System Administration Commands cryptoadm(1M)
NAME
cryptoadm - cryptographic framework administration
SYNOPSIS
cryptoadm list [-mpv] [provider=provider-name | metaslot]
     [mechanism=mechanism-list]
cryptoadm disable provider=provider-name
     [mechanism=mechanism-list | random | all]
cryptoadm disable metaslot [mechanism=mechanism-list]
     [auto-key-migrate]
cryptoadm enable provider=provider-name
     [mechanism=mechanism-list | random | all]
cryptoadm enable metaslot [mechanism=mechanism-list]
     [[token=token-label] [slot=slot-description] | default-keystore]
     [auto-key-migrate]
cryptoadm install provider=provider-name
cryptoadm install provider=provider-name
     [mechanism=mechanism-list]
cryptoadm uninstall provider=provider-name
cryptoadm unload provider=provider-name
cryptoadm disable fips-140
cryptoadm enable fips-140
cryptoadm list fips-140
cryptoadm refresh
cryptoadm start
cryptoadm stop
cryptoadm --help
DESCRIPTION
SunOS 5.11 Last change: 28 Jul 2010 1
The cryptoadm utility displays cryptographic provider information for a system, configures the mechanism policy for each provider, and installs or uninstalls a cryptographic provider. The cryptographic framework supports three types of providers: a user-level provider (a PKCS #11 shared library), a kernel software provider (a loadable kernel software module), and a kernel hardware provider (a cryptographic hardware device).

For kernel software providers, the cryptoadm utility provides the unload subcommand. This subcommand instructs the kernel to unload a kernel software provider.

For the cryptographic framework's metaslot, the cryptoadm utility provides subcommands to enable and disable the metaslot's features, list the metaslot's configuration, specify alternate persistent object storage, and configure the metaslot's mechanism policy.

The cryptoadm utility provides subcommands to enable and disable FIPS-140 mode in the Cryptographic Framework. It also provides a list subcommand to display the current status of FIPS-140 mode.

Administrators will find it useful to use syslog facilities (see syslogd(1M) and logadm(1M)) to maintain the cryptographic subsystem. Logging can be especially useful under the following circumstances:

o If the kernel-level daemon is dead, all applications fail. You can learn this from syslog and use svcadm(1M) to restart the svc:/system/cryptosvc service.

o If there are bad providers plugged into the framework, you can learn this from syslog and remove the bad providers from the framework.

With the exception of the subcommands or options listed below, the cryptoadm command needs to be run by a privileged user.

o subcommand list, any options

o subcommand --help
OPTIONS
The cryptoadm utility has the various combinations of subcommands and options shown below.

cryptoadm list
     Display the list of installed providers.

cryptoadm list metaslot
     Display the system-wide configuration for metaslot.

cryptoadm list -m [ provider=provider-name | metaslot ]
     Display a list of mechanisms that can be used with the installed providers or metaslot. If a provider is specified, display the name of the specified provider and the mechanism list that can be used with that provider. If the metaslot keyword is specified, display the list of mechanisms that can be used with metaslot.

cryptoadm list -p [ provider=provider-name | metaslot ]
     Display the mechanism policy (that is, which mechanisms are available and which are not) for the installed providers. Also display the provider-feature policy (such as random) for the providers, or for metaslot. If a provider is specified, display the name of the provider with the mechanism policy enforced on it only. If the metaslot keyword is specified, display the mechanism policy enforced on the metaslot.

cryptoadm list -v provider=provider-name | metaslot
     Display details about the specified provider if a provider is specified. If the metaslot keyword is specified, display details about the metaslot.

-v
     For the various list subcommands described above (except for list -p), the -v (verbose) option provides details about providers, mechanisms and slots.

cryptoadm disable provider=provider-name [ mechanism=mechanism-list | provider-feature ... | all ]
     Disable the mechanisms or provider features specified for the provider. See OPERANDS for a description of mechanism, provider-feature, and the all keyword.
cryptoadm disable metaslot [ mechanism=mechanism-list ] [ auto-key-migrate ]
     Disable the metaslot feature in the cryptographic framework or disable some of metaslot's features. If no operand is specified, this command disables the metaslot feature in the cryptographic framework. If a list of mechanisms is specified, disable the specified mechanisms for metaslot. If all mechanisms are disabled for metaslot, the metaslot will be disabled. See OPERANDS for a description of mechanism. If the auto-key-migrate keyword is specified, it disables the migration of sensitive token objects to other slots even if it is necessary for performing crypto operations. See OPERANDS for a description of auto-key-migrate.
cryptoadm enable provider=provider-name [ mechanism=mechanism-list | provider-feature ... | all ]
     Enable the mechanisms or provider features specified for the provider. See OPERANDS for a description of mechanism, provider-feature, and the all keyword.

cryptoadm enable metaslot [ mechanism=mechanism-list ] | [ [ token=token-label ] [ slot=slot-description ] | default-keystore ] | [ auto-key-migrate ]
     If no operand is specified, this command enables the metaslot feature in the cryptographic framework. If a list of mechanisms is specified, it enables only the list of specified mechanisms for metaslot. If token-label is specified, the specified token will be used as the persistent object store. If the slot-description is specified, the specified slot will be used as the persistent object store. If both the token-label and the slot-description are specified, the provider with the matching token label and slot description is used as the persistent object store. If the default-keystore keyword is specified, metaslot will use the default persistent object store. If the auto-key-migrate keyword is specified, sensitive token objects will automatically migrate to other slots as needed to complete certain crypto operations. See OPERANDS for a description of mechanism, token, slot, default-keystore, and auto-key-migrate.
cryptoadm install provider=provider-name
     Install a user-level provider into the system. The provider operand must be an absolute pathname of the corresponding shared library. If there are both 32-bit and 64-bit versions of a library, this command should be run once only, with the path name containing $ISA. Note that $ISA is not a reference to an environment variable. Note also that $ISA must be quoted (with single quotes, for example '$ISA') or the $ must be escaped to keep it from being incorrectly expanded by the shell. The user-level framework expands $ISA to an empty string or an architecture-specific directory, for example, sparcv9.

     The preferred way of installing a user-level provider is to build a package for the provider. For more information, see the Solaris Security for Developer's Guide.

cryptoadm install provider=provider-name mechanism=mechanism-list
     Install a kernel software provider into the system. The provider operand should contain the base name only. The mechanism-list operand specifies the complete list of mechanisms to be supported by this provider.

     The preferred way of installing a kernel software provider is to build a package for providers. For more information, see the Solaris Security for Developer's Guide.

cryptoadm uninstall provider=provider-name
     Uninstall the specified provider and the associated mechanism policy from the system. This subcommand applies only to a user-level provider or a kernel software provider.

cryptoadm unload provider=provider-name
     Unload the kernel software module specified by provider.

cryptoadm disable fips-140
     Disable FIPS-140 mode in the Cryptographic Framework and for hardware providers.

cryptoadm enable fips-140
     Enable FIPS-140 mode in the Cryptographic Framework and for hardware providers. This subcommand does not disable the non-FIPS-approved algorithms from the user-level pkcs11_softtoken library and the kernel software providers. It is the consumers of the framework that are responsible for using only FIPS-approved algorithms.

     Upon completion of this subcommand, a message is issued to inform the administrator that any plugins added that are not within the boundary might invalidate FIPS compliance and to check the Security Policies for those plugins.

     The system will require a reboot to perform Power-Up Self Tests that include a cryptographic algorithm test and a software integrity test.

cryptoadm list fips-140
     Display the current setting of FIPS-140 mode in the Cryptographic Framework and for hardware providers. The status of FIPS-140 mode is enabled or disabled. The default FIPS-140 mode is disabled.
cryptoadm refresh
cryptoadm start
cryptoadm stop
     Private interfaces for use by smf(5); these must not be used directly.

cryptoadm --help
     Display the command usage.

OPERANDS
provider=provider-name
     A user-level provider (a PKCS #11 shared library), a kernel software provider (a loadable kernel software module), or a kernel hardware provider (a cryptographic hardware device).

     A valid value of the provider operand is one entry from the output of a command of the form: cryptoadm list. A provider operand for a user-level provider is an absolute pathname of the corresponding shared library. A provider operand for a kernel software provider contains a base name only. A provider operand for a kernel hardware provider is in a "name/number" form.

mechanism=mechanism-list
     A comma-separated list of one or more PKCS #11 mechanisms, each a process for implementing a cryptographic operation as defined in the PKCS #11 specification. You can substitute all for mechanism-list to specify all mechanisms on a provider. See the discussion of the all keyword, below.

provider-feature
     A cryptographic framework feature for the given provider. Currently only random is accepted as a feature. For a user-level provider, disabling the random feature makes the PKCS #11 routines C_GenerateRandom and C_SeedRandom unavailable from the provider. For a kernel provider, disabling the random feature prevents /dev/random from gathering random numbers from the provider.

all
     The keyword all can be used with the disable and enable subcommands to operate on all provider features.

token=token-label
     The label of a token in one of the providers in the cryptographic framework. A valid value of the token operand is an item displayed under "Token Label" in the output of the command cryptoadm list -v.

slot=slot-description
     The description of a slot in one of the providers in the cryptographic framework. A valid value of the slot operand is an item displayed under "Description" in the output of the command cryptoadm list -v.
default-keystore
     The keyword default-keystore is valid only for metaslot. Specify this keyword to set the persistent object store for metaslot back to using the default store.

auto-key-migrate
     The keyword auto-key-migrate is valid only for metaslot. Specify this keyword to configure whether metaslot is allowed to move sensitive token objects from the token object slot to other slots for performing cryptographic operations.

The keyword all can be used in two ways with the disable and enable subcommands:

o You can substitute all for mechanism=mechanism-list, as in:

     # cryptoadm enable provider=dca/0 all

  This command enables the mechanisms on the provider and any other provider-features, such as random.

o You can also use all as an argument to mechanism, as in:

     # cryptoadm enable provider=des mechanism=all

  ...which enables all mechanisms on the provider, but enables no other provider-features, such as random.

EXAMPLES
Example 1 Display List of Providers Installed in System

The following command displays a list of all installed providers:

     example% cryptoadm list
     user-level providers:
     /usr/lib/security/$ISA/pkcs11_kernel.so
     /usr/lib/security/$ISA/pkcs11_softtoken.so
     /opt/lib/libcryptoki.so.1
     /opt/SUNWconn/lib/$ISA/libpkcs11.so.1
     kernel software providers:
     des
     aes
     bfish
     sha1
     md5
     kernel hardware providers:
     dca/0

Example 2 Display Mechanism List for md5 Provider

The following command is a variation of the list subcommand:

     example% cryptoadm list -m provider=md5
     md5: CKM_MD5,CKM_MD5_HMAC,CKM_MD5_HMAC_GENERAL

Example 3 Disable Specific Mechanisms for Kernel Software Provider

The following command disables mechanisms CKM_DES3_ECB and CKM_DES3_CBC for the kernel software provider des:

     example# cryptoadm disable provider=des mechanism=CKM_DES3_ECB,CKM_DES3_CBC

Example 4 Display Mechanism Policy for a Provider

The following command displays the mechanism policy for the des provider:

     example% cryptoadm list -p provider=des
     des: All mechanisms are enabled, except CKM_DES3_ECB, CKM_DES3_CBC
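The following script is an added example for this edition of the page; it is not part of cryptoadm(1M) and does not call cryptoadm. It combines a saved cryptoadm list -m listing (the mechanisms a provider supports) with a saved cryptoadm list -p listing (the mechanisms policy has disabled), in the formats shown in Examples 2 and 4, to compute the mechanisms that remain reachable on a provider and to flag weak ones among them. This matters because list -p shows only the exceptions to "All mechanisms are enabled": a mechanism absent from the except list is reachable only if the provider supports it at all. Both listings, the mechanism sets attributed to the des, aes, dca/0 and pkcs11_softtoken providers, and the function names are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the cryptoadm man page): derive the mechanisms a
# provider can actually offer from "cryptoadm list -m" (supported) and
# "cryptoadm list -p" (policy exceptions), then flag weak ones still reachable.
# Both listings below are CONSTRUCTED in the formats the page documents;
# they are not captured from a real system.
POLICY='user-level providers:
/usr/lib/security/$ISA/pkcs11_softtoken.so: All mechanisms are enabled, except CKM_DES_ECB, CKM_DES_CBC
kernel software providers:
des: All mechanisms are enabled, except CKM_DES3_ECB, CKM_DES3_CBC
aes: All mechanisms are enabled
kernel hardware providers:
dca/0: All mechanisms are enabled'

MECHS='user-level providers:
/usr/lib/security/$ISA/pkcs11_softtoken.so: CKM_DES_ECB,CKM_DES_CBC,CKM_AES_CBC,CKM_SHA256
kernel software providers:
des: CKM_DES_ECB,CKM_DES_CBC,CKM_DES3_ECB,CKM_DES3_CBC
aes: CKM_AES_ECB,CKM_AES_CBC
kernel hardware providers:
dca/0: CKM_RSA_PKCS'

# provider_line PROVIDER LISTING : print the text after "PROVIDER:" in LISTING.
# Exact prefix match, so "des" does not match "des3"; exit 2 if absent.
provider_line() {
    printf '%s\n' "$2" | awk -v prov="$1" '
        index($0, prov ":") == 1 {
            found = 1
            rest = substr($0, length(prov) + 2)
            sub(/^[ \t]+/, "", rest); sub(/[ \t.]+$/, "", rest)
            print rest
        }
        END { exit found ? 0 : 2 }'
}

# supported_mechs PROVIDER MECH_LISTING : comma-separated mechanisms from list -m
supported_mechs() {
    line=$(provider_line "$1" "$2") || return 2
    printf '%s\n' "$line" | tr -d ' \t'
}

# disabled_mechs PROVIDER POLICY_LISTING : comma-separated mechanisms that
# policy has disabled (empty when the line says all mechanisms are enabled)
disabled_mechs() {
    line=$(provider_line "$1" "$2") || return 2
    case $line in
        [Aa]"ll mechanisms are enabled, except "*)
            printf '%s\n' "${line#*"except "}" | tr -d ' \t' ;;
        *)  printf '\n' ;;
    esac
}

# effective_mechs PROVIDER POLICY_LISTING MECH_LISTING : one reachable
# mechanism per line (supported minus disabled); exit 2 if provider unknown
effective_mechs() {
    sup=$(supported_mechs "$1" "$3") || return 2
    dis=$(disabled_mechs "$1" "$2") || return 2
    printf '%s\n' "$sup" | tr ',' '\n' | while IFS= read -r m; do
        [ -n "$m" ] || continue
        case ",$dis," in *",$m,"*) ;; *) printf '%s\n' "$m" ;; esac
    done
}

# weak_enabled PROVIDER POLICY_LISTING MECH_LISTING WEAK_MECH... : print the
# listed weak mechanisms still reachable on PROVIDER; exit 1 if there are any
weak_enabled() {
    prov=$1 pol=$2 mech=$3; shift 3
    eff=$(effective_mechs "$prov" "$pol" "$mech") || return 2
    rc=0
    for w in "$@"; do
        if printf '%s\n' "$eff" | grep -qxF -- "$w"; then
            printf '%s\n' "$w"; rc=1
        fi
    done
    return $rc
}

# Single-DES and ECB modes are the usual targets of a hardening policy.
for p in des '/usr/lib/security/$ISA/pkcs11_softtoken.so'; do
    echo "$p: reachable: $(effective_mechs "$p" "$POLICY" "$MECHS" | tr '\n' ' ')"
    if weak=$(weak_enabled "$p" "$POLICY" "$MECHS" CKM_DES_ECB CKM_DES_CBC CKM_DES3_ECB); then
        echo "$p: no weak mechanisms reachable"
    else
        echo "$p: still reachable: $(printf '%s' "$weak" | tr '\n' ' ')"
    fi
done
```

A provider that appears in list -p is not proof that it is attached: per NOTES, the policy of a detached hardware provider is still listed, so pair this with cryptoadm list -v when auditing hardware providers.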
Example 5 Enable Specific Mechanism for a Provider

The following command enables the CKM_DES3_ECB mechanism for the kernel software provider des:

     example# cryptoadm enable provider=des mechanism=CKM_DES3_ECB

Example 6 Install User-Level Provider

The following command installs a user-level provider:

     example# cryptoadm install provider=/opt/lib/libcryptoki.so.1

Example 7 Install User-Level Provider That Contains 32- and 64-bit Versions

The following command installs a user-level provider that contains both 32-bit and 64-bit versions:

     example# cryptoadm install \
          provider=/opt/SUNWconn/lib/'$ISA'/libpkcs11.so.1
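The following script is an added example for this edition of the page and is not part of cryptoadm(1M). It is a POSIX sh preflight for the provider= operand of cryptoadm install, checking the two requirements the page states: the operand must be an absolute path, and a $ISA placeholder must reach cryptoadm unexpanded. It expands $ISA the way the page says the user-level framework does, to an empty string and to an architecture directory, and checks that both objects exist. The temporary directory tree, the file names, the architecture name passed in, and the function names expand_isa and check_install_operand are all constructed for the example.

```sh
#!/bin/sh
# Added example (not from the cryptoadm man page): check a "cryptoadm install
# provider=PATH" operand before running the command. The framework, not the
# shell, must expand $ISA: to "" for the 32-bit object and to an architecture
# directory (the page's example is sparcv9) for the 64-bit object. The
# object files checked below are CONSTRUCTED in a temporary tree.

# expand_isa PATH ISA_VALUE : print PATH with the literal "$ISA" token
# replaced by ISA_VALUE (the page's framework expansion, done here in sh).
expand_isa() {
    case $1 in
        *'$ISA'*) printf '%s%s%s\n' "${1%%'$ISA'*}" "$2" "${1#*'$ISA'}" ;;
        *)        printf '%s\n' "$1" ;;
    esac
}

# check_install_operand PATH ARCHDIR : print "ok" when PATH is absolute and
# every $ISA expansion exists on disk; otherwise print a diagnostic and
# return 1. An operand whose $ISA was eaten by the shell arrives with an
# empty path component ("lib//libfoo.so"), which is reported separately.
check_install_operand() {
    path=$1 archdir=$2
    case $path in
        /*) ;;
        *)  echo "not-absolute: $path"; return 1 ;;
    esac
    case $path in
        *'$ISA'*)
            for isa in "" "$archdir"; do        # 32-bit object, then 64-bit
                f=$(expand_isa "$path" "$isa")
                [ -f "$f" ] || { echo "missing: $f"; return 1; }
            done ;;
        *//*)
            echo "isa-expanded-by-shell: $path (write provider=...'\$ISA'...)"
            return 1 ;;
        *)  # plain 32-bit-only provider: the file itself must exist
            [ -f "$path" ] || { echo "missing: $path"; return 1; } ;;
    esac
    echo ok
}

# Constructed tree: 32-bit object in lib/, 64-bit object in lib/sparcv9/.
root=$(mktemp -d)
mkdir -p "$root/lib/sparcv9"
: > "$root/lib/libpkcs11.so.1"
: > "$root/lib/sparcv9/libpkcs11.so.1"

# The second operand leaves $ISA unquoted on purpose, reproducing the
# mistake the page warns about: the shell expands it to an empty string.
for operand in "$root/lib/\$ISA/libpkcs11.so.1" \
               "$root/lib/$ISA/libpkcs11.so.1" \
               "lib/libpkcs11.so.1"; do
    printf '%s\n  -> %s\n' "$operand" "$(check_install_operand "$operand" sparcv9)"
done
rm -rf "$root"
```

Run the check with the exact string you are about to pass to cryptoadm; if the diagnostic is isa-expanded-by-shell, the fix is the quoting shown in Example 7, not a different path.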
Example 8 Uninstall a Provider

The following command uninstalls the md5 provider:

     example# cryptoadm uninstall provider=md5

Example 9 Disable metaslot

The following command disables the metaslot feature in the cryptographic framework:

     example# cryptoadm disable metaslot
Example 10 Specify metaslot to Use Specified Token as Persistent Object Store

The following command specifies that metaslot use the Venus token as the persistent object store:

     example# cryptoadm enable metaslot token="SUNW,venus"

EXIT STATUS
The following exit values are returned:

0    Successful completion.

>0   An error occurred.

ATTRIBUTES
See attributes(5) for descriptions of the following attributes:

     ____________________________________________________________
    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    |_____________________________|_____________________________|
    | Availability                | SUNWcs                      |
    |_____________________________|_____________________________|
    | Interface Stability         | See below.                  |
    |_____________________________|_____________________________|

The start, stop, and refresh options are Private interfaces. All other options and the utility name are Committed.

SEE ALSO
logadm(1M), svcadm(1M), syslogd(1M), libpkcs11(3LIB), exec_attr(4), prof_attr(4), attributes(5), smf(5), random(7D)

Solaris Security for Developer's Guide
NOTES
If a hardware provider's policy was made explicitly (that is, some of its mechanisms were disabled) and the hardware provider has been detached, the policy of this hardware provider is still listed.

cryptoadm assumes that, minimally, a 32-bit shared object is delivered for each user-level provider. If both a 32-bit and a 64-bit shared object are delivered, the two versions must provide the same functionality. The same mechanism policy applies to both.