'\" te
.\" Copyright (c) 2007, Sun Microsystems, Inc. All Rights Reserved.
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
.\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the
.\" fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH CRYPTOADM 1M "Sep 1, 2009"
.SH NAME
cryptoadm \- cryptographic framework administration
.SH SYNOPSIS
.nf
\fBcryptoadm\fR list [\fB-mpv\fR] [provider=\fIprovider-name\fR]
     [mechanism=\fImechanism-list\fR]
.fi

.LP
.nf
\fBcryptoadm\fR disable
     provider=\fIprovider-name\fR mechanism=\fImechanism-list\fR | random | all
.fi

.LP
.nf
\fBcryptoadm\fR enable
     provider=\fIprovider-name\fR mechanism=\fImechanism-list\fR | random | all
.fi

.LP
.nf
\fBcryptoadm\fR install provider=\fIprovider-name\fR
.fi

.LP
.nf
\fBcryptoadm\fR install provider=\fIprovider-name\fR
     [mechanism=\fImechanism-list\fR]
.fi

.LP
.nf
\fBcryptoadm\fR uninstall provider=\fIprovider-name\fR
.fi

.LP
.nf
\fBcryptoadm\fR unload provider=\fIprovider-name\fR
.fi

.LP
.nf
\fBcryptoadm\fR disable fips-140
.fi

.LP
.nf
\fBcryptoadm\fR enable fips-140
.fi

.LP
.nf
\fBcryptoadm\fR list fips-140
.fi

.LP
.nf
\fBcryptoadm\fR refresh
.fi

.LP
.nf
\fBcryptoadm\fR start
.fi

.LP
.nf
\fBcryptoadm\fR stop
.fi

.LP
.nf
\fBcryptoadm\fR \fB-\fR\fB-help\fR
.fi

.SH DESCRIPTION
The \fBcryptoadm\fR utility displays cryptographic provider information for a
system, configures the mechanism policy for each provider, and installs or
uninstalls a cryptographic provider. The cryptographic framework supports three
types of providers: a user-level provider (a PKCS11 shared library), a kernel
software provider (a loadable kernel software module), and a kernel hardware
provider (a cryptographic hardware device).
.sp
.LP
For kernel software providers, the \fBcryptoadm\fR utility provides the
\fBunload\fR subcommand. This subcommand instructs the kernel to unload a
kernel software provider.
.sp
.LP
For the cryptographic framework's metaslot, the \fBcryptoadm\fR utility
provides subcommands to enable and disable the metaslot's features, list
metaslot's configuration, specify alternate persistent object storage, and
configure the metaslot's mechanism policy.
.sp
.LP
The \fBcryptoadm\fR utility provides subcommands to enable and disable FIPS-140
mode in the Cryptographic Framework. It also provides a \fBlist\fR subcommand
to display the current status of FIPS-140 mode.
.sp
.LP
Administrators will find it useful to use \fBsyslog\fR facilities (see
\fBsyslogd\fR(1M) and \fBlogadm\fR(1M)) to maintain the cryptographic
subsystem. Logging can be especially useful under the following circumstances:
.RS +4
.TP
.ie t \(bu
.el o
If the kernel-level daemon is dead, all applications fail. You can learn this
from syslog and use \fBsvcadm\fR(1M) to restart the
\fBsvc:/system/cryptosvc\fR service.
.RE
.RS +4
.TP
.ie t \(bu
.el o
If there are bad providers plugged into the framework, you can learn this from
syslog and remove the bad providers from the framework.
.RE
.sp
.LP
With the exception of the subcommands or options listed below, the
\fBcryptoadm\fR command needs to be run by a privileged user.
.RS +4
.TP
.ie t \(bu
.el o
subcommand \fBlist\fR, any options
.RE
.RS +4
.TP
.ie t \(bu
.el o
subcommand \fB-\fR\fB-help\fR
.RE
.SH OPTIONS
The \fBcryptoadm\fR utility has the various combinations of subcommands and
options shown below.
.sp
.ne 2
.na
\fB\fBcryptoadm\fR \fBlist\fR\fR
.ad
.sp .6
.RS 4n
Display the list of installed providers.
.RE

.sp
.ne 2
.na
\fB\fBcryptoadm\fR \fBlist metaslot\fR\fR
.ad
.sp .6
.RS 4n
Display the system-wide configuration for metaslot.
.RE

.sp
.ne 2
.na
\fB\fBcryptoadm\fR \fBlist\fR \fB-m\fR \fB[ provider=\fIprovider-name\fR |
metaslot ]\fR\fR
.ad
.sp .6
.RS 4n
Display a list of mechanisms that can be used with the installed providers or
metaslot. If a provider is specified, display the name of the specified
provider and the mechanism list that can be used with that provider. If the
metaslot keyword is specified, display the list of mechanisms that can be used
with metaslot.
.RE

.sp
.ne 2
.na
\fB\fBcryptoadm\fR \fBlist\fR \fB-p\fR \fB[ provider=\fIprovider-name\fR |
metaslot ]\fR\fR
.ad
.sp .6
.RS 4n
Display the mechanism policy (that is, which mechanisms are available and which
are not) for the installed providers. Also display the provider feature policy
or metaslot. If a provider is specified, display the name of the provider with
the mechanism policy enforced on it only. If the metaslot keyword is specified,
display the mechanism policy enforced on the metaslot.
.RE

.sp
.ne 2
.na
\fB\fBcryptoadm\fR \fBlist\fR \fB-v\fR \fBprovider=\fIprovider-name\fR |
metaslot\fR\fR
.ad
.sp .6
.RS 4n
Display details about the specified provider if a provider is specified. If the
metaslot keyword is specified, display details about the metaslot.
.RE

.sp
.ne 2
.na
\fB\fB-v\fR\fR
.ad
.sp .6
.RS 4n
For the various \fBlist\fR subcommands described above (except for \fBlist\fR
\fB-p\fR), the \fB-v\fR (verbose) option provides details about providers,
mechanisms and slots.
.RE

.sp
.ne 2
.na
\fB\fBcryptoadm\fR \fBdisable provider=\fIprovider-name\fR\fR\fR
.ad
.br
.na
\fB[ mechanism=\fImechanism-list\fR | \fIprovider-feature\fR \fB\&... |\fR
\fBall\fR ]\fR
.ad
.sp .6
.RS 4n
Disable the mechanisms or provider features specified for the provider. See
OPERANDS for a description of \fImechanism\fR, \fIprovider-feature\fR, and the
\fBall\fR keyword.
.RE

.sp
.ne 2
.na
\fB\fBcryptoadm\fR \fBdisable metaslot [ mechanism=\fImechanism-list\fR ]
[ auto-key-migrate ]\fR\fR
.ad
.sp .6
.RS 4n
Disable the metaslot feature in the cryptographic framework or disable some of
metaslot's features. If no operand is specified, this command disables the
metaslot feature in the cryptographic framework. If a list of mechanisms is
specified, disable mechanisms specified for metaslot. If all mechanisms are
disabled for metaslot, the metaslot will be disabled. See OPERANDS for a
description of mechanism. If the \fBauto-key-migrate\fR keyword is specified,
it disables the migration of sensitive token objects to other slots even if it
is necessary for performing crypto operations. See OPERANDS for a description
of \fBauto-key-migrate\fR.
.RE

.sp
.ne 2
.na
\fB\fBcryptoadm\fR \fBenable provider=\fIprovider-name\fR\fR\fR
.ad
.br
.na
\fB[ mechanism=\fImechanism-list\fR | \fIprovider-feature\fR \fB\&... |\fR
\fBall\fR ]\fR
.ad
.sp .6
.RS 4n
Enable the mechanisms or provider features specified for the provider. See
OPERANDS for a description of \fImechanism\fR, \fIprovider-feature\fR, and the
\fBall\fR keyword.
.RE

.sp
.ne 2
.na
\fB\fBcryptoadm\fR \fBenable metaslot [ mechanism=\fImechanism-list\fR ]
|\fR\fR
.ad
.br
.na
\fB\fB[ [ token=\fItoken-label\fR] [ slot=\fIslot-description\fR] |\fR\fR
.ad
.br
.na
\fB\fBdefault-keystore ] | [ auto-key-migrate ]\fR\fR
.ad
.sp .6
.RS 4n
If no operand is specified, this command enables the metaslot feature in the
cryptographic framework. If a list of mechanisms is specified, it enables only
the list of specified mechanisms for metaslot. If \fItoken-label\fR is
specified, the specified token will be used as the persistent object store. If
the \fIslot-description\fR is specified, the specified slot will be used as the
persistent object store. If both the \fItoken-label\fR and the
\fIslot-description\fR are specified, the provider with the matching token
label and slot description is used as the persistent object store. If the
\fBdefault-keystore\fR keyword is specified, metaslot will use the default
persistent object store. If the \fBauto-key-migrate\fR keyword is specified,
sensitive token objects will automatically migrate to other slots as needed to
complete certain crypto operations. See OPERANDS for a description of
mechanism, token, slot, \fBdefault-keystore\fR, and \fBauto-key-migrate\fR.
.RE

.sp
.ne 2
.na
\fB\fBcryptoadm\fR \fBinstall provider=\fIprovider-name\fR\fR\fR
.ad
.sp .6
.RS 4n
Install a user-level provider into the system.
The \fIprovider\fR operand must
be an absolute pathname of the corresponding shared library. If there are both
32-bit and 64-bit versions for a library, this command should be run once only
with the path name containing \fB$ISA\fR. Note that \fB$ISA\fR is not a
reference to an environment variable. Note also that \fB$ISA\fR must be quoted
(with single quotes [for example, \fB\&'$ISA'\fR]) or the \fB$\fR must be
escaped to keep it from being incorrectly expanded by the shell. The user-level
framework expands \fB$ISA\fR to an empty string or an architecture-specific
directory, for example, \fBsparcv9\fR.
.sp
The preferred way of installing a user-level provider is to build a package for
the provider. For more information, see the \fISolaris Security for Developer's
Guide\fR.
.RE

.sp
.ne 2
.na
\fB\fBcryptoadm\fR \fBinstall provider=\fIprovider-name\fR\fR\fR
.ad
.br
.na
\fBmechanism=\fImechanism-list\fR\fR
.ad
.sp .6
.RS 4n
Install a kernel software provider into the system. The provider should contain
the base name only. The \fImechanism-list\fR operand specifies the complete
list of mechanisms to be supported by this provider.
.sp
The preferred way of installing a kernel software provider is to build a
package for providers. For more information, see the \fISolaris Security for
Developer's Guide\fR.
.RE

.sp
.ne 2
.na
\fB\fBcryptoadm\fR \fBuninstall provider=\fIprovider-name\fR\fR\fR
.ad
.sp .6
.RS 4n
Uninstall the specified \fIprovider\fR and the associated mechanism policy from
the system. This subcommand applies only to a user-level provider or a kernel
software provider.
.RE

.sp
.ne 2
.na
\fB\fBcryptoadm\fR \fBunload provider=\fIprovider-name\fR\fR\fR
.ad
.sp .6
.RS 4n
Unload the kernel software module specified by \fIprovider\fR.
.RE

.sp
.ne 2
.na
\fB\fBcryptoadm\fR \fBdisable fips-140\fR\fR
.ad
.sp .6
.RS 4n
Disable FIPS-140 mode in the Cryptographic Framework.
.RE

.sp
.ne 2
.na
\fB\fBcryptoadm\fR \fBenable fips-140\fR\fR
.ad
.sp .6
.RS 4n
Enable FIPS-140 mode in the Cryptographic Framework. This subcommand does not
disable the non-FIPS approved algorithms from the user-level
\fBpkcs11_softtoken\fR library and the kernel software providers. It is the
consumers of the framework that are responsible for using only FIPS-approved
algorithms.
.sp
Upon completion of this subcommand, a message is issued to inform the
administrator that any plugins added that are not within the boundary might
invalidate FIPS compliance and to check the Security Policies for those
plugins. In addition, a warning message is issued to indicate that, in this
release, the Cryptographic Framework has not been FIPS 140-2 certified.
.sp
The system will require a reboot to perform Power-Up Self Tests that include a
cryptographic algorithm test and a software integrity test.
.RE

.sp
.ne 2
.na
\fB\fBcryptoadm\fR \fBlist fips-140\fR\fR
.ad
.sp .6
.RS 4n
Display the current setting of FIPS-140 mode in the Cryptographic Framework.
The status of FIPS-140 mode is \fBenabled\fR or \fBdisabled\fR. The default
FIPS-140 mode is \fBdisabled\fR.
.RE

.sp
.ne 2
.na
\fB\fBcryptoadm\fR \fBrefresh\fR\fR
.ad
.br
.na
\fB\fBcryptoadm\fR \fBstart\fR\fR
.ad
.br
.na
\fB\fBcryptoadm\fR \fBstop\fR\fR
.ad
.sp .6
.RS 4n
Private interfaces for use by \fBsmf\fR(5). These must not be used directly.
.RE

.sp
.ne 2
.na
\fB\fBcryptoadm\fR \fB-\fR\fB-help\fR\fR
.ad
.sp .6
.RS 4n
Display the command usage.
.RE

.SH OPERANDS
.ne 2
.na
\fBprovider=\fIprovider-name\fR\fR
.ad
.sp .6
.RS 4n
A user-level provider (a PKCS11 shared library), a kernel software provider (a
loadable kernel software module), or a kernel hardware provider (a
cryptographic hardware device).
.sp
A valid value of the \fIprovider\fR operand is one entry from the output of a
command of the form: \fBcryptoadm\fR \fIlist\fR. A \fIprovider\fR operand for a
user-level provider is an absolute pathname of the corresponding shared
library. A \fIprovider\fR operand for a kernel software provider contains a
base name only. A \fIprovider\fR operand for a kernel hardware provider is in a
"\fIname\fR/\fInumber\fR" form.
.RE

.sp
.ne 2
.na
\fBmechanism=\fImechanism-list\fR\fR
.ad
.sp .6
.RS 4n
A comma-separated list of one or more PKCS #11 mechanisms. A mechanism is a
process for implementing a cryptographic operation, as defined in the PKCS #11
specification. You can substitute \fBall\fR for \fImechanism-list\fR, to
specify all mechanisms on a provider. See the discussion of the \fBall\fR
keyword, below.
.RE

.sp
.ne 2
.na
\fB\fIprovider-feature\fR\fR
.ad
.sp .6
.RS 4n
A cryptographic framework feature for the given provider. Currently only
\fBrandom\fR is accepted as a feature. For a user-level provider, disabling the
random feature makes the PKCS #11 routines \fBC_GenerateRandom\fR and
\fBC_SeedRandom\fR unavailable from the provider. For a kernel provider,
disabling the random feature prevents \fB/dev/random\fR from gathering random
numbers from the provider.
.RE

.sp
.ne 2
.na
\fB\fBall\fR\fR
.ad
.sp .6
.RS 4n
The keyword \fBall\fR can be used with the \fBdisable\fR and \fBenable\fR
subcommands to operate on all provider features.
.RE

.sp
.ne 2
.na
\fB\fBtoken=\fR\fItoken-label\fR\fR
.ad
.sp .6
.RS 4n
The label of a token in one of the providers in the cryptographic framework.
.sp
A valid value of the token operand is an item displayed under "Token Label"
from the output of the command \fBcryptoadm list\fR \fB-v\fR.
.RE

.sp
.ne 2
.na
\fB\fBslot=\fR\fIslot-description\fR\fR
.ad
.sp .6
.RS 4n
The description of a slot in one of the providers in the cryptographic
framework.
.sp
A valid value of the slot operand is an item displayed under "Description" from
the output of the command \fBcryptoadm list\fR \fB-v\fR.
.RE

.sp
.ne 2
.na
\fB\fBdefault-keystore\fR\fR
.ad
.sp .6
.RS 4n
The keyword \fBdefault-keystore\fR is valid only for metaslot. Specify this
keyword to set the persistent object store for metaslot back to using the
default store.
.RE

.sp
.ne 2
.na
\fB\fBauto-key-migrate\fR\fR
.ad
.sp .6
.RS 4n
The keyword auto-key-migrate is valid only for metaslot. Specify this keyword
to configure whether metaslot is allowed to move sensitive token objects from
the token object slot to other slots for performing cryptographic operations.
.RE

.sp
.LP
The keyword \fBall\fR can be used in two ways with the \fBdisable\fR and
\fBenable\fR subcommands:
.RS +4
.TP
.ie t \(bu
.el o
You can substitute \fBall\fR for \fBmechanism\fR=\fImechanism-list\fR, as in:
.sp
.in +2
.nf
# \fBcryptoadm enable provider=dca/0 all\fR
.fi
.in -2
.sp

This command enables the mechanisms on the provider \fBand\fR any other
provider-features, such as \fBrandom\fR.
.RE
.RS +4
.TP
.ie t \(bu
.el o
You can also use \fBall\fR as an argument to \fBmechanism\fR, as in:
.sp
.in +2
.nf
# \fBcryptoadm enable provider=des mechanism=all\fR
.fi
.in -2
.sp

\&...which enables all mechanisms on the provider, but enables no other
provider-features, such as \fBrandom\fR.
.RE
.SH EXAMPLES
\fBExample 1 \fRDisplay List of Providers Installed in System
.sp
.LP
The following command displays a list of all installed providers:

.sp
.in +2
.nf
example% \fBcryptoadm list\fR
user-level providers:
    /usr/lib/security/$ISA/pkcs11_kernel.so
    /usr/lib/security/$ISA/pkcs11_softtoken.so
    /opt/lib/libcryptoki.so.1
    /opt/SUNWconn/lib/$ISA/libpkcs11.so.1

kernel software providers:
    des
    aes
    bfish
    sha1
    md5

kernel hardware providers:
    dca/0
.fi
.in -2
.sp

.LP
\fBExample 2 \fRDisplay Mechanism List for \fBmd5\fR Provider
.sp
.LP
The following command is a variation of the \fBlist\fR subcommand:

.sp
.in +2
.nf
example% \fBcryptoadm list -m provider=md5\fR
md5: CKM_MD5,CKM_MD5_HMAC,CKM_MD5_HMAC_GENERAL
.fi
.in -2
.sp

.LP
\fBExample 3 \fRDisable Specific Mechanisms for Kernel Software Provider
.sp
.LP
The following command disables mechanisms \fBCKM_DES3_ECB\fR and
\fBCKM_DES3_CBC\fR for the kernel software provider \fBdes\fR:

.sp
.in +2
.nf
example# \fBcryptoadm disable provider=des mechanism=CKM_DES3_ECB,CKM_DES3_CBC\fR
.fi
.in -2
.sp

.LP
\fBExample 4 \fRDisplay Mechanism Policy for a Provider
.sp
.LP
The following command displays the mechanism policy for the \fBdes\fR provider:

.sp
.in +2
.nf
example% \fBcryptoadm list -p provider=des\fR
des: All mechanisms are enabled, except CKM_DES3_ECB, CKM_DES3_CBC
.fi
.in -2
.sp

.LP
\fBExample 5 \fREnable Specific Mechanism for a Provider
.sp
.LP
The following command enables the \fBCKM_DES3_ECB\fR mechanism for the kernel
software provider \fBdes\fR:

.sp
.in +2
.nf
example# \fBcryptoadm enable provider=des mechanism=CKM_DES3_ECB\fR
.fi
.in -2
.sp

.LP
\fBExample 6 \fRInstall User-Level Provider
.sp
.LP
The following command installs a user-level provider:

.sp
.in +2
.nf
example# \fBcryptoadm install provider=/opt/lib/libcryptoki.so.1\fR
.fi
.in -2
.sp

.LP
\fBExample 7 \fRInstall User-Level Provider That Contains 32- and 64-bit
Versions
.sp
.LP
The following command installs a user-level provider that contains both 32-bit
and 64-bit versions:

.sp
.in +2
.nf
example# \fBcryptoadm install \e\fR
     provider=/opt/SUNWconn/lib/'$ISA'/libpkcs11.so.1
.fi
.in -2
.sp

.LP
\fBExample 8 \fRUninstall a Provider
.sp
.LP
The following command uninstalls the \fBmd5\fR provider:

.sp
.in +2
.nf
example# \fBcryptoadm uninstall provider=md5\fR
.fi
.in -2
.sp

.LP
\fBExample 9 \fRDisable metaslot
.sp
.LP
The following command disables the metaslot feature in the cryptographic
framework.

.sp
.in +2
.nf
example# \fBcryptoadm disable metaslot\fR
.fi
.in -2
.sp

.LP
\fBExample 10 \fRSpecify metaslot to Use Specified Token as Persistent Object
Store
.sp
.LP
The following command specifies that metaslot use the Venus token as the
persistent object store.
.sp
.in +2
.nf
example# \fBcryptoadm enable metaslot token="SUNW,venus"\fR
.fi
.in -2
.sp

.SH EXIT STATUS
The following exit values are returned:
.sp
.ne 2
.na
\fB\fB0\fR\fR
.ad
.sp .6
.RS 4n
Successful completion.
.RE

.sp
.ne 2
.na
\fB\fB>0\fR\fR
.ad
.sp .6
.RS 4n
An error occurred.
.RE

.SH ATTRIBUTES
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp

.sp
.TS
box;
c | c
l | l .
ATTRIBUTE TYPE	ATTRIBUTE VALUE
_
Interface Stability	See below
.TE

.sp
.LP
The \fBstart\fR, \fBstop\fR, and \fBrefresh\fR options are Private interfaces.
All other options are Evolving. The utility name is Stable.
.SH SEE ALSO
\fBlogadm\fR(1M), \fBsvcadm\fR(1M), \fBsyslogd\fR(1M), \fBlibpkcs11\fR(3LIB),
\fBexec_attr\fR(4), \fBprof_attr\fR(4), \fBattributes\fR(5), \fBsmf\fR(5),
\fBrandom\fR(7D)

.sp
.LP
\fISolaris Security for Developer's Guide\fR
.SH NOTES
If a hardware provider's policy was made explicitly (that is, some of its
mechanisms were disabled) and the hardware provider has been detached, the
policy of this hardware provider is still listed.
.sp
.LP
\fBcryptoadm\fR assumes that, minimally, a 32-bit shared object is delivered
for each user-level provider. If both a 32-bit and 64-bit shared object are
delivered, the two versions must provide the same functionality. The same
mechanism policy applies to both.
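.sp
.LP
The following script is an added example, not part of the original manual page
or of the cryptoadm source. It compares a provider's mechanism list (the
Example 2 format) and its mechanism policy (the Example 4 format) with a site
deny list and prints the \fBcryptoadm disable\fR command still needed for each
provider. The captured output, the deny list and the function names are
constructed for illustration, and a policy line without an "except" clause is
assumed to mean that nothing is disabled.
.nf
```shell
#!/bin/sh
# Added example: audit a cryptoadm mechanism policy against a site deny list.
# All sample data is constructed; line formats follow Examples 2 and 4.

# Captured "cryptoadm list -m provider=..." output (constructed).
MECH_LIST='des: CKM_DES_ECB,CKM_DES_CBC,CKM_DES3_ECB,CKM_DES3_CBC
md5: CKM_MD5,CKM_MD5_HMAC,CKM_MD5_HMAC_GENERAL'

# Captured "cryptoadm list -p provider=..." output (constructed).
# Assumption: a line with no "except" clause means nothing is disabled.
POLICY='des: All mechanisms are enabled, except CKM_DES3_ECB, CKM_DES3_CBC
md5: All mechanisms are enabled'

# Hypothetical site policy: mechanisms that must be disabled on every provider.
DENY='CKM_DES_ECB CKM_DES3_ECB CKM_MD5'

# offered PROVIDER: mechanisms the provider offers, space separated.
offered() {
    echo "$MECH_LIST" | grep "^$1: " | sed 's/^[^:]*: *//' | tr ',' ' '
}

# disabled PROVIDER: mechanisms named after "except" in the policy line.
disabled() {
    echo "$POLICY" | grep "^$1: " | grep 'except' |
        sed 's/^.*except *//' | tr ',' ' '
}

# contains WORD LIST...: succeed when WORD is one of the remaining arguments.
contains() {
    word=$1; shift
    for item in "$@"; do
        [ "$item" = "$word" ] && return 0
    done
    return 1
}

# to_disable PROVIDER: denied mechanisms that the provider offers and the
# policy has not yet disabled, comma separated (empty when compliant).
to_disable() {
    out=
    for m in $(offered "$1"); do
        if contains "$m" $DENY && ! contains "$m" $(disabled "$1"); then
            out="${out:+$out,}$m"
        fi
    done
    echo "$out"
}

# remediation PROVIDER: the cryptoadm command that closes the gap, if any.
remediation() {
    mechs=$(to_disable "$1")
    [ -z "$mechs" ] || echo "cryptoadm disable provider=$1 mechanism=$mechs"
}

# Print the commands an administrator would still have to run.
for p in des md5; do
    remediation "$p"
done
```
.fi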