| Skip Navigation Links | |
| Exit Print View | |
 | man pages section 1M: System Administration Commands Oracle Solaris 11 Information Library |
| Skip Navigation Links | |
| Exit Print View | |
| man pages section 1M: System Administration Commands Oracle Solaris 11 Information Library |
- cryptographic framework administration
cryptoadm list [-mpv] [provider=provider-name] [mechanism=mechanism-list]
cryptoadm disable provider=provider-name mechanism=mechanism-list | random | all
cryptoadm enable provider=provider-name mechanism=mechanism-list | random | all
cryptoadm install provider=provider-name
cryptoadm install provider=provider-name [mechanism=mechanism-list]
cryptoadm uninstall provider=provider-name
cryptoadm unload provider=provider-name
cryptoadm disable fips-140
cryptoadm enable fips-140
cryptoadm list fips-140
cryptoadm refresh
cryptoadm start
cryptoadm stop
cryptoadm--help
Thecryptoadm utility displays cryptographic provider information for a system, configures themechanism policy for each provider, and installs or uninstalls a cryptographic provider.The cryptographic framework supports three types of providers: a user-level provider (a PKCS11shared library), a kernel software provider (a loadable kernel software module), anda kernel hardware provider (a cryptographic hardware device).
For kernel software providers, thecryptoadm utility provides theunload subcommand. Thissubcommand instructs the kernel to unload a kernel software providers.
For the cryptographic framework's metaslot, thecryptoadm utility provides subcommands to enableand disable the metaslot's features, list metaslot's configuration, specify alternate persistent objectstorage, and configure the metaslot's mechanism policy.
Thecryptoadm utility provides subcommands to enable and disable FIPS-140 mode inthe Cryptographic Framework. It also provides alist subcommand to display thecurrent status of FIPS-140 mode.
Administrators will find it useful to usesyslog facilities (seesyslogd(1M) andlogadm(1M)) to maintain the cryptographic subsystem. Logging can be especially useful underthe following circumstances:
If kernel-level daemon is dead, all applications fail. You can learn this from syslog and usesvcadm(1M) to restart thesvc:/system/cryptosvc service.
If there are bad providers plugged into the framework, you can learn this from syslog and remove the bad providers from the framework.
With the exception of the subcommands or options listed below, thecryptoadmcommand needs to be run by a privileged user.
subcommandlist, any options
subcommand--help
Thecryptoadm utility has the various combinations of subcommands and options shownbelow.
Display the list of installed providers.
Display the system-wide configuration for metaslot.
Display a list of mechanisms that can be used with the installed providers or metaslot. If a provider is specified, display the name of the specified provider and the mechanism list that can be used with that provider. If the metaslot keyword is specified, display the list of mechanisms that can be used with metaslot.
Display the mechanism policy (that is, which mechanisms are available and which are not) for the installed providers. Also display the provider feature policy or metaslot. If a provider is specified, display the name of the provider with the mechanism policy enforced on it only. If the metaslot keyword is specified, display the mechanism policy enforced on the metaslot.
Display details about the specified provider if a provider is specified. If the metaslot keyword is specified, display details about the metaslot.
For the variouslist subcommands described above (except forlist-p), the-v (verbose) option provides details about providers, mechanisms and slots.
Disable the mechanisms or provider features specified for the provider. See OPERANDS for a description ofmechanism,provider-feature, and theall keyword.
Disable the metaslot feature in the cryptographic framework or disable some of metaslot's features. If no operand is specified, this command disables the metaslot feature in the cryptographic framework. If a list of mechanisms is specified, disable mechanisms specified for metaslot. If all mechanisms are disabled for metaslot, the metaslot will be disabled. See OPERANDS for a description of mechanism. If theauto-key-migrate keyword is specified, it disables the migration of sensitive token objects to other slots even if it is necessary for performing crypto operations. See OPERANDS for a description ofauto-key-migrate.
Enable the mechanisms or provider features specified for the provider. See OPERANDS for a description ofmechanism,provider-feature, and theall keyword.
If no operand is specified, this command enables the metaslot feature in the cryptographic framework. If a list of mechanisms is specified, it enables only the list of specified mechanisms for metaslot. Iftoken-label is specified, the specified token will be used as the persistent object store. If theslot-description is specified, the specified slot will be used as the persistent object store. If both thetoken-label and theslot-description are specified, the provider with the matching token label and slot description is used as the persistent object store. If thedefault-keystore keyword is specified, metaslot will use the default persistent object store. If theauto-key-migrate keyword is specified, sensitive token objects will automatically migrate to other slots as needed to complete certain crypto operations. See OPERANDS for a description of mechanism, token, slot,default-keystore, andauto-key-migrate.
Install a user-level provider into the system. Theprovider operand must be an absolute pathname of the corresponding shared library. If there are both 32–bit and 64–bit versions for a library, this command should be run once only with the path name containing$ISA. Note that$ISA is not a reference to an environment variable. Note also that$ISA must be quoted (with single quotes [for example,'$ISA']) or the$ must be escaped to keep it from being incorrectly expanded by the shell. The user-level framework expands$ISA to an empty string or an architecture-specific directory, for example,sparcv9.
The preferred way of installing a user-level provider is to build a package for the provider. For more information, see theSolaris Security for Developer's Guide.
Install a kernel software provider into the system. The provider should contain the base name only. Themechanism-list operand specifies the complete list of mechanisms to be supported by this provider.
The preferred way of installing a kernel software provider is to build a package for providers. For more information, see theSolaris Security for Developer's Guide.
Uninstall the specifiedprovider and the associated mechanism policy from the system. This subcommand applies only to a user-level provider or a kernel software provider.
Unload the kernel software module specified byprovider.
Disable FIPS-140 mode in the Cryptographic Framework and for hardware providers.
Enable FIPS-140 mode in the Cryptographic Framework and for hardware providers. This subcommand does not disable the non-FIPS approved algorithms from the user-levelpkcs11_softtoken library and the kernel software providers. It is the consumers of the framework that are responsible for using only FIPS-approved algorithms.
Upon completion of this subcommand, a message is issued to inform the administrator that any plugins added that are not within the boundary might invalidate FIPS compliance and to check the Security Policies for those plugins.
The system will require a reboot to perform Power-Up Self Tests that include a cryptographic algorithm test and a software integrity test.
Display the current setting of FIPS-140 mode in the Cryptographic Framework and for hardware providers. The status of FIPS-140 mode isenabled ordisabled. The default FIPS-140 mode isdisabled.
Private interfaces for use bysmf(5), these must not be used directly.
Display the command usage.
A user-level provider (a PKCS11 shared library), a kernel software provider (a loadable kernel software module), or a kernel hardware provider (a cryptographic hardware device).
A valid value of theprovider operand is one entry from the output of a command of the form:cryptoadmlist. Aprovider operand for a user-level provider is an absolute pathname of the corresponding shared library. Aprovider operand for a kernel software provider contains a base name only. Aprovider operand for a kernel hardware provider is in a “name/number” form.
A comma separated list of one or more PKCS #11 mechanisms. A process for implementing a cryptographic operation as defined in PKCS #11 specification. You can substituteall formechanism-list, to specify all mechanisms on a provider. See the discussion of theall keyword, below.
A cryptographic framework feature for the given provider. Currently onlyrandom is accepted as a feature. For a user-level provider, disabling the random feature makes the PKCS #11 routinesC_GenerateRandom andC_SeedRandom unavailable from the provider. For a kernel provider, disabling the random feature prevents/dev/random from gathering random numbers from the provider.
The keywordall can be used with with thedisable andenable subcommands to operate on all provider features.
The label of a token in one of the providers in the cryptographic framework.
A valid value of the token operand is an item displayed under “Token Label” from the output of the commandcryptoadm list-v.
The description of a slot in one of the providers in the cryptographic framework.
A valid value of the slot operand is an item displayed under “Description” from the output of the commandcryptoadm list-v.
The keyworddefault-keystore is valid only for metaslot. Specify this keyword to set the persistent object store for metaslot back to using the default store.
The keyword auto-key-migrate is valid only for metaslot. Specify this keyword to configure whether metaslot is allowed to move sensitive token objects from the token object slot to other slots for performing cryptographic operations.
The keywordall can be used in two ways with thedisableandenable subcommands:
You can substituteall formechanism=mechanism-list and any other provider-features, as in:
#cryptoadm enable provider=dca/0 all
This command enables the mechanisms on the providerand any other provider-features, such asrandom.
You can also useall as an argument tomechanism, as in:
#cryptoadm enable provider=des mechanism=all
...which enables all mechanisms on the provider, but enables no other provider–features, such asrandom.
Example 1 Display List of Providers Installed in System
The following command displays a list of all installed providers:
example%cryptoadm listuser-level providers:/usr/lib/security/$ISA/pkcs11_kernel.so/usr/lib/security/$ISA/pkcs11_softtoken.so/opt/lib/libcryptoki.so.1/opt/system/core-osonn/lib/$ISA/libpkcs11.so.1 kernel software providers: des aes bfish sha1 md5kernel hardware providers: dca/0
Example 2 Display Mechanism List formd5 Provider
The following command is a variation of thelist subcommand:
example%cryptoadm list -m provider=md5md5: CKM_MD5,CKM_MD5_HMAC,CKM_MD5_HMAC_GENERAL
Example 3 Disable Specific Mechanisms for Kernel Software Provider
The following command disables mechanismsCKM_DES3_ECB andCKM_DES3_CBC for the kernel softwareproviderdes:
example#cryptoadm disable provider=des
Example 4 Display Mechanism Policy for a Provider
The following command displays the mechanism policy for thedes provider:
example%cryptoadm list -p provider=desdes: All mechanisms are enabled, except CKM_DES3_ECB, CKM_DES3_CBC
Example 5 Enable Specific Mechanism for a Provider
The following command enables theCKM_DES3_ECB mechanism for the kernel software providerdes:
example#cryptoadm enable provider=des mechanism=CKM_DES3_ECB
Example 6 Install User-Level Provider
The following command installs a user-level provider:
example#cryptoadm install provider=/opt/lib/libcryptoki.so.1
Example 7 Install User-Level Provider That Contains 32– and 64–bit Versions
The following command installs a user-level provider that contains both 32–bit and64–bit versions:
example#cryptoadm install \provider=/opt/system/core-osonn/lib/'$ISA'/libpkcs11.so.1
Example 8 Uninstall a Provider
The following command uninstalls themd5 provider:
example#cryptoadm uninstall provider=md5
Example 9 Disable metaslot
The following command disables the metaslot feature in the cryptographic framework.
example#cryptoadm disable metaslot
Example 10 Specify metaslot to Use Specified Token as Persistent Object Store
The following command specifies that metaslot use the Venus token as thepersistent object store.
example#cryptoadm enable metaslot token="SUNW,venus"
The following exit values are returned:
Successful completion.
An error occurred.
Seeattributes(5) for descriptions of the following attributes:
|
Thestart,stop, andrefresh options are Private interfaces. All other optionsand the utility name are Committed.
logadm(1M),svcadm(1M),syslogd(1M),libpkcs11(3LIB),exec_attr(4),prof_attr(4),attributes(5),smf(5),random(7D)
Oracle Solaris Administration: Security Services
Solaris Security for Developer's Guide
If a hardware provider's policy was made explicitly (that is, some ofits mechanisms were disabled) and the hardware provider has been detached, thepolicy of this hardware provider is still listed.
cryptoadm assumes that, minimally, a 32–bit shared object is delivered for eachuser-level provider. If both a 32–bit and 64–bit shared object are delivered,the two versions must provide the same functionality. The same mechanism policyapplies to both.
Copyright © 2011, Oracle and/or its affiliates. All rights reserved.Legal Notices |   |