1 '\" te
2 .\" Copyright (c) 2007, Sun Microsystems, Inc. All Rights Reserved.
3 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
4 .\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the
5 .\" fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
6 .TH CRYPTOADM 1M "Sep 1, 2009"
7 .SH NAME
8 cryptoadm \- cryptographic framework administration
9 .SH SYNOPSIS
10 .LP
11 .nf
12 \fBcryptoadm\fR list [\fB-mpv\fR] [provider=\fIprovider-name\fR]
13 [mechanism=\fImechanism-list\fR]
14 .fi
15
16 .LP
17 .nf
18 \fBcryptoadm\fR disable
19 provider=\fIprovider-name\fR mechanism=\fImechanism-list\fR | random | all
20 .fi
21
22 .LP
23 .nf
24 \fBcryptoadm\fR enable
25 provider=\fIprovider-name\fR mechanism=\fImechanism-list\fR | random | all
26 .fi
27
28 .LP
29 .nf
30 \fBcryptoadm\fR install provider=\fIprovider-name\fR
65 .nf
66 \fBcryptoadm\fR refresh
67 .fi
68
69 .LP
70 .nf
71 \fBcryptoadm\fR start
72 .fi
73
74 .LP
75 .nf
76 \fBcryptoadm\fR stop
77 .fi
78
79 .LP
80 .nf
81 \fBcryptoadm\fR \fB-\fR\fB-help\fR
82 .fi
83
84 .SH DESCRIPTION
85 .sp
86 .LP
87 The \fBcryptoadm\fR utility displays cryptographic provider information for a
88 system, configures the mechanism policy for each provider, and installs or
89 uninstalls a cryptographic provider. The cryptographic framework supports three
90 types of providers: a user-level provider (a PKCS11 shared library), a kernel
91 software provider (a loadable kernel software module), and a kernel hardware
92 provider (a cryptographic hardware device).
93 .sp
94 .LP
For kernel software providers, the \fBcryptoadm\fR utility provides the
\fBunload\fR subcommand. This subcommand instructs the kernel to unload a
kernel software provider.
98 .sp
99 .LP
100 For the cryptographic framework's metaslot, the \fBcryptoadm\fR utility
101 provides subcommands to enable and disable the metaslot's features, list
102 metaslot's configuration, specify alternate persistent object storage, and
103 configure the metaslot's mechanism policy.
104 .sp
105 .LP
106 The \fBcryptoadm\fR utility provides subcommands to enable and disable FIPS-140
126 If there are bad providers plugged into the framework, you can learn this from
127 syslog and remove the bad providers from the framework.
128 .RE
129 .sp
130 .LP
131 With the exception of the subcommands or options listed below, the
132 \fBcryptoadm\fR command needs to be run by a privileged user.
133 .RS +4
134 .TP
135 .ie t \(bu
136 .el o
137 subcommand \fBlist\fR, any options
138 .RE
139 .RS +4
140 .TP
141 .ie t \(bu
142 .el o
143 subcommand \fB-\fR\fB-help\fR
144 .RE
145 .SH OPTIONS
146 .sp
147 .LP
148 The \fBcryptoadm\fR utility has the various combinations of subcommands and
149 options shown below.
150 .sp
151 .ne 2
152 .na
153 \fB\fBcryptoadm\fR \fBlist\fR\fR
154 .ad
155 .sp .6
156 .RS 4n
157 Display the list of installed providers.
158 .RE
159
160 .sp
161 .ne 2
162 .na
163 \fB\fBcryptoadm\fR \fBlist metaslot\fR\fR
164 .ad
165 .sp .6
166 .RS 4n
167 Display the system-wide configuration for metaslot.
426 .br
427 .na
428 \fB\fBcryptoadm\fR \fBstop\fR\fR
429 .ad
430 .sp .6
431 .RS 4n
Private interfaces for use by \fBsmf\fR(5); they must not be used directly.
433 .RE
434
435 .sp
436 .ne 2
437 .na
\fB\fBcryptoadm\fR \fB-\fR\fB-help\fR\fR
439 .ad
440 .sp .6
441 .RS 4n
442 Display the command usage.
443 .RE
444
445 .SH OPERANDS
446 .sp
447 .ne 2
448 .na
449 \fBprovider=\fIprovider-name\fR\fR
450 .ad
451 .sp .6
452 .RS 4n
453 A user-level provider (a PKCS11 shared library), a kernel software provider (a
454 loadable kernel software module), or a kernel hardware provider (a
455 cryptographic hardware device).
456 .sp
457 A valid value of the \fIprovider\fR operand is one entry from the output of a
458 command of the form: \fBcryptoadm\fR \fIlist\fR. A \fIprovider\fR operand for a
459 user-level provider is an absolute pathname of the corresponding shared
460 library. A \fIprovider\fR operand for a kernel software provider contains a
461 base name only. A \fIprovider\fR operand for a kernel hardware provider is in a
462 "\fIname\fR/\fInumber\fR" form.
463 .RE
464
465 .sp
466 .ne 2
580 .sp
581
582 .RE
583 .RS +4
584 .TP
585 .ie t \(bu
586 .el o
587 You can also use \fBall\fR as an argument to \fBmechanism\fR, as in:
588 .sp
589 .in +2
590 .nf
591 # \fBcryptoadm enable provider=des mechanism=all\fR
592 .fi
593 .in -2
594 .sp
595
596 \&...which enables all mechanisms on the provider, but enables no other
597 provider-features, such as \fBrandom\fR.
598 .RE
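.sp
.LP
The following shell script is an added example; it is not part of this manual
page or of the cryptographic framework, and it never invokes \fBcryptoadm\fR
itself. It applies the operand rules above to a constructed listing in the
layout of \fBcryptoadm list\fR (the user-level and kernel software entries are
taken from Example 1 below; the kernel hardware entry \fBdca/0\fR is assumed
here to illustrate the \fIname\fR/\fInumber\fR form), checks a provider
operand for form and presence, and then composes a \fBdisable\fR command,
which it prints rather than runs because \fBdisable\fR needs a privileged
user. The function names are the example's own.

```shell
#!/bin/sh
# Added example: apply the cryptoadm(1M) provider-operand rules to a listing.
# Not part of the manual page or of the cryptographic framework; cryptoadm
# itself is never invoked, so this runs anywhere a POSIX shell does.

# Constructed listing in the layout of "cryptoadm list".  The user-level and
# kernel software entries are taken from Example 1 of this page; the kernel
# hardware entry dca/0 is assumed here to illustrate the name/number form.
SAMPLE_LIST='user-level providers:
    /usr/lib/security/$ISA/pkcs11_kernel.so
    /usr/lib/security/$ISA/pkcs11_softtoken.so
    /opt/lib/libcryptoki.so.1
    /opt/SUNWconn/lib/$ISA/libpkcs11.so.1

kernel software providers:
    des
    aes
    bfish
    sha1

kernel hardware providers:
    dca/0'

# Classify an operand by its form, as the OPERANDS section describes:
#   absolute pathname      -> user-level provider (PKCS#11 shared library)
#   name/number            -> kernel hardware provider
#   base name, no slash    -> kernel software provider
# Prints the type; prints "invalid" and returns 1 for anything else.
provider_type() {
    case "$1" in
        '')  echo invalid; return 1 ;;
        /*)  echo user-level ;;
        */*)
            # Exactly one slash, a non-empty name and an all-digit instance.
            _name=${1%%/*}
            _num=${1#*/}
            case "$_name/$_num" in
                /*|*/|*/*/*|*/*[!0-9]*) echo invalid; return 1 ;;
                *) echo kernel-hardware ;;
            esac ;;
        *)   echo kernel-software ;;
    esac
}

# Succeed only if the operand appears as an entry in the listing ($2).
# Entries are indented in real output, so surrounding whitespace is
# stripped; section headers end in ':' and are dropped so that they can
# never be mistaken for a provider.
provider_listed() {
    printf '%s\n' "$2" |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/:$/d' |
        grep -qxF -- "$1"
}

# Compose, but do not run, "cryptoadm disable" for one provider: the
# subcommand needs a privileged user and a live framework, so the operand is
# validated against the listing and the command is printed for review.
# Remember the caveat from OPERANDS: mechanism=all covers every mechanism on
# the provider but no other feature, such as random.
build_disable_cmd() {
    _op=$1; _mechs=$2; _listing=$3
    _type=$(provider_type "$_op") || {
        echo "build_disable_cmd: malformed provider operand: $_op" >&2
        return 1
    }
    provider_listed "$_op" "$_listing" || {
        echo "build_disable_cmd: no $_type provider named $_op is installed" >&2
        return 1
    }
    printf 'cryptoadm disable provider=%s mechanism=%s\n' "$_op" "$_mechs"
}

# Demonstration against the constructed listing.
build_disable_cmd des all "$SAMPLE_LIST"
build_disable_cmd dca/0 all "$SAMPLE_LIST"
build_disable_cmd rc4 all "$SAMPLE_LIST" || echo '(rejected: not in the listing)'
build_disable_cmd dca/0/1 all "$SAMPLE_LIST" || echo '(rejected: malformed operand)'
```

On a live system the listing would come from \fBcryptoadm list\fR instead of
the constructed string, and the printed command would be reviewed before a
privileged user runs it.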
599 .SH EXAMPLES
600 .LP
601 \fBExample 1 \fRDisplay List of Providers Installed in System
602 .sp
603 .LP
604 The following command displays a list of all installed providers:
605
606 .sp
607 .in +2
608 .nf
609 example% \fBcryptoadm list\fR
610 user-level providers:
611 /usr/lib/security/$ISA/pkcs11_kernel.so
612 /usr/lib/security/$ISA/pkcs11_softtoken.so
613 /opt/lib/libcryptoki.so.1
614 /opt/SUNWconn/lib/$ISA/libpkcs11.so.1
615
616 kernel software providers:
617 des
618 aes
619 bfish
620 sha1
746 .in -2
747 .sp
748
749 .LP
750 \fBExample 10 \fRSpecify metaslot to Use Specified Token as Persistent Object
751 Store
752 .sp
753 .LP
754 The following command specifies that metaslot use the Venus token as the
755 persistent object store.
756
757 .sp
758 .in +2
759 .nf
760 example# \fBcryptoadm enable metaslot token="SUNW,venus"\fR
761 .fi
762 .in -2
763 .sp
764
765 .SH EXIT STATUS
766 .sp
767 .LP
768 The following exit values are returned:
769 .sp
770 .ne 2
771 .na
772 \fB\fB0\fR\fR
773 .ad
774 .sp .6
775 .RS 4n
776 Successful completion.
777 .RE
778
779 .sp
780 .ne 2
781 .na
782 \fB\fB>0\fR\fR
783 .ad
784 .sp .6
785 .RS 4n
786 An error occurred.
787 .RE
788
789 .SH ATTRIBUTES
790 .sp
791 .LP
792 See \fBattributes\fR(5) for descriptions of the following attributes:
793 .sp
794
795 .sp
796 .TS
797 box;
798 c | c
799 l | l .
800 ATTRIBUTE TYPE ATTRIBUTE VALUE
801 _
802 Interface Stability See below
803 .TE
804
805 .sp
806 .LP
807 The \fBstart\fR, \fBstop\fR, and \fBrefresh\fR options are Private interfaces.
808 All other options are Evolving. The utility name is Stable.
809 .SH SEE ALSO
810 .sp
811 .LP
812 \fBlogadm\fR(1M), \fBsvcadm\fR(1M), \fBsyslogd\fR(1M), \fBlibpkcs11\fR(3LIB),
813 \fBexec_attr\fR(4), \fBprof_attr\fR(4), \fBattributes\fR(5), \fBsmf\fR(5),
814 \fBrandom\fR(7D)
815 .sp
816 .LP
817
818 .sp
819 .LP
820 \fISolaris Security for Developer's Guide\fR
821 .SH NOTES
822 .sp
823 .LP
824 If a hardware provider's policy was made explicitly (that is, some of its
825 mechanisms were disabled) and the hardware provider has been detached, the
826 policy of this hardware provider is still listed.
827 .sp
828 .LP
829 \fBcryptoadm\fR assumes that, minimally, a 32-bit shared object is delivered
830 for each user-level provider. If both a 32-bit and 64-bit shared object are
831 delivered, the two versions must provide the same functionality. The same
832 mechanism policy applies to both.