Developers and system administrators can choose among several different keystore systems when designing systems that employ PKI technologies. A keystore is a storage system for PKI objects. The primary choices for Oracle Solaris users are NSS, OpenSSL, and PKCS#11. Each of these keystore systems presents different programming interfaces and administrative tools. None of these keystore systems includes any PKI policy enforcement system.
KMF provides generic interfaces that manipulate keys and certificates in all of these keystores.
A generic API layer enables the developer to specify which type of keystore to use. KMF also provides plugin modules for each of these three keystore systems so that you can write new applications to use any of these keystores. Applications written to KMF are not bound to one keystore system.
A management utility enables the administrator to manage PKI objects in all three of these keystores. You do not need to use a different utility for each keystore.
KMF also provides a system-wide policy database that KMF applications can use, regardless of which type of keystore is being used. The administrator can create policy definitions in a global database. KMF applications can choose which policy to assert, and then all subsequent KMF operations behave according to the limitations of that policy. Policy definitions include rules for how to perform validations, requirements for key usage and extended key usage, trust anchor definitions, Online Certificate Status Protocol (OCSP) parameters, and Certificate Revocation List (CRL) DB parameters such as location.
Oracle Solaris KMF includes the following features:
Programming interfaces for developing PKI aware applications. These interfaces are keystore independent: The interface does not bind the application to a particular keystore system such as NSS, OpenSSL, or PKCS#11.
An administrative utility for managing PKI objects.
A PKI policy database and enforcement system for PKI aware applications. The enforcement system is keystore independent and can be applied system-wide.
A plugin interface to extend KMF for legacy and proprietary systems.
KMF consumers include any project that uses certificates, such as authentication services and smart card authentication with X.509 certificates.