SETH STEIN

Experience with IBM 4960 PCI Cryptographic Accelerator on an RS/6000 pSeries 640 box running AIX 4.3.3 and using the card with the Netscape / IPlanet Enterprise Web Server

 
  1. On the pSeries 640 system, be sure you are at system microcode level NAN01184 or later
    > lsattr -El sys0 -a fwversion
    fwversion IBM,NAN01184 Firmware version and revision levels False
    

  2. Install bos.pkcs11 fileset off of the AIX 4.3.3 Additional Device Software CD
    installp bos.pkcs11
    > lslpp -l bos.pkcs11
      Fileset                      Level  State      Description         
      ----------------------------------------------------------------------------
    Path: /usr/lib/objrepos
      bos.pkcs11                4.3.3.51  COMMITTED  Base Operating System PKCS11
                                                     Support
    
    Path: /etc/objrepos
      bos.pkcs11                4.3.3.51  COMMITTED  Base Operating System PKCS11
                                                     Support
    
    This will start up the pkcsslotd daemon and add an entry to /etc/inittab that runs /etc/rc.pkcs11 at system startup.

  3. Install the IBM PCI 4960 Cryptographic Accelerator Card device drivers
    installp devices.pci.1410e601
    > lslpp -l "devices.pci.1410e601*"
      Fileset                      Level  State      Description         
      ----------------------------------------------------------------------------
    Path: /usr/lib/objrepos
      devices.pci.1410e601.diag  4.3.3.0  COMMITTED  IBM Crypto Accelerator Adapter
                                                     Diagnostics 
      devices.pci.1410e601.rte   4.3.3.0  COMMITTED  IBM Crypto Accelerator Adapter
                                                     Software 
    
    Path: /etc/objrepos
      devices.pci.1410e601.rte   4.3.3.0  COMMITTED  IBM Crypto Accelerator Adapter
                                                     Software 
    
    You will probably need to run cfgmgr after this and verify that the system sees the 4960 adapter (lsdev -C | grep ica).

  4. Initialize the PKCS#11 token
    smitty pkcs11
    a. Select "Initialize a Token"
    b. Choose the 4960 adapter
    c. Enter the SO PIN (there is already a default SO PIN set)
    d. Choose a unique label for the token

  5. Change the Security Officer (SO) PIN, if necessary
    smitty pkcs11
    a. Select "Set the Security Officer PIN"
    b. Choose the 4960 adapter
    c. As with the passwd command, enter the current SO PIN and the desired new SO PIN

  6. Initialize the User PIN
    smitty pkcs11
    a. Select "Initialize the User PIN"
    b. Choose the 4960 adapter
    c. Enter the SO PIN and the desired new User PIN

  7. Create a Trust Database through the IPlanet Admin. Server
    a. Choose Security tab.
    b. Choose "Create Database" button.
    c. Enter database password.

  8. Add the adapter's PKCS#11 library as a valid cryptographic module for IPlanet
    /pathto-netscape/bin/https/admin/bin/modutil -dbdir /pathto-netscape/alias/ -add ibm4960 -libfile /usr/lib/pkcs11/PKCS11_API.so

  9. Request/Install Certificate via IPlanet administration interface

  10. Update magnus.conf for the web server
    Add "CERTDefaultNickname [module-name]:[cert-name]" to magnus.conf
    Now when you start up the web server, it will ask for both the Trust Database password and the User PIN for the 4960 adapter.
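
A pre-flight check for steps 1-3 and 10, added here as an example and not part of the original page. The function names are hypothetical, the firmware ordering rule is an assumption, and the sample input is constructed from the output shown above ("Server-Cert" is a made-up certificate name).

```shell
#!/bin/sh
# Added example, not from the original page. Each check reads command output
# on stdin so it can be exercised off-box; on AIX pipe the real command in,
# e.g.  lsattr -El sys0 -a fwversion | fw_at_least NAN01184

# Step 1. Assumption: levels are ordered by their numeric suffix and are only
# comparable when the letter prefix (NAN here) matches. Returns 2 if unknown.
fw_at_least() {
    min=$1
    level=$(awk '$1 == "fwversion" { sub(/^.*,/, "", $2); print $2; exit }')
    [ -n "$level" ] || return 2
    [ "${level%%[0-9]*}" = "${min%%[0-9]*}" ] || return 2
    [ "${level##*[!0-9]}" -ge "${min##*[!0-9]}" ]
}

# Steps 2-3. Pass only if every lslpp -l row for the fileset is COMMITTED or
# APPLIED; a missing or BROKEN fileset fails.
fileset_ok() {
    awk -v fs="$1" '$1 == fs { seen = 1
                        if ($3 != "COMMITTED" && $3 != "APPLIED") bad = 1 }
                    END { exit !(seen && !bad) }'
}

# Step 10. Print the module part of "CERTDefaultNickname module:cert"; fail
# if the directive is absent or carries no "module:" prefix.
nickname_module() {
    awk '$1 == "CERTDefaultNickname" {
             v = $0; sub(/^[ \t]*CERTDefaultNickname[ \t]+/, "", v)
             n = index(v, ":")
             if (n > 1) { print substr(v, 1, n - 1); ok = 1 }
             exit
         }
         END { exit !ok }'
}

# Constructed sample input modelled on the output in steps 1-3; the .rte row
# is deliberately BROKEN and "Server-Cert" is a made-up certificate name.
SAMPLE_FW='fwversion IBM,NAN01184 Firmware version and revision levels False'
SAMPLE_LSLPP='  bos.pkcs11                4.3.3.51  COMMITTED  Base Operating System PKCS11
  devices.pci.1410e601.rte   4.3.3.0  BROKEN     IBM Crypto Accelerator Adapter'
SAMPLE_CONF='CERTDefaultNickname ibm4960:Server-Cert'

report() { if "$@"; then echo "ok:   $*"; else echo "FAIL: $*"; fi; }
printf '%s\n' "$SAMPLE_FW"    | report fw_at_least NAN01184
printf '%s\n' "$SAMPLE_LSLPP" | report fileset_ok bos.pkcs11
printf '%s\n' "$SAMPLE_LSLPP" | report fileset_ok devices.pci.1410e601.rte
printf '%s\n' "$SAMPLE_CONF"  | report nickname_module
```

The module name printed by nickname_module should match the name given to modutil -add in step 8 (ibm4960 on this page).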


stein insert_at_sign_here alumni.duke.edu
This document last modified: Saturday, 06-Aug-05 19:25:26