1cryptoadm(1M) System Administration Commands cryptoadm(1M)
2
6 cryptoadm - cryptographic framework administration
7
9 cryptoadm list [-mpv] [provider=provider-name]
10 [mechanism=mechanism-list]
11 cryptoadm disable
14 provider=provider-name mechanism=mechanism-list | random | all
15 cryptoadm enable
18 provider=provider-name mechanism=mechanism-list | random | all
19 cryptoadm install provider=provider-name
22 cryptoadm install provider=provider-name
25 [mechanism=mechanism-list]
26 cryptoadm uninstall provider=provider-name
29 cryptoadm unload provider=provider-name
32 cryptoadm disable fips-140
35 cryptoadm enable fips-140
38 cryptoadm list fips-140
41 cryptoadm refresh
44 cryptoadm start
47 cryptoadm stop
50 cryptoadm --help
53
56 The cryptoadm utility displays cryptographic provider information for a
57 system, configures the mechanism policy for each provider, and installs
58 or uninstalls a cryptographic provider. The cryptographic framework
59 supports three types of providers: a user-level provider (a PKCS11
60 shared library), a kernel software provider (a loadable kernel software
61 module), and a kernel hardware provider (a cryptographic hardware
62 device).
63 For kernel software providers, the cryptoadm utility provides the
66 unload subcommand. This subcommand instructs the kernel to unload a
67 kernel software providers.
68 For the cryptographic framework's metaslot, the cryptoadm utility pro‐
71 vides subcommands to enable and disable the metaslot's features, list
72 metaslot's configuration, specify alternate persistent object storage,
73 and configure the metaslot's mechanism policy.
74 The cryptoadm utility provides subcommands to enable and disable
77 FIPS-140 mode in the Cryptographic Framework. It also provides a list
78 subcommand to display the current status of FIPS-140 mode.
79 Administrators will find it useful to use syslog facilities (see sys‐
82 logd(1M) and logadm(1M)) to maintain the cryptographic subsystem. Log‐
83 ging can be especially useful under the following circumstances:
84 o If kernel-level daemon is dead, all applications fail. You
86 can learn this from syslog and use svcadm(1M) to restart the
87 svc:/system/cryptosvc service.
88 o If there are bad providers plugged into the framework, you
90 can learn this from syslog and remove the bad providers from
91 the framework.
92 With the exception of the subcommands or options listed below, the
95 cryptoadm command needs to be run by a privileged user.
96 o subcommand list, any options
98 o subcommand --help
100
102 The cryptoadm utility has the various combinations of subcommands and
103 options shown below.
104 cryptoadm list
106 Display the list of installed providers.
108 cryptoadm list metaslot
111 Display the system-wide configuration for metaslot.
113 cryptoadm list -m [ provider=provider-name | metaslot ]
116 Display a list of mechanisms that can be used with the installed
118 providers or metaslot. If a provider is specified, display the name
119 of the specified provider and the mechanism list that can be used
120 with that provider. If the metaslot keyword is specified, display
121 the list of mechanisms that can be used with metaslot.
122 cryptoadm list -p [ provider=provider-name | metaslot ]
125 Display the mechanism policy (that is, which mechanisms are avail‐
127 able and which are not) for the installed providers. Also display
128 the provider feature policy or metaslot. If a provider is speci‐
129 fied, display the name of the provider with the mechanism policy
130 enforced on it only. If the metaslot keyword is specified, display
131 the mechanism policy enforced on the metaslot.
132 cryptoadm list -v provider=provider-name | metaslot
135 Display details about the specified provider if a provider is spec‐
137 ified. If the metaslot keyword is specified, display details about
138 the metaslot.
139 -v
142 For the various list subcommands described above (except for list
144 -p), the -v (verbose) option provides details about providers,
145 mechanisms and slots.
146 cryptoadm disable provider=provider-name
149 [ mechanism=mechanism-list | provider-feature ... | all ]
150 Disable the mechanisms or provider features specified for the
152 provider. See OPERANDS for a description of mechanism, provider-
153 feature, and the all keyword.
154 cryptoadm [ mechanism=mechanism-list ] [ auto-key-migrate ]
157 Disable the metaslot feature in the cryptographic framework or dis‐
159 able some of metaslot's features. If no operand is specified, this
160 command disables the metaslot feature in the cryptographic frame‐
161 work. If a list of mechanisms is specified, disable mechanisms
162 specified for metaslot. If all mechanisms are disabled for
163 metaslot, the metaslot will be disabled. See OPERANDS for a
164 description of mechanism. If the auto-key-migrate keyword is speci‐
165 fied, it disables the migration of sensitive token objects to other
166 slots even if it is necessary for performing crypto operations. See
167 OPERANDS for a description of auto-key-migrate.
168 cryptoadm enable provider=provider-name
171 [ mechanism=mechanism-list | provider-feature ... | all ]
172 Enable the mechanisms or provider features specified for the
174 provider. See OPERANDS for a description of mechanism, provider-
175 feature, and the all keyword.
176 cryptoadm enable metaslot [ mechanism=mechanism-list ] |
179 [ [ token=token-label] [ slot=slot-description] |
180 default-keystore ] | [ auto-key-migrate ]
181 If no operand is specified, this command enables the metaslot fea‐
183 ture in the cryptographic framework. If a list of mechanisms is
184 specified, it enables only the list of specified mechanisms for
185 metaslot. If token-label is specified, the specified token will be
186 used as the persistent object store. If the slot-description is
187 specified, the specified slot will be used as the persistent object
188 store. If both the token-label and the slot-description are speci‐
189 fied, the provider with the matching token label and slot descrip‐
190 tion is used as the persistent object store. If the default-key‐
191 store keyword is specified, metaslot will use the default persis‐
192 tent object store. If the auto-key-migrate keyword is specified,
193 sensitive token objects will automatically migrate to other slots
194 as needed to complete certain crypto operations. See OPERANDS for a
195 description of mechanism, token, slot, default-keystore, and auto-
196 key-migrate.
197 cryptoadm install provider=provider-name
200 Install a user-level provider into the system. The provider operand
202 must be an absolute pathname of the corresponding shared library.
203 If there are both 32-bit and 64-bit versions for a library, this
204 command should be run once only with the path name containing $ISA.
205 Note that $ISA is not a reference to an environment variable. Note
206 also that $ISA must be quoted (with single quotes [for example,
207 '$ISA']) or the $ must be escaped to keep it from being incorrectly
208 expanded by the shell. The user-level framework expands $ISA to an
209 empty string or an architecture-specific directory, for example,
210 sparcv9.
211 The preferred way of installing a user-level provider is to build a
213 package for the provider. For more information, see the Solaris
214 Security for Developer's Guide.
215 cryptoadm install provider=provider-name
218 mechanism=mechanism-list
219 Install a kernel software provider into the system. The provider
221 should contain the base name only. The mechanism-list operand spec‐
222 ifies the complete list of mechanisms to be supported by this
223 provider.
224 The preferred way of installing a kernel software provider is to
226 build a package for providers. For more information, see the
227 Solaris Security for Developer's Guide.
228 cryptoadm uninstall provider=provider-name
231 Uninstall the specified provider and the associated mechanism pol‐
233 icy from the system. This subcommand applies only to a user-level
234 provider or a kernel software provider.
235 cryptoadm unload provider=provider-name
238 Unload the kernel software module specified by provider.
240 cryptoadm disable fips-140
243 Disable FIPS-140 mode in the Cryptographic Framework.
245 cryptoadm enable fips-140
248 Enable FIPS-140 mode in the Cryptographic Framework. This subcom‐
250 mand does not disable the non-FIPS approved algorithms from the
251 user-level pkcs11_softtoken library and the kernel software
252 providers. It is the consumers of the framework that are responsi‐
253 ble for using only FIPS-approved algorithms.
254 Upon completion of this subcommand, a message is issued to inform
256 the administrator that any plugins added that are not within the
257 boundary might invalidate FIPS compliance and to check the Security
258 Policies for those plugins. In addition, a warning message is
259 issued to indicate that, in this release, the Cryptographic Frame‐
260 work has not been FIPS 140-2 certified.
261 The system will require a reboot to perform Power-Up Self Tests
263 that include a cryptographic algorithm test and a software
264 integrity test.
265 cryptoadm list fips-140
268 Display the current setting of FIPS-140 mode in the Cryptographic
270 Framework. The status of FIPS-140 mode is enabled or disabled. The
271 default FIPS-140 mode is disabled.
272 cryptoadm refresh
275 cryptoadm start
276 cryptoadm stop
277 Private interfaces for use by smf(5), these must not be used
279 directly.
280 cryptoadm -help
283 Display the command usage.
285
288 provider=provider-name
289 A user-level provider (a PKCS11 shared library), a kernel software
291 provider (a loadable kernel software module), or a kernel hardware
292 provider (a cryptographic hardware device).
293 A valid value of the provider operand is one entry from the output
295 of a command of the form: cryptoadm list. A provider operand for a
296 user-level provider is an absolute pathname of the corresponding
297 shared library. A provider operand for a kernel software provider
298 contains a base name only. A provider operand for a kernel hardware
299 provider is in a "name/number" form.
300 mechanism=mechanism-list
303 A comma separated list of one or more PKCS #11 mechanisms. A
305 process for implementing a cryptographic operation as defined in
306 PKCS #11 specification. You can substitute all for mechanism-list,
307 to specify all mechanisms on a provider. See the discussion of the
308 all keyword, below.
309 provider-feature
312 A cryptographic framework feature for the given provider. Currently
314 only random is accepted as a feature. For a user-level provider,
315 disabling the random feature makes the PKCS #11 routines C_Gener‐
316 ateRandom and C_SeedRandom unavailable from the provider. For a
317 kernel provider, disabling the random feature prevents /dev/random
318 from gathering random numbers from the provider.
319 all
322 The keyword all can be used with with the disable and enable sub‐
324 commands to operate on all provider features.
325 token=token-label
328 The label of a token in one of the providers in the cryptographic
330 framework.
331 A valid value of the token operand is an item displayed under
333 "Token Label" from the output of the command cryptoadm list -v.
334 slot=slot-description
337 The description of a slot in one of the providers in the crypto‐
339 graphic framework.
340 A valid value of the slot operand is an item displayed under
342 "Description" from the output of the command cryptoadm list -v.
343 default-keystore
346 The keyword default-keystore is valid only for metaslot. Specify
348 this keyword to set the persistent object store for metaslot back
349 to using the default store.
350 auto-key-migrate
353 The keyword auto-key-migrate is valid only for metaslot. Specify
355 this keyword to configure whether metaslot is allowed to move sen‐
356 sitive token objects from the token object slot to other slots for
357 performing cryptographic operations.
358 The keyword all can be used in two ways with the disable and enable
362 subcommands:
363 o You can substitute all for mechanism=mechanism-list, as in:
365 # cryptoadm enable provider=dca/0 all
367 This command enables the mechanisms on the provider and any
370 other provider-features, such as random.
371 # cryptoadm enable provider=des mechanism=all
373 o You can also use all as an argument to mechanism, as in:
377 # cryptoadm enable provider=des mechanism=all
379 ...which enables all mechanisms on the provider, but enables
382 no other provider-features, such as random.
383
385 Example 1 Display List of Providers Installed in System
386 The following command displays a list of all installed providers:
389 example% cryptoadm list
392 user-level providers:
393 /usr/lib/security/$ISA/pkcs11_kernel.so
394 /usr/lib/security/$ISA/pkcs11_softtoken.so
395 /opt/lib/libcryptoki.so.1
396 /opt/SUNWconn/lib/$ISA/libpkcs11.so.1
397 kernel software providers:
399 des
400 aes
401 bfish
402 sha1
403 md5
404 kernel hardware providers:
406 dca/0
407 Example 2 Display Mechanism List for md5 Provider
411 The following command is a variation of the list subcommand:
414 example% cryptoadm list -m provider=md5
417 md5: CKM_MD5,CKM_MD5_HMAC,CKM_MD5_HMAC_GENERAL
418 Example 3 Disable Specific Mechanisms for Kernel Software Provider
422 The following command disables mechanisms CKM_DES3_ECB and CKM_DES3_CBC
425 for the kernel software provider des:
426 example# cryptoadm disable provider=des
429 Example 4 Display Mechanism Policy for a Provider
433 The following command displays the mechanism policy for the des
436 provider:
437 example% cryptoadm list -p provider=des
440 des: All mechanisms are enabled, except CKM_DES3_ECB, CKM_DES3_CBC
441 Example 5 Enable Specific Mechanism for a Provider
445 The following command enables the CKM_DES3_ECB mechanism for the kernel
448 software provider des:
449 example# cryptoadm enable provider=des mechanism=CKM_DES3_ECB
452 Example 6 Install User-Level Provider
456 The following command installs a user-level provider:
459 example# cryptoadm install provider=/opt/lib/libcryptoki.so.1
462 Example 7 Install User-Level Provider That Contains 32- and 64-bit Ver‐
466 sions
467 The following command installs a user-level provider that contains both
470 32-bit and 64-bit versions:
471 example# cryptoadm install \
474 provider=/opt/SUNWconn/lib/'$ISA'/libpkcs11.so.1
475 Example 8 Uninstall a Provider
479 The following command uninstalls the md5 provider:
482 example# cryptoadm uninstall provider=md5
485 Example 9 Disable metaslot
489 The following command disables the metaslot feature in the crypto‐
492 graphic framework.
493 example# cryptoadm disable metaslot
496 Example 10 Specify metaslot to Use Specified Token as Persistent Object
500 Store
501 The following command specifies that metaslot use the Venus token as
504 the persistent object store.
505 example# cryptoadm enable metaslot token="SUNW,venus"
508
512 The following exit values are returned:
513 0
515 Successful completion.
517 >0
520 An error occurred.
522
525 See attributes(5) for descriptions of the following attributes:
526 ┌─────────────────────────────┬─────────────────────────────┐
531 │ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
532 ├─────────────────────────────┼─────────────────────────────┤
533 │Availability │SUNWcsu │
534 ├─────────────────────────────┼─────────────────────────────┤
535 │Interface Stability │See below │
536 └─────────────────────────────┴─────────────────────────────┘
537 The start, stop, and refresh options are Private interfaces. All other
540 options are Evolving. The utility name is Stable.
541
543 logadm(1M), svcadm(1M), syslogd(1M), libpkcs11(3LIB), exec_attr(4),
544 prof_attr(4), attributes(5), smf(5), random(7D)
545 Solaris Security for Developer's Guide
548
550 If a hardware provider's policy was made explicitly (that is, some of
551 its mechanisms were disabled) and the hardware provider has been
552 detached, the policy of this hardware provider is still listed.
553 cryptoadm assumes that, minimally, a 32-bit shared object is delivered
556 for each user-level provider. If both a 32-bit and 64-bit shared object
557 are delivered, the two versions must provide the same functionality.
558 The same mechanism policy applies to both.
559SunOS 5.11 1 Sep 2009 cryptoadm(1M)