System Administration Commands cryptoadm(1M)
NAME
cryptoadm - cryptographic framework administration
SYNOPSIS
cryptoadm list [-mpv] [provider=provider-name | metaslot]
    [mechanism=mechanism-list]
cryptoadm disable provider=provider-name
    [mechanism=mechanism-list | provider-feature ... | all]
cryptoadm disable metaslot [mechanism=mechanism-list]
    [auto-key-migrate]
cryptoadm enable provider=provider-name
    [mechanism=mechanism-list | provider-feature ... | all]
cryptoadm enable metaslot [mechanism=mechanism-list] |
    [[token=token-label] [slot=slot-description] |
    default-keystore] | [auto-key-migrate]
cryptoadm install provider=provider-name
cryptoadm install provider=provider-name
    mechanism=mechanism-list
cryptoadm uninstall provider=provider-name
cryptoadm unload provider=provider-name
cryptoadm refresh
cryptoadm start
cryptoadm stop
cryptoadm --help
DESCRIPTION
The cryptoadm utility displays cryptographic provider infor-
mation for a system, configures the mechanism policy for
each provider, and installs or uninstalls a cryptographic
provider. The cryptographic framework supports three types
of providers: a user-level provider (a PKCS11 shared
library), a kernel software provider (a loadable kernel
software module), and a kernel hardware provider (a crypto-
graphic hardware device).
For kernel software providers, the cryptoadm utility
provides the unload subcommand. This subcommand instructs the
kernel to unload a kernel software provider.
For the cryptographic framework's metaslot, the cryptoadm
utility provides subcommands to enable and disable the
metaslot's features, list metaslot's configuration, specify
alternate persistent object storage, and configure the
metaslot's mechanism policy.
Administrators will find it useful to use syslog facilities
(see syslogd(1M) and logadm(1M)) to maintain the
cryptographic subsystem. Logging can be especially useful
under the following circumstances:
o If the kernel-level daemon is dead, all applications that
  use the framework fail. You can learn this from syslog
  and use svcadm(1M) to restart the
  svc:/system/cryptosvc service.
o If there are bad providers plugged into the framework,
  you can learn this from syslog and remove the bad
  providers from the framework.
SunOS 5.10 Last change: 10 Feb 2006 1
With the exception of the subcommands or options listed
below, the cryptoadm command needs to be run by a privileged
user.
o subcommand list, any options
o subcommand --help
OPTIONS
The cryptoadm utility has the various combinations of sub-
commands and options shown below.
cryptoadm list
Display the list of installed providers.
cryptoadm list metaslot
Display the system-wide configuration for metaslot.
cryptoadm list -m [ provider=provider-name | metaslot ]
Display a list of mechanisms that can be used with the
installed providers or metaslot. If a provider is speci-
fied, display the name of the specified provider and the
mechanism list that can be used with that provider. If
the metaslot keyword is specified, display the list of
mechanisms that can be used with metaslot.
cryptoadm list -p [ provider=provider-name | metaslot ]
Display the mechanism policy (that is, which mechanisms
are available and which are not) for the installed
providers. Also display the provider feature policy
(such as random) for the providers or for metaslot. If a
provider is specified, display the name of the provider
with the mechanism policy enforced on it only. If the
metaslot keyword is specified, display the mechanism
policy enforced on the metaslot.
Note - If a hardware provider's policy was made expli-
citly (that is, some of its mechanisms were dis-
abled) and the hardware provider has been
detached, the policy of this hardware provider
is still listed.
cryptoadm list -v provider=provider-name | metaslot
Display details about the specified provider if a pro-
vider is specified. If the metaslot keyword is speci-
fied, display details about the metaslot.
-v
For the various list subcommands described above (except
for list -p), the -v (verbose) option provides details
about providers and mechanisms.
cryptoadm disable provider=provider-name
[ mechanism=mechanism-list | provider-feature ... | all ]
Disable the mechanisms or provider features specified
for the provider. See OPERANDS for a description of
mechanism, provider-feature, and the all keyword.
cryptoadm disable metaslot [ mechanism=mechanism-list ]
[ auto-key-migrate ]
Disable the metaslot feature in the cryptographic
framework or disable some of metaslot's features. If no
operand is specified, this command disables the metaslot
feature in the cryptographic framework. If a list of
mechanisms is specified, disable the specified mechanisms
for metaslot. If all mechanisms are disabled for
metaslot, the metaslot will be disabled. See OPERANDS
for a description of mechanism. If the auto-key-migrate
keyword is specified, it disables the migration of
sensitive token objects to other slots even if it is
necessary for performing crypto operations. See OPERANDS
for a description of auto-key-migrate.
cryptoadm enable provider=provider-name
[ mechanism=mechanism-list | provider-feature ... | all ]
Enable the mechanisms or provider features specified for
the provider. See OPERANDS for a description of mechan-
ism, provider-feature, and the all keyword.
cryptoadm enable metaslot [ mechanism=mechanism-list ] |
[ [ token=token-label] [ slot=slot-description] |
default-keystore] | [ auto-key-migrate ]
If no operand is specified, this command enables the
metaslot feature in the cryptographic framework. If a
list of mechanisms is specified, it enables only the
list of specified mechanisms for metaslot. If token-
label is specified, the specified token will be used as
the persistent object store. If the slot-description is
specified, the specified slot will be used as the per-
sistent object store. If both the token-label and the
slot-description are specified, the provider with the
matching token label and slot description is used as the
persistent object store. If the default-keystore keyword
is specified, metaslot will use the default persistent
object store. If the auto-key-migrate keyword is speci-
fied, sensitive token objects will automatically migrate
to other slots as needed to complete certain crypto
operations. See OPERANDS for a description of mechanism,
token, slot, default-keystore, and auto-key-migrate.
cryptoadm install provider=provider-name
Install a user-level provider into the system. The pro-
vider operand must be an absolute pathname of the
corresponding shared library. If there are both 32-bit
and 64-bit versions for a library, this command should
be run once only with the path name containing "$ISA".
Note that $ISA is not a reference to an environment
variable. Note also that $ISA must be quoted or the $
must be escaped to keep it from being incorrectly
expanded by the shell. The user-level framework expands
$ISA to an empty string or an architecture-specific
directory, for example, sparcv9.
Note - cryptoadm assumes that, minimally, a 32-bit
shared object is delivered for each user-level
provider. If both a 32-bit and 64-bit shared
object are delivered, the two versions must pro-
vide the same functionality. The same mechanism
policy applies to both.
The preferred way of installing a user-level provider is
to build a package for the provider. For more informa-
tion, see the Solaris Security for Developer's Guide.
cryptoadm install provider=provider-name
mechanism=mechanism-list
Install a kernel software provider into the system. The
provider operand must be the base name of the kernel
module only. The mechanism-list operand specifies the
complete list of mechanisms to be supported by this
provider.
The preferred way of installing a kernel software pro-
vider is to build a package for providers. For more
information, see the Solaris Security for Developer's
Guide.
cryptoadm uninstall provider=provider-name
Uninstall the specified provider and the associated
mechanism policy from the system. This subcommand
applies only to a user-level provider or a kernel
software provider.
cryptoadm unload provider=provider-name
Unload the kernel software module specified by provider.
cryptoadm refresh
cryptoadm start
cryptoadm stop
Private interfaces for use by smf(5), these must not be
used directly.
cryptoadm --help
Display the command usage.
OPERANDS
provider=provider-name
A user-level provider (a PKCS11 shared library), a ker-
nel software provider (a loadable kernel software
module), or a kernel hardware provider (a cryptographic
hardware device).
A valid value of the provider operand is one entry from
the output of a command of the form: cryptoadm list. A
provider operand for a user-level provider is an abso-
lute pathname of the corresponding shared library. A
provider operand for a kernel software provider contains
a base name only. A provider operand for a kernel
hardware provider is in a "name/number" form.
mechanism=mechanism-list
A comma-separated list of one or more PKCS #11
mechanisms. A mechanism is a process for implementing a
cryptographic operation as defined in the PKCS #11
specification. You can substitute all for
mechanism-list, to specify all mechanisms on a provider.
See the discussion of the all keyword, below.
provider-feature
A cryptographic framework feature for the given pro-
vider. Currently only random is accepted as a feature.
For a user-level provider, disabling the random feature
makes the PKCS #11 routines C_GenerateRandom and
C_SeedRandom unavailable from the provider. For a kernel
provider, disabling the random feature prevents
/dev/random from gathering random numbers from the pro-
vider.
all
The keyword all can be used with the disable and
enable subcommands to operate on all provider features.
token=token-label
The label of a token in one of the providers in the
cryptographic framework.
A valid value of the token operand is an item displayed
under "Token Label" from the output of the command cryp-
toadm list -v.
slot=slot-description
The description of a slot in one of the providers in the
cryptographic framework.
A valid value of the slot operand is an item displayed
under "Description" from the output of the command cryp-
toadm list -v.
default-keystore
The keyword default-keystore is valid only for metaslot.
Specify this keyword to set the persistent object store
for metaslot back to using the default store.
auto-key-migrate
The keyword auto-key-migrate is valid only for metaslot.
Specify this keyword to configure whether metaslot is
allowed to move sensitive token objects from the token
object slot to other slots for performing cryptographic
operations.
The keyword all can be used in two ways with the disable and
enable subcommands:
o You can substitute all for mechanism=mechanism-list, as
  in:
  # cryptoadm enable provider=dca/0 all
  This command enables the mechanisms on the provider and
  any other provider-features, such as random.
o You can also use all as an argument to mechanism, as in:
  # cryptoadm enable provider=des mechanism=all
  ...which enables all mechanisms on the provider, but
  enables no other provider-features, such as random.
EXAMPLES
Example 1: Display List of Providers Installed in System
The following command displays a list of all installed pro-
viders:
example% cryptoadm list
user-level providers:
/usr/lib/security/$ISA/pkcs11_kernel.so
/usr/lib/security/$ISA/pkcs11_softtoken.so
/opt/lib/libcryptoki.so.1
/opt/SUNWconn/lib/$ISA/libpkcs11.so.1
kernel software providers:
des
aes
bfish
sha1
md5
kernel hardware providers:
dca/0
Example 2: Display Mechanism List for md5 Provider
The following command is a variation of the list subcommand:
example% cryptoadm list -m provider=md5
md5: CKM_MD5,CKM_MD5_HMAC,CKM_MD5_HMAC_GENERAL
Example 3: Disable Specific Mechanisms for Kernel Software
Provider
The following command disables mechanisms CKM_DES3_ECB and
CKM_DES3_CBC for the kernel software provider des:
example# cryptoadm disable provider=des mechanism=CKM_DES3_ECB,CKM_DES3_CBC
Example 4: Display Mechanism Policy for a Provider
The following command displays the mechanism policy for the
des provider:
example% cryptoadm list -p provider=des
des: All mechanisms are enabled, except CKM_DES3_ECB, CKM_DES3_CBC
Example 5: Enable Specific Mechanism for a Provider
The following command enables the CKM_DES3_ECB mechanism for
the kernel software provider des:
example# cryptoadm enable provider=des mechanism=CKM_DES3_ECB
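The list -m, list -p and disable subcommands used in Examples 2 through 5 lend themselves to a small policy audit. The following shell script is an added example; it is not part of the cryptoadm man page or of Solaris. It parses the one-line-per-provider output formats shown in Example 2 (list -m) and Example 4 (list -p), computes which mechanisms are still usable on each kernel software provider (advertised minus disabled), and prints the cryptoadm disable commands that would retire any mechanism matching a local denylist. The provider output embedded in the script is constructed in those formats, not captured from a live system; the "All mechanisms are enabled" line without an except-list, the denylist pattern (single DES and MD5), and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the cryptoadm man page): audit the effective
# mechanism policy of kernel software providers and emit the
# "cryptoadm disable" commands that would retire legacy mechanisms.
# Requires a POSIX shell and POSIX grep/sed (on Solaris 10 use ksh or
# /usr/xpg4/bin/sh and put /usr/xpg4/bin first in PATH; the legacy
# /bin/sh and /usr/bin/grep lack $(...) and grep -q/-E).

# Constructed sample of "cryptoadm list -m provider=NAME" output for
# three providers, one per line in the "provider: MECH1,MECH2" form
# shown in Example 2. On a live system, build this with
#   for p in des md5 aes; do cryptoadm list -m provider=$p; done
MECH_SAMPLE='des: CKM_DES_ECB,CKM_DES_CBC,CKM_DES3_ECB,CKM_DES3_CBC
md5: CKM_MD5,CKM_MD5_HMAC,CKM_MD5_HMAC_GENERAL
aes: CKM_AES_ECB,CKM_AES_CBC'

# Constructed sample of "cryptoadm list -p provider=NAME" output in the
# "All mechanisms are enabled, except ..." form shown in Example 4.
# The form without an except-list is assumed for untouched providers.
POLICY_SAMPLE='des: All mechanisms are enabled, except CKM_DES3_ECB, CKM_DES3_CBC
md5: All mechanisms are enabled
aes: All mechanisms are enabled'

# Local policy (assumption, not defined by cryptoadm): single-DES and
# MD5 mechanisms are legacy and should be disabled.
WEAK_PATTERN='^CKM_DES_|^CKM_MD5'

# disabled_mechs PROVIDER POLICY_TEXT
# Print the mechanisms the policy already disables, one per line.
disabled_mechs() {
    printf '%s\n' "$2" |
        sed -n "s|^$1: All mechanisms are enabled, except ||p" |
        tr ',' '\n' | sed 's/^ *//; s/ *$//; /^$/d'
}

# effective_mechs PROVIDER MECH_TEXT POLICY_TEXT
# Print the mechanisms still usable: advertised minus disabled.
effective_mechs() {
    _all=$(printf '%s\n' "$2" | sed -n "s|^$1: ||p" | tr ',' '\n' | sed 's/^ *//')
    _off=$(disabled_mechs "$1" "$3")
    for _m in $_all; do
        printf '%s\n' "$_off" | grep -qxF "$_m" || printf '%s\n' "$_m"
    done
}

# weak_enabled PROVIDER MECH_TEXT POLICY_TEXT
# Print the weak mechanisms still enabled as a comma-separated list
# (empty if none), ready to use as the mechanism= operand of disable.
weak_enabled() {
    effective_mechs "$1" "$2" "$3" | grep -E "$WEAK_PATTERN" |
        tr '\n' ',' | sed 's/,$//'
}

# remediation_cmds MECH_TEXT POLICY_TEXT
# Print one "cryptoadm disable" line per provider that still has a weak
# mechanism enabled. Nothing is executed: review the output, then run it
# as a privileged user.
remediation_cmds() {
    printf '%s\n' "$1" | sed 's/:.*//' | while read -r _p; do
        _weak=$(weak_enabled "$_p" "$1" "$2")
        if [ -n "$_weak" ]; then
            printf 'cryptoadm disable provider=%s mechanism=%s\n' "$_p" "$_weak"
        fi
    done
}

# Stand-alone run over the constructed samples; prints two disable lines.
remediation_cmds "$MECH_SAMPLE" "$POLICY_SAMPLE"
```

Run on the constructed samples the script reports des (CKM_DES_ECB and CKM_DES_CBC are still enabled even though the DES3 mechanisms were disabled) and md5, and stays silent for aes. The output is deliberately printed rather than executed so that the generated policy change can be reviewed, and because disable must be run by a privileged user; note that this only narrows the mechanism list and does not touch the random provider-feature, which would need the all keyword or random operand described under OPERANDS.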
Example 6: Install User-Level Provider
The following command installs a user-level provider:
example# cryptoadm install provider=/opt/lib/libcryptoki.so.1
Example 7: Install User-Level Provider That Contains 32- and
64-bit Versions
The following command installs a user-level provider that
contains both 32-bit and 64-bit versions:
example# cryptoadm install \
provider=/opt/SUNWconn/lib/'$ISA'/libpkcs11.so.1
Example 8: Uninstall a Provider
The following command uninstalls the md5 provider:
example# cryptoadm uninstall provider=md5
Example 9: Disable metaslot
The following command disables the metaslot feature in the
cryptographic framework.
example# cryptoadm disable metaslot
Example 10: Specify metaslot to Use Specified Token as Per-
sistent Object Store
The following command specifies that metaslot use the Venus
token as the persistent object store.
example# cryptoadm enable metaslot token="SUNW,venus"
EXIT STATUS
The following exit values are returned:
0
Successful completion.
>0
An error occurred.
ATTRIBUTES
See attributes(5) for descriptions of the following attri-
butes:
_____________________________________________________________
|       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
|_____________________________|_____________________________|
| Availability                | SUNWcsu                     |
|_____________________________|_____________________________|
| Command Line Options        |                             |
|   start/stop/refresh        | Private                     |
|   all other options         | Evolving                    |
|_____________________________|_____________________________|
| Utility Name                | Stable                      |
|_____________________________|_____________________________|
SEE ALSO
logadm(1M), svcadm(1M), syslogd(1M), libpkcs11(3LIB),
exec_attr(4), prof_attr(4), attributes(5), smf(5),
random(7D)
System Administration Guide: Security Services
Solaris Security for Developer's Guide