Configuring Sun Java System Messaging Server and UltraSPARC T1/T2 Hardware SSL Acceleration

Durga Tirunagari, December 2006
Shane Hjorth, December 2008 (Updated)

This article describes how to configure Sun Java System Messaging Server for SSL and the Solaris Cryptographic Framework (SCF) to use the Cryptographic Accelerator of the UltraSPARC T1 and T2 processors. This is a three-step process where you configure Messaging Server for SSL (optional), configure the Solaris Cryptographic Framework, then configure Messaging Server to use SCF.

This article contains the following sections:

Note This article was initially published as Configuring Sun Java System Messaging Server 6.3 and Solaris Cryptographic Framework on Systems With UltraSPARC T1 Processors.

Introduction to the Components Discussed in This Article

This section describes the components discussed in this article.

About Sun Java System Messaging Server

Sun Java System Messaging Server is a high-performance, highly secure messaging platform. Scaling from thousands to millions of users, Messaging Server is suitable for both service providers and enterprises interested in consolidating email servers and reducing total cost of ownership of communications infrastructure. Messaging Server also provides extensive security features that help ensure the integrity of communications through user authentication, session encryption, and the appropriate content filtering to help prevent spam and viruses. Security is a very critical aspect of Messaging Server.

About the Solaris Cryptographic Framework

The Solaris Cryptographic Framework (SCF) provides a common store of algorithms and PKCS#11 libraries to handle cryptographic requirements. The PKCS#11 libraries are implemented according to the cryptography standard created by RSA Security Inc., PKCS#11 Cryptographic Token Interface (Cryptoki). See Chapter 8, Introduction to the Solaris Cryptographic Framework, in Solaris Security for Developers Guide and Further Reading for more information. The Solaris Cryptographic Framework is available in the Solaris 10 Operating System and Solaris Express releases.

A PKCS#11 module (also called a cryptographic module or a cryptographic service provider ) manages cryptographic services such as encryption and decryption via the PKCS#11 interface. PKCS#11 modules can be thought of as drivers for cryptographic devices that can be implemented in either software or hardware. A PKCS#11 module always has one or more slots, which can be implemented as physical hardware slots in some form of physical reader (for example, for smart cards) or as conceptual software slots. Each slot for a PKCS#11 module can in turn contain a token, which is the hardware or software device that actually provides cryptographic services and optionally stores certificates and keys. A hardware token is a PKCS#11 token implemented in physical devices, such as hardware accelerators and smart cards. A software token is a PKCS#11 token implemented entirely in software.

Messaging Server is by default configured to use the NSS built-in soft token for its cryptographic needs. Any PKCS#11 module that supports PKCS#11 can be used with NSS libraries, so the Solaris Cryptographic Framework can be used as the cryptographic service provider for Messaging Server.

About the UltraSPARC T1 Processor

Asymmetric Cryptography is also commonly called Public Key Infrastructure (PKI) cryptography. PKI cryptography is up to 1000 times more CPU intensive than symmetric cryptography. The Rivest, Shamir, Adelman (RSA) algorithm uses modular arithmetic to enable the concept of public and private keys. Typically, only the RSA operations that use public key cryptography are offloaded to a hardware accelerator. So the accelerator card performs the asymmetric cryptography operations and the symmetric cryptography operations are performed by the server's main processor.

RSA operations are an important component of the SSL full handshake. Each core of the UltraSPARC T1 Processor has a MAU (Modular Arithmetic Unit), which supports RSA and DSA operations. RSA operations utilize a compute-intensive algorithm that can be offloaded to the MAU. The MAU is capable of sustaining 14000 RSA operations per second. Moving RSA operations to the MAU speeds full handshake performance and frees the CPU. In terms of the Solaris Cryptographic Framework, the MAU is implemented as a Service Provider (ncp(7D)-Niagara crypto provider device driver). There is a great deal of performance improvement with a hardware accelerator.

About the UltraSPARC T2 Processor

Although the MAU (Modular Arithmetic Unit) provided in the UltraSPARC T1 helped to reduce the overhead of the computationally expensive SSL handshake, the role of encrypting/decrypting and hashing the data transferred between the client and the server was still performed by the CPU cores. The UltraSPARC T2 adds a per-core Streams Processing Unit (SPU) which offers an Encryption/Decryption and Hash-Operations offload engine. The SPU can be used to offload DES, 3DES, AES-128, AES-192, AES-256, RC4, MD5, SHA1, SHA256 operations. It also offers ECCp-160 and ECCb-163 used in Public Key exchange.

In addition to Encryption/Decryption/Hash functionality, the UltraSPARC T2 processor added an on-chip Random Number Generator which is normally used by cryptographic applications for entropy data.

High-Level Overview

Configuring Messaging Server to use the Sun Cryptographic Accelerator of the UltraSPARC T1 and T2 processor involves the following high-level operations:

1. Configuring Messaging Server for SSL
2. Configuring individual Messaging Server processes (servers) for SSL
3. Configuring the Solaris Cryptographic Framework (SCF) for Messaging Server
4. Configuring Messaging Server to use the external token
5. Starting Messaging Server services
6. Verifying the Operational SCF

Configuring Messaging Server for SSL

This section describes the procedures you use to create the secmod, key3, and cert8 databases, obtain a certificate, and install the certificate for the NSS built-in soft token. Completing such procedures enables SSL on your Messaging Server deployment.

If you already have a Messaging Server deployment configured for SSL, skip this section and proceed to Configuring Individual Messaging Processes for SSL.

About the msgcert Command

The msgcert command is the primary mechanism for managing certificates. It allows you to generate a certificate request, add a certificate to the certificate database, list certificates in the certificate database, and so on. The msgcert command, like all Messaging Server commands, runs as mailsrv. Thus, even if you execute msgcert as root, it executes as the Messaging Server user. The msgcert utility is located in the Messaging-Server-Root/sbin directory, where Messaging-Server-Root is the location of the Messaging Server installation, by default:

• Messaging Server 6.3: /opt/SUNWmsgsr
• Messaging Server 7 32-bit: /opt/sun/comms/messaging
• Messaging Server 7 64-bit: /opt/sun/comms/messaging64

For detailed information about the msgcert command, type:

Messaging-Server-Root/sbin/msgcert --help

To Create the Certificate Database and Add Certificate/Key Pairs

The following procedure generates secmod, key3 and cert8 databases and also creates the sslpassword.conf file. By default, certificates are generated in the Messaging-Server-Root/config directory.

You can also specify the location and prefix of the certificate databases by using the following configuration local.ssldbprefix parameter.

The Messaging Server user (for example, mailsrv) should be able to read and write to local.ssldbpath.

1. Change directories to the Messaging Server sbin directory, for example:

   cd /opt/sun/comms/messaging64/sbin
   

2. Run the following command:

   ./msgcert generate-certDB
   

   This utility prompts you for a password to protect the keys and certificates in the certificate database.

3. Choose the Certificate Database password. (The password is not echoed on the screen.)
4. Confirm the Certificate Database password. (The password is not echoed on the screen.)
5. Confirm that the required databases and the sslpassword.conf file were created.

   # ls -lrt ../config/*.db ../config/sslpassword.conf
   -rw-------   1 mailsrv  mail       32768 Nov 16 04:40 ../config/secmod.db
   -rw-------   1 mailsrv  mail       65536 Nov 16 04:40 ../config/cert8.db
   -rw-------   1 mailsrv  mail       32768 Nov 16 04:40 ../config/key3.db
   -rw-r-----   1 mailsrv  mail          36 Nov 16 04:40 ../config/sslpassword.conf
   
   # cat ../config/sslpassword.conf
   Internal (Software) Token:12345678
   

To Obtain a Certificate

By default, the msgcert command creates a self-signed-certificate with the nickname Server-Cert. You can either remove this or use the self-signed-certificate.

The following example shows how to remove this default self-signed-certificate:

./msgcert remove-cert -W Messaging-Server-Root/config/sslpassword Server-Cert

1. Request a CA-signed server certificate.
   Specify the cert request to be in ASCII format (the default is binary) for the msgcert request-cert command. The resulting certificate request is a PKCS#10 certificate request in Privacy Enhanced Mail (PEM) format. PEM is format specified by RFCs 1421 through 1424 (RFC 1421) and used to represent a base64-encoded certificate request in US-ASCII characters.
   For example:

   # echo "12345678" > /opt/sun/comms/messaging64/config/sslpassword
   

   Note This is the same password you used to generate the certificate database.

   # ./msgcert request-cert  -W /opt/sun/comms/messaging64/config/sslpassword
   --name "foobar.siroe.com" --org "Development" --org-unit "Comms" --city
   Santaclara --state California --country us -F ascii -o /tmp/MyCertRequest
   

   The content of the Certificate Signing Request (CSR) looks similar to this:

   # cat /tmp/MyCertRequest
   
   -----BEGIN NEW CERTIFICATE REQUEST-----
   MIIBvzCCASgCAQAwfzELMAkGA1UEBhMCdXMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
   EzARBgNVBAcTClNhbnRhY2xhcmExDjAMBgNVBAsTBWNvbW1zMRQwEgYDVQQKEwtE
   ZXZlbG9wbWVudDEgMB4GA1UEAxMXYmlvdGl0ZS5yZWQuaXBsYW5ldC5jb20wgZ8w
   DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALFCDfmu1uYFy3DtHAo/kJUFqXF6utq2
   ga+Tow2PNEyuX+70SqyZ0vFwiL8di9b1mLMHLp3WBDPmXjVfNkANHk6Q38RlfyzT
   7iYpvhi6+4OVthzC65FaqwnEEiodZ7z7yx8vRhj4lVxeoNJpJexGr1MHuYr8tobe
   ljgEmrLP17aNAgMBAAGgADANBgkqhkiG9w0BAQQFAAOBgQANzqjEwcnnmdXjo/KH
   buolHi1hNEYoDsXWIlTi78xkH+7gtfCPkymFzTy5mS58PzAqyWm81MZKXj39C+Eq
   DOCJmZYRt3lG6wo0M8nMoQLHsVSHfGZxOyppupzYsmVfszhczr0EEHJP66itDPW2
   /jHGRbhXfeJNhKsisscd/YYkEQ==
   -----END NEW CERTIFICATE REQUEST-----
   

2. Transmit the CSR to your Certificate Authority, according to its procedures.
   The process for obtaining your Certificate Authority certificate differs depending on the certificate authority you use. Some commercial CAs provide a web site that enables you to automatically download the certificate. Other CAs email the certificate to you upon request. After you have sent your request, you must wait for the CA to respond with your certificate.
   
3. Save the certificate you receive back from the Certificate Authority.
   You should back up your certificates in a safe location. If you ever lose the certificates, you can reinstall them by using your backup file. You can save the certificates as text files. The PKCS#11 certificate in PEM format looks similar to the following:

   -----BEGIN CERTIFICATE-----
   MIIDmTCCAwKgAwIBAgIBZjANBgkqhkiG9w0BAQQFADCBhjELMAkGA1UEBhMCVVMx
   EzARBgNVBAgTCkNhbGlmb3JuaWExDzANBgNVBAoTBlNTRS1TVzEPMA0GA1UECxMG
   UG9ydGFsMRgwFgYDVQQDEw9WZWVyYSBOYXRhcmFqYW4xJjAkBgkqhkiG9w0BCQEW
   F3ZlZXJhLm5hdGFyYWphbkBzdW4uY29tMB4XDTA2MTExNjA3MDIyN1oXDTA3MTEx
   NjA3MDIyN1owfzELMAkGA1UEBhMCdXMxEzARBgNVBAgTCkNhbGlmb3JuaWExEzAR
   BgNVBAcTClNhbnRhY2xhcmExFDASBgNVBAoTC0RldmVsb3BtZW50MQ4wDAYDVQQL
   EwVjb21tczEgMB4GA1UEAxMXYmlvdGl0ZS5yZWQuaXBsYW5ldC5jb20wgZ8wDQYJ
   KoZIhvcNAQEBBQADgY0AMIGJAoGBALFCDfmu1uYFy3DtHAo/kJUFqXF6utq2ga+T
   ow2PNEyuX+70SqyZ0vFwiL8di9b1mLMHLp3WBDPmXjVfNkANHk6Q38RlfyzT7iYp
   vhi6+4OVthzC65FaqwnEEiodZ7z7yx8vRhj4lVxeoNJpJexGr1MHuYr8tobeljgE
   mrLP17aNAgMBAAGjggEbMIIBFzAJBgNVHRMEAjAAMDUGCWCGSAGG+EIBDQQoFiZT
   dW5PTkUtUFRTIFBvcnRhbDogT3BlblNTTCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQU
   wkhhgKwbt1P8SXrRHpesVuhel0gwgbMGA1UdIwSBqzCBqIAUIALOde3lgiZiUwXo
   PTiN/YaJKoihgYykgYkwgYYxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9y
   bmlhMQ8wDQYDVQQKEwZTU0UtU1cxDzANBgNVBAsTBlBvcnRhbDEYMBYGA1UEAxMP
   VmVlcmEgTmF0YXJhamFuMSYwJAYJKoZIhvcNAQkBFhd2ZWVyYS5uYXRhcmFqYW5A
   c3VuLmNvbYIBADANBgkqhkiG9w0BAQQFAAOBgQAdsOxEygD/Rbj4NWHhTrAZcn2B
   mWv40MFS1oAgJSMc5BPTBGHcSnnLEh0ZApFLfWknVro4ubW3mb5ByaHoR3sOsxAO
   4705avDUgX2g+4V80ef2CVOo5AoZRNMgVMt4Ju3D1PDZsDWQstbfV3PTeMyAzy/7
   NZh1+adCuh8J+Rhl4Q==
   -----END CERTIFICATE-----
   

4. Follow the same steps described above to obtain additional certificates.

To Add Certificates to the NSS Software Token

1. Save the signed certificate into a temporary location, for example, /tmp/caissuedFirstCert.
   For this example, a second signed certificate was also obtained using the previous procedure and saved as /tmp/caissuedSecondCert.
   
2. Install the CA-signed server certificates, for example:

   ./msgcert add-cert  -W /opt/sun/comms/messaging64/config/sslpassword Server-Cert \
   /tmp/caissuedFirstCert
   
   ./msgcert add-cert  -W /opt/sun/comms/messaging64/config/sslpassword SolCrypto-Framework \
   /tmp/caissuedSecondCert
   

3. Repeat Steps 1 and 2 for other certificates you have obtained.
   
4. Verify that the certificates have been successfully installed, for example:

   ./msgcert list-certs -W /opt/sun/comms/messaging64/config/sslpassword
   ....
   2 certificates found
   

Configuring Individual Messaging Processes for SSL

This section describes the procedures you use to configure the various Messaging Server processes for SSL.

To Configure MMP for SSL

1. Set the SSL certificate nickname.
   Edit the ImapProxyAService.cfg and PopProxyAService.cfg files as follows, modifying the line default:SSLCertNickNames to "Server-Cert".

   # cd /opt/sun/comms/messaging64/data/config
   ImapProxyAService.cfg: default:SSLCertNicknames  "Server-Cert"
   PopProxyAService.cfg:  default:SSLCertNicknames  "Server-Cert"
   

2. To enable SSL and IMAP, edit the ImapProxyAService.cfg file and uncomment the relevant SSL settings.
   A sample ImapProxyAService.cfg file resembles the following:

   # SSL configuration
   #
   #  Enable SSL from client to MMP with this:
   default:SSLEnable        yes
   default:SSLPorts         993
   default:SSLCertNicknames  Server-Cert
   #  Password File for SSL server keys:
   default:SSLKeyPasswdFile /opt/sun/comms/messaging64/data/config/sslpassword.conf
   #  Where SSL session cache, secmod, cert, and key files are located:
   default:SSLCacheDir      /opt/sun/comms/messaging64/data/config
   #  Customizable SSL security module database file name:
   default:SSLSecmodFile     secmod.db
   #  Customizable SSL {{cert7.db}} and {{key3.db}} file prefixes:
   default:SSLCertPrefix     ""
   default:SSLKeyPrefix      ""
   #  Use SSL on this port when talking to the backend server (0 = don't use SSL)
   default:SSLBacksidePort   993
   

3. To enable SSL and POP, edit the PopProxyAService.cfg file and uncomment the relevant SSL settings.
   
4. Edit the AService.cfg file.
   For POP and SSL, add |995 after the 110 in the ServiceList setting.
   For IMAP and SSL, add |993 after 143.
   The AService.cfg file should resemble the following:

   default:ServiceList  /opt/sun/comms/messaging64/ImapProxyAService@143|993
   /opt/sun/comms/messaging64/lib/PopProxyAService@110|995
   

To Configure IMAP for SSL

1. Use the configutil command to set the following configuration parameters to enable SSL:

   ./configutil -o service.imap.enablesslport -v yes
   ./configutil -o service.imap.enable -v 1
   ./configutil -o service.imap.sslport -v 993
   ./configutil -o service.imap.sslusessl -v yes
   

2. Use the configutil command to set the SSL certificate nickname:

   ./configutil -o encryption.rsa.nssslpersonalityssl -v "Server-Cert"
   

To Configure POP for SSL

1. Use the configutil command to set the following configuration parameters to enable SSL:

   ./configutil -o service.pop.enablesslport -v yes
   ./configutil -o service.pop.enable -v 1
   ./configutil -o service.pop.sslport -v 995
   ./configutil -o service.pop.sslusessl -v yes
   

2. Use the configutil command to set the SSL certificate nickname:

   ./configutil -o encryption.rsa.nssslpersonalityssl -v "Server-Cert"
   

To Configure HTTP for SSL

1. Use the configutil command to set the following configuration parameters to enable SSL:

   ./configutil -o service.http.enablesslport -v yes
   ./configutil -o service.http.enable -v 1
   ./configutil -o service.http.sslport -v 443
   ./configutil -o service.http.sslusessl -v yes
   

2. Use the configutil command to set the SSL certificate nickname:

   ./configutil -o encryption.rsa.nssslpersonalityssl -v "Server-Cert"
   

To Configure SMTP for SSL

1. Use the configutil command to set the SSL certificate nickname:

   ./configutil -o encryption.rsa.nssslpersonalityssl -v "Server-Cert"
   

2. To enable SSL encryption for outgoing messages, modify the channel definitions to include the TLS channel keywords such as maytls, musttls, and so on.
3. Uncomment the TLS_PORT entry (in the dispatcher.cnf file located in the Messaging-Server-Root/config directory if you want to support SSL on an alternate port.
   For example: port 465

   TLS_PORT=465
   

   Note You can also use a per-service configuration setting for the SSL certificate nicknames. The configuration parameters, which have the same meaning (that is, the nickname) and override the encryption.rsa.sslpersonalityssl setting, are: local.imta.sslnicknames (for the SMTP and Submit Servers) local.imap.sslnicknames (for the IMAP Server) local.pop.sslnicknames (for the POP Server) local.http.sslnicknames (for the HTTP Server)

To Verify the SSL Configuration

1. Use the netstat command to verify that the service is running.

For example:

netstat -an | grep <service._service_.sslport>
(where _service_ is a keyword mmp, imap, pop, http, or smtp)

e.g.

# ./configutil -o service.imap.sslport 
993
# netstat -an | grep 993 
      *.993                *.*                0      0 49152      0 LISTEN

1. Check for errors in the Messaging Server log files.
   Log files are located in the Messaging-Server-Root/log directories. For example, check the imap log to make sure that there are no SSL initialization errors (ASockSSL_Init errors).

Configuring the Solaris Cryptographic Framework (SCF)

Because the Solaris Cryptographic Framework software token contains private information, you use the pktool(1) command to set a password on the token. This command initializes the user's default keystore by logging in to the system as the application owner (the Messaging Server user).

To Set Up the SCF Software Token Pin

Running the pktool setpin command initializes the soft token data store in the $HOME/.sunw/pkcs11_softtoken/ directory. These files are created to be accessible only to the owner, to protect their contents. This also means that you need to perform the initialization as the same user that is used to run Messaging Server (that is, mailsrv), so this user has access to the right data store.

1. Become the mailsrv user.

   su mailsrv
   

2. Run the id command to verify you are the mailsrv user.

   $ id
   uid=207023(mailsrv) gid=6(mail)
   

3. Run the pktool command.

   $ pktool setpin
   

4. Enter the current passphrase. The default initial passphrase is changeme
5. Create the new passphrase. (The passphrase is not echoed on the screen.)
   You use this passphrase to import the certificate/key pair into the SCF token.
6. Reenter the passphrase. (The passphrase is not echoed on the screen.)
   You are notified that the passphrase is changed.
7. Change to the mailsrv home directory e.g. /export/home/mailsrv

   cd /export/home/mailsrv
   

8. Check permissions.

   $ ls -alrR
   ..:
   total 6
   drwx------   3 mailsrv  mail         512 Nov 16 17:21 .sunw
   drwxr-xr-x   4 root     sys          512 Oct 31 12:31 ..
   drwxrwxrwx   3 root     root         512 Nov 16 17:21 .
   
   ../.sunw:
   total 6
   drwx------   4 mailsrv  mail         512 Nov 16 17:21 pkcs11_softtoken
   drwxrwxrwx   3 root     root         512 Nov 16 17:21 ..
   drwx------   3 mailsrv  mail         512 Nov 16 17:21 .
   
   ../.sunw/pkcs11_softtoken:
   total 10
   drwx------   2 mailsrv  mail         512 Nov 16 17:21 public
   drwx------   2 mailsrv  mail         512 Nov 16 17:21 private
   -rw-------   1 mailsrv  mail         103 Nov 16 17:21 objstore_info
   drwx------   3 mailsrv  mail         512 Nov 16 17:21 ..
   drwx------   4 mailsrv  mail         512 Nov 16 17:21 .
   
   ../.sunw/pkcs11_softtoken/public:
   total 4
   drwx------   4 mailsrv  mail         512 Nov 16 17:21 ..
   drwx------   2 mailsrv  mail         512 Nov 16 17:21 .
   
   ../.sunw/pkcs11_softtoken/private:
   total 4
   drwx------   4 mailsrv  mail         512 Nov 16 17:21 ..
   drwx------   2 mailsrv  mail         512 Nov 16 17:21 .
   

To Administer the Cryptographic Framework by Using cryptoadm

The cryptoadm utility displays cryptographic provider information for a system, configures the mechanisms for each provider, and installs or uninstalls a cryptographic provider. The Solaris Cryptographic Framework supports three types of providers: a user-level provider (a PKCS#11 shared library), a kernel provider (a loadable kernel software module), and a kernel hardware provider (a cryptographic hardware device). The cryptoadm utility provides subcommands to enable and disable the metaslot's features, list metaslot's configuration, and also configure the metaslot's mechanisms policy.

1. You can list all the service providers and their cryptographic mechanisms in the Solaris Cryptographic Framework by running the cryptoadm list -m. Verify that ncp and pkcs11_softtoken.so are available as cryptographic providers. Because NCP is a kernel provider, pkcs11_kernel.so should appear before pkcs11_softtoken.so in the output.
   Following is a partial output of this command on an UltraSPARC T1 based system e.g. T1000, T2000.

   # cryptoadm list -m
   
   User-level providers:
   =====================
   Provider: /usr/lib/security/$ISA/pkcs11_kernel.so
   Mechanisms:
   CKM_DSA
   CKM_RSA_X_509
   CKM_RSA_PKCS
   
   Provider: /usr/lib/security/$ISA/pkcs11_softtoken.so
   Mechanisms:
   CKM_DES_CBC
   CKM_DES_CBC_PAD
   CKM_DES_ECB
   CKM_DES_KEY_GEN
   [.... so on ...]
   CKM_DSA
   CKM_DSA_SHA1
   CKM_DSA_KEY_PAIR_GEN
   [.... so on ...]
   CKM_TLS_MASTER_KEY_DERIVE_DH
   CKM_SSL3_KEY_AND_MAC_DERIVE
   CKM_TLS_KEY_AND_MAC_DERIVE
   CKM_TLS_PRF
   
   Kernel software providers:
   ==========================
   des: CKM_DES_ECB,CKM_DES_CBC,CKM_DES3_ECB,CKM_DES3_CBC
   aes: CKM_AES_ECB,CKM_AES_CBC,CKM_AES_CTR
   [.... so on ...]
   sha1: CKM_SHA_1,CKM_SHA_1_HMAC,CKM_SHA_1_HMAC_GENERAL
   md5: CKM_MD5,CKM_MD5_HMAC,CKM_MD5_HMAC_GENERAL
   rsa:CKM_RSA_PKCS,CKM_RSA_X_509,CKM_MD5_RSA_PKCS,CKM_SHA1_RSA_PKCS,CKM_SHA256_RSA_PKCS,
   CKM_SHA384_RSA_PKCS,CKM_SHA512_RSA_PKCS
   swrand: No mechanisms presented.
   
   Kernel hardware providers:
   ==========================
   ncp/0: CKM_DSA,CKM_RSA_X_509,CKM_RSA_PKCS
   

   Following is a partial output of this command on an UltraSPARC T2 based system e.g. T5120, T5220.

   User-level providers:
   =====================
   
   Provider: /usr/lib/security/$ISA/pkcs11_kernel.so
   Mechanisms:
   CKM_DES_CBC                  
   CKM_DES_CBC_PAD              
   CKM_DES_ECB      
   [.... so on ...]                         
   CKM_ECDSA_KEY_PAIR_GEN       
   CKM_ECDH1_DERIVE             
   CKM_ECDSA                    
   
   Provider: /usr/lib/security/$ISA/pkcs11_softtoken_extra.so
   Mechanisms:
   CKM_DES_CBC                  
   CKM_DES_CBC_PAD              
   CKM_DES_ECB                  
   [.... so on ...]  
   CKM_SSL3_KEY_AND_MAC_DERIVE  
   CKM_TLS_KEY_AND_MAC_DERIVE   
   CKM_TLS_PRF                  
   
   Kernel software providers:
   ==========================
   des: CKM_DES_ECB,CKM_DES_CBC,CKM_DES3_ECB,CKM_DES3_CBC
   aes256: CKM_AES_ECB,CKM_AES_CBC,CKM_AES_CTR
   arcfour2048: CKM_RC4
   [.... so on ...]
   md5: CKM_MD5,CKM_MD5_HMAC,CKM_MD5_HMAC_GENERAL
   rsa: CKM_RSA_PKCS,CKM_RSA_X_509,CKM_MD5_RSA_PKCS,CKM_SHA1_RSA_PKCS,CKM_SHA256_RSA_PKCS,CKM_SHA384_RSA_PKCS
   ,CKM_SHA512_RSA_PKCS
   swrand: No mechanisms presented.
   
   Kernel hardware providers:
   ==========================
   n2cp/0: CKM_DES_CBC,CKM_DES_CBC_PAD,CKM_DES_ECB,CKM_DES3_CBC,CKM_DES3_CBC_PAD,CKM_DES3_ECB,CKM_AES_CBC,CKM
   _AES_CBC_PAD,CKM_AES_ECB,CKM_AES_CTR,CKM_RC4,CKM_MD5,CKM_SHA_1,CKM_SHA256,CKM_MD5_HMAC,CKM_SHA_1_HMAC,CKM_
   SHA256_HMAC,CKM_MD5_HMAC_GENERAL,CKM_SHA_1_HMAC_GENERAL,CKM_SHA256_HMAC_GENERAL,CKM_SSL3_MD5_MAC,CKM_SSL3_
   SHA1_MAC
   ncp/0: CKM_DSA,CKM_RSA_X_509,CKM_RSA_PKCS,CKM_RSA_PKCS_KEY_PAIR_GEN,CKM_DH_PKCS_KEY_PAIR_GEN,CKM_DH_PKCS_D
   ERIVE,CKM_ECDSA_KEY_PAIR_GEN,CKM_ECDH1_DERIVE,CKM_ECDSA
   n2rng/0: No mechanisms presented.
   

2. Disable the use of the following user-level mechanisms, forcing them to be performed by the NCP.

   # cryptoadm disable provider=/usr/lib/security/'$ISA'/pkcs11_softtoken_extra.so \
   mechanism=CKM_SSL3_PRE_MASTER_KEY_GEN,\
   CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_KEY_AND_MAC_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE_DH,\
   CKM_SSL3_MD5_MAC,CKM_SSL3_SHA1_MAC
   

3. Verify that the user-level mechanisms are disabled.

   # cryptoadm list -p provider=/usr/lib/security/'$ISA'/pkcs11_softtoken_extra.so
   /usr/lib/security/$ISA/pkcs11_softtoken_extra.so: all mechanisms are enabled, except CKM_SSL3_SHA1_MAC,CKM_SSL3_MD5_MAC,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_SSL3_KEY_AND_MAC_DERIVE,
   CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_PRE_MASTER_KEY_GEN. random is enabled.
   

To Configure the SCF Provider

NSS uses secmod.db to keep track of the PKCS#11 modules available. You can use the security Module Database Tool modutil, a CLI that comes with NSS to manage PKCS#11 module information within secmod.db files. The Security Module Database Tool enables you to add and delete PKCS#11 modules, change passwords, set defaults, list module contents, and enable or disable slots.
As of Messaging Server 7, the modutil CLI tool is no longer bundled with the Messaging Server software. Rather it is provided as part of the SUNWtlsu NSS package which is distributed with Communication Suite 6 and above. By default this package installs to /usr/sfw/bin.
This example assumes that you are running modutil from the default install directory and cert8.db, secmod.db, and key3.db are located under the default Messaging Server 64-bit config directory.

1. List all the available PKCS#11 modules.
   Using modutil, you can list all the available PKCS#11 modules. By default, NSS has an internal PKCS#11 module.

   # /usr/sfw/bin/modutil -dbdir /opt/sun/comms/messaging64/config -nocertdb -list
   
   Using database directory /opt/sun/comms/messaging64/config...
   
   Listing of PKCS #11 Modules
   -----------------------------------------------------------
     1. NSS Internal PKCS #11 Module
            slots: 2 slots attached
           status: loaded
   
            slot: NSS Internal Cryptographic Services                            
           token: NSS Generic Crypto Services
   
            slot: NSS User Private Key and Certificate Services                  
           token: NSS Certificate DB
   -----------------------------------------------------------
   

2. List the contents of the default NSS soft token. The file sslpassword contains the password to the Certificate Database.

   # /opt/sun/comms/messaging64/bin/msgcert list-certs -W /opt/sun/comms/messaging64/config/sslpassword
   
   Alias                 Valid from           Expires on        Self-signed?      Issued by      Issued to
   
   Server-Cert           2006/11/15 23:02     2007/11/15 23:02        n
   CN=CA,OU=test,O=authority,ST=California,C=US CN=foobar.siroe.com,OU=comms,O=Dev,L=Santaclara,ST=California,C=us
   SolCrypto-Framework   2006/11/16 00:14     2007/11/16 00:14        n
   CN=CA,OU=test,O=authority,ST=California,C=US CN=SCF,OU=comms,O=Dev,L=Santaclara,ST=California,C=us
   2 certificates found
   

To Add the Solaris Cryptographic Framework as a Service Provider

Messaging Server is configured to use the NSS built-in soft token for its cryptographic needs, which employs PKCS#11 to access cryptography. You can modify the Messaging Server configuration to use the User-Level Cryptographic Framework of the Solaris Cryptographic Framework, out of the box, by linking to the Operating System libpkcs11.so library to get direct access to the PKCS#11 functionality. That is, you register the Solaris Cryptographic Framework as a PKCS#11 module.
Solaris provides two libpkcs11.so files, one for 32-bit applications (/usr/lib/libpkcs11.so) and the other for 64-bit applications (/usr/lib/sparcv9/libpkcs11.so).
The following steps will vary depending on whether you are running the 32-bit or 64-bit version of Messaging Server and whether you are using an UltraSPARC T1 or UltraSPARC T2 based processor system.

1. Register the libpkcs11.so PKCS#11 library with the Messaging Server software and enable the slot named Sun Metaslot.
   • For 32-bit Messaging Server on UltraSPARC T1 based systems.

     # /usr/sfw/bin/modutil -dbdir /opt/sun/comms/messaging/config/ -nocertdb -add "Solaris Crypto Framework" \
     -libfile /usr/lib/libpkcs11.so -mechanisms RSA
     
     WARNING: Performing this operation while the browser is running could cause corruption
     of your security databases. If the browser is currently running,
     you should exit browser before continuing this operation. Type 'q <enter>' to abort,
     or <enter> to continue:
     
     Using database directory ../config...
     
     Module "Solaris crypto Framework" added to database.
     

   • For 64-bit Messaging Server on UltraSPARC T1 based systems.

     # /usr/sfw/bin/sparcv9/modutil -dbdir /opt/sun/comms/messaging64/config/ -nocertdb -add \
     "Solaris Crypto Framework" -libfile /usr/lib/sparcv9/libpkcs11.so -mechanisms RSA
     
     WARNING: Performing this operation while the browser is running could cause corruption
     of your security databases. If the browser is currently running,
     you should exit browser before continuing this operation. Type 'q <enter>' to abort,
     or <enter> to continue:
     
     Using database directory ../config...
     
     Module "Solaris crypto Framework" added to database.
     

   • For 32-bit Messaging Server on UltraSPARC T2 based systems.

     # /usr/sfw/bin/modutil -dbdir /opt/sun/comms/messaging/config/ -nocertdb -add "Solaris Crypto Framework" \
     -libfile /usr/lib/libpkcs11.so -mechanisms RSA:RC4:AES:DES:MD5
     
     WARNING: Performing this operation while the browser is running could cause corruption
     of your security databases. If the browser is currently running,
     you should exit browser before continuing this operation. Type 'q <enter>' to abort,
     or <enter> to continue:
     
     Using database directory ../config...
     
     Module "Solaris crypto Framework" added to database.
     

   • For 64-bit Messaging Server on UltraSPARC T2 based systems.

     # /usr/sfw/bin/sparcv9/modutil -dbdir /opt/sun/comms/messaging64/config/ -nocertdb -add \
     "Solaris Crypto Framework" -libfile /usr/lib/sparcv9/libpkcs11.so -mechanisms RSA:RC4:AES:DES:MD5
     
     WARNING: Performing this operation while the browser is running could cause corruption
     of your security databases. If the browser is currently running,
     you should exit browser before continuing this operation. Type 'q <enter>' to abort,
     or <enter> to continue:
     
     Using database directory ../config...
     
     Module "Solaris crypto Framework" added to database.
     

2. Continue with the next task.

To Enable the Slot Named Sun Metaslot

1. Run the following modutil command.
   • For 32-bit Messaging Server on UltraSPARC T1 and T2 based systems.

     # /usr/sfw/bin/modutil -dbdir /opt/sun/comms/messaging/config/ -nocertdb \
     -disable "Solaris Crypto Framework"
     
     WARNING: Performing this operation while the browser is running
     could cause corruption of your security databases.
     If the browser is currently running,
     you should exit browser before continuing this operation.
     Type 'q <enter>' to abort, or <enter> to continue:
     Using database directory ../config...
     
     Slot "Sun Metaslot" disabled.
     Slot "ncp/0 Crypto Accel Asym 1.0" disabled.
     

   • For 64-bit Messaging Server on UltraSPARC T1 and T2 based systems.

     # /usr/sfw/bin/sparcv9/modutil -dbdir /opt/sun/comms/messaging64/config/ \
     -nocertdb -disable "Solaris Crypto Framework"
     
     WARNING: Performing this operation while the browser is running
     could cause corruption of your security databases.
     If the browser is currently running,
     you should exit browser before continuing this operation.
     Type 'q <enter>' to abort, or <enter> to continue:
     Using database directory ../config...
     
     Slot "Sun Metaslot" disabled.
     Slot "ncp/0 Crypto Accel Asym 1.0" disabled.
     

2. Run the following modutil command.
   • For 32-bit Messaging Server on UltraSPARC T1 and T2 based systems.

     # /usr/sfw/bin/modutil -dbdir /opt/sun/comms/messaging/config/ -nocertdb \
     -enable "Solaris Crypto Framework" -slot "Sun Metaslot"
     
     WARNING: Performing this operation while the browser is running
     could cause corruption of your security databases.
     If the browser is currently running,
     you should exit browser before continuing this operation.
     Type 'q <enter>' to abort, or <enter> to continue:
     
     Using database directory ../config...
     Slot "Sun Metaslot" enabled.
     

   • For 64-bit Messaging Server on UltraSPARC T1 and T2 based systems.

     # /usr/sfw/bin/sparcv9/modutil -dbdir /opt/sun/comms/messaging64/config/ -nocertdb \
     -enable "Solaris Crypto Framework" -slot "Sun Metaslot"
     
     WARNING: Performing this operation while the browser is running
     could cause corruption of your security databases.
     If the browser is currently running,
     you should exit browser before continuing this operation.
     Type 'q <enter>' to abort, or <enter> to continue:
     
     Using database directory ../config...
     Slot "Sun Metaslot" enabled.
     

3. Run the following modutil command to verify that the Solaris Crypto Framework is successfully added.
   • For 32-bit Messaging Server on UltraSPARC T1 and T2 based systems.

     # /usr/sfw/bin/modutil -dbdir /opt/sun/comms/messaging/config/ -nocertdb -list
     
     
     Using database directory ../config...
     
     Listing of PKCS #11 Modules
     -----------------------------------------------------------
       1. NSS Internal PKCS #11 Module
     
          slots: 2 slots attached
          status: loaded
     
          slot: NSS Internal Cryptographic Services
          token: NSS Generic Crypto Services
     
          slot: NSS User Private Key and Certificate Services
          token: NSS Certificate DB
     
       2. Solaris crypto Framework
     
          library name: /usr/lib/libpkcs11.so
     
          slots: 2 slots attached
          status: loaded
     
          slot: Sun Metaslot
          token: Sun Metaslot
     
          slot: ncp/0 Crypto Accel Asym 1.0
          token: ncp/0 Crypto Accel Asym 1.0
     -----------------------------------------------------------
     

   • For 64-bit Messaging Server on UltraSPARC T1 and T2 based systems.

     # /usr/sfw/bin/sparcv9/modutil -dbdir /opt/sun/comms/messaging64/config/ -nocertdb -list
     
     
     Using database directory ../config...
     
     Listing of PKCS #11 Modules
     -----------------------------------------------------------
       1. NSS Internal PKCS #11 Module
     
          slots: 2 slots attached
          status: loaded
     
          slot: NSS Internal Cryptographic Services
          token: NSS Generic Crypto Services
     
          slot: NSS User Private Key and Certificate Services
          token: NSS Certificate DB
     
       2. Solaris crypto Framework
     
          library name: /usr/lib/libpkcs11.so
     
          slots: 2 slots attached
          status: loaded
     
          slot: Sun Metaslot
          token: Sun Metaslot
     
          slot: ncp/0 Crypto Accel Asym 1.0
          token: ncp/0 Crypto Accel Asym 1.0
     -----------------------------------------------------------
     

To Export the Certificate/Key Pairs From the NSS Soft Token

This task describes how to export the certificate/key pairs from the NSS soft token (as PKCS#12 formatted files) to be imported in to the SCF software token. The following shows how to export two certificates found in the internal token.

1. Choose the PKCS#12 file password and copy it to a file called /tmp/pkcs12password

   # echo "pkcspassword" > /tmp/pkcs12password
   

2. Run the following commands to export the two certificates found in the Internal Token in to PKCS#12 formatted files.

   # ./msgcert export-cert -W Messaging-Server-Root/config/sslpassword \
   -o /tmp/Server-Certpk12 -O /tmp/pkcs12password Server-Cert
   
   # file /tmp/Server-Certpk12
   
   /tmp/Server-Certpk12:   data
   

3. Continue with the next task.

To Import the Key/Certificate Pairs to the Sun Metaslot (SCF)

1. Become the mailsrv user.

   su mailsrv
   

2. Run the id command.

   $ id
   uid=207023(mailsrv) gid=6(mail)
   

3. Run the following pk12util command.
   • For 32-bit Messaging Server on UltraSPARC T1 and T2 based systems.

     $ /usr/sfw/bin/pk12util -i /tmp/Server-Certpk12 -d /opt/sun/comms/messaging/config/ -h "Sun Metaslot"
     
     Enter Password or Pin for "Sun Metaslot":
     { This is the same password you entered, when running pktool setpin )
     Enter password for PKCS12 file:
     {PKCSpassword : password used to export certificates from the Internal Software Token }
     pk12util: PKCS12 IMPORT SUCCESSFUL
     

   • For 64-bit Messaging Server on UltraSPARC T1 and T2 based systems.

     $ /usr/sfw/bin/sparcv9/pk12util -i /tmp/Server-Certpk12 -d /opt/sun/comms/messaging64/config/ -h "Sun Metaslot"
     
     Enter Password or Pin for "Sun Metaslot":
     { This is the same password you entered, when running pktool setpin )
     Enter password for PKCS12 file:
     {PKCSpassword : password used to export certificates from the Internal Software Token }
     pk12util: PKCS12 IMPORT SUCCESSFUL
     

4. Continue with the next task.

To Verify the Successful Importation of the Certificate/Key Pairs

Use this task to verify that the certificate/key pairs were successfully imported to the token. You must be logged in as mailsrv (that is, the Messaging Server user).

1. Run the following certutil command.

   # su mailsrv
   $ ./certutil -L -d ../config/ -h "Sun Metaslot"
   
   Enter Password or Pin for "Sun Metaslot":
   ( This is the same password you entered, when running pktool setpin. )
   Sun Metaslot:Server-Cert                                       u,u,u
   Sun Metaslot:SolCrypto-Framework                               u,u,u
   

2. Run the following certutil command.$ ./certutil -K -d ../config/ -h "Sun Metaslot"

   Enter Password or Pin for "Sun Metaslot":
   ( This is the same password you entered, when running pktool setpin. )
   <0> Server-Cert
   <1> SolCrypto-Framework
   

3. Proceed to the next section to configure Messaging Server.

Configuring Messaging Server to Use the External Token

This section describes the procedures you use to configure the various Messaging Server processes to use the external token.

Verify Messaging Server and Solaris patch-levels

Solaris 10 update 4 and above introduced a change that caused hardware SSL acceleration to fail with Messaging Server 6.2 and 6.3 (Messaging Server bug #6647586).

Attempting to enable hardware SSL acceleration on Solaris 10 update 4 installation caused the following Messaging Server error messages:

[25/Apr/2008:14:57:20 +1000] server imapd[760]: General Error: SSL initialization error:
ASockSSL_Init: PK11 auth failed to Sun Metaslot (-8192)

20080425 145722 ImapProxyAService.cfg ASockSSL_Init: PK11 auth failed to Sun Metaslot

[07/Jan/2008:15:55:08 +1100] server [8209]: General Error: SSL initialization error: 
ASockSSL_Init: couldn't open slot Sun Metaslot (-8127)

This bug was rectified with the following Messaging Server patches:

• Messaging Server 6.2 (Point Patch) #125813-12
• Messaging Server 6.3 (32bit) #120228-29
• Messaging Server 6.3 (64bit) #126479-10

Messaging Server 7.0 and above is not affected by this problem.

To Configure Messaging Server Processes to Use the External Token

1. Configure MMP by editing the ImapProxyAService.cfg and PopProxyAService.cfg files as follows.

   # cd Messaging-Server-Root/data/config
   ImapProxyAService.cfg: default:SSLCertNicknames  "Sun Metaslot:Server-Cert"
   PopProxyAService.cfg:  default:SSLCertNicknames   "Sun Metaslot:Server-Cert"
   

2. Configure the IMAP server by setting the following configuration parameters to use the external token.

   ./configutil -o encryption.rsa.nssslpersonalityssl -v "Sun Metaslot:Server-Cert"
   OR
   ./configutil -o local.imap.sslnicknames -v "Sun Metaslot:Server-Cert"
   

3. Configure the POP server by setting the following configuration parameters to use the external token.

   ./configutil -o encryption.rsa.nssslpersonalityssl -v "Sun Metaslot:Server-Cert"
   OR
   ./configutil -o local.pop.sslnicknames -v "Sun Metaslot:Server-Cert"
   

4. Configure the HTTP server by setting the following configuration parameters to use the external token.

   ./configutil -o encryption.rsa.nssslpersonalityssl -v "Sun Metaslot:Server-Cert"
   OR
   # ./configutil -o local.http.sslnicknames -v "Sun Metaslot:Server-Cert"
   

5. Configure the SMTP server by setting the following configuration parameters to use the external token.
   Use the configutil command to set the SSL certificate nickname:

   ./configutil -o encryption.rsa.nssslpersonalityssl -v "Sun Metaslot:Server-Cert"
   OR
   ./configutil -o local.imta.sslnicknames -v "Sun Metaslot:Server-Cert"
   

   Note As shown previously, you can also use a per-service configuration setting for the SSL certificate nicknames. The configuration parameters, which have the same meaning (that is, the nickname) and override the_ encryption.rsa.sslpersonalityssl setting, are: local.imta.sslnicknames (for the SMTP and Submit Servers) local.imap.sslnicknames (for the IMAP Server) local.pop.sslnicknames (for the POP Server) local.http.sslnicknames (for the HTTP Server)

6. Save the "Sun Metaslot" password in to the sslpassword.conf file. The "Sun Metaslot" is protected by a password. The server prompts for a password every time it starts up. Instead of entering the password every time, Messaging Server reads the password from the sslpassword.conf file located in the Messaging-Server-Root/config directory. Edit this file as follows.

   # cat Messaging-Server-Root/data/config/sslpassword.conf
   Sun Metaslot:secret
   
   ( "secret" : This is the same password you entered, when running pktool setpin )
   

To Start and Debug Messaging Server Services

This task explains how to restart the Messaging Server services, check for errors, and verify the operational SCF environment.

1. Restart the Messaging Server services.

   # Messaging-Server-Root/sbin/start-msg
   Connecting to watcher ...
   Launching watcher ... 27351
   Starting ens server ... 27352
   Starting store server .... 27353
   Checking store server status .... ready
   Starting imap server .... 27354
   Starting pop server .... 27355
   Starting http server .... 27356
   Starting sched server ... 27357
   Starting dispatcher server .... 27359
   Starting job_controller server .... 27365
   

2. Make sure that there are no SSL_init errors in the log files, and no ASockSSL_init errors in any of the tcp_smpt,default, imap, pop, and http log files. You see something like the following when there is a problem.

   http:[31/Nov/2006:11:36:21 -0800] biotite httpd[27356]: General Error: SSLinitialization error:
   ASockSSL_Init: couldn't open slot Metaslot (-8127)
   imap:[31/Nov/2006:11:36:20 -0800] biotite imapd[27354]: General Error: SSLinitialization error:
   ASockSSL_Init: couldn't open slot Metaslot (-8127)
   pop:[31/Nov/2006:11:36:21 -0800] biotite popd[27355]: General Error:SSL initialization error:
   ASockSSL_Init: couldn't open slot Metaslot (-8127)
   tcp_smtp_server.log-0J8000L01MGM3Z00:[31/Nov/2006:11:36:22 -0800]
   biotite [27363]: General Error:SSL initialization error:
   ASockSSL_Init: couldn't open slot Metaslot (-8127)
   tcp_smtp_server.log-0J8000L03MGM3Z00:[31/Nov/2006:11:36:22 -0800]
   biotite [27364]: General Error:SSL initialization error:
   ASockSSL_Init: couldn't open slot Metaslot (-8127)
   

3. Verify that the SSL ports are listening.

   # netstat -an | grep 995
     *.995                *.*                0      0 49152      0 LISTEN
   # netstat -an | grep 443
     *.443                *.*                0      0 49152      0 LISTEN
   # netstat -an | grep 465
     *.465                *.*                0      0 49152      0 LISTEN
   

4. Once the application is operational on the Solaris Cryptographic Framework, use the kstat command to display the number of RSA public key decryptions performed using NCP since the last system boot. The number of RSA public key decryptions are shown as the rsapublic value in the kstat output. An incremental and a positive increase in the value of rsapublic shows that NCP is operational.

   # kstat -n ncp0 | grep rsa
   rsprivate                      X
   rsapublic                      X
   

   In this output:

   • rsaprivate -- Total number of jobs submitted to the device for RSA private key operations.
   • rsapublic -- Total number of jobs submitted to the device for RSA public key operations.
     By using a browser to connect to the HTTP SSL port and log in, you see how the count increases. For example:

     <Log in to https://host1.red.example.com>
     
     # kstat -n ncp0 | grep rsa
     rsaprivate	35
     rsapublic 	146
     
     # kstat -n ncp0 | grep rsa
     rsaprivate	38
     rsapublic 	149
     

Further Reading

Use these sources to learn more about the Solaris Cryptographic Framework:

• Part IV, "Solaris Cryptographic Services," in System Administration Guide: Security Services
• The Solaris Cryptographic Framework
• UltraSPARC Processors
• cvcd(1M)
• pktool(1)
• Using the Security Module Database
• Using the Certificate Database Tool