The OpenNET Project / Index page

[ новости /+++ | форум | теги | ]

Интерактивная система просмотра системных руководств (man-ов)

 ТемаНаборКатегория 
 
 [Cписок руководств | Печать]

cryptoadm (1)
  • >> cryptoadm (1) ( Solaris man: Команды и прикладные программы пользовательского уровня )
  •  

    NAME

    cryptoadm - cryptographic framework administration
     
    

    SYNOPSIS

    cryptoadm list [-mpv] [provider=provider-name] 
        [mechanism=mechanism-list]
    

    cryptoadm disable
        provider=provider-name mechanism=mechanism-list | random | all
    

    cryptoadm enable
        provider=provider-name mechanism=mechanism-list | random | all
    

    cryptoadm install provider=provider-name
    

    cryptoadm install provider=provider-name 
        [mechanism=mechanism-list]
    

    cryptoadm uninstall provider=provider-name
    

    cryptoadm unload provider=provider-name
    

    cryptoadm refresh
    

    cryptoadm start
    

    cryptoadm stop
    

    cryptoadm --help
    

     

    DESCRIPTION

    The cryptoadm utility displays cryptographic provider information for a system, configures the mechanism policy for each provider, and installs or uninstalls a cryptographic provider. The cryptographic framework supports three types of providers: a user-level provider (a PKCS11 shared library), a kernel software provider (a loadable kernel software module), and a kernel hardware provider (a cryptographic hardware device).

    For kernel software providers, the cryptoadm utility provides the unload subcommand. This subcommand instructs the kernel to unload a kernel software providers.

    For the cryptographic framework's metaslot, the cryptoadm utility provides subcommands to enable and disable the metaslot's features, list metaslot's configuration, specify alternate persistent object storage, and configure the metaslot's mechanism policy.

    Administrators will find it useful to use syslog facilities (see syslogd(1M) and logadm(1M)) to maintain the cryptographic subsystem. Logging can be especially useful under the following circumstances:

    o If kernel-level daemon is dead, all applications fail. You can learn this from syslog and use svcadm(1M) to restart the svc:/system/cryptosvc service.
    o If there are bad providers plugged into the framework, you can learn this from syslog and remove the bad providers from the framework.

    With the exception of the subcommands or options listed below, the cryptoadm command needs to be run by a privileged user.

    o subcommand list, any options
    o subcommand --help
     

    OPTIONS

    The cryptoadm utility has the various combinations of subcommands and options shown below.

    cryptoadm list

    Display the list of installed providers.

    cryptoadm list metaslot

    Display the system-wide configuration for metaslot.

    cryptoadm list -m [ provider=provider-name | metaslot ]

    Display a list of mechanisms that can be used with the installed providers or metaslot. If a provider is specified, display the name of the specified provider and the mechanism list that can be used with that provider. If the metaslot keyword is specified, display the list of mechanisms that can be used with metaslot.

    cryptoadm list -p [ provider=provider-name | metaslot ]

    Display the mechanism policy (that is, which mechanisms are available and which are not) for the installed providers. Also display the provider feature policy or metaslot. If a provider is specified, display the name of the provider with the mechanism policy enforced on it only. If the metaslot keyword is specified, display the mechanism policy enforced on the metaslot.

    cryptoadm list -v provider=provider-name | metaslot

    Display details about the specified provider if a provider is specified. If the metaslot keyword is specified, display details about the metaslot.

    -v

    For the various list subcommands described above (except for list -p), the -v (verbose) option provides details about providers, mechanisms and slots.

    cryptoadm disable provider=provider-name
    [ mechanism=mechanism-list | provider-feature ... | all ]

    Disable the mechanisms or provider features specified for the provider. See OPERANDS for a description of mechanism, provider-feature, and the all keyword.

    cryptoadm [ mechanism=mechanism-list ] [ auto-key-migrate ]

    Disable the metaslot feature in the cryptographic framework or disable some of metaslot's features. If no operand is specified, this command disables the metaslot feature in the cryptographic framework. If a list of mechanisms is specified, disable mechanisms specified for metaslot. If all mechanisms are disabled for metaslot, the metaslot will be disabled. See OPERANDS for a description of mechanism. If the auto-key-migrate keyword is specified, it disables the migration of sensitive token objects to other slots even if it is necessary for performing crypto operations. See OPERANDS for a description of auto-key-migrate.

    cryptoadm enable provider=provider-name
    [ mechanism=mechanism-list | provider-feature ... | all ]

    Enable the mechanisms or provider features specified for the provider. See OPERANDS for a description of mechanism, provider-feature, and the all keyword.

    cryptoadm enable metaslot [ mechanism=mechanism-list ] |
    [ [ token=token-label] [ slot=slot-description] |
    default-keystore ] | [ auto-key-migrate ]

    If no operand is specified, this command enables the metaslot feature in the cryptographic framework. If a list of mechanisms is specified, it enables only the list of specified mechanisms for metaslot. If token-label is specified, the specified token will be used as the persistent object store. If the slot-description is specified, the specified slot will be used as the persistent object store. If both the token-label and the slot-description are specified, the provider with the matching token label and slot description is used as the persistent object store. If the default-keystore keyword is specified, metaslot will use the default persistent object store. If the auto-key-migrate keyword is specified, sensitive token objects will automatically migrate to other slots as needed to complete certain crypto operations. See OPERANDS for a description of mechanism, token, slot, default-keystore, and auto-key-migrate.

    cryptoadm install provider=provider-name

    Install a user-level provider into the system. The provider operand must be an absolute pathname of the corresponding shared library. If there are both 32-bit and 64-bit versions for a library, this command should be run once only with the path name containing $ISA. Note that $ISA is not a reference to an environment variable. Note also that $ISA must be quoted (with single quotes [for example, '$ISA']) or the $ must be escaped to keep it from being incorrectly expanded by the shell. The user-level framework expands $ISA to an empty string or an architecture-specific directory, for example, sparcv9.

    The preferred way of installing a user-level provider is to build a package for the provider. For more information, see the Solaris Security for Developer's Guide.

    cryptoadm install provider=provider-name
    mechanism=mechanism-list

    Install a kernel software provider into the system. The provider should contain the base name only. The mechanism-list operand specifies the complete list of mechanisms to be supported by this provider.

    The preferred way of installing a kernel software provider is to build a package for providers. For more information, see the Solaris Security for Developer's Guide.

    cryptoadm uninstall provider=provider-name

    Uninstall the specified provider and the associated mechanism policy from the system. This subcommand applies only to a user-level provider or a kernel software provider.

    cryptoadm unload provider=provider-name

    Unload the kernel software module specified by provider.

    cryptoadm refresh
    cryptoadm start
    cryptoadm stop

    Private interfaces for use by smf(5), these must not be used directly.

    cryptoadm -help

    Display the command usage.

     

    OPERANDS

    provider=provider-name

    A user-level provider (a PKCS11 shared library), a kernel software provider (a loadable kernel software module), or a kernel hardware provider (a cryptographic hardware device).

    A valid value of the provider operand is one entry from the output of a command of the form: cryptoadm list. A provider operand for a user-level provider is an absolute pathname of the corresponding shared library. A provider operand for a kernel software provider contains a base name only. A provider operand for a kernel hardware provider is in a "name/number" form.

    mechanism=mechanism-list

    A comma separated list of one or more PKCS #11 mechanisms. A process for implementing a cryptographic operation as defined in PKCS #11 specification. You can substitute all for mechanism-list, to specify all mechanisms on a provider. See the discussion of the all keyword, below.

    provider-feature

    A cryptographic framework feature for the given provider. Currently only random is accepted as a feature. For a user-level provider, disabling the random feature makes the PKCS #11 routines C_GenerateRandom and C_SeedRandom unavailable from the provider. For a kernel provider, disabling the random feature prevents /dev/random from gathering random numbers from the provider.

    all

    The keyword all can be used with with the disable and enable subcommands to operate on all provider features.

    token=token-label

    The label of a token in one of the providers in the cryptographic framework.

    A valid value of the token operand is an item displayed under "Token Label" from the output of the command cryptoadm list -v.

    slot=slot-description

    The description of a slot in one of the providers in the cryptographic framework.

    A valid value of the slot operand is an item displayed under "Description" from the output of the command cryptoadm list -v.

    default-keystore

    The keyword default-keystore is valid only for metaslot. Specify this keyword to set the persistent object store for metaslot back to using the default store.

    auto-key-migrate

    The keyword auto-key-migrate is valid only for metaslot. Specify this keyword to configure whether metaslot is allowed to move sensitive token objects from the token object slot to other slots for performing cryptographic operations.

    The keyword all can be used in two ways with the disable and enable subcommands:

    o You can substitute all for mechanism=mechanism-list, as in:

    # cryptoadm enable provider=dca/0 all
    

    This command enables the mechanisms on the provider and any other provider-features, such as random. You can also use all as an argument to mechanism, as in:

    # cryptoadm enable provider=des mechanism=all
    

    ...which enables all mechanisms on the provider, but enables no other provider-features, such as random.

     

    EXAMPLES

    Example 1 Display List of Providers Installed in System

    The following command displays a list of all installed providers:

    example% cryptoadm list
    user-level providers:
    /usr/lib/security/$ISA/pkcs11_kernel.so
    /usr/lib/security/$ISA/pkcs11_softtoken.so
    /opt/lib/libcryptoki.so.1
    /opt/SUNWconn/lib/$ISA/libpkcs11.so.1
     
    kernel software providers:
       des
       aes
       bfish
       sha1
       md5
    
    kernel hardware providers:
       dca/0
    

    Example 2 Display Mechanism List for md5 Provider

    The following command is a variation of the list subcommand:

    example% cryptoadm list -m provider=md5
    md5: CKM_MD5,CKM_MD5_HMAC,CKM_MD5_HMAC_GENERAL
    

    Example 3 Disable Specific Mechanisms for Kernel Software Provider

    The following command disables mechanisms CKM_DES3_ECB and CKM_DES3_CBC for the kernel software provider des:

    example# cryptoadm disable provider=des
    

    Example 4 Display Mechanism Policy for a Provider

    The following command displays the mechanism policy for the des provider:

    example% cryptoadm list -p provider=des
    des: All mechanisms are enabled, except CKM_DES3_ECB, CKM_DES3_CBC
    

    Example 5 Enable Specific Mechanism for a Provider

    The following command enables the CKM_DES3_ECB mechanism for the kernel software provider des:

    example# cryptoadm enable provider=des mechanism=CKM_DES3_ECB
    

    Example 6 Install User-Level Provider

    The following command installs a user-level provider:

    example# cryptoadm install provider=/opt/lib/libcryptoki.so.1
    

    Example 7 Install User-Level Provider That Contains 32- and 64-bit Versions

    The following command installs a user-level provider that contains both 32-bit and 64-bit versions:

    example# cryptoadm install \
    provider=/opt/SUNWconn/lib/'$ISA'/libpkcs11.so.1
    

    Example 8 Uninstall a Provider

    The following command uninstalls the md5 provider:

    example# cryptoadm uninstall provider=md5
    

    Example 9 Disable metaslot

    The following command disables the metaslot feature in the cryptographic framework.

    example# cryptoadm disable metaslot
    

    Example 10 Specify metaslot to Use Specified Token as Persistent Object Store

    The following command specifies that metaslot use the Venus token as the persistent object store.

    example# cryptoadm enable metaslot token="SUNW,venus"
    

     

    EXIT STATUS

    The following exit values are returned:

    0

    Successful completion.

    >0

    An error occurred.

     

    ATTRIBUTES

    See attributes(5) for descriptions of the following attributes:

    ATTRIBUTE TYPEATTRIBUTE VALUE

    AvailabilitySUNWcsu

    Interface Stability

    The start, stop, and refresh options are Private interfaces. All other options are Evolving. The utility name is Stable.  

    SEE ALSO

    logadm(1M), svcadm(1M), syslogd(1M), libpkcs11(3LIB), exec_attr(4), prof_attr(4), attributes(5), smf(5), random(7D)

    Solaris Security for Developer's Guide  

    NOTES

    If a hardware provider's policy was made explicitly (that is, some of its mechanisms were disabled) and the hardware provider has been detached, the policy of this hardware provider is still listed.

    cryptoadm assumes that, minimally, a 32-bit shared object is delivered for each user-level provider. If both a 32-bit and 64-bit shared object are delivered, the two versions must provide the same functionality. The same mechanism policy applies to both.


     

    Index

    NAME
    SYNOPSIS
    DESCRIPTION
    OPTIONS
    OPERANDS
    EXAMPLES
    EXIT STATUS
    ATTRIBUTES
    SEE ALSO
    NOTES


    Поиск по тексту MAN-ов: 




    Партнёры:
    PostgresPro
    Inferno Solutions
    Hosting by Hoster.ru
    Хостинг:

    Закладки на сайте
    Проследить за страницей
    Created 1996-2024 by Maxim Chirkov
    Добавить, Поддержать, Вебмастеру