Wednesday Sep 19, 2007

Using built-in hardware crypto accelerators of SPARC Enterprise T5120 server (powered by UltraSPARC T2 i.e. Niagara2 processor) in Oracle iPlanet Web Server 7.0 update 9

In my previous blog I talked about the SCF framework and Sun Java System Web Server 7.0 in general. This time I tried to make use of the built-in hardware crypto accelerators of the SPARC Enterprise T5120 server (powered by the UltraSPARC T2, i.e. Niagara 2, processor) in Oracle iPlanet Web Server 7.0 update 9.

The T5120 server has integrated on-board cryptographic acceleration supporting 10 industry-standard ciphers: DES, 3DES, AES, RC4, SHA1, SHA256, MD5, RSA up to 2048-bit keys, ECC, and CRC32.

Here is what I did:

Step 1 : Go to the Web Server installation directory and start the admin server

# ./admin-server/bin/startserv

Step 2.1 : Go to the Web Server 7.0 instance's config directory and perform these manual steps

# cd https-foo.com/config/


2.2) First move the existing /.sunw softtoken directory out of the way

# mv /.sunw ./sunw.old

Set the PIN

# pktool setpin
Create new passphrase: type-password-here
Re-enter new passphrase: type-password-here
Passphrase changed.


2.3) List the current PKCS#11 modules

# ../../bin/modutil -list -dbdir .

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. Root Certs
        library name: libnssckbi.so
         slots: 1 slot attached
        status: loaded

         slot: NSS Builtin Objects
        token: Builtin Object Token
-----------------------------------------------------------

2.4) Add the SCF module

# ../../bin/modutil  -dbdir . -add "Solaris Crypto Framework" -libfile /usr/lib/libpkcs11.so -mechanisms RSA

...

Module "Solaris Crypto Framework" added to database.


2.5) Enable the SCF module

# ../../bin/modutil -enable "Solaris Crypto Framework" -dbdir .
...

Slot "Sun Metaslot" enabled.
Slot "n2cp/0 Crypto Accel Bulk 1.0" enabled.
Slot "ncp/0 Crypto Accel Asym 1.0" enabled.
Slot "n2rng/0 SUNW_N2_Random_Number_Generator" enabled.



2.6) List the modules to make sure the add and enable steps above succeeded.

# ../../bin/modutil  -list -dbdir .

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB


  2. Solaris Crypto Framework
        library name: /usr/lib/libpkcs11.so
         slots: 4 slots attached
        status: loaded

         slot: Sun Metaslot
        token: Sun Metaslot

         slot: n2cp/0 Crypto Accel Bulk 1.0
        token: n2cp/0 Crypto Accel Bulk 1.0

         slot: ncp/0 Crypto Accel Asym 1.0
        token: ncp/0 Crypto Accel Asym 1.0

         slot: n2rng/0 SUNW_N2_Random_Number_Generator
        token: n2rng/0 SUNW_N2_RNG

  3. Root Certs
        library name: libnssckbi.so
         slots: 1 slot attached
        status: loaded

         slot: NSS Builtin Objects
        token: Builtin Object Token
-----------------------------------------------------------

2.7) List cryptoadm providers and their mechanisms:

# cryptoadm list -p

User-level providers:
=====================
/usr/lib/security/$ISA/pkcs11_kernel.so: all mechanisms are enabled. random is enabled.
/usr/lib/security/$ISA/pkcs11_softtoken_extra.so: all mechanisms are enabled. random is enabled.

Kernel software providers:
==========================
des: all mechanisms are enabled.
aes256: all mechanisms are enabled.
arcfour2048: all mechanisms are enabled.
blowfish448: all mechanisms are enabled.
sha1: all mechanisms are enabled.
sha2: all mechanisms are enabled.
md5: all mechanisms are enabled.
rsa: all mechanisms are enabled.
swrand: random is enabled.

Kernel hardware providers:
==========================
n2cp/0: all mechanisms are enabled.
ncp/0: all mechanisms are enabled.
n2rng/0: all mechanisms are enabled. random is enabled.


2.9) Disable the following SSL3 mechanisms in the user-level softtoken provider

# cryptoadm disable provider=/usr/lib/security/\$ISA/pkcs11_softtoken_extra.so \
    mechanism=CKM_SSL3_PRE_MASTER_KEY_GEN,CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_KEY_AND_MAC_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_SSL3_MD5_MAC,CKM_SSL3_SHA1_MAC

2.10) List to make sure these were disabled

# cryptoadm list -p
User-level providers:
=====================
/usr/lib/security/$ISA/pkcs11_kernel.so: all mechanisms are enabled. random is enabled.
/usr/lib/security/$ISA/pkcs11_softtoken_extra.so: all mechanisms are enabled, except CKM_SSL3_SHA1_MAC,CKM_SSL3_MD5_MAC,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_SSL3_KEY_AND_MAC_DERIVE,
CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_PRE_MASTER_KEY_GEN. random is enabled.

Kernel software providers:
==========================
des: all mechanisms are enabled.
aes256: all mechanisms are enabled.
arcfour2048: all mechanisms are enabled.
blowfish448: all mechanisms are enabled.
sha1: all mechanisms are enabled.
sha2: all mechanisms are enabled.
md5: all mechanisms are enabled.
rsa: all mechanisms are enabled.
swrand: random is enabled.

Kernel hardware providers:
==========================
n2cp/0: all mechanisms are enabled.
ncp/0: all mechanisms are enabled.
n2rng/0: all mechanisms are enabled. random is enabled.
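
A check for the state reached after steps 2.6 and 2.10, as an added example (not code from the original post or from the Web Server product): it parses text captured from `modutil -list -dbdir .` and `cryptoadm list -p` and reports whether the "Solaris Crypto Framework" module is loaded with the Sun Metaslot and ncp slots, and whether all six CKM_SSL3_* mechanisms are really listed as disabled on pkcs11_softtoken_extra.so. The two sample outputs embedded below are constructed from the listings shown in this post.

```python
"""Check the NSS module list and cryptoadm state captured from steps 2.6 and 2.10.

Added example, not code from the original post or the Web Server product.
The two samples below are constructed from the listings shown in the post.
"""
import re

MODUTIL_SAMPLE = """\
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded
  2. Solaris Crypto Framework
        library name: /usr/lib/libpkcs11.so
         slots: 4 slots attached
        status: loaded
         slot: Sun Metaslot
        token: Sun Metaslot
         slot: n2cp/0 Crypto Accel Bulk 1.0
        token: n2cp/0 Crypto Accel Bulk 1.0
         slot: ncp/0 Crypto Accel Asym 1.0
        token: ncp/0 Crypto Accel Asym 1.0
         slot: n2rng/0 SUNW_N2_Random_Number_Generator
        token: n2rng/0 SUNW_N2_RNG
"""

CRYPTOADM_SAMPLE = """\
User-level providers:
=====================
/usr/lib/security/$ISA/pkcs11_kernel.so: all mechanisms are enabled. random is enabled.
/usr/lib/security/$ISA/pkcs11_softtoken_extra.so: all mechanisms are enabled, except CKM_SSL3_SHA1_MAC,CKM_SSL3_MD5_MAC,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_SSL3_KEY_AND_MAC_DERIVE,
CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_PRE_MASTER_KEY_GEN. random is enabled.

Kernel hardware providers:
==========================
ncp/0: all mechanisms are enabled.
"""

SOFTTOKEN = "/usr/lib/security/$ISA/pkcs11_softtoken_extra.so"
SSL3_MECHS = frozenset({
    "CKM_SSL3_PRE_MASTER_KEY_GEN", "CKM_SSL3_MASTER_KEY_DERIVE",
    "CKM_SSL3_KEY_AND_MAC_DERIVE", "CKM_SSL3_MASTER_KEY_DERIVE_DH",
    "CKM_SSL3_MD5_MAC", "CKM_SSL3_SHA1_MAC",
})


def parse_modutil(text):
    """Map module name -> {"library", "status", "slots": [slot names]} from modutil -list."""
    modules, current = {}, None
    for line in text.splitlines():
        head = re.match(r"\s*\d+\.\s+(.+?)\s*$", line)  # "  2. Solaris Crypto Framework"
        if head:
            current = head.group(1)
            modules[current] = {"library": None, "status": None, "slots": []}
            continue
        if current is None:
            continue
        for key, pattern in (("library", r"\s*library name:\s*(\S+)"),
                             ("status", r"\s*status:\s*(\S+)")):
            m = re.match(pattern, line)
            if m:
                modules[current][key] = m.group(1)
        slot = re.match(r"\s*slot:\s*(.+?)\s*$", line)  # "slots:" lines do not match
        if slot:
            modules[current]["slots"].append(slot.group(1))
    return modules


def parse_cryptoadm_disabled(text):
    """Map user-level provider path -> set of mechanisms named after 'except'."""
    # cryptoadm wraps a long 'except' list onto a second line, so the whole
    # user-level section is joined into one string before providers are split.
    section, user_lines = None, []
    for line in text.splitlines():
        if line.endswith("providers:"):
            section = line
        elif section == "User-level providers:" and line.strip() and not line.startswith("="):
            user_lines.append(line.strip())
    disabled = {}
    for path, desc in re.findall(r"(/\S+?\.so):\s*(.*?)(?=\s/\S+?\.so:|$)", " ".join(user_lines)):
        m = re.search(r"except\s+(.*?)\.\s", desc + " ")
        disabled[path] = {x.strip() for x in m.group(1).split(",") if x.strip()} if m else set()
    return disabled


def check_scf_setup(modutil_text, cryptoadm_text):
    """Return a list of problems; an empty list means steps 2.4 to 2.9 took effect."""
    problems = []
    scf = parse_modutil(modutil_text).get("Solaris Crypto Framework")
    if scf is None:
        problems.append("Solaris Crypto Framework module is not in the NSS database")
    else:
        if scf["status"] != "loaded":
            problems.append("SCF module status is %r, expected 'loaded'" % scf["status"])
        if "Sun Metaslot" not in scf["slots"]:
            problems.append("Sun Metaslot slot not attached")
        if not any(s.startswith("ncp/") for s in scf["slots"]):
            problems.append("no ncp (asymmetric/RSA) accelerator slot attached")
    still_on = SSL3_MECHS - parse_cryptoadm_disabled(cryptoadm_text).get(SOFTTOKEN, set())
    if still_on:
        problems.append("still enabled on softtoken: " + ", ".join(sorted(still_on)))
    return problems
```

On the server itself, feed `check_scf_setup()` the real output of the two commands instead of the samples; a non-empty list is the reason to stop before creating the certificate in step 2.11.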

2.11) a) Now run the following Web Server CLI commands

# ../../bin/wadm --user=admin
Please enter admin-user-password> type-admin-server-password-here
wadm> list-configs
foo
wadm> pull-config --config=foo foo
CLI201 Command 'pull-config' ran successfully
wadm> list-tokens --config=foo
internal
Sun Metaslot
wadm>  create-selfsigned-cert --config=foo --server-name=foo --nickname=Server-Cert --token="Sun Metaslot"
Please enter token-pin> type-password-here
CLI201 Command 'create-selfsigned-cert' ran successfully
wadm> list-http-listeners  --config=foo
http-listener-1
wadm> set-ssl-prop --config=foo --http-listener=http-listener-1 server-cert-nickname="Sun Metaslot:Server-Cert" enabled=true
CLI201 Command 'set-ssl-prop' ran successfully
wadm>  deploy-config foo
CLI201 Command 'deploy-config' ran successfully
wadm>

** (see the note at the end of this post about the CLI104 error)

2.11) b) If you are using an older version of Web Server that does not have the Admin CLI, you can use the following command to create the self-signed certificate
# ../../bin/certutil -S -x -n "Server-Cert" -t "u,u,u" -s "CN=foo" -d . -h "Sun Metaslot"
Enter Password or Pin for "Sun Metaslot": type-password-here
...
Continue typing until the progress meter is full:

|************************************************************|

Finished. Press enter to continue:

Generating key. This may take a few moments...
#

2.11) c) OR you can create a self-signed certificate in the NSS DB, export it, and import it into Sun Metaslot:
# ../../bin/certutil -S -x -n "Server-Cert" -t "u,u,u" -s "CN=foo" -d .
Enter Password or Pin for "Sun Metaslot": type-password-here
...
Continue typing until the progress meter is full:

|************************************************************|


Finished. Press enter to continue:


Generating key. This may take a few moments...
#

# ../../bin/pk12util  -o key-cert-data.pk12 -n "Server-Cert" -d .
Enter password for PKCS12 file: type-a-new-password-here-or-press-enter
Re-enter password: type-a-new-password-here-or-press-enter
pk12util: PKCS12 EXPORT SUCCESSFUL

# ../../bin/pk12util -i key-cert-data.pk12 -d . -h "Sun Metaslot"
Enter Password or Pin for "Sun Metaslot": type-password-here
Enter password for PKCS12 file: type-the-new-password-here
pk12util: PKCS12 IMPORT SUCCESSFUL

2.12) Now manually double-check that the certificate exists
# ../../bin/certutil -L -d . -h "Sun Metaslot"
Certificate Nickname                Trust Attributes
                                   SSL,S/MIME,JAR/XPI
Enter Password or Pin for "Sun Metaslot": type-password-here
Sun Metaslot:Server-Cert                      u,u,u

Check that server.xml contains the server-cert-nickname element:
 <http-listener>
    <name>http-listener-1</name>
    <port>80</port>
    <server-name>foo</server-name>
    <default-virtual-server-name>foo</default-virtual-server-name>
    <ssl>
      <server-cert-nickname>Sun Metaslot:Server-Cert</server-cert-nickname>
    </ssl>
  </http-listener>

2.13) Start the server
# ../bin/startserv
Oracle iPlanet Web Server 7.0.9 B07/04/2010 02:15
Please enter the PIN for the "Sun Metaslot" token: type-password-here
info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.6.0_20] from [Sun Microsystems Inc.]
info: HTTP3072: http-listener-1: https://foo:80 ready to accept requests
info: CORE3274: successful server startup

2.14) Check the statistics using kstat

# kstat -n ncp0 | grep rsa

        rsagenerate                     6
        rsaprivate                      18
        rsapublic                       15

Send a request from a browser (negotiating a cipher suite that uses RSA) to https://foo:80/test.html; it should display test.html.
I used tstclnt (a client bundled with NSS) to send the request to the server with cipher "c", i.e. SSL3_RSA_WITH_RC4_128_MD5.

# tstclnt -h accel -p 81 -d . -n Server-Cert  -T -f -o -v  -c c < req.txt
tstclnt: connecting to accel:81 (address=10.133.169.154)
...

      tstclnt: SSL version 3.0 using 128-bit RC4 with 128-bit MD5 MAC
      tstclnt: Server Auth: 1024-bit RSA, Key Exchange: 1024-bit RSA
      ...
      HTTP/1.1 200 OK
      Server: Oracle-iPlanet-Web-Server/7.0
      Content-type: text/html
      Last-modified: Mon, 10 Jan 2011 09:45:03 GMT
      Etag: "12-4d2ad51f"
      Accept-ranges: bytes
      Content-length: 18
      Date: Mon, 10 Jan 2011 09:45:23 GMT
      Connection: close

      This is test.html
      ...

Now run kstat again; if the counters have increased, the accelerator is being used.

# kstat -n ncp0 | grep -i rsa
        rsagenerate                     6
        rsaprivate                      18
        rsapublic                       16
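
The before/after comparison described above, as an added example (not code from the original post or from the product): it parses the rsa* counters out of `kstat -n ncp0` output, computes the per-counter delta, and answers whether the hardware RSA provider did any work in between. The two samples embedded below are constructed from the counter values shown in this post (rsapublic going from 15 to 16); `live_kstat()` is only meaningful on the Solaris host itself.

```python
"""Diff `kstat -n ncp0` RSA counters to confirm the ncp accelerator handled a handshake.

Added example, not code from the original post. The two samples below are
constructed from the counter values shown in the post (rsapublic 15 -> 16).
"""
import re
import subprocess

KSTAT_BEFORE = """\
        rsagenerate                     6
        rsaprivate                      18
        rsapublic                       15
"""
KSTAT_AFTER = """\
        rsagenerate                     6
        rsaprivate                      18
        rsapublic                       16
"""


def parse_kstat_rsa(text):
    """Extract the rsa* counters from kstat output into {name: int}.

    Works on the full `kstat -n ncp0` output as well as on the grep'ed lines:
    other statistics (crtime, snaptime, ...) do not start with "rsa".
    """
    counters = {}
    for line in text.splitlines():
        m = re.match(r"\s*(rsa\w*)\s+(\d+)\s*$", line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def rsa_delta(before_text, after_text):
    """Per-counter increase between two samples (a counter missing on one side counts as 0)."""
    before, after = parse_kstat_rsa(before_text), parse_kstat_rsa(after_text)
    return {k: after.get(k, 0) - before.get(k, 0) for k in sorted(set(before) | set(after))}


def accelerator_used(before_text, after_text):
    """True when at least one RSA private- or public-key operation ran on the hardware provider."""
    delta = rsa_delta(before_text, after_text)
    return delta.get("rsaprivate", 0) > 0 or delta.get("rsapublic", 0) > 0


def live_kstat(instance="ncp0"):
    """Capture the live counters; only works on a Solaris host with the ncp driver."""
    return subprocess.run(["kstat", "-n", instance], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    # Offline demonstration with the constructed samples. On the T5120 call
    # live_kstat() before and after sending one HTTPS request instead.
    print(rsa_delta(KSTAT_BEFORE, KSTAT_AFTER))
    print("accelerator used:", accelerator_used(KSTAT_BEFORE, KSTAT_AFTER))
```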


Note: if

1. The web server does not present the intermediate CA certificates installed as the server certificate chain to the browser, and that causes certificate validation in the browser to fail,
or
2. Client authentication fails with the following error message in the errors log, even though the root CA certificate has been installed in the certificate database:

failure (16670): HTTP3068: Error receiving request from 123.45.67.897(SEC_ERROR_UNKNOWN_ISSUER: Peer's certificate is signed by an unknown issuer)

then both issues are caused by the /.sunw directory not being accessible to the user the web server runs as, "webservd". That directory has permissions 0700 and is owned by root. The Web Server starts up as root and then changes (using setuid) to user "webservd". Any one of the following fixes it:
1) Run the web server as root
2) Open up the permissions on /.sunw so that it is readable by the web server's run-as user
3) Set the environment variable SOFTTOKEN_DIR to a directory owned by webservd before the web server is started. The SCF will then access the files in $SOFTTOKEN_DIR/pkcs11_softtoken/ during execution.

**If you get an error from the list-configs command like "CLI104 Unable to communicate with the administration server: No such file or directory" then you are probably hitting bug "6606384 SCF consumers crash after mechanisms are disabled using cryptoadm when using libumem". Upgrade to Solaris 10 update 9 or apply the patches. The core dump stack should look like this:

# mdb ../../admin-server/config/core.18103
>::stack
libc.so.1`_lwp_kill+8(6, 0, 20f04, ff34ba3c, ff36a000, ff36abdc)
libumem.so.1`umem_do_abort+0x1c(44, e4ced4e8, 6, 20e40, ff356ad8, 0)
libumem.so.1`umem_err_recoverable+0x7c(ff357b54, a, 20d38, 0, ff36d0e8, ff357b5f)
libumem.so.1`process_free+0x114(12d3ee8, 1, 0, 3e3a1000, 1ec08, ff)
libpkcs11.so.1`pkcs11_slottable_delete+0x158(12d3ee8, a11628, a11628, f97c6bb0, 1, 1)
libpkcs11.so.1`pkcs11_fini+0x4c(f97c6b8c, 1, f97ae1c8, f97c6000, 17aac, f97c6b84)
libc.so.1`_postfork_child_handler+0x30(1d18, fd543800, 1c00, 4, fba5ca00, fd543800)
libc.so.1`fork+0x144(0, 2, 0, 3c, fd543800, fba5ca00)
libns-httpd40.so`CHILDEXEC_ERR ChildExec::_startListener()+0x19c(...)
libns-httpd40.so`CHILDEXEC_ERR ChildExec::PerformListenerOp(ListenerOp,int&)+0x14(...)
libns-httpd40.so`CHILDEXEC_ERR ChildExec::StartListener(int&)+0x48(...)
libns-httpd40.so`CHILDEXEC_ERR ChildExec::initialize(int&)+0xa8(...)
libns-httpd40.so`PRStatus cgistub_child_exec_init()+0x2d0(...)
libns-httpd40.so`PRStatus cgistub_init()+0x58(...)
...

Wednesday Mar 07, 2007

Denial of Service (DoS) Prevention By Request Timeout in Sun Java System Web Server 7.0

Check out the new improvements we made in Sun Java System Web Server 7.0. In this blog I will talk about the Denial of Service (DoS) prevention "Request Timeout" enhancements.

We have introduced two more timeouts in the server.xml <http> element in addition to the existing <io-timeout>: <request-header-timeout> and <request-body-timeout>.

If you are a Web Server administrator and want to require clients to send all request headers within the first 10 minutes of the connection and the request body within the following hour, set these two parameters in server.xml like this:

...

<http> ...
    <request-header-timeout>600</request-header-timeout>
    <request-body-timeout>3600</request-body-timeout>
</http>
...

Connections that exceed these limits are disconnected by the server automatically.
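An audit of these two settings, as an added example (not code from the original post or from the product): it reads the <http> element of a server.xml, returns the three timeout values in seconds, and reports a finding when a request timeout is absent or larger than a limit of your choosing. The limits, and treating an absent element as a finding, are this example's own policy rather than the server's defaults; the two fragments embedded below are constructed, the first from the snippet in this post.

```python
"""Audit the DoS-related request timeouts in a Web Server 7.0 server.xml.

Added example, not code from the original post or the product. The limits
below, and treating an absent element as a finding, are this example's own
policy, not the server's defaults.
"""
import xml.etree.ElementTree as ET

# Constructed fragment matching the post's example (headers: 10 min, body: 1 h).
SERVER_XML_OK = """\
<server>
  <http>
    <request-header-timeout>600</request-header-timeout>
    <request-body-timeout>3600</request-body-timeout>
  </http>
</server>
"""

# Constructed fragment with only the older io-timeout configured.
SERVER_XML_WEAK = """\
<server>
  <http>
    <io-timeout>30</io-timeout>
  </http>
</server>
"""

TIMEOUTS = ("io-timeout", "request-header-timeout", "request-body-timeout")


def read_http_timeouts(server_xml_text):
    """Return {element-name: seconds or None} for the timeouts under <http>."""
    root = ET.fromstring(server_xml_text)
    http = root if root.tag == "http" else root.find(".//http")
    if http is None:
        raise ValueError("no <http> element in server.xml")
    values = {}
    for name in TIMEOUTS:
        el = http.find(name)
        text = (el.text or "").strip() if el is not None else ""
        values[name] = int(text) if text.isdigit() else None
    return values


def audit_http_timeouts(server_xml_text, max_header_seconds=600, max_body_seconds=3600):
    """Return a list of findings; empty means both request timeouts are set and within bounds."""
    values = read_http_timeouts(server_xml_text)
    findings = []
    for name, limit in (("request-header-timeout", max_header_seconds),
                        ("request-body-timeout", max_body_seconds)):
        if values[name] is None:
            findings.append("%s is not set: a slow client can hold the connection open" % name)
        elif values[name] > limit:
            findings.append("%s=%d exceeds the %d second limit" % (name, values[name], limit))
    return findings


if __name__ == "__main__":
    for label, xml in (("ok", SERVER_XML_OK), ("weak", SERVER_XML_WEAK)):
        print(label, read_http_timeouts(xml), audit_http_timeouts(xml) or "no findings")
```

Run it against the instance's real config/server.xml after deploy-config to confirm the values that reached the instance, not just the ones typed into the admin console.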

Monday Feb 26, 2007

Directory listing in Sun Java System Web Server 7.0

I have been getting a lot of questions about directory listing in Sun Java System Web Server 7.0, such as this one:

I have set up a Sun Java System Web Server 7.0. I am not able to see directory contents. I get a popup saying "Authentication Required". Under "Content Handling"->"General"->"Directory Listing", I tried setting "Listing Type" to 'Fancy' & 'Simple'. But that did not help (I saved and re-deployed the server instance).

Here is the solution. First check that the "index-common" Service SAF is present in the obj.conf configuration file:
Service method="(GET|HEAD)" type="magnus-internal/directory" fn="index-common"

Directory listing is not enabled by default. Look at the default ACL file default.acl (assuming you do not have any other VS-specific ACL file):
version 3.0;
acl "default";
authenticate (user, group) {
  prompt = "Sun Java System Web Server";
};
allow (read, execute, info) user = "anyone";
allow (list, write, delete) user = "all";

This shows that the "list" right is granted to "all" (authenticated users only). Directory listing requires the "list" right, so only authenticated users can see directory listings.

You can move the "list" right to "anyone" so that even unauthenticated users can see directory listings.
The changed ACEs should look like this:

allow (read, execute, info, list) user = "anyone";
allow (write, delete) user = "all";
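
The rights computation this post walks through, as an added example (not code from the original post or from the product): it parses the allow/deny ACEs of an ACL file and reports whether an unauthenticated client ends up holding the "list" right. The two ACL samples are constructed from this post; the order-dependent allow/deny evaluation, and reading "anyone" as every client and "all" as authenticated users, are this example's own assumptions about the ACL semantics.

```python
"""Compute effective ACL rights for "anyone" vs "all" from a Web Server 7.0 ACL file.

Added example, not code from the original post. It handles the statement forms
shown in the post (allow/deny of a rights list, or "all", to a user); statements
are applied in file order with deny removing rights, a simplified reading of the
ACL semantics that is this example's own assumption.
"""
import re

RIGHTS = frozenset({"read", "write", "execute", "delete", "list", "info"})

# Constructed copy of the default.acl shown in the post.
DEFAULT_ACL = """\
version 3.0;
acl "default";
authenticate (user, group) {
  prompt = "Sun Java System Web Server";
};
allow (read, execute, info) user = "anyone";
allow (list, write, delete) user = "all";
"""

# The same file with the "list" right moved to "anyone", as the post suggests.
OPEN_LISTING_ACL = DEFAULT_ACL.replace(
    'allow (read, execute, info) user = "anyone";\nallow (list, write, delete) user = "all";',
    'allow (read, execute, info, list) user = "anyone";\nallow (write, delete) user = "all";')

ACE_RE = re.compile(r'^\s*(allow|deny)\s*\(([^)]*)\)\s*user\s*=\s*"([^"]+)"\s*;', re.M)


def parse_aces(acl_text):
    """Yield (action, rights-set, principal) for each allow/deny ... user = "..."; ACE."""
    for action, rights, who in ACE_RE.findall(acl_text):
        names = {r.strip() for r in rights.split(",") if r.strip()}
        yield action, (set(RIGHTS) if "all" in names else names & RIGHTS), who


def effective_rights(acl_text, principal):
    """Rights the principal ends up with after applying the ACEs in file order.

    "anyone" covers every client; "all" covers authenticated users, so a named
    user matches its own ACEs plus those for "anyone" and "all".
    """
    granted = set()
    for action, rights, who in parse_aces(acl_text):
        applies = who == principal or who == "anyone" or (who == "all" and principal != "anyone")
        if not applies:
            continue
        granted = granted | rights if action == "allow" else granted - rights
    return granted


def directory_listing_open(acl_text):
    """True when an unauthenticated client holds the "list" right."""
    return "list" in effective_rights(acl_text, "anyone")


if __name__ == "__main__":
    for label, acl in (("default", DEFAULT_ACL), ("changed", OPEN_LISTING_ACL)):
        print(label, "anyone:", sorted(effective_rights(acl, "anyone")),
              "listing open:", directory_listing_open(acl))
```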


Two more minor tips I would like to add:

1. If you want to change the widths of the file name, last-modified time, size and description columns in the directory listing, add a "cindex-init" directive in magnus.conf. For example:
Init fn="cindex-init" widths="50,5,5,20"

2. If you want to change the directory listing to the "simple" style, which shows only the list of file names, change "index-common" to "index-simple" as shown below:
Service method="(GET|HEAD)" type="magnus-internal/directory" fn="index-simple"

Saturday Jan 20, 2007

Creating Authentication Databases in Sun Java System Web Server 7.0

I tried out creating different authentication databases (keyfile, digestfile, LDAP, PAM) via the Administration CLI in Sun Java System Web Server 7.0 and am writing it down in this blog. I went to the server installation root, started the Administration server and then started wadm.
./admin-server/bin/startserv
./bin/wadm --user=admin
Please enter admin-user-password>***
wadm>

I created a file authentication database of type "keyfile" in config "test" and in virtual server "test".
wadm> create-file-authdb --vs=test --config=test --path=/space/mykeyfile mykeyfile
CLI201 Command 'create-file-authdb' ran successfully


Then I created a file authentication database of type "digest" by adding "--syntax=digestfile" to the above command.
wadm> create-file-authdb --vs=test --config=test --syntax=digestfile --path=/space/mydigestfile mydigestfile
CLI201 Command 'create-file-authdb' ran successfully


To create authentication database of type PAM, I used "create-pam-authdb" CLI,
wadm> create-pam-authdb --vs=test --config=test mypamauthdb
CLI201 Command 'create-pam-authdb' ran successfully

Note that PAM realms and PAM auth-dbs are only supported on Solaris 9 and 10, and the server instance must be running as root. Change <user>webservd</user> to <user>root</user> in server.xml.

To add an authentication database of type LDAP, I used the "create-ldap-authdb" CLI. This CLI does not create the LDAP database; it only configures it. I used an existing Directory (LDAP) server on host "test.sun.com", port 389, with root suffix "o=TestCentral" and bind DN "cn=Directory Manager".
wadm> create-ldap-authdb --vs=test --config=test --bind-dn="cn=Directory Manager" --ldap-url=ldap://test.sun.com:389/o=TestCentral myldapauthdb
Please enter bind-password> ***
CLI201 Command 'create-ldap-authdb' ran successfully


Note that to add an LDAP server with SSL, all I had to do was change the URL prefix from ldap:// to ldaps://, i.e. make the LDAP URL ldaps://test.sun.com:443/o=TestCentral instead. If the LDAP server's CA is not a trusted CA (like Verisign etc.) then I would have to import the LDAP server's CA certificate into the Web Server instance's NSS database as well as into the admin-server's NSS database.

I listed the authentication databases to check whether they were created successfully.
wadm> list-authdbs --vs=test --config=test --all
mykeyfile      keyfile
mydigestfile   digestfile
mypamauthdb    pam
myldapauthdb   ldap

I added a user "user1" to the "mykeyfile" authentication database.
wadm> create-user --authdb=mykeyfile --user-password=*** --vs=test --config=test user1
CLI201 Command 'create-user' ran successfully
Similarly, users can be added to the other databases, but I am skipping that part in this blog.
I listed the users to make sure everything was all right.
wadm> list-users --config=test --vs=test --authdb=mykeyfile --all
user1   -

After I was done with all my changes, I deployed the configuration,
wadm> deploy-config
CLI201 Command 'deploy-config' ran successfully

I double-checked that "user1" exists in "mykeyfile":
> cat /space/mykeyfile
user1;{SSHA}***;
I also made sure that server.xml had all these auth-db entries:
> cat server.xml
    <virtual-server>
    <name>test</name>
...
    <auth-db>
      <name>mykeyfile</name>
      <url>file</url>
      <property>
        <name>keyfile</name>
        <value>/space/mykeyfile</value>
      </property>
      <property>
        <name>syntax</name>
        <value>keyfile</value>
      </property>
    </auth-db>

    <auth-db>

      <name>mydigestfile</name>
      <url>file</url>
      <property>
        <name>digestfile</name>
        <value>/space/mydigestfile</value>
      </property>
      <property>
        <name>syntax</name>
        <value>digest</value>
      </property>
    </auth-db>

    <auth-db>
      <name>mypamauthdb</name>
      <url>pam</url>
    </auth-db>

    <auth-db>
      <name>myldapauthdb</name>
      <url>ldap://test.sun.com:389/o%3dTestCentral</url>
      <property>
        <name>bindpw</name>
        <value>***</value>
        <encoded>true</encoded>
      </property>
      <property>
        <name>binddn</name>
        <value>cn=Directory Manager</value>
      </property>
    </auth-db>
...

I went to the "https-test/config" directory and manually added an ACL at the end of the virtual server's ACL file (in this case default.acl) which allows only "user1" access. I could have done this from wadm as well but forgot to at the time.
> tail -7 default.acl
acl "uri=/";
authenticate (user,group) {
        prompt = "Sun Java System Web Server";
        database = "mykeyfile";
};
deny (all) user = "anyone";
allow (all) user = "user1";
Note that the database I have added is "mykeyfile", which must be the same as the name specified during database creation.

I started the instance and sent a request as "user1"; the access log showed that "user1" was authenticated successfully.
$ tail -f https-test/logs/access
123.456.78.90 - user1 [19/Jan/2007:15:00:44 +0530] "GET /a.txt HTTP/1.1" 200 14

NOTE THAT SERVER RESTART IS REQUIRED WHEN YOU ADD A NEW DIGESTFILE/KEYFILE AUTHENTICATION DATABASE.
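
A worked example of the stored keyfile entry this post shows ("user1;{SSHA}***;"), added here and not code from the original post or from the product: it creates and verifies {SSHA} values and looks a user up in keyfile text, so a known-good account can be re-validated after the file has been edited by hand. Two assumptions are this example's own: that a keyfile line is "user;hash;group1,group2", and that {SSHA} is the common salted SHA-1 scheme, base64(SHA1(password || salt) || salt). The sample keyfile is constructed with a fixed salt.

```python
"""Create and verify {SSHA} entries of the kind a keyfile auth-db stores.

Added example, not code from the original post or the product. Assumptions:
the keyfile line format is "user;{SSHA}base64;group1,group2" (suggested by the
post's "user1;{SSHA}***;" line) and {SSHA} is the usual salted SHA-1 scheme,
base64(SHA1(password || salt) || salt).
"""
import base64
import hashlib
import hmac
import os


def make_ssha(password, salt=None):
    """Return a {SSHA} string; the salt defaults to 8 random bytes."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password, stored):
    """Constant-time check of a password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("unsupported hash scheme: " + stored[:8])
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digests are 20 bytes; the rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def parse_keyfile(text):
    """Map user -> (hash, [groups]) from keyfile lines, skipping blanks and comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(";")
        if len(parts) < 2:
            continue
        groups = [g for g in parts[2].split(",") if g] if len(parts) > 2 else []
        entries[parts[0]] = (parts[1], groups)
    return entries


def verify_user(keyfile_text, user, password):
    """True only if the user exists in the keyfile and the password matches its entry."""
    entry = parse_keyfile(keyfile_text).get(user)
    return entry is not None and verify_ssha(password, entry[0])


# Constructed keyfile with a fixed salt so the entry is reproducible.
SAMPLE_KEYFILE = "user1;%s;\n" % make_ssha("correct horse", b"\x01\x02\x03\x04\x05\x06\x07\x08")

if __name__ == "__main__":
    print(SAMPLE_KEYFILE.strip())
    print("user1 / correct horse:", verify_user(SAMPLE_KEYFILE, "user1", "correct horse"))
    print("user1 / wrong:", verify_user(SAMPLE_KEYFILE, "user1", "wrong"))
```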

Saturday Dec 02, 2006

Migrating from Apache to Sun Web Server

After reading my blog about "Migrating JKS Keystore Entries to NSS DB in Sun Java System Web Server 7.0", somebody asked me how to migrate Apache certificates to Sun Java System Web Server 7.0. I found these nice blogs and articles that Nelson has written about Apache migration.
