Administering the Cryptographic Framework

Language:

This section describes how to administer the software providers and the hardware providers in the Cryptographic Framework. You can, for example, disable the implementation of an algorithm from one software provider. You can then force the system to use the algorithm from a different software provider.

Caution - Do not disable the default providers that are included with the Oracle Solaris operating system. In particular, the pkcs11_softtoken provider is a required part of Oracle Solaris and must not be disabled by using the cryptoadm command. Some of the cryptographic algorithms may be hardware accelerated. Administrators can run the following command to view a list of cryptographic algorithms for their system and check the HW column in the output:

$ cryptoadm list -vm provider='/usr/lib/security/$ISA/pkcs11_softtoken.so'`

For more information, see the pkcs11_softtoken(5) man page.

Note - An important component of administering the Cryptographic Framework is to plan and implement your policy regarding FIPS 140-2, the U.S. Government computer security standard for cryptography modules.

If you have a strict requirement to use only FIPS 140-2 validated cryptography, you must be running the Oracle Solaris 11.3 SRU 5.6 release. Later Oracle Solaris releases build on this validated foundation and include software improvements that address performance, functionality, and reliability. Whenever possible, you should configure Oracle Solaris in FIPS 140-2 mode to take advantage of these improvements.

Review Using a FIPS 140-2 Enabled System in Oracle Solaris 11.3 and plan an overall FIPS 140-2 policy for your systems.

The following task map points to procedures for administering software and hardware providers in the Cryptographic Framework.

Table 3 Administering the Cryptographic Framework Task Map

Task	Description	For Instructions
Plan the FIPS 140-2 policy for your systems.	Decide on your plan for enabling FIPS 140-2 approved providers and consumers and implement your plan.	Using a FIPS 140-2 Enabled System in Oracle Solaris 11.3
List the providers in the Cryptographic Framework.	Lists the algorithms, libraries, and hardware devices that are available for use in the Cryptographic Framework.	Listing Available Providers
Enable FIPS 140-2 mode.	Runs the Cryptographic Framework to a U.S. government standard for cryptography modules.	How to Create a Boot Environment With FIPS 140-2 Enabled
Add a software provider.	Adds a PKCS #11 library or a kernel module to the Cryptographic Framework. The provider must be signed.	How to Add a Software Provider
Prevent the use of a user-level mechanism.	Removes a software mechanism from use. The mechanism can be enabled again.	How to Prevent the Use of a User-Level Mechanism
Temporarily disable mechanisms from a kernel module.	Temporarily removes a mechanism from use. Usually used for testing.	How to Prevent the Use of a Kernel Software Mechanism
Uninstall a library.	Removes a user-level software provider from use.	Example 18, Permanently Removing a User-Level Library
Uninstall a kernel provider.	Removes a kernel software provider from use.	Example 20, Temporarily Removing Kernel Software Provider Availability
Disable mechanisms from a hardware provider.	Ensures that selected mechanisms on a hardware accelerator are not used.	How to Disable Hardware Provider Mechanisms and Features
Restart or refresh cryptographic services.	Ensures that cryptographic services are available.	How to Refresh or Restart All Cryptographic Services