Configuring SCF and Java SWS7 on Systems With UltraSPARC T1/T2 Processors

A quick note from my archives based on documentation from Sun Microsystems.
Topic: how to configure SCF so that SSL-layer traffic uses the hardware cryptography of the UltraSPARC T1/T2 processor.
The high-level steps are:
  1. Initialize NCP system (cryptoadm and pktool)
  2. Load modules with modutil
  3. Configure Web server to utilize new service
NSS CLI tools from Mozilla.org:
  1. Certificate Database Tool (certutil)
  2. Security Module Database (modutil)
  3. PKCS#12 utility (pk12util)
Acronyms
Secure Socket Layer (SSL)
Network Security Services (NSS)
Transport Layer Security (TLS)
Solaris Cryptographic Framework (SCF) provides a common operating system-level framework for providing, consuming, and administering cryptographic services.
Solaris Cryptographic Framework also implements the PKCS#11 API.
ncp — Niagara Crypto Provider Device Driver
Modular Arithmetic Unit (MAU)
# list available and configured providers with cryptoadm list
cryptoadm list
User-level providers:
Provider: /usr/lib/security/$ISA/pkcs11_kernel.so
Provider: /usr/lib/security/$ISA/pkcs11_softtoken.so
Kernel hardware providers:
          ncp/0
# As with the NSS built-in token, the SCF software token is protected by a password.
# Data store is in the $HOME/.sunw/pkcs11_softtoken/ directory
pktool setpin
Enter new PIN:
Re-enter new PIN:
%
# check configured modules in PKCS #11
modutil -list -dbdir .
Using database directory ….
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded
         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services
         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
  2. Root Certs
        library name: libnssckbi.so
         slots: There are no slots attached to this module
        status: Not loaded
In the output above, only one module is installed.
# add SCF provider
# 32bit = /usr/lib/libpkcs11.so
# 64bit = /usr/lib/64/libpkcs11.so
modutil -dbdir . -add "Solaris Crypto Framework" \
-libfile /usr/lib/libpkcs11.so \
-mechanisms RSA
WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:
..
Using database directory ….
Module "Solaris Crypto Framework" added to database.
Note: the warning above can be ignored here; it concerns a running browser sharing the database.
# enable new module
modutil -enable "Solaris Crypto Framework" -dbdir .
Slot "Sun Metaslot" enabled.
Slot "ncp/0 Crypto Accel Asym 1.0" enabled.
Theory from Sun:
From the modutil help output you can see the list of mechanisms recognized by NSS. Adding the scf provider as the default provider for a given mechanism (via the -mechanism option) requests that this module should be used for operations that use that mechanism. However, operations involving private keys or material derived from private or secret data are “sticky” to the module containing the private key. So if the server commences a sequence of cryptographic operations that uses a private key from a given module, subsequent related operations will continue to be performed by that module even if they use mechanisms that would otherwise go to a different module. This is why I say that the default mechanism hints, rather than mandates, which module will perform those operations.
# check for newly configured modules in PKCS #11
modutil -list -dbdir .
Using database directory ….
Listing of PKCS #11 Modules
-----------------------------------------------------------
  …
2. Solaris Crypto Framework
        library name: /usr/lib/libpkcs11.so
         slots: 2 slots attached
        status: loaded
         slot: Sun Metaslot
        token: Sun Metaslot
         slot: ncp/0 Crypto Accel Asym 1.0
        token: ncp/0 Crypto Accel Asym 1.0
# disable the softtoken's SSL3 mechanisms so that they run on the hardware accelerator instead
cryptoadm disable provider=/usr/lib/security/$ISA/pkcs11_softtoken.so \
mechanism=CKM_SSL3_PRE_MASTER_KEY_GEN,\
CKM_SSL3_MASTER_KEY_DERIVE,\
CKM_SSL3_KEY_AND_MAC_DERIVE,\
CKM_SSL3_MASTER_KEY_DERIVE_DH,\
CKM_SSL3_MD5_MAC,\
CKM_SSL3_SHA1_MAC
# cryptoadm should confirm the above operation
cryptoadm list -p
User-level providers:
=====================
/usr/lib/security/$ISA/pkcs11_kernel.so: all mechanisms are enabled.
random is enabled.
/usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled, except
CKM_SSL3_SHA1_MAC,CKM_SSL3_MD5_MAC,CKM_SSL3_MASTER_KEY_DERIVE_DH,
CKM_SSL3_KEY_AND_MAC_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE,
CKM_SSL3_PRE_MASTER_KEY_GEN.
random is enabled.
[…]
# migrate keys and certificate data
% pk12util -o key-cert-data.pk12 -n cert-hostname -d .
Enter password for PKCS12 file:
Re-enter password:
pk12util: PKCS12 EXPORT SUCCESSFUL
% pk12util -i key-cert-data.pk12 -d . -h "Sun Metaslot"
Enter Password or Pin for "Sun Metaslot":
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL
% certutil -L -d . -h "Sun Metaslot"
Enter Password or Pin for "Sun Metaslot":
Sun Metaslot:cert-hostname
# modify server.xml to use new certificate
from
<server-cert-nickname>cert-hostname</server-cert-nickname>
to
<server-cert-nickname>Sun Metaslot:cert-hostname</server-cert-nickname>
# start/restart the Web server
# use kstat to observe stats on Niagara Crypto Provider Device Driver
% kstat -n ncp0 | grep rsa
rsaprivate 10
rsapublic 10
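Two checks worth scripting once the steps above are done, as an added example that is not part of the original note or Sun's documentation: parsing `cryptoadm list -p` to confirm all six SSL3 mechanisms really are disabled on the softtoken, and diffing two `kstat -n ncp0` samples to confirm RSA private-key operations are landing on ncp/0. The sample outputs embedded in the script are constructed to mirror the output shown above; the function names are the example's own.

```shell
#!/bin/sh
# Post-configuration checks (added example, not from the page or Sun): parse `cryptoadm list -p`
# to confirm all six SSL3 mechanisms are disabled on the softtoken, and diff two `kstat -n ncp0`
# samples to count the RSA private-key operations that actually ran on ncp/0.
SSL3_MECHS="CKM_SSL3_PRE_MASTER_KEY_GEN CKM_SSL3_MASTER_KEY_DERIVE CKM_SSL3_KEY_AND_MAC_DERIVE \
CKM_SSL3_MASTER_KEY_DERIVE_DH CKM_SSL3_MD5_MAC CKM_SSL3_SHA1_MAC"
# Print, one per line, the mechanisms cryptoadm reports as disabled for pkcs11_softtoken.so
# (the "except" list runs from the softtoken line up to its "random is ..." line).
softtoken_disabled_mechs() {
  printf '%s\n' "$1" | awk '
    /pkcs11_softtoken\.so:/ { insoft = 1; next }
    insoft && /^random/     { insoft = 0 }
    insoft { gsub(/[ .]/, ""); n = split($0, a, ","); for (i = 1; i <= n; i++) if (a[i] != "") print a[i] }'
}

# 0 if every SSL3 mechanism is disabled on the softtoken; otherwise name the first one that is
# still enabled (and would keep running in software instead of on the chip) and return 1.
check_ssl3_offloaded() {
  disabled=$(softtoken_disabled_mechs "$1")
  for m in $SSL3_MECHS; do
    printf '%s\n' "$disabled" | grep -qx "$m" || { echo "still enabled on softtoken: $m" >&2; return 1; }
  done
  return 0
}

# rsaprivate counter from `kstat -n ncp0` output (0 if the line is absent).
ncp_rsaprivate() {
  v=$(printf '%s\n' "$1" | awk '$1 == "rsaprivate" { print $2; exit }')
  echo "${v:-0}"
}

# RSA private-key operations performed by the chip between two kstat samples; a TLS handshake
# against the server should make this grow once the key lives in "Sun Metaslot".
ncp_delta() {
  echo $(( $(ncp_rsaprivate "$2") - $(ncp_rsaprivate "$1") ))
}

# Constructed samples modelled on the output shown above (not captured from a real system).
SAMPLE_CRYPTOADM='/usr/lib/security/$ISA/pkcs11_kernel.so: all mechanisms are enabled.
random is enabled.
/usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled, except
CKM_SSL3_SHA1_MAC,CKM_SSL3_MD5_MAC,CKM_SSL3_MASTER_KEY_DERIVE_DH,
CKM_SSL3_KEY_AND_MAC_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE,
CKM_SSL3_PRE_MASTER_KEY_GEN.
random is enabled.'
SAMPLE_KSTAT_BEFORE='        rsaprivate      10
        rsapublic       10'
SAMPLE_KSTAT_AFTER='        rsaprivate      15
        rsapublic       11'
# Live use: before=$(kstat -n ncp0); <one TLS handshake>; after=$(kstat -n ncp0); ncp_delta "$before" "$after"
```

A delta of zero after a handshake means the server is still signing with the softtoken key, usually because server.xml still names the old nickname rather than Sun Metaslot:cert-hostname.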
References
– System Administration Guide: Security Services: Chapter 13. Solaris Cryptographic Framework (Overview)
– Solaris Security for Developers Guide: Chapter 8. Introduction to the Solaris Cryptographic Framework
– ncp in Solaris 10 Reference Manual Collection, man pages section 7: Device and Network Interfaces
– Sun Java System Web Server
– Overview of NSS
– UltraSPARC Processors Documentation