Oracle Solaris 11.1 Administration: Security Services     Oracle Solaris 11.1 Information Library

Administering the Cryptographic Framework (Tasks)

This section describes how to administer the software providers and the hardware providers in the Cryptographic Framework. Software providers and hardware providers can be removed from use when desirable. For example, you can disable the implementation of an algorithm from one software provider. You can then force the system to use the algorithm from a different software provider.

Administering the Cryptographic Framework (Task Map)

The following task map points to procedures for administering software and hardware providers in the Cryptographic Framework.

Task: List the providers in the Cryptographic Framework.
Description: Lists the algorithms, libraries, and hardware devices that are available for use in the Cryptographic Framework.
For Instructions: How to List Available Providers

Task: Enable FIPS-140 mode.
Description: Runs the Cryptographic Framework to a U.S. government standard for cryptography modules.
For Instructions: How to Use the Cryptographic Framework in FIPS-140 Mode

Task: Add a software provider.
Description: Adds a PKCS #11 library or a kernel module to the Cryptographic Framework. The provider must be signed.
For Instructions: How to Add a Software Provider

Task: Prevent the use of a user-level mechanism.
Description: Removes a software mechanism from use. The mechanism can be enabled again.
For Instructions: How to Prevent the Use of a User-Level Mechanism

Task: Temporarily disable mechanisms from a kernel module.
Description: Temporarily removes a mechanism from use. Usually used for testing.
For Instructions: Example 12-23 Temporarily Removing Kernel Software Provider Availability

Task: Uninstall a library.
Description: Removes a user-level software provider from use.
For Instructions: Example 12-21 Permanently Removing User-Level Software Provider Availability

Task: Uninstall a kernel provider.
Description: Removes a kernel software provider from use.
For Instructions: Example 12-24 Permanently Removing Software Provider Availability

Task: List available hardware providers.
Description: Shows the attached hardware, shows the mechanisms that the hardware provides, and shows which mechanisms are enabled for use.
For Instructions: How to List Hardware Providers

Task: Disable mechanisms from a hardware provider.
Description: Ensures that selected mechanisms on a hardware accelerator are not used.
For Instructions: How to Disable Hardware Provider Mechanisms and Features

Task: Restart or refresh cryptographic services.
Description: Ensures that cryptographic services are available.
For Instructions: How to Refresh or Restart All Cryptographic Services

How to List Available Providers

The Cryptographic Framework provides algorithms for several types of consumers:

  1. List the providers in a brief format.

    Note - The contents and format of the providers list varies for different Oracle Solaris releases and different platforms. Run the cryptoadm list command on your system to see the providers that your system supports.


    Only those mechanisms at the user level are available for use by regular users.

    % cryptoadm list
    User-level providers:
    Provider: /usr/lib/security/$ISA/pkcs11_kernel.so
    Provider: /usr/lib/security/$ISA/pkcs11_softtoken.so
    Provider: /usr/lib/security/$ISA/pkcs11_tpm.so
    
    Kernel software providers:
        des
        aes
        arcfour
        blowfish
        ecc
        sha1
        sha2
        md4
        md5
        rsa
        swrand
        n2rng/0
        ncp/0
        n2cp/0
  2. List the providers and their mechanisms in the Cryptographic Framework.

    All mechanisms are listed in the following output. However, some of the listed mechanisms might be unavailable for use. To list only the mechanisms that the administrator has approved for use, see Example 12-16.

    The output is truncated for display purposes.

    % cryptoadm list -m
    User-level providers:
    =====================
    
    Provider: /usr/lib/security/$ISA/pkcs11_kernel.so
    
    Mechanisms:
    CKM_DSA                      
    CKM_RSA_X_509                
    CKM_RSA_PKCS                 
    ...
    CKM_SHA256_HMAC_GENERAL      
    CKM_SSL3_MD5_MAC             
    
    Provider: /usr/lib/security/$ISA/pkcs11_softtoken.so
    Mechanisms:
    CKM_DES_CBC                  
    CKM_DES_CBC_PAD              
    CKM_DES_ECB                  
    CKM_DES_KEY_GEN              
    CKM_DES_MAC_GENERAL          
    ...
    CKM_ECDSA_SHA1               
    CKM_ECDH1_DERIVE             
    
    Provider: /usr/lib/security/$ISA/pkcs11_tpm.so
    /usr/lib/security/$ISA/pkcs11_tpm.so: no slots presented.
    
    Kernel providers:
    ==========================
    des: CKM_DES_ECB,CKM_DES_CBC,CKM_DES3_ECB,CKM_DES3_CBC
    aes: CKM_AES_ECB,CKM_AES_CBC,CKM_AES_CTR,CKM_AES_CCM,CKM_AES_GCM,CKM_AES_GMAC,
    CKM_AES_CFB128,CKM_AES_XTS,CKM_AES_XCBC_MAC
    arcfour: CKM_RC4
    blowfish: CKM_BLOWFISH_ECB,CKM_BLOWFISH_CBC
    ecc: CKM_EC_KEY_PAIR_GEN,CKM_ECDH1_DERIVE,CKM_ECDSA,CKM_ECDSA_SHA1
    sha1: CKM_SHA_1,CKM_SHA_1_HMAC,CKM_SHA_1_HMAC_GENERAL
    sha2: CKM_SHA224,CKM_SHA224_HMAC,...CKM_SHA512_256_HMAC_GENERAL
    
    md4: CKM_MD4
    md5: CKM_MD5,CKM_MD5_HMAC,CKM_MD5_HMAC_GENERAL
    rsa: CKM_RSA_PKCS,CKM_RSA_X_509,CKM_MD5_RSA_PKCS,CKM_SHA1_RSA_PKCS,CKM_SHA224_RSA_PKCS,
    CKM_SHA256_RSA_PKCS,CKM_SHA384_RSA_PKCS,CKM_SHA512_RSA_PKCS
    swrand: No mechanisms presented.
    n2rng/0: No mechanisms presented.
    ncp/0: CKM_DSA,CKM_RSA_X_509,CKM_RSA_PKCS,CKM_RSA_PKCS_KEY_PAIR_GEN,
    CKM_DH_PKCS_KEY_PAIR_GEN,CKM_DH_PKCS_DERIVE,CKM_EC_KEY_PAIR_GEN,
    CKM_ECDH1_DERIVE,CKM_ECDSA
    n2cp/0: CKM_DES_CBC,CKM_DES_CBC_PAD,CKM_DES_ECB,CKM_DES3_CBC,...CKM_SSL3_SHA1_MAC

Example 12-15 Finding the Existing Cryptographic Mechanisms

In the following example, all mechanisms that the user-level library, pkcs11_softtoken, offers are listed.

% cryptoadm list -m provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so
Mechanisms:
CKM_DES_CBC                  
CKM_DES_CBC_PAD              
CKM_DES_ECB                  
CKM_DES_KEY_GEN              
CKM_DES_MAC_GENERAL          
CKM_DES_MAC 
…
CKM_ECDSA                    
CKM_ECDSA_SHA1               
CKM_ECDH1_DERIVE

Example 12-16 Finding the Available Cryptographic Mechanisms

Policy determines which mechanisms are available for use. The administrator sets the policy. An administrator can choose to disable mechanisms from a particular provider. The -p option displays the list of mechanisms that are permitted by the policy that the administrator has set.

% cryptoadm list -p
User-level providers:
=====================
/usr/lib/security/$ISA/pkcs11_kernel.so: all mechanisms are enabled. random is enabled.
/usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled, random is enabled.
/usr/lib/security/$ISA/pkcs11_tpm.so: all mechanisms are enabled.
Kernel providers:
==========================
des: all mechanisms are enabled.
aes: all mechanisms are enabled.
arcfour: all mechanisms are enabled.
blowfish: all mechanisms are enabled.
ecc: all mechanisms are enabled.
sha1: all mechanisms are enabled.
sha2: all mechanisms are enabled.
md4: all mechanisms are enabled.
md5: all mechanisms are enabled.
rsa: all mechanisms are enabled.
swrand: random is enabled.
n2rng/0: all mechanisms are enabled. random is enabled.
ncp/0: all mechanisms are enabled.
n2cp/0: all mechanisms are enabled.

Example 12-17 Determining Which Cryptographic Mechanisms Perform Which Functions

Mechanisms perform specific cryptographic functions, such as signing or key generation. The -v -m options display every mechanism and its functions.

In this instance, the administrator wants to determine for which functions the CKM_ECDSA* mechanisms can be used.

% cryptoadm list -vm
User-level providers:
=====================
Provider: /usr/lib/security/$ISA/pkcs11_kernel.so
Number of slots: 3
Slot #2
Description: ncp/0 Crypto Accel Asym 1.0                                     
...
CKM_ECDSA                    163  571  X  .  .  .  X  .  X  .  .  .  .  .  .  .
...

Provider: /usr/lib/security/$ISA/pkcs11_softtoken.so
...
CKM_ECDSA       112 571  .  .  .  .  X  .  X  .  .  .  .  .  .  .  .
CKM_ECDSA_SHA1  112 571  .  .  .  .  X  .  X  .  .  .  .  .  .  .  .
...
Kernel providers:
=================
...
ecc: CKM_EC_KEY_PAIR_GEN,CKM_ECDH1_DERIVE,CKM_ECDSA,CKM_ECDSA_SHA1
...

The listing indicates that these mechanisms are available from the following user-level providers:

Each item in an entry represents a piece of information about the mechanism. For these ECC mechanisms, the listing indicates the following:

How to Add a Software Provider

Before You Begin

You must become an administrator who is assigned the Crypto Management rights profile. For more information, see How to Use Your Assigned Administrative Rights.

  1. List the software providers that are available to the system.
    % cryptoadm list
    User-level providers:
    Provider: /usr/lib/security/$ISA/pkcs11_kernel.so
    Provider: /usr/lib/security/$ISA/pkcs11_softtoken.so
    /usr/lib/security/$ISA/pkcs11_tpm.so: all mechanisms are enabled.
    
    Kernel software providers:
        des
        aes
        arcfour
        blowfish
        sha1
        sha2
        md4
        md5
        rsa
        swrand
        n2rng/0
        ncp/0
        n2cp/0
  2. Add the provider from a repository.

    Existing provider software has been issued a certificate by Oracle.

  3. Refresh the providers.

    You need to refresh providers if you added a software provider, or if you added hardware and specified policy for the hardware.

    # svcadm refresh svc:/system/cryptosvc
  4. Locate the new provider on the list.

    In this case, a new kernel software provider was installed.

    # cryptoadm list 
    …
    Kernel software providers:
        des
        aes
        arcfour
        blowfish
        ecc 
        sha1
        sha2
        md4
        md5
        rsa
        swrand
        sha3 <-- added provider
    …

Example 12-18 Adding a User-Level Software Provider

In the following example, a signed PKCS #11 library is installed.

# pkgadd -d /cdrom/cdrom0/SolarisNew
Answer the prompts
# svcadm refresh system/cryptosvc
# cryptoadm list
user-level providers:
==========================
    /usr/lib/security/$ISA/pkcs11_kernel.so
    /usr/lib/security/$ISA/pkcs11_softtoken.so
    /usr/lib/security/$ISA/pkcs11_tpm.so
    /opt/lib/$ISA/libpkcs11.so.1 <-- added provider

Developers who are testing a library with the Cryptographic Framework can install the library manually.

# cryptoadm install provider=/opt/lib/\$ISA/libpkcs11.so.1

How to Use the Cryptographic Framework in FIPS-140 Mode

By default, FIPS-140 mode is disabled in Oracle Solaris. In this procedure, you create a new boot environment (BE) for FIPS-140 mode, then enable FIPS-140 and boot into the new BE. This method enables you to recover from system panics that can result from FIPS-140 compliance tests. For more information, see the cryptoadm(1M) man page and Cryptographic Framework and FIPS-140.

Before You Begin

You must assume the root role. For more information, see How to Use Your Assigned Administrative Rights.

  1. Determine if the system is in FIPS-140 mode.
    % cryptoadm list fips-140
    User-level providers:
    =====================
    /usr/lib/security/$ISA/pkcs11_softtoken: FIPS-140 mode is disabled.
    
    Kernel software providers:
    ==========================
    des: FIPS-140 mode is disabled.
    aes: FIPS-140 mode is disabled.
    ecc: FIPS-140 mode is disabled.
    sha1: FIPS-140 mode is disabled.
    sha2: FIPS-140 mode is disabled.
    rsa: FIPS-140 mode is disabled.
    swrand: FIPS-140 mode is disabled.
    
    Kernel hardware providers:
    =========================:
  2. Create a new BE for your FIPS-140 version of the Cryptographic Framework.

    Before you enable FIPS-140 mode, you must first create, activate, and boot a new BE by using the beadm command. A FIPS-140-enabled system runs compliance tests that can cause a panic if they fail. Therefore, it is important to have an available BE that you can boot to get your system up and running while you debug issues with the FIPS-140 boundary.

    1. Create a BE based on your current BE.

      In this example, you create a BE named S11.1-FIPS-140.

      # beadm create S11.1-FIPS-140
    2. Activate that BE.
      # beadm activate S11.1-FIPS-140
    3. Reboot the system.
    4. Enable FIPS-140 mode in the new BE.
      # cryptoadm enable fips-140

      Note - This subcommand does not disable the non-FIPS-140 approved algorithms from the user-level pkcs11_softtoken library and the kernel software providers. The consumers of the framework are responsible for using only FIPS-140-approved algorithms.

      For more information about the effects of FIPS-140 mode, see the cryptoadm(1M) man page.


  3. When you want to run without FIPS-140 enabled, disable FIPS-140 mode.

    You can reboot to the original BE or disable FIPS-140 in the current BE.

    • Boot to the original BE.
      # beadm list
      BE               Active Mountpoint Space   Policy Created
      --               ------ ---------- -----   ------ -------
      S11.1            -      -          48.22G   static 2012-10-10 10:10
      S11.1-FIPS-140   NR     /          287.01M  static 2012-11-18 18:18
      # beadm activate S11.1
      # beadm list
      BE               Active Mountpoint Space   Policy Created
      --               ------ ---------- -----   ------ -------
      S11.1            R      -          48.22G   static 2012-10-10 10:10
      S11.1-FIPS-140   N      /          287.01M  static 2012-11-18 18:18
      # reboot
    • Disable FIPS-140 mode in the current BE and reboot.
      # cryptoadm disable fips-140

      FIPS-140 mode remains in operation until the system is rebooted.

      # reboot

How to Prevent the Use of a User-Level Mechanism

If some of the cryptographic mechanisms from a library provider should not be used, you can remove selected mechanisms. This procedure uses the DES mechanisms in the pkcs11_softtoken library as an example.

Before You Begin

You must become an administrator who is assigned the Crypto Management rights profile. For more information, see How to Use Your Assigned Administrative Rights.

  1. List the mechanisms that are offered by a particular user-level software provider.
    % cryptoadm list -m provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so
    /usr/lib/security/$ISA/pkcs11_softtoken.so:
    CKM_DES_CBC,CKM_DES_CBC_PAD,CKM_DES_ECB,CKM_DES_KEY_GEN,
    CKM_DES3_CBC,CKM_DES3_CBC_PAD,CKM_DES3_ECB,CKM_DES3_KEY_GEN,
    CKM_AES_CBC,CKM_AES_CBC_PAD,CKM_AES_ECB,CKM_AES_KEY_GEN,
    …
  2. List the mechanisms that are available for use.
    $ cryptoadm list -p
    user-level providers:
    =====================
    …
    /usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled.
    random is enabled.
    …
  3. Disable the mechanisms that should not be used.
    $ cryptoadm disable provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so \
    > mechanism=CKM_DES_CBC,CKM_DES_CBC_PAD,CKM_DES_ECB
  4. List the mechanisms that are available for use.
    $ cryptoadm list -p provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so
    /usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled,
    except CKM_DES_ECB,CKM_DES_CBC_PAD,CKM_DES_CBC. random is enabled.

Example 12-19 Enabling a User-Level Software Provider Mechanism

In the following example, a disabled DES mechanism is again made available for use.

$ cryptoadm list -m provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so
/usr/lib/security/$ISA/pkcs11_softtoken.so:
CKM_DES_CBC,CKM_DES_CBC_PAD,CKM_DES_ECB,CKM_DES_KEY_GEN,
CKM_DES3_CBC,CKM_DES3_CBC_PAD,CKM_DES3_ECB,CKM_DES3_KEY_GEN,
…
$ cryptoadm list -p provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so
/usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled,
except CKM_DES_ECB,CKM_DES_CBC_PAD,CKM_DES_CBC. random is enabled.
$ cryptoadm enable provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so \
> mechanism=CKM_DES_ECB
$ cryptoadm list -p provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so
/usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled,
except CKM_DES_CBC_PAD,CKM_DES_CBC. random is enabled.

Example 12-20 Enabling All User-Level Software Provider Mechanisms

In the following example, all mechanisms from the user-level library are enabled.

$ cryptoadm enable provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so all
$ cryptoadm list -p provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so
/usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled.
random is enabled.

Example 12-21 Permanently Removing User-Level Software Provider Availability

In the following example, the libpkcs11.so.1 library is removed.

$ cryptoadm uninstall provider=/opt/lib/\$ISA/libpkcs11.so.1
$ cryptoadm list
user-level providers:
    /usr/lib/security/$ISA/pkcs11_kernel.so
    /usr/lib/security/$ISA/pkcs11_softtoken.so
    /usr/lib/security/$ISA/pkcs11_tpm.so

kernel providers:
…

How to Prevent the Use of a Kernel Software Provider

If a kernel software provider such as AES offers multiple mechanisms (cipher modes), you can remove a slow or corrupted mechanism from use while leaving the rest of the provider available. This procedure uses the AES algorithm as an example.

Before You Begin

You must become an administrator who is assigned the Crypto Management rights profile. For more information, see How to Use Your Assigned Administrative Rights.

  1. List the mechanisms that are offered by a particular kernel software provider.
    $ cryptoadm list -m provider=aes
    aes: CKM_AES_ECB,CKM_AES_CBC,CKM_AES_CTR,CKM_AES_CCM,CKM_AES_GCM,CKM_AES_GMAC,
    CKM_AES_CFB128,CKM_AES_XTS,CKM_AES_XCBC_MAC
  2. List the mechanisms that are available for use.
    $ cryptoadm list -p provider=aes
    aes: all mechanisms are enabled.
  3. Disable the mechanism that should not be used.
    $ cryptoadm disable provider=aes mechanism=CKM_AES_ECB
  4. List the mechanisms that are available for use.
    $ cryptoadm list -p provider=aes
    aes: all mechanisms are enabled, except CKM_AES_ECB.
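Both the user-level procedure above and this kernel procedure end with a `cryptoadm list -p` check that a disabled mechanism now appears after "except". The following script, an added example and not part of the Oracle documentation, automates that check for kernel software providers: it joins a saved `cryptoadm list -m` listing with a saved `cryptoadm list -p` listing and reports every mechanism on a deny list that a provider still offers under policy. The deny list and the two sample listings are constructed for this example; the "all mechanisms are disabled" wording is assumed to be how a fully disabled provider is reported.

```shell
#!/bin/sh
# Policy audit for the Cryptographic Framework, built from the listing formats
# shown on this page.  Added example, not part of the Oracle documentation.
#
# audit_policy MECHLIST POLICYLIST "MECH ..."
#   MECHLIST   saved output of `cryptoadm list -m` (kernel provider format,
#              "name: CKM_A,CKM_B," with wrapped continuation lines)
#   POLICYLIST saved output of `cryptoadm list -p` ("name: all mechanisms are
#              enabled, except ..." with "except"/"random" continuation lines)
# Prints "provider mechanism" for every deny-listed mechanism a provider offers
# that policy has not disabled.  Returns 1 if anything was printed, else 0.
audit_policy() {
    awk -v deny="$3" '
    BEGIN { n = split(deny, d, " "); for (k = 1; k <= n; k++) want[d[k]] = 1 }
    { sub(/[ \t\r]+$/, "") }                      # drop trailing whitespace
    FNR == NR {                                   # first file: list -m
        i = index($0, ": ")
        if (i > 1 && substr($0, i + 2) != "") { cur = substr($0, 1, i - 1); mech[cur] = substr($0, i + 2) }
        else if ($0 ~ /^CKM_/ && cur != "") mech[cur] = mech[cur] $0
        next
    }
    FNR == 1 { cur = "" }                         # second file: list -p
    {
        i = index($0, ": ")
        if (i > 1 && substr($0, i + 2) != "") { cur = substr($0, 1, i - 1); pol[cur] = substr($0, i + 2) }
        else if ($0 ~ /^(except|random)/ && cur != "") pol[cur] = pol[cur] " " $0
    }
    END {
        bad = 0
        for (p in mech) {
            m = split(mech[p], list, ",")
            for (k = 1; k <= m; k++) {
                x = list[k]; gsub(/[ \t]/, "", x)
                if (!(x in want)) continue
                # Assumption: a provider with every mechanism disabled is
                # reported as "all mechanisms are disabled".
                if (pol[p] ~ /all mechanisms are disabled/) continue
                # The disabled set is the text after "except" up to the first period.
                exc = pol[p]; sub(/^.*except[ \t]*/, "", exc); sub(/\..*$/, "", exc)
                if (pol[p] ~ /except/ && index("," exc ",", "," x ",") > 0) continue
                print p, x; bad = 1
            }
        }
        exit bad
    }' "$1" "$2"
}

# Mechanisms that policy is expected to have disabled (chosen for this example).
DENYLIST="CKM_DES_ECB CKM_DES_CBC CKM_DES3_ECB CKM_AES_ECB CKM_RC4 CKM_MD4 CKM_MD5"

# Constructed sample listings in the formats shown on this page.
SAMPLE_MECH='des: CKM_DES_ECB,CKM_DES_CBC,CKM_DES3_ECB,CKM_DES3_CBC
aes: CKM_AES_ECB,CKM_AES_CBC,CKM_AES_CTR,CKM_AES_CCM,CKM_AES_GCM,CKM_AES_GMAC,
CKM_AES_CFB128,CKM_AES_XTS,CKM_AES_XCBC_MAC
arcfour: CKM_RC4
md4: CKM_MD4
md5: CKM_MD5,CKM_MD5_HMAC,CKM_MD5_HMAC_GENERAL
sha2: CKM_SHA224,CKM_SHA224_HMAC,...CKM_SHA512_256_HMAC_GENERAL'

SAMPLE_POLICY='Kernel providers:
==========================
des: all mechanisms are enabled,
except CKM_DES_ECB,CKM_DES3_ECB.
aes: all mechanisms are enabled, except CKM_AES_ECB.
arcfour: all mechanisms are disabled.
md4: all mechanisms are enabled.
md5: all mechanisms are enabled.
sha2: all mechanisms are enabled.'

# Runs the audit on the samples; prints sorted findings, returns audit status.
run_demo() {
    tmp=$(mktemp -d) || return 2
    printf '%s\n' "$SAMPLE_MECH" > "$tmp/mech"
    printf '%s\n' "$SAMPLE_POLICY" > "$tmp/policy"
    audit_policy "$tmp/mech" "$tmp/policy" "$DENYLIST" > "$tmp/out"
    rc=$?
    sort "$tmp/out"
    rm -rf "$tmp"
    return $rc
}

# Expected findings: des CKM_DES_CBC, md4 CKM_MD4, md5 CKM_MD5
if run_demo; then echo "policy clean"; else echo "deny-listed mechanisms still enabled"; fi
```

On a live system, save `cryptoadm list -m` and `cryptoadm list -p` to files and pass them to audit_policy with your own deny list.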

Example 12-22 Enabling a Kernel Software Provider Mechanism

In the following example, a disabled AES mechanism is again made available for use.

$ cryptoadm list -m provider=aes
aes: CKM_AES_ECB,CKM_AES_CBC,CKM_AES_CTR,CKM_AES_CCM,
CKM_AES_GCM,CKM_AES_GMAC,CKM_AES_CFB128,CKM_AES_XTS,CKM_AES_XCBC_MAC
$ cryptoadm list -p provider=aes
aes: all mechanisms are enabled, except CKM_AES_ECB.
$ cryptoadm enable provider=aes mechanism=CKM_AES_ECB
$ cryptoadm list -p provider=aes
aes: all mechanisms are enabled.

Example 12-23 Temporarily Removing Kernel Software Provider Availability

In the following example, the AES provider is temporarily removed from use. The unload subcommand is useful to prevent a provider from being loaded automatically while the provider is being uninstalled. For example, the unload subcommand would be used when installing a patch that affects the provider.

$ cryptoadm unload provider=aes
$ cryptoadm list 
…
Kernel software providers:
    des
    aes (inactive)
    arcfour
    blowfish
    ecc
    sha1
    sha2
    md4
    md5
    rsa
    swrand
    n2rng/0
    ncp/0
    n2cp/0

The AES provider is unavailable until the Cryptographic Framework is refreshed.

$ svcadm refresh system/cryptosvc
$ cryptoadm list 
…
Kernel software providers:
    des
    aes
    arcfour
    blowfish
    ecc
    sha1
    sha2
    md4
    md5
    rsa
    swrand
    n2rng/0
    ncp/0
    n2cp/0

If a kernel consumer is using the kernel software provider, the software is not unloaded. An error message is displayed and the provider continues to be available for use.

Example 12-24 Permanently Removing Software Provider Availability

In the following example, the AES provider is removed from use. Once removed, the AES provider does not appear in the policy listing of kernel software providers.

$ cryptoadm uninstall provider=aes
$ cryptoadm list 
…
Kernel software providers:
    des
    arcfour
    blowfish
    ecc
    sha1
    sha2
    md4
    md5
    rsa
    swrand
    n2rng/0
    ncp/0
    n2cp/0

If a kernel consumer is using the kernel software provider, an error message is displayed and the provider continues to be available for use.

Example 12-25 Reinstalling a Removed Kernel Software Provider

In the following example, the AES kernel software provider is reinstalled.

$ cryptoadm install provider=aes \
mechanism=CKM_AES_ECB,CKM_AES_CBC,CKM_AES_CTR,CKM_AES_CCM,
CKM_AES_GCM,CKM_AES_GMAC,CKM_AES_CFB128,CKM_AES_XTS,CKM_AES_XCBC_MAC
$ cryptoadm list 
…
Kernel software providers:
    des
    aes
    arcfour
    blowfish
    ecc
    sha1
    sha2
    md4
    md5
    rsa
    swrand
    n2rng/0
    ncp/0
    n2cp/0

How to List Hardware Providers

Hardware providers are automatically located and loaded. For more information, see the driver.conf(4) man page.

Before You Begin

When you have hardware that expects to be used within the Cryptographic Framework, the hardware registers with the SPI in the kernel. The framework checks that the hardware driver is signed. Specifically, the framework checks that the object file of the driver is signed with a certificate that Sun issues.

For example, the mca driver for the Sun Crypto Accelerator 6000 board, the ncp driver for the cryptographic accelerator on the UltraSPARC T1 and T2 processors, and the n2cp driver for the UltraSPARC T2 processors plug hardware mechanisms into the framework.

For information about getting your provider signed, see Binary Signatures for Third-Party Software.

  1. List the hardware providers that are available on the system.
    % cryptoadm list
    … 
    kernel hardware providers:
       ncp/0
  2. List the mechanisms that the chip or the board provides.
    % cryptoadm list -m provider=ncp/0
    ncp/0:
    CKM_DSA
    CKM_RSA_X_509
    ...
    CKM_ECDH1_DERIVE
    CKM_ECDSA
  3. List the mechanisms that are available for use on the chip or the board.
    % cryptoadm list -p provider=ncp/0
    ncp/0: all mechanisms are enabled.

How to Disable Hardware Provider Mechanisms and Features

You can selectively disable mechanisms and the random number feature from a hardware provider. To enable them again, see Example 12-26. The hardware in this example, the Sun Crypto Accelerator 1000 board, provides a random number generator.

Before You Begin

You must become an administrator who is assigned the Crypto Management rights profile. For more information, see How to Use Your Assigned Administrative Rights.

Example 12-26 Enabling Mechanisms and Features on a Hardware Provider

In the following examples, disabled mechanisms on a piece of hardware are selectively enabled.

# cryptoadm list -p provider=dca/0
dca/0: all mechanisms are enabled except CKM_DES_ECB,CKM_DES3_ECB.
random is enabled.
# cryptoadm enable provider=dca/0 mechanism=CKM_DES3_ECB
# cryptoadm list -p provider=dca/0
dca/0: all mechanisms are enabled except CKM_DES_ECB. 
random is enabled.

In the following example, only the random generator is enabled.

# cryptoadm list -p provider=dca/0
dca/0: all mechanisms are enabled, except CKM_MD5,CKM_MD5_HMAC,…. 
random is disabled.
# cryptoadm enable provider=dca/0 random
# cryptoadm list -p provider=dca/0
dca/0: all mechanisms are enabled, except CKM_MD5,CKM_MD5_HMAC,….
random is enabled.

In the following example, only the mechanisms are enabled. The random generator continues to be disabled.

# cryptoadm list -p provider=dca/0
dca/0: all mechanisms are enabled, except CKM_MD5,CKM_MD5_HMAC,….
random is disabled.
# cryptoadm enable provider=dca/0 mechanism=all
# cryptoadm list -p provider=dca/0
dca/0: all mechanisms are enabled. random is disabled.

In the following example, every feature and mechanism on the board is enabled.

# cryptoadm list -p provider=dca/0
dca/0: all mechanisms are enabled, except CKM_DES_ECB,CKM_DES3_ECB.
random is disabled.
# cryptoadm enable provider=dca/0 all
# cryptoadm list -p provider=dca/0
dca/0: all mechanisms are enabled. random is enabled.

How to Refresh or Restart All Cryptographic Services

By default, the Cryptographic Framework is enabled. When the kcfd daemon fails for any reason, the Service Management Facility (SMF) can be used to restart cryptographic services. For more information, see the smf(5) and svcadm(1M) man pages. For the effect on zones of restarting cryptographic services, see Cryptographic Services and Zones.

Before You Begin

You must become an administrator who is assigned the Crypto Management rights profile. For more information, see How to Use Your Assigned Administrative Rights.

  1. Check the status of cryptographic services.
    % svcs cryptosvc
     STATE          STIME    FMRI
    offline         Dec_09   svc:/system/cryptosvc:default
  2. Enable cryptographic services.
    # svcadm enable svc:/system/cryptosvc

Example 12-27 Refreshing Cryptographic Services

In the following example, cryptographic services are refreshed in the global zone. Therefore, kernel-level cryptographic policy in every non-global zone is also refreshed.

# svcadm refresh system/cryptosvc