man pages section 5: Standards, Environments, and Macros     Oracle Solaris 11 Express 11/10
pkcs11_kms - RSA PKCS#11 provider for the Key Management Server

Synopsis

/usr/lib/security/pkcs11_kms.so
/usr/lib/security/64/pkcs11_kms.so

Description

The pkcs11_kms.so object implements the RSA PKCS#11 v2.20 specification on top of the Key Management Server (KMS) client protocols, which it uses to talk to a KMS secure key storage appliance. The provider communicates with the remote KMS using the (private) KMS client protocol.

The following PKCS#11 mechanisms are supported in this provider: CKM_AES_KEY_GEN, CKM_AES_CBC_PAD, and CKM_AES_CBC.

The following PKCS#11 interfaces are supported by this provider:

C_Initialize
C_Finalize
C_GetInfo
C_GetAttributeValue
C_SetAttributeValue
C_GetFunctionList
C_GetSlotList
C_GetSlotInfo
C_GetTokenInfo
C_GetMechanismList
C_GetMechanismInfo
C_InitToken
C_SetPIN
C_Login
C_Logout
C_FindObjectsInit/C_FindObjects/C_FindObjectsFinal
C_GenerateKey
C_EncryptInit/C_Encrypt/C_EncryptFinal
C_DecryptInit/C_Decrypt/C_DecryptFinal
C_DestroyObject
C_OpenSession
C_CloseSession
C_CloseAllSessions

All other functions return CKR_FUNCTION_NOT_SUPPORTED when called.

Prerequisites

The pkcs11_kms provider can only be used on a system that has access to a KMS. The KMS administrator must configure a user profile and agent ID for each user (or application) that accesses the KMS. This is done with the KMS utilities, which are part of the KMS administrative tools and are not bundled with Solaris.

Once the KMS administrator has configured the KMS for use and communicated the parameters to the client (that is, the Solaris user or application), the Solaris PKCS#11 KMS provider can be initialized for use.

Initialization is done with the kmscfg(1M) utility. At a minimum, kmscfg requires the user to enter the name of the KMS profile, the name of the KMS agent, the initial password used to secure the profile, and the IP address of the KMS, in order to initialize the local provider configuration files for further use.

See the kmscfg(1M) manual page for details.

Once kmscfg has been run and the local token namespace has been configured, the user can then initialize the token for use. Initializing the token is done using the pktool(1) command as follows:

$ pktool inittoken currlabel=KMS

The user has to supply the default SO (security officer) PIN before being able to initialize the KMS provider for use. The default SO PIN is whatever was used by the KMS administrator when initially setting up the KMS profile. The user initializing the token must know this passphrase in order to initialize the provider.

Once the provider is initialized, the user PIN can be changed from the default values. Again, pktool(1) is used to change the PIN value.

Use the following command to change the local PIN:

$ pktool setpin token=KMS

The PIN provided to the pktool setpin operation, or to the C_Login() and C_SetPIN() functions, can be any string of characters with a length between 1 and 256 and no embedded nulls.

Accessing the Token

After a user initializes their token, they can begin using it with pktool(1), decrypt(1), encrypt(1), or by writing PKCS#11 applications that specify the KMS token.

Examples

Example 1 Creating a Key in the KMS

The following command creates a key in the KMS:

$ pktool genkey token=KMS label=mykey1 keytype=aes keylen=256

Example 2 Encrypting a File Using a Key from the KMS

The following command encrypts a file using a key from the KMS:

$ encrypt -a aes -K mykey1 -T KMS -i input.txt -o output.enc

Example 3 Decrypting a File Using a Key From the KMS

The following command decrypts a file using a key from the KMS:

$ decrypt -a aes -K mykey1 -T KMS -i output.enc -o output.txt
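The provisioning steps (kmscfg, pktool inittoken, pktool setpin) and the three examples above as one script, added here as an example that is not part of this manual page. It assumes the KMS tools are on the PATH, uses the KMSTOKEN_DIR default from the Notes section, and adds a DRY_RUN switch and a decrypt-matches-original check that the page does not show.

```shell
#!/bin/sh
# Added example, not from the pkcs11_kms(5) page: the page's provisioning and
# key-use steps as one script, with a dry-run mode for reviewing the commands.
set -eu

# Page default for the private token directory; must be set before any of the
# KMS tools run, so export it here rather than in each shell.
: "${KMSTOKEN_DIR:=/var/kms/$(id -un)}"
export KMSTOKEN_DIR

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# PIN rule from the page: 1 to 256 characters. Shell variables cannot hold NUL,
# so the no-embedded-nulls rule is enforced by the shell itself.
pin_ok() {
    n=${#1}
    [ "$n" -ge 1 ] && [ "$n" -le 256 ]
}

# One-time setup in the page's order: local config, token init, PIN change.
# kmscfg prompts for the profile, agent, password and KMS address (kmscfg(1M)).
kms_provision() {
    run kmscfg
    run pktool inittoken currlabel=KMS   # asks for the SO PIN set on the KMS profile
    run pktool setpin token=KMS          # replaces the default user PIN
}

# Key lifecycle: generate an AES-256 key in the KMS, encrypt, decrypt, verify.
kms_roundtrip() {
    label=$1; src=$2; enc=$3; out=$4
    run pktool genkey token=KMS label="$label" keytype=aes keylen=256
    run encrypt -a aes -K "$label" -T KMS -i "$src" -o "$enc"
    run decrypt -a aes -K "$label" -T KMS -i "$enc" -o "$out"
    # Real run only: the decrypted file must match the original byte for byte.
    [ "${DRY_RUN:-0}" = 1 ] || cmp -s "$src" "$out"
}
```

Run `DRY_RUN=1 sh script.sh` style invocations of the two functions first to review the exact commands; without DRY_RUN the script executes them against the configured KMS token.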

Attributes

See attributes(5) for a description of the following attributes:

ATTRIBUTE TYPE          ATTRIBUTE VALUE
Availability            /system/library/security/crypto/pkcs11_kms
Interface Stability     Committed
MT-Level                MT-Safe with Exceptions. See below.
Standard                PKCS#11 v2.20

Exceptions to MT-Safe attribute are documented in section 6.5.2 of RSA PKCS#11 v2.20.

See Also

decrypt(1), encrypt(1), pktool(1), cryptoadm(1M), kmscfg(1M), libpkcs11(3LIB), attributes(5)

KMS 2.2: Administration Guide

Notes

pkcs11_kms.so uses a private directory for holding configuration files and other data needed to initialize the connection to the KMS. The private directory is local to the host on which it was first created. By default, the KMS token directory space is in /var/kms/$USERNAME. The default KMS directory can be overridden by setting the KMSTOKEN_DIR environment variable prior to using the kmscfg(1M), decrypt(1), encrypt(1), and pktool(1) commands.