11622 clean up rarer mandoc lint warnings
--- old/usr/src/man/man1m/cryptoadm.1m.man.txt
+++ new/usr/src/man/man1m/cryptoadm.1m.man.txt
1 1 CRYPTOADM(1M) Maintenance Commands CRYPTOADM(1M)
2 2
3 3
4 4
5 5 NAME
6 6 cryptoadm - cryptographic framework administration
7 7
8 8 SYNOPSIS
9 9 cryptoadm list [-mpv] [provider=provider-name]
10 10 [mechanism=mechanism-list]
11 11
12 12
13 13 cryptoadm disable
14 14 provider=provider-name mechanism=mechanism-list | random | all
15 15
16 16
17 17 cryptoadm enable
18 18 provider=provider-name mechanism=mechanism-list | random | all
19 19
20 20
21 21 cryptoadm install provider=provider-name
22 22
23 23
24 24 cryptoadm install provider=provider-name
25 25 [mechanism=mechanism-list]
26 26
27 27
28 28 cryptoadm uninstall provider=provider-name
29 29
30 30
31 31 cryptoadm unload provider=provider-name
32 32
33 33
34 34 cryptoadm disable fips-140
35 35
36 36
37 37 cryptoadm enable fips-140
38 38
39 39
40 40 cryptoadm list fips-140
41 41
42 42
43 43 cryptoadm refresh
44 44
45 45
46 46 cryptoadm start
47 47
48 48
49 49 cryptoadm stop
50 50
51 51
52 52 cryptoadm --help
53 53
54 54
55 55 DESCRIPTION
56 56 The cryptoadm utility displays cryptographic provider information for a
57 57 system, configures the mechanism policy for each provider, and installs
58 58 or uninstalls a cryptographic provider. The cryptographic framework
59 59 supports three types of providers: a user-level provider (a PKCS11
60 60 shared library), a kernel software provider (a loadable kernel software
61 61 module), and a kernel hardware provider (a cryptographic hardware
62 62 device).
63 63
64 64
65 65 For kernel software providers, the cryptoadm utility provides the
66 66 unload subcommand. This subcommand instructs the kernel to unload a
67 67 kernel software providers.
68 68
69 69
70 70 For the cryptographic framework's metaslot, the cryptoadm utility
71 71 provides subcommands to enable and disable the metaslot's features,
72 72 list metaslot's configuration, specify alternate persistent object
73 73 storage, and configure the metaslot's mechanism policy.
74 74
75 75
76 76 The cryptoadm utility provides subcommands to enable and disable
77 77 FIPS-140 mode in the Cryptographic Framework. It also provides a list
78 78 subcommand to display the current status of FIPS-140 mode.
79 79
80 80
81 81 Administrators will find it useful to use syslog facilities (see
82 82 syslogd(1M) and logadm(1M)) to maintain the cryptographic subsystem.
83 83 Logging can be especially useful under the following circumstances:
84 84
85 85 o If kernel-level daemon is dead, all applications fail. You
86 86 can learn this from syslog and use svcadm(1M) to restart the
87 87 svc:/system/cryptosvc service.
88 88
89 89 o If there are bad providers plugged into the framework, you
90 90 can learn this from syslog and remove the bad providers from
91 91 the framework.
92 92
93 93
94 94 With the exception of the subcommands or options listed below, the
95 95 cryptoadm command needs to be run by a privileged user.
96 96
97 97 o subcommand list, any options
98 98
99 99 o subcommand --help
100 100
101 101 OPTIONS
102 102 The cryptoadm utility has the various combinations of subcommands and
103 103 options shown below.
104 104
105 105 cryptoadm list
106 106
107 107 Display the list of installed providers.
108 108
109 109
110 110 cryptoadm list metaslot
111 111
112 112 Display the system-wide configuration for metaslot.
113 113
114 114
115 115 cryptoadm list -m [ provider=provider-name | metaslot ]
116 116
117 117 Display a list of mechanisms that can be used with the installed
118 118 providers or metaslot. If a provider is specified, display the name
119 119 of the specified provider and the mechanism list that can be used
120 120 with that provider. If the metaslot keyword is specified, display
121 121 the list of mechanisms that can be used with metaslot.
122 122
123 123
124 124 cryptoadm list -p [ provider=provider-name | metaslot ]
125 125
126 126 Display the mechanism policy (that is, which mechanisms are
127 127 available and which are not) for the installed providers. Also
128 128 display the provider feature policy or metaslot. If a provider is
129 129 specified, display the name of the provider with the mechanism
130 130 policy enforced on it only. If the metaslot keyword is specified,
131 131 display the mechanism policy enforced on the metaslot.
132 132
133 133
134 134 cryptoadm list -v provider=provider-name | metaslot
135 135
136 136 Display details about the specified provider if a provider is
137 137 specified. If the metaslot keyword is specified, display details
138 138 about the metaslot.
139 139
140 140
141 141 -v
142 142
143 143 For the various list subcommands described above (except for list
144 144 -p), the -v (verbose) option provides details about providers,
145 145 mechanisms and slots.
146 146
147 147
148 148 cryptoadm disable provider=provider-name
149 149 [ mechanism=mechanism-list | provider-feature ... | all ]
150 150
151 151 Disable the mechanisms or provider features specified for the
152 152 provider. See OPERANDS for a description of mechanism, provider-
153 153 feature, and the all keyword.
154 154
155 155
156 156 cryptoadm [ mechanism=mechanism-list ] [ auto-key-migrate ]
157 157
158 158 Disable the metaslot feature in the cryptographic framework or
159 159 disable some of metaslot's features. If no operand is specified,
160 160 this command disables the metaslot feature in the cryptographic
161 161 framework. If a list of mechanisms is specified, disable mechanisms
162 162 specified for metaslot. If all mechanisms are disabled for
163 163 metaslot, the metaslot will be disabled. See OPERANDS for a
164 164 description of mechanism. If the auto-key-migrate keyword is
165 165 specified, it disables the migration of sensitive token objects to
166 166 other slots even if it is necessary for performing crypto
167 167 operations. See OPERANDS for a description of auto-key-migrate.
168 168
169 169
170 170 cryptoadm enable provider=provider-name
171 171 [ mechanism=mechanism-list | provider-feature ... | all ]
172 172
173 173 Enable the mechanisms or provider features specified for the
174 174 provider. See OPERANDS for a description of mechanism, provider-
175 175 feature, and the all keyword.
176 176
177 177
178 178 cryptoadm enable metaslot [ mechanism=mechanism-list ] |
179 179 [ [ token=token-label] [ slot=slot-description] |
180 180 default-keystore ] | [ auto-key-migrate ]
181 181
182 182 If no operand is specified, this command enables the metaslot
183 183 feature in the cryptographic framework. If a list of mechanisms is
184 184 specified, it enables only the list of specified mechanisms for
185 185 metaslot. If token-label is specified, the specified token will be
186 186 used as the persistent object store. If the slot-description is
187 187 specified, the specified slot will be used as the persistent object
188 188 store. If both the token-label and the slot-description are
189 189 specified, the provider with the matching token label and slot
190 190 description is used as the persistent object store. If the default-
191 191 keystore keyword is specified, metaslot will use the default
192 192 persistent object store. If the auto-key-migrate keyword is
193 193 specified, sensitive token objects will automatically migrate to
194 194 other slots as needed to complete certain crypto operations. See
195 195 OPERANDS for a description of mechanism, token, slot, default-
196 196 keystore, and auto-key-migrate.
197 197
198 198
199 199 cryptoadm install provider=provider-name
200 200
201 201 Install a user-level provider into the system. The provider operand
202 202 must be an absolute pathname of the corresponding shared library.
203 203 If there are both 32-bit and 64-bit versions for a library, this
204 204 command should be run once only with the path name containing $ISA.
205 205 Note that $ISA is not a reference to an environment variable. Note
206 206 also that $ISA must be quoted (with single quotes [for example,
207 207 '$ISA']) or the $ must be escaped to keep it from being incorrectly
208 208 expanded by the shell. The user-level framework expands $ISA to an
209 209 empty string or an architecture-specific directory, for example,
210 210 sparcv9.
211 211
212 212 The preferred way of installing a user-level provider is to build a
213 213 package for the provider. For more information, see the Solaris
214 214 Security for Developer's Guide.
215 215
216 216
217 217 cryptoadm install provider=provider-name
218 218 mechanism=mechanism-list
219 219
220 220 Install a kernel software provider into the system. The provider
221 221 should contain the base name only. The mechanism-list operand
222 222 specifies the complete list of mechanisms to be supported by this
223 223 provider.
224 224
225 225 The preferred way of installing a kernel software provider is to
226 226 build a package for providers. For more information, see the
227 227 Solaris Security for Developer's Guide.
228 228
229 229
230 230 cryptoadm uninstall provider=provider-name
231 231
232 232 Uninstall the specified provider and the associated mechanism
233 233 policy from the system. This subcommand applies only to a user-
234 234 level provider or a kernel software provider.
235 235
236 236
237 237 cryptoadm unload provider=provider-name
238 238
239 239 Unload the kernel software module specified by provider.
240 240
241 241
242 242 cryptoadm disable fips-140
243 243
244 244 Disable FIPS-140 mode in the Cryptographic Framework.
245 245
246 246
247 247 cryptoadm enable fips-140
248 248
249 249 Enable FIPS-140 mode in the Cryptographic Framework. This
250 250 subcommand does not disable the non-FIPS approved algorithms from
251 251 the user-level pkcs11_softtoken library and the kernel software
252 252 providers. It is the consumers of the framework that are
253 253 responsible for using only FIPS-approved algorithms.
254 254
255 255 Upon completion of this subcommand, a message is issued to inform
256 256 the administrator that any plugins added that are not within the
257 257 boundary might invalidate FIPS compliance and to check the Security
258 258 Policies for those plugins. In addition, a warning message is
259 259 issued to indicate that, in this release, the Cryptographic
260 260 Framework has not been FIPS 140-2 certified.
261 261
262 262 The system will require a reboot to perform Power-Up Self Tests
263 263 that include a cryptographic algorithm test and a software
264 264 integrity test.
265 265
266 266
267 267 cryptoadm list fips-140
268 268
269 269 Display the current setting of FIPS-140 mode in the Cryptographic
270 270 Framework. The status of FIPS-140 mode is enabled or disabled. The
271 271 default FIPS-140 mode is disabled.
272 272
273 273
274 274 cryptoadm refresh
275 275 cryptoadm start
276 276 cryptoadm stop
277 277
278 278 Private interfaces for use by smf(5), these must not be used
279 279 directly.
280 280
281 281
282 282 cryptoadm -help
283 283
284 284 Display the command usage.
285 285
286 286
287 287 OPERANDS
288 288 provider=provider-name
289 289
290 290 A user-level provider (a PKCS11 shared library), a kernel software
291 291 provider (a loadable kernel software module), or a kernel hardware
292 292 provider (a cryptographic hardware device).
293 293
294 294 A valid value of the provider operand is one entry from the output
295 295 of a command of the form: cryptoadm list. A provider operand for a
296 296 user-level provider is an absolute pathname of the corresponding
297 297 shared library. A provider operand for a kernel software provider
298 298 contains a base name only. A provider operand for a kernel hardware
299 299 provider is in a "name/number" form.
300 300
301 301
302 302 mechanism=mechanism-list
303 303
304 304 A comma separated list of one or more PKCS #11 mechanisms. A
305 305 process for implementing a cryptographic operation as defined in
306 306 PKCS #11 specification. You can substitute all for mechanism-list,
307 307 to specify all mechanisms on a provider. See the discussion of the
308 308 all keyword, below.
309 309
310 310
311 311 provider-feature
312 312
313 313 A cryptographic framework feature for the given provider. Currently
314 314 only random is accepted as a feature. For a user-level provider,
315 315 disabling the random feature makes the PKCS #11 routines
316 316 C_GenerateRandom and C_SeedRandom unavailable from the provider.
317 317 For a kernel provider, disabling the random feature prevents
318 318 /dev/random from gathering random numbers from the provider.
319 319
320 320
321 321 all
322 322
323 323 The keyword all can be used with with the disable and enable
324 324 subcommands to operate on all provider features.
325 325
326 326
327 327 token=token-label
328 328
329 329 The label of a token in one of the providers in the cryptographic
330 330 framework.
331 331
332 332 A valid value of the token operand is an item displayed under
333 333 "Token Label" from the output of the command cryptoadm list -v.
334 334
335 335
336 336 slot=slot-description
337 337
338 338 The description of a slot in one of the providers in the
339 339 cryptographic framework.
340 340
341 341 A valid value of the slot operand is an item displayed under
342 342 "Description" from the output of the command cryptoadm list -v.
343 343
344 344
345 345 default-keystore
346 346
347 347 The keyword default-keystore is valid only for metaslot. Specify
348 348 this keyword to set the persistent object store for metaslot back
349 349 to using the default store.
350 350
351 351
352 352 auto-key-migrate
353 353
354 354 The keyword auto-key-migrate is valid only for metaslot. Specify
355 355 this keyword to configure whether metaslot is allowed to move
356 356 sensitive token objects from the token object slot to other slots
357 357 for performing cryptographic operations.
358 358
359 359
360 360
361 361 The keyword all can be used in two ways with the disable and enable
362 362 subcommands:
363 363
364 364 o You can substitute all for mechanism=mechanism-list, as in:
365 365
366 366 # cryptoadm enable provider=dca/0 all
367 367
368 368
369 369 This command enables the mechanisms on the provider and any
370 370 other provider-features, such as random.
371 371
372 372 # cryptoadm enable provider=des mechanism=all
373 373
374 374
375 375
376 376 o You can also use all as an argument to mechanism, as in:
377 377
378 378 # cryptoadm enable provider=des mechanism=all
379 379
380 380
381 381 ...which enables all mechanisms on the provider, but enables
382 382 no other provider-features, such as random.
383 383
384 384 EXAMPLES
385 385 Example 1 Display List of Providers Installed in System
386 386
387 387
388 388 The following command displays a list of all installed providers:
389 389
390 390
391 391 example% cryptoadm list
392 392 user-level providers:
393 393 /usr/lib/security/$ISA/pkcs11_kernel.so
394 394 /usr/lib/security/$ISA/pkcs11_softtoken.so
395 395 /opt/lib/libcryptoki.so.1
396 396 /opt/SUNWconn/lib/$ISA/libpkcs11.so.1
397 397
398 398 kernel software providers:
399 399 des
400 400 aes
401 401 bfish
402 402 sha1
403 403 md5
404 404
405 405 kernel hardware providers:
406 406 dca/0
407 407
408 408
409 409
410 410 Example 2 Display Mechanism List for md5 Provider
411 411
412 412
413 413 The following command is a variation of the list subcommand:
414 414
415 415
416 416 example% cryptoadm list -m provider=md5
417 417 md5: CKM_MD5,CKM_MD5_HMAC,CKM_MD5_HMAC_GENERAL
418 418
419 419
420 420
421 421 Example 3 Disable Specific Mechanisms for Kernel Software Provider
422 422
423 423
424 424 The following command disables mechanisms CKM_DES3_ECB and CKM_DES3_CBC
425 425 for the kernel software provider des:
426 426
427 427
428 428 example# cryptoadm disable provider=des
429 429
430 430
431 431
432 432 Example 4 Display Mechanism Policy for a Provider
433 433
434 434
435 435 The following command displays the mechanism policy for the des
436 436 provider:
437 437
438 438
439 439 example% cryptoadm list -p provider=des
440 440 des: All mechanisms are enabled, except CKM_DES3_ECB, CKM_DES3_CBC
441 441
442 442
443 443
444 444 Example 5 Enable Specific Mechanism for a Provider
445 445
446 446
447 447 The following command enables the CKM_DES3_ECB mechanism for the kernel
448 448 software provider des:
449 449
450 450
451 451 example# cryptoadm enable provider=des mechanism=CKM_DES3_ECB
452 452
453 453
454 454
455 455 Example 6 Install User-Level Provider
456 456
457 457
458 458 The following command installs a user-level provider:
459 459
460 460
461 461 example# cryptoadm install provider=/opt/lib/libcryptoki.so.1
462 462
463 463
464 464
465 465 Example 7 Install User-Level Provider That Contains 32- and 64-bit
466 466 Versions
467 467
468 468
469 469 The following command installs a user-level provider that contains both
470 470 32-bit and 64-bit versions:
471 471
472 472
473 473 example# cryptoadm install \
474 474 provider=/opt/SUNWconn/lib/'$ISA'/libpkcs11.so.1
475 475
476 476
477 477
478 478 Example 8 Uninstall a Provider
479 479
480 480
481 481 The following command uninstalls the md5 provider:
482 482
483 483
484 484 example# cryptoadm uninstall provider=md5
485 485
486 486
487 487
488 488 Example 9 Disable metaslot
489 489
490 490
491 491 The following command disables the metaslot feature in the
492 492 cryptographic framework.
493 493
494 494
495 495 example# cryptoadm disable metaslot
496 496
497 497
498 498
499 499 Example 10 Specify metaslot to Use Specified Token as Persistent Object
500 500 Store
501 501
502 502
503 503 The following command specifies that metaslot use the Venus token as
504 504 the persistent object store.
505 505
506 506
507 507 example# cryptoadm enable metaslot token="SUNW,venus"
508 508
509 509
510 510
511 511 EXIT STATUS
512 512 The following exit values are returned:
513 513
514 514 0
515 515
516 516 Successful completion.
517 517
518 518
519 519 >0
520 520
521 521 An error occurred.
522 522
523 523
524 524 ATTRIBUTES
525 525 See attributes(5) for descriptions of the following attributes:
526 526
527 527
528 528
529 529
530 530 +--------------------+-----------------+
531 531 | ATTRIBUTE TYPE | ATTRIBUTE VALUE |
532 532 +--------------------+-----------------+
533 533 |Interface Stability | See below |
534 534 +--------------------+-----------------+
535 535
536 536
537 537 The start, stop, and refresh options are Private interfaces. All other
538 538 options are Evolving. The utility name is Stable.
539 539
540 540 SEE ALSO
541 541 logadm(1M), svcadm(1M), syslogd(1M), libpkcs11(3LIB), exec_attr(4),
542 542 prof_attr(4), attributes(5), smf(5), random(7D)
543 543
544 544
545 545
546 -
547 546 Solaris Security for Developer's Guide
548 547
549 548 NOTES
550 549 If a hardware provider's policy was made explicitly (that is, some of
551 550 its mechanisms were disabled) and the hardware provider has been
552 551 detached, the policy of this hardware provider is still listed.
553 552
554 553
555 554 cryptoadm assumes that, minimally, a 32-bit shared object is delivered
556 555 for each user-level provider. If both a 32-bit and 64-bit shared object
557 556 are delivered, the two versions must provide the same functionality.
558 557 The same mechanism policy applies to both.
559 558
560 559
561 560
562 561 September 1, 2009 CRYPTOADM(1M)
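Review bot: the OPTIONS entry for disabling metaslot is headed "cryptoadm [ mechanism=mechanism-list ] [ auto-key-migrate ]" with the "disable metaslot" words missing, so the paragraph that explains how to disable metaslot has no visible subcommand; this sits in unchanged context rather than in the changed line, but a cleanup pass over this page is the natural place to fix it, ideally as a separate change. Other pre-existing inconsistencies visible in the context: SYNOPSIS lists "cryptoadm --help" while OPTIONS lists "cryptoadm -help"; Example 3 says it disables CKM_DES3_ECB and CKM_DES3_CBC but the command shown is only "cryptoadm disable provider=des" with no mechanism= operand; in the OPERANDS discussion of the all keyword, the mechanism=all command line is duplicated under the first bullet, where it contradicts the text distinguishing a bare all from mechanism=all; and "with with" in the all operand description and "unload a kernel software providers" in DESCRIPTION are typos. The one rendered change itself, dropping the extra blank line before the Solaris Security for Developer's Guide entry in SEE ALSO, matches the stated lint-cleanup purpose and looks correct.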