Developer's Guide to Oracle Solaris Security

Procedure: To Generate an Activation File for Retail Export

This procedure is useful when the same provider is to be shipped for both domestic use and restricted international use. You sign the provider with a key for a usage-restricted certificate for all customers. For those customers who may use providers without caller-based restrictions, you generate and include a special activation file that permits use with IPsec. The activation file must reside in the same directory as the provider. The convention for naming the activation file is to combine the name of the driver with the extension .esa, for example, /kernel/drv/vca.esa.

  1. Sign the provider. Use the elfsign sign command, the certificate from Oracle, and the private key for requesting certificates from Oracle.


    % elfsign sign -a -k private-keyfile -c Oracle-certificate -e provider-object
    
    -a

    Generate a signed ELF Sign Activation (.esa) file. This option is used when a cryptographic provider needs both non-retail export approval and retail approval. The retail approval is accomplished by restricting export-sensitive callers such as IPsec. This option assumes that the provider binary has previously been signed with a restricted certificate.

    -k

    File that contains the private key that was used to generate the certificate request that was sent to Oracle Corporation.

    -c

    Path to the certificate from Oracle that was issued from the certificate request.

    -e

    Path to the provider, or binary, to be signed for use within the cryptographic framework.

    The following example shows how to sign a provider.


    % elfsign sign \
    -a \
    -k /securecrypt/private/MyCompany.private.key \
    -c /etc/crypto/certs/MyCompany \
    -e /path/to/provider.object
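As an added example that is not part of the Oracle guide, the script below wraps the signing step and then checks that the activation file sits beside the provider under the naming convention described above, so a provider is not shipped without the .esa file that permits IPsec use. The key, certificate and provider paths are placeholders, and elfsign is invoked only if it is installed on the host.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): sign a provider with elfsign -a
# and confirm the activation file is where the framework expects it, in the
# same directory as the provider and named <provider>.esa.

# Activation-file path implied by the guide's naming convention.
esa_path_for() {
    printf '%s.esa\n' "$1"
}

# Return 0 if the provider exists and a non-empty activation file sits next
# to it; otherwise report what is missing and return 1.
check_activation_file() {
    provider=$1
    esa=$(esa_path_for "$provider")
    if [ ! -f "$provider" ]; then
        echo "missing provider: $provider" >&2
        return 1
    fi
    if [ ! -s "$esa" ]; then
        echo "missing or empty activation file: $esa" >&2
        return 1
    fi
    return 0
}

# Sign the (already restricted-signed) provider with -a using the given
# private key and Oracle certificate, then run the placement check.
# Signing is skipped when elfsign is absent so the check itself can be
# exercised on a non-Solaris host.
sign_with_activation() {
    key=$1; cert=$2; provider=$3
    if command -v elfsign >/dev/null 2>&1; then
        elfsign sign -a -k "$key" -c "$cert" -e "$provider" || return 1
    fi
    check_activation_file "$provider"
}
```

Run it as `sign_with_activation /securecrypt/private/MyCompany.private.key /etc/crypto/certs/MyCompany /kernel/drv/vca` after the restricted-certificate signing; a non-zero exit means the provider directory is not ready to ship.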