SJSAS 8.2EE + pkcs11
I've got a brand new T2000, and I'm trying to make sure that SJSAS 8.2 EE is using its ncp0 SSL accelerator, rather than relying on the rather slow CPU for SSL.
I've read conflicting information about this.
The Sun Blueprint at http://www.sun.com/blueprints/0306/819-5782.pdf suggests that all Java 1.5_06 applications should use this by default.
However in the same Blueprint they suggest that querying the ncp0 module with kstat should show increasing values if the hardware accelerator is being used. (Command is kstat -n ncp0 rsaprivate)
It doesn't seem to be for me, when I hit the SJSAS DAS (and nodeagents) SSL ports.
If I use other applications, including running the OpenSSL rsa test (with -engine pkcs11), this value does increase.
So I'm a little concerned that SJSAS isn't using the SSL accelerator.
Does anybody know if additional config is required to get this going?
Certainly for Sun Java System Webserver, there are additional changes required - including registering the /usr/lib/pkcs11.so PKCS11 library with Sun Web Server using modutil. The Blueprint spells this out.
To me, it looks like similar configuration would be required for SJSAS too.
Any help would be appreciated!
By tourtecha at 2007-11-27 5:10:58

# 1
I've discovered that there are additional steps required to get SJSAS to use the T2000's hardware accelerator. By default, its NSS won't, and will instead use an internal SSL device.
There are loose directions on
http://developers.sun.com/appserver/reference/techart/keymgmt.html
which describe the process of changing the NSS db files for the Application server to use a new "Sun Metaslot" pkcs11 device.
I've been able to get this going, however it's a bit of a manual process to make sure that the secmod.db file gets created properly. Effectively you have to create the nodeagent and then run a few modutil/certutil commands to force the nodeagent to use the pkcs11 hardware device "Sun Metaslot".
I'm concerned that while it works, it's not a very robust solution, and I'm surprised others haven't been frustrated by it. For example, this needs to be done on each nodeagent, and the DAS. Should you later need to re-create the nodeagent, the process must be repeated.
Not only that, but part of the directions seem to be outdated. It doesn't seem necessary to create the pkcs11 J2SE 5.0 configuration file ($AS_INSTALL/mypkcs11.cfg ) as described under the section "Configuration of J2SE 5.0 PKCS#11 Providers".
Still, it seems to work, with kstat reporting the ncp0 device is being used.
Testing will tell if it's functional.
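The kstat check used in the question and in the reply above (does the ncp0 rsaprivate counter move when a TLS handshake hits a given port?) can be scripted so it is repeatable after every nodeagent rebuild. This is an added example, not code from the thread or from the Sun documents; it assumes Solaris kstat(1M) and openssl(1) are on the PATH, that kstat prints one statistic per line with the name in the first column (the sample below is constructed), and that the target host and port are passed as arguments.

```shell
#!/bin/sh
# Verify that a TLS endpoint is using the T2000 ncp0 accelerator by
# comparing the rsaprivate counter before and after one handshake.

# Constructed sample of kstat -n ncp0 output, used only to illustrate the
# line format the parser expects (real output has more statistics).
SAMPLE_KSTAT="module: ncp   instance: 0
name:   ncp0   class:    misc
        rsaprivate                      100
        rsapublic                       7"

# Read kstat-style output on stdin and print the rsaprivate value,
# or -1 if the statistic is not present (e.g. the driver is not loaded).
rsaprivate_count() {
    awk '$1 == "rsaprivate" { print $2; found = 1 }
         END { if (!found) print -1 }'
}

# Classify two counter readings: the counter must advance for the
# handshake to have been served by the hardware RSA engine.
classify_delta() {
    before=$1
    after=$2
    if [ "$before" -lt 0 ] || [ "$after" -lt 0 ]; then
        echo "unknown"            # counter unavailable, cannot conclude
    elif [ "$after" -gt "$before" ]; then
        echo "hw-accelerated"     # ncp0 performed the private-key op
    else
        echo "software"           # handshake completed without ncp0
    fi
}

# Live check against HOST PORT: snapshot, one handshake, snapshot again.
check_port() {
    host=$1
    port=$2
    before=$(kstat -n ncp0 | rsaprivate_count)
    echo | openssl s_client -connect "$host:$port" >/dev/null 2>&1
    after=$(kstat -n ncp0 | rsaprivate_count)
    classify_delta "$before" "$after"
}

# Run the live check only when invoked with arguments, e.g. ./ncpcheck.sh das-host 4848
if [ $# -ge 2 ]; then
    check_port "$1" "$2"
fi
```

Run it once against the DAS port and once against each nodeagent port; a result of "software" after the Sun Metaslot setup means the secmod.db for that instance still points at the internal NSS token.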