Oracle Directory Server Enterprise Edition 11 and pkcs11 on-chip crypto on SPARC-64 X+/X
We recently migrated a bunch of DSEE 11 applications from Fujitsu M4000 machines to Fujitsu M10 servers and somehow they're not using the SPARC64-X+/X on-chip AES/SHA crypto capabilities.
    # isainfo -v
    64-bit sparcv9 applications
            fjorclnum fjieeedec fjaes ima fjdes fjathhpc fmaf asi_blk_init vis2 vis popc
    # truss -u libucrypto::athena_\* -c -p $(pgrep ns-slapd)
    ... wait till some ldaps connection were served...
    ^C
    ...nothing :-(
Let's fix that.
According to "SPARC64™ X+/X On-Chip Cryptographic Processing Capabilities", the M10 CPUs are capable of:
"SPARC64™ X+/X processors support AES, DES, 3DES, RSA, SHA and DSA encryption models."
We keep that list in mind. To get things started we need to find the directory with the NSS certificate database files.
    # find /local/ds -name "*-cert8.db" -type f
    /local/ds/alias/slapd-cert8.db
We have to export the default cert in there and tell our running DSEE instance to use the M10's cryptographic hardware. We don't do this as root but as the dsee user.
    $ pktool setpin
    Enter token passphrase:      # default password is changeme
    Create new passphrase:
    Re-enter new passphrase:
    Passphrase changed.
    $ dsadm export-cert -o ns-slapd.crt /local/ds defaultCert
    Choose the PKCS#12 file password:
    Confirm the PKCS#12 file password:
    $ dsconf set-server-prop 'ssl-rsa-security-device:Sun Metaslot'
    Directory Server must be restarted for changes to take effect.
Let's disable ns-slapd for a second to add the pkcs11 module. The slapd-pin.txt password is the one we entered while running pktool setpin. The mechanism list should represent what the SPARC64-X CPUs support.
    $ dsadm stop /local/ds
    $ modutil -add "Solaris Kernel Crypto Driver" -libfile \
        /usr/lib/64/libpkcs11.so -dbdir /local/ds/alias -dbprefix slapd- \
        -mechanisms AES:DES:RSA:SHA1:SHA256:SHA512:DSA

    WARNING: Performing this operation while the browser is running could cause
    corruption of your security databases. If the browser is currently running,
    you should exit browser before continuing this operation. Type
    'q <enter>' to abort, or <enter> to continue:

    $ modutil -enable "Solaris Kernel Crypto Driver" \
        -dbdir /local/ds/alias -dbprefix slapd-

    WARNING: Performing this operation while the browser is running could cause
    corruption of your security databases. If the browser is currently running,
    you should exit browser before continuing this operation. Type
    'q <enter>' to abort, or <enter> to continue:

    Slot "Sun Metaslot" enabled.
    $ pk12util -i ns-slapd.crt -d /local/ds/alias/ -P slapd- -h "Sun Metaslot"
    Enter Password or Pin for "Sun Metaslot":
    Enter password for PKCS12 file:
    pk12util: PKCS12 IMPORT SUCCESSFUL
    $ certutil -M -n "Sun Metaslot:defaultCert" -t CTu -d /local/ds/alias -P slapd-
    Enter Password or Pin for "Sun Metaslot":
    $ echo "Sun Metaslot:XXXpassword" > /local/ds/alias/slapd-pin.txt
    $ certutil -L -d /local/ds/alias -P slapd-

    Certificate Nickname                        Trust Attributes
                                                SSL,S/MIME,JAR/XPI

    Unix Dep CA                                 ,,
    $ certutil -M -n "Unix Dep CA" -t CT -d /local/ds/alias/ -P slapd-
    $ dsadm start /local/ds
Are we there yet?
    # pldd $(pgrep ns-slapd) | grep pkcs11
    /usr/lib/sparcv9/libpkcs11.so.1
    /usr/lib/security/sparcv9/pkcs11_softtoken.so.1
    # truss -u libucrypto::athena_\* -c -p $(pgrep ns-slapd)
    ... start some ldaps:// or STARTTLS ldapsearch'es...
    ^C
    Library:      Function                       calls
    libucrypto:   athena_sha1_block                418
    libucrypto:   athena_sha1_multiblock           246
    libucrypto:   athena_sha256_block              118
    libucrypto:   athena_sha256_multiblock          30
    ...
    $ dsadm show-access-log /local/ds/alias
    ...
    [26/Apr/2017:08:57:41 +0200] conn=228 op=-1 msgId=-1 - SSL 128-bit AES-128-GCM
    ...
Well... That's rather disappointing. We see Athena library calls for hardware checksums but nothing for any symmetric crypto. Seems like the LDAP clients use ciphers our SPARC64-X+/X can't do in hardware.
So we're not quite done yet. Let's enable only SPARC64-X+/X friendly ciphers.
    $ dsconf get-server-prop -h $(uname -n) -P 1636 ssl-supported-ciphers | grep AES | grep -v AESGCM
    ...
    ssl-supported-ciphers  :  TLS_RSA_WITH_AES_128_CBC_SHA
    ssl-supported-ciphers  :  TLS_RSA_WITH_AES_256_CBC_SHA
    ...
    $ dsconf set-server-prop -h $(uname -n) -P 1636 \
        ssl-cipher-family:TLS_RSA_WITH_AES_128_CBC_SHA \
        ssl-cipher-family:TLS_RSA_WITH_AES_256_CBC_SHA
    Before setting SSL configuration, export Directory Server data.
    Do you want to continue [y/n] ? y
    Directory Server must be restarted for changes to take effect.
    $ dsadm restart /local/ds
Pretty please?!
    # truss -u libucrypto::athena_\* -c -p $(pgrep ns-slapd)
    ... start some ldaps:// or STARTTLS ldapsearch'es...
    libucrypto:   athena_sha1_block                       6220
    libucrypto:   athena_sha1_multiblock                  3975
    libucrypto:   athena_AES_cbc_encrypt                   472
    libucrypto:   athena_AES_encrypt_cbc_s                 472
    libucrypto:   athena_aes128_cbc_encrypt                472
    libucrypto:   athena_aes128_load_keys_for_encrypt      472
    libucrypto:   athena_copy_key_s                        472
    libucrypto:   athena_sha256_block                      380
    libucrypto:   athena_AES_decrypt_cbc_s                 157
    libucrypto:   athena_sha256_multiblock                  87
    libucrypto:   athena_AES_cbc_decrypt                    80
    libucrypto:   athena_aes128_cbc_decrypt                 80
    libucrypto:   athena_aes128_load_keys_for_decrypt       80
    libucrypto:   athena_DES3_encrypt_s                     36
    libucrypto:   athena_AES_set_encrypt_key                24
    libucrypto:   athena_aes_expand128                      24
    libucrypto:   athena_AES_decrypt_cbc_4unrolling_s       18
    libucrypto:   athena_AES_decrypt_cbc_8unrolling_s       14
    libucrypto:   athena_des3_ecb_encrypt                   12
    libucrypto:   athena_des3_load_keys                     12
    ...
Lovely!
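PS: the only hardware capable ciphers seem to be: TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA and TLS_RSA_WITH_DES_CBC_SHA. Only the two AES suites were enabled above; single DES (56-bit key) and 3DES are weak by current standards, so hardware support alone is no reason to turn them on.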
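The two truss checks above ("Are we there yet?" and "Pretty please?!") can be scripted. The following is an added example, not part of the original post: it totals the athena_* call counts per algorithm family and reports whether AES/DES calls show up at all. The function names are made up for illustration, and the sample figures are a subset copied from the post's two truss runs.

```shell
#!/bin/sh
# Added example, not from the original post: sum the athena_* call counts
# printed by `truss -u libucrypto::athena_\* -c` per algorithm family.

# Reads truss -c output on stdin, prints "sha=N aes=N des=N other=N".
athena_summary() {
    awk '
        BEGIN { n["sha"] = n["aes"] = n["des"] = n["other"] = 0 }
        $1 == "libucrypto:" && $2 ~ /^athena_/ && $3 ~ /^[0-9]+$/ {
            fam = "other"                         # e.g. athena_copy_key_s
            if      ($2 ~ /^athena_[Ss][Hh][Aa]/) fam = "sha"
            else if ($2 ~ /^athena_[Aa][Ee][Ss]/) fam = "aes"
            else if ($2 ~ /^athena_[Dd][Ee][Ss]/) fam = "des"   # DES and 3DES
            n[fam] += $3
        }
        END { printf "sha=%d aes=%d des=%d other=%d\n",
                     n["sha"], n["aes"], n["des"], n["other"] }
    '
}

# Reads the same input and says whether bulk encryption reached the chip.
athena_verdict() {
    case $(athena_summary) in
        "sha=0 aes=0 des=0 other=0") echo "none: no athena_* calls seen" ;;
        *" aes=0 des=0 "*) echo "no-cipher-offload: AES/DES still run in software" ;;
        *) echo "offloaded: AES/DES calls reach the on-chip crypto" ;;
    esac
}

# Sample input: subset of the figures shown in the post's two truss runs.
sample_before() { cat <<'EOF'
Library:      Function                    calls
libucrypto:   athena_sha1_block             418
libucrypto:   athena_sha1_multiblock        246
libucrypto:   athena_sha256_block           118
libucrypto:   athena_sha256_multiblock       30
EOF
}
sample_after() { cat <<'EOF'
libucrypto:   athena_sha1_block            6220
libucrypto:   athena_sha256_block           380
libucrypto:   athena_AES_cbc_encrypt        472
libucrypto:   athena_aes128_cbc_decrypt      80
libucrypto:   athena_copy_key_s             472
libucrypto:   athena_DES3_encrypt_s          36
libucrypto:   athena_des3_ecb_encrypt        12
EOF
}

sample_before | athena_verdict
sample_after  | athena_verdict
```

On a live system, save the truss report to a file and pipe it into athena_verdict after each cipher configuration change.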