On 08/19/09 10:49, Rishi Renjith wrote:
> Hello,
> The manual explains how to configure apache with mod_ssl. We want to use
> mod_nss with apache.
>
> Also we tried disabling the softtoken by giving
> modutil -disable "sun crypto accelerator" -slot "sun pkcs11 softtoken"
>
> but it doesn't seem to work, it again shows as enabled!!!
>
> Also the sca manual mentions that you can configure metaslot to use the
> h/w by using
> Cryptoadm enable metaslot token=ks
> This also we did but same result.
>
> Are we missing any more config here?

Possibly - I haven't set up apache with mod_nss and our card so I can't
answer that question. It's odd that you can't seem to get away from using
softtoken even though you've made the config changes I would have
suggested... maybe someone from the Solaris side will have an answer?

-gary

> ( the aes jobs are getting incremented in the kstat, so aes jobs are
> done in the card)
>
> On 19-Aug-09, at 8:56 PM, Gary.Morton at Sun.COM wrote:
>
>> Look at the SCA 6000 user's guide - configuring apache is documented.
>>
>> http://docs.sun.com/app/docs/prod/accel.600.brd?l=en&a=view
>>
>> -gary
>>
>> On 08/19/09 09:16, Gary.Morton at Sun.COM wrote:
>>> It looks like you are configured to use softtoken so the rsa private
>>> requests are handled there rather than the sca6000
>>> -gary
>>> On 08/19/09 07:34, Rishi Renjith wrote:
>>>> Hello, I tried creating an NSS database, linking it with the crypto card
>>>> and connecting using apache mod_nss. Everything works fine, except
>>>> that the rsaprivate jobs are not getting increased in the kstat of
>>>> the card.
>>>> This is what I did.
>>>>
>>>> bash-3.00# cd ../nssdb
>>>> bash-3.00# rm *
>>>> bash-3.00# certutil -N -d .
>>>> Enter a password which will be used to encrypt your keys. The
>>>> password should be at least 8 characters long, and should contain at
>>>> least one non-alphabetic character.
>>>> Enter new password:
>>>> Re-enter password:
>>>> bash-3.00# ls
>>>> cert8.db key3.db secmod.db
>>>> bash-3.00# chmod 777 *
>>>> bash-3.00# modutil -dbdir . -nocertdb -force -add "Sun Crypto Accelerator" -libfile /usr/lib/libpkcs11.so -mechanisms RSA:DSA:RC4:DES
>>>> Module "Sun Crypto Accelerator" added to database.
>>>> bash-3.00# modutil -list -dbdir .
>>>> Listing of PKCS #11 Modules
>>>> -----------------------------------------------------------
>>>> 1. NSS Internal PKCS #11 Module
>>>>    slots: 2 slots attached
>>>>    status: loaded
>>>>
>>>>    slot: NSS Internal Cryptographic Services
>>>>    token: NSS Generic Crypto Services
>>>>
>>>>    slot: NSS User Private Key and Certificate Services
>>>>    token: NSS Certificate DB
>>>>
>>>> 2. Sun Crypto Accelerator
>>>>    library name: /usr/lib/libpkcs11.so
>>>>    slots: 2 slots attached
>>>>    status: loaded
>>>>
>>>>    slot: Sun Metaslot
>>>>    token: Sun Metaslot
>>>>
>>>>    slot: Sun Crypto Softtoken
>>>>    token: Sun Software PKCS#11 softtoken
>>>> -----------------------------------------------------------
>>>> bash-3.00# certutil -S -x -n "cert309" -t "u,u,u" -k rsa -g 1024 -v 120 -s "cn=nobody,ou=Org,o=Sun,L=Santa Clara,ST=California,C=US" -d . -h "Sun Metaslot"
>>>> Enter Password or Pin for "Sun Metaslot":
>>>> A random seed must be generated that will be used in the creation of
>>>> your key. One of the easiest ways to create a random seed is to use
>>>> the timing of keystrokes on a keyboard.
>>>>
>>>> To begin, type keys on the keyboard until this progress meter is
>>>> full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
>>>>
>>>> Continue typing until the progress meter is full:
>>>> |************************************************************|
>>>> Finished. Press enter to continue:
>>>> Generating key. This may take a few moments...
>>>> Enter Password or Pin for "Sun Software PKCS#11 softtoken":
>>>> bash-3.00# certutil -K -d .
>>>> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
>>>> Enter Password or Pin for "NSS Certificate DB":
>>>> certutil: no keys found
>>>> bash-3.00# certutil -K -d . -h "Sun Software PKCS#11 softtoken"
>>>> certutil: Checking token "Sun Software PKCS#11 softtoken" in slot "Sun Crypto Softtoken"
>>>> Enter Password or Pin for "Sun Software PKCS#11 softtoken":
>>>> certutil: no keys found
>>>> bash-3.00# certutil -K -d . -h "Sun Metaslot"
>>>> certutil: Checking token "Sun Metaslot" in slot "Sun Metaslot"
>>>> Enter Password or Pin for "Sun Metaslot":
>>>> < 0> rsa      204a23dbb2e82d7d8c1495e3374dcd4462423e4c   Sun Metaslot:cert309
>>>> < 1> rsa      54ea6d93df1cfef13064aedc6f6c7f0dce34e7b6   Sun Metaslot:cert147
>>>> < 2> rsa      34d4a4974cf325e735dd23bb3a6b4680249f3550   (orphan)
>>>> < 3> rsa      2018eecb4c05eb25cd30be4de6f13ccaeadcb43d   Sun Metaslot:cert1151
>>>> < 4> rsa      61932a2d796fd8f6e82949059176e980cde5c55a   sanCert
>>>> < 5> rsa      4e752a9b4a76c1462d9aec76de1617e08d07ff42   Sun Metaslot:ismc_cert
>>>> bash-3.00# certutil -L -d .
>>>>
>>>> Certificate Nickname                                 Trust Attributes
>>>>                                                      SSL,S/MIME,JAR/XPI
>>>>
>>>> bash-3.00# certutil -L -d . -h "Sun Software PKCS#11 softtoken"
>>>>
>>>> Certificate Nickname                                 Trust Attributes
>>>>                                                      SSL,S/MIME,JAR/XPI
>>>>
>>>> Enter Password or Pin for "Sun Software PKCS#11 softtoken":
>>>> bash-3.00# certutil -L -d . -h "Sun Metaslot"
>>>>
>>>> Certificate Nickname                                 Trust Attributes
>>>>                                                      SSL,S/MIME,JAR/XPI
>>>>
>>>> Enter Password or Pin for "Sun Metaslot":
>>>> Sun Metaslot:cert309                                 u,u,u
>>>> Sun Metaslot:cert147                                 u,u,u
>>>> Sun Metaslot:cert1151                                u,u,u
>>>> Sun Metaslot:sanCert                                 u,u,u
>>>> Sun Metaslot:CACERT                                  CA ,,
>>>> Sun Metaslot:ismc_cert                               u,u,u
>>>> modutil -disable "NSS Internal PKCS #11 Module" -dbdir .
>>>>
>>>> WARNING: Performing this operation while the browser is running
>>>> could cause corruption of your security databases. If the browser is
>>>> currently running, you should exit browser before continuing this
>>>> operation. Type 'q <enter>' to abort, or <enter> to continue:
>>>>
>>>> Slot "NSS Internal Cryptographic Services" disabled.
>>>> Slot "NSS User Private Key and Certificate Services" disabled.
>>>> bash-3.00# modutil -enable "Sun Crypto Accelerator" -dbdir .
>>>>
>>>> WARNING: Performing this operation while the browser is running
>>>> could cause corruption of your security databases. If the browser is
>>>> currently running, you should exit browser before continuing this
>>>> operation. Type 'q <enter>' to abort, or <enter> to continue:
>>>>
>>>> Slot "Sun Metaslot" enabled.
>>>> Slot "Sun Crypto Softtoken" enabled.
>>>>
>>>> Now when I check the kstat for each connection, the rsaprivate is
>>>> not getting increased, only aesjobs are increased. Also tried this
>>>> test.
>>>> cryptoadm disable provider=mca/0 mechanism=all
>>>> In this case, the handshake fails.
>>>> But..., if I disable only RSA in the card,
>>>> cryptoadm disable provider=mca/0 mechanism=<all RSA mechanisms>
>>>> it works, which means that the card is currently used for AES jobs
>>>> and RSA jobs are done at the software level.
>>>>
>>>> The cryptoadm output is as below, which indicates the card is
>>>> configured properly.
>>>> bash-3.00# cryptoadm list
>>>> User-level providers:
>>>> Provider: /usr/lib/security/$ISA/pkcs11_kernel.so
>>>> Provider: /usr/lib/security/$ISA/pkcs11_softtoken_extra.so
>>>>
>>>> Kernel software providers:
>>>>         des
>>>>         aes256
>>>>         arcfour2048
>>>>         blowfish448
>>>>         sha1
>>>>         sha2
>>>>         md5
>>>>         swrand
>>>>
>>>> Kernel hardware providers:
>>>>         mca/0
>>>>
>>>> Please suggest.
>>>>
>>>> _______________________________________________
>>>> crypto-discuss mailing list
>>>> crypto-discuss at opensolaris.org
>>>> http://mail.opensolaris.org/mailman/listinfo/crypto-discuss
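The diagnostic that settles the question in this thread is the one Rishi did by hand: snapshot the card's kstat counters, run one TLS handshake, snapshot again, and see whether rsaprivate moved along with aesjobs. If only aesjobs advances, the RSA private-key operation is being performed by the softtoken rather than the card. The POSIX sh helper below automates that comparison. It is an added example, not code from the thread, from Sun, or from the SCA 6000 documentation; the snapshot layout follows the parseable "module:instance:name:statistic value" style of `kstat -p`, the instance/name "mca:0:mca0" and the counter values are constructed for the example, and the stat names aesjobs and rsaprivate are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Compares two kstat snapshots taken
# before and after a single TLS handshake and reports where the RSA private
# operation ran. Snapshot format assumed: "module:instance:name:stat<TAB>value"
# as printed by `kstat -p mca:0` (assumed invocation); the values below are
# constructed so the script runs offline.

BEFORE=$(printf 'mca:0:mca0:aesjobs\t100\nmca:0:mca0:rsaprivate\t7\nmca:0:mca0:rsapublic\t3\n')
AFTER=$(printf 'mca:0:mca0:aesjobs\t112\nmca:0:mca0:rsaprivate\t7\nmca:0:mca0:rsapublic\t3\n')

# stat_value SNAPSHOT STATNAME: print the value of STATNAME, or 0 if absent.
# The last colon-separated component of field 1 is the statistic name.
stat_value() {
    printf '%s\n' "$1" | awk -v want="$2" '
        { n = split($1, f, ":"); if (f[n] == want) { print $2; found = 1 } }
        END { if (!found) print 0 }'
}

# counter_delta BEFORE AFTER STATNAME: how far STATNAME advanced between snapshots.
counter_delta() {
    echo $(( $(stat_value "$2" "$3") - $(stat_value "$1" "$3") ))
}

# rsa_private_location BEFORE AFTER: "card" if the card's rsaprivate counter
# advanced during the handshake, "software" if it stayed flat (the thread's symptom).
rsa_private_location() {
    if [ "$(counter_delta "$1" "$2" rsaprivate)" -gt 0 ]; then
        echo card
    else
        echo software
    fi
}

# Human-readable report for the constructed snapshots above.
report() {
    printf 'aesjobs delta:    %s\n' "$(counter_delta "$BEFORE" "$AFTER" aesjobs)"
    printf 'rsaprivate delta: %s\n' "$(counter_delta "$BEFORE" "$AFTER" rsaprivate)"
    printf 'RSA private ops:  %s\n' "$(rsa_private_location "$BEFORE" "$AFTER")"
}

report
```

With the constructed snapshots the report shows aesjobs advancing by 12 and rsaprivate by 0, i.e. "software", which is the state the thread describes; on a correctly wired setup the same handshake would move rsaprivate by 1 per full RSA key exchange. To use it against real data, replace BEFORE and AFTER with the output of two kstat runs bracketing one client connection.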