Administering the Cryptographic Framework
This section describes how to administer the software providers and the
hardware providers in the Cryptographic Framework. Software providers and hardware
providers can be removed from use when desirable. For example, you can disable the
implementation of an algorithm from one software provider. You can then force the
system to use the algorithm from a different software provider.
Note - An important component of administering the Cryptographic Framework is to plan and implement your policy regarding FIPS 140, the U.S. Government computer security standard for cryptography modules.

If you have a strict requirement to use only FIPS 140-2 validated cryptography, you must be running the Oracle Solaris 11.1 SRU 5.5 release or the Oracle Solaris 11.1 SRU 3 release. Oracle completed a FIPS 140-2 validation against the Solaris Cryptographic Framework in these two specific releases. Oracle Solaris 11.2 builds on this validated foundation and includes software improvements that address performance, function, and reliability. Whenever possible, you should configure Oracle Solaris 11.2 in FIPS 140-2 mode to take advantage of these improvements.

Review Using a FIPS 140 Enabled System in Oracle Solaris 11.2 and plan an overall FIPS policy for your systems.
The following task map points to procedures for administering software and hardware
providers in the Cryptographic Framework.
Table 3-2 Administering the Cryptographic Framework Task Map

| Task | Description |
|------|-------------|
| Plan your FIPS policy for your systems. | Decide on your plan for enabling FIPS-approved providers and consumers and implement your plan. |
| List the providers in the Cryptographic Framework. | Lists the algorithms, libraries, and hardware devices that are available for use in the Cryptographic Framework. |
| Enable FIPS 140 mode. | Runs the Cryptographic Framework to a U.S. government standard for cryptography modules. |
| Add a software provider. | Adds a PKCS #11 library or a kernel module to the Cryptographic Framework. The provider must be signed. |
| Prevent the use of a user-level mechanism. | Removes a software mechanism from use. The mechanism can be enabled again. |
| Temporarily disable mechanisms from a kernel module. | Temporarily removes a mechanism from use. Usually used for testing. |
| Uninstall a library. | Removes a user-level software provider from use. |
| Uninstall a kernel provider. | Removes a kernel software provider from use. |
| Disable mechanisms from a hardware provider. | Ensures that selected mechanisms on a hardware accelerator are not used. |
| Restart or refresh cryptographic services. | Ensures that cryptographic services are available. |
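The introduction makes the point that you can disable an algorithm on one software provider so that the framework uses another provider's implementation, and the task-map rows on preventing a user-level mechanism and disabling kernel or hardware mechanisms are where that is done. Before removing a mechanism from a provider, a practitioner wants to know whether any other provider still implements it. The following shell script is an added example, not part of the Oracle documentation: it parses a `cryptoadm list -m` listing and reports which providers implement a given mechanism, then refuses to call a disable "safe" when the named provider is the only implementation. The sample listing is constructed here and its exact layout (user-level `Provider:` blocks, kernel `name: CKM_A,CKM_B` lines) is an assumption; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): before disabling a mechanism on one
# provider, find out which other Cryptographic Framework providers still implement it.

# Constructed sample of `cryptoadm list -m` output. It is not captured from a real
# system; the layout of the user-level and kernel sections is assumed.
SAMPLE_LIST_M='User-level providers:
=====================

Provider: /usr/lib/security/$ISA/pkcs11_kernel.so
Mechanisms:
CKM_DES_CBC
CKM_AES_CBC
CKM_SHA256

Provider: /usr/lib/security/$ISA/pkcs11_softtoken.so
Mechanisms:
CKM_DES_CBC
CKM_AES_CBC
CKM_SHA256
CKM_MD5

Kernel software providers:
==========================
des: CKM_DES_ECB,CKM_DES_CBC
aes: CKM_AES_ECB,CKM_AES_CBC
sha2: CKM_SHA256
'

# providers_for_mechanism MECH
# Reads a `cryptoadm list -m` listing on stdin and prints, one per line, every
# provider (user-level library or kernel module) that implements MECH.
providers_for_mechanism() {
    awk -v mech="$1" '
        /^Provider: /  { prov = $2; next }      # start of a user-level provider block
        /^$/           { prov = "";  next }     # a blank line ends the block
        /^Mechanisms:/ { next }
        /^[^ :]+: / {                           # kernel provider: name: CKM_X,CKM_Y
            split($0, kv, ": ")
            n = split(kv[2], ms, ",")
            for (i = 1; i <= n; i++) if (ms[i] == mech) print kv[1]
            next
        }
        prov != "" && $1 == mech { print prov } # mechanism line inside a user-level block
    '
}

# can_disable PROVIDER MECH
# Succeeds (exit 0) only if at least one provider other than PROVIDER implements MECH,
# so that disabling MECH on PROVIDER leaves the framework another implementation.
can_disable() {
    others=$(providers_for_mechanism "$2" | grep -v -x -F -- "$1" | wc -l)
    [ "$((others + 0))" -gt 0 ]
}

# Stand-alone demonstration against the constructed listing.
softtoken='/usr/lib/security/$ISA/pkcs11_softtoken.so'
for mech in CKM_DES_CBC CKM_MD5; do
    echo "$mech is implemented by:"
    printf '%s' "$SAMPLE_LIST_M" | providers_for_mechanism "$mech" | sed 's/^/  /'
    if printf '%s' "$SAMPLE_LIST_M" | can_disable "$softtoken" "$mech"; then
        echo "  -> another provider remains; disabling $mech on $softtoken keeps the algorithm available"
    else
        echo "  -> $softtoken is the only implementation of $mech; disabling it removes the algorithm"
    fi
done
```

On a live system, pipe the real listing in instead of the constructed sample, for example `cryptoadm list -m | providers_for_mechanism CKM_DES_CBC`. The check reads only; it never runs the disable itself, so it can be used as a guard in front of the procedures the task map points to.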