Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-6994008

PKCS11 should support "RSA" and "RSA/ECB/NoPadding" ciphers

    Details

    • Type: Bug
    • Status: Closed
    • Priority: P2
    • Resolution: Won't Fix
    • Affects Version/s: solaris_10u10, 5.0u12, 7
    • Fix Version/s: 5.0-pool
    • Component/s: security-libs
    • Labels:

      Backports

        Description

        JDK 5.0/Weblogic/Solaris 10 fails to use T2000 onboard crypto accelerator for SSL operations

        customer uses kstat to verify use of ncp0

        bash-3.00# kstat -n ncp0 -s rsaprivate
        module: ncp instance: 0
        name: ncp0 class: misc
                rsaprivate 35247
         
        bash-3.00# kstat -n ncp0 -s rsaprivate
        module: ncp instance: 0
        name: ncp0 class: misc
                rsaprivate 35247

        The rsaprivate number does not increase over time while weblogic is doing ssl ops.

        Customer has verified:

        -that java.security file has pkcs11 provider listed first (default file settings, actually)

        -that he's not using any java options to disable pkcs11 provider.

        -there are crypto operations being performed by WLS

        -that WLS is configured to listen and respond on secure port

        <Aug 12, 2010 12:23:15 PM EDT> <Notice> <Server> <BEA-002613> <Channel "DefaultAdministration" is now listening on 147.141.83.138:60700 for protocols admin, ldaps, https.>
         
        Customer has also verified that openSSL is offloading to the hw accelerator, by running `kstat -n ncp0 -s rsaprivate` and seeing the rsaprivate number increasing.

        java.security and sunpkcs11-solaris.cfg files are attached along with weblogic log from a run with security debug flag set to all (also included are weblogic policy file and java options). These are in initial_settings* tar file attached.

        From these, it was noticed that 1) the settings in pkcs11 config file did not match the log, and 2) JCE provider was being used instead of PKCS provider.

        We verified with customer that the /tools/weblogic9/jdk1.5.0_12/jre/lib/security/sunpkcs11-solaris.cfg file was the same one he sent us. However, an anomaly remains, as the initial debug log file reports:
        Mechanism CKM_RSA_PKCS_KEY_PAIR_GEN:
        DISABLED in configuration

        But the sunpkcs11 config file does not have this mechanism in the disabled list.

        For observation 2, we tried disabling JCE provider and seeing what happens, but per the attached noJCE* debug log, it looks like JCE provider is still being used.

        Additionally, customer has tried enabling and disabling various mechanisms according to documentation, such as these instructions from "Wire-speed Cryptography for Securing Oracle SOA & Java EE Applications on Solaris (Emphasis on using Sun Chip Multi-threading (CMT) systems)" by Chad Prucha, Solutions Engineer, and Ramesh Nagappan, Security Architect...

        Option 2: SSL Acceleration for Weblogic
        1.Setup SSL listener for your Weblogic Server instance
        > Follow your Admin guide instructions for configuring SSL
        > Install the SSL certificates
        2.Enable cryptographic acceleration for Weblogic SSL by
        editing JRE's SunPKCS11 provider configuration.
        > SunPKCS#11 provider is a generic provider to utilize any PKCS11 provider
        implementation.
        > The sunpkcs11 configuration file contains the attributes for accessing the
        hardware accelerator.
        ? Located at <weblogic-java-home>/jre/lib/security/sunpkcs11-solaris.cfg
        > Mechanisms/attributes supported by the underlying hardware accelerator can
        be enabled or disabled at SunPKCS11 configuration file.
        ? Include the RSA mechanisms in disableMechanisms list of SunPKCS11 softoken.
        ? Helps to force those RSA mechanisms performed by NCP (Sun CMT accelerator)
        3.Restart the Weblogic server instance.

        Example: SunPKCS11 Provider configuration
        Disabling Soft-token and enabling RSA mechanisms to use HW accelerator
        name = Solaris
        description = SunPKCS11 accessing Solaris Cryptographic Framework
        library = /usr/lib/$ISA/libpkcs11.so
        handleStartupErrors = ignoreAll
        attributes = compatibility
        disabledMechanisms = {
        CKM_MD2
        CKM_MD5
        CKM_SHA_1
        CKM_SHA256
        CKM_SHA384
        CKM_SHA512
        CKM_DSA_KEY_PAIR_GEN
        CKM_SHA1_RSA_PKCS
        CKM_MD5_RSA_PKCS
        CKM_DSA_SHA1
        CKM_TLS_KEY_AND_MAC_DERIVE
        CKM_RSA_PKCS_KEY_PAIR_GEN
        CKM_SSL3_PRE_MASTER_KEY_GEN
        CKM_SSL3_MASTER_KEY_DERIVE
        CKM_SSL3_KEY_AND_MAC_DERIVE
        CKM_SSL3_MASTER_KEY_DERIVE_DH
        CKM_SSL3_MD5_MAC,CKM_SSL3_SHA1_MAC
        }

        Customer disabled all the mechanisms in the example, but still does not see the Weblogic server using the hw accelerator. Also, customer has enabled all mechanisms and that had no effect either.

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  coffeys Sean Coffey
                  Reporter:
                  spayne Sandra Payne
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  3 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved:
                    Imported:
                    Indexed: