Selecting and configuring SSL engine

To configure SSL monitoring, you must select the SSL engine to use. The engine setting identifies either the type of accelerator card or software decryption.

Selecting engine type

The type of the accelerator card is set in the configuration file rtm.config, in the configuration property named ssl.engine. The value to use depends on the accelerator card:

  • openssl (for OpenSSL)
  • nshield (for nShield 32-bit platform)
  • nfast (for nFast 32-bit platform)
  • ncipher_pkcs11 (for nShield 64-bit platform)
  • nitroxfips (for NITROX)
  • sca6000 (for Sun Crypto Accelerator 6000 – supported but not recommended)

Example usage:

 ssl.engine=nitroxfips

Specifying the number of dedicated threads

For the SSL cards that operate in synchronous mode, the NAM Probe spawns dedicated threads to wait for SSL operations on the accelerator. You can increase the number of threads to be executed for the given SSL engine by setting the ssl.engine.param=threads:number configuration property in the rtm.config file. Specifying more than one thread may improve performance, depending on the performance capacity of the card.

The SSL engines for which this setting is supported are:

  • openssl
  • ncipher_pkcs11
  • sca6000

Specifying the key search criteria for the SSL engine

The following engines distinguish between key identifiers and key labels. Both of these identification methods can be used to identify the keys in the keylist file. However, you may need to specify the type of identification to be used by editing the rtm.config file and setting the searchKeyBy parameter of the ssl.engine.param property to id or label, as appropriate.

ncipher_pkcs11

Default key identification is by label.

sca6000

Default key identification is by key identifier.

Example usage:

 ssl.engine.param=searchKeyBy:id

Applying the configuration changes

After you have chosen the SSL engine type and changed the other configuration settings to match your SSL accelerator, apply the changes to the NAM Probe. To do so, log on to the NAM Probe as user root and execute the following commands:

# ndstop
# ndstart

This restarts the NAM Probe and applies all of the configuration changes. You can also verify that the changes are applied correctly by using the rcon command. For more information, see SSLDECR STATUS.
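
The engine, thread and key-search rules above can be checked against rtm.config before the restart, which also shows which key identification mode will be in effect for the keylist file. The following is an added example, not part of the product or its documentation; the function name, the "#" comment syntax and the use of one name:value pair per ssl.engine.param line are assumptions.

```python
# Added example, not vendor code. Engine names and per-engine rules come from this
# page; "#" comments and one name:value pair per ssl.engine.param line are assumptions.
ENGINES = {"openssl", "nshield", "nfast", "ncipher_pkcs11", "nitroxfips", "sca6000"}
THREAD_ENGINES = {"openssl", "ncipher_pkcs11", "sca6000"}
KEY_SEARCH_DEFAULT = {"ncipher_pkcs11": "label", "sca6000": "id"}

def check_ssl_engine(text):
    """Return (engine, effective searchKeyBy or None, problems) for rtm.config text."""
    engine, params, problems = None, {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if key == "ssl.engine":
            engine = value
        elif key == "ssl.engine.param":
            name, sep, arg = (part.strip() for part in value.partition(":"))
            if sep:
                params[name] = (n, arg)
            else:
                problems.append(f"line {n}: expected name:value, got {value!r}")
    if engine not in ENGINES:
        problems.append(f"ssl.engine is missing or unknown: {engine!r}")
    if "threads" in params:
        n, arg = params["threads"]
        if not arg.isdecimal() or int(arg) < 1:
            problems.append(f"line {n}: threads needs a positive integer, got {arg!r}")
        elif engine in ENGINES - THREAD_ENGINES:
            problems.append(f"line {n}: threads is not supported for {engine}")
    # Defaults differ per engine: label for ncipher_pkcs11, key identifier for sca6000.
    search = KEY_SEARCH_DEFAULT.get(engine)
    if "searchKeyBy" in params:
        n, arg = params["searchKeyBy"]
        if arg not in ("id", "label"):
            problems.append(f"line {n}: searchKeyBy must be id or label, got {arg!r}")
        elif engine in KEY_SEARCH_DEFAULT:
            search = arg
        elif engine in ENGINES:
            problems.append(f"line {n}: searchKeyBy is described only for ncipher_pkcs11 and sca6000")
    return engine, search, problems

# Constructed sample: threads is set for an engine outside the supported list.
SAMPLE = """\
ssl.engine=nitroxfips
ssl.engine.param=threads:4
"""

if __name__ == "__main__":
    print(check_ssl_engine(SAMPLE))
```

The second element of the result is the identification mode that the entries in the keylist file need to match.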