Driver & CSP Setup Guide (Release 1.1)
(Nitrox driver, Cavium SSL csp and IIS configuration)

The release contains the following directories:
- driver : driver and supported files
- tester : programs (NitroxTester.exe and SSLRSA.exe) to test the driver and the csp
- sslcsp : csp and supported files
- docs : nitrox and csp related documents

Before the installation, unzip and copy all these directories to a local directory (let's say c:\install for future references). The driver and the csp will work on Win2000, Win XP and Win 2003. They will also work for both 3.3 volt and 5 volt Nitrox boards.

1. Installing the driver (Win2003):
- Shut down the system and plug in the Nitrox accelerator board.
- Start the system. It will detect the board and the installation wizard will come up (you can also use the add hardware wizard instead).
- Select the advanced option.
- When asked, specify the location of the driver files (e.g. c:\install\driver). The wizard will pick up the inf file and install the supported files.
- After the installation completes, check the device manager to make sure the driver has been installed properly.
- Various driver settings can be configured before and after the installation. Refer to the 'Nitrox-Installatoin And User Guide.doc' document in the 'docs' folder.
- If the driver installation fails, read the section 'Configuring after installation' and get the LastError code. The error code can either be looked up in the source code or you can ask about it by sending e-mail to 'email@example.com' [The error codes will be documented in the 'Nitrox-Installatoin And User Guide.doc' soon].

2. Testing the driver:
- Once the driver has been installed and is shown in the device manager, the test program 'NitroxTester.exe' in the 'tester' folder can be run to make sure the driver is working.
- The program performs three operations: random number generation, 3DES and AES encryption/decryption.
  If you see the results of all three operations without any error message, the driver is working. If you get an error message, there is a problem with the driver installation. Re-install the driver and refer to the 'Nitrox-Installatoin And User Guide.doc' for how to get the error code if the driver fails.

3. Installing the Cavium SSL CSP:
- Run the bat file called 'run.bat' in the 'sslcsp' folder (c:\install\sslcsp\run.bat).
- This will install the csp and add the corresponding entries in the registry.
- You can check whether the csp has been installed correctly by looking at the registry entries (see the section 'Registry Entries and Control flags' of the document 'CaviumCsp-Reference.doc').
- Note: Cavium provides two different csps. This section only explains how to set up the Cavium SSL csp.

4. Testing the Cavium SSL CSP:
- Once the csp has been installed and is shown in the registry, the test program 'SSLRSA.exe' in the 'tester' folder can be run to make sure the csp is running.
- Select option number 2 or 3 (Using Cavium csp) and make sure that valid results are returned and no error is reported. If the test returns an error, this is an indication that the csp is not working. Go through the csp installation procedure again.

5. Setting up IIS:

5.1 Setting up IIS 6.0

5.1.1 IIS6 configuration:
- Right click on the web site you want to run the csp for -> Properties and set the following:
    Web site:
      Uncheck Enable HTTP keep alives
      Uncheck Enable logging
      SSL port should be 443
      TCP port should be 80
    Performance:
      Uncheck limit the network bandwidth
      Unlimited website connections
    Documents:
      Check 'enable default content page', and make sure that the default page is present (for testing, the default page was 'default.htm')

5.1.2 IIS6 Certificate Request Generation:
- Make sure the cavium rsa schannel csp is configured in the registry and its EnableLog property is 0.
- Launch IIS 6.0
- Click Websites -> the website for which you want to get a new certificate
  (in my case it was the default website).
- Right click -> Properties
- Go to Directory Security -> server certificate
- Next -> create new certificate (make sure to remove the existing certificate first, if there is any)
- Prepare the request now, but send it later
- Type the name of the certificate and select the key length (1024)
- Check 'select the cryptographic provider' and select the cavium rsa schannel csp.
- Enter organization and unit
- Enter the site common name
- Enter country, region, state, city etc.
- Enter the file name to store the certificate request.
- Click the Finish button.

5.1.3 Certificate Generation by a CA:
Now the certificate request has been stored in a file. You have to send this request to a CA, get the response and store it in another file. In order to send it to a local CA, follow these steps:
- A certification authority (CA) must be installed on a server that you can access.
- In IE, type "http://<server name or ip address>/CertSrv" to make sure that the server is accessible (server name is the name of the server running the CA).
- Select 'Request a certificate', press Next.
- Select 'Advanced request', and then press Next.
- Select 'Submit a certificate request using a base64 encoding', press Next.
- Copy and paste the saved certificate request and submit.
- Once the certificate has been generated by the CA, download the CA certificate and save it locally.

5.1.4 IIS6 Certificate Installation:
Follow these steps to install the newly generated certificate in IIS 6.
- Go back to IIS and right click website -> website for which the certificate request was generated -> Properties.
- Select Directory Security -> server certificate.
- Process the pending request.
- Specify the file name containing the certificate when asked.
- Select the SSL port number (443).
- Finish

5.2 Setting up IIS 5.0

5.2.1 IIS5 configuration:
- Right click on the web site you want to run the csp for -> Properties and set the options accordingly. Make sure that file logging is disabled to get higher performance.

5.2.2 IIS5 Certificate Request Generation:
- Open the registry editor (start -> run -> regedit)
- Note down the following registry key settings (Name and TypeName):
    HKLM\Software\Microsoft\Cryptography\Provider Types\012\
- Now modify this registry setting:
    HKLM\Software\Microsoft\Cryptography\Provider Types\012\
    Name : change it to Cavium RSA Schannel Cryptographic Provider (make sure it matches the name in \Defaults\Providers - it is very important)
    TypeName : change it to Cavium RSA Schannel Cryptographic Provider (make sure it matches the name in \Defaults\Providers)
- Launch IIS 5.0
- Click Web sites -> the website for which you want to get a new certificate.
- Right click -> Properties
- Go to Directory Security -> server certificate.
- Click 'Server Certificate'. This will display the certificate wizard.
- Type the name of the certificate and select the key length (1024)
- Generate a request for the certificate and save it in a file.
Now follow the steps mentioned in section 5.1.3 to get the certificate.

5.2.3 IIS5 Certificate Installation:
Follow these steps to install the newly generated certificate in IIS 5.
- Go back to IIS and right click website -> website for which the certificate request was generated -> Properties.
- Select Directory Security -> server certificate.
- Process the pending request.
- Specify the file name containing the certificate when asked.
- Finish.
- Open the registry editor (start -> run -> regedit)
- Change the following registry settings to make the Windows SSL csp the default type 012 csp (change the Name and TypeName to the ones noted in the Certificate Request Generation procedure).
    HKLM\Software\Microsoft\Cryptography\Provider Types\012\
    Name : change it to Microsoft Rsa Schannel Cryptographic Provider (make sure it matches the name in \Defaults\Providers - it is very important)
    TypeName : Rsa Schannel
- Close IIS5 and reboot the machine. After boot up, IIS5 will use the new certificate.
- Check that IIS5 is running the recently generated certificate.

Now the new certificate has been imported. Check that its name is correct (Directory Security -> view certificate). If everything is fine, reboot the machine running IIS (you may not need to do this).

You can test the IIS setup by making an https:// request from another machine to the machine running the csp. You should be able to see your default web page. If you cannot see the default page and IE says 'Page cannot be displayed', it means that the csp is not running. Check the entries in the registry and run the csp test program again.

Now you can run your tests on IIS and it will use the Cavium ssl csp.

6. Test setup used for IIS 6 testing:
We used WebBench client and server software. The requests generated by the clients are TLS1.0 with no session resumption. You can also use SSL3.0. A single request from the client performs a full SSL handshake, fetches the 'Default.htm' [1kb] and then terminates the connection.
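
Added example (not part of the Cavium release): an offline check of a registry export for the Type 012 swap in sections 5.2.2 and 5.2.3, confirming that Name points at a registered provider of type 12 before and after the change. It assumes the standard Windows key layout `Defaults\Provider Types\Type 012` and `Defaults\Provider\<name>`, which the guide abbreviates; the sample export and the DLL name are constructed.

```python
import re

# Assumed standard Windows layout of the keys the guide abbreviates.
DEFAULTS = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults"
PROV_RSA_SCHANNEL = 12  # provider type behind "Type 012"

def parse_reg(text):
    """Parse .reg export text into {lowercased key path: {value name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif m and current is not None:
            name, raw = m.groups()
            if raw.startswith("dword:"):
                current[name] = int(raw[6:], 16)
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                current[name] = raw[1:-1].replace("\\\\", "\\")
    return keys

def check_type12(text):
    """Return a list of problems with the default type-12 provider setting."""
    keys = parse_reg(text)
    t12 = keys.get((DEFAULTS + r"\Provider Types\Type 012").lower())
    if not t12 or "Name" not in t12:
        return ["Type 012 key or its Name value is missing"]
    name = t12["Name"]
    # Registry key names compare case-insensitively, hence lower().
    prov = keys.get((DEFAULTS + "\\Provider\\" + name).lower())
    if prov is None:
        return [f"Type 012 Name {name!r} matches no key under Defaults\\Provider"]
    if prov.get("Type") != PROV_RSA_SCHANNEL:
        return [f"{name!r} is registered as type {prov.get('Type')}, not 12"]
    return []

# Constructed sample export, not from a real machine; the DLL name is a placeholder.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Cavium RSA Schannel Cryptographic Provider]
"Type"=dword:0000000c

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 012]
"Name"="Cavium RSA Schannel Cryptographic Provider"
"TypeName"="Cavium RSA Schannel Cryptographic Provider"
'''

if __name__ == "__main__":
    print(check_type12(SAMPLE) or "Type 012 setting is consistent")
```

Exports written by regedit in the "Version 5.00" format are UTF-16, so read the file with `encoding="utf-16"` before passing its text to `check_type12`.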