Oracle Solaris 11.1 Administration: Security Services
The Key Management Framework (KMF) provides a unified approach to managing public key infrastructure (PKI) technologies. Oracle Solaris has several different applications that make use of PKI technologies. Without KMF, each application provides its own programming interfaces, key storage mechanisms, and administrative utilities, and if an application provides a policy enforcement mechanism, that mechanism applies to that application only. With KMF, applications use a unified set of administrative tools, a single set of programming interfaces, and a single policy enforcement mechanism. Together these manage the PKI needs of all applications that adopt the KMF interfaces.
KMF unifies the management of public key technologies with the following interfaces: the pktool command, which manages the keys, certificates, and other objects in a keystore; the kmfcfg command, which manages the KMF policy database and keystore plugins; and the KMF library, whose programming interfaces hide the underlying keystore mechanism from applications.
PKI policy decisions include choices such as which validation method is used to check a certificate for an operation. PKI policy can also limit the scope of a certificate: for example, a policy might assert that a certificate can be used only for specific purposes, which prevents that certificate from being accepted for other requests.
Applications do not have to commit to one particular keystore mechanism and can migrate from one mechanism to another. The supported keystores are PKCS #11, NSS, and OpenSSL. The library includes a pluggable framework so that new keystore mechanisms can be added; an application that uses the KMF interfaces needs only minor modifications to take advantage of a new keystore.
KMF provides methods for managing the storage of keys and provides the overall policy for the use of those keys. KMF manages the policy, keys, and certificates for three public key technologies:
Tokens from PKCS #11 providers, that is, from the Cryptographic Framework
NSS, that is, Network Security Services
OpenSSL, a file-based keystore
The kmfcfg tool can create, modify, or delete KMF policy entries. The tool also manages plugins to the framework. KMF manages keystores through the pktool command. For more information, see the kmfcfg(1) and pktool(1) man pages, and the following sections.
KMF policy is stored in a database (by default the file /etc/security/kmfpolicy.xml). This policy database is accessed internally by all applications that use the KMF programming interfaces. The database can constrain the use of the keys and certificates that are managed by the KMF library. When an application attempts to verify a certificate, the KMF library consults the policy database on the application's behalf. The kmfcfg command modifies the policy database.
The kmfcfg command provides the following subcommands for plugins:
list plugin – Lists plugins that are managed by KMF.
install plugin – Installs the plugin from the module's path name and registers it under a keystore name.
uninstall plugin – Removes the plugin from KMF by removing its keystore.
modify plugin – Enables the plugin to be run with an option that is defined in the code for the plugin, such as debug.
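The following script is an added example, not part of the Oracle documentation, that walks through the kmfcfg policy and plugin operations described above. It assumes a Solaris host with kmfcfg installed (on other systems it prints a message and returns status 2), and it uses a scratch policy database under a temporary directory rather than the system default /etc/security/kmfpolicy.xml. The policy name, trust-anchor DN, serial number, and OCSP URL are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Oracle page): manage a KMF policy with kmfcfg in a
# scratch policy database instead of the system default /etc/security/kmfpolicy.xml.
# The policy name, DN, serial number and OCSP URL below are made up for the demo.

kmf_policy_demo() {
    # Skip cleanly on hosts without the Solaris KMF utilities.
    command -v kmfcfg >/dev/null 2>&1 || { echo "kmfcfg not found; skipping" >&2; return 2; }

    KMF_POLICY_DEMO_DIR=$(mktemp -d "${TMPDIR:-/tmp}/kmfpol.XXXXXX") || return 1
    db="$KMF_POLICY_DEMO_DIR/kmfpolicy.xml"
    mkdir -p "$KMF_POLICY_DEMO_DIR/crl" || return 1

    # Keystore plugins are global to the framework, not per policy database.
    # (Installing one would be: kmfcfg install keystore=<name> modulepath=<path>;
    #  removing it: kmfcfg uninstall keystore=<name>.)
    kmfcfg list plugin || return 1

    # Create a policy that pins the trust anchor to one CA certificate (subject DN
    # and serial must both match), validates via CRLs fetched from the certificate's
    # CRL distribution point into a local directory, and restricts certificates to
    # TLS server authentication with the matching key usages.
    kmfcfg create dbfile="$db" policy=demo-tls \
        ta-name="CN=Demo Root CA,O=Example" ta-serial=0x01 \
        crl-directory="$KMF_POLICY_DEMO_DIR/crl" crl-get-crl-uri=true \
        ekunames=serverAuth keyusage=digitalSignature,keyEncipherment || return 1

    # Review the stored policy, then add OCSP as a second validation method in place.
    kmfcfg list dbfile="$db" policy=demo-tls || return 1
    kmfcfg modify dbfile="$db" policy=demo-tls \
        ocsp-responder=http://ocsp.example.test || return 1
    kmfcfg list dbfile="$db" policy=demo-tls || return 1

    # Remove the policy entry when it is no longer needed; the file stays for inspection.
    kmfcfg delete dbfile="$db" policy=demo-tls || return 1
    echo "scratch policy database left under $KMF_POLICY_DEMO_DIR"
}

kmf_policy_demo || echo "kmf_policy_demo exited with status $?" >&2
```

Because the database is passed explicitly with dbfile=, nothing here touches the system policy; drop the dbfile= argument only when you intend to change the policy that every KMF-aware application on the host will consult.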
The pktool command manages the objects in a keystore. Its subcommands can:
Generate a self-signed certificate.
Generate a certificate request.
Generate a symmetric key.
Generate a public/private key pair.
Generate a PKCS #10 certificate signing request (CSR) to be sent to an external certificate authority (CA) to be signed.
Sign a PKCS #10 CSR.
Import objects into the keystore.
List the objects in the keystore.
Delete objects from the keystore.
Download a CRL.
Generate a passphrase for the keystore.
Generate a passphrase for an object in the keystore.
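The following script is an added example, not part of the Oracle documentation, that chains several of the pktool operations listed above against the file-based (OpenSSL) keystore: it generates a self-signed CA certificate, generates a key pair and PKCS #10 CSR, signs that CSR with the CA key, and lists the resulting objects. It assumes a Solaris host with pktool installed (elsewhere it prints a message and returns status 2); the directory, subject DNs, serial numbers, and lifetimes are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Oracle page): exercise pktool's file-based (OpenSSL)
# keystore end to end. Paths, DNs, serial numbers and lifetimes are made up for the demo.

kmf_pki_demo() {
    # Skip cleanly on hosts without the Solaris KMF utilities.
    command -v pktool >/dev/null 2>&1 || { echo "pktool not found; skipping" >&2; return 2; }

    KMF_DEMO_DIR=$(mktemp -d "${TMPDIR:-/tmp}/kmfdemo.XXXXXX") || return 1
    ks="$KMF_DEMO_DIR"

    # 1. Self-signed CA certificate. With keystore=file, gencert always self-signs;
    #    the key usage marks this certificate as a signer of certificates and CRLs only.
    pktool gencert keystore=file outcert="$ks/ca.crt" outkey="$ks/ca.key" \
        subject="CN=Demo Root CA,O=Example" serial=0x01 \
        keytype=rsa keylen=2048 hash=sha256 lifetime=10-year \
        keyusage=critical:keyCertSign,cRLSign || return 1

    # 2. Server key pair plus a PKCS #10 CSR (this is what you would hand to an
    #    external CA). The requested usages are scoped to TLS server authentication.
    pktool gencsr keystore=file outcsr="$ks/server.csr" outkey="$ks/server.key" \
        subject="CN=www.example.test,O=Example" \
        keytype=rsa keylen=2048 hash=sha256 \
        keyusage=critical:digitalSignature,keyEncipherment eku=serverAuth || return 1

    # 3. Act as the CA: sign the CSR with the CA's private key. pktool does not read
    #    the issuer name from a certificate, so issuer= must repeat the CA subject DN,
    #    and serial= must be unique per issuer for CRL handling to work.
    pktool signcsr keystore=file signkey="$ks/ca.key" csr="$ks/server.csr" \
        serial=0x02 outcert="$ks/server.crt" issuer="CN=Demo Root CA,O=Example" \
        lifetime=1-year hash=sha256 || return 1

    # 4. Inspect what was produced.
    pktool list keystore=file objtype=cert infile="$ks/ca.crt" || return 1
    pktool list keystore=file objtype=cert infile="$ks/server.crt" || return 1
    pktool list keystore=file objtype=key infile="$ks/server.key" || return 1
    echo "demo keystore files left under $ks"
}

kmf_pki_demo || echo "kmf_pki_demo exited with status $?" >&2
```

The file keystore leaves the private keys unencrypted on disk, so the scratch directory should be removed after inspection; for anything beyond a demonstration, generate the keys in a PKCS #11 token instead (keystore=pkcs11 with a label=), where pktool setpin governs access to them.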