11622 clean up rarer mandoc lint warnings
--- old/usr/src/man/man1m/cryptoadm.1m
+++ new/usr/src/man/man1m/cryptoadm.1m
1 1 '\" te
2 2 .\" Copyright (c) 2007, Sun Microsystems, Inc. All Rights Reserved.
3 3 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
4 4 .\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the
5 5 .\" fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
6 6 .TH CRYPTOADM 1M "Sep 1, 2009"
7 7 .SH NAME
8 8 cryptoadm \- cryptographic framework administration
9 9 .SH SYNOPSIS
10 -.LP
11 10 .nf
12 11 \fBcryptoadm\fR list [\fB-mpv\fR] [provider=\fIprovider-name\fR]
13 12 [mechanism=\fImechanism-list\fR]
14 13 .fi
15 14
16 15 .LP
17 16 .nf
18 17 \fBcryptoadm\fR disable
19 18 provider=\fIprovider-name\fR mechanism=\fImechanism-list\fR | random | all
20 19 .fi
21 20
22 21 .LP
23 22 .nf
24 23 \fBcryptoadm\fR enable
25 24 provider=\fIprovider-name\fR mechanism=\fImechanism-list\fR | random | all
26 25 .fi
27 26
28 27 .LP
29 28 .nf
30 29 \fBcryptoadm\fR install provider=\fIprovider-name\fR
31 30 .fi
32 31
33 32 .LP
34 33 .nf
35 34 \fBcryptoadm\fR install provider=\fIprovider-name\fR
36 35 [mechanism=\fImechanism-list\fR]
37 36 .fi
38 37
39 38 .LP
40 39 .nf
41 40 \fBcryptoadm\fR uninstall provider=\fIprovider-name\fR
42 41 .fi
43 42
44 43 .LP
45 44 .nf
46 45 \fBcryptoadm\fR unload provider=\fIprovider-name\fR
47 46 .fi
48 47
49 48 .LP
50 49 .nf
51 50 \fBcryptoadm\fR disable fips-140
52 51 .fi
53 52
54 53 .LP
55 54 .nf
56 55 \fBcryptoadm\fR enable fips-140
57 56 .fi
58 57
59 58 .LP
60 59 .nf
61 60 \fBcryptoadm\fR list fips-140
62 61 .fi
63 62
64 63 .LP
65 64 .nf
66 65 \fBcryptoadm\fR refresh
67 66 .fi
68 67
69 68 .LP
70 69 .nf
71 70 \fBcryptoadm\fR start
72 71 .fi
73 72
74 73 .LP
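Review bot: The SYNOPSIS in this region still carries no metaslot forms (`cryptoadm list metaslot`, `cryptoadm enable metaslot ...`, `cryptoadm disable metaslot ...`) although OPTIONS documents them and Example 9 uses `cryptoadm disable metaslot`; since the section is being edited anyway, consider adding those forms in the same `.LP`/`.nf`/`.fi` layout the other entries use. The removal of the `.LP` at old line 10 itself is correct: it is the only paragraph macro that directly follows `.SH SYNOPSIS`, and the `.LP` lines left between each `.fi`/`.nf` pair are block separators, not section-leading macros.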
75 74 .nf
76 75 \fBcryptoadm\fR stop
77 76 .fi
78 77
79 78 .LP
80 79 .nf
81 80 \fBcryptoadm\fR \fB-\fR\fB-help\fR
82 81 .fi
83 82
84 83 .SH DESCRIPTION
85 -.sp
86 -.LP
87 84 The \fBcryptoadm\fR utility displays cryptographic provider information for a
88 85 system, configures the mechanism policy for each provider, and installs or
89 86 uninstalls a cryptographic provider. The cryptographic framework supports three
90 87 types of providers: a user-level provider (a PKCS11 shared library), a kernel
91 88 software provider (a loadable kernel software module), and a kernel hardware
92 89 provider (a cryptographic hardware device).
93 90 .sp
94 91 .LP
95 92 For kernel software providers, the \fBcryptoadm\fR utility provides the
96 93 \fBunload\fR subcommand. This subcommand instructs the kernel to unload a
97 94 kernel software providers.
98 95 .sp
99 96 .LP
100 97 For the cryptographic framework's metaslot, the \fBcryptoadm\fR utility
101 98 provides subcommands to enable and disable the metaslot's features, list
102 99 metaslot's configuration, specify alternate persistent object storage, and
103 100 configure the metaslot's mechanism policy.
104 101 .sp
105 102 .LP
106 103 The \fBcryptoadm\fR utility provides subcommands to enable and disable FIPS-140
107 104 mode in the Cryptographic Framework. It also provides a \fBlist\fR subcommand
108 105 to display the current status of FIPS-140 mode.
109 106 .sp
110 107 .LP
111 108 Administrators will find it useful to use \fBsyslog\fR facilities (see
112 109 \fBsyslogd\fR(1M) and \fBlogadm\fR(1M)) to maintain the cryptographic
113 110 subsystem. Logging can be especially useful under the following circumstances:
114 111 .RS +4
115 112 .TP
116 113 .ie t \(bu
117 114 .el o
118 115 If kernel-level daemon is dead, all applications fail. You can learn this from
119 116 syslog and use \fBsvcadm\fR(1M) to restart the \fBsvc:/system/cryptosvc\fR
120 117 service.
121 118 .RE
122 119 .RS +4
123 120 .TP
124 121 .ie t \(bu
125 122 .el o
126 123 If there are bad providers plugged into the framework, you can learn this from
127 124 syslog and remove the bad providers from the framework.
128 125 .RE
129 126 .sp
130 127 .LP
131 128 With the exception of the subcommands or options listed below, the
132 129 \fBcryptoadm\fR command needs to be run by a privileged user.
133 130 .RS +4
134 131 .TP
135 132 .ie t \(bu
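Review bot: Grammar in the context lines right below this hunk, old lines 96-97: "instructs the kernel to unload a kernel software providers" mixes singular and plural; suggest "unload a kernel software provider". Old line 118, "If kernel-level daemon is dead, all applications fail", also wants an article: "If the kernel-level daemon is dead". Both are one-word fixes that could ride along with this lint cleanup. Dropping the `.sp`/`.LP` pair directly after `.SH DESCRIPTION` is fine; the pairs between paragraphs remain and are the ones that carry the spacing.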
136 133 .el o
137 134 subcommand \fBlist\fR, any options
138 135 .RE
139 136 .RS +4
140 137 .TP
141 138 .ie t \(bu
142 139 .el o
143 140 subcommand \fB-\fR\fB-help\fR
144 141 .RE
145 142 .SH OPTIONS
146 -.sp
147 -.LP
148 143 The \fBcryptoadm\fR utility has the various combinations of subcommands and
149 144 options shown below.
150 145 .sp
151 146 .ne 2
152 147 .na
153 148 \fB\fBcryptoadm\fR \fBlist\fR\fR
154 149 .ad
155 150 .sp .6
156 151 .RS 4n
157 152 Display the list of installed providers.
158 153 .RE
159 154
160 155 .sp
161 156 .ne 2
162 157 .na
163 158 \fB\fBcryptoadm\fR \fBlist metaslot\fR\fR
164 159 .ad
165 160 .sp .6
166 161 .RS 4n
167 162 Display the system-wide configuration for metaslot.
168 163 .RE
169 164
170 165 .sp
171 166 .ne 2
172 167 .na
173 168 \fB\fBcryptoadm\fR \fBlist\fR \fB-m\fR \fB[ provider=\fIprovider-name\fR |
174 169 metaslot ]\fR\fR
175 170 .ad
176 171 .sp .6
177 172 .RS 4n
178 173 Display a list of mechanisms that can be used with the installed providers or
179 174 metaslot. If a provider is specified, display the name of the specified
180 175 provider and the mechanism list that can be used with that provider. If the
181 176 metaslot keyword is specified, display the list of mechanisms that can be used
182 177 with metaslot.
183 178 .RE
184 179
185 180 .sp
186 181 .ne 2
187 182 .na
188 183 \fB\fBcryptoadm\fR \fBlist\fR \fB-p\fR \fB[ provider=\fIprovider-name\fR |
189 184 metaslot ]\fR\fR
190 185 .ad
191 186 .sp .6
192 187 .RS 4n
193 188 Display the mechanism policy (that is, which mechanisms are available and which
194 189 are not) for the installed providers. Also display the provider feature policy
195 190 or metaslot. If a provider is specified, display the name of the provider with
196 191 the mechanism policy enforced on it only. If the metaslot keyword is specified,
197 192 display the mechanism policy enforced on the metaslot.
198 193 .RE
199 194
200 195 .sp
201 196 .ne 2
202 197 .na
203 198 \fB\fBcryptoadm\fR \fBlist\fR \fB-v\fR \fBprovider=\fIprovider-name\fR |
204 199 metaslot\fR\fR
205 200 .ad
206 201 .sp .6
207 202 .RS 4n
208 203 Display details about the specified provider if a provider is specified. If the
209 204 metaslot keyword is specified, display details about the metaslot.
210 205 .RE
211 206
212 207 .sp
213 208 .ne 2
214 209 .na
215 210 \fB\fB-v\fR\fR
216 211 .ad
217 212 .sp .6
218 213 .RS 4n
219 214 For the various \fBlist\fR subcommands described above (except for \fBlist\fR
220 215 \fB-p\fR), the \fB-v\fR (verbose) option provides details about providers,
221 216 mechanisms and slots.
222 217 .RE
223 218
224 219 .sp
225 220 .ne 2
226 221 .na
227 222 \fB\fBcryptoadm\fR \fBdisable provider=\fIprovider-name\fR\fR\fR
228 223 .ad
229 224 .br
230 225 .na
231 226 \fB[ mechanism=\fImechanism-list\fR | \fIprovider-feature\fR \fB\&... |\fR
232 227 \fBall\fR ]\fR
233 228 .ad
234 229 .sp .6
235 230 .RS 4n
236 231 Disable the mechanisms or provider features specified for the provider. See
237 232 OPERANDS for a description of \fImechanism\fR, \fIprovider-feature\fR, and the
238 233 \fBall\fR keyword.
239 234 .RE
240 235
241 236 .sp
242 237 .ne 2
243 238 .na
244 239 \fB\fBcryptoadm\fR \fB[ mechanism=\fImechanism-list\fR ] [ auto-key-migrate
245 240 ]\fR\fR
246 241 .ad
247 242 .sp .6
248 243 .RS 4n
249 244 Disable the metaslot feature in the cryptographic framework or disable some of
250 245 metaslot's features. If no operand is specified, this command disables the
251 246 metaslot feature in the cryptographic framework. If a list of mechanisms is
252 247 specified, disable mechanisms specified for metaslot. If all mechanisms are
253 248 disabled for metaslot, the metaslot will be disabled. See OPERANDS for a
254 249 description of mechanism. If the \fBauto-key-migrate\fR keyword is specified,
255 250 it disables the migration of sensitive token objects to other slots even if it
256 251 is necessary for performing crypto operations. See OPERANDS for a description
257 252 of \fBauto-key-migrate\fR.
258 253 .RE
259 254
260 255 .sp
261 256 .ne 2
262 257 .na
263 258 \fB\fBcryptoadm\fR \fBenable provider=\fIprovider-name\fR\fR\fR
264 259 .ad
265 260 .br
266 261 .na
267 262 \fB[ mechanism=\fImechanism-list\fR | \fIprovider-feature\fR \fB\&... |\fR
268 263 \fBall\fR ]\fR
269 264 .ad
270 265 .sp .6
271 266 .RS 4n
272 267 Enable the mechanisms or provider features specified for the provider. See
273 268 OPERANDS for a description of \fImechanism\fR, \fIprovider-feature\fR, and the
274 269 \fBall\fR keyword.
275 270 .RE
276 271
277 272 .sp
278 273 .ne 2
279 274 .na
280 275 \fB\fBcryptoadm\fR \fBenable metaslot [ mechanism=\fImechanism-list\fR ]
281 276 |\fR\fR
282 277 .ad
283 278 .br
284 279 .na
285 280 \fB\fB[ [ token=\fItoken-label\fR] [ slot=\fIslot-description\fR] |\fR\fR
286 281 .ad
287 282 .br
288 283 .na
289 284 \fB\fBdefault-keystore ] | [ auto-key-migrate ]\fR\fR
290 285 .ad
291 286 .sp .6
292 287 .RS 4n
293 288 If no operand is specified, this command enables the metaslot feature in the
294 289 cryptographic framework. If a list of mechanisms is specified, it enables only
295 290 the list of specified mechanisms for metaslot. If \fItoken-label\fR is
296 291 specified, the specified token will be used as the persistent object store. If
297 292 the \fIslot-description\fR is specified, the specified slot will be used as the
298 293 persistent object store. If both the \fItoken-label\fR and the
299 294 \fIslot-description\fR are specified, the provider with the matching token
300 295 label and slot description is used as the persistent object store. If the
301 296 \fBdefault-keystore\fR keyword is specified, metaslot will use the default
302 297 persistent object store. If the \fBauto-key-migrate\fR keyword is specified,
303 298 sensitive token objects will automatically migrate to other slots as needed to
304 299 complete certain crypto operations. See OPERANDS for a description of
305 300 mechanism, token, slot, \fBdefault-keystore\fR, and \fBauto-key-migrate\fR.
306 301 .RE
307 302
308 303 .sp
309 304 .ne 2
310 305 .na
311 306 \fB\fBcryptoadm\fR \fBinstall provider=\fIprovider-name\fR\fR\fR
312 307 .ad
313 308 .sp .6
314 309 .RS 4n
315 310 Install a user-level provider into the system. The \fIprovider\fR operand must
316 311 be an absolute pathname of the corresponding shared library. If there are both
317 312 32-bit and 64-bit versions for a library, this command should be run once only
318 313 with the path name containing \fB$ISA\fR. Note that \fB$ISA\fR is not a
319 314 reference to an environment variable. Note also that \fB$ISA\fR must be quoted
320 315 (with single quotes [for example, \fB\&'$ISA'\fR]) or the \fB$\fR must be
321 316 escaped to keep it from being incorrectly expanded by the shell. The user-level
322 317 framework expands \fB$ISA\fR to an empty string or an architecture-specific
323 318 directory, for example, \fBsparcv9\fR.
324 319 .sp
325 320 The preferred way of installing a user-level provider is to build a package for
326 321 the provider. For more information, see the \fISolaris Security for Developer's
327 322 Guide\fR.
328 323 .RE
329 324
330 325 .sp
331 326 .ne 2
332 327 .na
333 328 \fB\fBcryptoadm\fR \fBinstall provider=\fIprovider-name\fR\fR\fR
334 329 .ad
335 330 .br
336 331 .na
337 332 \fBmechanism=\fImechanism-list\fR\fR
338 333 .ad
339 334 .sp .6
340 335 .RS 4n
341 336 Install a kernel software provider into the system. The provider should contain
342 337 the base name only. The \fImechanism-list\fR operand specifies the complete
343 338 list of mechanisms to be supported by this provider.
344 339 .sp
345 340 The preferred way of installing a kernel software provider is to build a
346 341 package for providers. For more information, see the \fISolaris Security for
347 342 Developer's Guide\fR.
348 343 .RE
349 344
350 345 .sp
351 346 .ne 2
352 347 .na
353 348 \fB\fBcryptoadm\fR \fBuninstall provider=\fIprovider-name\fR\fR\fR
354 349 .ad
355 350 .sp .6
356 351 .RS 4n
357 352 Uninstall the specified \fIprovider\fR and the associated mechanism policy from
358 353 the system. This subcommand applies only to a user-level provider or a kernel
359 354 software provider.
360 355 .RE
361 356
362 357 .sp
363 358 .ne 2
364 359 .na
365 360 \fB\fBcryptoadm\fR \fBunload provider=\fIprovider-name\fR\fR\fR
366 361 .ad
367 362 .sp .6
368 363 .RS 4n
369 364 Unload the kernel software module specified by \fIprovider\fR.
370 365 .RE
371 366
372 367 .sp
373 368 .ne 2
374 369 .na
375 370 \fB\fBcryptoadm\fR \fBdisable fips-140\fR\fR
376 371 .ad
377 372 .sp .6
378 373 .RS 4n
379 374 Disable FIPS-140 mode in the Cryptographic Framework.
380 375 .RE
381 376
382 377 .sp
383 378 .ne 2
384 379 .na
385 380 \fB\fBcryptoadm\fR \fBenable fips-140\fR\fR
386 381 .ad
387 382 .sp .6
388 383 .RS 4n
389 384 Enable FIPS-140 mode in the Cryptographic Framework. This subcommand does not
390 385 disable the non-FIPS approved algorithms from the user-level
391 386 \fBpkcs11_softtoken\fR library and the kernel software providers. It is the
392 387 consumers of the framework that are responsible for using only FIPS-approved
393 388 algorithms.
394 389 .sp
395 390 Upon completion of this subcommand, a message is issued to inform the
396 391 administrator that any plugins added that are not within the boundary might
397 392 invalidate FIPS compliance and to check the Security Policies for those
398 393 plugins. In addition, a warning message is issued to indicate that, in this
399 394 release, the Cryptographic Framework has not been FIPS 140-2 certified.
400 395 .sp
401 396 The system will require a reboot to perform Power-Up Self Tests that include a
402 397 cryptographic algorithm test and a software integrity test.
403 398 .RE
404 399
405 400 .sp
406 401 .ne 2
407 402 .na
408 403 \fB\fBcryptoadm\fR \fBlist fips-140\fR\fR
409 404 .ad
410 405 .sp .6
411 406 .RS 4n
412 407 Display the current setting of FIPS-140 mode in the Cryptographic Framework.
413 408 The status of FIPS-140 mode is \fBenabled\fR or \fBdisabled\fR. The default
414 409 FIPS-140 mode is \fBdisabled\fR.
415 410 .RE
416 411
417 412 .sp
418 413 .ne 2
419 414 .na
420 415 \fB\fBcryptoadm\fR \fBrefresh\fR\fR
421 416 .ad
422 417 .br
423 418 .na
424 419 \fB\fBcryptoadm\fR \fBstart\fR\fR
425 420 .ad
426 421 .br
427 422 .na
428 423 \fB\fBcryptoadm\fR \fBstop\fR\fR
429 424 .ad
430 425 .sp .6
431 426 .RS 4n
432 427 Private interfaces for use by \fBsmf\fR(5), these must not be used directly.
433 428 .RE
434 429
435 430 .sp
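Review bot: The entry heading at old lines 244-245 reads `\fB\fBcryptoadm\fR \fB[ mechanism=\fImechanism-list\fR ] [ auto-key-migrate ]\fR\fR`, so the words `disable metaslot` are missing even though the description at old 249-257 ("Disable the metaslot feature in the cryptographic framework ...") and Example 9 (`cryptoadm disable metaslot`) are about that subcommand; it should read `\fBcryptoadm\fR \fBdisable metaslot [ mechanism=\fImechanism-list\fR ] [ auto-key-migrate ]\fR`, parallel to the `enable metaslot` heading at old 280. This is a documentation bug rather than a lint warning, but it sits in the section this hunk touches. The `.sp`/`.LP` removal directly after `.SH OPTIONS` is correct.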
436 431 .ne 2
437 432 .na
438 433 \fB\fBcryptoadm\fR \fB-help\fR\fR
439 434 .ad
440 435 .sp .6
441 436 .RS 4n
442 437 Display the command usage.
443 438 .RE
444 439
445 440 .SH OPERANDS
446 -.sp
447 441 .ne 2
448 442 .na
449 443 \fBprovider=\fIprovider-name\fR\fR
450 444 .ad
451 445 .sp .6
452 446 .RS 4n
453 447 A user-level provider (a PKCS11 shared library), a kernel software provider (a
454 448 loadable kernel software module), or a kernel hardware provider (a
455 449 cryptographic hardware device).
456 450 .sp
457 451 A valid value of the \fIprovider\fR operand is one entry from the output of a
458 452 command of the form: \fBcryptoadm\fR \fIlist\fR. A \fIprovider\fR operand for a
459 453 user-level provider is an absolute pathname of the corresponding shared
460 454 library. A \fIprovider\fR operand for a kernel software provider contains a
461 455 base name only. A \fIprovider\fR operand for a kernel hardware provider is in a
462 456 "\fIname\fR/\fInumber\fR" form.
463 457 .RE
464 458
465 459 .sp
466 460 .ne 2
467 461 .na
468 462 \fBmechanism=\fImechanism-list\fR\fR
469 463 .ad
470 464 .sp .6
471 465 .RS 4n
472 466 A comma separated list of one or more PKCS #11 mechanisms. A process for
473 467 implementing a cryptographic operation as defined in PKCS #11 specification.
474 468 You can substitute \fBall\fR for \fImechanism-list\fR, to specify all
475 469 mechanisms on a provider. See the discussion of the \fBall\fR keyword, below.
476 470 .RE
477 471
478 472 .sp
479 473 .ne 2
480 474 .na
481 475 \fB\fIprovider-feature\fR\fR
482 476 .ad
483 477 .sp .6
484 478 .RS 4n
485 479 A cryptographic framework feature for the given provider. Currently only
486 480 \fBrandom\fR is accepted as a feature. For a user-level provider, disabling the
487 481 random feature makes the PKCS #11 routines \fBC_GenerateRandom\fR and
488 482 \fBC_SeedRandom\fR unavailable from the provider. For a kernel provider,
489 483 disabling the random feature prevents \fB/dev/random\fR from gathering random
490 484 numbers from the provider.
491 485 .RE
492 486
493 487 .sp
494 488 .ne 2
495 489 .na
496 490 \fB\fBall\fR\fR
497 491 .ad
498 492 .sp .6
499 493 .RS 4n
500 494 The keyword all can be used with with the \fBdisable\fR and \fBenable\fR
501 495 subcommands to operate on all provider features.
502 496 .RE
503 497
504 498 .sp
505 499 .ne 2
506 500 .na
507 501 \fB\fBtoken=\fR\fItoken-label\fR\fR
508 502 .ad
509 503 .sp .6
510 504 .RS 4n
511 505 The label of a token in one of the providers in the cryptographic framework.
512 506 .sp
513 507 A valid value of the token operand is an item displayed under "Token Label"
514 508 from the output of the command \fBcryptoadm list\fR \fB-v\fR.
515 509 .RE
516 510
517 511 .sp
518 512 .ne 2
519 513 .na
520 514 \fB\fBslot=\fR\fIslot-description\fR\fR
521 515 .ad
522 516 .sp .6
523 517 .RS 4n
524 518 The description of a slot in one of the providers in the cryptographic
525 519 framework.
526 520 .sp
527 521 A valid value of the slot operand is an item displayed under "Description" from
528 522 the output of the command \fBcryptoadm list\fR \fB-v\fR.
529 523 .RE
530 524
531 525 .sp
532 526 .ne 2
533 527 .na
534 528 \fB\fBdefault-keystore\fR\fR
535 529 .ad
536 530 .sp .6
537 531 .RS 4n
538 532 The keyword \fBdefault-keystore\fR is valid only for metaslot. Specify this
539 533 keyword to set the persistent object store for metaslot back to using the
540 534 default store.
541 535 .RE
542 536
543 537 .sp
544 538 .ne 2
545 539 .na
546 540 \fB\fBauto-key-migrate\fR\fR
547 541 .ad
548 542 .sp .6
549 543 .RS 4n
550 544 The keyword auto-key-migrate is valid only for metaslot. Specify this keyword
551 545 to configure whether metaslot is allowed to move sensitive token objects from
552 546 the token object slot to other slots for performing cryptographic operations.
553 547 .RE
554 548
555 549 .sp
556 550 .LP
557 551 The keyword \fBall\fR can be used in two ways with the \fBdisable\fR and
558 552 \fBenable\fR subcommands:
559 553 .RS +4
560 554 .TP
561 555 .ie t \(bu
562 556 .el o
563 557 You can substitute \fBall\fR for \fBmechanism\fR=\fImechanism-list\fR, as in:
564 558 .sp
565 559 .in +2
566 560 .nf
567 561 # \fBcryptoadm enable provider=dca/0 all\fR
568 562 .fi
569 563 .in -2
570 564 .sp
571 565
572 566 This command enables the mechanisms on the provider \fBand\fR any other
573 567 provider-features, such as \fBrandom\fR.
574 568 .sp
575 569 .in +2
576 570 .nf
577 571 # \fBcryptoadm enable provider=des mechanism=all\fR
578 572 .fi
579 573 .in -2
580 574 .sp
581 575
582 576 .RE
583 577 .RS +4
584 578 .TP
585 579 .ie t \(bu
586 580 .el o
587 581 You can also use \fBall\fR as an argument to \fBmechanism\fR, as in:
588 582 .sp
589 583 .in +2
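Review bot: Old line 438, a few lines above the `.sp` removed here, documents the help option as `\fB-help\fR` with a single dash, while the SYNOPSIS at old 81 and the DESCRIPTION list at old 143 spell it `\fB-\fR\fB-help\fR`; one spelling should be used throughout. In the OPERANDS text below the hunk, old 500 has a doubled word ("can be used with with the") and old 473 reads "as defined in PKCS #11 specification" (missing "the"). Dropping the lone `.sp` after `.SH OPERANDS` is right; this section had no trailing `.LP` to remove, unlike the others.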
590 584 .nf
591 585 # \fBcryptoadm enable provider=des mechanism=all\fR
592 586 .fi
593 587 .in -2
594 588 .sp
595 589
596 590 \&...which enables all mechanisms on the provider, but enables no other
597 591 provider-features, such as \fBrandom\fR.
598 592 .RE
599 593 .SH EXAMPLES
600 -.LP
601 594 \fBExample 1 \fRDisplay List of Providers Installed in System
602 595 .sp
603 596 .LP
604 597 The following command displays a list of all installed providers:
605 598
606 599 .sp
607 600 .in +2
608 601 .nf
609 602 example% \fBcryptoadm list\fR
610 603 user-level providers:
611 604 /usr/lib/security/$ISA/pkcs11_kernel.so
612 605 /usr/lib/security/$ISA/pkcs11_softtoken.so
613 606 /opt/lib/libcryptoki.so.1
614 607 /opt/SUNWconn/lib/$ISA/libpkcs11.so.1
615 608
616 609 kernel software providers:
617 610 des
618 611 aes
619 612 bfish
620 613 sha1
621 614 md5
622 615
623 616 kernel hardware providers:
624 617 dca/0
625 618 .fi
626 619 .in -2
627 620 .sp
628 621
629 622 .LP
630 623 \fBExample 2 \fRDisplay Mechanism List for \fBmd5\fR Provider
631 624 .sp
632 625 .LP
633 626 The following command is a variation of the \fBlist\fR subcommand:
634 627
635 628 .sp
636 629 .in +2
637 630 .nf
638 631 example% \fBcryptoadm list -m provider=md5\fR
639 632 md5: CKM_MD5,CKM_MD5_HMAC,CKM_MD5_HMAC_GENERAL
640 633 .fi
641 634 .in -2
642 635 .sp
643 636
644 637 .LP
645 638 \fBExample 3 \fRDisable Specific Mechanisms for Kernel Software Provider
646 639 .sp
647 640 .LP
648 641 The following command disables mechanisms \fBCKM_DES3_ECB\fR and
649 642 \fBCKM_DES3_CBC\fR for the kernel software provider \fBdes\fR:
650 643
651 644 .sp
652 645 .in +2
653 646 .nf
654 647 example# \fBcryptoadm disable provider=des\fR
655 648 .fi
656 649 .in -2
657 650 .sp
658 651
659 652 .LP
660 653 \fBExample 4 \fRDisplay Mechanism Policy for a Provider
661 654 .sp
662 655 .LP
663 656 The following command displays the mechanism policy for the \fBdes\fR provider:
664 657
665 658 .sp
666 659 .in +2
667 660 .nf
668 661 example% \fBcryptoadm list -p provider=des\fR
669 662 des: All mechanisms are enabled, except CKM_DES3_ECB, CKM_DES3_CBC
670 663 .fi
671 664 .in -2
672 665 .sp
673 666
674 667 .LP
675 668 \fBExample 5 \fREnable Specific Mechanism for a Provider
676 669 .sp
677 670 .LP
678 671 The following command enables the \fBCKM_DES3_ECB\fR mechanism for the kernel
679 672 software provider \fBdes\fR:
680 673
681 674 .sp
682 675 .in +2
683 676 .nf
684 677 example# \fBcryptoadm enable provider=des mechanism=CKM_DES3_ECB\fR
685 678 .fi
686 679 .in -2
687 680 .sp
688 681
689 682 .LP
690 683 \fBExample 6 \fRInstall User-Level Provider
691 684 .sp
692 685 .LP
693 686 The following command installs a user-level provider:
694 687
695 688 .sp
696 689 .in +2
697 690 .nf
698 691 example# \fBcryptoadm install provider=/opt/lib/libcryptoki.so.1\fR
699 692 .fi
700 693 .in -2
701 694 .sp
702 695
703 696 .LP
704 697 \fBExample 7 \fRInstall User-Level Provider That Contains 32- and 64-bit
705 698 Versions
706 699 .sp
707 700 .LP
708 701 The following command installs a user-level provider that contains both 32-bit
709 702 and 64-bit versions:
710 703
711 704 .sp
712 705 .in +2
713 706 .nf
714 707 example# \fBcryptoadm install \e\fR
715 708 provider=/opt/SUNWconn/lib/'$ISA'/libpkcs11.so.1
716 709 .fi
717 710 .in -2
718 711 .sp
719 712
720 713 .LP
721 714 \fBExample 8 \fRUninstall a Provider
722 715 .sp
723 716 .LP
724 717 The following command uninstalls the \fBmd5\fR provider:
725 718
726 719 .sp
727 720 .in +2
728 721 .nf
729 722 example# \fBcryptoadm uninstall provider=md5\fR
730 723 .fi
731 724 .in -2
732 725 .sp
733 726
734 727 .LP
735 728 \fBExample 9 \fRDisable metaslot
736 729 .sp
737 730 .LP
738 731 The following command disables the metaslot feature in the cryptographic
739 732 framework.
740 733
741 734 .sp
742 735 .in +2
743 736 .nf
744 737 example# \fBcryptoadm disable metaslot\fR
745 738 .fi
746 739 .in -2
747 740 .sp
748 741
749 742 .LP
750 743 \fBExample 10 \fRSpecify metaslot to Use Specified Token as Persistent Object
751 744 Store
752 745 .sp
753 746 .LP
754 747 The following command specifies that metaslot use the Venus token as the
755 748 persistent object store.
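Review bot: Example 3 at old 648-649 says it disables `CKM_DES3_ECB` and `CKM_DES3_CBC` for the kernel software provider `des`, but the command at old 654 is just `cryptoadm disable provider=des` with no `mechanism=` operand, which does not match the SYNOPSIS form `disable provider=provider-name mechanism=mechanism-list | random | all`; the example should read `cryptoadm disable provider=des mechanism=CKM_DES3_ECB,CKM_DES3_CBC` so that Example 4's output at old 669 (`All mechanisms are enabled, except CKM_DES3_ECB, CKM_DES3_CBC`) follows from it. Removing the `.LP` directly after `.SH EXAMPLES` is fine, since `\fBExample 1 \fR` at old 601 now follows the heading directly.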
756 749
757 750 .sp
758 751 .in +2
759 752 .nf
760 753 example# \fBcryptoadm enable metaslot token="SUNW,venus"\fR
761 754 .fi
762 755 .in -2
763 756 .sp
764 757
765 758 .SH EXIT STATUS
766 -.sp
767 -.LP
768 759 The following exit values are returned:
769 760 .sp
770 761 .ne 2
771 762 .na
772 763 \fB\fB0\fR\fR
773 764 .ad
774 765 .sp .6
775 766 .RS 4n
776 767 Successful completion.
777 768 .RE
778 769
779 770 .sp
780 771 .ne 2
781 772 .na
782 773 \fB\fB>0\fR\fR
783 774 .ad
784 775 .sp .6
785 776 .RS 4n
786 777 An error occurred.
787 778 .RE
788 779
789 780 .SH ATTRIBUTES
790 -.sp
791 -.LP
792 781 See \fBattributes\fR(5) for descriptions of the following attributes:
793 782 .sp
794 783
795 784 .sp
796 785 .TS
797 786 box;
798 787 c | c
799 788 l | l .
800 789 ATTRIBUTE TYPE ATTRIBUTE VALUE
801 790 _
802 791 Interface Stability See below
803 792 .TE
804 793
805 794 .sp
806 795 .LP
807 796 The \fBstart\fR, \fBstop\fR, and \fBrefresh\fR options are Private interfaces.
808 797 All other options are Evolving. The utility name is Stable.
809 798 .SH SEE ALSO
810 -.sp
811 -.LP
812 799 \fBlogadm\fR(1M), \fBsvcadm\fR(1M), \fBsyslogd\fR(1M), \fBlibpkcs11\fR(3LIB),
813 800 \fBexec_attr\fR(4), \fBprof_attr\fR(4), \fBattributes\fR(5), \fBsmf\fR(5),
814 801 \fBrandom\fR(7D)
815 -.sp
816 -.LP
817 802
818 803 .sp
819 804 .LP
820 805 \fISolaris Security for Developer's Guide\fR
821 806 .SH NOTES
822 -.sp
823 -.LP
824 807 If a hardware provider's policy was made explicitly (that is, some of its
825 808 mechanisms were disabled) and the hardware provider has been detached, the
826 809 policy of this hardware provider is still listed.
827 810 .sp
828 811 .LP
829 812 \fBcryptoadm\fR assumes that, minimally, a 32-bit shared object is delivered
830 813 for each user-level provider. If both a 32-bit and 64-bit shared object are
831 814 delivered, the two versions must provide the same functionality. The same
832 815 mechanism policy applies to both.
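Review bot: After dropping the `.sp`/`.LP` at old 815-816 in SEE ALSO, the reference list is still followed by a blank input line (old 817) and then a second `.sp`/`.LP` pair (old 818-819) before the Guide reference, so three paragraph breaks in a row remain there; a single `.LP` in place of old 817-819 would keep the same rendering without stacking paragraph macros. The removals directly after `.SH ATTRIBUTES`, `.SH SEE ALSO` and `.SH NOTES` themselves look right.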