11622 clean up rarer mandoc lint warnings

   1 '\" te
   2 .\" Copyright (c) 2007, Sun Microsystems, Inc. All Rights Reserved.
   3 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
   4 .\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the
   5 .\" fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
   6 .TH CRYPTOADM 1M "Sep 1, 2009"
   7 .SH NAME
   8 cryptoadm \- cryptographic framework administration
   9 .SH SYNOPSIS

  10 .nf
  11 \fBcryptoadm\fR list [\fB-mpv\fR] [provider=\fIprovider-name\fR]
  12      [mechanism=\fImechanism-list\fR]
  13 .fi
  14 
  15 .LP
  16 .nf
  17 \fBcryptoadm\fR disable
  18      provider=\fIprovider-name\fR mechanism=\fImechanism-list\fR | random | all
  19 .fi
  20 
  21 .LP
  22 .nf
  23 \fBcryptoadm\fR enable
  24      provider=\fIprovider-name\fR mechanism=\fImechanism-list\fR | random | all
  25 .fi
  26 
  27 .LP
  28 .nf
  29 \fBcryptoadm\fR install provider=\fIprovider-name\fR
  30 .fi
  31 
  32 .LP
  33 .nf
  34 \fBcryptoadm\fR install provider=\fIprovider-name\fR
  35      [mechanism=\fImechanism-list\fR]
  36 .fi
  37 
  38 .LP
  39 .nf
  40 \fBcryptoadm\fR uninstall provider=\fIprovider-name\fR
  41 .fi
  42 
  43 .LP
  44 .nf
  45 \fBcryptoadm\fR unload provider=\fIprovider-name\fR
  46 .fi
  47 
  48 .LP
  49 .nf
  50 \fBcryptoadm\fR disable fips-140
  51 .fi
  52 
  53 .LP
  54 .nf
  55 \fBcryptoadm\fR enable fips-140
  56 .fi
  57 
  58 .LP
  59 .nf
  60 \fBcryptoadm\fR list fips-140
  61 .fi
  62 
  63 .LP
  64 .nf
  65 \fBcryptoadm\fR refresh
  66 .fi
  67 
  68 .LP
  69 .nf
  70 \fBcryptoadm\fR start
  71 .fi
  72 
  73 .LP
  74 .nf
  75 \fBcryptoadm\fR stop
  76 .fi
  77 
  78 .LP
  79 .nf
  80 \fBcryptoadm\fR \fB-\fR\fB-help\fR
  81 .fi
  82 
  83 .SH DESCRIPTION


  84 The \fBcryptoadm\fR utility displays cryptographic provider information for a
  85 system, configures the mechanism policy for each provider, and installs or
  86 uninstalls a cryptographic provider. The cryptographic framework supports three
  87 types of providers: a user-level provider (a PKCS11 shared library), a kernel
  88 software provider (a loadable kernel software module), and a kernel hardware
  89 provider (a cryptographic hardware device).
  90 .sp
  91 .LP
  92 For kernel software providers, the \fBcryptoadm\fR utility provides the
  93 \fBunload\fR subcommand. This subcommand instructs the kernel to unload a
  94 kernel software providers.
  95 .sp
  96 .LP
  97 For the cryptographic framework's metaslot, the \fBcryptoadm\fR utility
  98 provides subcommands to enable and disable the metaslot's features, list
  99 metaslot's configuration, specify alternate persistent object storage, and
 100 configure the metaslot's mechanism policy.
 101 .sp
 102 .LP
 103 The \fBcryptoadm\fR utility provides subcommands to enable and disable FIPS-140
 104 mode in the Cryptographic Framework. It also provides a \fBlist\fR subcommand
 105 to display the current status of FIPS-140 mode.
 106 .sp
 107 .LP
 108 Administrators will find it useful to use \fBsyslog\fR facilities (see
 109 \fBsyslogd\fR(1M) and \fBlogadm\fR(1M)) to maintain the cryptographic
 110 subsystem. Logging can be especially useful under the following circumstances:
 111 .RS +4
 112 .TP
 113 .ie t \(bu
 114 .el o
 115 If kernel-level daemon is dead, all applications fail. You can learn this from
 116 syslog and use \fBsvcadm\fR(1M) to restart the \fBsvc:/system/cryptosvc\fR
 117 service.
 118 .RE
 119 .RS +4
 120 .TP
 121 .ie t \(bu
 122 .el o
 123 If there are bad providers plugged into the framework, you can learn this from
 124 syslog and remove the bad providers from the framework.
 125 .RE
 126 .sp
 127 .LP
 128 With the exception of the subcommands or options listed below, the
 129 \fBcryptoadm\fR command needs to be run by a privileged user.
 130 .RS +4
 131 .TP
 132 .ie t \(bu
 133 .el o
 134 subcommand \fBlist\fR, any options
 135 .RE
 136 .RS +4
 137 .TP
 138 .ie t \(bu
 139 .el o
 140 subcommand \fB-\fR\fB-help\fR
 141 .RE
 142 .SH OPTIONS


 143 The \fBcryptoadm\fR utility has the various combinations of subcommands and
 144 options shown below.
 145 .sp
 146 .ne 2
 147 .na
 148 \fB\fBcryptoadm\fR \fBlist\fR\fR
 149 .ad
 150 .sp .6
 151 .RS 4n
 152 Display the list of installed providers.
 153 .RE
 154 
 155 .sp
 156 .ne 2
 157 .na
 158 \fB\fBcryptoadm\fR \fBlist metaslot\fR\fR
 159 .ad
 160 .sp .6
 161 .RS 4n
 162 Display the system-wide configuration for metaslot.
 163 .RE
 164 
 165 .sp
 166 .ne 2
 167 .na
 168 \fB\fBcryptoadm\fR \fBlist\fR \fB-m\fR \fB[ provider=\fIprovider-name\fR |
 169 metaslot ]\fR\fR
 170 .ad
 171 .sp .6
 172 .RS 4n
 173 Display a list of mechanisms that can be used with the installed providers or
 174 metaslot. If a provider is specified, display the name of the specified
 175 provider and the mechanism list that can be used with that provider. If the
 176 metaslot keyword is specified, display the list of mechanisms that can be used
 177 with metaslot.
 178 .RE
 179 
 180 .sp
 181 .ne 2
 182 .na
 183 \fB\fBcryptoadm\fR \fBlist\fR \fB-p\fR \fB[ provider=\fIprovider-name\fR |
 184 metaslot ]\fR\fR
 185 .ad
 186 .sp .6
 187 .RS 4n
 188 Display the mechanism policy (that is, which mechanisms are available and which
 189 are not) for the installed providers. Also display the provider feature policy
 190 or metaslot. If a provider is specified, display the name of the provider with
 191 the mechanism policy enforced on it only. If the metaslot keyword is specified,
 192 display the mechanism policy enforced on the metaslot.
 193 .RE
 194 
 195 .sp
 196 .ne 2
 197 .na
 198 \fB\fBcryptoadm\fR \fBlist\fR \fB-v\fR \fBprovider=\fIprovider-name\fR |
 199 metaslot\fR\fR
 200 .ad
 201 .sp .6
 202 .RS 4n
 203 Display details about the specified provider if a provider is specified. If the
 204 metaslot keyword is specified, display details about the metaslot.
 205 .RE
 206 
 207 .sp
 208 .ne 2
 209 .na
 210 \fB\fB-v\fR\fR
 211 .ad
 212 .sp .6
 213 .RS 4n
 214 For the various \fBlist\fR subcommands described above (except for \fBlist\fR
 215 \fB-p\fR), the \fB-v\fR (verbose) option provides details about providers,
 216 mechanisms and slots.
 217 .RE
 218 
 219 .sp
 220 .ne 2
 221 .na
 222 \fB\fBcryptoadm\fR \fBdisable provider=\fIprovider-name\fR\fR\fR
 223 .ad
 224 .br
 225 .na
 226 \fB[ mechanism=\fImechanism-list\fR | \fIprovider-feature\fR \fB\&... |\fR
 227 \fBall\fR ]\fR
 228 .ad
 229 .sp .6
 230 .RS 4n
 231 Disable the mechanisms or provider features specified for the provider. See
 232 OPERANDS for a description of \fImechanism\fR, \fIprovider-feature\fR, and the
 233 \fBall\fR keyword.
 234 .RE
 235 
 236 .sp
 237 .ne 2
 238 .na
 239 \fB\fBcryptoadm\fR \fB[ mechanism=\fImechanism-list\fR ] [ auto-key-migrate
 240 ]\fR\fR
 241 .ad
 242 .sp .6
 243 .RS 4n
 244 Disable the metaslot feature in the cryptographic framework or disable some of
 245 metaslot's features. If no operand is specified, this command disables the
 246 metaslot feature in the cryptographic framework. If a list of mechanisms is
 247 specified, disable mechanisms specified for metaslot. If all mechanisms are
 248 disabled for metaslot, the metaslot will be disabled. See OPERANDS for a
 249 description of mechanism. If the \fBauto-key-migrate\fR keyword is specified,
 250 it disables the migration of sensitive token objects to other slots even if it
 251 is necessary for performing crypto operations. See OPERANDS for a description
 252 of \fBauto-key-migrate\fR.
 253 .RE
 254 
 255 .sp
 256 .ne 2
 257 .na
 258 \fB\fBcryptoadm\fR \fBenable provider=\fIprovider-name\fR\fR\fR
 259 .ad
 260 .br
 261 .na
 262 \fB[ mechanism=\fImechanism-list\fR | \fIprovider-feature\fR \fB\&... |\fR
 263 \fBall\fR ]\fR
 264 .ad
 265 .sp .6
 266 .RS 4n
 267 Enable the mechanisms or provider features specified for the provider. See
 268 OPERANDS for a description of \fImechanism\fR, \fIprovider-feature\fR, and the
 269 \fBall\fR keyword.
 270 .RE
 271 
 272 .sp
 273 .ne 2
 274 .na
 275 \fB\fBcryptoadm\fR \fBenable metaslot [ mechanism=\fImechanism-list\fR ]
 276 |\fR\fR
 277 .ad
 278 .br
 279 .na
 280 \fB\fB[ [ token=\fItoken-label\fR] [ slot=\fIslot-description\fR] |\fR\fR
 281 .ad
 282 .br
 283 .na
 284 \fB\fBdefault-keystore ] | [ auto-key-migrate ]\fR\fR
 285 .ad
 286 .sp .6
 287 .RS 4n
 288 If no operand is specified, this command enables the metaslot feature in the
 289 cryptographic framework. If a list of mechanisms is specified, it enables only
 290 the list of specified mechanisms for metaslot. If \fItoken-label\fR is
 291 specified, the specified token will be used as the persistent object store. If
 292 the \fIslot-description\fR is specified, the specified slot will be used as the
 293 persistent object store. If both the \fItoken-label\fR and the
 294 \fIslot-description\fR are specified, the provider with the matching token
 295 label and slot description is used as the persistent object store. If the
 296 \fBdefault-keystore\fR keyword is specified, metaslot will use the default
 297 persistent object store. If the \fBauto-key-migrate\fR keyword is specified,
 298 sensitive token objects will automatically migrate to other slots as needed to
 299 complete certain crypto operations. See OPERANDS for a description of
 300 mechanism, token, slot, \fBdefault-keystore\fR, and \fBauto-key-migrate\fR.
 301 .RE
 302 
 303 .sp
 304 .ne 2
 305 .na
 306 \fB\fBcryptoadm\fR \fBinstall provider=\fIprovider-name\fR\fR\fR
 307 .ad
 308 .sp .6
 309 .RS 4n
 310 Install a user-level provider into the system. The \fIprovider\fR operand must
 311 be an absolute pathname of the corresponding shared library. If there are both
 312 32-bit and 64-bit versions for a library, this command should be run once only
 313 with the path name containing \fB$ISA\fR. Note that \fB$ISA\fR is not a
 314 reference to an environment variable. Note also that \fB$ISA\fR must be quoted
 315 (with single quotes [for example, \fB\&'$ISA'\fR]) or the \fB$\fR must be
 316 escaped to keep it from being incorrectly expanded by the shell. The user-level
 317 framework expands \fB$ISA\fR to an empty string or an architecture-specific
 318 directory, for example, \fBsparcv9\fR.
 319 .sp
 320 The preferred way of installing a user-level provider is to build a package for
 321 the provider. For more information, see the \fISolaris Security for Developer's
 322 Guide\fR.
 323 .RE
 324 
 325 .sp
 326 .ne 2
 327 .na
 328 \fB\fBcryptoadm\fR \fBinstall provider=\fIprovider-name\fR\fR\fR
 329 .ad
 330 .br
 331 .na
 332 \fBmechanism=\fImechanism-list\fR\fR
 333 .ad
 334 .sp .6
 335 .RS 4n
 336 Install a kernel software provider into the system. The provider should contain
 337 the base name only. The \fImechanism-list\fR operand specifies the complete
 338 list of mechanisms to be supported by this provider.
 339 .sp
 340 The preferred way of installing a kernel software provider is to build a
 341 package for providers. For more information, see the \fISolaris Security for
 342 Developer's Guide\fR.
 343 .RE
 344 
 345 .sp
 346 .ne 2
 347 .na
 348 \fB\fBcryptoadm\fR \fBuninstall provider=\fIprovider-name\fR\fR\fR
 349 .ad
 350 .sp .6
 351 .RS 4n
 352 Uninstall the specified \fIprovider\fR and the associated mechanism policy from
 353 the system. This subcommand applies only to a user-level provider or a kernel
 354 software provider.
 355 .RE
 356 
 357 .sp
 358 .ne 2
 359 .na
 360 \fB\fBcryptoadm\fR \fBunload provider=\fIprovider-name\fR\fR\fR
 361 .ad
 362 .sp .6
 363 .RS 4n
 364 Unload the kernel software module specified by \fIprovider\fR.
 365 .RE
 366 
 367 .sp
 368 .ne 2
 369 .na
 370 \fB\fBcryptoadm\fR \fBdisable fips-140\fR\fR
 371 .ad
 372 .sp .6
 373 .RS 4n
 374 Disable FIPS-140 mode in the Cryptographic Framework.
 375 .RE
 376 
 377 .sp
 378 .ne 2
 379 .na
 380 \fB\fBcryptoadm\fR \fBenable fips-140\fR\fR
 381 .ad
 382 .sp .6
 383 .RS 4n
 384 Enable FIPS-140 mode in the Cryptographic Framework. This subcommand does not
 385 disable the non-FIPS approved algorithms from the user-level
 386 \fBpkcs11_softtoken\fR library and the kernel software providers. It is the
 387 consumers of the framework that are responsible for using only FIPS-approved
 388 algorithms.
 389 .sp
 390 Upon completion of this subcommand, a message is issued to inform the
 391 administrator that any plugins added that are not within the boundary might
 392 invalidate FIPS compliance and to check the Security Policies for those
 393 plugins. In addition, a warning message is issued to indicate that, in this
 394 release, the Cryptographic Framework has not been FIPS 140-2 certified.
 395 .sp
 396 The system will require a reboot to perform Power-Up Self Tests that include a
 397 cryptographic algorithm test and a software integrity test.
 398 .RE
 399 
 400 .sp
 401 .ne 2
 402 .na
 403 \fB\fBcryptoadm\fR \fBlist fips-140\fR\fR
 404 .ad
 405 .sp .6
 406 .RS 4n
 407 Display the current setting of FIPS-140 mode in the Cryptographic Framework.
 408 The status of FIPS-140 mode is \fBenabled\fR or \fBdisabled\fR. The default
 409 FIPS-140 mode is \fBdisabled\fR.
 410 .RE
 411 
 412 .sp
 413 .ne 2
 414 .na
 415 \fB\fBcryptoadm\fR \fBrefresh\fR\fR
 416 .ad
 417 .br
 418 .na
 419 \fB\fBcryptoadm\fR \fBstart\fR\fR
 420 .ad
 421 .br
 422 .na
 423 \fB\fBcryptoadm\fR \fBstop\fR\fR
 424 .ad
 425 .sp .6
 426 .RS 4n
 427 Private interfaces for use by \fBsmf\fR(5), these must not be used directly.
 428 .RE
 429 
 430 .sp
 431 .ne 2
 432 .na
 433 \fB\fBcryptoadm\fR \fB-help\fR\fR
 434 .ad
 435 .sp .6
 436 .RS 4n
 437 Display the command usage.
 438 .RE
 439 
 440 .SH OPERANDS

 441 .ne 2
 442 .na
 443 \fBprovider=\fIprovider-name\fR\fR
 444 .ad
 445 .sp .6
 446 .RS 4n
 447 A user-level provider (a PKCS11 shared library), a kernel software provider (a
 448 loadable kernel software module), or a kernel hardware provider (a
 449 cryptographic hardware device).
 450 .sp
 451 A valid value of the \fIprovider\fR operand is one entry from the output of a
 452 command of the form: \fBcryptoadm\fR \fIlist\fR. A \fIprovider\fR operand for a
 453 user-level provider is an absolute pathname of the corresponding shared
 454 library. A \fIprovider\fR operand for a kernel software provider contains a
 455 base name only. A \fIprovider\fR operand for a kernel hardware provider is in a
 456 "\fIname\fR/\fInumber\fR" form.
 457 .RE
 458 
 459 .sp
 460 .ne 2
 461 .na
 462 \fBmechanism=\fImechanism-list\fR\fR
 463 .ad
 464 .sp .6
 465 .RS 4n
 466 A comma separated list of one or more PKCS #11 mechanisms. A process for
 467 implementing a cryptographic operation as defined in PKCS #11 specification.
 468 You can substitute \fBall\fR for \fImechanism-list\fR, to specify all
 469 mechanisms on a provider. See the discussion of the \fBall\fR keyword, below.
 470 .RE
 471 
 472 .sp
 473 .ne 2
 474 .na
 475 \fB\fIprovider-feature\fR\fR
 476 .ad
 477 .sp .6
 478 .RS 4n
 479 A cryptographic framework feature for the given provider. Currently only
 480 \fBrandom\fR is accepted as a feature. For a user-level provider, disabling the
 481 random feature makes the PKCS #11 routines \fBC_GenerateRandom\fR and
 482 \fBC_SeedRandom\fR unavailable from the provider. For a kernel provider,
 483 disabling the random feature prevents \fB/dev/random\fR from gathering random
 484 numbers from the provider.
 485 .RE
 486 
 487 .sp
 488 .ne 2
 489 .na
 490 \fB\fBall\fR\fR
 491 .ad
 492 .sp .6
 493 .RS 4n
 494 The keyword all can be used with with the \fBdisable\fR and \fBenable\fR
 495 subcommands to operate on all provider features.
 496 .RE
 497 
 498 .sp
 499 .ne 2
 500 .na
 501 \fB\fBtoken=\fR\fItoken-label\fR\fR
 502 .ad
 503 .sp .6
 504 .RS 4n
 505 The label of a token in one of the providers in the cryptographic framework.
 506 .sp
 507 A valid value of the token operand is an item displayed under "Token Label"
 508 from the output of the command \fBcryptoadm list\fR \fB-v\fR.
 509 .RE
 510 
 511 .sp
 512 .ne 2
 513 .na
 514 \fB\fBslot=\fR\fIslot-description\fR\fR
 515 .ad
 516 .sp .6
 517 .RS 4n
 518 The description of a slot in one of the providers in the cryptographic
 519 framework.
 520 .sp
 521 A valid value of the slot operand is an item displayed under "Description" from
 522 the output of the command \fBcryptoadm list\fR \fB-v\fR.
 523 .RE
 524 
 525 .sp
 526 .ne 2
 527 .na
 528 \fB\fBdefault-keystore\fR\fR
 529 .ad
 530 .sp .6
 531 .RS 4n
 532 The keyword \fBdefault-keystore\fR is valid only for metaslot. Specify this
 533 keyword to set the persistent object store for metaslot back to using the
 534 default store.
 535 .RE
 536 
 537 .sp
 538 .ne 2
 539 .na
 540 \fB\fBauto-key-migrate\fR\fR
 541 .ad
 542 .sp .6
 543 .RS 4n
 544 The keyword auto-key-migrate is valid only for metaslot. Specify this keyword
 545 to configure whether metaslot is allowed to move sensitive token objects from
 546 the token object slot to other slots for performing cryptographic operations.
 547 .RE
 548 
 549 .sp
 550 .LP
 551 The keyword \fBall\fR can be used in two ways with the \fBdisable\fR and
 552 \fBenable\fR subcommands:
 553 .RS +4
 554 .TP
 555 .ie t \(bu
 556 .el o
 557 You can substitute \fBall\fR for \fBmechanism\fR=\fImechanism-list\fR, as in:
 558 .sp
 559 .in +2
 560 .nf
 561 # \fBcryptoadm enable provider=dca/0 all\fR
 562 .fi
 563 .in -2
 564 .sp
 565 
 566 This command enables the mechanisms on the provider \fBand\fR any other
 567 provider-features, such as \fBrandom\fR.
 568 .sp
 569 .in +2
 570 .nf
 571 # \fBcryptoadm enable provider=des mechanism=all\fR
 572 .fi
 573 .in -2
 574 .sp
 575 
 576 .RE
 577 .RS +4
 578 .TP
 579 .ie t \(bu
 580 .el o
 581 You can also use \fBall\fR as an argument to \fBmechanism\fR, as in:
 582 .sp
 583 .in +2
 584 .nf
 585 # \fBcryptoadm enable provider=des mechanism=all\fR
 586 .fi
 587 .in -2
 588 .sp
 589 
 590 \&...which enables all mechanisms on the provider, but enables no other
 591 provider-features, such as \fBrandom\fR.
 592 .RE
 593 .SH EXAMPLES

 594 \fBExample 1 \fRDisplay List of Providers Installed in System
 595 .sp
 596 .LP
 597 The following command displays a list of all installed providers:
 598 
 599 .sp
 600 .in +2
 601 .nf
 602 example% \fBcryptoadm list\fR
 603 user-level providers:
 604 /usr/lib/security/$ISA/pkcs11_kernel.so
 605 /usr/lib/security/$ISA/pkcs11_softtoken.so
 606 /opt/lib/libcryptoki.so.1
 607 /opt/SUNWconn/lib/$ISA/libpkcs11.so.1
 608 
 609 kernel software providers:
 610     des
 611     aes
 612     bfish
 613     sha1
 614     md5
 615 
 616 kernel hardware providers:
 617     dca/0
 618 .fi
 619 .in -2
 620 .sp
 621 
 622 .LP
 623 \fBExample 2 \fRDisplay Mechanism List for \fBmd5\fR Provider
 624 .sp
 625 .LP
 626 The following command is a variation of the \fBlist\fR subcommand:
 627 
 628 .sp
 629 .in +2
 630 .nf
 631 example% \fBcryptoadm list -m provider=md5\fR
 632 md5: CKM_MD5,CKM_MD5_HMAC,CKM_MD5_HMAC_GENERAL
 633 .fi
 634 .in -2
 635 .sp
 636 
 637 .LP
 638 \fBExample 3 \fRDisable Specific Mechanisms for Kernel Software Provider
 639 .sp
 640 .LP
 641 The following command disables mechanisms \fBCKM_DES3_ECB\fR and
 642 \fBCKM_DES3_CBC\fR for the kernel software provider \fBdes\fR:
 643 
 644 .sp
 645 .in +2
 646 .nf
 647 example# \fBcryptoadm disable provider=des\fR
 648 .fi
 649 .in -2
 650 .sp
 651 
 652 .LP
 653 \fBExample 4 \fRDisplay Mechanism Policy for a Provider
 654 .sp
 655 .LP
 656 The following command displays the mechanism policy for the \fBdes\fR provider:
 657 
 658 .sp
 659 .in +2
 660 .nf
 661 example% \fBcryptoadm list -p provider=des\fR
 662 des: All mechanisms are enabled, except CKM_DES3_ECB, CKM_DES3_CBC
 663 .fi
 664 .in -2
 665 .sp
 666 
 667 .LP
 668 \fBExample 5 \fREnable Specific Mechanism for a Provider
 669 .sp
 670 .LP
 671 The following command enables the \fBCKM_DES3_ECB\fR mechanism for the kernel
 672 software provider \fBdes\fR:
 673 
 674 .sp
 675 .in +2
 676 .nf
 677 example# \fBcryptoadm enable provider=des mechanism=CKM_DES3_ECB\fR
 678 .fi
 679 .in -2
 680 .sp
 681 
 682 .LP
 683 \fBExample 6 \fRInstall User-Level Provider
 684 .sp
 685 .LP
 686 The following command installs a user-level provider:
 687 
 688 .sp
 689 .in +2
 690 .nf
 691 example# \fBcryptoadm install provider=/opt/lib/libcryptoki.so.1\fR
 692 .fi
 693 .in -2
 694 .sp
 695 
 696 .LP
 697 \fBExample 7 \fRInstall User-Level Provider That Contains 32- and 64-bit
 698 Versions
 699 .sp
 700 .LP
 701 The following command installs a user-level provider that contains both 32-bit
 702 and 64-bit versions:
 703 
 704 .sp
 705 .in +2
 706 .nf
 707 example# \fBcryptoadm install \e\fR
 708 provider=/opt/SUNWconn/lib/'$ISA'/libpkcs11.so.1
 709 .fi
 710 .in -2
 711 .sp
 712 
 713 .LP
 714 \fBExample 8 \fRUninstall a Provider
 715 .sp
 716 .LP
 717 The following command uninstalls the \fBmd5\fR provider:
 718 
 719 .sp
 720 .in +2
 721 .nf
 722 example# \fBcryptoadm uninstall provider=md5\fR
 723 .fi
 724 .in -2
 725 .sp
 726 
 727 .LP
 728 \fBExample 9 \fRDisable metaslot
 729 .sp
 730 .LP
 731 The following command disables the metaslot feature in the cryptographic
 732 framework.
 733 
 734 .sp
 735 .in +2
 736 .nf
 737 example# \fBcryptoadm disable metaslot\fR
 738 .fi
 739 .in -2
 740 .sp
 741 
 742 .LP
 743 \fBExample 10 \fRSpecify metaslot to Use Specified Token as Persistent Object
 744 Store
 745 .sp
 746 .LP
 747 The following command specifies that metaslot use the Venus token as the
 748 persistent object store.
 749 
 750 .sp
 751 .in +2
 752 .nf
 753 example# \fBcryptoadm enable metaslot token="SUNW,venus"\fR
 754 .fi
 755 .in -2
 756 .sp
 757 
 758 .SH EXIT STATUS


 759 The following exit values are returned:
 760 .sp
 761 .ne 2
 762 .na
 763 \fB\fB0\fR\fR
 764 .ad
 765 .sp .6
 766 .RS 4n
 767 Successful completion.
 768 .RE
 769 
 770 .sp
 771 .ne 2
 772 .na
 773 \fB\fB>0\fR\fR
 774 .ad
 775 .sp .6
 776 .RS 4n
 777 An error occurred.
 778 .RE
 779 
 780 .SH ATTRIBUTES


 781 See \fBattributes\fR(5) for descriptions of the following attributes:
 782 .sp
 783 
 784 .sp
 785 .TS
 786 box;
 787 c | c
 788 l | l .
 789 ATTRIBUTE TYPE  ATTRIBUTE VALUE
 790 _
 791 Interface Stability     See below
 792 .TE
 793 
 794 .sp
 795 .LP
 796 The \fBstart\fR, \fBstop\fR, and \fBrefresh\fR options are Private interfaces.
 797 All other options are Evolving. The utility name is Stable.
 798 .SH SEE ALSO


 799 \fBlogadm\fR(1M), \fBsvcadm\fR(1M), \fBsyslogd\fR(1M), \fBlibpkcs11\fR(3LIB),
 800 \fBexec_attr\fR(4), \fBprof_attr\fR(4), \fBattributes\fR(5), \fBsmf\fR(5),
 801 \fBrandom\fR(7D)


 802 
 803 .sp
 804 .LP
 805 \fISolaris Security for Developer's Guide\fR
 806 .SH NOTES


 807 If a hardware provider's policy was made explicitly (that is, some of its
 808 mechanisms were disabled) and the hardware provider has been detached, the
 809 policy of this hardware provider is still listed.
 810 .sp
 811 .LP
 812 \fBcryptoadm\fR assumes that, minimally, a 32-bit shared object is delivered
 813 for each user-level provider. If both a 32-bit and 64-bit shared object are
 814 delivered, the two versions must provide the same functionality. The same
 815 mechanism policy applies to both.
--- EOF ---