User Commands kmfcfg(1)
NAME
kmfcfg - Key Management Policy and Plugin Configuration
UtilitySYNOPSIS
kmfcfg subcommand [option ...]
DESCRIPTION
The kmfcfg command allows users to configure Key Management
Framework (KMF) policy databases. The KMF policy database (DB) restricts the use of keys and certificates that are managed through the KMF framework.kmfcfg provides the ability to list, create, modify, delete,
import and export policy definitions either in the system default database file /etc/security/kmfpolicy.xml or auser-defined database file.
For plugin configuration, kmfcfg allows users to display
plugin information, install or uninstall a KMF plugin, and modify the plugin option. SUBCOMMANDS The following subcommands are supported: create Adds a new policy into the policy database file. The format for the create subcommand is as follows: create [dbfile=dbfile] policy=policyname[ignore-date=true|false]
[ignore-unknown-eku=true|false]
[ignore-trust-anchor=true|false]
[validity-adjusttime=adjusttime]
[ta-name=trust anchor subject DN]
[ta-name=trust anchor subject DN | search]
[ta-serial=trust anchor serial number]
[ocsp-responder=URL]
[ocsp-proxy=URL]
[ocsp-use-cert-responder=true|false]
[ocsp-response-lifetime=timelimit]
[ocsp-ignore-response-sign=true|false]
[ocsp-responder-cert-name=Issuer DN]
[ocsp-responder-cert-serial=serial number]
[crl-basefilename=basefilename]
[crl-directory=directory]
[crl-get-crl-uri=true|false]
SunOS 5.11 Last change: 12 Aug 2010 1
User Commands kmfcfg(1)
[crl-proxy=URL]
[crl-ignore-crl-sign=true|false]
[crl-ignore-crl-date=true|false]
[keyusage=digitalSignature|nonRepudiation |keyEncipherment | dataEncipherment | keyAgreement |keyCertSign | cRLSign | encipherOnly | decipherOnly],[...] [ekunames=serverAuth | clientAuth | codeSigning | emailProtection | ipsecEndSystem | ipsecTunnel | ipsecUser | timeStamping | OCSPSigning],[...] [ekuoids=OID,OID,OID...][mapper-name=name of the mapper]
[mapper-dir=dir where mapper library resides]
[mapper-path=full pathname of mapper library]
[mapper-options=mapper options]
The create subcommand supports the following options:crl-basefilename=filename
crl-directory=directory
These two attributes are used to specify the loca-
tion for CRL files. The crl-basefilename attribute
represents the base filename for a CRL file. Thecrl-directory attribute represents the directory for
CRL files, which defaults to the current directory.If the crl-get-crl-uri attribute is set to true and
the crl-basefilename is not specified, the base-
filename for the cached CRL file is the basename of the URI used to fetch the CRL file.If the crl-get-crl-uri attribute is set to false the
crl-basefilename needs to be specified to indicate
an input CRL file. The setting for crl-get-crl-uri
is false by default.These two attributes only apply to the file-based
CRL plugins. The current file-based CRL plugins are
file and pkcs11 keystores. For the nss keystore, the CRL location is always the NSS internal database.crl-get-crl-uri=true | false
Configure if a CRL file is fetched and cached dynam-
ically as part of the certificate validation, usingthe URI information from the certificate's distribu-
tion points extension.SunOS 5.11 Last change: 12 Aug 2010 2
User Commands kmfcfg(1)
The default for this attribute is false.crl-ignore-crl-date=true | false
If crl-ignore-crl-date is set to true, the validity
time period of the CRL is not checked. The default for this attribute is false.crl-ignore-crl-sign=true | false
If crl-ignore-crl-sign is set to true, the signature
of the CRL is not checked. The default for this attribute is false.crl-proxy= URL
Sets the proxy server name and port for dynamicallyretrieving a CRL file when crl-get-crl-uri is set to
true. The port number is optional. If the port number is not specified, the default value is 8080. An examplecrl-proxy setting might be: crl-
proxy=webcache.sfbay:8080. dbfile=dbfile The DB file to add the new policy. If not specified, the default is the system KMF policy database file /etc/security/kmfpolicy.xml. ekuoids=EKUOIDS A comma separated list of Extended Key Usage OIDs that are required by the policy being defined. The OIDs are expressed in dot notation, for example, 1.2.3.4. An example ekuoids setting might be: ekuoids=1.2.3.4,9.8.7.6.5.ekunames=EKUNAMES
A comma separated list of Extended Key Usage names that are required by the policy being defined. Thelist of values allowed for EKUNAMES are: serverAuth,
SunOS 5.11 Last change: 12 Aug 2010 3
User Commands kmfcfg(1)
clientAuth, codeSigning, emailProtection,ipsecEndSystem, ipsecTunnel, ipsecUser, timeStamp-
ing, and OCSPSigning The OCSP, CRL, key usage and extended key usage checkings are off by default. To turn on any one ofthem, specify one or more attributes for the partic-
ular checking. For example, if the ocsp-responder
attribute is set, then the OCSP checking is turnedon. If the ekuname attribute or the ekuoids attri-
bute is set, then the extended key usage checking is turned on.ignore-date=true | false
Set the Ignore Date option for this policy. By default this value is false. If true is specified, the policy ignores the validity periods defined in the certificates when evaluating their validity.ignore-unknown-eku=true | false
Set the Ignore Unknown EKU option for this policy. By default this value is false. If true, the policy ignores any unrecognized EKU values in the Extended Key Usage extension.ignore-trust-anchor=true | false
Set the Ignore Trust Anchor option for this policy.By default this value is false. If true is speci-
fied, the policy does not verify the signature ofthe subject certificate using trust anchor certifi-
cate at validation. keyusage=KUVALUES A comma separated list of key usage values that are required by the policy being defined. The list ofvalues allowed are: digitalSignature, nonRepudia-
tion, keyEncipherment, dataEncipherment, keyAgree-
ment, keyCertSign, cRLSign, encipherOnly, deci-
pherOnlyocsp-ignore-response-sign=true | false
If this attribute is set to true, the signature ofSunOS 5.11 Last change: 12 Aug 2010 4
User Commands kmfcfg(1)
the OCSP response is not verified. This attribute value is default to false.ocsp-proxy=URL
Set the proxy server name and port for OCSP. The port number is optional. If the port number is not specified, the default value is 8080. An exampleocsp-proxy setting might be: ocsp-
proxy="webcache.sfbay:8080"ocsp-response-lifetime=timelimit
Set the freshness period that a response must be.The timelimit can be specified by number-day,
number-hour, number-minute, or number-second. An
example ocsp-response-lifetime setting might
be:ocsp-response-lifetime=6-hour.
ocsp-responder-cert-name=IssuerDN
ocsp-responder-cert-serial=serialNumber
These two attributes represent the OCSP respondercertificate. The ocsp-responder-cert-name is to
specify the issuer name of the certificate. See theta-name option for example. The ocsp-responder-
cert-serial is for the serial number and must be
specified as a hex value, for example, 0x0102030405060708090a0b0c0d0e0f. If an OCSPresponder is different from the issuer of the certi-
ficate and if the OCSP response needs to be veri-
fied, an OCSP responder certificate information should be provided.ocsp-responder=URL
Set the OCSP responder URL for use with the OCSPvalidation method. For example, ocsp-
responder=http://ocsp.verisign.com/ocsp/statusocsp-use-cert-responder=true | false
Configure this policy to always use the responder defined in the certificate itself if possible.SunOS 5.11 Last change: 12 Aug 2010 5
User Commands kmfcfg(1)
policy=policyname The policy record to be created. policyname is required.ta-name=trust anchor subject DN | search
ta-name identifies the trust anchor used to validate
a certificate. The KMF policy engine does not do full PKIX path validation, but rather just treats the trust anchor as if it were the parent of the certificate to be validated. If an explicit Subject DN is specified, it must becombined with a ta-serial value to uniquely identify
the certificate to use. Also, the certificate iden-
tified must be available in the keystore that is selected. If the value search is used instead of an explicit subject and serial number, the KMF policy engine attempts to locate a certificate that matches the issuer name of the certificate to be validated and uses that for the validation.If search is used, the ta-serial value is ignored.
ta-serial=trust anchor serial number
If the ta-name is specified as an explicit subject
name, the serial number of that certificate must beindicated by the ta-serial value. The serial number
must be represented in hexadecimal format, forexample, ta-serial=0x01020a0b.
validity-adjusttime=adjusttime
Set the adjust time for both ends of validity period for a certificate. The time can be specified bynumber-day, number-hour, number-minute, or number-
second. An example validity-adjusttime setting might
be: validity-adjusttime=6-hour. ta-name="Subject DN"
ta-serial=serialNumber
These two attributes represent the trust anchor cer-
tificate and are used to find the trust anchor cer-
tificate in the keystore. The ta-name is to specify
the distinguished name of the trust anchor certifi-
cate subject name. For example, ta-name="O=Sun
SunOS 5.11 Last change: 12 Aug 2010 6
User Commands kmfcfg(1)
Microsystems Inc., OU=Solaris Security Technologies Group, L=Ashburn, ST=VA, C=US, CN=John Smith" The serial number of the TA certificate. This, alongwith the Issuer DN, is used to find the TA certifi-
cate in the keystore. The serial number must be specified as a hex value, for example, 0x0102030405060708090a0b0c0d0e The trust anchorattributes need to be set, if the value of ignore-
trust-anchor attribute is false.
mapper-name=name
mapper-dir=directory
mapper-path=path
mapper-options=options
These four options support the certificate to namemapping. mapper-name provides the name of the
mapper. For example, the cn name represents themapper object kmf_mapper_cn.so.1. mapper-dir over-
rides the default mapper directory /lib/crypto.mapper-path specifies the full path to the mapper
object. mapper-options is an ASCII only string of
maximum of 255 bytes long. Its format is mapper specific but mappers are expected to accept a comma separated list of options, for examplecasesensitive,ignoredomain. mapper-path and mapper-
name are mutually exclusive. mapper-dir can be set
only if mapper-name is set. mapper-options can be
set only if mapper-name or mapper-path is set. Try-
ing to use any of the above mentioned incorrect set-
tings results in an error and the policy database is not modified. delete Deletes any policy matching the indicated policy name. The system default policy (default) cannot be deleted. The format for the delete subcommand is as follows: delete [dbfile=dbfile] policy=policyname The delete subcommand supports the following options: dbfile=dbfile Read policy definitions from the indicated file. If dbfile is not specified, , the default is the system KMF policy database file:SunOS 5.11 Last change: 12 Aug 2010 7
User Commands kmfcfg(1)
/etc/security/kmfpolicy.xml. policy=policyname The name of the policy to delete. policyname is required, if using the system database. export Exports a policy from one policy database file to another policy database file. The format for the export subcommand is as follows:kmfcfg export policy=policyname outfile=newdbfile [dbfile=dbfile]
The export subcommand supports the following options: dbfile=dbfile The DB file where the exported policy is read. If dbfile is not specified, the default is the system KMF policy database file: /etc/security/kmfpolicy.xml. outfile=outputdbfile The DB file where the exported policy is stored. policy=policyname The policy record to be exported. helpDisplays help for the kmfcfg command.
The format for the help subcommand is as follows: help import Imports a policy from one policy database file to another policy database file.SunOS 5.11 Last change: 12 Aug 2010 8
User Commands kmfcfg(1)
The format for the import subcommand is as follows:kmfcfg import policy=policyname infile=inputdbfile [dbfile=dbfile]
The import subcommand supports the following options: policy=policyname The policy record to be imported. infile=inputdbfile The DB file to read the policy from. dbfile=outdbfile The DB file to add the new policy. If not specified, the default is the system KMF policy database file /etc/security/kmfpolicy.xml. list Without arguments, lists all policy definitions from the default system database. The format for the list subcommand is as follows: list [dbfile=dbfile] [policy=policyname] The list subcommand supports the following options: dbfile=dbfile Reads policy definitions from the indicated file. If not specified,the default is the system KMF pol-
icy database file /etc/security/kmfpolicy.xml. policy=policyname Only display policy definition for the named policy. modify Modifies any policy matching the indicated name. The system default policy (default) cannot be modified. The format for the modify subcommand is as follows:SunOS 5.11 Last change: 12 Aug 2010 9
User Commands kmfcfg(1)
modify [dbfile=dbfile] policy=policyname[ignore-date=true|false]
[ignore-unknown-eku=true|false]
[ignore-trust-anchor=true|false]
[validity-adjusttime=adjusttime]
[ta-name=trust anchor subject DN]
[ta-serial=trust anchor serial number]
[ocsp-responder=URL]
[ocsp-proxy=URL]
[ocsp-use-cert-responder=true|false]
[ocsp-response-lifetime=timelimit]
[ocsp-ignore-response-sign=true|false]
[ocsp-responder-cert-name=Issuer DN]
[ocsp-responder-cert-serial=serial number]
[ocsp-none=true|false]
[crl-basefilename=basefilename]
[crl-directory=directory]
[crl-get-crl-uri=true|false]
[crl-proxy=URL]
[crl-ignore-crl-sign=true|false]
[crl-ignore-crl-date=true|false]
[crl-none=true|false]
[keyusage=digitalSignature| nonRepudiation |keyEncipherment | dataEncipherment | keyAgreement |keyCertSign | cRLSign | encipherOnly | decipherOnly],[...][keyusage-none=true|false]
[ekunames=serverAuth | clientAuth | codeSigning | emailProtection | ipsecEndSystem | ipsecTunnel | ipsecUser | timeStamping | OCSPSigning],[...] [ekuoids=OID,OID,OID][eku-none=true|false]
[mapper-name=name of the mapper]
[mapper-dir=dir where mapper library resides]
[mapper-path=full pathname of mapper library]
[mapper-options=mapper options]
The modify subcommand supports many of the same options as the create subcommand. For descriptions of shared options, see the create subcommand. The modify subcommand supports the following unique options:crl-none=true | false If crl-none is set to
true, CRL checking isturned off. If this attri-
bute is set to true, other CRL attributes cannot beSunOS 5.11 Last change: 12 Aug 2010 10
User Commands kmfcfg(1)
set. dfile=[dbfile] The database file to modify a policy. If not specified, the default is the system KMF policy database file /etc/security/kmfpolicy.xml.eku-none=true | false If eku-none is set to
true, extended key usage checking is turned off. The extended key usage attributes, ekuname and ekuoids cannot be set atthe same time if eku-none
is set to true.keyusage-none=true | false If keyusage-none is set to
true, key usage checking is turned off. The keyusage attribute cannot be set at the same time if this attribute is set to true.ocsp-none=true | false If ocsp-none is set to
true, OCSP checking is turned off. Any other OCSP attribute is not set at the same time if this attribute is set to true. policy=policyname The name of the policy to modify. policyname isrequired. The default pol-
icy in the system KMF pol-
icy database cannot be modified.mapper-name=name See the create subcommand
mapper-dir=directory for more information.
mapper-path=path
mapper-options=options
SunOS 5.11 Last change: 12 Aug 2010 11
User Commands kmfcfg(1)
Plugin Subcommandsinstall keystore=keystore_name modulepath=pathname\
[option=option_str]
Install a plugin into the system. The modulepath field specifies the pathname to a KMF plugin shared library object. If pathname is not specified as an absolutepathname, shared library objects are assumed to be rela-
tive to /lib/security/$ISA/. The ISA token is replaced
by an implementation defined directory name which defines the pathname relative to the calling program's instruction set architecture. list plugin Display KMF plugin information.Without the pluginkeyword, kmfcfg list shows the policy
information as described in the SUBCOMMANDS section.modify plugin keystore=keystore_name option=option_str
Modify the plugin option. The plugin option is definedby the plugin and is interpreted by the plugin specifi-
cally, therefore this command accepts any option string.Without the plugin keyword, kmfcfg modify updates the
policy configuration as described in the SUBCOMMANDS section.uninstall keystore=keystore_name
Uninstall the plugin with the keystore_name.
EXAMPLES
Example 1 Creating a New Policy The following example creates a new policy called IPSEC in the system database:$ kmfcfg create IPSEC \
ignore-trust-anchor=true \
ocsp-use-cert-responder=true \
keyusage=keyAgreement,keyEncipherment,dataEncipherment \ ekuname=ipsecTunnel,ipsecUserSunOS 5.11 Last change: 12 Aug 2010 12
User Commands kmfcfg(1)
EXIT STATUS The following exit values are returned: 0 Successful completion. >0 An error occurred. FILES /etc/security/kmfpolicy.xml Default system policy databaseATTRIBUTES
See attributes(5) for descriptions of the following attri-
butes:____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Availability | SUNWcs ||_____________________________|_____________________________|
| Interface Stability | Uncommitted ||_____________________________|_____________________________|
SEE ALSO
attributes(5)SunOS 5.11 Last change: 12 Aug 2010 13