If the cryptographic framework provides multiple mechanisms for a provider such as AES, you can remove a slow or corrupted mechanism from use while leaving the rest of the provider available. This procedure uses the AES algorithm as an example.
Become superuser or assume a role that includes the Crypto Management rights profile.
To create a role that includes the Crypto Management rights profile and assign the role to a user, see Example 9–7.
List the mechanisms that are offered by a particular kernel software provider.
$ cryptoadm list -m provider=aes
aes: CKM_AES_ECB,CKM_AES_CBC
List the mechanisms that are currently available for use, that is, the provider's policy.
$ cryptoadm list -p provider=aes
aes: all mechanisms are enabled.
Disable the mechanism that should not be used.
$ cryptoadm disable provider=aes mechanism=CKM_AES_ECB
List the mechanisms that are available for use again, to verify that the policy now excludes the disabled mechanism.
$ cryptoadm list -p provider=aes
aes: all mechanisms are enabled, except CKM_AES_ECB.
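The verification step above reads the provider policy by eye. The following shell function, an added example that is not part of the Solaris documentation, parses that same `cryptoadm list -p provider=NAME` output so a hardening script can assert that a mechanism such as CKM_AES_ECB really is excluded. The two "all mechanisms are enabled" forms come from the listings on this page; the "all mechanisms are disabled" forms are an assumption about cryptoadm output not shown here.

```shell
# Report whether a mechanism is still permitted by a kernel software provider's
# policy. Arguments: the full "cryptoadm list -p provider=NAME" output, the
# provider name, the mechanism name. Prints enabled/disabled; prints unknown and
# returns 2 when the provider line is missing or in an unrecognised form.
mechanism_state() {
    policy_output="$1"
    provider="$2"
    mech="$3"

    # Keep only this provider's policy line, then drop "name: " and the final period.
    line=$(printf '%s\n' "$policy_output" | grep "^${provider}: " | head -n 1)
    policy=${line#*: }
    policy=${policy%.}

    case "$policy" in
        'all mechanisms are enabled')
            echo enabled ;;
        'all mechanisms are disabled')                # assumed form, not shown on this page
            echo disabled ;;
        'all mechanisms are enabled, except '*)
            except=$(printf '%s' "${policy#all mechanisms are enabled, except }" | tr -d ' ')
            case ",${except}," in
                *",${mech},"*) echo disabled ;;
                *)             echo enabled ;;
            esac ;;
        'all mechanisms are disabled, except '*)      # assumed form, not shown on this page
            only=$(printf '%s' "${policy#all mechanisms are disabled, except }" | tr -d ' ')
            case ",${only}," in
                *",${mech},"*) echo enabled ;;
                *)             echo disabled ;;
            esac ;;
        *)
            echo unknown; return 2 ;;
    esac
}

# Constructed sample output, copied from the listings in the procedure above.
POLICY_BEFORE='aes: all mechanisms are enabled.'
POLICY_AFTER='aes: all mechanisms are enabled, except CKM_AES_ECB.'

mechanism_state "$POLICY_BEFORE" aes CKM_AES_ECB   # enabled
mechanism_state "$POLICY_AFTER"  aes CKM_AES_ECB   # disabled
mechanism_state "$POLICY_AFTER"  aes CKM_AES_CBC   # enabled
```

On a live system, pass `"$(cryptoadm list -p provider=aes)"` as the first argument and fail the hardening check when the result is not `disabled`.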
In the following example, a disabled AES mechanism is again made available for use.
$ cryptoadm list -m provider=aes
aes: CKM_AES_ECB,CKM_AES_CBC
$ cryptoadm list -p provider=aes
aes: all mechanisms are enabled, except CKM_AES_ECB.
$ cryptoadm enable provider=aes mechanism=CKM_AES_ECB
$ cryptoadm list -p provider=aes
aes: all mechanisms are enabled.
In the following example, the AES provider is temporarily removed from use. The unload subcommand is useful for preventing a provider from being loaded automatically while the provider is being uninstalled. For example, the unload subcommand would be used when installing a patch that affects the provider.
$ cryptoadm unload provider=aes
$ cryptoadm list
…
Kernel software providers:
    des
    aes (inactive)
    arcfour
    blowfish
    ecc
    sha1
    sha2
    md4
    md5
    rsa
    swrand
The AES provider is unavailable until the cryptographic framework is refreshed.
$ svcadm refresh system/cryptosvc
$ cryptoadm list
…
Kernel software providers:
    des
    aes
    arcfour
    blowfish
    ecc
    sha1
    sha2
    md4
    md5
    rsa
    swrand
If a kernel consumer is using the kernel software provider, the software is not unloaded. An error message is displayed and the provider continues to be available for use.
In the following example, the AES provider is removed from use. Once removed, the AES provider does not appear in the policy listing of kernel software providers.
$ cryptoadm uninstall provider=aes
$ cryptoadm list
…
Kernel software providers:
    des
    arcfour
    blowfish
    ecc
    sha1
    sha2
    md4
    md5
    rsa
    swrand
If a kernel consumer is using the kernel software provider, an error message is displayed and the provider continues to be available for use.
In the following example, the AES kernel software provider is reinstalled.
$ cryptoadm install provider=aes mechanism=CKM_AES_ECB,CKM_AES_CBC
$ cryptoadm list
…
Kernel software providers:
    des
    aes
    arcfour
    blowfish
    ecc
    sha1
    sha2
    md4
    md5
    rsa
    swrand