JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Developer's Guide to Oracle Solaris 11 Security     Oracle Solaris 11.1 Information Library
search filter icon
search icon

Document Information

Preface

1.  Oracle Solaris Security for Developers (Overview)

2.  Developing Privileged Applications

3.  Writing PAM Applications and Services

4.  Writing Applications That Use GSS-API

5.  GSS-API Client Example

6.  GSS-API Server Example

7.  Writing Applications That Use SASL

8.  Introduction to the Oracle Solaris Cryptographic Framework

9.  Writing User-Level Cryptographic Applications

10.  Introduction to the Oracle Solaris Key Management Framework

Oracle Solaris Key Management Framework Features

Oracle Solaris Key Management Framework Components

KMF Key Management Tool

KMF Policy Enforcement Mechanisms

KMF Application Programming Interfaces

Oracle Solaris Key Management Framework Example Application

KMF Headers and Libraries

KMF Basic Data Types

KMF Application Results Verification

Complete KMF Application Source Code

A.  Secure Coding Guidelines for Developers

B.  Sample C-Based GSS-API Programs

C.  GSS-API Reference

D.  Specifying an OID

E.  Source Code for SASL Example

F.  SASL Reference Tables

Glossary

Index

Oracle Solaris Key Management Framework Components

This section describes the following KMF components:

KMF Key Management Tool

The following pktool(1) subcommands specifically support KMF:

delete

Delete objects in the keystore.

download

Download a CRL or certificate file from an external source.

export

Export objects from the keystore to a file.

gencert

Create a self-signed X.509v3 certificate.

gencsr

Create a PKCS#10 Certificate Signing Request (CSR) file.

genkey

Create a symmetric key in the keystore.

help

Displays a help message.

import

Import objects from an external source.

inittoken

Initialize a PKCS#11 token.

list

List a summary of objects in the keystore.

setpin

Change user authentication passphrase for keystore access.

signcsr

Sign a PKCS#10 CSR.

tokens

List all visible PKCS#11 tokens.

KMF Policy Enforcement Mechanisms

KMF policy is a hierarchical tree of policies. A default policy is defined when the system is installed. The default policy applies unless the application asserts a different policy.

Policy parameters control the use of X.509 certificates by an application. KMF policy applies to all certificates and is not restricted to any particular keystore.

Use the kmfcfg(1) utility to manage the KMF policy database and configure plugins. You can use kmfcfg to list, create, modify, delete, import, and export policy definitions in the system default database file /etc/security/kmfpolicy.xml or in a user-defined database file. Note that you cannot modify the default policy in the system KMF policy database. For plugin configuration, you can use kmfcfg to display plugin information, install or uninstall a KMF plugin, and modify the plugin option.

The following list shows some of the KMF policy attributes. See the kmfcfg(1) man page for a complete list and descriptions of these policy attributes.

See the kmfpolicy.h file for definitions of policy data types.

The following plugin libraries are provided in Oracle Solaris KMF:

KMF Application Programming Interfaces

The Oracle Solaris KMF provides abstract APIs for PKI operations. Applications written to KMF can access multiple keystores such as files (OpenSSL), NSS, and PKCS11 tokens and multiple validation modules such as OCSP and CRL checking. The KMF API can be extended by third parties for proprietary and legacy implementations.

The KMF APIs are provided in the Key Management Framework Library, libkmf(3LIB). These APIs enable your application to create and manage public key objects such as public/private keypairs, certificates, CSRs, certificate validation, CRLs, and OCSP response processing.

The KMF APIs are defined in the kmfapi.h file, and structures and types are defined in the kmftypes.h file. The kmfapi.h file lists the functions in the following groups: