
September 21, 2006

Solaris Cryptographic Framework and Sun Java System Web Server 7.0


Here are my initial experiments with using an external PKCS#11 security module, the Solaris Cryptographic Framework (SCF), in Sun Java System Web Server 7.0. Some references I found useful are "man libpkcs11", "Using the Cryptographic Accelerator of the UltraSPARC T1 Processor" and Jyri's article "Configuring Solaris Cryptographic Framework and Sun Java System Web Server 7 on Systems With UltraSPARC T1 Processors". Special thanks to Basant, who helped me.

Note that I executed these commands from the server instance's config directory. Each command is shown with its prompt ($ for an ordinary user, # for root) followed by the output it produced.

Initial steps

First I moved the existing .sunw directory out of the way, so that the softtoken starts with a fresh keystore (the Solaris softtoken keeps its keystore under $HOME/.sunw/pkcs11_softtoken):

$ mv $HOME/.sunw $HOME/.sunw.OLD

Then I initialized the token password (PIN):

$ pktool setpin
Enter new PIN: typed-my-password-here
Re-enter new PIN: typed-my-password-here

Then I disabled the following mechanisms on both user-level providers, so that the SSL key-derivation and MAC operations are performed by NSS itself rather than routed through the framework. Note that these commands need to be executed as root; the backslash keeps the literal $ISA in the provider path, which Solaris expands to the 32-bit or 64-bit library directory.

# cryptoadm disable provider=/usr/lib/security/\$ISA/pkcs11_kernel.so mechanism=CKM_SSL3_PRE_MASTER_KEY_GEN,CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_KEY_AND_MAC_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_SSL3_MD5_MAC,CKM_SSL3_SHA1_MAC

# cryptoadm disable provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so mechanism=CKM_SSL3_PRE_MASTER_KEY_GEN,CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_KEY_AND_MAC_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_SSL3_MD5_MAC,CKM_SSL3_SHA1_MAC

(If pkcs11_softtoken_extra.so is used, disable these mechanisms for it as well.)

# cryptoadm list -p
user-level providers:
=====================
/usr/lib/security/$ISA/pkcs11_kernel.so:
all mechanisms are enabled, except CKM_SSL3_SHA1_MAC,CKM_SSL3_MD5_MAC,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_SSL3_KEY_AND_MAC_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_PRE_MASTER_KEY_GEN.

/usr/lib/security/$ISA/pkcs11_softtoken.so:
all mechanisms are enabled, except CKM_SSL3_SHA1_MAC,CKM_SSL3_MD5_MAC,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_SSL3_KEY_AND_MAC_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_PRE_MASTER_KEY_GEN.
random is enabled.

...

Registering the PKCS#11 library

I used the PKCS#11 library /usr/lib/libpkcs11.so (for 64-bit, it is /usr/lib/64/libpkcs11.so). This is the framework's consumer library, which presents the providers listed above through a single PKCS#11 interface.

The following command added the Solaris crypto framework module to the NSS database in the config directory; -mechanisms RSA flags the module as the default provider for RSA operations:

$ ../../lib/modutil -dbdir . -add "scf" -libfile /usr/lib/libpkcs11.so -mechanisms RSA
...
Module "scf" added to database.

$ ../../lib/modutil -dbdir . -enable "scf"
Verified the above steps:

$ ../../lib/modutil -dbdir . -nocertdb -list

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. scf
        library name: /usr/lib/libpkcs11.so
         slots: 1 slot attached
        status: loaded

         slot: Sun Crypto Softtoken
        token: Sun Software PKCS#11 softtoken

  3. Root Certs
        library name: libnssckbi.so
         slots: There are no slots attached to this module
        status: Not loaded
-----------------------------------------------------------

Note that slot "Sun Crypto Softtoken" has token "Sun Software PKCS#11 softtoken". I will be using this token in the next stages.
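Two checks that close out the steps so far, added here as an example (this is not code from the original post): one confirms from the output of "cryptoadm list -p" that all six SSL3 mechanisms are disabled on a given provider, the other pulls the token name for a module out of "modutil -list" output, so the exact token name used later in the certificate nickname comes from the tool rather than being retyped. Both read the tool output on stdin. The embedded sample outputs are constructed from the listings in this post (with the softtoken deliberately left half-configured so the check has something to catch), and the script name scf_preflight.sh is an assumption.

```shell
#!/bin/sh
# scf_preflight.sh: added example, not from the original post. Two checks for
# the setup above; each reads the tool's output on stdin, so they work against
# the live commands on Solaris and against saved output anywhere else.

# The six SSL3 mechanisms the post disables on every user-level provider.
SSL3_MECHS="CKM_SSL3_PRE_MASTER_KEY_GEN CKM_SSL3_MASTER_KEY_DERIVE \
CKM_SSL3_KEY_AND_MAC_DERIVE CKM_SSL3_MASTER_KEY_DERIVE_DH CKM_SSL3_MD5_MAC CKM_SSL3_SHA1_MAC"

# ssl3_mechs_disabled PROVIDER     (stdin: output of 'cryptoadm list -p')
# Returns 0 only if all of SSL3_MECHS appear after "except" for PROVIDER,
# given as the library path exactly as cryptoadm prints it ($ISA literal).
ssl3_mechs_disabled() {
    # Gather the provider's line plus any wrapped continuation lines, up to
    # the next provider, blank line or section header.
    entry=$(awk -v p="$1:" '
        index($0, p) == 1 { found = 1 }
        !found            { next }
        index($0, p) != 1 && (/^\// || /^$/ || /^=/ || /providers:$/) { exit }
        { buf = buf " " $0 }
        END { print buf }')
    case $entry in *except*) ;; *) return 1 ;; esac
    # Reduce to the comma-separated list: drop text through "except", the
    # trailing "." and anything after it ("random is enabled."), and spaces.
    list=$(printf '%s\n' "$entry" | sed -e 's/.*except *//' -e 's/\..*$//' -e 's/ //g')
    for m in $SSL3_MECHS; do
        case ",$list," in *",$m,"*) ;; *) return 1 ;; esac   # exact token match
    done
    return 0
}

# nss_module_token MODULE   (stdin: output of 'modutil -dbdir . -nocertdb -list')
# Prints the token name(s) attached to MODULE, one per line, and nothing when
# the module has no slots (e.g. "Root Certs" above). The printed name is
# exactly what goes in front of ":MyCert" in server-cert-nickname.
nss_module_token() {
    awk -v m="$1" '
        /^ *[0-9]+\. / { name = $0; sub(/^ *[0-9]+\. /, "", name); sub(/ *$/, "", name)
                         inmod = (name == m); next }
        inmod && /^ *token: / { sub(/^ *token: */, ""); print }'
}

# Constructed sample output, modelled on the listings in the post (not
# captured from a live system). The softtoken is deliberately left with only
# two of the six mechanisms disabled so the check has something to catch.
SAMPLE_CRYPTOADM='user-level providers:
=====================
/usr/lib/security/$ISA/pkcs11_kernel.so: all mechanisms are enabled, except CKM_SSL3_SHA1_MAC,CKM_SSL3_MD5_MAC,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_SSL3_KEY_AND_MAC_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_PRE_MASTER_KEY_GEN.
/usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled, except CKM_SSL3_SHA1_MAC,CKM_SSL3_MD5_MAC. random is enabled.

kernel software providers:
==========================
des: all mechanisms are enabled.'

SAMPLE_MODUTIL='Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. scf
        library name: /usr/lib/libpkcs11.so
         slots: 1 slot attached
        status: loaded

         slot: Sun Crypto Softtoken
        token: Sun Software PKCS#11 softtoken

  3. Root Certs
        library name: libnssckbi.so
         slots: There are no slots attached to this module
        status: Not loaded
-----------------------------------------------------------'

# 'sh scf_preflight.sh live' runs both checks on the real system (from the
# instance's config directory; cryptoadm needs root).
if [ "${1:-}" = live ]; then
    for p in '/usr/lib/security/$ISA/pkcs11_kernel.so' '/usr/lib/security/$ISA/pkcs11_softtoken.so'; do
        if cryptoadm list -p | ssl3_mechs_disabled "$p"; then echo "ok:   $p"
        else echo "FAIL: $p still offers SSL3 mechanisms"; fi
    done
    echo "scf token: $(modutil -dbdir . -nocertdb -list | nss_module_token scf)"
fi
```

Run without arguments the script only defines the functions, so it can be sourced from other scripts; the "live" mode is what you would run on the Solaris box after the cryptoadm and modutil steps.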

Creating Server Certificates

The normal process for requesting and installing certificates is used, with one difference: all certificates and keys are created in that security module, i.e. in the "Sun Software PKCS#11 softtoken" token, rather than in the "internal" NSS database token.

1. Exporting and importing existing certificates using pk12util

If I already had certificates in the NSS database, I could have exported and imported them using pk12util:

$ pk12util -o server.pk12 -d . -n MyCert

$ pk12util -i server.pk12 -d . -h "Sun Software PKCS#11 softtoken"

The export prompts for a password that protects the PKCS#12 file and the import prompts for the softtoken PIN. The .pk12 file contains the private key, so delete it once the import has succeeded.

By default, certutil and pk12util look for databases named cert8.db and key3.db, but some versions of Web Server use alternate names such as https-instance-hostname-cert8.db and https-instance-hostname-key3.db; in that case add the -P parameter with the prefix.

2. Using certutil to create a self-signed server certificate

I used the NSS utility certutil to create a self-signed server certificate. -x self-signs it, -t "u,u,u" sets the trust flags, -h selects the token the key is generated on, and -5 asks interactively for the Netscape certificate type extension (the menu shown below):

$ ../../bin/certutil -S -d . -n MyCert -s "CN=test.sun.com" -x -t "u,u,u" -h "Sun Software PKCS#11 softtoken" -5

Enter Password or Pin for "Sun Software PKCS#11 softtoken": typed-my-password-here
A random seed must be generated that will be used in the creation of your key.  One of the easiest ways to create a random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!

Continue typing until the progress meter is full:

|************************************************************|

Finished.  Press enter to continue:

Generating key.  This may take a few moments...

                          0 - SSL Client
                          1 - SSL Server
                          2 - S/MIME
                          3 - Object Signing
                          4 - Reserved for future use
                          5 - SSL CA
                          6 - S/MIME CA
                          7 - Object Signing CA
                          Other to finish
1
(the same menu is shown again after each choice)
5
9
Is this a critical extension [y/N]?
y


I verified that the certificate was added to the token:

$ ../../lib/certutil -L -d . -h "Sun Software PKCS#11 softtoken"
Enter Password or Pin for "Sun Software PKCS#11 softtoken": typed-my-password-here
Sun Software PKCS#11 softtoken:MyCert                       u,u,u
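A scripted version of the certutil step above, added here as an example (this is not code from the original post): it avoids the keystroke seed and the PIN prompt so the step can run unattended, and it handles the -P prefix case mentioned under pk12util. It assumes certutil is on PATH (or that CERTUTIL names it); the nickname, subject, PIN file and script name mkcert.sh are examples.

```shell
#!/bin/sh
# mkcert.sh: added example, not from the original post. Scripts the certutil
# step above without the keystroke-seed and PIN prompts. Assumes certutil is
# on PATH (or CERTUTIL names it); nickname, subject and file names are examples.

CERTUTIL=${CERTUTIL:-certutil}
TOKEN="Sun Software PKCS#11 softtoken"

# write_pinfile FILE   (reads the PIN from stdin)
# The PIN file is a secret: it is created 0600 via umask and should be removed
# as soon as the certificate exists.
write_pinfile() {
    ( umask 077 && IFS= read -r pin && printf '%s\n' "$pin" > "$1" )
}

# make_server_cert DBDIR NICKNAME SUBJECT PINFILE [PREFIX]
# Generates a 2048-bit RSA key on the softtoken (-h) with a self-signed server
# certificate, valid 12 months. -z takes the random seed from a file instead
# of keystrokes and -f the token PIN from PINFILE; -5 is left out so nothing
# prompts (add it back only if you need the nsCertType extension). PREFIX is
# for instances whose DB files are named https-<instance>-<host>-cert8.db.
make_server_cert() {
    dbdir=$1 nick=$2 subject=$3 pinfile=$4 prefix=${5:-}
    noise=$(mktemp) || return 1
    dd if=/dev/urandom of="$noise" bs=32 count=1 2>/dev/null || { rm -f "$noise"; return 1; }
    set -- -S -d "$dbdir" -n "$nick" -s "$subject" -x -t "u,u,u" \
           -h "$TOKEN" -k rsa -g 2048 -v 12 -z "$noise" -f "$pinfile"
    if [ -n "$prefix" ]; then set -- "$@" -P "$prefix"; fi
    if "$CERTUTIL" "$@"; then rc=0; else rc=$?; fi
    rm -f "$noise"
    return $rc
}

# list_token_certs DBDIR PINFILE [PREFIX]
# The post's verification step, again without the PIN prompt.
list_token_certs() {
    if [ -n "${3:-}" ]; then set -- -L -d "$1" -h "$TOKEN" -f "$2" -P "$3"
    else set -- -L -d "$1" -h "$TOKEN" -f "$2"; fi
    "$CERTUTIL" "$@"
}

# 'sh mkcert.sh run' from the instance's config directory: prompts for the
# PIN once (echo off), creates the cert, lists it and removes the PIN file.
if [ "${1:-}" = run ]; then
    printf 'Token PIN: ' >&2; stty -echo 2>/dev/null
    write_pinfile ./pin.tmp; stty echo 2>/dev/null; echo >&2
    make_server_cert . MyCert "CN=test.sun.com" ./pin.tmp \
        && list_token_certs . ./pin.tmp
    rm -f ./pin.tmp
fi
```

The PIN file exists only for the duration of the run; if you keep one around for unattended restarts, it needs the same protection as the keystore itself.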

Enable SSL for the Web Server instance

In server.xml, I enabled SSL for the http-listener element and added the server certificate nickname:

....
<http-listener>
  ...
  <ssl>
    <enabled>true</enabled>
    <server-cert-nickname>Sun Software PKCS#11 softtoken:MyCert</server-cert-nickname>
  </ssl>
</http-listener>
...

Note the prefix "Sun Software PKCS#11 softtoken:" in the nickname: it names the token that holds the key and certificate.


3. Using the Administration CLI to create a self-signed certificate and enable SSL

Start the admin server, then from the <server-installation>/bin directory run wadm:

$ wadm --user=admin
Please enter admin-user-password> typed-admin-server-password-here
Sun Java System Web Server 7.0-Technology-Preview-3 B09/20/2006 10:07

wadm> create-selfsigned-cert --config=test.sun.com --server-name=test.sun.com --nickname=MyCert --token="Sun Software PKCS#11 softtoken"
ADMIN4099: Token 'Sun Software PKCS#11 softtoken' was not found

wadm> list-tokens --config=test.sun.com
internal

The reason for this error is that I ran modutil in the server instance's config directory, while wadm works on the copy of the configuration in the admin server's config store, so the new module was not there yet. A pull-config brings the instance's configuration into the config store (running modutil from the admin-server/config-store/test.sun.com/config directory in the first place would have avoided this):

wadm> pull-config --config=test.sun.com test.sun.com
CLI201 Command 'pull-config' ran successfully

wadm> list-tokens --config=test.sun.com
internal
Sun Software PKCS#11 softtoken

This looks ok.

wadm> create-selfsigned-cert --config=test.sun.com --server-name=test.sun.com --nickname=MyCert --token="Sun Software PKCS#11 softtoken"
Please enter token-pin> typed-my-password-here
CLI201 Command 'create-selfsigned-cert' ran successfully

wadm> set-ssl-prop --config=test.sun.com --http-listener=http-listener-1 enabled=true server-cert-nickname="Sun Software PKCS#11 softtoken:MyCert"
CLI201 Command 'set-ssl-prop' ran successfully

wadm> deploy-config test.sun.com
CLI201 Command 'deploy-config' ran successfully

Now I started the Web Server:

$ ../bin/startserv
Sun Java System Web Server 7.0 B09/11/2006 12:04
Please enter the PIN for the "Sun Software PKCS#11 softtoken" token: typed-my-password-here
info: HTTP3072: http-listener-1: https://test.sun.com:2222 ready to accept requests
info: CORE3274: successful server startup

I sent a request through the browser to https://test.sun.com:2222, and the server served the request.

More References

  1. Jyri's BigAdmin article "Configuring Solaris Cryptographic Framework and Sun Java System Web Server 7 on Systems With UltraSPARC T1 Processors"
  2. "Using the Cryptographic Accelerator of the UltraSPARC T1 Processor"
  3. man libpkcs11
  4. man cryptoadm
  5. The Sun Crypto Accelerator 6000 User's Guide, which has a chapter on installing and configuring it with Sun Java System Web Server 6.1


Tip: If

1. the Web Server does not present the intermediate CA certificates installed as the server certificate chain to the browser, so that certificate validation in the browser fails,

or

2. client authentication fails with the following error message in the errors log, even though the root CA certificate has been installed in the certificate database:

failure (16670): HTTP3068: Error receiving request from 123.45.67.897 (SEC_ERROR_UNKNOWN_ISSUER: Peer's certificate is signed by an unknown issuer)

then both issues are caused by the /.sunw directory not being accessible to the user the Web Server runs as, "webservd". That directory has permissions 0700 and is owned by root. The Web Server starts up as root and then drops privileges (using setuid) to user "webservd", after which it can no longer read the softtoken keystore. The solutions are:

1) Run the web server as root. This gives up the privilege drop entirely, so prefer one of the other two.

2) Open up the permissions on /.sunw so that it is readable by the web server's run-as user.

3) Set the environment variable SOFTTOKEN_DIR to point to a directory owned by webservd before the web server is started. The SCF then accesses the keystore in $SOFTTOKEN_DIR/pkcs11_softtoken/ during execution. This keeps the keystore private to the run-as user and is the cleanest of the three.
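One way to implement option 3, added here as an example (this is not code from the original post): a wrapper that gives the run-as user a private softtoken directory, refuses to start if that directory is not owned by the user with mode 0700, and exports SOFTTOKEN_DIR before calling the instance's startserv. The run-as user webservd and the /.sunw location come from the post; TOKEN_HOME, the keystore copy step and the instance path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: give the run-as user its own
# softtoken keystore directory via SOFTTOKEN_DIR instead of running the
# server as root or loosening /.sunw. RUNAS, TOKEN_HOME and the instance
# directory are assumptions for this example; adjust to your installation.

RUNAS=${RUNAS:-webservd}
TOKEN_HOME=${TOKEN_HOME:-/var/opt/webserver7/softtoken}

# dir_private_to DIR USER
# 0 if DIR exists, is owned by USER and is mode 0700 (the permissions the
# softtoken keystore directory is created with), 1 otherwise. Parses 'ls -ld'
# rather than stat(1) so it behaves the same on Solaris and Linux.
dir_private_to() {
    [ -d "$1" ] || return 1
    set -- "$1" "$2" $(ls -ld "$1")      # now $3 = mode string, $5 = owner
    case $3 in drwx------*) ;; *) return 1 ;; esac
    [ "$5" = "$2" ]
}

# prepare_softtoken_dir [SRC]
# Run once as root. Creates TOKEN_HOME for RUNAS. If SRC is given (e.g. /.sunw,
# where the keystore ended up when pktool/certutil ran as root), its
# pkcs11_softtoken subdirectory is copied over so the existing token, PIN and
# certificate are kept.
prepare_softtoken_dir() {
    mkdir -p "$TOKEN_HOME" || return 1
    if [ -n "${1:-}" ] && [ ! -d "$TOKEN_HOME/pkcs11_softtoken" ]; then
        cp -rp "$1/pkcs11_softtoken" "$TOKEN_HOME/" || return 1
    fi
    chown -R "$RUNAS" "$TOKEN_HOME" && chmod 700 "$TOKEN_HOME"
}

# start_with_softtoken INSTANCE_DIR
# Refuses to start unless TOKEN_HOME is private to RUNAS, then exports
# SOFTTOKEN_DIR and execs the instance's startserv. The framework now reads
# $SOFTTOKEN_DIR/pkcs11_softtoken/, which webservd can still open after the
# privilege drop, so the chain and client-auth failures described above go away.
start_with_softtoken() {
    dir_private_to "$TOKEN_HOME" "$RUNAS" || {
        echo "refusing to start: $TOKEN_HOME must be owned by $RUNAS with mode 0700" >&2
        return 1
    }
    SOFTTOKEN_DIR=$TOKEN_HOME
    export SOFTTOKEN_DIR
    exec "$1/bin/startserv"
}

case ${1:-} in
    prepare) prepare_softtoken_dir "${2:-}" ;;
    start)   start_with_softtoken "${2:?instance directory required}" ;;
esac
```

Usage is "sh softtoken-start.sh prepare /.sunw" once as root, then "sh softtoken-start.sh start /path/to/https-test.sun.com" in place of calling startserv directly; the PIN prompt at startup is unchanged.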


Read my next blog Using builtin hardware accelerators of Niagara 1 (Sun Fire T 2000) server with SSL enabled Sun Java System Web Server 7.0 instance


Comments (3)
  • Ashwin Jayaprakash Thursday, November 20, 2008

    Hi,

    I read the PDF but I wasn't sure what the GC parameter "-Xsqnopause" meant. Do you happen to have any details?

    -Xms3g -Xmx3g -XX:NewSize=1g -server -Xsqnopause -XX:+UseParallelGC -XX:+UseParallelOldGC -XX:ParallelGCThreads=20

    Also, why use a ParallelGC instead of CMS + ParallelNew?


  • Ashwin Jayaprakash Thursday, November 20, 2008
  • meena Friday, November 21, 2008

    Comments for that article can also be sent at

    http://wikis.sun.com/display/BigAdmin/Sun+Blogs+-+A+Sun+Java+System+Web+Server+7.0+Reference+Deployment

    You can ask more questions about Sun Java System Web server in this forum:

    http://forums.sun.com/forum.jspa?forumID=759

    About your question about "-Xsqnopause" :

    $ /usr/java1.2/bin/java -X

    ...

    -Xsqnopause do not pause for user interaction on SIGQUIT

    A bug 4177576 ("SIGQUIT clean up and backwards compatibility") introduced -Xsqnopause which, if set, allows non-interactive dumping of all information available from SIGQUIT interface. This allows backwards compatibility, for those who desire it, with the old non-interactive behavior of this interface.

    I think this option is deprecated since JDK 1.3.1, but it's still accepted. The source code says (1.6.0_07 here) : "// EVM option, ignore silently for compatibility"

    > -Xms3g -Xmx3g -XX:NewSize=1g -server -XX:+UseParallelGC -XX:+UseParallelOldGC -XX:ParallelGCThreads=20

    >

    > Also, why use a ParallelGC instead of CMS + ParallelNew?

    Most probably the tuning example has been made for a Niagara based system. This is the kind of tuning very adapted to these kind of systems (in particular the two latest args).

