This section describes how to administer the software providers and the hardware providers in the Cryptographic Framework. You can, for example, disable the implementation of an algorithm from one software provider. You can then force the system to use the algorithm from a different software provider.
Caution - Do not disable the default providers that are included with the Oracle Solaris operating system. In particular, the pkcs11_softtoken provider is a required part of Oracle Solaris and must not be disabled by using the cryptoadm command. Some of the cryptographic algorithms may be hardware accelerated. Administrators can run the following command to view a list of cryptographic algorithms for their system and check the HW column in the output:
$ cryptoadm list -vm provider='/usr/lib/security/$ISA/pkcs11_softtoken.so'`For more information, see the pkcs11_softtoken(7) man page.
If you have a strict requirement to use only FIPS 140-2 validated cryptography, you must be running the Oracle Solaris 11.3 SRU 5.6 release. Oracle completed a FIPS 140-2 validation against the Cryptographic Framework in this specific release. Oracle Solaris 11.4 builds on this validated foundation and includes software improvements that address performance, functionality, and reliability. Whenever possible, you should configure Oracle Solaris 11.4 in FIPS 140-2 mode to take advantage of these improvements.
Review Using a FIPS 140-2 Enabled System in Oracle Solaris 11.4 and plan an overall FIPS 140-2 policy for your systems.