Configuring SCF and IHS on Systems With UltraSPARC T1/T2/T4

A quick note from my archives based on documentation from Sun Microsystems.
Topic: How to configure hardware SCF to use hardware cryptography for SSL-layer traffic.
The high-level steps are:
  1. Initialize the NCP system (cryptoadm and pktool)
  2. Load the SCF module into NSS with modutil
  3. Configure the web server to use the new service
NSS CLI tools used:
  1. Certificate Database Tool (certutil)
  2. Security Module Database (modutil)
  3. PKCS#12 utility (pk12util)
Secure Sockets Layer (SSL)
Network Security Services (NSS)
Transport Layer Security (TLS)
Solaris Cryptographic Framework (SCF) provides a common operating system-level framework for providing, consuming, and administering cryptographic services.
Solaris Cryptographic Framework also implements the PKCS#11 API.
ncp — Niagara Crypto Provider Device Driver
Modular Arithmetic Unit (MAU)
# list available and configured providers with cryptoadm list
cryptoadm list
User-level providers:
Provider: /usr/lib/security/$ISA/
Provider: /usr/lib/security/$ISA/
Kernel hardware providers:
# As with the NSS built-in token, the SCF software token is protected by a password.
# Data store is in the $HOME/.sunw/pkcs11_softtoken/ directory
pktool setpin
Enter new PIN:
Re-enter new PIN:
# list the PKCS #11 modules configured in the NSS database in the current directory
modutil -list -dbdir .
Using database directory ….
Listing of PKCS #11 Modules
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded
         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services
         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
  2. Root Certs
        library name:
         slots: There are no slots attached to this module
        status: Not loaded
In the above output only one module is actually installed: Root Certs has no library and is not loaded.
# add SCF provider
# 32bit = /usr/lib/
# 64bit = /usr/lib/64/
modutil -dbdir . -add "Solaris Crypto Framework" \
-libfile /usr/lib/ \
-mechanisms RSA
WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:
Using database directory ….
Module "Solaris Crypto Framework" added to database.
Note: ignore the above warning; it only matters when a browser has the same database open.
# enable new module
modutil -enable "Solaris Crypto Framework" -dbdir .
Slot "Sun Metaslot" enabled.
Slot "ncp/0 Crypto Accel Asym 1.0" enabled.
Theory from Sun:
From the modutil help output you can see the list of mechanisms recognized by NSS. Adding the scf provider as the default provider for a given mechanism (via the -mechanism option) requests that this module should be used for operations that use that mechanism. However, operations involving private keys or material derived from private or secret data are “sticky” to the module containing the private key. So if the server commences a sequence of cryptographic operations that uses a private key from a given module, subsequent related operations will continue to be performed by that module even if they use mechanisms that would otherwise go to a different module. This is why I say that the default mechanism hints, rather than mandates, which module will perform those operations.
# confirm the new module is now listed and loaded
modutil -list -dbdir .
Using database directory ….
Listing of PKCS #11 Modules
  2. Solaris Crypto Framework
        library name: /usr/lib/
         slots: 2 slots attached
        status: loaded
         slot: Sun Metaslot
        token: Sun Metaslot
         slot: ncp/0 Crypto Accel Asym 1.0
        token: ncp/0 Crypto Accel Asym 1.0
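Reading the modutil listing by eye is fine once, but the same check is worth scripting when the configuration is rolled out to several web servers. The following is an added verification script, not part of the original post or of NSS: it parses `modutil -list` output, reports each module's load status, library and attached tokens, and exits non-zero unless the SCF module is loaded with both the "Sun Metaslot" and "ncp/0 Crypto Accel Asym 1.0" tokens. The sample listing embedded in it is constructed in the shape of the output above, and its library path is a placeholder.

```python
"""Check `modutil -list` output for a loaded PKCS#11 module and its tokens.

Added verification script, not part of the original post or of NSS itself.
Pipe real output into it (modutil -list -dbdir . | python3 check_modules.py)
or run it with no input to parse the constructed sample below.
"""
import re
import sys

# Constructed sample in the shape of the page's `modutil -list` output;
# the library path is a placeholder, not a real Solaris path.
SAMPLE = """\
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. Root Certs
        library name:
         slots: There are no slots attached to this module
        status: Not loaded

  3. Solaris Crypto Framework
        library name: /usr/lib/PLACEHOLDER_pkcs11_library.so
         slots: 2 slots attached
        status: loaded

         slot: Sun Metaslot
        token: Sun Metaslot

         slot: ncp/0 Crypto Accel Asym 1.0
        token: ncp/0 Crypto Accel Asym 1.0
-----------------------------------------------------------
"""

MODULE_RE = re.compile(r"^\s*\d+\.\s+(.*\S)\s*$")
FIELD_RE = re.compile(r"^\s*(library name|slots|status|slot|token):\s*(.*?)\s*$")


def parse_modutil_list(text):
    """Return one dict per module: name, library, status and attached slots."""
    modules, current = [], None
    for line in text.splitlines():
        m = MODULE_RE.match(line)
        if m:
            current = {"name": m.group(1), "library": "", "status": "", "slots": []}
            modules.append(current)
            continue
        f = FIELD_RE.match(line)
        if current is None or not f:
            continue
        key, value = f.groups()
        if key == "library name":
            current["library"] = value
        elif key == "status":
            current["status"] = value
        elif key == "slot":
            current["slots"].append({"slot": value, "token": ""})
        elif key == "token" and current["slots"]:
            current["slots"][-1]["token"] = value
    return modules


def module_ready(modules, name, expected_tokens):
    """True when module `name` is loaded and every expected token is attached."""
    for mod in modules:
        if mod["name"] == name:
            tokens = {s["token"] for s in mod["slots"]}
            return mod["status"].lower() == "loaded" and set(expected_tokens) <= tokens
    return False


if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    mods = parse_modutil_list(text)
    for mod in mods:
        print(f'{mod["name"]}: {mod["status"] or "?"}, library={mod["library"] or "(none)"}')
        for s in mod["slots"]:
            print(f'    slot "{s["slot"]}" -> token "{s["token"]}"')
    ok = module_ready(mods, "Solaris Crypto Framework",
                      ["Sun Metaslot", "ncp/0 Crypto Accel Asym 1.0"])
    print("SCF module ready:", ok)
    sys.exit(0 if ok else 1)
```

The exit status makes the script usable as a post-configuration gate: a module that shows up in the listing but is "Not loaded", or that is missing the ncp token, fails the check rather than silently falling back to the software token.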
# disable the soft-token mechanisms that should run on the hardware accelerator instead
cryptoadm disable provider=/usr/lib/security/$ISA/ \
# cryptoadm should confirm the above operation
cryptoadm list -p
User-level providers:
/usr/lib/security/$ISA/ all mechanisms are enabled.
random is enabled.
/usr/lib/security/$ISA/ all mechanisms are enabled, except
random is enabled.
# migrate keys and certificate data
% pk12util -o key-cert-data.pk12 -n cert-hostname -d .
Enter password for PKCS12 file:
Re-enter password:
% pk12util -i key-cert-data.pk12 -d . -h "Sun Metaslot"
Enter Password or Pin for "Sun Metaslot":
Enter password for PKCS12 file:
% certutil -L -d . -h "Sun Metaslot"
Enter Password or Pin for "Sun Metaslot":
Sun Metaslot:cert-hostname
# edit IHS httpd.conf to use new certificate
SSLPKCSDriver /usr/lib/
SSLStashFile /path/crypto.stash
SSLServerCert Sun Metaslot:cert-hostname
SSLPKCSPassword=<full path of this file containing password>
Keyfile /path/keystore.kdb
#LogLevel debug
SSLProtocolDisable SSLv2
# start/restart the Web server
# use kstat to observe statistics from the Niagara Crypto Provider device driver
% kstat -n ncp0 | grep rsa
rsaprivate 10
rsapublic 10
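A single kstat reading only shows that the counters exist; what proves the offload is that rsaprivate advances while the server handles TLS handshakes. Because of the "sticky" behaviour described above, a private key that was never migrated into the Sun Metaslot keeps being used by the NSS soft token and the ncp counters stay flat. The following is an added example, not from the original post: it diffs two `kstat -n ncp0` snapshots and reports whether private-key operations ran on ncp in between. The snapshots embedded in it are constructed in the shape of the output above (header lines included), and only the rsaprivate and rsapublic counter names come from the page.

```python
"""Confirm RSA private-key work is landing on ncp by diffing kstat snapshots.

Added example, not from the original post. Take `kstat -n ncp0` once before
and once after driving a few TLS handshakes at the server; if rsaprivate does
not move, the handshakes are still being signed by the NSS soft token.
Usage: python3 ncp_delta.py before.txt after.txt
"""
import sys

# Constructed snapshots in the shape of the page's `kstat -n ncp0` output.
# The header layout is assumed; only "<name> <value>" pairs are parsed.
BEFORE = """\
module: ncp                             instance: 0
name:   ncp0                            class:    misc
        rsaprivate                      10
        rsapublic                       10
"""
AFTER = """\
module: ncp                             instance: 0
name:   ncp0                            class:    misc
        rsaprivate                      25
        rsapublic                       10
"""

# Counter names taken from the page's output; anything else ncp exposes is
# picked up by parse_kstat but not judged here.
ASYM_COUNTERS = ("rsaprivate", "rsapublic")


def parse_kstat(text):
    """Map statistic name -> integer value; accepts `kstat -p` style names too."""
    counters = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        name, value = parts
        name = name.rsplit(":", 1)[-1]  # module:instance:name:stat -> stat
        if value.isdigit():
            counters[name] = int(value)
    return counters


def counter_delta(before, after, names=ASYM_COUNTERS):
    """Per-counter increase between two snapshots (missing counters count as 0)."""
    return {n: after.get(n, 0) - before.get(n, 0) for n in names}


def offload_active(before, after):
    """True if at least one RSA private-key operation ran on ncp in between."""
    return counter_delta(before, after)["rsaprivate"] > 0


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            before, after = parse_kstat(f1.read()), parse_kstat(f2.read())
    else:
        before, after = parse_kstat(BEFORE), parse_kstat(AFTER)
    for name, d in counter_delta(before, after).items():
        print(f"{name:12s} +{d}")
    print("hardware offload active:", offload_active(before, after))
```

Only rsaprivate is used as the verdict: the server's RSA private-key operation is the expensive step of the handshake, so it is the one that must move; rsapublic may stay flat when the client side of the exchange is handled elsewhere.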
– System Administration Guide: Security Services: Chapter 13. Solaris Cryptographic Framework (Overview)
– Solaris Security for Developers Guide: Chapter 8. Introduction to the Solaris Cryptographic Framework
– ncp in Solaris 10 Reference Manual Collection, man pages section 7: Device and Network Interfaces
– Sun Java System Web Server
– Overview of NSS
– UltraSPARC Processors Documentation
– IBM IHS Web Server Red Book