To configure SSL monitoring, you must select the SSL engine to be used, which defines the type of accelerator card used or refers to software decryption.
Selecting engine type
The type of the accelerator card is set in the configuration file
rtm.config, in the configuration property named
ssl.engine . The value to use depends on the accelerator card:
nshield(for nShield 32-bit platform)
nfast(for nFast 32-bit platform)
ncipher_pkcs11(for nShield 64-bit platform)
sca6000(for Sun Crypto Accelerator 6000 – supported but not recommended)
Specifying the number of dedicated threads
For the SSL cards that operate in synchronous mode, the NAM Probe spawns dedicated threads to wait for SSL operations on the accelerator. You can increase the number of threads to be executed for the given SSL engine by setting the
ssl.engine.param=*threads* :*number* configuration property in the
rtm.config file. Specifying more than one thread may improve performance, depending on the performance capacity of the card.
The SSL engines for which this setting is supported are:
Specifying the key search criteria for the SSL engine
The following engines distinguish between key identifiers and key labels. Both of these identification methods can be used to identify the keys in the
keylist file. However, you may need to specify the type of identification to be used by editing the
rtm.config file and setting the
searchKeyBy parameter of the
ssl.engine.param property to
label, as appropriate.
Default key identification is by label.
Default key identification is by key identifier.
Applying the configuration changes
When the SSL engine type is chosen and other configuration changed according to your SSL accelerator, apply the changes to the NAM Probe. To do so, log on to the NAM Probe as user root and execute the following commands:
# ndstop # ndstart
This restarts the NAM Probe and applies all of the configuration changes. You can also verify that the changes are applied correctly by using the
rcon command. For more information, see SSLDECR STATUS.