How To Configure Messaging Server for SSL and the Solaris Cryptographic Framework (SCF)

(Doc ID 2102297.1)

Last updated on DECEMBER 12, 2016

Applies to:

Oracle Communications Messaging Server - Version 7.0.0 and later
Information in this document applies to any platform.

Goal

The following article describes how to configure Messaging Server for SSL and the Oracle Solaris Cryptographic Framework (SCF) to use the Cryptographic Accelerator of the SPARC processor. This is a three-step process: configure Messaging Server for SSL (optional), configure the Oracle Solaris Cryptographic Framework, and then configure Messaging Server to use SCF.

About the Solaris Cryptographic Framework

The Solaris Cryptographic Framework (SCF) provides a common store of algorithms and PKCS#11 libraries to handle cryptographic requirements. The PKCS#11 libraries are implemented according to the cryptography standard created by RSA Security Inc., PKCS#11 Cryptographic Token Interface (Cryptoki). See Chapter 8, Introduction to the Solaris Cryptographic Framework, in the Solaris Security for Developers Guide, and the Further Reading section, for more information. The Solaris Cryptographic Framework is available in the Solaris 10 Operating System and Solaris Express releases.

A PKCS#11 module (also called a cryptographic module or a cryptographic service provider) manages cryptographic services such as encryption and decryption via the PKCS#11 interface. PKCS#11 modules can be thought of as drivers for cryptographic devices that can be implemented in either software or hardware. A PKCS#11 module always has one or more slots, which can be implemented as physical hardware slots in some form of physical reader (for example, for smart cards) or as conceptual software slots. Each slot of a PKCS#11 module can in turn contain a token, which is the hardware or software device that actually provides cryptographic services and optionally stores certificates and keys. A hardware token is a PKCS#11 token implemented in a physical device, such as a hardware accelerator or a smart card. A software token is a PKCS#11 token implemented entirely in software.

By default, Messaging Server uses the NSS built-in soft token for its cryptographic needs. Any module that implements the PKCS#11 interface can be used with the NSS libraries, so the Solaris Cryptographic Framework can be used as the cryptographic service provider for Messaging Server.

About PKI Cryptography

Asymmetric cryptography is also commonly called Public Key Infrastructure (PKI) cryptography. PKI cryptography is up to 1000 times more CPU intensive than symmetric cryptography. The Rivest, Shamir, Adleman (RSA) algorithm uses modular arithmetic to enable the concept of public and private keys. Typically, only the RSA operations that use public key cryptography are offloaded to a hardware accelerator. So the accelerator card performs the asymmetric cryptography operations, and the symmetric cryptography operations are performed by the server's main processor.

RSA operations are an important component of the SSL full handshake. Each core of the SPARC processor has a MAU (Modular Arithmetic Unit), which supports RSA and DSA operations. RSA operations use a compute-intensive algorithm that can be offloaded to the MAU. The MAU is capable of sustaining 14000 RSA operations per second. Moving RSA operations to the MAU speeds up full handshake performance and frees the CPU. In terms of the Solaris Cryptographic Framework, the MAU is implemented as a service provider (ncp(7D), the Niagara crypto provider device driver). Offloading to a hardware accelerator therefore gives a large performance improvement.
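The two preceding sections describe the NSS/PKCS#11 relationship and the ncp(7D) provider. As an added example (not part of this Oracle article, and not the Messaging Server configuration steps themselves), the shell script below checks that the ncp hardware provider and the user-level pkcs11_kernel.so provider are enabled in SCF before the SCF metaslot library is registered with an NSS database; if the ncp provider is disabled, RSA work silently stays in the software token. The `cryptoadm list -p` output format is assumed from Solaris 10, the sample text is constructed, and the NSS database directory passed to `register_scf_module` is an assumption to be replaced with the deployment's own Messaging Server config directory.

```shell
#!/bin/sh
# Constructed sample of `cryptoadm list -p` (Solaris 10 style), used when the
# real tool is not available, e.g. when running this script off-box.
SAMPLE_CRYPTOADM_OUTPUT='User-level providers:
=====================
/usr/lib/security/$ISA/pkcs11_kernel.so: all mechanisms are enabled.
/usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled.
Kernel software providers:
==========================
rsa: all mechanisms are enabled.
Kernel hardware providers:
==========================
ncp/0: all mechanisms are enabled.'

# Reads `cryptoadm list -p` text on stdin. Exits 0 only when some ncp/N
# kernel hardware provider (the SPARC MAU) reports its mechanisms enabled
# AND the user-level pkcs11_kernel.so provider is enabled, because that is
# the provider through which the libpkcs11.so metaslot reaches ncp.
scf_hw_provider_enabled() {
    awk '
        /^ncp\/[0-9]+:/ && /mechanisms are enabled/       { hw = 1 }
        /pkcs11_kernel\.so:/ && /mechanisms are enabled/  { kern = 1 }
        END { exit ((hw && kern) ? 0 : 1) }
    '
}

# Registers the SCF metaslot library with an NSS certificate database so NSS
# (and therefore Messaging Server) can use SCF as a PKCS#11 provider.
# $1 is the NSS database directory (assumed; use your Messaging Server
# config directory). -force skips modutil's interactive confirmation.
register_scf_module() {
    dbdir=$1
    modutil -dbdir "$dbdir" -add "Solaris Cryptographic Framework" \
        -libfile /usr/lib/libpkcs11.so -force
}

# Live check when cryptoadm exists; otherwise exercise the constructed sample.
if command -v cryptoadm >/dev/null 2>&1; then
    cryptoadm list -p | scf_hw_provider_enabled \
        && echo "ncp hardware provider enabled; safe to register SCF with NSS"
else
    printf '%s\n' "$SAMPLE_CRYPTOADM_OUTPUT" | scf_hw_provider_enabled \
        && echo "sample output: ncp hardware provider enabled"
fi
```

Run the registration step only after the check passes, and confirm the result with `modutil -dbdir <dir> -list`, which should show the new module alongside the NSS internal soft token.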

Solution
