cryptoadm - cryptographic framework administration
cryptoadm list [-mpv] [provider=provider-name] [mechanism=mechanism-list]
cryptoadm disable provider=provider-name mechanism=mechanism-list | random | all
cryptoadm enable provider=provider-name mechanism=mechanism-list | random | all
cryptoadm install provider=provider-name
cryptoadm install provider=provider-name [mechanism=mechanism-list]
cryptoadm uninstall provider=provider-name
cryptoadm unload provider=provider-name
cryptoadm refresh
cryptoadm start
cryptoadm stop
cryptoadm --help
The cryptoadm utility displays cryptographic provider information for a system, configures the mechanism policy for each provider, and installs or uninstalls a cryptographic provider. The cryptographic framework supports three types of providers: a user-level provider (a PKCS11 shared library), a kernel software provider (a loadable kernel software module), and a kernel hardware provider (a cryptographic hardware device).
For kernel software providers, the cryptoadm utility provides the unload subcommand. This subcommand instructs the kernel to unload a kernel software providers.
For the cryptographic framework's metaslot, the cryptoadm utility provides subcommands to enable and disable the metaslot's features, list metaslot's configuration, specify alternate persistent object storage, and configure the metaslot's mechanism policy.
Administrators will find it useful to use syslog facilities (see syslogd(1M) and logadm(1M)) to maintain the cryptographic subsystem. Logging can be especially useful under the following circumstances:
With the exception of the subcommands or options listed below, the cryptoadm command needs to be run by a privileged user.
The cryptoadm utility has the various combinations of subcommands and options shown below.
cryptoadm list
cryptoadm list metaslot
cryptoadm list -m [ provider=provider-name | metaslot ]
cryptoadm list -p [ provider=provider-name | metaslot ]
cryptoadm list -v provider=provider-name | metaslot
-v
cryptoadm disable provider=provider-name
[ mechanism=mechanism-list | provider-feature ... | all ]
cryptoadm [ mechanism=mechanism-list ] [ auto-key-migrate ]
cryptoadm enable provider=provider-name
[ mechanism=mechanism-list | provider-feature ... | all ]
cryptoadm enable metaslot [ mechanism=mechanism-list ] |
[ [ token=token-label] [ slot=slot-description] |
default-keystore
] | [ auto-key-migrate ]
cryptoadm install provider=provider-name
The preferred way of installing a user-level provider is to build a package for the provider. For more information, see the Solaris Security for Developer's Guide.
cryptoadm install provider=provider-name
mechanism=mechanism-list
The preferred way of installing a kernel software provider is to build a package for providers. For more information, see the Solaris Security for Developer's Guide.
cryptoadm uninstall provider=provider-name
cryptoadm unload provider=provider-name
cryptoadm refresh
cryptoadm start
cryptoadm stop
cryptoadm -help
provider=provider-name
A valid value of the provider operand is one entry from the output of a command of the form: cryptoadm list. A provider operand for a user-level provider is an absolute pathname of the corresponding shared library. A provider operand for a kernel software provider contains a base name only. A provider operand for a kernel hardware provider is in a "name/number" form.
mechanism=mechanism-list
provider-feature
all
token=token-label
A valid value of the token operand is an item displayed under "Token Label" from the output of the command cryptoadm list -v.
slot=slot-description
A valid value of the slot operand is an item displayed under "Description" from the output of the command cryptoadm list -v.
default-keystore
auto-key-migrate
The keyword all can be used in two ways with the disable and enable subcommands:
# cryptoadm enable provider=dca/0 all
This command enables the mechanisms on the provider and any other provider-features, such as random. You can also use all as an argument to mechanism, as in:
# cryptoadm enable provider=des mechanism=all
...which enables all mechanisms on the provider, but enables no other provider-features, such as random.
Example 1 Display List of Providers Installed in System
The following command displays a list of all installed providers:
example% cryptoadm list user-level providers: /usr/lib/security/$ISA/pkcs11_kernel.so /usr/lib/security/$ISA/pkcs11_softtoken.so /opt/lib/libcryptoki.so.1 /opt/SUNWconn/lib/$ISA/libpkcs11.so.1 kernel software providers: des aes bfish sha1 md5 kernel hardware providers: dca/0
Example 2 Display Mechanism List for md5 Provider
The following command is a variation of the list subcommand:
example% cryptoadm list -m provider=md5 md5: CKM_MD5,CKM_MD5_HMAC,CKM_MD5_HMAC_GENERAL
Example 3 Disable Specific Mechanisms for Kernel Software Provider
The following command disables mechanisms CKM_DES3_ECB and CKM_DES3_CBC for the kernel software provider des:
example# cryptoadm disable provider=des
Example 4 Display Mechanism Policy for a Provider
The following command displays the mechanism policy for the des provider:
example% cryptoadm list -p provider=des des: All mechanisms are enabled, except CKM_DES3_ECB, CKM_DES3_CBC
Example 5 Enable Specific Mechanism for a Provider
The following command enables the CKM_DES3_ECB mechanism for the kernel software provider des:
example# cryptoadm enable provider=des mechanism=CKM_DES3_ECB
Example 6 Install User-Level Provider
The following command installs a user-level provider:
example# cryptoadm install provider=/opt/lib/libcryptoki.so.1
Example 7 Install User-Level Provider That Contains 32- and 64-bit Versions
The following command installs a user-level provider that contains both 32-bit and 64-bit versions:
example# cryptoadm install \ provider=/opt/SUNWconn/lib/'$ISA'/libpkcs11.so.1
Example 8 Uninstall a Provider
The following command uninstalls the md5 provider:
example# cryptoadm uninstall provider=md5
Example 9 Disable metaslot
The following command disables the metaslot feature in the cryptographic framework.
example# cryptoadm disable metaslot
Example 10 Specify metaslot to Use Specified Token as Persistent Object Store
The following command specifies that metaslot use the Venus token as the persistent object store.
example# cryptoadm enable metaslot token="SUNW,venus"
The following exit values are returned:
0
>0
See attributes(5) for descriptions of the following attributes:
|
The start, stop, and refresh options are Private interfaces. All other options are Evolving. The utility name is Stable.
logadm(1M), svcadm(1M), syslogd(1M), libpkcs11(3LIB), exec_attr(4), prof_attr(4), attributes(5), smf(5), random(7D)
Solaris Security for Developer's Guide
If a hardware provider's policy was made explicitly (that is, some of its mechanisms were disabled) and the hardware provider has been detached, the policy of this hardware provider is still listed.
cryptoadm assumes that, minimally, a 32-bit shared object is delivered for each user-level provider. If both a 32-bit and 64-bit shared object are delivered, the two versions must provide the same functionality. The same mechanism policy applies to both.
Закладки на сайте Проследить за страницей |
Created 1996-2024 by Maxim Chirkov Добавить, Поддержать, Вебмастеру |