Look at the SCA 6000 user's guide - configuring apache is documented.

http://docs.sun.com/app/docs/prod/accel.600.brd?l=en&a=view

-gary

On 08/19/09 09:16, Gary.Morton at Sun.COM wrote:
> It looks like you are configured to use softtoken so the rsa private 
> requests are handled there rather than the sca6000
> 
> -gary
> 
> 
> 
> On 08/19/09 07:34, Rishi Renjith wrote:
>> Hello, I tried creating an NSS database, linking it with crypto card
>> and connecting using apache mod_nss. Everything works fine, except
>> that the rsaprivate jobs are not getting increased in the kstat of
>> the card.
>> This is what I did.
>> bash-3.00# cd ../nssdb
>> bash-3.00# rm *
>> bash-3.00# certutil -N -d .
>> Enter a password which will be used to encrypt your keys.
>> The password should be at least 8 characters long,
>> and should contain at least one non-alphabetic character.
>> Enter new password:
>> Re-enter password:
>> bash-3.00# ls
>> cert8.db   key3.db    secmod.db
>> bash-3.00# chmod 777 *
>> bash-3.00# modutil -dbdir . -nocertdb -force -add "Sun Crypto Accelerator" -libfile /usr/lib/libpkcs11.so -mechanisms RSA:DSA:RC4:DES
>> Module "Sun Crypto Accelerator" added to database.
>> bash-3.00# modutil -list -dbdir .
>> Listing of PKCS #11 Modules
>> -----------------------------------------------------------
>>   1. NSS Internal PKCS #11 Module
>>          slots: 2 slots attached
>>          status: loaded
>>
>>          slot: NSS Internal Cryptographic Services
>>          token: NSS Generic Crypto Services
>>
>>          slot: NSS User Private Key and Certificate Services
>>          token: NSS Certificate DB
>>
>>   2. Sun Crypto Accelerator
>>          library name: /usr/lib/libpkcs11.so
>>          slots: 2 slots attached
>>          status: loaded
>>
>>          slot: Sun Metaslot
>>          token: Sun Metaslot
>>
>>          slot: Sun Crypto Softtoken
>>          token: Sun Software PKCS#11 softtoken
>> -----------------------------------------------------------
>> bash-3.00# certutil -S -x -n "cert309" -t "u,u,u" -k rsa -g 1024 -v 120 -s "cn=nobody,ou=Org,o=Sun,L=Santa Clara,ST=California,C=US" -d . -h "Sun Metaslot"
>> Enter Password or Pin for "Sun Metaslot":
>> A random seed must be generated that will be used in the creation of
>> your key.  One of the easiest ways to create a random seed is to use
>> the timing of keystrokes on a keyboard.
>> To begin, type keys on the keyboard until this progress meter is
>> full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
>> Continue typing until the progress meter is full:
>> |************************************************************|
>> Finished.  Press enter to continue:
>> Generating key.  This may take a few moments...
>> Enter Password or Pin for "Sun Software PKCS#11 softtoken":
>> bash-3.00# certutil -K -d .
>> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
>> Enter Password or Pin for "NSS Certificate DB":
>> certutil: no keys found
>> bash-3.00# certutil -K -d . -h "Sun Software PKCS#11 softtoken"
>> certutil: Checking token "Sun Software PKCS#11 softtoken" in slot "Sun Crypto Softtoken"
>> Enter Password or Pin for "Sun Software PKCS#11 softtoken":
>> certutil: no keys found
>> bash-3.00# certutil -K -d . -h "Sun Metaslot"
>> certutil: Checking token "Sun Metaslot" in slot "Sun Metaslot"
>> Enter Password or Pin for "Sun Metaslot":
>> < 0> rsa      204a23dbb2e82d7d8c1495e3374dcd4462423e4c   Sun Metaslot:cert309
>> < 1> rsa      54ea6d93df1cfef13064aedc6f6c7f0dce34e7b6   Sun Metaslot:cert147
>> < 2> rsa      34d4a4974cf325e735dd23bb3a6b4680249f3550   (orphan)
>> < 3> rsa      2018eecb4c05eb25cd30be4de6f13ccaeadcb43d   Sun Metaslot:cert1151
>> < 4> rsa      61932a2d796fd8f6e82949059176e980cde5c55a   sanCert
>> < 5> rsa      4e752a9b4a76c1462d9aec76de1617e08d07ff42   Sun Metaslot:ismc_cert
>> bash-3.00# certutil -L -d .
>> Certificate Nickname                                         Trust Attributes
>> SSL,S/MIME,JAR/XPI
>> bash-3.00# certutil -L -d . -h "Sun Software PKCS#11 softtoken"
>> Certificate Nickname                                         Trust Attributes
>> SSL,S/MIME,JAR/XPI
>> Enter Password or Pin for "Sun Software PKCS#11 softtoken":
>> bash-3.00# certutil -L -d . -h "Sun Metaslot"
>> Certificate Nickname                                         Trust Attributes
>> SSL,S/MIME,JAR/XPI
>> Enter Password or Pin for "Sun Metaslot":
>> Sun Metaslot:cert309                                         u,u,u
>> Sun Metaslot:cert147                                         u,u,u
>> Sun Metaslot:cert1151                                        u,u,u
>> Sun Metaslot:sanCert                                         u,u,u
>> Sun Metaslot:CACERT CA                                       ,,
>> Sun Metaslot:ismc_cert                                       u,u,u
>> modutil -disable "NSS Internal PKCS #11 Module"  -dbdir .
>> WARNING: Performing this operation while the browser is running could
>> cause corruption of your security databases. If the browser is
>> currently running, you should exit browser before continuing this
>> operation. Type 'q <enter>' to abort, or <enter> to continue:
>> Slot "NSS Internal Cryptographic Services" disabled.
>> Slot "NSS User Private Key and Certificate Services" disabled.
>> bash-3.00# modutil -enable "Sun Crypto Accelerator"  -dbdir .
>> WARNING: Performing this operation while the browser is running could
>> cause corruption of your security databases. If the browser is
>> currently running, you should exit browser before continuing this
>> operation. Type 'q <enter>' to abort, or <enter> to continue:
>> Slot "Sun Metaslot" enabled.
>> Slot "Sun Crypto Softtoken" enabled.
>> ---------------------------------------------------------------------------
>> Now when I check the kstat for each connection, the rsaprivate is not
>> getting increased, only aesjobs are increased. I also tried this test:
>> cryptoadm disable provider=mca/0 mechanism=all
>> In this case, the handshake fails.
>> But..., if I disable only RSA in the card,
>> cryptoadm disable provider=mca/0 mechanism=<all RSA mechanisms>
>> it works, which means that the card is currently used for AES jobs and
>> RSA jobs are done at the software level.
>>
>>
>> The cryptoadm output is as below, which indicates the card is
>> configured properly.
>> bash-3.00# cryptoadm list
>> User-level providers:
>> Provider: /usr/lib/security/$ISA/pkcs11_kernel.so
>> Provider: /usr/lib/security/$ISA/pkcs11_softtoken_extra.so
>> Kernel software providers:
>>         des
>>         aes256
>>         arcfour2048
>>         blowfish448
>>         sha1
>>         sha2
>>         md5
>>         swrand
>> Kernel hardware providers:
>>         mca/0
>>
>>
>> Please suggest.
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> crypto-discuss mailing list
>> crypto-discuss at opensolaris.org
>> http://mail.opensolaris.org/mailman/listinfo/crypto-discuss


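The counter comparison described in the original post, as an added shell example that is not part of the thread: it diffs two `kstat -p`-style snapshots taken around a batch of TLS handshakes and reports whether RSA private-key operations reached the card. The `rsaprivate` and `aesjobs` names come from the post; the `mca:0:mca0` prefix, all values and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Statistic names (rsaprivate, aesjobs) are quoted from the post;
# the "mca:0:mca0" prefix and every value below are constructed sample data.
# On a real host the snapshots would come from `kstat -p` for the card's module
# (module name assumed here to match the provider name mca).

# counter_total FILE STAT: sum STAT over every instance in a kstat -p snapshot.
counter_total() {
    awk -v stat="$2" '
        { n = split($1, f, ":") }
        n == 4 && f[4] == stat { sum += $2; seen = 1 }
        END { if (!seen) exit 1; printf "%d\n", sum }
    ' "$1"
}

# counter_delta BEFORE AFTER STAT: growth of STAT between two snapshots.
counter_delta() {
    b=$(counter_total "$1" "$3") || return 2
    a=$(counter_total "$2" "$3") || return 2
    echo $((a - b))
}

# classify_offload BEFORE AFTER: where did the RSA private-key work go?
classify_offload() {
    rsa=$(counter_delta "$1" "$2" rsaprivate) || { echo unknown; return 0; }
    aes=$(counter_delta "$1" "$2" aesjobs) || { echo unknown; return 0; }
    if [ "$rsa" -gt 0 ]; then echo rsa-on-card
    elif [ "$aes" -gt 0 ]; then echo rsa-in-software   # card busy, but not with RSA
    else echo card-idle
    fi
}

# make_samples DIR: write constructed snapshots taken around handshake batches.
make_samples() {
    printf 'mca:0:mca0:rsaprivate 10\nmca:0:mca0:aesjobs 200\n' > "$1/before.txt"
    printf 'mca:0:mca0:rsaprivate 10\nmca:0:mca0:aesjobs 248\n' > "$1/after.txt"
    printf 'mca:0:mca0:rsaprivate 22\nmca:0:mca0:aesjobs 301\n' > "$1/offloaded.txt"
}

dir=$(mktemp -d)
make_samples "$dir"
echo "counters as described in the post: $(classify_offload "$dir/before.txt" "$dir/after.txt")"
echo "counters if RSA were offloaded:    $(classify_offload "$dir/after.txt" "$dir/offloaded.txt")"
rm -rf "$dir"
```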