Skip Navigation Links | |
Exit Print View | |
Oracle Solaris Administration: Security Services Oracle Solaris 11 Information Library |
1. Security Services (Overview)
Part II System, File, and Device Security
2. Managing Machine Security (Overview)
3. Controlling Access to Systems (Tasks)
4. Virus Scanning Service (Tasks)
5. Controlling Access to Devices (Tasks)
6. Using the Basic Audit Reporting Tool (Tasks)
7. Controlling Access to Files (Tasks)
Part III Roles, Rights Profiles, and Privileges
8. Using Roles and Privileges (Overview)
9. Using Role-Based Access Control (Tasks)
10. Security Attributes in Oracle Solaris (Reference)
Part IV Cryptographic Services
11. Cryptographic Framework (Overview)
12. Cryptographic Framework (Tasks)
Using the Cryptographic Framework (Task Map)
Protecting Files With the Cryptographic Framework (Tasks)
Protecting Files With the Cryptographic Framework (Task Map)
How to Generate a Symmetric Key by Using the dd Command
How to Generate a Symmetric Key by Using the pktool Command
How to Compute a Digest of a File
How to Compute a MAC of a File
How to Encrypt and Decrypt a File
Administering the Cryptographic Framework (Tasks)
Administering the Cryptographic Framework (Task Map)
How to List Available Providers
How to Add a Software Provider
How to Prevent the Use of a User-Level Mechanism
How to Prevent the Use of a Kernel Software Provider
How to List Hardware Providers
Part V Authentication Services and Secure Communication
14. Network Services Authentication (Tasks)
17. Using Secure Shell (Tasks)
19. Introduction to the Kerberos Service
20. Planning for the Kerberos Service
21. Configuring the Kerberos Service (Tasks)
22. Kerberos Error Messages and Troubleshooting
23. Administering Kerberos Principals and Policies (Tasks)
24. Using Kerberos Applications (Tasks)
25. The Kerberos Service (Reference)
This section describes how to administer the software providers and the hardware providers in the Cryptographic Framework. Software providers and hardware providers can be removed from use when desirable. For example, you can disable the implementation of an algorithm from one software provider. You can then force the system to use the algorithm from a different software provider.
The following task map points to procedures for administering software and hardware providers in the Cryptographic Framework.
|
The Cryptographic Framework provides algorithms for several types of consumers:
User-level providers provide a PKCS #11 cryptographic interface to applications that are linked with the libpkcs11 library
Kernel software providers provide algorithms for IPsec, Kerberos, and other Oracle Solaris kernel components
Kernel hardware providers provide algorithms that are available to kernel consumers and to applications through the pkcs11_kernel library
Note - The contents and format of the providers list varies for different Oracle Solaris releases. Run the cryptoadm list command on your system to see the providers that your system supports.
Only those mechanisms at the user level are available for use by regular users.
% cryptoadm list User-level providers: Provider: /usr/lib/security/$ISA/pkcs11_kernel.so Provider: /usr/lib/security/$ISA/pkcs11_softtoken.so Provider: /usr/lib/security/$ISA/pkcs11_tpm.so Kernel software providers: des aes arcfour blowfish ecc sha1 sha2 md4 md5 rsa swrand Kernel hardware providers: ncp/0
All mechanisms are listed in the following output. However, some of the listed mechanisms might be unavailable for use. To list only the mechanisms that the administrator has approved for use, see Example 12-20.
The output is truncated for display purposes.
% cryptoadm list -m User-level providers: ===================== Provider: /usr/lib/security/$ISA/pkcs11_kernel.so /usr/lib/security/$ISA/pkcs11_kernel.so: no slots presented. Provider: /usr/lib/security/$ISA/pkcs11_softtoken.so Mechanisms: CKM_DES_CBC CKM_DES_CBC_PAD CKM_DES_ECB CKM_DES_KEY_GEN CKM_DES_MAC_GENERAL ... CKM_ECDSA_SHA1 CKM_ECDH1_DERIVE Provider: /usr/lib/security/$ISA/pkcs11_tpm.so /usr/lib/security/$ISA/pkcs11_tpm.so: no slots presented. Kernel software providers: ========================== des: CKM_DES_ECB,CKM_DES_CBC,CKM_DES3_ECB,CKM_DES3_CBC aes: CKM_AES_ECB,CKM_AES_CBC,CKM_AES_CTR,CKM_AES_CCM,CKM_AES_GCM,CKM_AES_GMAC arcfour: CKM_RC4 blowfish: CKM_BLOWFISH_ECB,CKM_BLOWFISH_CBC ecc: CKM_EC_KEY_PAIR_GEN,CKM_ECDH1_DERIVE,CKM_ECDSA,CKM_ECDSA_SHA1 sha1: CKM_SHA_1,CKM_SHA_1_HMAC,CKM_SHA_1_HMAC_GENERAL sha2: CKM_SHA256,CKM_SHA256_HMAC,CKM_SHA256_HMAC_GENERAL,CKM_SHA384,CKM_SHA384_HMAC, CKM_SHA384_HMAC_GENERAL,CKM_SHA512,CKM_SHA512_HMAC,CKM_SHA512_HMAC_GENERAL md4: CKM_MD4 md5: CKM_MD5,CKM_MD5_HMAC,CKM_MD5_HMAC_GENERAL rsa: CKM_RSA_PKCS,CKM_RSA_X_509,CKM_MD5_RSA_PKCS,CKM_SHA1_RSA_PKCS, CKM_SHA256_RSA_PKCS,CKM_SHA384_RSA_PKCS,CKM_SHA512_RSA_PKCS swrand: No mechanisms presented. Kernel hardware providers: ========================== ncp/0: CKM_DSA,CKM_RSA_X_509,CKM_RSA_PKCS,CKM_RSA_PKCS_KEY_PAIR_GEN, CKM_DH_PKCS_KEY_PAIR_GEN,CKM_DH_PKCS_DERIVE,CKM_EC_KEY_PAIR_GEN, CKM_ECDH1_DERIVE,CKM_ECDSA
Example 12-19 Finding the Existing Cryptographic Mechanisms
In the following example, all mechanisms that the user-level library, pkcs11_softtoken, offers are listed.
% cryptoadm list -m provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so Mechanisms: CKM_DES_CBC CKM_DES_CBC_PAD CKM_DES_ECB CKM_DES_KEY_GEN CKM_DES_MAC_GENERAL CKM_DES_MAC … CKM_ECDSA CKM_ECDSA_SHA1 CKM_ECDH1_DERIVE
Example 12-20 Finding the Available Cryptographic Mechanisms
Policy determines which mechanisms are available for use. The administrator sets the policy. An administrator can choose to disable mechanisms from a particular provider. The -p option displays the list of mechanisms that are permitted by the policy that the administrator has set.
% cryptoadm list -p User-level providers: ===================== /usr/lib/security/$ISA/pkcs11_kernel.so: all mechanisms are enabled. /usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled, except CKM_MD5. random is enabled. /usr/lib/security/$ISA/pkcs11_tpm.so: all mechanisms are enabled. Kernel software providers: ========================== des: all mechanisms are enabled. aes: all mechanisms are enabled. arcfour: all mechanisms are enabled. blowfish: all mechanisms are enabled. ecc: all mechanisms are enabled. sha1: all mechanisms are enabled. sha2: all mechanisms are enabled. md4: all mechanisms are enabled. md5: all mechanisms are enabled. rsa: all mechanisms are enabled. swrand: random is enabled. Kernel hardware providers: ========================== ncp/0: all mechanisms are enabled. random is enabled.
Example 12-21 Determining Which Cryptographic Mechanisms Perform Which Functions
Mechanisms perform specific cryptographic functions, such as signing or key generation. The -v -m options display every mechanism and its functions.
In this instance, the administrator wants to determine for which functions the CKM_ECDSA* mechanisms can be used.
% cryptoadm list -vm User-level providers: ===================== Provider: /usr/lib/security/$ISA/pkcs11_kernel.so /usr/lib/security/$ISA/pkcs11_kernel.so: no slots presented. Provider: /usr/lib/security/$ISA/pkcs11_softtoken.so ... CKM_ECDSA 112 571 . . . . X . X . . . . . . CKM_ECDSA_SHA1 112 571 . . . . X . X . . . . . . ...
The listing indicates that these user-level mechanisms are available from the /usr/lib/security/$ISA/pkcs11_softtoken.so library.
Each item in an entry represents a piece of information about the mechanism. For these ECC mechanisms, the listing indicates the following:
Minimum length – 112 bytes
Maximum length – 571 bytes
Hardware – Is not available on hardware.
Encrypt – Is not used to encrypt data.
Decrypt – Is not used to decrypt data.
Digest – Is not used to create message digests.
Sign – Is used to sign data.
Sign + Recover – Is not used to sign data, where the data can be recovered from the signature.
Verify – Is used to verify signed data.
Verify + Recover– Is not used to verify data that can be recovered from the signature.
Key generation – Is not used to generate a private key.
Pair generation – Is not used to generate a key pair.
Wrap – Is not used to wrap. that is, encrypt, an existing key.
Unwrap – Is not used to unwrap a wrapped key.
Derive – Is not used to derive a new key from a base key.
Before You Begin
You must be assigned the Crypto Management rights profile.
For more information, see How to Obtain Administrative Rights.
% cryptoadm list User-level providers: Provider: /usr/lib/security/$ISA/pkcs11_kernel.so Provider: /usr/lib/security/$ISA/pkcs11_softtoken.so /usr/lib/security/$ISA/pkcs11_tpm.so: all mechanisms are enabled. Kernel software providers: des aes arcfour blowfish sha1 sha2 md4 md5 rsa swrand Kernel hardware providers: ncp/0
Existing provider software has been issued a certificate by Oracle.
You need to refresh providers if you added a software provider, or if you added hardware and specified policy for the hardware.
# svcadm refresh svc:/system/cryptosvc
In this case, a new kernel software provider was installed.
# cryptoadm list … Kernel software providers: des aes arcfour blowfish ecc sha1 sha2 md4 md5 rsa swrand sha3 <-- added provider …
Example 12-22 Adding a User-Level Software Provider
In the following example, a signed PKCS #11 library is installed.
# pkgadd -d /cdrom/cdrom0/SolarisNew Answer the prompts # svcadm refresh system/cryptosvc # cryptoadm list user-level providers: ========================== /usr/lib/security/$ISA/pkcs11_kernel.so /usr/lib/security/$ISA/pkcs11_softtoken.so /usr/lib/security/$ISA/pkcs11_tpm.so /opt/lib/$ISA/libpkcs11.so.1 <-- added provider
Developers who are testing a library with the Cryptographic Framework can install the library manually.
# cryptoadm install provider=/opt/lib/\$ISA/libpkcs11.so.1
If some of the cryptographic mechanisms from a library provider should not be used, you can remove selected mechanisms. This procedure uses the DES mechanisms in the pkcs11_softtoken library as an example.
Before You Begin
You must be assigned the Crypto Management rights profile.
For more information, see How to Obtain Administrative Rights.
% cryptoadm list -m provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so /usr/lib/security/$ISA/pkcs11_softtoken.so: CKM_DES_CBC,CKM_DES_CBC_PAD,CKM_DES_ECB,CKM_DES_KEY_GEN, CKM_DES3_CBC,CKM_DES3_CBC_PAD,CKM_DES3_ECB,CKM_DES3_KEY_GEN, CKM_AES_CBC,CKM_AES_CBC_PAD,CKM_AES_ECB,CKM_AES_KEY_GEN, …
$ cryptoadm list -p user-level providers: ===================== … /usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled. random is enabled. …
$ cryptoadm disable provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so \ > mechanism=CKM_DES_CBC,CKM_DES_CBC_PAD,CKM_DES_ECB
$ cryptoadm list -p provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so /usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled, except CKM_DES_ECB,CKM_DES_CBC_PAD,CKM_DES_CBC. random is enabled.
Example 12-23 Enabling a User-Level Software Provider Mechanism
In the following example, a disabled DES mechanism is again made available for use.
$ cryptoadm list -m provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so /usr/lib/security/$ISA/pkcs11_softtoken.so: CKM_DES_CBC,CKM_DES_CBC_PAD,CKM_DES_ECB,CKM_DES_KEY_GEN, CKM_DES3_CBC,CKM_DES3_CBC_PAD,CKM_DES3_ECB,CKM_DES3_KEY_GEN, … $ cryptoadm list -p provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so /usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled, except CKM_DES_ECB,CKM_DES_CBC_PAD,CKM_DES_CBC. random is enabled. $ cryptoadm enable provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so \ > mechanism=CKM_DES_ECB $ cryptoadm list -p provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so /usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled, except CKM_DES_CBC_PAD,CKM_DES_CBC. random is enabled.
Example 12-24 Enabling All User-Level Software Provider Mechanisms
In the following example, all mechanisms from the user-level library are enabled.
$ cryptoadm enable provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so all $ cryptoadm list -p provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so /usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled. random is enabled.
Example 12-25 Permanently Removing User-Level Software Provider Availability
In the following example, the libpkcs11.so.1 library is removed.
$ cryptoadm uninstall provider=/opt/lib/\$ISA/libpkcs11.so.1 $ cryptoadm list user-level providers: /usr/lib/security/$ISA/pkcs11_kernel.so /usr/lib/security/$ISA/pkcs11_softtoken.so /usr/lib/security/$ISA/pkcs11_tpm.so kernel software providers: …
If the Cryptographic Framework provides multiple modes of a provider such as AES, you might remove a slow mechanism from use, or a corrupted mechanism. This procedure uses the AES algorithm as an example.
Before You Begin
You must be assigned the Crypto Management rights profile.
For more information, see How to Obtain Administrative Rights.
$ cryptoadm list -m provider=aes aes: CKM_AES_ECB,CKM_AES_CBC,CKM_AES_CTR,CKM_AES_CCM,CKM_AES_GCM,CKM_AES_GMAC
$ cryptoadm list -p provider=aes aes: all mechanisms are enabled.
$ cryptoadm disable provider=aes mechanism=CKM_AES_ECB
$ cryptoadm list -p provider=aes aes: all mechanisms are enabled, except CKM_AES_ECB.
Example 12-26 Enabling a Kernel Software Provider Mechanism
In the following example, a disabled AES mechanism is again made available for use.
cryptoadm list -m provider=aes aes: CKM_AES_ECB,CKM_AES_CBC,CKM_AES_CTR,CKM_AES_CCM,CKM_AES_GCM,CKM_AES_GMAC $ cryptoadm list -p provider=aes aes: all mechanisms are enabled, except CKM_AES_ECB. $ cryptoadm enable provider=aes mechanism=CKM_AES_ECB $ cryptoadm list -p provider=aes aes: all mechanisms are enabled.
Example 12-27 Temporarily Removing Kernel Software Provider Availability
In the following example, the AES provider is temporarily removed from use. The unload subcommand is useful to prevent a provider from being loaded automatically while the provider is being uninstalled. For example, the unload subcommand would be used when installing a patch that affects the provider.
$ cryptoadm unload provider=aes
$ cryptoadm list … Kernel software providers: des aes (inactive) arcfour blowfish ecc sha1 sha2 md4 md5 rsa swrand
The AES provider is unavailable until the Cryptographic Framework is refreshed.
$ svcadm refresh system/cryptosvc
$ cryptoadm list … Kernel software providers: des aes arcfour blowfish ecc sha1 sha2 md4 md5 rsa swrand
If a kernel consumer is using the kernel software provider, the software is not unloaded. An error message is displayed and the provider continues to be available for use.
Example 12-28 Permanently Removing Software Provider Availability
In the following example, the AES provider is removed from use. Once removed, the AES provider does not appear in the policy listing of kernel software providers.
$ cryptoadm uninstall provider=aes
$ cryptoadm list … Kernel software providers: des arcfour blowfish ecc sha1 sha2 md4 md5 rsa swrand
If a kernel consumer is using the kernel software provider, an error message is displayed and the provider continues to be available for use.
Example 12-29 Reinstalling a Removed Kernel Software Provider
In the following example, the AES kernel software provider is reinstalled.
$ cryptoadm install provider=aes \ mechanism=CKM_AES_ECB,CKM_AES_CBC,CKM_AES_CTR,CKM_AES_CCM,CKM_AES_GCM,CKM_AES_GMAC
$ cryptoadm list … Kernel software providers: des aes arcfour blowfish ecc sha1 sha2 md4 md5 rsa swrand
Hardware providers are automatically located and loaded. For more information, see driver.conf(4) man page.
Before You Begin
When you have hardware that expects to be used within the Cryptographic Framework, the hardware registers with the SPI in the kernel. The framework checks that the hardware driver is signed. Specifically, the framework checks that the object file of the driver is signed with a certificate that Sun issues.
For example, the Sun Crypto Accelerator 6000 board (mca), the ncp driver for the cryptographic accelerator on the UltraSPARC T1 and T2 processors (ncp), and the n2cp driver for the UltraSPARC T2 processors (n2cp) plug hardware mechanisms into the framework.
For information about getting your provider signed, see Binary Signatures for Third-Party Software.
% cryptoadm list … kernel hardware providers: ncp/0
% cryptoadm list -m provider=ncp/0 ncp/0: CKM_DSA CKM_RSA_X_509 ... CKM_ECDH1_DERIVE CKM_ECDSA
% cryptoadm list -p provider=ncp/0 ncp/0: all mechanisms are enabled.
You can selectively disable mechanisms and the random number feature from a hardware provider. To enable them again, see Example 12-30. The hardware in this example, the Sun Crypto Accelerator 1000 board, provides a random number generator.
Before You Begin
You must be assigned the Crypto Management rights profile.
For more information, see How to Obtain Administrative Rights.
List the hardware provider.
# cryptoadm list ... Kernel hardware providers: dca/0
# cryptoadm list -m provider=dca/0 dca/0: CKM_RSA_PKCS, CKM_RSA_X_509, CKM_DSA, CKM_DES_CBC, CKM_DES3_CBC random is enabled. # cryptoadm disable provider=dca/0 mechanism=CKM_DES_CBC,CKM_DES3_CBC # cryptoadm list -p provider=dca/0 dca/0: all mechanisms are enabled except CKM_DES_CBC,CKM_DES3_CBC. random is enabled.
# cryptoadm list -p provider=dca/0 dca/0: all mechanisms are enabled. random is enabled. # cryptoadm disable provider=dca/0 random # cryptoadm list -p provider=dca/0 dca/0: all mechanisms are enabled. random is disabled.
# cryptoadm list -p provider=dca/0 dca/0: all mechanisms are enabled. random is enabled. # cryptoadm disable provider=dca/0 mechanism=all # cryptoadm list -p provider=dca/0 dca/0: all mechanisms are disabled. random is enabled.
# cryptoadm list -p provider=dca/0 dca/0: all mechanisms are enabled. random is enabled. # cryptoadm disable provider=dca/0 all # cryptoadm list -p provider=dca/0 dca/0: all mechanisms are disabled. random is disabled.
Example 12-30 Enabling Mechanisms and Features on a Hardware Provider
In the following examples, disabled mechanisms on a piece of hardware are selectively enabled.
# cryptoadm list -p provider=dca/0 dca/0: all mechanisms are enabled except CKM_DES_ECB,CKM_DES3_ECB
. random is enabled. # cryptoadm enable provider=dca/0 mechanism=CKM_DES3_ECB # cryptoadm list -p provider=dca/0 dca/0: all mechanisms are enabled except CKM_DES_ECB. random is enabled.
In the following example, only the random generator is enabled.
# cryptoadm list -p provider=dca/0 dca/0: all mechanisms are enabled, except CKM_MD5,CKM_MD5_HMAC,…. random is disabled. # cryptoadm enable provider=dca/0 random # cryptoadm list -p provider=dca/0 dca/0: all mechanisms are enabled, except CKM_MD5,CKM_MD5_HMAC,…. random is enabled.
In the following example, only the mechanisms are enabled. The random generator continues to be disabled.
# cryptoadm list -p provider=dca/0 dca/0: all mechanisms are enabled, except CKM_MD5,CKM_MD5_HMAC,…. random is disabled. # cryptoadm enable provider=dca/0 mechanism=all # cryptoadm list -p provider=dca/0 dca/0: all mechanisms are enabled. random is disabled.
In the following example, every feature and mechanism on the board is enabled.
# cryptoadm list -p provider=dca/0 dca/0: all mechanisms are enabled, except CKM_DES_ECB,CKM_DES3_ECB. random is disabled. # cryptoadm enable provider=dca/0 all # cryptoadm list -p provider=dca/0 dca/0: all mechanisms are enabled. random is enabled.
By default, the Cryptographic Framework is enabled. When the kcfd daemon fails for any reason, the Service Management Facility (SMF) can be used to restart cryptographic services. For more information, see the smf(5) and svcadm(1M) man pages. For the effect on zones of restarting cryptographic services, see Cryptographic Services and Zones.
Before You Begin
You must be assigned the Crypto Management rights profile.
For more information, see How to Obtain Administrative Rights.
% svcs cryptosvc STATE STIME FMRI offline Dec_09 svc:/system/cryptosvc:default
# svcadm enable svc:/system/cryptosvc
Example 12-31 Refreshing Cryptographic Services
In the following example, cryptographic services are refreshed in the global zone. Therefore, kernel-level cryptographic policy in every non-global zone is also refreshed.
# svcadm refresh system/cryptosvc