Developer's Guide to Oracle® Solaris 11 Security


Updated: July 2014

KMF Policy Enforcement Mechanisms

KMF policy is a hierarchical tree of policies. A default policy is defined when the system is installed. The default policy applies unless the application asserts a different policy.

Policy parameters control the use of X.509 certificates by an application. KMF policy applies to all certificates and is not restricted to any particular keystore.

Use the kmfcfg(1) utility to manage the KMF policy database and configure plugins. You can use kmfcfg to list, create, modify, delete, import, and export policy definitions in the system default database file /etc/security/kmfpolicy.xml or in a user-defined database file (dbfile=). Note that you cannot modify the default policy in the system KMF policy database; to change behavior, create a new named policy and have the application assert it. For plugin configuration, you can use kmfcfg to display plugin information, install or uninstall a KMF plugin, and modify plugin options.

The following list shows some of the KMF policy attributes. See the kmfcfg(1) man page for a complete list and descriptions of these policy attributes.

  • Policy Name. Applications reference this name.

  • Default Keystore. Examples include NSS, files, PKCS11.

  • Ignore Date. Ignore the validity periods defined in the certificates when evaluating their validity.

  • Ignore Unknown EKU. Ignore any unrecognized EKU values in the Extended Key Usage extension.

  • Token Label. This attribute only applies to NSS or PKCS11 keystores.

  • Validation Method. Examples include OCSP and CRL.

  • Key Usage Values. This attribute is a comma-separated list of key usage values that are required by the policy being defined. Every listed bit must be set in the certificate's Key Usage extension in order to use the certificate.

  • Extended Key Usage Values. This attribute is a comma-separated list of Extended Key Usage OIDs that are required by the policy being defined. Every listed OID must be present in the certificate's Extended Key Usage extension in order to use the certificate.

See the kmfpolicy.h file for definitions of policy data types.
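The following is an added example, not code from Oracle Solaris or libkmf, that models how the attributes above combine when a certificate is evaluated: required Key Usage bits, required EKU OIDs, the Ignore Unknown EKU and Ignore Date switches, and the kmfcfg(1) keyword arguments (dbfile=, policy=, ignore-date=, ignore-unknown-eku=, keyusage=, ekuname=, ekuoids=) that would create the same policy in a user-defined database file. The XML element and attribute names, the EKU name table, and the certificate summaries are constructed assumptions for this example; verify the real layout against the kmfpolicy DTD and the kmfcfg(1) man page on your system.

```python
"""Model of KMF-style policy evaluation.  Added example; not Oracle's libkmf
code.  XML layout, EKU name table and sample certificates are assumptions."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

# Standard EKU names/OIDs from RFC 5280 and RFC 6960 (assumed to match the
# names kmfcfg's ekuname= keyword accepts; check kmfcfg(1)).
EKU_NAMES = {
    "serverAuth": "1.3.6.1.5.5.7.3.1",
    "clientAuth": "1.3.6.1.5.5.7.3.2",
    "codeSigning": "1.3.6.1.5.5.7.3.3",
    "emailProtection": "1.3.6.1.5.5.7.3.4",
    "timeStamping": "1.3.6.1.5.5.7.3.8",
    "OCSPSigning": "1.3.6.1.5.5.7.3.9",
}
KNOWN_EKU_OIDS = set(EKU_NAMES.values())

# Constructed policy definition; element names are an assumption modeled on
# the attributes this page lists, not a copy of /etc/security/kmfpolicy.xml.
POLICY_XML = """<KMF-Policy-Definition name="tls-server"
                       ignore-date="false" ignore-unknown-eku="false">
  <Key-Usage>
    <Key-Usage-Value use="digitalSignature"/>
    <Key-Usage-Value use="keyEncipherment"/>
  </Key-Usage>
  <Extended-Key-Usage>
    <Extended-Key-Usage-Name name="serverAuth"/>
  </Extended-Key-Usage>
</KMF-Policy-Definition>"""

def parse_policy(xml_text):
    """Turn the policy XML into a dict of the attributes the checker needs."""
    root = ET.fromstring(xml_text)
    return {
        "name": root.get("name"),
        "ignore_date": root.get("ignore-date", "false") == "true",
        "ignore_unknown_eku": root.get("ignore-unknown-eku", "false") == "true",
        "key_usage": {e.get("use") for e in root.iter("Key-Usage-Value")},
        "eku": {EKU_NAMES[e.get("name")] for e in root.iter("Extended-Key-Usage-Name")}
               | {e.get("oid") for e in root.iter("Extended-Key-Usage-OID")},
    }

def evaluate(policy, cert, now):
    """Return the list of policy violations; an empty list means usable."""
    problems = []
    if not policy["ignore_date"] and not (cert["not_before"] <= now <= cert["not_after"]):
        problems.append("outside validity period")
    missing_ku = policy["key_usage"] - cert["key_usage"]      # every bit required
    if missing_ku:
        problems.append("missing key usage: " + ",".join(sorted(missing_ku)))
    missing_eku = policy["eku"] - cert["eku"]                  # every OID required
    if missing_eku:
        problems.append("missing EKU: " + ",".join(sorted(missing_eku)))
    unknown = cert["eku"] - KNOWN_EKU_OIDS                     # unrecognized EKUs
    if unknown and not policy["ignore_unknown_eku"]:
        problems.append("unrecognized EKU: " + ",".join(sorted(unknown)))
    return problems

def kmfcfg_create_args(policy, dbfile):
    """kmfcfg(1) keyword=value arguments that create the same policy in a
    user-defined database file (keywords as documented in kmfcfg(1))."""
    args = ["kmfcfg", "create", "dbfile=" + dbfile, "policy=" + policy["name"],
            "ignore-date=" + str(policy["ignore_date"]).lower(),
            "ignore-unknown-eku=" + str(policy["ignore_unknown_eku"]).lower()]
    if policy["key_usage"]:
        args.append("keyusage=" + ",".join(sorted(policy["key_usage"])))
    names = sorted(n for n, oid in EKU_NAMES.items() if oid in policy["eku"])
    oids = sorted(policy["eku"] - KNOWN_EKU_OIDS)
    if names:
        args.append("ekuname=" + ",".join(names))
    if oids:
        args.append("ekuoids=" + ",".join(oids))
    return args

# Constructed certificate summaries (what a parser would pull from X.509).
NOW = datetime(2014, 7, 1, tzinfo=timezone.utc)
SERVER_CERT = {
    "subject": "CN=www.example.com",
    "key_usage": {"digitalSignature", "keyEncipherment"},
    "eku": {EKU_NAMES["serverAuth"]},
    "not_before": datetime(2014, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2016, 1, 1, tzinfo=timezone.utc),
}
SIGNING_CERT = dict(SERVER_CERT, subject="CN=builds", key_usage={"digitalSignature"},
                    eku={EKU_NAMES["codeSigning"], "1.2.3.4.5"})   # 1.2.3.4.5: made-up EKU
EXPIRED_CERT = dict(SERVER_CERT, not_after=datetime(2014, 6, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    policy = parse_policy(POLICY_XML)
    for cert in (SERVER_CERT, SIGNING_CERT, EXPIRED_CERT):
        print(cert["subject"], evaluate(policy, cert, NOW) or "OK")
    print(" ".join(kmfcfg_create_args(policy, "/tmp/mypolicy.xml")))
```

The two relaxed switches are the ones to watch in review: setting ignore-date=true accepts expired certificates, and ignore-unknown-eku=true accepts a certificate that carries an EKU the policy does not recognize, so both should be enabled only for a named policy that a specific application asserts, never by adding them to a general-purpose policy.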

The following plugin libraries are provided in Oracle Solaris KMF:

  • PKCS#11 keystore plugin: kmf_pkcs11

  • OpenSSL keystore plugin: kmf_openssl

  • NSS keystore plugin: kmf_nss