1 '\" te 2 .\" Copyright (c) 2007, Sun Microsystems, Inc. All Rights Reserved. 3 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. 4 .\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the 5 .\" fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner] 6 .TH CRYPTOADM 1M "Sep 1, 2009" 7 .SH NAME 8 cryptoadm \- cryptographic framework administration 9 .SH SYNOPSIS 10 .LP 11 .nf 12 \fBcryptoadm\fR list [\fB-mpv\fR] [provider=\fIprovider-name\fR] 13 [mechanism=\fImechanism-list\fR] 14 .fi 15 16 .LP 17 .nf 18 \fBcryptoadm\fR disable 19 provider=\fIprovider-name\fR mechanism=\fImechanism-list\fR | random | all 20 .fi 21 22 .LP 23 .nf 24 \fBcryptoadm\fR enable 25 provider=\fIprovider-name\fR mechanism=\fImechanism-list\fR | random | all 26 .fi 27 28 .LP 29 .nf 30 \fBcryptoadm\fR install provider=\fIprovider-name\fR 31 .fi 32 33 .LP 34 .nf 35 \fBcryptoadm\fR install provider=\fIprovider-name\fR 36 [mechanism=\fImechanism-list\fR] 37 .fi 38 39 .LP 40 .nf 41 \fBcryptoadm\fR uninstall provider=\fIprovider-name\fR 42 .fi 43 44 .LP 45 .nf 46 \fBcryptoadm\fR unload provider=\fIprovider-name\fR 47 .fi 48 49 .LP 50 .nf 51 \fBcryptoadm\fR disable fips-140 52 .fi 53 54 .LP 55 .nf 56 \fBcryptoadm\fR enable fips-140 57 .fi 58 59 .LP 60 .nf 61 \fBcryptoadm\fR list fips-140 62 .fi 63 64 .LP 65 .nf 66 \fBcryptoadm\fR refresh 67 .fi 68 69 .LP 70 .nf 71 \fBcryptoadm\fR start 72 .fi 73 74 .LP 75 .nf 76 \fBcryptoadm\fR stop 77 .fi 78 79 .LP 80 .nf 81 \fBcryptoadm\fR \fB-\fR\fB-help\fR 82 .fi 83 84 .SH DESCRIPTION 85 .sp 86 .LP 87 The \fBcryptoadm\fR utility displays cryptographic provider information for a 88 system, configures the mechanism policy for each provider, and installs or 89 uninstalls a cryptographic provider. The cryptographic framework supports three 90 types of providers: a user-level provider (a PKCS11 shared library), a kernel 91 software provider (a loadable kernel software module), and a kernel hardware 92 provider (a cryptographic hardware device). 93 .sp 94 .LP 95 For kernel software providers, the \fBcryptoadm\fR utility provides the 96 \fBunload\fR subcommand. This subcommand instructs the kernel to unload a 97 kernel software providers. 98 .sp 99 .LP 100 For the cryptographic framework's metaslot, the \fBcryptoadm\fR utility 101 provides subcommands to enable and disable the metaslot's features, list 102 metaslot's configuration, specify alternate persistent object storage, and 103 configure the metaslot's mechanism policy. 104 .sp 105 .LP 106 The \fBcryptoadm\fR utility provides subcommands to enable and disable FIPS-140 107 mode in the Cryptographic Framework. It also provides a \fBlist\fR subcommand 108 to display the current status of FIPS-140 mode. 109 .sp 110 .LP 111 Administrators will find it useful to use \fBsyslog\fR facilities (see 112 \fBsyslogd\fR(1M) and \fBlogadm\fR(1M)) to maintain the cryptographic 113 subsystem. Logging can be especially useful under the following circumstances: 114 .RS +4 115 .TP 116 .ie t \(bu 117 .el o 118 If kernel-level daemon is dead, all applications fail. You can learn this from 119 syslog and use \fBsvcadm\fR(1M) to restart the \fBsvc:/system/cryptosvc\fR 120 service. 121 .RE 122 .RS +4 123 .TP 124 .ie t \(bu 125 .el o 126 If there are bad providers plugged into the framework, you can learn this from 127 syslog and remove the bad providers from the framework. 128 .RE 129 .sp 130 .LP 131 With the exception of the subcommands or options listed below, the 132 \fBcryptoadm\fR command needs to be run by a privileged user. 133 .RS +4 134 .TP 135 .ie t \(bu 136 .el o 137 subcommand \fBlist\fR, any options 138 .RE 139 .RS +4 140 .TP 141 .ie t \(bu 142 .el o 143 subcommand \fB-\fR\fB-help\fR 144 .RE 145 .SH OPTIONS 146 .sp 147 .LP 148 The \fBcryptoadm\fR utility has the various combinations of subcommands and 149 options shown below. 150 .sp 151 .ne 2 152 .na 153 \fB\fBcryptoadm\fR \fBlist\fR\fR 154 .ad 155 .sp .6 156 .RS 4n 157 Display the list of installed providers. 158 .RE 159 160 .sp 161 .ne 2 162 .na 163 \fB\fBcryptoadm\fR \fBlist metaslot\fR\fR 164 .ad 165 .sp .6 166 .RS 4n 167 Display the system-wide configuration for metaslot. 168 .RE 169 170 .sp 171 .ne 2 172 .na 173 \fB\fBcryptoadm\fR \fBlist\fR \fB-m\fR \fB[ provider=\fIprovider-name\fR | 174 metaslot ]\fR\fR 175 .ad 176 .sp .6 177 .RS 4n 178 Display a list of mechanisms that can be used with the installed providers or 179 metaslot. If a provider is specified, display the name of the specified 180 provider and the mechanism list that can be used with that provider. If the 181 metaslot keyword is specified, display the list of mechanisms that can be used 182 with metaslot. 183 .RE 184 185 .sp 186 .ne 2 187 .na 188 \fB\fBcryptoadm\fR \fBlist\fR \fB-p\fR \fB[ provider=\fIprovider-name\fR | 189 metaslot ]\fR\fR 190 .ad 191 .sp .6 192 .RS 4n 193 Display the mechanism policy (that is, which mechanisms are available and which 194 are not) for the installed providers. Also display the provider feature policy 195 or metaslot. If a provider is specified, display the name of the provider with 196 the mechanism policy enforced on it only. If the metaslot keyword is specified, 197 display the mechanism policy enforced on the metaslot. 198 .RE 199 200 .sp 201 .ne 2 202 .na 203 \fB\fBcryptoadm\fR \fBlist\fR \fB-v\fR \fBprovider=\fIprovider-name\fR | 204 metaslot\fR\fR 205 .ad 206 .sp .6 207 .RS 4n 208 Display details about the specified provider if a provider is specified. If the 209 metaslot keyword is specified, display details about the metaslot. 210 .RE 211 212 .sp 213 .ne 2 214 .na 215 \fB\fB-v\fR\fR 216 .ad 217 .sp .6 218 .RS 4n 219 For the various \fBlist\fR subcommands described above (except for \fBlist\fR 220 \fB-p\fR), the \fB-v\fR (verbose) option provides details about providers, 221 mechanisms and slots. 222 .RE 223 224 .sp 225 .ne 2 226 .na 227 \fB\fBcryptoadm\fR \fBdisable provider=\fIprovider-name\fR\fR\fR 228 .ad 229 .br 230 .na 231 \fB[ mechanism=\fImechanism-list\fR | \fIprovider-feature\fR \fB\&... |\fR 232 \fBall\fR ]\fR 233 .ad 234 .sp .6 235 .RS 4n 236 Disable the mechanisms or provider features specified for the provider. See 237 OPERANDS for a description of \fImechanism\fR, \fIprovider-feature\fR, and the 238 \fBall\fR keyword. 239 .RE 240 241 .sp 242 .ne 2 243 .na 244 \fB\fBcryptoadm\fR \fB[ mechanism=\fImechanism-list\fR ] [ auto-key-migrate 245 ]\fR\fR 246 .ad 247 .sp .6 248 .RS 4n 249 Disable the metaslot feature in the cryptographic framework or disable some of 250 metaslot's features. If no operand is specified, this command disables the 251 metaslot feature in the cryptographic framework. If a list of mechanisms is 252 specified, disable mechanisms specified for metaslot. If all mechanisms are 253 disabled for metaslot, the metaslot will be disabled. See OPERANDS for a 254 description of mechanism. If the \fBauto-key-migrate\fR keyword is specified, 255 it disables the migration of sensitive token objects to other slots even if it 256 is necessary for performing crypto operations. See OPERANDS for a description 257 of \fBauto-key-migrate\fR. 258 .RE 259 260 .sp 261 .ne 2 262 .na 263 \fB\fBcryptoadm\fR \fBenable provider=\fIprovider-name\fR\fR\fR 264 .ad 265 .br 266 .na 267 \fB[ mechanism=\fImechanism-list\fR | \fIprovider-feature\fR \fB\&... |\fR 268 \fBall\fR ]\fR 269 .ad 270 .sp .6 271 .RS 4n 272 Enable the mechanisms or provider features specified for the provider. See 273 OPERANDS for a description of \fImechanism\fR, \fIprovider-feature\fR, and the 274 \fBall\fR keyword. 275 .RE 276 277 .sp 278 .ne 2 279 .na 280 \fB\fBcryptoadm\fR \fBenable metaslot [ mechanism=\fImechanism-list\fR ] 281 |\fR\fR 282 .ad 283 .br 284 .na 285 \fB\fB[ [ token=\fItoken-label\fR] [ slot=\fIslot-description\fR] |\fR\fR 286 .ad 287 .br 288 .na 289 \fB\fBdefault-keystore ] | [ auto-key-migrate ]\fR\fR 290 .ad 291 .sp .6 292 .RS 4n 293 If no operand is specified, this command enables the metaslot feature in the 294 cryptographic framework. If a list of mechanisms is specified, it enables only 295 the list of specified mechanisms for metaslot. If \fItoken-label\fR is 296 specified, the specified token will be used as the persistent object store. If 297 the \fIslot-description\fR is specified, the specified slot will be used as the 298 persistent object store. If both the \fItoken-label\fR and the 299 \fIslot-description\fR are specified, the provider with the matching token 300 label and slot description is used as the persistent object store. If the 301 \fBdefault-keystore\fR keyword is specified, metaslot will use the default 302 persistent object store. If the \fBauto-key-migrate\fR keyword is specified, 303 sensitive token objects will automatically migrate to other slots as needed to 304 complete certain crypto operations. See OPERANDS for a description of 305 mechanism, token, slot, \fBdefault-keystore\fR, and \fBauto-key-migrate\fR. 306 .RE 307 308 .sp 309 .ne 2 310 .na 311 \fB\fBcryptoadm\fR \fBinstall provider=\fIprovider-name\fR\fR\fR 312 .ad 313 .sp .6 314 .RS 4n 315 Install a user-level provider into the system. The \fIprovider\fR operand must 316 be an absolute pathname of the corresponding shared library. If there are both 317 32-bit and 64-bit versions for a library, this command should be run once only 318 with the path name containing \fB$ISA\fR. Note that \fB$ISA\fR is not a 319 reference to an environment variable. Note also that \fB$ISA\fR must be quoted 320 (with single quotes [for example, \fB\&'$ISA'\fR]) or the \fB$\fR must be 321 escaped to keep it from being incorrectly expanded by the shell. The user-level 322 framework expands \fB$ISA\fR to an empty string or an architecture-specific 323 directory, for example, \fBsparcv9\fR. 324 .sp 325 The preferred way of installing a user-level provider is to build a package for 326 the provider. For more information, see the \fISolaris Security for Developer's 327 Guide\fR. 328 .RE 329 330 .sp 331 .ne 2 332 .na 333 \fB\fBcryptoadm\fR \fBinstall provider=\fIprovider-name\fR\fR\fR 334 .ad 335 .br 336 .na 337 \fBmechanism=\fImechanism-list\fR\fR 338 .ad 339 .sp .6 340 .RS 4n 341 Install a kernel software provider into the system. The provider should contain 342 the base name only. The \fImechanism-list\fR operand specifies the complete 343 list of mechanisms to be supported by this provider. 344 .sp 345 The preferred way of installing a kernel software provider is to build a 346 package for providers. For more information, see the \fISolaris Security for 347 Developer's Guide\fR. 348 .RE 349 350 .sp 351 .ne 2 352 .na 353 \fB\fBcryptoadm\fR \fBuninstall provider=\fIprovider-name\fR\fR\fR 354 .ad 355 .sp .6 356 .RS 4n 357 Uninstall the specified \fIprovider\fR and the associated mechanism policy from 358 the system. This subcommand applies only to a user-level provider or a kernel 359 software provider. 360 .RE 361 362 .sp 363 .ne 2 364 .na 365 \fB\fBcryptoadm\fR \fBunload provider=\fIprovider-name\fR\fR\fR 366 .ad 367 .sp .6 368 .RS 4n 369 Unload the kernel software module specified by \fIprovider\fR. 370 .RE 371 372 .sp 373 .ne 2 374 .na 375 \fB\fBcryptoadm\fR \fBdisable fips-140\fR\fR 376 .ad 377 .sp .6 378 .RS 4n 379 Disable FIPS-140 mode in the Cryptographic Framework. 380 .RE 381 382 .sp 383 .ne 2 384 .na 385 \fB\fBcryptoadm\fR \fBenable fips-140\fR\fR 386 .ad 387 .sp .6 388 .RS 4n 389 Enable FIPS-140 mode in the Cryptographic Framework. This subcommand does not 390 disable the non-FIPS approved algorithms from the user-level 391 \fBpkcs11_softtoken\fR library and the kernel software providers. It is the 392 consumers of the framework that are responsible for using only FIPS-approved 393 algorithms. 394 .sp 395 Upon completion of this subcommand, a message is issued to inform the 396 administrator that any plugins added that are not within the boundary might 397 invalidate FIPS compliance and to check the Security Policies for those 398 plugins. In addition, a warning message is issued to indicate that, in this 399 release, the Cryptographic Framework has not been FIPS 140-2 certified. 400 .sp 401 The system will require a reboot to perform Power-Up Self Tests that include a 402 cryptographic algorithm test and a software integrity test. 403 .RE 404 405 .sp 406 .ne 2 407 .na 408 \fB\fBcryptoadm\fR \fBlist fips-140\fR\fR 409 .ad 410 .sp .6 411 .RS 4n 412 Display the current setting of FIPS-140 mode in the Cryptographic Framework. 413 The status of FIPS-140 mode is \fBenabled\fR or \fBdisabled\fR. The default 414 FIPS-140 mode is \fBdisabled\fR. 415 .RE 416 417 .sp 418 .ne 2 419 .na 420 \fB\fBcryptoadm\fR \fBrefresh\fR\fR 421 .ad 422 .br 423 .na 424 \fB\fBcryptoadm\fR \fBstart\fR\fR 425 .ad 426 .br 427 .na 428 \fB\fBcryptoadm\fR \fBstop\fR\fR 429 .ad 430 .sp .6 431 .RS 4n 432 Private interfaces for use by \fBsmf\fR(5), these must not be used directly. 433 .RE 434 435 .sp 436 .ne 2 437 .na 438 \fB\fBcryptoadm\fR \fB-help\fR\fR 439 .ad 440 .sp .6 441 .RS 4n 442 Display the command usage. 443 .RE 444 445 .SH OPERANDS 446 .sp 447 .ne 2 448 .na 449 \fBprovider=\fIprovider-name\fR\fR 450 .ad 451 .sp .6 452 .RS 4n 453 A user-level provider (a PKCS11 shared library), a kernel software provider (a 454 loadable kernel software module), or a kernel hardware provider (a 455 cryptographic hardware device). 456 .sp 457 A valid value of the \fIprovider\fR operand is one entry from the output of a 458 command of the form: \fBcryptoadm\fR \fIlist\fR. A \fIprovider\fR operand for a 459 user-level provider is an absolute pathname of the corresponding shared 460 library. A \fIprovider\fR operand for a kernel software provider contains a 461 base name only. A \fIprovider\fR operand for a kernel hardware provider is in a 462 "\fIname\fR/\fInumber\fR" form. 463 .RE 464 465 .sp 466 .ne 2 467 .na 468 \fBmechanism=\fImechanism-list\fR\fR 469 .ad 470 .sp .6 471 .RS 4n 472 A comma separated list of one or more PKCS #11 mechanisms. A process for 473 implementing a cryptographic operation as defined in PKCS #11 specification. 474 You can substitute \fBall\fR for \fImechanism-list\fR, to specify all 475 mechanisms on a provider. See the discussion of the \fBall\fR keyword, below. 476 .RE 477 478 .sp 479 .ne 2 480 .na 481 \fB\fIprovider-feature\fR\fR 482 .ad 483 .sp .6 484 .RS 4n 485 A cryptographic framework feature for the given provider. Currently only 486 \fBrandom\fR is accepted as a feature. For a user-level provider, disabling the 487 random feature makes the PKCS #11 routines \fBC_GenerateRandom\fR and 488 \fBC_SeedRandom\fR unavailable from the provider. For a kernel provider, 489 disabling the random feature prevents \fB/dev/random\fR from gathering random 490 numbers from the provider. 491 .RE 492 493 .sp 494 .ne 2 495 .na 496 \fB\fBall\fR\fR 497 .ad 498 .sp .6 499 .RS 4n 500 The keyword all can be used with with the \fBdisable\fR and \fBenable\fR 501 subcommands to operate on all provider features. 502 .RE 503 504 .sp 505 .ne 2 506 .na 507 \fB\fBtoken=\fR\fItoken-label\fR\fR 508 .ad 509 .sp .6 510 .RS 4n 511 The label of a token in one of the providers in the cryptographic framework. 512 .sp 513 A valid value of the token operand is an item displayed under "Token Label" 514 from the output of the command \fBcryptoadm list\fR \fB-v\fR. 515 .RE 516 517 .sp 518 .ne 2 519 .na 520 \fB\fBslot=\fR\fIslot-description\fR\fR 521 .ad 522 .sp .6 523 .RS 4n 524 The description of a slot in one of the providers in the cryptographic 525 framework. 526 .sp 527 A valid value of the slot operand is an item displayed under "Description" from 528 the output of the command \fBcryptoadm list\fR \fB-v\fR. 529 .RE 530 531 .sp 532 .ne 2 533 .na 534 \fB\fBdefault-keystore\fR\fR 535 .ad 536 .sp .6 537 .RS 4n 538 The keyword \fBdefault-keystore\fR is valid only for metaslot. Specify this 539 keyword to set the persistent object store for metaslot back to using the 540 default store. 541 .RE 542 543 .sp 544 .ne 2 545 .na 546 \fB\fBauto-key-migrate\fR\fR 547 .ad 548 .sp .6 549 .RS 4n 550 The keyword auto-key-migrate is valid only for metaslot. Specify this keyword 551 to configure whether metaslot is allowed to move sensitive token objects from 552 the token object slot to other slots for performing cryptographic operations. 553 .RE 554 555 .sp 556 .LP 557 The keyword \fBall\fR can be used in two ways with the \fBdisable\fR and 558 \fBenable\fR subcommands: 559 .RS +4 560 .TP 561 .ie t \(bu 562 .el o 563 You can substitute \fBall\fR for \fBmechanism\fR=\fImechanism-list\fR, as in: 564 .sp 565 .in +2 566 .nf 567 # \fBcryptoadm enable provider=dca/0 all\fR 568 .fi 569 .in -2 570 .sp 571 572 This command enables the mechanisms on the provider \fBand\fR any other 573 provider-features, such as \fBrandom\fR. 574 .sp 575 .in +2 576 .nf 577 # \fBcryptoadm enable provider=des mechanism=all\fR 578 .fi 579 .in -2 580 .sp 581 582 .RE 583 .RS +4 584 .TP 585 .ie t \(bu 586 .el o 587 You can also use \fBall\fR as an argument to \fBmechanism\fR, as in: 588 .sp 589 .in +2 590 .nf 591 # \fBcryptoadm enable provider=des mechanism=all\fR 592 .fi 593 .in -2 594 .sp 595 596 \&...which enables all mechanisms on the provider, but enables no other 597 provider-features, such as \fBrandom\fR. 598 .RE 599 .SH EXAMPLES 600 .LP 601 \fBExample 1 \fRDisplay List of Providers Installed in System 602 .sp 603 .LP 604 The following command displays a list of all installed providers: 605 606 .sp 607 .in +2 608 .nf 609 example% \fBcryptoadm list\fR 610 user-level providers: 611 /usr/lib/security/$ISA/pkcs11_kernel.so 612 /usr/lib/security/$ISA/pkcs11_softtoken.so 613 /opt/lib/libcryptoki.so.1 614 /opt/SUNWconn/lib/$ISA/libpkcs11.so.1 615 616 kernel software providers: 617 des 618 aes 619 bfish 620 sha1 621 md5 622 623 kernel hardware providers: 624 dca/0 625 .fi 626 .in -2 627 .sp 628 629 .LP 630 \fBExample 2 \fRDisplay Mechanism List for \fBmd5\fR Provider 631 .sp 632 .LP 633 The following command is a variation of the \fBlist\fR subcommand: 634 635 .sp 636 .in +2 637 .nf 638 example% \fBcryptoadm list -m provider=md5\fR 639 md5: CKM_MD5,CKM_MD5_HMAC,CKM_MD5_HMAC_GENERAL 640 .fi 641 .in -2 642 .sp 643 644 .LP 645 \fBExample 3 \fRDisable Specific Mechanisms for Kernel Software Provider 646 .sp 647 .LP 648 The following command disables mechanisms \fBCKM_DES3_ECB\fR and 649 \fBCKM_DES3_CBC\fR for the kernel software provider \fBdes\fR: 650 651 .sp 652 .in +2 653 .nf 654 example# \fBcryptoadm disable provider=des\fR 655 .fi 656 .in -2 657 .sp 658 659 .LP 660 \fBExample 4 \fRDisplay Mechanism Policy for a Provider 661 .sp 662 .LP 663 The following command displays the mechanism policy for the \fBdes\fR provider: 664 665 .sp 666 .in +2 667 .nf 668 example% \fBcryptoadm list -p provider=des\fR 669 des: All mechanisms are enabled, except CKM_DES3_ECB, CKM_DES3_CBC 670 .fi 671 .in -2 672 .sp 673 674 .LP 675 \fBExample 5 \fREnable Specific Mechanism for a Provider 676 .sp 677 .LP 678 The following command enables the \fBCKM_DES3_ECB\fR mechanism for the kernel 679 software provider \fBdes\fR: 680 681 .sp 682 .in +2 683 .nf 684 example# \fBcryptoadm enable provider=des mechanism=CKM_DES3_ECB\fR 685 .fi 686 .in -2 687 .sp 688 689 .LP 690 \fBExample 6 \fRInstall User-Level Provider 691 .sp 692 .LP 693 The following command installs a user-level provider: 694 695 .sp 696 .in +2 697 .nf 698 example# \fBcryptoadm install provider=/opt/lib/libcryptoki.so.1\fR 699 .fi 700 .in -2 701 .sp 702 703 .LP 704 \fBExample 7 \fRInstall User-Level Provider That Contains 32- and 64-bit 705 Versions 706 .sp 707 .LP 708 The following command installs a user-level provider that contains both 32-bit 709 and 64-bit versions: 710 711 .sp 712 .in +2 713 .nf 714 example# \fBcryptoadm install \e\fR 715 provider=/opt/SUNWconn/lib/'$ISA'/libpkcs11.so.1 716 .fi 717 .in -2 718 .sp 719 720 .LP 721 \fBExample 8 \fRUninstall a Provider 722 .sp 723 .LP 724 The following command uninstalls the \fBmd5\fR provider: 725 726 .sp 727 .in +2 728 .nf 729 example# \fBcryptoadm uninstall provider=md5\fR 730 .fi 731 .in -2 732 .sp 733 734 .LP 735 \fBExample 9 \fRDisable metaslot 736 .sp 737 .LP 738 The following command disables the metaslot feature in the cryptographic 739 framework. 740 741 .sp 742 .in +2 743 .nf 744 example# \fBcryptoadm disable metaslot\fR 745 .fi 746 .in -2 747 .sp 748 749 .LP 750 \fBExample 10 \fRSpecify metaslot to Use Specified Token as Persistent Object 751 Store 752 .sp 753 .LP 754 The following command specifies that metaslot use the Venus token as the 755 persistent object store. 756 757 .sp 758 .in +2 759 .nf 760 example# \fBcryptoadm enable metaslot token="SUNW,venus"\fR 761 .fi 762 .in -2 763 .sp 764 765 .SH EXIT STATUS 766 .sp 767 .LP 768 The following exit values are returned: 769 .sp 770 .ne 2 771 .na 772 \fB\fB0\fR\fR 773 .ad 774 .sp .6 775 .RS 4n 776 Successful completion. 777 .RE 778 779 .sp 780 .ne 2 781 .na 782 \fB\fB>0\fR\fR 783 .ad 784 .sp .6 785 .RS 4n 786 An error occurred. 787 .RE 788 789 .SH ATTRIBUTES 790 .sp 791 .LP 792 See \fBattributes\fR(5) for descriptions of the following attributes: 793 .sp 794 795 .sp 796 .TS 797 box; 798 c | c 799 l | l . 800 ATTRIBUTE TYPE ATTRIBUTE VALUE 801 _ 802 Interface Stability See below 803 .TE 804 805 .sp 806 .LP 807 The \fBstart\fR, \fBstop\fR, and \fBrefresh\fR options are Private interfaces. 808 All other options are Evolving. The utility name is Stable. 809 .SH SEE ALSO 810 .sp 811 .LP 812 \fBlogadm\fR(1M), \fBsvcadm\fR(1M), \fBsyslogd\fR(1M), \fBlibpkcs11\fR(3LIB), 813 \fBexec_attr\fR(4), \fBprof_attr\fR(4), \fBattributes\fR(5), \fBsmf\fR(5), 814 \fBrandom\fR(7D) 815 .sp 816 .LP 817 818 .sp 819 .LP 820 \fISolaris Security for Developer's Guide\fR 821 .SH NOTES 822 .sp 823 .LP 824 If a hardware provider's policy was made explicitly (that is, some of its 825 mechanisms were disabled) and the hardware provider has been detached, the 826 policy of this hardware provider is still listed. 827 .sp 828 .LP 829 \fBcryptoadm\fR assumes that, minimally, a 32-bit shared object is delivered 830 for each user-level provider. If both a 32-bit and 64-bit shared object are 831 delivered, the two versions must provide the same functionality. The same 832 mechanism policy applies to both.