Oracle Solaris 11.1 Administration: Security Services (Oracle Solaris 11.1 Information Library)
The Key Management Framework (KMF) provides a unified approach to managing public key infrastructure (PKI) technologies. Oracle Solaris has several different applications that make use of PKI technologies. Each application provides its own programming interfaces, key storage mechanisms, and administrative utilities. If an application provides a policy enforcement mechanism, the mechanism applies to that application only. With KMF, applications use a unified set of administrative tools, a single set of programming interfaces, and a single policy enforcement mechanism. These features manage the PKI needs of all applications that adopt these interfaces.
KMF unifies the management of public key technologies with the following interfaces:
pktool command – This command manages PKI objects, such as certificates, in a variety of keystores.
kmfcfg command – This command manages the PKI policy database and third-party plugins.
PKI policy decisions include choices such as which validation method applies to an operation. PKI policy can also limit the scope of a certificate. For example, PKI policy might assert that a certificate can be used only for specific purposes. Such a policy would prevent that certificate from being used for other requests.
KMF library – This library contains programming interfaces that abstract the underlying keystore mechanism.
Applications do not have to commit to one particular keystore mechanism, but can migrate from one mechanism to another. The supported keystores are PKCS #11, NSS, and OpenSSL. The library includes a pluggable framework so that new keystore mechanisms can be added. Applications that adopt the KMF interfaces therefore require only minor modifications to use a new keystore.
KMF provides methods for managing the storage of keys and provides the overall policy for the use of those keys. KMF manages the policy, keys, and certificates for three public key technologies:
Tokens from PKCS #11 providers, that is, from the Cryptographic Framework
NSS, that is, Network Security Services
OpenSSL, a file-based keystore
The kmfcfg tool can create, modify, or delete KMF policy entries. The tool also manages plugins to the framework. KMF manages keystores through the pktool command. For more information, see the kmfcfg(1) and pktool(1) man pages, and the following sections.
KMF policy is stored in a database. This policy database is accessed internally by all applications that use the KMF programming interfaces. The database can constrain the use of the keys and certificates that are managed by the KMF library. When an application attempts to verify a certificate, the application checks the policy database. The kmfcfg command modifies the policy database.
The kmfcfg command provides the following subcommands for plugins:
list plugin – Lists plugins that are managed by KMF.
install plugin – Installs the plugin by the module's path name and creates a keystore for the plugin. To remove the plugin from KMF, you remove the keystore.
uninstall plugin – Removes the plugin from KMF by removing its keystore.
modify plugin – Enables the plugin to be run with an option that is defined in the code for the plugin, such as debug.
For more information, see the kmfcfg(1) man page. For the procedure, see How to Manage Third-Party Plugins in KMF.
KMF manages the keystores for three public key technologies: PKCS #11 tokens, NSS, and OpenSSL. For all of these technologies, the pktool command enables you to do the following:
Generate a self-signed certificate.
Generate a certificate request.
Generate a symmetric key.
Generate a public/private key pair.
Generate a PKCS #10 certificate signing request (CSR) to be sent to an external certificate authority (CA) to be signed.
Sign a PKCS #10 CSR.
Import objects into the keystore.
List the objects in the keystore.
Delete objects from the keystore.
Download a CRL.
For the PKCS #11 and NSS technologies, the pktool command also enables you to set a PIN by generating a passphrase:
Generate a passphrase for the keystore.
Generate a passphrase for an object in the keystore.
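The following script is an added example, not part of the Oracle documentation, that ties together the pktool operations listed above (key pair, PKCS #10 CSR, signing the CSR, listing the result) and the kmfcfg policy database described earlier. It uses the file-based (OpenSSL) keystore; the subject names, serial numbers, lifetimes, and the scratch policy database path are constructed for the example, and it assumes an Oracle Solaris host where pktool, kmfcfg and openssl are installed.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): a minimal file-keystore
# PKI workflow with pktool, plus a KMF policy entry that pins the CA as the
# only trust anchor. All DNs, serials and lifetimes below are constructed.
# Runs in a subshell so the caller's working directory is untouched.
kmf_demo_chain() (
    set -e
    cd "$1"

    # 1. Self-signed CA certificate and private key in the file keystore.
    pktool gencert keystore=file outcert=ca.crt outkey=ca.key \
        subject="CN=Example Internal CA" serial=0x01 \
        keytype=rsa keylen=2048 format=pem lifetime=365-day

    # 2. Server key pair and a PKCS #10 certificate signing request for it.
    pktool gencsr keystore=file outcsr=server.csr outkey=server.key \
        subject="CN=app.example.test" keytype=rsa keylen=2048 format=pem

    # 3. Sign the CSR with the CA key. The issuer DN must match the CA's
    #    subject DN, otherwise chain building fails later.
    pktool signcsr keystore=file signkey=ca.key csr=server.csr serial=0x02 \
        outcert=server.crt issuer="CN=Example Internal CA" \
        format=pem lifetime=90-day

    # 4. List the issued certificate the way pktool presents it.
    pktool list keystore=file infile=server.crt

    # 5. Independent check: the leaf must verify against this CA alone.
    openssl verify -CAfile ca.crt server.crt

    # 6. A KMF policy that accepts only this CA as trust anchor and keeps
    #    date checks on, written to a scratch database (dbfile=) so the
    #    system-wide /etc/security/kmfpolicy.xml is not modified.
    kmfcfg create dbfile="$PWD/kmfpolicy.xml" policy=internal-apps \
        ta-name="CN=Example Internal CA" ta-serial=0x01 ignore-date=false
    kmfcfg list dbfile="$PWD/kmfpolicy.xml" policy=internal-apps
)
```

Applying the policy system-wide means re-running the kmfcfg create step without dbfile= as a suitably privileged user; applications that verify through KMF then reject certificates issued by any other CA.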
For examples of using the pktool utility, see the pktool(1) man page and Using the Key Management Framework (Task Map).