Driver & CSP Setup Guide (Release 1.1)

snortfearServers

Dec 4, 2013 (3 years and 9 months ago)




(Nitrox driver, Cavium SSL csp and IIS configuration)



The release contains the following directories:

- driver: driver and supported files
- tester: programs (NitroxTester.exe and SSLRSA.exe) to test the driver and the csp
- sslcsp: csp and supported files
- docs: nitrox and csp related documents

Before the installation, unzip and copy all these directories to a local directory (let’s say c:\install for future references).

The driver and the csp will work on Win2000, Win XP and Win 2003. They will also work for both 3.3 volt and 5 volt Nitrox boards.



1. Installing the driver (Win2003):

- Shut down the system and plug in the Nitrox accelerator board.
- Start the system. It will detect the board and the installation wizard will come up (you can also use the add hardware wizard instead).
- Select the advanced option.
- When asked, specify the location where the driver files are (e.g. c:\install\driver). The wizard will pick up the inf file and will install the supported files.
- After the installation completes, check the device manager to make sure the driver has been installed properly.
- Various driver settings can be configured before and after the installation. Refer to the ‘Nitrox-Installatoin And User Guide.doc’ document in the ‘docs’ folder.
- If the driver installation fails, read the section ‘Configuring after installation’ and get the LastError code. The error code can either be looked up in the source code or asked about by sending e-mail to ‘support@cavium.com’ [the error codes will be documented in the ‘Nitrox-Installatoin And User Guide.doc’ soon].



2. Testing the driver:

- Once the driver has been installed and is shown in the device manager, the test program ‘NitroxTester.exe’ in the ‘tester’ folder can be run to make sure the driver is working.
- The program performs three operations: Random number generation, 3DES and AES encryption/decryption. If you see the results of all three operations without any error message, the driver is working. If you get an error message, there is a problem with the driver installation. Re-install the driver and refer to the ‘Nitrox-Installatoin And User Guide.doc’ for how to get the error code if driver fails.




3. Installing the Cavium SSL CSP:

- Run the bat file called ‘run.bat’ in the ‘sslcsp’ folder (c:\install\sslcsp\run.bat).
- This will install the csp and add the corresponding entries in the registry.
- You can check whether the csp has been installed correctly or not by looking at the registry entries (see the section ‘Registry Entries and Control flags’ of the document ‘CaviumCsp-Reference.doc’).
- Note: Cavium provides two different csps. This section only explains how to set up the Cavium SSL csp.



4. Testing the Cavium SSL CSP:

- Once the csp has been installed and is shown in the registry, the test program ‘SSLRSA.exe’ in the ‘tester’ folder can be run to make sure the csp is running.
- Select the option number 2 or 3 (Using Cavium csp) and make sure that valid results are returned and no error is reported. If the test returns an error, this is an indication that the csp is not working. Go through the csp installation procedure again.




5. Setting up IIS:

5.1 Setting up IIS 6.0

5.1.1 IIS 6 configuration:

- Right click on the web site you want to run the csp for -> Properties and set the following:

  Web site:
    Uncheck Enable HTTP keep alives
    Uncheck Enable logging
    SSL port should be 443
    TCP port should be 80

  Performance:
    Uncheck limit the network bandwidth
    Unlimited website connections

  Documents:
    Check enable default content page, and make sure that the default page is present (for testing, the default page was ‘default.htm’)





5.1.2 IIS 6 Certificate Request Generation:

- Make sure the cavium rsa schannel csp is configured in the registry and its EnableLog property is 0.
- Launch IIS 6.0
- Click Websites -> the website for which you want to get a new certificate (in my case it was the default website).
- Right click -> Properties
- Go to directory Security -> server certificate
- Next -> create new certificate (make sure to remove the existing certificate first, if there is any)
- Prepare the request now, but send it later
- Type name of the certificate and select key length (1024)
- Check the 'select the cryptographic provider' and select the cavium rsa schannel csp.
- Enter organization and unit
- Enter Site common name
- Enter country, region, state, city etc.
- Enter file name to store the certificate request.
- Click Finish button.




5.1.3 Certificate Generation by a CA:

Now the certificate request has been stored in a file. You have to send this request to a CA, get the response and store it in another file. In order to send it to a local CA, follow these steps:

- A certification authority (CA) must be installed on a server that you can access.
- In IE, type http://<server name or ip address>/CertSrv to make sure that the server is accessible (server name is the name of the server running the CA).
- Select 'Request a certificate', press Next.
- Select 'Advanced request', and then press next.
- Select 'Submit a certificate request using a base64 encoding', press next.
- Copy and paste the saved certificate request and submit.
- Once the certificate has been generated by the CA, download the CA certificate and save it locally.




5.1.4 IIS6 Certificate Installation:

Follow these steps to install the newly generated certificate in IIS 6.

- Go back to IIS and right click website -> website for which the certificate request was generated -> properties.
- Select Directory security -> server certificate.
- Process the pending request.
- Specify the file name containing the certificate when asked.
- Select SSL port number (443).
- Finish



5.2 Setting up IIS 5.0

5.2.1 IIS 5 configuration:

- Right click on the web site you want to run the csp for -> Properties and set the options accordingly; make sure that the file logging is disabled to get higher performance.



5.2.2 IIS 5 Certificate Request Generation:

- Open the registry editor (start -> run -> regedit)
- Note down the following registry key settings (Name and TypeName):

  HKLM\Software\Microsoft\Cryptography\Provider Types\012\

- Now modify this registry setting:

  HKLM\Software\Microsoft\Cryptography\Provider Types\012\
  Name: change it to Cavium RSA Schannel Cryptographic Provider (make sure it matches with the name in \Defaults\Providers - it is very important)
  TypeName: change it to Cavium RSA Schannel Cryptographic Provider (make sure it matches with the name in \Defaults\Providers)

- Launch IIS 5.0
- Click Web sites -> the website for which you want to get a new certificate.
- Right click -> Properties
- Go to directory Security -> server certificate.
- Click 'Server Certificate'. This will display the certificate wizard.
- Type name of the certificate and select key length (1024)
- Generate a request for the certificate and save it in a file.

Now follow the steps mentioned in section 5.1.3 to get the certificate.



5.2.3 IIS 5 Certificate Installation:

Follow these steps to install the newly generated certificate in IIS 5.

- Go back to IIS and right click website -> website for which the certificate request was generated -> properties.
- Select Directory security -> server certificate.
- Process the pending request.
- Specify the file name containing the certificate when asked.
- Finish.
- Open the registry editor (start -> run -> regedit)
- Change the following registry settings and make the Windows SSL csp the default type 012 csp (change the Name and TypeName to the ones noted in the Certificate Request Generation procedure).

  HKLM\Software\Microsoft\Cryptography\Provider Types\012\
  Name : change it to Microsoft Rsa Schannel Cryptographic Provider (make sure it matches with the name in \Defaults\Providers - it is very important)
  TypeName : Rsa Schannel

- Close IIS 5 and reboot the machine. After boot up, IIS 5 will use the new certificate.
- Check that IIS 5 is running the recently generated certificate.
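
The note-down, modify and restore steps of sections 5.2.2 and 5.2.3 can be scripted so that the original type 012 values are never lost and the key is never pointed at an unregistered provider name. The PowerShell below is an added example, not part of the Cavium release. Its assumptions: the default $TypeKey is the path as printed in this guide, $ProvidersKey must be supplied because the guide gives it only as "\Defaults\Providers", and the backup file location is hypothetical.

```powershell
# Added example, not from the Cavium guide. Run as a script with
# -Action Save, then UseCavium, then (after certificate install) Restore.
param(
    [Parameter(Mandatory = $true)][ValidateSet('Save', 'UseCavium', 'Restore')]
    [string]$Action,
    # Path as printed in the guide; adjust to the key present on the system.
    [string]$TypeKey = 'HKLM:\Software\Microsoft\Cryptography\Provider Types\012',
    # Key whose subkeys are the registered provider names (no default: assumption).
    [string]$ProvidersKey,
    [string]$BackupFile = 'C:\install\type012-backup.xml'   # hypothetical location
)
$ErrorActionPreference = 'Stop'
$cavium = 'Cavium RSA Schannel Cryptographic Provider'     # name given in the guide

function Set-Type012([string]$Name, [string]$TypeName) {
    # Refuse to point type 012 at a provider name that is not registered.
    if (-not $ProvidersKey) { throw 'Pass -ProvidersKey so the name can be checked.' }
    $registered = Get-ChildItem -Path $ProvidersKey | ForEach-Object { $_.PSChildName }
    if ($registered -notcontains $Name) {
        throw "Provider '$Name' not found under $ProvidersKey; nothing changed."
    }
    Set-ItemProperty -Path $TypeKey -Name 'Name' -Value $Name
    Set-ItemProperty -Path $TypeKey -Name 'TypeName' -Value $TypeName
    # Read the values back so the operator sees what is now in effect.
    Get-ItemProperty -Path $TypeKey | Select-Object Name, TypeName
}

switch ($Action) {
    'Save' {
        # "Note down" step: keep the original values; never overwrite a backup.
        if (Test-Path $BackupFile) { throw "$BackupFile exists; keeping the first backup." }
        Get-ItemProperty -Path $TypeKey | Select-Object Name, TypeName |
            Export-Clixml -Path $BackupFile
    }
    'UseCavium' {
        # Section 5.2.2: both values are set to the Cavium provider name.
        if (-not (Test-Path $BackupFile)) { throw 'Run -Action Save first.' }
        Set-Type012 -Name $cavium -TypeName $cavium
    }
    'Restore' {
        # Section 5.2.3: put back the values recorded before the change.
        $old = Import-Clixml -Path $BackupFile
        Set-Type012 -Name $old.Name -TypeName $old.TypeName
    }
}
```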






Now the new certificate has been imported. Check if its name is correct (Directory security -> view certificate). If everything is fine, reboot the machine running IIS (you may not need to do this).

You can test the IIS setup by doing an https:// from another machine to the machine running the csp. You should be able to see your default web page. If you cannot see the default page and IE says 'Page cannot be displayed', it means that the csp is not running. Check the entries in the registry and run the csp test program again.

Now you can run your tests on IIS and it will use the Cavium ssl csp.





6. Test setup used for IIS 6 testing:

We used WebBench client and server software. The requests generated by the clients are TLS1.0 with no session resumption. You can also use SSL 3.0. A single request from the client performs a full SSL handshake, fetches the 'Default.htm' [1kb] and then terminates the connection.