|Skip Navigation Links|
|Exit Print View|
|Oracle Solaris 11.1 Administration: Security Services Oracle Solaris 11.1 Information Library|
The framework provides commands for administrators, for users, and for developers who supply providers:
Administrative commands – The cryptoadm command provides a list subcommand to list the available providers and their capabilities. Regular users can run the cryptoadm list and the cryptoadm --help commands.
All other cryptoadm subcommands require you to assume a role that includes the Crypto Management rights profile, or to become superuser. Subcommands such as disable, install, and uninstall are available for administering the framework. For more information, see the cryptoadm(1M) man page.
The svcadm command is used to manage the kcfd daemon, and to refresh cryptographic policy in the kernel. For more information, see the svcadm(1M) man page.
User-level commands – The digest and mac commands provide file integrity services. The encrypt and decrypt commands protect files from eavesdropping. To use these commands, see Protecting Files With the Cryptographic Framework (Task Map).
The cryptoadm command administers a running Cryptographic Framework. The command is part of the Crypto Management rights profile. This profile can be assigned to a role for secure administration of the Cryptographic Framework. The cryptoadm command manages the following:
Displaying cryptographic provider information
Disabling or enabling provider mechanisms
Disabling or enabling the metaslot
The svcadm command is used to enable, refresh, and disable the cryptographic services daemon, kcfd. This command is part of the Service Management Facility (SMF) feature of Oracle Solaris. svc:/system/cryptosvcs is the service instance for the Cryptographic Framework. For more information, see the smf(5) and svcadm(1M) man pages.
The Cryptographic Framework provides user-level commands to check the integrity of files, to encrypt files, and to decrypt files. A separate command, elfsign, enables providers to sign binaries for use with the framework.
mac command – Computes a message authentication code (MAC) for one or more files or for stdin. A MAC associates data with an authenticated message. A MAC enables a receiver to verify that the message came from the sender and that the message has not been tampered with. The sha1_mac and md5_hmac mechanisms can compute a MAC.
encrypt command – Encrypts files or stdin with a symmetric cipher. The encrypt -l command lists the algorithms that are available. Mechanisms that are listed under a user-level library are available to the encrypt command. The framework provides AES, DES, 3DES (Triple-DES), and ARCFOUR mechanisms for user encryption.
The elfsign command has subcommands to request a certificate, sign binaries, and verify the signature on a binary. Unsigned binaries cannot be used by the Cryptographic Framework. Providers that have verifiable signed binaries can use the framework.
Third parties can plug their providers into the Cryptographic Framework. A third-party provider can be one of the following objects:
Loadable kernel software module, such as an encryption algorithm, MAC function, or digest function
Kernel device driver for a hardware accelerator
The objects from a provider must be signed with a certificate from Oracle. The certificate request is based on a private key that the third party selects, and a certificate that Oracle provides. The certificate request is sent to Oracle, which registers the third party and then issues the certificate. The third party then signs its provider object with the certificate from Oracle.
The loadable kernel software modules and the kernel device drivers for hardware accelerators must also register with the kernel. Registration is through the Cryptographic Framework SPI (service provider interface).