- Type: Bug
- Resolution: Won't Fix
- Priority: P2
- Affects Version/s: solaris_10u10, 5.0u12, 7
- CPU: generic, sparc
- OS: generic, solaris_10
| Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
|---|---|---|---|---|---|---|
| JDK-2205522 | 7 | Valerie Peng | P3 | Closed | Fixed | b134 |
| JDK-2207033 | 6-pool | Sean Coffey | P2 | Closed | Won't Fix | |
JDK 5.0/Weblogic/Solaris 10 fails to use T2000 onboard crypto accelerator for SSL operations
Customer uses kstat to verify use of ncp0:

```
bash-3.00# kstat -n ncp0 -s rsaprivate
module: ncp instance: 0
name: ncp0 class: misc
rsaprivate 35247
bash-3.00# kstat -n ncp0 -s rsaprivate
module: ncp instance: 0
name: ncp0 class: misc
rsaprivate 35247
```
The rsaprivate number does not increase over time while weblogic is doing ssl ops.
Customer has verified:

- that the java.security file has the pkcs11 provider listed first (default file settings, actually)
- that he's not using any java options to disable the pkcs11 provider
- that there are crypto operations being performed by WLS
- that WLS is configured to listen and respond on the secure port:

```
<Aug 12, 2010 12:23:15 PM EDT> <Notice> <Server> <BEA-002613> <Channel "DefaultAdministration" is now listening on 147.141.83.138:60700 for protocols admin, ldaps, https.>
```
Customer has also verified that openSSL is offloading to the hw accelerator, by running `kstat -n ncp0 -s rsaprivate` and seeing the rsaprivate number increasing.
java.security and sunpkcs11-solaris.cfg files are attached along with weblogic log from a run with security debug flag set to all (also included are weblogic policy file and java options). These are in initial_settings* tar file attached.
From these, it was noticed that 1) the settings in pkcs11 config file did not match the log, and 2) JCE provider was being used instead of PKCS provider.
We verified with customer that the /tools/weblogic9/jdk1.5.0_12/jre/lib/security/sunpkcs11-solaris.cfg file was the same one he sent us. However, an anomaly remains, as the initial debug log file reports:
```
Mechanism CKM_RSA_PKCS_KEY_PAIR_GEN:
DISABLED in configuration
```
But the sunpkcs11 config file does not have this mechanism in the disabled list.
For observation 2, we tried disabling JCE provider and seeing what happens, but per the attached noJCE* debug log, it looks like JCE provider is still being used.
Additionally, customer has tried enabling and disabling various mechanisms according to documentation, such as these instructions from "Wire-speed Cryptography for Securing Oracle SOA & Java EE Applications on Solaris (Emphasis on using Sun Chip Multi-threading (CMT) systems)" by Chad Prucha, Solutions Engineer, and Ramesh Nagappan, Security Architect...
Option 2: SSL Acceleration for Weblogic

1. Setup SSL listener for your Weblogic Server instance
   - Follow your Admin guide instructions for configuring SSL
   - Install the SSL certificates
2. Enable cryptographic acceleration for Weblogic SSL by editing JRE's SunPKCS11 provider configuration.
   - SunPKCS#11 provider is a generic provider to utilize any PKCS11 provider implementation.
   - The sunpkcs11 configuration file contains the attributes for accessing the hardware accelerator.
     - Located at <weblogic-java-home>/jre/lib/security/sunpkcs11-solaris.cfg
   - Mechanisms/attributes supported by the underlying hardware accelerator can be enabled or disabled at SunPKCS11 configuration file.
     - Include the RSA mechanisms in disabledMechanisms list of SunPKCS11 softoken.
     - Helps to force those RSA mechanisms performed by NCP (Sun CMT accelerator)
3. Restart the Weblogic server instance.

Example: SunPKCS11 Provider configuration, disabling Soft-token and enabling RSA mechanisms to use HW accelerator

```
name = Solaris
description = SunPKCS11 accessing Solaris Cryptographic Framework
library = /usr/lib/$ISA/libpkcs11.so
handleStartupErrors = ignoreAll
attributes = compatibility
disabledMechanisms = {
CKM_MD2
CKM_MD5
CKM_SHA_1
CKM_SHA256
CKM_SHA384
CKM_SHA512
CKM_DSA_KEY_PAIR_GEN
CKM_SHA1_RSA_PKCS
CKM_MD5_RSA_PKCS
CKM_DSA_SHA1
CKM_TLS_KEY_AND_MAC_DERIVE
CKM_RSA_PKCS_KEY_PAIR_GEN
CKM_SSL3_PRE_MASTER_KEY_GEN
CKM_SSL3_MASTER_KEY_DERIVE
CKM_SSL3_KEY_AND_MAC_DERIVE
CKM_SSL3_MASTER_KEY_DERIVE_DH
CKM_SSL3_MD5_MAC,CKM_SSL3_SHA1_MAC
}
```
Customer disabled all the mechanisms in the example, but still does not see the Weblogic server using the hw accelerator. Also, customer has enabled all mechanisms and that had no effect either.
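The open question in observation 2 above is which provider the JRE really resolves RSA to. The following diagnostic is added here and is not part of the bug report, WebLogic or the JDK; it assumes the provider name SunPKCS11-Solaris, which is what a cfg with `name = Solaris` registers as (override it via the first argument), and it is written to compile on the customer's JDK 5 as well as later releases.

```java
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import javax.crypto.Cipher;

/** Reports which JCA provider this JRE selects for the RSA services an SSL server
 *  exercises, so "SunJCE is used although SunPKCS11-Solaris is listed first" shows
 *  up directly. Run it with the same JRE and java.security that WebLogic uses. */
public class RsaProviderCheck {
    // Service type / algorithm pairs behind an RSA TLS handshake.
    private static final String[][] SERVICES = {
        {"Cipher", "RSA/ECB/PKCS1Padding"},   // decrypting the ClientKeyExchange pre-master secret
        {"Signature", "SHA1withRSA"},          // handshake signatures
        {"KeyFactory", "RSA"},                 // loading the server key from the keystore
        {"KeyPairGenerator", "RSA"},           // the CKM_RSA_PKCS_KEY_PAIR_GEN mechanism in the log
    };
    /** Name of the provider that getInstance() resolves to for this service. */
    static String selectedProvider(String type, String alg) throws Exception {
        if (type.equals("Cipher"))           return Cipher.getInstance(alg).getProvider().getName();
        if (type.equals("Signature"))        return Signature.getInstance(alg).getProvider().getName();
        if (type.equals("KeyFactory"))       return KeyFactory.getInstance(alg).getProvider().getName();
        if (type.equals("KeyPairGenerator")) return KeyPairGenerator.getInstance(alg).getProvider().getName();
        throw new IllegalArgumentException(type);
    }
    /** True if the named provider registers this service under the full or the base algorithm name. */
    static boolean providerOffers(String providerName, String type, String alg) {
        Provider p = Security.getProvider(providerName);
        if (p == null) return false;
        String base = alg.indexOf('/') > 0 ? alg.substring(0, alg.indexOf('/')) : alg;
        return p.getService(type, alg) != null || p.getService(type, base) != null;
    }
    public static void main(String[] args) throws Exception {
        // Assumed provider name: "SunPKCS11-" + the cfg's name attribute (Solaris by default).
        String pkcs11 = args.length > 0 ? args[0] : "SunPKCS11-Solaris";
        System.out.println("Provider order (java.security):");
        Provider[] all = Security.getProviders();
        for (int i = 0; i < all.length; i++) System.out.println("  " + (i + 1) + ". " + all[i].getName());
        if (Security.getProvider(pkcs11) == null) System.out.println("WARNING: " + pkcs11 + " is not installed");
        for (int i = 0; i < SERVICES.length; i++) {
            String type = SERVICES[i][0], alg = SERVICES[i][1], chosen;
            try { chosen = selectedProvider(type, alg); }
            catch (Exception e) { chosen = "none (" + e + ")"; }
            String note = providerOffers(pkcs11, type, alg) ? "" : "  [" + pkcs11 + " does not register this service]";
            System.out.printf("%-16s %-22s -> %s%s%n", type, alg, chosen, note);
        }
    }
}
```

A service that resolves to SunJCE or SunRsaSign while the SunPKCS11 provider does not register it at all cannot be moved to the accelerator by editing disabledMechanisms; that is the situation the linked "PKCS11 should support RSA and RSA/ECB/NoPadding ciphers" issue addresses.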
- backported by
  - JDK-2207033 PKCS11 should support "RSA" and "RSA/ECB/NoPadding" ciphers (Closed)
  - JDK-2205522 PKCS11 should support "RSA" and "RSA/ECB/NoPadding" ciphers (Closed)