cryptoadm man page on SmartOS

Printed from http://www.polarhome.com/service/man/?qf=cryptoadm&af=0&tf=2&of=SmartOS

CRYPTOADM(1M)							 CRYPTOADM(1M)

NAME
       cryptoadm - cryptographic framework administration

SYNOPSIS
       cryptoadm list [-mpv] [provider=provider-name]
	    [mechanism=mechanism-list]

       cryptoadm disable
	    provider=provider-name mechanism=mechanism-list | random | all

       cryptoadm enable
	    provider=provider-name mechanism=mechanism-list | random | all

       cryptoadm install provider=provider-name

       cryptoadm install provider=provider-name
	    [mechanism=mechanism-list]

       cryptoadm uninstall provider=provider-name

       cryptoadm unload provider=provider-name

       cryptoadm disable fips-140

       cryptoadm enable fips-140

       cryptoadm list fips-140

       cryptoadm refresh

       cryptoadm start

       cryptoadm stop

       cryptoadm --help


DESCRIPTION
       The cryptoadm utility displays cryptographic provider information for a
       system, configures the mechanism policy for each provider, and installs
       or  uninstalls  a  cryptographic	 provider. The cryptographic framework
       supports three types of providers:  a  user-level  provider  (a	PKCS11
       shared library), a kernel software provider (a loadable kernel software
       module), and a  kernel  hardware	 provider  (a  cryptographic  hardware
       device).

       For  kernel  software  providers,  the  cryptoadm  utility provides the
       unload subcommand. This subcommand instructs the	 kernel	 to  unload  a
       kernel software providers.

       For  the cryptographic framework's metaslot, the cryptoadm utility pro‐
       vides subcommands to enable and disable the metaslot's  features,  list
       metaslot's  configuration, specify alternate persistent object storage,
       and configure the metaslot's mechanism policy.

       The cryptoadm  utility  provides	 subcommands  to  enable  and  disable
       FIPS-140	 mode  in the Cryptographic Framework. It also provides a list
       subcommand to display the current status of FIPS-140 mode.

       Administrators will find it useful to use syslog facilities  (see  sys‐
       logd(1M)	 and logadm(1M)) to maintain the cryptographic subsystem. Log‐
       ging can be especially useful under the following circumstances:

	   o	  If kernel-level daemon is dead, all applications  fail.  You
		  can learn this from syslog and use svcadm(1M) to restart the
		  svc:/system/cryptosvc service.

	   o	  If there are bad providers plugged into the  framework,  you
		  can learn this from syslog and remove the bad providers from
		  the framework.

       With the exception of the subcommands  or  options  listed  below,  the
       cryptoadm command needs to be run by a privileged user.

	   o	  subcommand list, any options

	   o	  subcommand --help

OPTIONS
       The  cryptoadm  utility has the various combinations of subcommands and
       options shown below.

       cryptoadm list

	   Display the list of installed providers.

       cryptoadm list metaslot

	   Display the system-wide configuration for metaslot.

       cryptoadm list -m [ provider=provider-name | metaslot ]

	   Display a list of mechanisms that can be used  with	the  installed
	   providers or metaslot. If a provider is specified, display the name
	   of the specified provider and the mechanism list that can  be  used
	   with	 that  provider. If the metaslot keyword is specified, display
	   the list of mechanisms that can be used with metaslot.

       cryptoadm list -p [ provider=provider-name | metaslot ]

	   Display the mechanism policy (that is, which mechanisms are	avail‐
	   able	 and  which are not) for the installed providers. Also display
	   the provider feature policy or metaslot. If a  provider  is	speci‐
	   fied,  display  the	name of the provider with the mechanism policy
	   enforced on it only. If the metaslot keyword is specified,  display
	   the mechanism policy enforced on the metaslot.

       cryptoadm list -v provider=provider-name | metaslot

	   Display details about the specified provider if a provider is spec‐
	   ified. If the metaslot keyword is specified, display details	 about
	   the metaslot.

       -v

	   For	the  various list subcommands described above (except for list
	   -p), the -v (verbose)  option  provides  details  about  providers,
	   mechanisms and slots.

       cryptoadm disable provider=provider-name
       [ mechanism=mechanism-list | provider-feature ... | all ]

	   Disable  the	 mechanisms  or	 provider  features  specified for the
	   provider. See OPERANDS for a description  of	 mechanism,  provider-
	   feature, and the all keyword.

       cryptoadm [ mechanism=mechanism-list ] [ auto-key-migrate ]

	   Disable the metaslot feature in the cryptographic framework or dis‐
	   able some of metaslot's features. If no operand is specified,  this
	   command  disables  the metaslot feature in the cryptographic frame‐
	   work. If a list of  mechanisms  is  specified,  disable  mechanisms
	   specified   for  metaslot.  If  all	mechanisms  are	 disabled  for
	   metaslot, the  metaslot  will  be  disabled.	 See  OPERANDS	for  a
	   description of mechanism. If the auto-key-migrate keyword is speci‐
	   fied, it disables the migration of sensitive token objects to other
	   slots even if it is necessary for performing crypto operations. See
	   OPERANDS for a description of auto-key-migrate.

       cryptoadm enable provider=provider-name
       [ mechanism=mechanism-list | provider-feature ... | all ]

	   Enable the  mechanisms  or  provider	 features  specified  for  the
	   provider.  See  OPERANDS  for a description of mechanism, provider-
	   feature, and the all keyword.

       cryptoadm enable metaslot [ mechanism=mechanism-list ] |
       [ [ token=token-label] [ slot=slot-description] |
       default-keystore ] | [ auto-key-migrate ]

	   If no operand is specified, this command enables the metaslot  fea‐
	   ture	 in  the  cryptographic	 framework. If a list of mechanisms is
	   specified, it enables only the list	of  specified  mechanisms  for
	   metaslot.  If token-label is specified, the specified token will be
	   used as the persistent object store.	 If  the  slot-description  is
	   specified, the specified slot will be used as the persistent object
	   store. If both the token-label and the slot-description are	speci‐
	   fied,  the provider with the matching token label and slot descrip‐
	   tion is used as the persistent object store.	 If  the  default-key‐
	   store  keyword  is specified, metaslot will use the default persis‐
	   tent object store. If the auto-key-migrate  keyword	is  specified,
	   sensitive  token  objects will automatically migrate to other slots
	   as needed to complete certain crypto operations. See OPERANDS for a
	   description	of mechanism, token, slot, default-keystore, and auto-
	   key-migrate.

       cryptoadm install provider=provider-name

	   Install a user-level provider into the system. The provider operand
	   must	 be  an absolute pathname of the corresponding shared library.
	   If there are both 32-bit and 64-bit versions for  a	library,  this
	   command should be run once only with the path name containing $ISA.
	   Note that $ISA is not a reference to an environment variable.  Note
	   also	 that  $ISA  must  be quoted (with single quotes [for example,
	   '$ISA']) or the $ must be escaped to keep it from being incorrectly
	   expanded  by the shell. The user-level framework expands $ISA to an
	   empty string or an architecture-specific  directory,	 for  example,
	   sparcv9.

	   The preferred way of installing a user-level provider is to build a
	   package for the provider. For more  information,  see  the  Solaris
	   Security for Developer's Guide.

       cryptoadm install provider=provider-name
       mechanism=mechanism-list

	   Install  a  kernel  software provider into the system. The provider
	   should contain the base name only. The mechanism-list operand spec‐
	   ifies  the  complete	 list  of  mechanisms  to be supported by this
	   provider.

	   The preferred way of installing a kernel software  provider	is  to
	   build  a  package  for  providers.  For  more  information, see the
	   Solaris Security for Developer's Guide.

       cryptoadm uninstall provider=provider-name

	   Uninstall the specified provider and the associated mechanism  pol‐
	   icy	from  the system. This subcommand applies only to a user-level
	   provider or a kernel software provider.

       cryptoadm unload provider=provider-name

	   Unload the kernel software module specified by provider.

       cryptoadm disable fips-140

	   Disable FIPS-140 mode in the Cryptographic Framework.

       cryptoadm enable fips-140

	   Enable FIPS-140 mode in the Cryptographic Framework.	 This  subcom‐
	   mand	 does  not  disable  the non-FIPS approved algorithms from the
	   user-level  pkcs11_softtoken	 library  and  the   kernel   software
	   providers.  It is the consumers of the framework that are responsi‐
	   ble for using only FIPS-approved algorithms.

	   Upon completion of this subcommand, a message is issued  to	inform
	   the	administrator  that  any plugins added that are not within the
	   boundary might invalidate FIPS compliance and to check the Security
	   Policies  for  those	 plugins.  In  addition,  a warning message is
	   issued to indicate that, in this release, the Cryptographic	Frame‐
	   work has not been FIPS 140-2 certified.

	   The	system	will  require  a reboot to perform Power-Up Self Tests
	   that	 include  a  cryptographic  algorithm  test  and  a   software
	   integrity test.

       cryptoadm list fips-140

	   Display  the	 current setting of FIPS-140 mode in the Cryptographic
	   Framework.  The status of FIPS-140 mode is enabled or disabled. The
	   default FIPS-140 mode is disabled.

       cryptoadm refresh
       cryptoadm start
       cryptoadm stop

	   Private  interfaces	for  use  by  smf(5),  these  must not be used
	   directly.

       cryptoadm -help

	   Display the command usage.

OPERANDS
       provider=provider-name

	   A user-level provider (a PKCS11 shared library), a kernel  software
	   provider  (a loadable kernel software module), or a kernel hardware
	   provider (a cryptographic hardware device).

	   A valid value of the provider operand is one entry from the	output
	   of  a command of the form: cryptoadm list. A provider operand for a
	   user-level provider is an absolute pathname	of  the	 corresponding
	   shared  library.  A provider operand for a kernel software provider
	   contains a base name only. A provider operand for a kernel hardware
	   provider is in a "name/number" form.

       mechanism=mechanism-list

	   A  comma  separated	list  of  one  or  more PKCS #11 mechanisms. A
	   process for implementing a cryptographic operation  as  defined  in
	   PKCS #11 specification.  You can substitute all for mechanism-list,
	   to specify all mechanisms on a provider. See the discussion of  the
	   all keyword, below.

       provider-feature

	   A cryptographic framework feature for the given provider. Currently
	   only random is accepted as a feature. For  a	 user-level  provider,
	   disabling  the  random feature makes the PKCS #11 routines C_Gener‐
	   ateRandom and C_SeedRandom unavailable from	the  provider.	For  a
	   kernel  provider, disabling the random feature prevents /dev/random
	   from gathering random numbers from the provider.

       all

	   The keyword all can be used with with the disable and  enable  sub‐
	   commands to operate on all provider features.

       token=token-label

	   The	label  of a token in one of the providers in the cryptographic
	   framework.

	   A valid value of the token  operand	is  an	item  displayed	 under
	   "Token Label" from the output of the command cryptoadm list -v.

       slot=slot-description

	   The	description  of	 a slot in one of the providers in the crypto‐
	   graphic framework.

	   A valid value of the	 slot  operand	is  an	item  displayed	 under
	   "Description" from the output of the command cryptoadm list -v.

       default-keystore

	   The	keyword	 default-keystore  is valid only for metaslot. Specify
	   this keyword to set the persistent object store for	metaslot  back
	   to using the default store.

       auto-key-migrate

	   The	keyword	 auto-key-migrate  is valid only for metaslot. Specify
	   this keyword to configure whether metaslot is allowed to move  sen‐
	   sitive  token objects from the token object slot to other slots for
	   performing cryptographic operations.

       The keyword all can be used in two ways with  the  disable  and	enable
       subcommands:

	   o	  You can substitute all for mechanism=mechanism-list, as in:

		    # cryptoadm enable provider=dca/0 all

		  This	command enables the mechanisms on the provider and any
		  other provider-features, such as random.

		    # cryptoadm enable provider=des mechanism=all

	   o	  You can also use all as an argument to mechanism, as in:

		    # cryptoadm enable provider=des mechanism=all

		  ...which enables all mechanisms on the provider, but enables
		  no other provider-features, such as random.

EXAMPLES
       Example 1 Display List of Providers Installed in System

       The following command displays a list of all installed providers:

	 example% cryptoadm list
	 user-level providers:
	 /usr/lib/security/$ISA/pkcs11_kernel.so
	 /usr/lib/security/$ISA/pkcs11_softtoken.so
	 /opt/lib/libcryptoki.so.1
	 /opt/SUNWconn/lib/$ISA/libpkcs11.so.1

	 kernel software providers:
	     des
	     aes
	     bfish
	     sha1
	     md5

	 kernel hardware providers:
	     dca/0

       Example 2 Display Mechanism List for md5 Provider

       The following command is a variation of the list subcommand:

	 example% cryptoadm list -m provider=md5
	 md5: CKM_MD5,CKM_MD5_HMAC,CKM_MD5_HMAC_GENERAL

       Example 3 Disable Specific Mechanisms for Kernel Software Provider

       The following command disables mechanisms CKM_DES3_ECB and CKM_DES3_CBC
       for the kernel software provider des:

	 example# cryptoadm disable provider=des

       Example 4 Display Mechanism Policy for a Provider

       The following  command  displays	 the  mechanism	 policy	 for  the  des
       provider:

	 example% cryptoadm list -p provider=des
	 des: All mechanisms are enabled, except CKM_DES3_ECB, CKM_DES3_CBC

       Example 5 Enable Specific Mechanism for a Provider

       The following command enables the CKM_DES3_ECB mechanism for the kernel
       software provider des:

	 example# cryptoadm enable provider=des mechanism=CKM_DES3_ECB

       Example 6 Install User-Level Provider

       The following command installs a user-level provider:

	 example# cryptoadm install provider=/opt/lib/libcryptoki.so.1

       Example 7 Install User-Level Provider That Contains 32- and 64-bit Ver‐
       sions

       The following command installs a user-level provider that contains both
       32-bit and 64-bit versions:

	 example# cryptoadm install \
	 provider=/opt/SUNWconn/lib/'$ISA'/libpkcs11.so.1

       Example 8 Uninstall a Provider

       The following command uninstalls the md5 provider:

	 example# cryptoadm uninstall provider=md5

       Example 9 Disable metaslot

       The following command disables the  metaslot  feature  in  the  crypto‐
       graphic framework.

	 example# cryptoadm disable metaslot

       Example 10 Specify metaslot to Use Specified Token as Persistent Object
       Store

       The following command specifies that metaslot use the  Venus  token  as
       the persistent object store.

	 example# cryptoadm enable metaslot token="SUNW,venus"

EXIT STATUS
       The following exit values are returned:

       0

	   Successful completion.

       >0

	   An error occurred.

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       ┌────────────────────┬─────────────────┐
       │  ATTRIBUTE TYPE    │ ATTRIBUTE VALUE │
       ├────────────────────┼─────────────────┤
       │Interface Stability │ See below	      │
       └────────────────────┴─────────────────┘

       The start, stop, and refresh options are Private interfaces.  All other
       options are Evolving. The utility name is Stable.

SEE ALSO
       logadm(1M),  svcadm(1M),	 syslogd(1M),  libpkcs11(3LIB),	 exec_attr(4),
       prof_attr(4), attributes(5), smf(5), random(7D)

       Solaris Security for Developer's Guide

NOTES
       If  a  hardware provider's policy was made explicitly (that is, some of
       its mechanisms were  disabled)  and  the	 hardware  provider  has  been
       detached, the policy of this hardware provider is still listed.

       cryptoadm  assumes that, minimally, a 32-bit shared object is delivered
       for each user-level provider. If both a 32-bit and 64-bit shared object
       are  delivered,	the  two versions must provide the same functionality.
       The same mechanism policy applies to both.

				  Sep 1, 2009			 CRYPTOADM(1M)
[top]

List of man pages available for SmartOS

Copyright (c) for man pages and the logo by the respective OS vendor.

For those who want to learn more, the polarhome community provides shell access and support.

[legal] [privacy] [GNU] [policy] [cookies] [netiquette] [sponsors] [FAQ]
Tweet
Polarhome, production since 1999.
Member of Polarhome portal.
Based on Fawad Halim's script.
....................................................................
Vote for polarhome
Free Shell Accounts :: the biggest list on the net