Hello,

The manual explains how to configure apache with mod_ssl. We want to use mod_nss with apache.

Also we tried disabling the softtoken by giving

    modutil -disable "sun crypto accelerator" -slot "sun pkcs11 softtoken"

but it doesn't seem to be working; it again shows as enabled!!!

Also the sca manual mentions that you can configure metaslot to use the h/w by using

    cryptoadm enable metaslot token=ks

This also we did, but same result. Are we missing any more config here? (The aes jobs are getting incremented in the kstat, so aes jobs are done in the card.)

On 19-Aug-09, at 8:56 PM, Gary.Morton at Sun.COM wrote:

> Look at the SCA 6000 user's guide - configuring apache is
> documented.
>
> http://docs.sun.com/app/docs/prod/accel.600.brd?l=en&a=view
>
> -gary
>
> On 08/19/09 09:16, Gary.Morton at Sun.COM wrote:
>> It looks like you are configured to use softtoken so the rsa
>> private requests are handled there rather than the sca6000
>> -gary
>> On 08/19/09 07:34, Rishi Renjith wrote:
>>> Hello, I tried creating a NSS database, linking it with crypto
>>> card and connecting using apache mod_nss. Everything works fine,
>>> except that the rsaprivate jobs are not getting increased in the
>>> kstat of the card.
>>> This is what I did.
>>>
>>> bash-3.00# cd ../nssdb
>>> bash-3.00# rm *
>>> bash-3.00# certutil -N -d .
>>> Enter a password which will be used to encrypt your keys.
>>> The password should be at least 8 characters long, and should
>>> contain at least one non-alphabetic character.
>>>
>>> Enter new password:
>>> Re-enter password:
>>>
>>> bash-3.00# ls
>>> cert8.db  key3.db  secmod.db
>>> bash-3.00# chmod 777 *
>>> bash-3.00# modutil -dbdir . -nocertdb -force -add "Sun Crypto Accelerator" -libfile /usr/lib/libpkcs11.so -mechanisms RSA:DSA:RC4:DES
>>> Module "Sun Crypto Accelerator" added to database.
>>> bash-3.00# modutil -list -dbdir .
>>> Listing of PKCS #11 Modules
>>> -----------------------------------------------------------
>>>   1. NSS Internal PKCS #11 Module
>>>          slots: 2 slots attached
>>>         status: loaded
>>>
>>>          slot: NSS Internal Cryptographic Services
>>>         token: NSS Generic Crypto Services
>>>
>>>          slot: NSS User Private Key and Certificate Services
>>>         token: NSS Certificate DB
>>>
>>>   2. Sun Crypto Accelerator
>>>         library name: /usr/lib/libpkcs11.so
>>>          slots: 2 slots attached
>>>         status: loaded
>>>
>>>          slot: Sun Metaslot
>>>         token: Sun Metaslot
>>>
>>>          slot: Sun Crypto Softtoken
>>>         token: Sun Software PKCS#11 softtoken
>>> -----------------------------------------------------------
>>> bash-3.00# certutil -S -x -n "cert309" -t "u,u,u" -k rsa -g 1024 -v 120 -s "cn=nobody,ou=Org,o=Sun,L=Santa Clara,ST=California,C=US" -d . -h "Sun Metaslot"
>>> Enter Password or Pin for "Sun Metaslot":
>>>
>>> A random seed must be generated that will be used in the creation
>>> of your key. One of the easiest ways to create a random seed is
>>> to use the timing of keystrokes on a keyboard.
>>>
>>> To begin, type keys on the keyboard until this progress meter is
>>> full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
>>>
>>> Continue typing until the progress meter is full:
>>>
>>> |************************************************************|
>>>
>>> Finished. Press enter to continue:
>>>
>>> Generating key. This may take a few moments...
>>>
>>> Enter Password or Pin for "Sun Software PKCS#11 softtoken":
>>>
>>> bash-3.00# certutil -K -d .
>>> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
>>> Enter Password or Pin for "NSS Certificate DB":
>>> certutil: no keys found
>>> bash-3.00# certutil -K -d . -h "Sun Software PKCS#11 softtoken"
>>> certutil: Checking token "Sun Software PKCS#11 softtoken" in slot "Sun Crypto Softtoken"
>>> Enter Password or Pin for "Sun Software PKCS#11 softtoken":
>>> certutil: no keys found
>>> bash-3.00# certutil -K -d . -h "Sun Metaslot"
>>> certutil: Checking token "Sun Metaslot" in slot "Sun Metaslot"
>>> Enter Password or Pin for "Sun Metaslot":
>>> < 0> rsa 204a23dbb2e82d7d8c1495e3374dcd4462423e4c Sun Metaslot:cert309
>>> < 1> rsa 54ea6d93df1cfef13064aedc6f6c7f0dce34e7b6 Sun Metaslot:cert147
>>> < 2> rsa 34d4a4974cf325e735dd23bb3a6b4680249f3550 (orphan)
>>> < 3> rsa 2018eecb4c05eb25cd30be4de6f13ccaeadcb43d Sun Metaslot:cert1151
>>> < 4> rsa 61932a2d796fd8f6e82949059176e980cde5c55a sanCert
>>> < 5> rsa 4e752a9b4a76c1462d9aec76de1617e08d07ff42 Sun Metaslot:ismc_cert
>>>
>>> bash-3.00# certutil -L -d .
>>> Certificate Nickname              Trust Attributes
>>>                                   SSL,S/MIME,JAR/XPI
>>>
>>> bash-3.00# certutil -L -d . -h "Sun Software PKCS#11 softtoken"
>>> Certificate Nickname              Trust Attributes
>>>                                   SSL,S/MIME,JAR/XPI
>>>
>>> Enter Password or Pin for "Sun Software PKCS#11 softtoken":
>>> bash-3.00# certutil -L -d . -h "Sun Metaslot"
>>> Certificate Nickname              Trust Attributes
>>>                                   SSL,S/MIME,JAR/XPI
>>>
>>> Enter Password or Pin for "Sun Metaslot":
>>> Sun Metaslot:cert309              u,u,u
>>> Sun Metaslot:cert147              u,u,u
>>> Sun Metaslot:cert1151             u,u,u
>>> Sun Metaslot:sanCert              u,u,u
>>> Sun Metaslot:CACERT CA            ,,
>>> Sun Metaslot:ismc_cert            u,u,u
>>>
>>> modutil -disable "NSS Internal PKCS #11 Module" -dbdir .
>>>
>>> WARNING: Performing this operation while the browser is running
>>> could cause corruption of your security databases. If the browser
>>> is currently running, you should exit browser before continuing
>>> this operation. Type 'q <enter>' to abort, or <enter> to continue:
>>>
>>> Slot "NSS Internal Cryptographic Services" disabled.
>>> Slot "NSS User Private Key and Certificate Services" disabled.
>>> bash-3.00# modutil -enable "Sun Crypto Accelerator" -dbdir .
>>>
>>> WARNING: Performing this operation while the browser is running
>>> could cause corruption of your security databases. If the browser
>>> is currently running, you should exit browser before continuing
>>> this operation. Type 'q <enter>' to abort, or <enter> to continue:
>>>
>>> Slot "Sun Metaslot" enabled.
>>> Slot "Sun Crypto Softtoken" enabled.
>>>
>>> --------------------------------------------------------------------
>>>
>>> Now when I check the kstat for each connection, the rsaprivate is
>>> not getting increased, only aesjobs are increased. Also tried
>>> this test.
>>>
>>>     cryptoadm disable provider=mca/0 mechanism=all
>>>
>>> In this case, the handshake fails.
>>> But..., if I disable only RSA in the card,
>>>
>>>     cryptoadm disable provider=mca/0 mechanism=<all RSA mechanisms>
>>>
>>> it works, which means that the card is currently used for AES jobs
>>> and RSA jobs are done at the software level.
>>>
>>> The cryptoadm output is as below, which indicates the card is
>>> configured properly.
>>>
>>> bash-3.00# cryptoadm list
>>> User-level providers:
>>> Provider: /usr/lib/security/$ISA/pkcs11_kernel.so
>>> Provider: /usr/lib/security/$ISA/pkcs11_softtoken_extra.so
>>>
>>> Kernel software providers:
>>>         des
>>>         aes256
>>>         arcfour2048
>>>         blowfish448
>>>         sha1
>>>         sha2
>>>         md5
>>>         swrand
>>>
>>> Kernel hardware providers:
>>>         mca/0
>>>
>>> Please suggest.
>>>
>>> --------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> crypto-discuss mailing list
>>> crypto-discuss at opensolaris.org
>>> http://mail.opensolaris.org/mailman/listinfo/crypto-discuss
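
The check used throughout this thread is whether the card's rsaprivate counter moves between connections while aesjobs does. As an added example (not part of the original thread and not a Sun tool), this script compares two saved `kstat -p` snapshots and reports which counters changed. The statistic names rsaprivate and aesjobs come from the messages above; the "mca:0:mca0" kstat path and the sample values are constructed placeholders.

```shell
#!/bin/sh
# Added example: compare two saved `kstat -p` snapshots.
# Each input line is "module:instance:name:statistic<TAB>value".

# Print "statistic delta" for every numeric counter that changed.
# $1 = snapshot before the test connections, $2 = snapshot after.
kstat_delta() {
    awk '
        NR == FNR { before[$1] = $2; next }
        ($1 in before) && $2 ~ /^[0-9]+$/ && before[$1] ~ /^[0-9]+$/ {
            d = $2 - before[$1]
            if (d != 0) { n = split($1, part, ":"); print part[n], d }
        }
    ' "$1" "$2"
}

# Succeed only if statistic $1 increased between snapshots $2 and $3.
counter_moved() {
    kstat_delta "$2" "$3" | awk -v want="$1" '
        $1 == want && $2 > 0 { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample: "mca:0:mca0" is a placeholder kstat path; the
# values reproduce the symptom reported in the thread.
write_sample_snapshots() {
    printf 'mca:0:mca0:aesjobs\t120\nmca:0:mca0:rsaprivate\t0\n' > "$1/before"
    printf 'mca:0:mca0:aesjobs\t168\nmca:0:mca0:rsaprivate\t0\n' > "$1/after"
}

tmp=$(mktemp -d)
write_sample_snapshots "$tmp"
kstat_delta "$tmp/before" "$tmp/after"
if counter_moved rsaprivate "$tmp/before" "$tmp/after"; then
    echo "rsaprivate increased: RSA private-key operations reached the card"
else
    echo "rsaprivate unchanged: RSA private-key operations did not reach the card"
fi
rm -rf "$tmp"
```

On a live system the two snapshot files would be saved from `kstat -p` output for the card before and after a batch of TLS handshakes.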