Thursday Nov 08, 2012

Configuring Oracle iPlanet WebServer / Oracle Traffic Director to use crypto accelerators on T4-1 servers

Configuring Oracle iPlanet Web Server / Oracle Traffic Director to use crypto accelerators on T4-1 servers

Jyri had written a technical article on Configuring Solaris Cryptographic Framework and Sun Java System Web Server 7 on Systems With UltraSPARC T1 Processors. I tried to find out what has changed since then in T4.

I have used a T4-1 SPARC system with Solaris 10. Results slightly vary for Solaris 11.  For Solaris 11, the T4 optimization was implemented in libsoftcrypto.so while it was in pkcs11_softtoken_extra.so for Solaris 10.

Overview of T4 processors is here in this blog.

Many thanx to Chi-Chang Lin and Julien for their help.

1. Install Oracle iPlanet Web Server / Oracle Traffic Director.  Go to instance/config directory.

 # cd /opt/oracle/webserver7/https-hostname.fqdn/config

2. List default PKCS#11 Modules

# ../../bin/modutil -dbdir . -list
Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
slots: 2 slots attached
status: loaded

slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services

slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB

2. Root Certs
library name: libnssckbi.so
slots: 1 slot attached
status: loaded

slot: NSS Builtin Objects
token: Builtin Object Token
-----------------------------------------------------------

3. Initialize the soft token data store in the $HOME/.sunw/pkcs11_softtoken/ directory

# pktool setpin keystore=pkcs11
Enter token passphrase: olderpassword
Create new passphrase: password
Re-enter new passphrase: password
Passphrase changed.

4. Offload crypto operations to Solaris Crypto Framework on T4

$ ../../bin/modutil -dbdir . -nocertdb -add SCF -libfile /usr/lib/libpkcs11.so -mechanisms RSA:AES:SHA1:MD5

Module "SCF" added to database.

Note that

  • -nocertdb means modutil won't try to open the NSS softoken key database. It doesn't even have to be present.

  • PKCS#11 library used is /usr/lib/libpkcs11.so. If the server is running in 64 bit mode, we have to use /usr/lib/64/libpkcs11.so

  • Unlike T1 and T2, in T4 we do not have to disable mechanisms in softtoken provider using cryptoadm.

5. List again to check that a new module SCF is added

# ../../bin/modutil -dbdir . -list
Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
slots: 2 slots attached
status: loaded

slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services

slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB

2. SCF
library name: /usr/lib/libpkcs11.so
slots: 2 slots attached
status: loaded

slot: Sun Metaslot
token: Sun Metaslot

slot: n2rng/0 SUNW_N2_Random_Number_Generator
token: n2rng/0 SUNW_N2_RNG
3. Root Certs
library name: libnssckbi.so
slots: 1 slot attached
status: loaded
slot: NSS Builtin Objects
token: Builtin Object Token
-----------------------------------------------------------

6.  Create certificate in “Sun Metaslot” :

I have used certutil, but you must use Admin Server CLI / GUI


# ../../bin/certutil -S -x -n "Server-Cert" -t "CT,CT,CT" -s "CN=*.fqdn" -d . -h "Sun Metaslot"
Enter Password or Pin for "Sun Metaslot": password

7. Verify that the certificate is created properly in “Sun Metslaot”

# ../../bin/certutil -L -d . -h "Sun Metaslot"
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Enter Password or Pin for "Sun Metaslot": password
Sun Metaslot:Server-Cert CTu,Cu,Cu
#

8. Associate this newly created certificate to http listener using Admin CLI/GUI. After that server.xml should have

<http-listener> ...
    <ssl>
        <server-cert-nickname>Sun Metaslot:Server-Cert</server-cert-nicknamer>
    </ssl>


Note the prefix "Sun Metaslot"

9. Disable PKCS#11 bypass

To use the accelerated AES algorithm, turn off PKCS#11 bypass, and configure modutil to have the AES mechanism go to the Metaslot.

After you disable PKCS#11 bypasss using Admin GUI/CLI,  check that server.xml should have


<server> ....
    <pkcs11>
        <enabled>1</enabled>
        <allow-bypass>0</allow-bypass>
    </pkcs11>


With PKCS#11 bypass enabled, Oracle iPlanet Web Server will only use the RSA capability of the T4, provided certificate and key are stored in the T4 slot (Metaslot). Actually, the RSA op is never bypassed in NSS, it's always done with PKCS#11 calls. So the bypass settings won't affect the behavior of the probes for RSA at all. The only thing that matters if where the RSA key and certificate live, ie. which PKCS#11 token, and thus which PKCS#11 module gets called to do the work. If your certificate/key are in the NSS certificate/key db, you will see libsoftokn3/libfreebl libraries doing the RSA work. If they are in the Sun Metaslot, it should be the Solaris code.

10. Start the server instance

# ../bin/startserv
Oracle iPlanet Web Server 7.0.16 B09/14/2012 03:33
Please enter the PIN for the "Sun Metaslot" token: password
...
info: HTTP3072: http-listener-1: https://hostname.fqdn:80 ready to accept requests
info: CORE3274: successful server startup

11. Figure out which process to run this DTrace script on

# ps -eaf | grep webservd | grep -v dog
webservd
18224 18223 0 13:17:25 ? 0:07 webservd -d /opt/oracle/webserver7/https-hostname.fqdn/config -r /opt/
root
18225 18224 0 13:17:25 ? 0:00 webservd -d /opt/oracle/webserver7/https-hostname.fqdn/config -r /opt/

(For Oracle Traffic Director look for process named "trafficd")

We see that the child process id is “18225

12. Clients for testing :

You can use any browser. I used NSS tool tstclnt for testing

$cat > req.txt
GET /index.html HTTP/1.0

For checking both RSA and AES, I used cipher “:0035” which is TLS_RSA_WITH_AES_256_CBC_SHA

$./tstclnt -h hostname -p 80 -d . -T -f -o -v -c “:0035” < req.txt

13. How do I make sure that crypto accelerator is being used

13.1 Create DTrace script

The following D script should be able to uncover whether T4-specific crypto routine are being called or not. It also displays stats per second.

# cat > t4crypto.d
#!/usr/sbin/dtrace -s

pid$target::*rsa*:entry,
pid$target::*yf*:entry
{
    @ops[probemod, probefunc] = count();
}

tick-1sec
{
    printa(@ops);
    trunc(@ops);
}

Invoke with './t4crypto.d -p <pid> '

13.2 EXPECTED PROBES FOR Solaris 10 :

If offloading to T4 HW are correctly set up, the expected DTrace output would have these probes and libraries

library

Operations

PROBES

pkcs11_softtoken_extra.so

RSA

soft_decrypt_rsa_pkcs_decode, soft_encrypt_rsa_pkcs_encode soft_rsa_crypt_init_common soft_rsa_decrypt, soft_rsa_encrypt soft_rsa_decrypt_common, soft_rsa_encrypt_common

AES

yf_aes_instructions_present yf_aes_expand256, yf_aes256_cbc_decrypt, yf_aes256_cbc_encrypt, yf_aes256_load_keys_for_decrypt, yf_aes256_load_keys_for_encrypt,

Note that these are for 256, same for 128, 192...

these are for cbc, same for ecb, ctr, cfb128...

DES

yf_des_expand, yf_des_instructions_present yf_des_encrypt

libmd_psr.so

MD5

yf_md5_multiblock, yf_md5_instruction_present

SHA1

yf_sha1_instruction_present, yf_sha1_multibloc



13.3 SAMPLE OUTPUT FOR CIPHER TLS_RSA_WITH_AES_256_CBC_SHA (0x0035) ON T4 SPARC SOLARIS 10 WITHOUT PKCS#11 BYPASS

# ./t4crypto.d -p 18225
pkcs11_softtoken_extra.so.1   soft_decrypt_rsa_pkcs_decode    1
pkcs11_softtoken_extra.so.1   soft_rsa_crypt_init_common      1
pkcs11_softtoken_extra.so.1   soft_rsa_decrypt                1
pkcs11_softtoken_extra.so.1   big_mp_mul_yf                   2
pkcs11_softtoken_extra.so.1   mpm_yf_mpmul                    2
pkcs11_softtoken_extra.so.1   mpmul_arr_yf                    2
pkcs11_softtoken_extra.so.1   rijndael_key_setup_enc_yf       2
pkcs11_softtoken_extra.so.1   soft_rsa_decrypt_common         2
pkcs11_softtoken_extra.so.1   yf_aes_expand256                2
pkcs11_softtoken_extra.so.1   yf_aes256_cbc_decrypt           3
pkcs11_softtoken_extra.so.1   yf_aes256_load_keys_for_decrypt 3
pkcs11_softtoken_extra.so.1   big_mont_mul_yf                 6
pkcs11_softtoken_extra.so.1   mm_yf_montmul                   6
pkcs11_softtoken_extra.so.1   yf_des_instructions_present     6
pkcs11_softtoken_extra.so.1   yf_aes256_cbc_encrypt           8
pkcs11_softtoken_extra.so.1   yf_aes256_load_keys_for_encrypt 8
pkcs11_softtoken_extra.so.1   yf_mpmul_present                8
pkcs11_softtoken_extra.so.1   yf_aes_instructions_present    13
pkcs11_softtoken_extra.so.1   yf_des_encrypt                 18
libmd_psr.so.1                yf_md5_multiblock              41
libmd_psr.so.1                yf_md5_instruction_present     72
libmd_psr.so.1                yf_sha1_instruction_present    82
libmd_psr.so.1                yf_sha1_multiblock             82

This indicates that both RSA and AES ops are done in Solaris Crypto Framework.

13.4 SAMPLE OUTPUT FOR CIPHER TLS_RSA_WITH_AES_256_CBC_SHA (0x0035) ON T4 SPARC SOLARIS 10 WITH PKCS#11 BYPASS

# ./t4crypto.d -p 18225
pkcs11_softtoken_extra.so.1   soft_decrypt_rsa_pkcs_decode 1
pkcs11_softtoken_extra.so.1   soft_rsa_crypt_init_common   1
pkcs11_softtoken_extra.so.1   soft_rsa_decrypt             1
pkcs11_softtoken_extra.so.1   soft_rsa_decrypt_common      1
pkcs11_softtoken_extra.so.1   big_mp_mul_yf                2
pkcs11_softtoken_extra.so.1   mpm_yf_mpmul                 2
pkcs11_softtoken_extra.so.1   mpmul_arr_yf                 2
pkcs11_softtoken_extra.so.1   big_mont_mul_yf              6
pkcs11_softtoken_extra.so.1   mm_yf_montmul                6
pkcs11_softtoken_extra.so.1   yf_mpmul_present             8

For this cipher, when I enable PKCS#11 bypass, Only RSA probes are being hit AES probes are not being hit.

13.5 ustack() for RSA operations / probefunc == "soft_rsa_decrypt" /

Shows that libnss3.so is calling C_* functions of libpkcs11.so which is calling functions of pkcs11_softtoken_extra.so for both cases with and without bypass.

When PKCS#11 bypass is disabled (allow-bypass is 0)

pkcs11_softtoken_extra.so.1`soft_rsa_decrypt
pkcs11_softtoken_extra.so.1`soft_rsa_decrypt_common+0x94
pkcs11_softtoken_extra.so.1`soft_unwrapkey+0x258
pkcs11_softtoken_extra.so.1`C_UnwrapKey+0x1ec
libpkcs11.so.1`meta_unwrap_key+0x17c
libpkcs11.so.1`meta_UnwrapKey+0xc4
libpkcs11.so.1`C_UnwrapKey+0xfc
libnss3.so`pk11_AnyUnwrapKey+0x6b8
libnss3.so`PK11_PubUnwrapSymKey+0x8c
libssl3.so`ssl3_HandleRSAClientKeyExchange+0x1a0
libssl3.so`ssl3_HandleClientKeyExchange+0x154
libssl3.so`ssl3_HandleHandshakeMessage+0x440
libssl3.so`ssl3_HandleHandshake+0x11c
libssl3.so`ssl3_HandleRecord+0x5e8
libssl3.so`ssl3_GatherCompleteHandshake+0x5c
libssl3.so`ssl_GatherRecord1stHandshake+0x30
libssl3.so`ssl_Do1stHandshake+0xec
libssl3.so`ssl_SecureRecv+0x1c8
libssl3.so`ssl_Recv+0x9c
libns-httpd40.so`__1cNDaemonSessionDrun6M_v_+0x2dc

When PKCS#11 bypass is enabled (allow-bypass is 1)

pkcs11_softtoken_extra.so.1`soft_rsa_decrypt
pkcs11_softtoken_extra.so.1`soft_rsa_decrypt_common+0x94
pkcs11_softtoken_extra.so.1`C_Decrypt+0x164
libpkcs11.so.1`meta_do_operation+0x27c
libpkcs11.so.1`meta_Decrypt+0x4c
libpkcs11.so.1`C_Decrypt+0xcc
libnss3.so`PK11_PrivDecryptPKCS1+0x1ac
libssl3.so`ssl3_HandleRSAClientKeyExchange+0xe4
libssl3.so`ssl3_HandleClientKeyExchange+0x154
libssl3.so`ssl3_HandleHandshakeMessage+0x440
libssl3.so`ssl3_HandleHandshake+0x11c
libssl3.so`ssl3_HandleRecord+0x5e8
libssl3.so`ssl3_GatherCompleteHandshake+0x5c
libssl3.so`ssl_GatherRecord1stHandshake+0x30
libssl3.so`ssl_Do1stHandshake+0xec
libssl3.so`ssl_SecureRecv+0x1c8
libssl3.so`ssl_Recv+0x9c
libns-httpd40.so`__1cNDaemonSessionDrun6M_v_+0x2dc
libnsprwrap.so`ThreadMain+0x1c
libnspr4.so`_pt_root+0xe8

13.6 ustack() FOR AES operations / probefunc == "yf_aes256_cbc_encrypt" /

When PKCS#11 bypass is disabled (allow-bypass is 0)

pkcs11_softtoken_extra.so.1`yf_aes256_cbc_encrypt
pkcs11_softtoken_extra.so.1`aes_block_process_contiguous_whole_blocks+0xb4
pkcs11_softtoken_extra.so.1`aes_crypt_contiguous_blocks+0x1cc
pkcs11_softtoken_extra.so.1`soft_aes_encrypt_common+0x22c
pkcs11_softtoken_extra.so.1`C_EncryptUpdate+0x10c
libpkcs11.so.1`meta_do_operation+0x1fc
libpkcs11.so.1`meta_EncryptUpdate+0x4c
libpkcs11.so.1`C_EncryptUpdate+0xcc
libnss3.so`PK11_CipherOp+0x1a0
libssl3.so`ssl3_CompressMACEncryptRecord+0x264
libssl3.so`ssl3_SendRecord+0x300
libssl3.so`ssl3_FlushHandshake+0x54
libssl3.so`ssl3_SendFinished+0x1fc
libssl3.so`ssl3_HandleFinished+0x314
libssl3.so`ssl3_HandleHandshakeMessage+0x4ac
libssl3.so`ssl3_HandleHandshake+0x11c
libssl3.so`ssl3_HandleRecord+0x5e8
libssl3.so`ssl3_GatherCompleteHandshake+0x5c
libssl3.so`ssl_GatherRecord1stHandshake+0x30
libssl3.so`ssl_Do1stHandshake+0xec

Shows that libnss3.so is calling C_* functions of libpkcs11.so which is calling functions of pkcs11_softtoken_extra.so

However when PKCS#11 bypass is disabled (allow-bypass is 1) this stack isn't getting called.

14. LIST OF ALL THE PROBES MATCHED BY D SCRIPT FOR REFERENCE

# ./t4crypto.d -p 18225 -l
ID PROVIDER MODULE FUNCTION NAME
...
55720 pid18225 libmd_psr.so.1 yf_md5_instruction_present entry
55721 pid18225 libmd_psr.so.1 yf_sha256_instruction_present entry
55722 pid18225 libmd_psr.so.1 yf_sha512_instruction_present entry
55723 pid18225 libmd_psr.so.1 yf_sha1_instruction_present entry
55724 pid18225 libmd_psr.so.1 yf_sha256 entry
55725 pid18225 libmd_psr.so.1 yf_sha256_multiblock entry
55726 pid18225 libmd_psr.so.1 yf_sha512 entry
55727 pid18225 libmd_psr.so.1 yf_sha512_multiblock entry
55728 pid18225 libmd_psr.so.1 yf_sha1 entry
55729 pid18225 libmd_psr.so.1 yf_sha1_multiblock entry
55730 pid18225 libmd_psr.so.1 yf_md5 entry
55731 pid18225 libmd_psr.so.1 yf_md5_multiblock entry
55732 pid18225 pkcs11_softtoken_extra.so.1 yf_aes_instructions_present entry
55733 pid18225 pkcs11_softtoken_extra.so.1 rijndael_key_setup_enc_yf entry
55734 pid18225 pkcs11_softtoken_extra.so.1 yf_aes_expand128 entry
55735 pid18225 pkcs11_softtoken_extra.so.1 yf_aes_encrypt128 entry
55736 pid18225 pkcs11_softtoken_extra.so.1 yf_aes_decrypt128 entry
55737 pid18225 pkcs11_softtoken_extra.so.1 yf_aes_expand192 entry
55738 pid18225 pkcs11_softtoken_extra.so.1 yf_aes_encrypt192 entry
55739 pid18225 pkcs11_softtoken_extra.so.1 yf_aes_decrypt192 entry
55740 pid18225 pkcs11_softtoken_extra.so.1 yf_aes_expand256 entry
55741 pid18225 pkcs11_softtoken_extra.so.1 yf_aes_encrypt256 entry
55742 pid18225 pkcs11_softtoken_extra.so.1 yf_aes_decrypt256 entry
55743 pid18225 pkcs11_softtoken_extra.so.1 yf_aes128_load_keys_for_encrypt entry
55744 pid18225 pkcs11_softtoken_extra.so.1 yf_aes192_load_keys_for_encrypt entry
55745 pid18225 pkcs11_softtoken_extra.so.1 yf_aes256_load_keys_for_encrypt entry
55746 pid18225 pkcs11_softtoken_extra.so.1 yf_aes128_ecb_encrypt entry
55747 pid18225 pkcs11_softtoken_extra.so.1 yf_aes192_ecb_encrypt entry
55748 pid18225 pkcs11_softtoken_extra.so.1 yf_aes256_ecb_encrypt entry
55749 pid18225 pkcs11_softtoken_extra.so.1 yf_aes128_cbc_encrypt entry
55750 pid18225 pkcs11_softtoken_extra.so.1 yf_aes192_cbc_encrypt entry
55751 pid18225 pkcs11_softtoken_extra.so.1 yf_aes256_cbc_encrypt entry
55752 pid18225 pkcs11_softtoken_extra.so.1 yf_aes128_ctr_crypt entry
55753 pid18225 pkcs11_softtoken_extra.so.1 yf_aes192_ctr_crypt entry
55754 pid18225 pkcs11_softtoken_extra.so.1 yf_aes256_ctr_crypt entry
55755 pid18225 pkcs11_softtoken_extra.so.1 yf_aes128_cfb128_encrypt entry
55756 pid18225 pkcs11_softtoken_extra.so.1 yf_aes192_cfb128_encrypt entry
55757 pid18225 pkcs11_softtoken_extra.so.1 yf_aes256_cfb128_encrypt entry
55758 pid18225 pkcs11_softtoken_extra.so.1 yf_aes128_load_keys_for_decrypt entry
55759 pid18225 pkcs11_softtoken_extra.so.1 yf_aes192_load_keys_for_decrypt entry
55760 pid18225 pkcs11_softtoken_extra.so.1 yf_aes256_load_keys_for_decrypt entry
55761 pid18225 pkcs11_softtoken_extra.so.1 yf_aes128_ecb_decrypt entry
55762 pid18225 pkcs11_softtoken_extra.so.1 yf_aes192_ecb_decrypt entry
55763 pid18225 pkcs11_softtoken_extra.so.1 yf_aes256_ecb_decrypt entry
55764 pid18225 pkcs11_softtoken_extra.so.1 yf_aes128_cbc_decrypt entry
55765 pid18225 pkcs11_softtoken_extra.so.1 yf_aes192_cbc_decrypt entry
55766 pid18225 pkcs11_softtoken_extra.so.1 yf_aes256_cbc_decrypt entry
55767 pid18225 pkcs11_softtoken_extra.so.1 yf_aes128_cfb128_decrypt entry
55768 pid18225 pkcs11_softtoken_extra.so.1 yf_aes192_cfb128_decrypt entry
55769 pid18225 pkcs11_softtoken_extra.so.1 yf_aes256_cfb128_decrypt entry
55771 pid18225 pkcs11_softtoken_extra.so.1 yf_des_instructions_present entry
55772 pid18225 pkcs11_softtoken_extra.so.1 yf_des_expand entry
55773 pid18225 pkcs11_softtoken_extra.so.1 yf_des_encrypt entry
55774 pid18225 pkcs11_softtoken_extra.so.1 yf_mpmul_present entry
55775 pid18225 pkcs11_softtoken_extra.so.1 yf_montmul_present entry
55776 pid18225 pkcs11_softtoken_extra.so.1 mm_yf_montmul entry
55777 pid18225 pkcs11_softtoken_extra.so.1 mm_yf_montsqr entry
55778 pid18225 pkcs11_softtoken_extra.so.1 mm_yf_restore_func entry
55779 pid18225 pkcs11_softtoken_extra.so.1 mm_yf_ret_from_mont_func entry
55780 pid18225 pkcs11_softtoken_extra.so.1 mm_yf_execute_slp entry
55781 pid18225 pkcs11_softtoken_extra.so.1 big_modexp_ncp_yf entry
55782 pid18225 pkcs11_softtoken_extra.so.1 big_mont_mul_yf entry
55783 pid18225 pkcs11_softtoken_extra.so.1 mpmul_arr_yf entry
55784 pid18225 pkcs11_softtoken_extra.so.1 big_mp_mul_yf entry
55785 pid18225 pkcs11_softtoken_extra.so.1 mpm_yf_mpmul entry
55786 pid18225 libns-httpd40.so nsapi_rsa_set_priv_fn entry
...
55795 pid18225 libnss3.so prepare_rsa_priv_key_export_for_asn1 entry
55796 pid18225 libresolv.so.2 sunw_dst_rsaref_init entry
55797 pid18225 libnssutil3.so NSS_Get_SEC_UniversalStringTemplate entry
...
55813 pid18225 libsoftokn3.so prepare_low_rsa_priv_key_for_asn1 entry
55814 pid18225 libsoftokn3.so rsa_FormatOneBlock entry
55815 pid18225 libsoftokn3.so rsa_FormatBlock entry
55816 pid18225 libnssdbm3.so lg_prepare_low_rsa_priv_key_for_asn1 entry
55817 pid18225 libfreebl_32fpu_3.so rsa_build_from_primes entry
55818 pid18225 libfreebl_32fpu_3.so rsa_is_prime entry
55819 pid18225 libfreebl_32fpu_3.so rsa_get_primes_from_exponents entry
55820 pid18225 libfreebl_32fpu_3.so rsa_PrivateKeyOpNoCRT entry
55821 pid18225 libfreebl_32fpu_3.so rsa_PrivateKeyOpCRTNoCheck entry
55822 pid18225 libfreebl_32fpu_3.so rsa_PrivateKeyOpCRTCheckedPubKey entry
55823 pid18225 pkcs11_kernel.so.1 key_gen_rsa_by_value entry
55824 pid18225 pkcs11_kernel.so.1 get_rsa_private_key entry
55825 pid18225 pkcs11_kernel.so.1 get_rsa_public_key entry
55826 pid18225 pkcs11_softtoken_extra.so.1 soft_rsa_encrypt entry
55827 pid18225 pkcs11_softtoken_extra.so.1 soft_rsa_decrypt entry
55828 pid18225 pkcs11_softtoken_extra.so.1 soft_rsa_crypt_init_common entry
55829 pid18225 pkcs11_softtoken_extra.so.1 soft_rsa_encrypt_common entry
55830 pid18225 pkcs11_softtoken_extra.so.1 soft_rsa_decrypt_common entry
55831 pid18225 pkcs11_softtoken_extra.so.1 soft_rsa_sign_verify_init_common entry
55832 pid18225 pkcs11_softtoken_extra.so.1 soft_rsa_sign_common entry
55833 pid18225 pkcs11_softtoken_extra.so.1 soft_rsa_verify_common entry
55834 pid18225 pkcs11_softtoken_extra.so.1 generate_rsa_key entry
55835 pid18225 pkcs11_softtoken_extra.so.1 soft_rsa_genkey_pair entry
55836 pid18225 pkcs11_softtoken_extra.so.1 get_rsa_sha1_prefix entry
55837 pid18225 pkcs11_softtoken_extra.so.1 soft_rsa_digest_sign_common entry
55838 pid18225 pkcs11_softtoken_extra.so.1 soft_rsa_digest_verify_common entry
55839 pid18225 pkcs11_softtoken_extra.so.1 soft_rsa_verify_recover entry
55840 pid18225 pkcs11_softtoken_extra.so.1 rsa_pri_to_asn1 entry
55841 pid18225 pkcs11_softtoken_extra.so.1 asn1_to_rsa_pri entry
55842 pid18225 pkcs11_softtoken_extra.so.1 soft_encrypt_rsa_pkcs_encode entry
55843 pid18225 pkcs11_softtoken_extra.so.1 soft_decrypt_rsa_pkcs_decode entry
55844 pid18225 pkcs11_softtoken_extra.so.1 soft_sign_rsa_pkcs_encode entry
55845 pid18225 pkcs11_softtoken_extra.so.1 soft_verify_rsa_pkcs_decode entry
55770 profile tick-1sec




Wednesday Sep 19, 2007

Using built-in hardware crypto accelerators of SPARC Enterprise T5120 server (powered by UltraSPPARC T2 i.e. Niagara2 processor) in Oracle iPlanet Web Server 7.0


Using built-in hardware crypto accelerators of SPARC Enterprise T5120 server (powered by UltraSPARC T2 i.e. Nigara2 processor) in Oracle iPlanet Web Server 7.0 update 9


In my previous blog I talked about SCF framework and Sun Java System Web Server 7.0 in general. This time I tried to make use of built-in hardware crypto accelerators of SPARC Enterprise T5120 server (powered by Ultra SPARC-T2 i.e. Niagara 2 processor) in Oracle iPlanet Web Server 7.0 update 9.

T5120 server has intergrated onboard cryptographic acceleration supporting 10 embedded security industry-standard ciphers including DES, 3DES, AES, RC4, SHA1, SHA256, MD5, RSA to 2048 key, ECC, and CRC32.

Here is what I did :

Step 1 : Go to Webserver installation directory and start admin server

# ./admin-server/bin/startserv

Step 2.1 : Go to Web Server 7.0 instance's config directory and perform these manual steps

# cd https-foo.com/config/


2.2) First move the existing database to another directory

# mv /.sunw ./sunw.old

Setpin

# pktool setpin
Create new passphrase: type-password-here
Re-enter new passphrase: type-password-here
Passphrase changed.


2.3) List the current PKCS#11modules

# ../../bin/modutil -list -dbdir .

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. Root Certs
        library name: libnssckbi.so
         slots: 1 slot attached
        status: loaded

         slot: NSS Builtin Objects
        token: Builtin Object Token
-----------------------------------------------------------

2.4) Add SCF module

# ../../bin/modutil  -dbdir . -add "Solaris Crypto Framework" -libfile /usr/lib/libpkcs11.so -mechanisms RSA

...

Module "Solaris Crypto Framework" added to database.


2.5) Enable SCF module

# ../../bin/modutil -enable "Solaris Crypto Framework" -dbdir .
...

Slot "Sun Metaslot" enabled.
Slot "n2cp/0 Crypto Accel Bulk 1.0" enabled.
Slot "ncp/0 Crypto Accel Asym 1.0" enabled.
Slot "n2rng/0 SUNW_N2_Random_Number_Generator" enabled.



2.6) List modules to make sure add and enable stuff above succeeded.

# ../../bin/modutil  -list -dbdir .

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB


2. Solaris Crypto Framework
        library name: /usr/lib/libpkcs11.so
         slots: 4 slots attached
        status: loaded

         slot: Sun Metaslot
        token: Sun Metaslot

         slot: n2cp/0 Crypto Accel Bulk 1.0
        token: n2cp/0 Crypto Accel Bulk 1.0

         slot: ncp/0 Crypto Accel Asym 1.0
        token: ncp/0 Crypto Accel Asym 1.0

         slot: n2rng/0 SUNW_N2_Random_Number_Generator
        token: n2rng/0 SUNW_N2_RNG

  3. Root Certs
        library name: libnssckbi.so
         slots: 1 slot attached
        status: loaded

         slot: NSS Builtin Objects
        token: Builtin Object Token
-----------------------------------------------------------

2.7) List cryptoadm providers and their mechanisms:

# cryptoadm list -p

User-level providers:
=====================
/usr/lib/security/$ISA/pkcs11_kernel.so: all mechanisms are enabled. random is enabled.
/usr/lib/security/$ISA/pkcs11_softtoken_extra.so: all mechanisms are enabled. random is enabled.

Kernel software providers:
==========================
des: all mechanisms are enabled.
aes256: all mechanisms are enabled.
arcfour2048: all mechanisms are enabled.
blowfish448: all mechanisms are enabled.
sha1: all mechanisms are enabled.
sha2: all mechanisms are enabled.
md5: all mechanisms are enabled.
rsa: all mechanisms are enabled.
swrand: random is enabled.

Kernel hardware providers:
==========================
n2cp/0: all mechanisms are enabled.
ncp/0: all mechanisms are enabled.
n2rng/0: all mechanisms are enabled. random is enabled.


2.9) Disable the following mechanisms in User Level Providers

cryptoadm disable  provider=/usr/lib/security/\\$ISA/pkcs11_softtoken_extra.so \\  
             mechanism=CKM_SSL3_PRE_MASTER_KEY_GEN,CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_KEY_AND_MAC_DERIVE,\\
                       CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_SSL3_MD5_MAC,CKM_SSL3_SHA1_MAC

2.10) List to make sure these were disabled

# cryptoadm list -p
User-level providers:
=====================
/usr/lib/security/$ISA/pkcs11_kernel.so: all mechanisms are enabled. random is enabled.
/usr/lib/security/$ISA/pkcs11_softtoken_extra.so: all mechanisms are enabled, except CKM_SSL3_SHA1_MAC,CKM_SSL3_MD5_MAC,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_SSL3_KEY_AND_MAC_DERIVE,
CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_PRE_MASTER_KEY_GEN. random is enabled.

Kernel software providers:
==========================
des: all mechanisms are enabled.
aes256: all mechanisms are enabled.
arcfour2048: all mechanisms are enabled.
blowfish448: all mechanisms are enabled.
sha1: all mechanisms are enabled.
sha2: all mechanisms are enabled.
md5: all mechanisms are enabled.
rsa: all mechanisms are enabled.
swrand: random is enabled.

Kernel hardware providers:
==========================
n2cp/0: all mechanisms are enabled.
ncp/0: all mechanisms are enabled.
n2rng/0: all mechanisms are enabled. random is enabled.
2.11) a) Now run the following Web Server CLI commands

# ../../bin/wadm --user=admin
Please enter admin-user-password> type-admin-server-password-here
wadm> list-configs
foo
wadm> pull-config --config=foo foo
CLI201 Command 'pull-config' ran successfully
wadm> list-tokens --config=foo
internal
Sun Metaslot
wadm>  create-selfsigned-cert --config=foo --server-name=foo --nickname=Server-Cert --token="Sun Metaslot"
Please enter token-pin> type-password-here
CLI201 Command 'create-selfsigned-cert' ran successfully
wadm> list-http-listeners  --config=foo
http-listener-1
wadm> set-ssl-prop --config=foo --http-listener=http-listener-1 server-cert-nickname="Sun Metaslot:Server-Cert" enabled=true
CLI201 Command 'set-ssl-prop' ran successfully
wadm>  deploy-config foo
CLI201 Command 'deploy-config' ran successfully
wadm>

\*\*

2.11) b) If you are using older version of Web Server and you do not have Admin CLI, you can use the following command to create the self signed certificate
# ../../bin/certutil -S -x -n "Server-Cert" -t "u,u,u" -s "CN=foo" -d . -h "Sun Metaslot"
Enter Password or Pin for "Sun Metaslot": type-password-here
...
Continue typing until the progress meter is full:

|\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*|

Finished. Press enter to continue:

     Generating key. This may take a few moments...
     #

2.11) c) OR you can create a self-signed certificate in NSS DB and export it and import it into Sun Metaslot :
# ../../bin/certutil -S -x -n "Server-Cert" -t "u,u,u" -s "CN=foo" -d .
Enter Password or Pin for "Sun Metaslot": type-password-here
...
Continue typing until the progress meter is full:

|\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*|


Finished. Press enter to continue:


Generating key. This may take a few moments...
#

# ../../bin/pk12util  -o key-cert-data.pk12 -n "Server-Cert" -d .
Enter password for PKCS12 file: type-a-new-password-here-or-press-enter
Re-enter password: type-a-new-password-here-or-press-enter
pk12util: PKCS12 EXPORT SUCCESSFUL

# ../../bin/pk12util -i key-cert-data.pk12 -d . -h "Sun Metaslot"
Enter Password or Pin for "Sun Metaslot": type-password-here
Enter password for PKCS12 file: type-the-new-password-here
pk12util: PKCS12 IMPORT SUCCESSFUL

2.12) Now manually double check if the certificate exists
# ../../bin/certutil -L -d . -h "Sun Metaslot"
Certificate Nickname                Trust Attributes
                                   SSL,S/MIME,JAR/XPI
Enter Password or Pin for "Sun Metaslot": type-password-here
Sun Metaslot:Server-Cert                      u,u,u

Check that server.xml contains server-cert-nickname element
 <http-listener>
    <name>http-listener-1</name>
    <port>80</port>
    <server-name>foo</server-name>
    <default-virtual-server-name>foo</default-virtual-server-name>
    <ssl>
      <server-cert-nickname>Sun Metaslot:Server-Cert</server-cert-nickname>
    </ssl>
  </http-listener>

2.13) Start the server
#../bin/startserv
Oracle iPlanet Web Server 7.0.9 B07/04/2010 02:15
Please enter the PIN for the "Sun Metaslot" token: type-password-here
info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.6.0_20] from [Sun Microsystems Inc.]
info: HTTP3072: http-listener-1: https://foo:80 ready to accept requests
info: CORE3274: successful server startup

2.14) Check the statistics using kstat

# kstat -n ncp0 | grep rsa

        rsagenerate                     6
        rsaprivate                      18
        rsapublic                       15

Send a request through the browser (with a cipher containing RSA) to this server https://foo:80/test.html, it should show test.html
I used tstclnt (a client bundled with NSS) to send request to the server using cipher c i.e. SSL3 RSA WITH RC4 128 MD5.

# tstclnt -h accel -p 81 -d . -n Server-Cert  -T -f -o -v  -c c < req.txt
tstclnt: connecting to accel:81 (address=10.133.169.154)
...

      tstclnt: SSL version 3.0 using 128-bit RC4 with 128-bit MD5 MAC
      tstclnt: Server Auth: 1024-bit RSA, Key Exchange: 1024-bit RSA
      ...
      HTTP/1.1 200 OK
      Server: Oracle-iPlanet-Web-Server/7.0
      Content-type: text/html
      Last-modified: Mon, 10 Jan 2011 09:45:03 GMT
      Etag: "12-4d2ad51f"
      Accept-ranges: bytes
      Content-length: 18
      Date: Mon, 10 Jan 2011 09:45:23 GMT
      Connection: close

      This is test.html
      ...

Now run kstat again,  if it shows an increase that means we are ok.

kstat -n ncp0 | grep -i rsa 
    rsagenerate                     6 
    rsaprivate                      18

    rsapublic                       16


Note : If

1. Web server does not present the Intermediate CA certificates installed as Server Certificate Chain to the browser and that causes the certificate validation by the browser to fail.
or
2. Client authentication fails with the following error message in the errors log .  Root CA cert has been installed to the certificate database.

failure (16670): HTTP3068: Error receiving request from 123.45.67.897(SEC_ERROR_UNKNOWN_ISSUER: Peer's certificate is signed by an unknown issuer)

These two issues are caused by the /.sunw directory not being accessible by the web server running user "webservd". That directory has permissions 0700 and is owned by root. Web Server starts up as root and then changes (using setuid) to user "webservd".  Solution to this is
1) Have the web server running as root
2) Open up the permission on /.sunw so that it is readable by the web server running user
3) Set  the environment variable SOFTTOKEN_DIR to point to some directory that is owned by webservd before the web server is started. The SCF will then access the files in $SOFTTOKEN_DIR/pkcs11_softoken/ during execution.

References


\*\*If you get an error in list-configs command like : "CLI104 Unable to communicate with the administration server: No such file or directory" then you are probably seeing bug "6606384 SCF consumers crash after mechanisms are disabled using cryptoadm when using libumem". Upgrade to Solaris 10 update 9 or apply patches. core dump should look like

# mdb ../../admin-server/config/core.18103
>::stack
libc.so.1`_lwp_kill+8(6, 0, 20f04, ff34ba3c, ff36a000, ff36abdc)
libumem.so.1`umem_do_abort+0x1c(44, e4ced4e8, 6, 20e40, ff356ad8, 0)
libumem.so.1`umem_err_recoverable+0x7c(ff357b54, a, 20d38, 0, ff36d0e8, ff357b5f)
libumem.so.1`process_free+0x114(12d3ee8, 1, 0, 3e3a1000, 1ec08, ff)
libpkcs11.so.1`pkcs11_slottable_delete+0x158(12d3ee8, a11628, a11628, f97c6bb0, 1, 1)
libpkcs11.so.1`pkcs11_fini+0x4c(f97c6b8c, 1, f97ae1c8, f97c6000, 17aac, f97c6b84)
libc.so.1`_postfork_child_handler+0x30(1d18, fd543800, 1c00, 4, fba5ca00, fd543800)
libc.so.1`fork+0x144(0, 2, 0, 3c, fd543800, fba5ca00)
libns-httpd40.so`CHILDEXEC_ERR ChildExec::_startListener()+0x19c(...)
libns-httpd40.so`CHILDEXEC_ERR ChildExec::PerformListenerOp(ListenerOp,int&)+0x14(...)
libns-httpd40.so`CHILDEXEC_ERR ChildExec::StartListener(int&)+0x48(...)
libns-httpd40.so`CHILDEXEC_ERR ChildExec::initialize(int&)+0xa8(...)
libns-httpd40.so`PRStatus cgistub_child_exec_init()+0x2d0(...)
libns-httpd40.so`PRStatus cgistub_init()+0x58(...)
...

Thursday Sep 21, 2006

Solaris Cryptographic Framework and Sun Java System Web Server 7.0

Solaris Cryptographic Framework and Sun Java System Web Server 7.0

Here are my initial experiments to use external PKCS#11 security module Solaris Cryptographic Framework in Sun Java System Web Server 7.0.  Some references I liked in this regard are "man libpkcs11", "Using the Cryptographic Accelerator of the UltraSPARC T1 Processor" and Jyri's article "Configuring Solaris Cryptographic Framework and Sun Java System Web Server 7 on Systems With UltraSPARC T1 Processors" . Special Thanx to Basant who helped me.

Note that I executed these commands from the server instance's config directory.  For more readability, the commands I used are shown in brown and the output is shown in green.

Initial steps

First I move .sunw directory
$mv $HOME/.sun $HOME/.sunw.OLD

Then I initialized password/pin
$pktool setpin
Enter new PIN:typed-my-password-here
Re-enter new PIN:typed-my-password-here

Then disabled the following mechanisms
Note that these commands need to be executed as root.
#cryptoadm disable provider=/usr/lib/security/\\$ISA/pkcs11_kernel.so mechanism=CKM_SSL3_PRE_MASTER_KEY_GEN,CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_KEY_AND_MAC_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_SSL3_MD5_MAC,CKM_SSL3_SHA1_MAC

#cryptoadm disable provider=/usr/lib/security/\\$ISA/pkcs11_softtoken.so mechanism=CKM_SSL3_PRE_MASTER_KEY_GEN,CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_KEY_AND_MAC_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_SSL3_MD5_MAC,CKM_SSL3_SHA1_MAC
(if pkcs11_softtoken_extra.so is used, disable these mechanisms in that also)

#cryptoadm list -p
user-level providers:

=====================
/usr/lib/security/$ISA/pkcs11_kernel.so: all mechanisms are enabled, except CKM_SSL3_SHA1_MAC,CKM_SSL3_MD5_MAC,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_SSL3_KEY_AND_MAC_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_PRE_MASTER_KEY_GEN.
/usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled, except CKM_SSL3_SHA1_MAC,CKM_SSL3_MD5_MAC,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_SSL3_KEY_AND_MAC_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_PRE_MASTER_KEY_GEN. random is enabled.
...

Registering PKCS#11 library

I  have used PKCS#11 library /usr/lib/libpkcs11.so (for 64 bit, it is /usr/lib/64/libpkcs11.so).

The following command added the Solaris crypto framework module to the NSS database in the config directory :
$../../lib/modutil -dbdir . -add "scf" -libfile /usr/lib/libpkcs11.so -mechanisms RSA
...
Module "scf" added to database.


$../../lib/modutil -dbdir . -enable "scf"


Verified the above steps,
$../../lib/modutil -dbdir . -nocertdb -list
Listing of PKCS #11 Modules
-----------------------------------------------------------
   1. NSS Internal PKCS #11 Module
          slots: 2 slots attached
         status: loaded

          slot: NSS Internal Cryptographic Services
         token: NSS Generic Crypto Services

          slot: NSS User Private Key and Certificate Services
         token: NSS Certificate DB

   2. scf
         library name: /usr/lib/libpkcs11.so
          slots: 1 slot attached
         status: loaded

          slot: Sun Crypto Softtoken
         token: Sun Software PKCS#11 softtoken

   3. Root Certs
         library name: libnssckbi.so
          slots: There are no slots attached to this module
         status: Not loaded
-----------------------------------------------------------
Note that slot "Sun Crypto Softtoken" has token "Sun Software PKCS#11 softtoken". I will be using this token in the next stages.

Creating Server Certificates

The normal process for requesting and installing certificates is used. Only with a difference, create all certificate and keys in that security module, not using "internal" NSS database token, but using the "Sun Software PKCS#11 softtoken" token instead.

1. Exporting and Importing already existing certificates using pk12util

If I already had certificates in NSS database, I could have exported and imported them using pk12util
$pk12util –o server.pk12 –d . –n MyCert
$pk12util –i server.pk12 –d . –h “Sun Software PKCS#11 softtoken”

By default, certutil / pk12util searches for databases named cert8.db and key3.db, but some of the versions of Web Server use alternate names such as https-instance-hostname-cert8.db and https-instance-hostname-key3.db in that case add -P parameter for the prefix.

2. Using certutil to create self signed server certificate

I used NSS utility "certutil" to create a self signed server certificates.
$../../bin/certutil -S -d . -n MyCert -s "CN=test.sun.com" -x -t "u,u,u" -h "Sun Software PKCS#11 softtoken" -5
Enter Password or Pin for "Sun Software PKCS#11 softtoken":typed-my-password-here
A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!


Continue typing until the progress meter is full:

|\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*|

Finished.  Press enter to continue:


Generating key.  This may take a few moments...

                           0 - SSL Client
                           1 - SSL Server
                           2 - S/MIME
                           3 - Object Signing
                           4 - Reserved for future use
                           5 - SSL CA
                           6 - S/MIME CA
                           7 - Object Signing CA
                           Other to finish
1
                           0 - SSL Client
                           1 - SSL Server
                           2 - S/MIME
                           3 - Object Signing
                           4 - Reserved for future use
                           5 - SSL CA
                           6 - S/MIME CA
                           7 - Object Signing CA
                           Other to finish
5
                           0 - SSL Client
                           1 - SSL Server
                           2 - S/MIME
                           3 - Object Signing
                           4 - Reserved for future use
                           5 - SSL CA
                           6 - S/MIME CA
                           7 - Object Signing CA
                           Other to finish
9
Is this a critical extension [y/N]?
y

Verified that the certificate was added to the database
$../../lib/certutil -L -d . -h "Sun Software PKCS#11 softtoken"
Enter Password or Pin for "Sun Software PKCS#11 softtoken":typed-my-password-here
Sun Software PKCS#11 softtoken:MyCert                        u,u,u

Enable SSL for the Web Server instance

In server.xml,  enabled ssl for http-listener element, and  added server certificate nickname correctly.

....
<http-listener>
  ...
<ssl>
  <enabled>true</enabled>
  <server-cert-nickname>Sun Software PKCS#11 softtoken:MyCert</server-cert-nickname>
  </ssl>
</http-listener>
...
Note the prefix "Sun Software PKCS#11 softtoken:".

3. Using Administration CLI to create self signed certificate and enabling SSL

Start admin-server, from <server-installation>/bin directory,
$wadm --user=admin

Please enter admin-user-password>typed-admin-server-password-here
Sun Java System Web Server 7.0-Technology-Preview-3 B09/20/2006 10:07

wadm>create-selfsigned-cert --config=test.sun.com --server-name=test.sun.com --nickname=MyCert --token="Sun Software PKCS#11 softtoken"
ADMIN4099: Token 'Sun Software PKCS#11 softtoken' was not found

wadm>list-tokens --config=test.sun.com
internal

The reason for this error is I ran modutil into server instance's config directory so I need to pull-config (I should have run modutil command from admin-server/config-store/test.sun.com/config directory to avoid this)
wadm>pull-config  --config=test.sun.com test.sun.com
CLI201 Command 'pull-config' ran successfully

wadm>list-tokens --config=test.sun.com
internal
Sun Software PKCS#11 softtoken
This looks ok.

wadm>create-selfsigned-cert --config=test.sun.com --server-name=test.sun.com --nickname=MyCert --token="Sun Software PKCS#11 softtoken"
Please enter token-pin>typed-my-password-here
CLI201 Command 'create-selfsigned-cert' ran successfully

wadm>set-ssl-prop --config=test.sun.com --http-listener=http-listener-1 enabled=true server-cert-nickname="Sun Software PKCS#11 softtoken:MyCert"
CLI201 Command 'set-ssl-prop' ran successfully

wadm>deploy-config test.sun.com
CLI201 Command 'deploy-config' ran success


Now I started the Web Server,
$../bin/startserv
Sun Java System Web Server 7.0 B09/11/2006 12:04
Please enter the PIN for the "Sun Software PKCS#11 softtoken" token:typed-my-password-here
info: HTTP3072: http-listener-1: https://test.sun.com:2222 ready to accept requests
info: CORE3274: successful server startup

I sent a request through the browser to https://test.sun.com:2222, and the server served the request.

More References

  1. Jyri's BigAdmin Article "Configuring Solaris Cryptographic Framework and Sun Java System Web Server 7 on Systems With UltraSPARC T1 Processors"
  2. Using the Cryptographic Accelerator of the UltraSPARC T1 Processor
  3. man libpkcs11
  4. man cryptoadm
  5. Sun crypto accelerator 6000 user's guide has chapter on Installing and configuring with Sun Java System Web Server 6.1.


Tip : If
1. Web server does not present the Intermediate CA certificates installed as Server Certificate Chain to the browser and that causes the certificate validation by the browser to fail.
or
2. Client authentication fails with the following error message in the errors log .  Root CA cert has been installed to the certificate database.

failure (16670): HTTP3068: Error receiving request from 123.45.67.897(SEC_ERROR_UNKNOWN_ISSUER: Peer's certificate is signed by an unknown issuer)

These two issues are caused by the /.sunw directory not being accessible by the web server running user "webservd". That directory has permissions 0700 and is owned by root. Web Server starts up as root and then changes (using setuid) to user "webservd".  Solution to this is
1) Have the web server running as root
2) Open up the permission on /.sunw so that it is readable by the web server running user
3) Set  the environment variable SOFTTOKEN_DIR to point to some directory that is owned by webservd before the web server is started. The SCF will then access the files in $SOFTTOKEN_DIR/pkcs11_softoken/ during execution.

Read my next blog Using builtin hardware accelerators of Niagara 1 (Sun Fire T 2000) server with SSL enabled Sun Java System Web Server 7.0 instance


About

Meena Vyas

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today