Skip Navigation Links | |
Exit Print View | |
Oracle Solaris 11.1 Administration: Security Services Oracle Solaris 11.1 Information Library |
1. Security Services (Overview)
Part II System, File, and Device Security
2. Managing Machine Security (Overview)
3. Controlling Access to Systems (Tasks)
4. Virus Scanning Service (Tasks)
5. Controlling Access to Devices (Tasks)
6. Verifying File Integrity by Using BART (Tasks)
7. Controlling Access to Files (Tasks)
Part III Roles, Rights Profiles, and Privileges
8. Using Roles and Privileges (Overview)
9. Using Role-Based Access Control (Tasks)
10. Security Attributes in Oracle Solaris (Reference)
Part IV Cryptographic Services
11. Cryptographic Framework (Overview)
Introduction to the Cryptographic Framework
Scope of the Cryptographic Framework
Administrative Commands in the Cryptographic Framework
User-Level Commands in the Cryptographic Framework
Binary Signatures for Third-Party Software
Plugins to the Cryptographic Framework
Cryptographic Services and Zones
Cryptographic Framework and FIPS-140
Cryptographic Framework and the SPARC T-Series Servers in This Release
12. Cryptographic Framework (Tasks)
Part V Authentication Services and Secure Communication
14. Using Pluggable Authentication Modules
17. Using Simple Authentication and Security Layer
18. Network Services Authentication (Tasks)
19. Introduction to the Kerberos Service
20. Planning for the Kerberos Service
21. Configuring the Kerberos Service (Tasks)
22. Kerberos Error Messages and Troubleshooting
23. Administering Kerberos Principals and Policies (Tasks)
24. Using Kerberos Applications (Tasks)
25. The Kerberos Service (Reference)
The following list of definitions and examples is useful when working with the Cryptographic Framework.
Algorithms – Cryptographic algorithms. These are established, recursive computational procedures that encrypt or hash input. Encryption algorithms can be symmetric or asymmetric. Symmetric algorithms use the same key for encryption and decryption. Asymmetric algorithms, which are used in public-key cryptography, require two keys. Hashing functions are also algorithms.
Examples of algorithms include:
Symmetric algorithms, such as AES and ARCFOUR
Asymmetric algorithms, such as Diffie-Hellman and RSA
Hashing functions, such as MD5
Consumers – Are users of the cryptographic services that come from providers. Consumers can be applications, end users, or kernel operations.
Examples of consumers include:
Applications, such as IKE
End users, such as a regular user who runs the encrypt command
Kernel operations, such as IPsec
Keystore – In the Cryptographic Framework, is persistent storage for token objects, often used interchangeably with token. For information about a reserved keystore, see Metaslot in this list of definitions.
Mechanism – Is the application of a mode of an algorithm for a particular purpose.
For example, a DES mechanism that is applied to authentication, such as CKM_DES_MAC, is a separate mechanism from a DES mechanism that is applied to encryption, CKM_DES_CBC_PAD.
Metaslot – Is a single slot that presents a union of the capabilities of other slots which are loaded in the framework. The metaslot eases the work of dealing with all of the capabilities of the providers that are available through the framework. When an application that uses the metaslot requests an operation, the metaslot figures out which actual slot should perform the operation. Metaslot capabilities are configurable, but configuration is not required. The metaslot is on by default. To configure the metaslot, see the cryptoadm(1M) man page.
The metaslot does not have its own keystore. Rather, the metaslot reserves the use of a keystore from one of the actual slots in the Cryptographic Framework. By default, the metaslot reserves the Sun Crypto Softtoken keystore. The keystore that is used by the metaslot is not shown as one of the available slots.
Users can specify an alternate keystore for metaslot by setting the environment variables ${METASLOT_OBJECTSTORE_SLOT} and ${METASLOT_OBJECTSTORE_TOKEN}, or by running the cryptoadm command. For more information, see the libpkcs11(3LIB), pkcs11_softtoken(5), and cryptoadm(1M) man pages.
Mode – Is a version of a cryptographic algorithm. For example, CBC (Cipher Block Chaining) is a different mode from ECB (Electronic Code Book). The AES algorithm has two modes, CKM_AES_ECB and CKM_AES_CBC.
Policy – Is the choice, by an administrator, of which mechanisms to make available for use. By default, all providers and all mechanisms are available for use. The disabling of any mechanism would be an application of policy. The enabling of a disabled mechanism would also be an application of policy.
Providers – Are cryptographic services that consumers use. Providers plug in to the framework, so are also called plugins.
Examples of providers include:
PKCS #11 libraries, such as pkcs11_softtoken.so
Modules of cryptographic algorithms, such as aes and arcfour
Device drivers and their associated hardware accelerators, such as the mca driver for the Sun Crypto Accelerator 6000
Slot – Is an interface to one or more cryptographic devices. Each slot, which corresponds to a physical reader or other device interface, might contain a token. A token provides a logical view of a cryptographic device in the framework.
Token – In a slot, a token provides a logical view of a cryptographic device in the framework.