Sun Crypto Accelerator 6000 Card

Similar Messages

• Sun Crypto accelerator 6000 + Sun One Web Server 6.1

  hi,
  I want 3des to be the firts of ciphers for clients to utilize my Crypto Accelerator. Also, I want RC4 to be the second one.
  But all browsers uses RC4 by default!
  This string doesn't work in server.xml, what did i miss?
  <SSLPARAMS servercertnickname="Sun Metaslot:Server-Cert" ssl2="off" ssl2ciphers="-desede3,-rc4,-rc4export,-rc2,-rc2export,-des" ssl3="on" tls="on" ssl3tlsciphers="+rsa_3des_sha,+rsa_rc4_128_sha" tlsrollback="on" clientauth="off"/>
  Resume: Why I need crypto accelerator if all traffic is RC4 ? :)
  Message was edited by:
  mpech

  You cannot get that behavior.
  When an SSL client and server negotiate the connection, the client sends a list of all the cipher suites it supports. From that list the server will pick the most secure cipher suite which it also supports (if the server doesn't support any of the cipher suites proposed by the client, the connection establishment will fail).
  RC4 (128bit) is more secure than 3DES (112 bit). Thus, a server will never pick 3DES above RC4_128 if both are valid options (i.e. when both client and server support both). If you really wanted to force use of 3DES you need to disable RC4_128 in the server (or all the clients; or both).

• Sun Crypto 1000 and Solaris 10

  hi,
  I have some "Sun Crypto Accelerator 1000" cards.
  Is it possible to run it on Solaris 10 w/ Web servers 6 or 7 ???
  --mpech                                                                                                                                                                                                                                                               

  Sun PCI 3 runs fine with Solaris 10 - running on SB2500 with PCI3. Running Win2K and RH Linux.
  I cannot recall any problem with the exception that the driver files were not there for solaris 10. Resolved by the following (google news groups for SunPCI and Solaris 10).
  1) install the SunPCI software
  2) Create the following links with the "ln -s" command(as root) for solaris 10.
  lrwxrwxrwx 1 root root 13 Mar 8 2005 sunpcidrv.2100 ->
  sunpcidrv.290*
  lrwxrwxrwx 1 root root 16 Mar 8 2005 sunpcidrv.2100.64
  -> sunpcidrv.290.64*
  The links are in /opt/SUNWspci3/drivers/solaris directory. My existing SUNPCI3 PC+Linux file systems moved over from Solaris 9 with no issues when starting up with Solaris 10.
  As for upgrading to Solaris 10 from 9, 10 seems to have a bigger filesystem space requirement. I re-partioned my disks with a larger root partion and did a clean install rather than perform the upgrade.
  Also note on the Solaris 10 upgrade you need to get to grips with the new SMF. A man of inetconv(1M) will get you going and there is lots of help on the news groups.
  Best of Luck.
  Jon.

• SUN Cypto Accelerator 4000 -- IBM Websphere supported?

  Hi,
  We have IBM Websphere Express 5.1 and want to off-load SSL processing to a SUN Crypto Accelerator 4000, preferably SCA V2.0.
  From what I have read, SUN One and Apache Web Application Servers are supported. Does anyone know if the IBM Websphere Application Server V5.1 or later, is supported? Also, what about Webtrends.
  Any and all information would be appreciated.
  Thanks,
  ieee

  PS supports only on WebSphere 5.1 Express Edition.
  No testing has been done on Websphere ND Clustered.

• Enabling kssl in case of sun crypto 6000 card failure.

  Can anyone provide me with some documentation that how exactly kssl is supposed to work.
  I am using a sun crypto 6000 accerlator card and want to enable the kernel level SSL in case of the card failover.
  Can anyone please let me know if this possible and if so, how.
  Regards
  Manik gupta

  Just for your info and hope it helps...
  Jan 23 12:33:52 shark01 snmpXdmid: [ID 216524 daemon.error] Registration with DMI failed. err = 831.
  Jan 23 12:33:52 shark01 syslogd: /dev/sysmsg: I/O error
  Jan 23 12:37:11 shark01 ebus: [ID 521012 kern.info] su1 at ebus0: offset 0,2e8
  Jan 23 12:37:11 shark01 genunix: [ID 936769 kern.info] su1 is /pci@1f,0/isa@7/serial@0,2e8
  =====================================
  Jan 23 12:33:52 shark01 syslogd: /dev/sysmsg: I/O error
  <-------- Got an I/O error here. And Syslogd is the daemon running the syslog to write logs on /var filesystem. Could be some problem in your /var filesystem.
  ======================================
  Jan 23 12:37:11 shark01 genunix: [ID 936769 kern.info] su1 is /pci@1f,0/isa@7/serial@0,2e8
  <------- this is pointing to your TTYB or serial port B. You may something connected there that is having a problem.
  =====================================
  Are you using a SYSLOG server ?
  Edited by: Noel.del@Rosario on Feb 20, 2008 4:24 AM

• Sun Crypto 6000 accerlator card

  Hello
  I have installed a Sun Crypto 6000 SSL accerlator card in a sunfire machine and want to enable the automatic fallback of the SSL accerlation on the kernel level providers in case of the hardware card failure. I could not find documentation related to this and I would like to know if this can be done or no. If so, How?
  Any help will be really appreciated...
  Regards
  Manik

  You cannot get that behavior.
  When an SSL client and server negotiate the connection, the client sends a list of all the cipher suites it supports. From that list the server will pick the most secure cipher suite which it also supports (if the server doesn't support any of the cipher suites proposed by the client, the connection establishment will fail).
  RC4 (128bit) is more secure than 3DES (112 bit). Thus, a server will never pick 3DES above RC4_128 if both are valid options (i.e. when both client and server support both). If you really wanted to force use of 3DES you need to disable RC4_128 in the server (or all the clients; or both).

• The Tesla C2075 card & Quadro 6000 card + Nvidia Maximus configuration (CS 5.5.2 update)

  Could somebody kindly discuss in more detail the improvement of the Nvidia Maximus configuration? The Tesla C2075 card and the Quadro 6000 card appear to be identical cards. If a PC computer had both cards installed + an AJA KONA 3G card + the Premier Pro CS 5.5.2 update, what would the advantage be in comparison to a computer that only has a Quadro 6000 card + an AJA KONA 3G card installed (no C2075?)  Adobe Master Collection would be installed in this PC computer.  Thank you.

  Here is what one of the Nvidia folks said when a similar question was asked elsewhere:
  "That’s right; a Quadro 6000 and Tesla C2075 are not identical but they are very similar and you can expect similar performance. There are a few reasons you might want to use a Maximus configuration for Premiere Pro rather than a single Quadro 6000:
  1.  Having both a Quadro and Tesla GPU in the system means when the Tesla is cranking full-out on Mercury Playback Engine the Quadro is unaffected, so you can, say, open After Effects or other application that may take advantage of the Quadro, and system performance on that app will be better than if it was competing for resources with MPE on a single GPU.
  2.  In the future, we expect many users will want to run an animation application (using the Quadro) and a simulation application (on the Tesla) at the same time to provide animators with a level of interactivity they don’t have without Maximus technology. Example video is here. (http://youtu.be/_LagqqsVO28)
  3.  It costs less. A typical Maximus configuration has a mid-range Quadro (e.g. a Quadro 2000) and a Tesla C2075, which in that instance costs hundreds of dollars less than a single Quadro 6000 and offers similar performance plus the workflow advantage listed above.Of course, some users may want to run a Quadro 6000 and a Tesla C2075 and get maximum performance, but others can actually get the best MPE acceleration for less money with Maximus technology."

• Ssl and Sun Crypto card 1000 Solaris 9

  Hi
  First time i have used a crypto card and and 1st time in using ssl.
  The crypto card came with an install script to compile ssl, apache and crypto libraries. Documentation says that should come pre-installed with Apache 1.3.26 and have only supplied the ssl.lib.so.1-3-26 files for Apache 1.3.26. The actual version supplied was Apache 1.3.33 and the script exits with wrong apache version.
  Have tried renaming the lib.so files to 1.3.33 but script still fails.
  Don't want to roll back to earlier version of apache but don't know how/where to get updated lib.so files from.
  Sorry if this is a stupid question but any help would be much appreciated

  This might be one of the exceedingly rare instances where I suggest that someone cross-post to another forum.
  On the off-chance that others that use the software may have already worked on this, you might consider asking your question on one of the Java Enterprise System forums. (iPlanet has been branded as JES since 2003).
  [http://forums.sun.com/index.jspa?tab=es]
  In particular, there is an archived JES/Security forum where previous discussions may have already covered this.
  I haven't a clue as to what your software might need for a "best" configuration.

• Solaris 10 x86 goes to reboot mode after installing Sun x4 PCIe Quad card

  I have an x4200 server installed with solaris 10 x86 11/06 OS. After installing the OS it comes up fine.
  Now, When I install an SUN x4 PCIe Quad Gigabit Ethernet card on PCI slot 0 and on the power up server does not comes up. It gpes into the reboot mode.
  bash-3.00# uname -a
  SunOS server1-1 5.10 Generic_118855-33 i86pc i386 i86pc
  Does any one has face this issue..

  Solution found:
  First tried to login using "console login" when solaris booted up, before the desktop login window appeared. Then, run command "kdmconfig", changed the video device to X86 VESA compatible device, which is from the x86 driver and porting kit for solaris, then test/save and exit. After that, reboot the system. Now it is working, not perfect though (due to my old monitor) :)-

• Flash player BSOD crashes when using Hardware acceleration (+ATI card?)

  Hello,  I get frequent and recurrent BSOD crashes with the latest Flash player, watching some videos on Youtube.  I own a ATI Radeon 5700 video card and use the latest (v11.5) Catalyst drivers on Windows XP SP3, if this can help.  If I disable hardware acceleration through dxdiag, or in the Flash player options, the crashes cease.  Will this be fixed ?  If it won't, could hardware acceleration be disabled by default on next versions of the Flash player ?  Thank you.

  First thing to acknowledge is: BSOD crashes are 99.9999999% of the time due to critical OS problems or hardware. 0.0000001% of the time they are due to software, be it Microsoft or third party.
  If turning off the HW acceleration causes the BSODs to stop, I'd say there is a hardware problem (most likely) but there is also a slim chance that you have a memory fault your video card runs into when using software to accelerate the card.
  The BSOD gives information about the cause. If you have that it would help to point to the source of the Fatal Exception, and determine what steps youneed to take.

• How to setup Glashfish 2.1 with sun crypto hardware inside T2 processor

  Dear Expert,
  I had setup comm 7 at guest os (ldom guest) on sun fire t5240 , All running well (mail,calender,im) , I also read
  http://wikis.sun.com/display/BluePrints/Taking%20Advantage%20of%20Wire-Speed%20Cryptography
  Does any body have guide step by step How to integrated glasshfish with sun    Cryptography hardware ?
  thanks
  Hadi

  singautara,
  SLIM is trying to tell you that SUSE 9.x will just not work.
  Period.
  SUSE 9.x is for Intel and AMD chips and the computers that use them. Your Ultra-60 does not have x86 compatible components in it.
  It does not have a BIOS. It has an OpenBootProm .
  The last distribution ever ported by SUSE to Sun's SPARC cpu architecture was something like version 7.3. That is from 5 years ago !
  What's wrong with the Operating Environment that was developed by the same company that manufactured your computer?
  Use the SunOS on the Sun system !
  http://sunsolve.sun.com/handbook_pub/Software/
  Tell you what ...
  Find the "Related Documentation" link at this page in the Sun System Handbook and research what sort of system you have.
  http://sunsolve.sun.com/handbook_pub/Systems/U60/U60.html

• AES-256, BouncyCastle, Sun Crypto Providers, Default Padding

  Hi,
  The subject alsmost says it all, but in a nutshell, I would like to use BC for AES-256. I also wanted to compare the ciphered outputs from both BC and SUN to make sure everything was working ok (I have installed the Unlimited Strength Jurisdiction Policy Files 6 for the Sun JRE 6).
  I have noticed the following, when the data input is a multiple of 16, the ciphered data generated by both engines are the same (Sun = AES, BC = PaddedBufferedBlockCipher(AES Engine) + PKCS7Padding).
  However, when the data input is not of a multiple of 16 - the ciphered output is different.
  Hence my question: What is the default padding and mode used by the Sun JCE when doing a getInstance("AES") ?
  How to make sure that the ciphered data is the same for both engines, regardless of the data input length pls?
  Thx

  Hi,
  So what is the problem with using the BC provider?
  The problem with using the BC provider is that if you have a web started application, the lambda user should not worry about installing an extra set of files for the JRE. And that lambda user might not know at all how to install the policy file as well. (Note that this policy is only required on Windows - works fine on Mac). All of this for AES-256 should be transparent.
  Code for Sun JCE
  public String encryptToBase64(String data) throws Exception {
            Cipher cipher = Cipher.getInstance(aesCipher); // "AES"
           cipher.init(Cipher.ENCRYPT_MODE, secretKey);
           final byte[] newData = EncryptionUtils.getBytes(data);
           final byte[] edata = cipher.doFinal(newData);
           return Base64.encodeBase64String(edata);
  Code for BC Provider works fine (with policy) - same output
  Only difference comes from:
  Security.addProvider(new BouncyCastleProvider());and
  Cipher cipher = Cipher.getInstance(aesCipher, "BC");What I am just trying to do is to use the BC API directly - no provider - so that my AES-256 ciphered output is the same that the Sun and BC provider with policy installed.
  I managed to do it - but by padding manually the data myself so that it is a multiple of 16 in length (I would llike to avoid this):
  public String encryptToBase64(String data) throws Exception {
            final byte[] newData = EncryptionUtils.getBytes(data);
            return Base64.encodeBase64String(encode(newData));
  }     private byte[] encode(byte[] inputBytes) throws Exception {
           final BufferedBlockCipher cipher = getCipher(true);
           final byte[] outputBytes = new byte[cipher.getOutputSize(inputBytes.length)];
           int outputLen = cipher.processBytes(inputBytes, 0, inputBytes.length, outputBytes, 0);
           outputLen += cipher.doFinal(outputBytes, outputLen);
           final byte[] finalBytes = new byte[outputLen];
           System.arraycopy(outputBytes, 0, finalBytes, 0, outputLen);
           return finalBytes;
  private BufferedBlockCipher getCipher(final boolean forEncryption) {
            final BlockCipher aesEngine = new AESEngine();
            final BufferedBlockCipher cipher = new PaddedBufferedBlockCipher(aesEngine, new PKCS7Padding());
           cipher.init(forEncryption, new KeyParameter(rawKey));
           return cipher;
  }with
  public class EncryptionUtils {
       public static final int DEFAULT_BLOCK_SIZE = 16;
       public static final String pad = "                ";
       public static byte[] getBytes(final String str) {
            if (str.length() == DEFAULT_BLOCK_SIZE) {
                 return str.getBytes();
            final int padding = 16 - str.length() % 16;
            final int newSize = str.length() + padding;
            return (str + pad).substring(0, newSize).getBytes();
  }Apologies if I was not clear.
  On top of that - if your code is deciphered on Android for ex, using BC makes sense as I think it is the provider for Android.
  thx

• SCA6000 software download

  Hi all,
  I need to download the software package for the Sun Crypto Accelerator 6000 card for the linux operating system.
  The product page on the public oracle.com website simply redirect me to MOS while stating that software download should be done on edelivery site. I've been searching both MOS and edlivery but only found a patch (in MOS), which only contains updated RPMs.
  Same situation about the Solaris OS. Where can i find this software? The card is useless without it!
  Many thanks in advance.

  I found a patch, sized 32 mb with unknown contents (i've been trying to download it for a while now, but no progress).
  Here is a link to the patch (named 10264428).
  https://support.oracle.com/CSP/ui/flash.html#tab=PatchHomePage(page=PatchHomePage&id=()),(page=PatchSearchResultsHome&id=(from=bookmark&viewItem=0&flag=search&search=%3CSearch%3E%0A%20%20%3CFilter%20name=%22product%22%20op=%22IS%22%20value=%2217548%22%20type=%22product%22/%3E%0A%20%20%3CFilter%20name=%22release%22%20op=%22IS%22%20value=%22500012311200,400009910000%22%20type=%22release%22/%3E%0A%20%20%3CFilter%20name=%22platform%22%20op=%22IS%22%20value=%22226%22%20type=%22platform%22/%3E%0A%3C/Search%3E))
  To find it:
  Within My Oracle Support click the "Patches and Update" tab, then click "Product or Family (Advanced Search)".
  Product is: "Sun Crypto Accelerator 6000 Board"
  - and - Release is: Sun Crypto Accelerator 6000 Board 1.12
  - and - Platform is: Linux x86-64
  HTH! it was what i could find :p Othervise you could try and contact oracle :p
  .7/M.

• CKR_MECHANISM_INVALID but cryptoadm says VALID

  Hi everybody, this is a real though one.
  Using libpkcs11.so to access the sign-function of a crypto accelerator card (Sun Crypto Accelerator 6000) in my program
  CK_MECHANISM sign_mechanism = { CKM_RSA_PKCS, NULL, 0 };
  rv = C_SignInit(session, &sign_mechanism, key);I get a CKR_MECHANISM_INVALID error. But if I use the cryptoadm tool to check if the hardware provider supports the requested mechanism (CKM_RSA_PKCS) the output says that it should be supported (its the mca/0 interface):
  $cryptoadm list -m
  Kernel hardware providers:
  ==========================
  ncp/0: CKM_DSA,CKM_RSA_X_509,CKM_RSA_PKCS,CKM_RSA_PKCS_KEY_PAIR_GEN,CKM_DH_PKCS_KEY_PAIR_GEN,
  CKM_DH_PKCS_DERIVE,CKM_ECDSA_KEY_PAIR_GEN,CKM_ECDH1_DERIVE,CKM_ECDSA
  mca/0: CKM_SHA_1,CKM_MD5,CKM_DES_CBC,CKM_DES3_CBC,CKM_AES_CBC,CKM_AES_CTR,CKM_DES_CBC_PAD,CKM_DES3_CBC_PAD,
  CKM_AES_CBC_PAD,CKM_RSA_X_509,CKM_RSA_PKCS,CKM_DSA,CKM_DH_PKCS_KEY_PAIR_GEN,CKM_DH_PKCS_DERIVE,CKM_ECDSA_KEY_PAIR_GEN,
  CKM_ECDH1_DERIVE,CKM_ECDSA,CKM_RSA_PKCS_KEY_PAIR_GEN,CKM_DSA_KEY_PAIR_GEN,CKM_DES_KEY_GEN,CKM_DES2_KEY_GEN,
  CKM_DES3_KEY_GEN,CKM_AES_KEY_GEN,CKM_DES_CBC_PAD,CKM_DES3_CBC_PAD,CKM_AES_CBC_PAD,CKM_RC2_CBC_PAD,CKM_DES_CBC,
  CKM_DES3_CBC,CKM_AES_CBC,CKM_AES_CTR,CKM_RSA_X_509,CKM_RSA_PKCS,0x80004653a) Does anyone know about an error in cryptoadm? or my output interpretation?
  b) Because the code was tested on linux (but other hardware), am I wrong assuming that the library functions can be called in the same way?
  Thank you very much for any input about this! I appreciate also advices about next steps you would take in such a situation.
  René

  It seems to be a frequent problem. Read
  iTunes Store: My credit card's security code or zip code does not match my bank's records
  If that doesn't work just delete the card entirely and add it again.

• Same certificates for two servers using Sun Java WS 6.1sp5 with Crypto card

  Hi,
  I have 2 Sun java webserver 6.1 sp5 installed on two machines as :
  Single webserver1 instance on hostmachine1
  Single webserver1 instance on hostmachine2.
  (both instance names are same)
  I have created server certificate and installed it using External cryptographic module: Sun Crypto Accelerator 500 on hostmachine1.
  It is perfectly working fine.
  Now,for hostmachine2, I created trust database with same password as for hostmachine1, I copied the two files
  https-webserver1-hostmachine1-key3.db and
  https-webserver1-hostmachine1-cert8.db from hostmachines1 and then put on the hostmachines2 (in an serverroot/alias folder ) and then renamed them as
  https-webserver1-hostmachine2-key3.db and
  https-webserver1-hostmachine2-cert8.db
  Then I went to preferences->Edit socket listen, but security was disabled.
  I restarted the webserver, but security was still disabled.
  What is the problem??
  Please inform me as well as at my email address [email protected]
  Please do reply me as I am waiting anxiously.
  Thanks.
  Taqi

  Hello,
  The problem you are reporting is not expected.
  Hope you are not trying on admin server.
  I am not sure why you removed all files from alias directory.
  Please do the following in a fresh installation:-
  1) install ws6.1sp5.
  2) copy cert and key db from the working systems to the alias
  directory of the instance.
  3) move the db files to the new name (make this name right).
  4) through admin server GUI select instance (Manage server).
  5) go to edit listen socket.
  6) turn on security and select OK.
  7) then press Apply button.
  8) then press Apply changes.
  9) it will restart your instance server and will ask you for the password.
  10) supply the security password of the first server.
  11) it will restart your instance server in https mode.
  This works fine.