Managing Encryption and Certificates in Oracle® Solaris 11.2

Exit Print View

Updated: September 2014

Managing Public Key Technologies

KMF centralizes the management of public key technologies (PKI). Oracle Solaris has several different applications that make use of PKI technologies. Each application provides its own programming interfaces, key storage mechanisms, and administrative utilities. If an application provides a policy enforcement mechanism, the mechanism applies to that application only. With KMF, applications use a unified set of administrative tools, a single set of programming interfaces, and a single policy enforcement mechanism. These features manage the PKI needs of all applications that adopt these interfaces.

    KMF unifies the management of public key technologies with the following interfaces:

  • pktool command – Manages PKI objects, such as certificates, in a variety of keystores.

  • kmfcfg command – Manages the PKI policy database and third-party plugins.

    PKI policy decisions include operations such as the validation method for an operation. Also, PKI policy can limit the scope of a certificate. For example, PKI policy might assert that a certificate can be used only for specific purposes. Such a policy would prevent that certificate from being used for other requests.

  • KMF library – Contains programming interfaces that abstract the underlying keystore mechanism.

    Applications do not have to choose one particular keystore mechanism, but can migrate from one mechanism to another mechanism. The supported keystores are PKCS #11, NSS, and OpenSSL. The library includes a pluggable framework so that new keystore mechanisms can be added. Therefore, applications that use the new mechanisms would require only minor modifications to use a new keystore.