Справочник Пользователя для Sun Microsystems Sun Crypto Accelerator 4000
86
Sun Crypto Accelerator 4000 Board Installation and User’s Guide • May 2003
Concepts and Terminology
Keystores and users must be created for applications that communicate with the Sun
Crypto Accelerator 4000 board through a PKCS#11 interface, such as the Sun ONE
Web Server.
Crypto Accelerator 4000 board through a PKCS#11 interface, such as the Sun ONE
Web Server.
Users, within the context of the Sun Crypto Accelerator 4000, are owners of
cryptographic keying material. Each key is owned by a single user. Each user may
own multiple keys. A user may want to own multiple keys to support different
configurations, such as a
cryptographic keying material. Each key is owned by a single user. Each user may
own multiple keys. A user may want to own multiple keys to support different
configurations, such as a
production
key and a
development
key (to reflect the
organizations the user is supporting).
Note –
The term user or user account refers to Sun Crypto Accelerator 4000 users
created in
vcaadm
, not traditional UNIX user accounts. There is no fixed mapping
between UNIX user names and Sun Crypto Accelerator 4000 user names.
A keystore is a repository for key material. Associated with a keystore are security
officers and users. Keystores not only provide storage, but a means for key objects to
be owned by user accounts. This allows keys to be hidden from applications that do
not authenticate as the owner. Keystores have three components:
officers and users. Keystores not only provide storage, but a means for key objects to
be owned by user accounts. This allows keys to be hidden from applications that do
not authenticate as the owner. Keystores have three components:
■
Key objects – Long-term keys that are stored for applications such as the Sun
ONE Web Server.
ONE Web Server.
■
User accounts – These accounts provide applications a means to authenticate and
access specific keys
access specific keys
■
Security officer accounts – These accounts provide access to key management
functions through
functions through
vcaadm
.
Note –
A single Sun Crypto Accelerator 4000 board must have exactly one keystore.
Multiple Sun Crypto Accelerator 4000 boards can be configured to collectively work
with the same keystore to provide additional performance and fault-tolerance.
with the same keystore to provide additional performance and fault-tolerance.
A typical installation contains a single keystore with a single user. For example, such
a configuration might consist of a single keystore web_server and a single user within
that keystore, web_admin. This would allow the user web_admin to own and maintain
access control of the server keys within that single keystore.
a configuration might consist of a single keystore web_server and a single user within
that keystore, web_admin. This would allow the user web_admin to own and maintain
access control of the server keys within that single keystore.
An administrative tool,
vcaadm
, is used to manage Sun Crypto Accelerator 4000
keystores and users. Refer to “Managing Keystores With vcaadm” on page 69.