Solaris 10 What's New

Security Enhancements

The following security features and enhancements have been added to the Solaris 10 6/06 release.

Enhancements for pktool Object Migration and Interoperability

These security enhancements are new in the Solaris 10 6/06 release.

The pktool command enables users to manage PKCS#11 objects. New subcommands have been added to move, display, and delete PKCS#11 objects and to show available PKCS#11 tokens. The new pktool subcommands help migrate cryptographic objects to or from the default Sun Software PKCS#11 Softtoken or other PKCS#11-compliant tokens.

For further information, see the pktool(1) man page.

SSL Proxy Module

This security enhancement is new in the Solaris 10 6/06 release.

A kernel-level SSL proxy server has been added in this release. The proxy simplifies and accelerates the SSL/TLS protocol implementation by pushing handshake and record processing to the kernel. The proxy supports the most commonly used cipher suites. You can configure applications, such as web servers, to offload the handling of SSL operations that use those cipher suites to the proxy, and to seamlessly fall back to their existing user-level SSL library for the others.

For more information, see the ksslcfg(1M) man page.

AES Counter Mode

This security enhancement is new in the Solaris 10 6/06 release.

Advanced Encryption Standard (AES) is a block cipher recommended by the National Institute of Standards and Technology (NIST). When AES is used in counter mode, a counter block is encrypted and the result is XORed with a block of plain text to produce cipher text. Counter mode is useful with block devices because the encryption or decryption of a block does not depend upon the prior encryption or decryption of any other block. Counter mode has been approved by NIST. This feature is only available to kernel consumers.

For more information, see the libpkcs11(3LIB) man page.
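
The block independence described above for AES counter mode, shown as an added Go example (not Sun or Solaris code): each output block is the data block XORed with AES applied to the initial counter plus the block index, so block 2 of a buffer can be decrypted without processing blocks 0 and 1. The key, counter block, plain text and function names are constructed for illustration, and the example uses Go's user-level crypto/aes package rather than the kernel interface this feature is delivered through.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

var demoKey = []byte("0123456789abcdef")                  // constructed AES-128 key
var demoCounter0 = []byte("sector-nonce\x00\x00\x00\xff") // constructed initial counter block
var demoPlain = []byte("block0..........block1..........block2..........block3..........") // constructed

// counterAt returns counter0+n, treating the block as a big-endian integer.
func counterAt(counter0 []byte, n uint64) []byte {
	ctr := append([]byte(nil), counter0...)
	for i := len(ctr) - 1; i >= 0 && n > 0; i-- {
		sum := uint64(ctr[i]) + (n & 0xff)
		ctr[i], n = byte(sum), (n>>8)+(sum>>8)
	}
	return ctr
}

// ctrXOR: output block i = data block i XOR AES_key(counter0 + first + i).
func ctrXOR(key, counter0 []byte, first uint64, data []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil || len(counter0) != aes.BlockSize {
		return nil, fmt.Errorf("need a valid AES key and a 16-byte counter block")
	}
	out, ks := make([]byte, len(data)), make([]byte, aes.BlockSize)
	for off := 0; off < len(data); off += aes.BlockSize {
		blk.Encrypt(ks, counterAt(counter0, first+uint64(off/aes.BlockSize)))
		for i := 0; i < aes.BlockSize && off+i < len(data); i++ {
			out[off+i] = data[off+i] ^ ks[i]
		}
	}
	return out, nil
}

func stdlibCTR(key, counter0, data []byte) []byte { // cross-check with Go's own CTR mode
	blk, _ := aes.NewCipher(key)
	out := make([]byte, len(data))
	cipher.NewCTR(blk, counter0).XORKeyStream(out, data)
	return out
}

func main() {
	ct, _ := ctrXOR(demoKey, demoCounter0, 0, demoPlain)
	blk2, _ := ctrXOR(demoKey, demoCounter0, 2, ct[32:48]) // reads block 2 only
	fmt.Printf("matches crypto/cipher: %v; block 2 alone: %q\n", string(ct) == string(stdlibCTR(demoKey, demoCounter0, demoPlain)), blk2)
}
```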

PKCS #11 v2.20 Support in the Solaris Cryptographic Framework

This security enhancement is new in the Solaris 10 6/06 release.

This feature adds RSA PKCS #11 v2.20 support to the Solaris Cryptographic Framework, including the stronger SHA2 algorithms.

For a list of mechanisms that v2.20 provides, see the pkcs11_softtoken(5) man page. For a list of mechanisms that are available to users, see the digest(1) and mac(1) man pages.

Kerberos Cred Auto-Renew

This security enhancement is new in the Solaris 10 6/06 release.

In the Solaris 10 6/06 release, the Kerberos Cred Auto-Renew feature can automatically renew a user's credentials rather than sending a warning. The user is also not required to manually renew the credentials by using the kinit -R command.

For more information, see the ktkt_warnd(1M) and warn.conf(4) man pages.