System Administration Commands kmscfg(1M)
NAME
kmscfg - configure the PKCS#11 KMS provider
SYNOPSIS
kmscfg
kmscfg -p[rofile] Profile_Name
kmscfg -a[gent] Agent_ID
kmscfg -i[paddr] Agent_Address
kmscfg -t[imeout] Transaction_Timeout
kmscfg -f[ailover] Failover_Limit
kmscfg -d[iscovery] Discovery_Freq
DESCRIPTION
The kmscfg command is used to initialize a PKCS#11 KMS provider (pkcs11_kms) for use with the Solaris Cryptographic Framework. In order for the KMS provider to communicate with the KMS, it must have some configuration information available. This configuration data contains information such as the name of the profile to be used, the name of the KMS Agent, the IP address of the KMS server, and some other parameters (see SYNOPSIS).
By default, kmscfg stores the configuration information in /var/kms/$USERNAME. This directory will be created if it is not already present. If an existing configuration is detected, the user will be given the option to override the existing data. The default location can be overridden by using the KMSTOKEN_DIR environment variable, which must be set prior to invoking kmscfg.
Prior to running kmscfg, the KMS administrator must have performed the required initialization and configuration steps on the KMS itself to set up the individual Profiles and Agents that PKCS11 KMS consumers will use. The instructions for configuring a KMS are available in the KMS 2.2 Administration Guide (http://docs.sun.com/app/docs/doc/316195103AA).
SunOS 5.11 Last change: 3 Jun 2010
Once the administrator has configured the KMS, the necessary identification information (profile name, agent ID, IP address) must be provided to be able to run kmscfg and initialize the provider on the Oracle Solaris client.
OPTIONS
The options listed below are supported. Note that if the profile, agent id, or agent address are not specified on the command line, kmscfg prompts you to provide these items.
-a Agent_ID
The user agent ID to be used for the KMS token being configured. It is not unusual for the Profile and Agent ID to be the same, for example, MyAgent.
-d Discovery_Freq
Frequency with which the client will try to discover the availability of other KMS servers. If not specified, Discovery_Freq defaults to 10.
-f Failover_Limit
The number of times communications to the KMS can fail before the client gives up. If not specified, Failover_Limit defaults to 3.
-i Agent_Addr
Address of the KMS. This can be an IPv4 address (xxx.xxx.xxx.xxx) or an IPv6 address. If an IPv6 address is used, it must be enclosed in brackets. For example: [2001:0DB8:AC10:FE01] A fully qualified host name can also be used, as long as that name can be resolved by the name service configured on the client.
-p Profile_Name
The name of the KMS profile to be used for the KMS token being configured.
-t Transaction_Timeout
Timeout period for individual KMS commands, in seconds. If not specified, this value defaults to 10.
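The options and the KMSTOKEN_DIR behavior described above, as an added example that is not part of the original man page: a POSIX sh wrapper that checks the Agent_Address form, prepares a private token directory, and runs kmscfg without prompts. The function names, the owner-only directory permissions, and the refusal to reuse a non-empty directory are this example's assumptions.

```shell
#!/bin/sh
# Added example: not part of the kmscfg man page. Paths and names passed in
# by the caller are placeholders; owner-only permissions are this example's choice.

# Syntactic check of the -i argument: IPv4 or host name, or IPv6 in brackets.
valid_agent_addr() {
    case "$1" in
        "") return 1 ;;
        \[*\])                                  # bracketed IPv6
            inner=${1#\[}; inner=${inner%\]}
            case "$inner" in
                *[!0-9A-Fa-f:]*) return 1 ;;    # only hex digits and colons
                *:*) return 0 ;;
                *) return 1 ;;
            esac ;;
        *[!A-Za-z0-9.-]*) return 1 ;;           # rejects unbracketed IPv6, spaces
        *) return 0 ;;
    esac
}

# Create an owner-only token directory and export KMSTOKEN_DIR, which must be
# set before kmscfg is invoked. Refuses a non-empty directory so an existing
# configuration is never overridden unattended.
prepare_token_dir() {
    ( umask 077 && mkdir -p "$1" ) || return 1
    [ -z "$(ls -A "$1")" ] || { echo "$1 is not empty" >&2; return 1; }
    chmod 700 "$1" || return 1
    KMSTOKEN_DIR=$1
    export KMSTOKEN_DIR
}

# Usage: configure_kms DIR PROFILE AGENT ADDRESS
# Supplies -p, -a and -i so kmscfg does not prompt; -t, -f and -d repeat the
# documented defaults (10, 3, 10) to make them explicit.
configure_kms() {
    [ -n "$2" ] && [ -n "$3" ] || { echo "profile and agent required" >&2; return 1; }
    valid_agent_addr "$4" || { echo "bad Agent_Address: $4" >&2; return 1; }
    prepare_token_dir "$1" || return 1
    kmscfg -p "$2" -a "$3" -i "$4" -t 10 -f 3 -d 10
}
```

The address check is syntactic only: it does not resolve host names or verify that the KMS is reachable.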
EXIT STATUS
After completing the requested operation, kmscfg exits with one of the following status values.
0 Successful termination.
1 Failure. The requested operation could not be completed.
FILES
/var/kms/$USERNAME
Default KMS token configuration directory.
${KMSTOKEN_DIR}
Alternate KMS token configuration directory.
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
___________________________________________________________________________
| ATTRIBUTE TYPE              | ATTRIBUTE VALUE                           |
|_____________________________|___________________________________________|
| Availability                | /system/library/security/crypto/pkcs11_kms|
|_____________________________|___________________________________________|
| Interface Stability         | Volatile                                  |
|_____________________________|___________________________________________|
SEE ALSO
pktool(1), attributes(5), pkcs11_kms(5)
KMS 2.2 Administration Guide (http://docs.sun.com/app/docs/doc/316195103AA)