cause corruption of your security databases. If the browser is currently
running, you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:
Using database directory ....
Module "Solaris Crypto Framework" added to database.
Enable the SCF module
# ../../bin/modutil -enable "Solaris Crypto Framework" -dbdir .
WARNING: Performing this operation while the browser is running could
cause corruption of your security databases. If the browser is currently
running, you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:
Using database directory ....
Slot "Sun Metaslot" enabled.
Slot "ncp/0 Crypto Accel Asym 1.0" enabled.
List the modules again to make sure the add and enable steps above succeeded.
# ../../bin/modutil -list -dbdir .
Using database directory ....
Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
   slots: 2 slots attached
   status: loaded
   slot: NSS Internal Cryptographic Services
   token: NSS Generic Crypto Services
   slot: NSS User Private Key and Certificate Services
   token: NSS Certificate DB
2. Solaris Crypto Framework
   library name: /usr/lib/libpkcs11.so
   slots: 2 slots attached
   status: loaded
   slot: Sun Metaslot
   token: Sun Metaslot
   slot: ncp/0 Crypto Accel Asym 1.0
   token: ncp/0 Crypto Accel Asym 1.0
3. Root Certs
   library name: libnssckbi.so
   slots: 1 slot attached
   status: loaded
   slot:
   token: Builtin Object Token
-----------------------------------------------------------
Disable the following SSL3 mechanisms in the software token
# cryptoadm disable provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so mechanism=CKM_SSL3_PRE_MASTER_KEY_GEN,CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_KEY_AND_MAC_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_SSL3_MD5_MAC,CKM_SSL3_SHA1_MAC
The metaslot hands each mechanism to a provider that supports it, so with these SSL3 key-derivation and MAC mechanisms disabled in pkcs11_softtoken.so they are no longer routed through the softtoken and NSS performs them internally; the RSA operations, which are what ncp/0 accelerates, still go through the framework. The backslash stops the shell from expanding $ISA, a token that Solaris itself replaces with the instruction-set subdirectory (empty for 32-bit, sparcv9 for 64-bit on this machine).
List the providers to make sure these were disabled
# cryptoadm list -p
User-level providers:
=====================
/usr/lib/security/$ISA/pkcs11_kernel.so: all mechanisms are enabled.
/usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled, except CKM_SSL3_SHA1_MAC,CKM_SSL3_MD5_MAC,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_SSL3_KEY_AND_MAC_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_PRE_MASTER_KEY_GEN. random is enabled.

Kernel software providers:
==========================
des: all mechanisms are enabled.
aes: all mechanisms are enabled.
arcfour: all mechanisms are enabled.
blowfish: all mechanisms are enabled.
sha1: all mechanisms are enabled.
md5: all mechanisms are enabled.
rsa: all mechanisms are enabled.
swrand: random is enabled.
sha2: all mechanisms are enabled.

Kernel hardware providers:
==========================
ncp/0: all mechanisms are enabled.
Now run the following Web Server CLI commands. pull-config brings the manual changes made to the instance's NSS database into the administration server's copy of the configuration, and the token-pin asked for by create-selfsigned-cert is the softtoken passphrase set with pktool above.
# ../../bin/wadm --user=admin
Please enter admin-user-password> type-admin-server-password-here
Connected to localhost:8990
Sun Java System Web Server 7.0U2 B09/11/2007 09:09
wadm> list-configs
test.sun.com
wadm> pull-config --config=test.sun.com test.sun.com
CLI201 Command 'pull-config' ran successfully
wadm> list-tokens --config=test.sun.com
internal
Sun Metaslot
wadm> create-selfsigned-cert --config=test.sun.com --server-name= --nickname=Server-Cert --token="Sun Metaslot"
Please enter token-pin> type-password-here
CLI201 Command 'create-selfsigned-cert' ran successfully
wadm> list-http-listeners --config=test.sun.com
http-listener-1
wadm> set-ssl-prop --config=test.sun.com --http-listener=http-listener-1 server-cert-nickname="Sun Metaslot:Server-Cert" enabled=true
CLI201 Command 'set-ssl-prop' ran successfully
wadm> deploy-config test.sun.com
CLI201 Command 'deploy-config' ran successfully
wadm>
If you are using an older version of Web Server that has no Admin CLI, an equivalent self-signed certificate can be created with certutil. -h "Sun Metaslot" generates the key pair through the metaslot, so the private key ends up in the PIN-protected softtoken keystore set up with pktool above; ncp/0 is an accelerator slot and is not offered as a token (list-tokens above shows only internal and Sun Metaslot), so the key cannot be created on it directly.
# ../../bin/certutil -S -n "Server-Cert" -x -t u,u,u -s "CN=test.sun.com" -d . -h "Sun Metaslot"
Enter Password or Pin for "Sun Metaslot": type-password-here
A random seed must be generated that will be used in the
creation of your key. One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.
To begin, type keys on the keyboard until this progress meter
is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
Continue typing until the progress meter is full:
|************************************************************|
Finished. Press enter to continue:
Generating key. This may take a few moments...
#
Now manually double check that the certificate exists
# ../../bin/certutil -L -d . -h "Sun Metaslot"
Enter Password or Pin for "Sun Metaslot": type-password-here
Sun Metaslot:Server-Cert                                     u,u,u
Check that server.xml contains the server-cert-nickname element
<http-listener>
  <name>http-listener-1</name>
  <port>80</port>
  <server-name>test.sun.com</server-name>
  <default-virtual-server-name>test.sun.com</default-virtual-server-name>
  <ssl>
    <server-cert-nickname>Sun Metaslot:Server-Cert</server-cert-nickname>
  </ssl>
</http-listener>
Start the server. It asks for the Sun Metaslot PIN at every start, because the private key lives in the PIN-protected softtoken keystore.
# ../bin/startserv
Sun Java System Web Server 7.0U2 B09/11/2007 09:09
Please enter the PIN for the "Sun Metaslot" token: type-password-here
info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.5.0_12] from [Sun Microsystems Inc.]
info: HTTP3072: http-listener-1: https://test.sun.com:80 ready to accept requests
info: CORE3274: successful server startup
Now check that the accelerator is actually being used. Read the ncp0 RSA counters before sending a request:
# kstat -n ncp0 | grep rsa
rsaprivate                      18
rsapublic                       2001
Send a request from a browser to https://test.sun.com:80; it should show index.html. Then read the counters again:
# kstat -n ncp0 | grep rsa
rsaprivate                      19
rsapublic                       2001
rsaprivate went up by one: the RSA private-key operation of the SSL handshake (decrypting the client's pre-master secret) ran on ncp/0, which is what we wanted. rsapublic did not change, as expected with an RSA key exchange and no client certificate. If the counter does not move on a repeat request, the browser is most likely resuming the earlier SSL session, which skips the RSA operation; use a fresh browser session or a different client to force a full handshake.
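The checks above gathered into one script, as an added example that is not part of the original post: it parses the output of modutil -list, cryptoadm list -p and kstat -n ncp0 (in the formats shown above) and reports whether the Solaris Crypto Framework module with its ncp/0 slot is present, whether all six SSL3 mechanisms are disabled in the softtoken, and whether rsaprivate increased between two kstat snapshots. The sample outputs embedded in the script are constructed to mirror the ones above; the directory layout, the curl call and the ncp0 kstat name in the live-run comment are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post: verify the SCF/NSS setup
# described above by parsing tool output. Assumed: output formats as shown
# in the post, kstat instance name "ncp0", and the instance layout
# https-<name>/config with modutil two levels up in bin/.

SSL3_MECHS="CKM_SSL3_PRE_MASTER_KEY_GEN CKM_SSL3_MASTER_KEY_DERIVE \
CKM_SSL3_KEY_AND_MAC_DERIVE CKM_SSL3_MASTER_KEY_DERIVE_DH \
CKM_SSL3_MD5_MAC CKM_SSL3_SHA1_MAC"

# Reads `modutil -list -dbdir <dir>` on stdin. Succeeds only if the
# "Solaris Crypto Framework" module is backed by libpkcs11.so and exposes
# an "ncp/N Crypto Accel" slot.
scf_module_present() {
    awk '
        /^ *[0-9]+\. / { inmod = ($0 ~ /Solaris Crypto Framework/) }
        inmod && /library name:/ && /libpkcs11\.so/   { lib = 1 }
        inmod && /slot:/ && /ncp\/[0-9]+ Crypto Accel/ { ncp = 1 }
        END { exit ((lib && ncp) ? 0 : 1) }
    '
}

# Reads `cryptoadm list -p` on stdin. Succeeds only if every mechanism in
# SSL3_MECHS appears in the softtoken provider's "except" list.
softtoken_ssl3_disabled() {
    block=$(awk '
        /pkcs11_softtoken\.so:/ { insoft = 1; print; next }
        insoft && (/^\// || /^$/ || /providers:$/) { insoft = 0 }
        insoft { print }
    ')
    case $block in *except*) ;; *) return 1 ;; esac
    for m in $SSL3_MECHS; do
        printf '%s\n' "$block" | tr ', ' '\n\n' | sed 's/\.$//' | grep -qx "$m" || return 1
    done
}

# Takes two `kstat -n ncp0` snapshots (before and after a request), prints
# the change in rsaprivate and succeeds only if the counter increased.
rsa_private_delta() {
    before=$(printf '%s\n' "$1" | awk '$1 == "rsaprivate" { print $2 }')
    after=$(printf '%s\n' "$2" | awk '$1 == "rsaprivate" { print $2 }')
    [ -n "$before" ] && [ -n "$after" ] || return 2
    echo $((after - before))
    [ "$after" -gt "$before" ]
}

# Constructed sample outputs mirroring the post (not captured from a real run).
SAMPLE_MODUTIL='Listing of PKCS #11 Modules
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded
         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
  2. Solaris Crypto Framework
        library name: /usr/lib/libpkcs11.so
         slots: 2 slots attached
        status: loaded
         slot: Sun Metaslot
        token: Sun Metaslot
         slot: ncp/0 Crypto Accel Asym 1.0
        token: ncp/0 Crypto Accel Asym 1.0
  3. Root Certs
        library name: libnssckbi.so
         slots: 1 slot attached
        status: loaded
         slot:
        token: Builtin Object Token'
SAMPLE_CRYPTOADM='User-level providers:
=====================
/usr/lib/security/$ISA/pkcs11_kernel.so: all mechanisms are enabled.
/usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled,
except CKM_SSL3_SHA1_MAC,CKM_SSL3_MD5_MAC,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_SSL3_KEY_AND_MAC_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_PRE_MASTER_KEY_GEN.
random is enabled.

Kernel hardware providers:
==========================
ncp/0: all mechanisms are enabled.'
SAMPLE_KSTAT_BEFORE='module: ncp                             instance: 0
name:   ncp0                            class:    misc
        rsaprivate                      18
        rsapublic                       2001'
SAMPLE_KSTAT_AFTER=$(printf '%s\n' "$SAMPLE_KSTAT_BEFORE" | sed 's/rsaprivate *18/rsaprivate                      19/')

# Offline demonstration against the constructed samples.
printf '%s\n' "$SAMPLE_MODUTIL" | scf_module_present \
    && echo "SCF module with ncp slot: present" || echo "SCF module with ncp slot: MISSING"
printf '%s\n' "$SAMPLE_CRYPTOADM" | softtoken_ssl3_disabled \
    && echo "SSL3 mechanisms disabled in softtoken: yes" || echo "SSL3 mechanisms disabled in softtoken: NO"
d=$(rsa_private_delta "$SAMPLE_KSTAT_BEFORE" "$SAMPLE_KSTAT_AFTER") \
    && echo "rsaprivate delta after one request: $d (accelerator in use)"

# Live run on the T2000 itself (assumed paths; curl assumed installed, -k
# because the certificate is self-signed):
#   cd https-test.sun.com/config
#   ../../bin/modutil -list -dbdir . | scf_module_present || echo "SCF module missing"
#   cryptoadm list -p | softtoken_ssl3_disabled || echo "SSL3 mechanisms still enabled in softtoken"
#   b=$(kstat -n ncp0); curl -sk https://test.sun.com:80/ >/dev/null; a=$(kstat -n ncp0)
#   rsa_private_delta "$b" "$a"
```

The mechanism check matches each name exactly after splitting the "except" list, so a list that contains only CKM_SSL3_MASTER_KEY_DERIVE_DH does not pass as CKM_SSL3_MASTER_KEY_DERIVE; the kstat check takes the two snapshots as strings so it can be run against saved output as well as live.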
Posted by meena (Sep 19 2007, 01:31:20 PM IST)
Trackback URL: http://blogs.sun.com/meena/entry/using_builtin_hardware_accelerators_of