kmfcfg(1) User Commands kmfcfg(1)
NAME
kmfcfg - Key Management Policy and Plugin Configuration Utility
SYNOPSIS
kmfcfg subcommand [option ...]
DESCRIPTION
The kmfcfg command allows users to configure Key Management Framework
(KMF) policy databases. The KMF policy database (DB) restricts the use
of keys and certificates that are managed through the KMF framework.
kmfcfg provides the ability to list, create, modify, delete, import and
export policy definitions either in the system default database file
/etc/security/kmfpolicy.xml or a user-defined database file.
For plugin configuration, kmfcfg allows users to display plugin
information, install or uninstall a KMF plugin, and modify the plugin
option.
SUBCOMMANDS
The following subcommands are supported:
create
Adds a new policy into the policy database file.
The format for the create subcommand is as follows:
kmfcfg create [dbfile=dbfile] policy=policyname
[ignore-date=true|false]
[ignore-unknown-eku=true|false]
[ignore-trust-anchor=true|false]
[ignore-cert-revoke-responder-timeout=true|false]
[cert-revoke-responder-timeout=timeout in seconds]
[trust-intermediate-cas=true|false]
[max-cert-path-length=max length in cert path]
[validity-adjusttime=adjusttime]
[ta-name=trust anchor subject DN | search]
[ta-serial=trust anchor serial number]
[http-proxy=URL]
[http-proxy-none=true|false]
[ocsp-responder=URL]
[ocsp-proxy=URL]
[ocsp-use-cert-responder=true|false]
[ocsp-response-lifetime=timelimit]
[ocsp-ignore-response-sign=true|false]
[ocsp-responder-cert-name=Issuer DN]
[ocsp-responder-cert-serial=serial number]
[crl-basefilename=basefilename | search]
[crl-directory=directory]
[crl-get-crl-uri=true|false]
[crl-proxy=URL]
[crl-ignore-crl-sign=true|false]
[crl-ignore-crl-date=true|false]
[bypass-ipsec-policy=true|false]
[keyusage=digitalSignature | nonRepudiation |
keyEncipherment | dataEncipherment |
keyAgreement | keyCertSign |
cRLSign | encipherOnly | decipherOnly],[...]
[ekunames=serverAuth | clientAuth |
codeSigning | emailProtection |
ipsecEndSystem | ipsecTunnel |
ipsecUser | timeStamping |
OCSPSigning],[...]
[ekuoids=OID,OID,OID...]
[mapper-name=name of the mapper]
[mapper-dir=dir where mapper library resides]
[mapper-path=full pathname of mapper library]
[mapper-options=mapper options]
The create subcommand supports the following options:
cert-revoke-responder-timeout=timeout
Set the maximum timeout value in seconds to wait for the CRL or
OCSP responder. The default value is 30 seconds. The maximum
timeout value is 300 seconds.
crl-basefilename=filename | search
crl-directory=directory
These two attributes specify the location of CRL files. The
crl-basefilename attribute is the base filename of a CRL file. The
crl-directory attribute is the directory for CRL files, which
defaults to the current directory; because that default depends on
the working directory of the validating process, set crl-directory
explicitly in any policy that is meant to be enforced. When the value
search is used instead of an explicit CRL filename, KMF searches all
the valid CRL files under the specified CRL directory to see whether
the certificate being validated is revoked.
If the crl-get-crl-uri attribute is set to true and crl-basefilename
is not specified, the basefilename of the cached CRL file is the
basename of the URI used to fetch the CRL file. If crl-get-crl-uri is
set to false, crl-basefilename must be specified, either to name an
input CRL file or, with the value search, to use all CRL files under
the CRL directory. The setting for crl-get-crl-uri is false by
default.
These two attributes only apply to the file-based CRL plugins. The
current file-based CRL plugins are the file and pkcs11 keystores.
crl-get-crl-uri=true | false
Configure if a CRL file is fetched and cached dynamically as
part of the certificate validation, using the URI information
from the certificate's distribution points extension.
The default for this attribute is false.
crl-ignore-crl-date=true | false
If crl-ignore-crl-date is set to true, the validity time period
of the CRL is not checked.
The default for this attribute is false.
crl-ignore-crl-sign=true | false
If crl-ignore-crl-sign is set to true, the signature of the CRL
is not checked.
The default for this attribute is false.
crl-proxy=URL
Sets the proxy server name and port for dynamically retrieving a
CRL file when crl-get-crl-uri is set to true. This value takes
precedence over the global http-proxy value.
The port number is optional. If the port number is not specified,
the default value is 8080. An example crl-proxy setting might be:
crl-proxy=webcache.example.com:8080.
dbfile=dbfile
The DB file to add the new policy to. If not specified, the
default is the system KMF policy database file
/etc/security/kmfpolicy.xml.
ekuoids=EKUOIDS
A comma separated list of Extended Key Usage OIDs that are
required by the policy being defined. The OIDs are expressed in
dot notation, for example, 1.2.3.4. An example ekuoids setting
might be: ekuoids=1.2.3.4,9.8.7.6.5.
ekunames=EKUNAMES
A comma separated list of Extended Key Usage names that are
required by the policy being defined. The values allowed for
EKUNAMES are: serverAuth, clientAuth, codeSigning, emailProtection,
ipsecEndSystem, ipsecTunnel, ipsecUser, timeStamping, and
OCSPSigning.
The OCSP, CRL, key usage and extended key usage checks are all
off by default. To turn one of them on, specify one or more
attributes for that particular check. For example, if the
ocsp-responder attribute is set, OCSP checking is turned on. If
the ekunames attribute or the ekuoids attribute is set, extended
key usage checking is turned on.
http-proxy=URL
Sets the proxy server name and port for contacting servers for
CRLs, OCSP, or downloading certificates. The crl-proxy and
ocsp-proxy values, when set, take precedence over this value.
The port number is optional. If the port number is not specified,
the default value is 8080. An example http-proxy setting might
be: http-proxy=webcache.example.com:8080.
ignore-cert-revoke-responder-timeout=true | false
Defines the behavior after a cert-revoke-responder-timeout
expiration occurs. The default value is false, which means that
if the time defined in cert-revoke-responder-timeout expires, the
certificate validation fails immediately. If the value is true,
the certificate validation bypasses the CRL and/or OCSP checks and
continues with the next step in the series of validation steps.
Note that true makes revocation checking fail open: a responder
that is slow or unreachable, for whatever reason, results in no
revocation check at all for that validation.
ignore-date=true | false
Set the Ignore Date option for this policy. By default this
value is false. If true is specified, the policy ignores the
validity periods defined in the certificates when evaluating
their validity.
ignore-trust-anchor=true | false
Set the Ignore Trust Anchor option for this policy. By default
this value is false. If true is specified, the policy does not
verify the signature of the subject certificate using the trust
anchor certificate at validation, so the certificate is accepted
without any check that it was issued by a trusted CA.
ignore-unknown-eku=true | false
Set the Ignore Unknown EKU option for this policy. By default
this value is false. If true, the policy ignores any unrecognized
EKU values in the Extended Key Usage extension.
keyusage=KUVALUES
A comma separated list of key usage values that are required by
the policy being defined. The values allowed are: digitalSignature,
nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement,
keyCertSign, cRLSign, encipherOnly, decipherOnly.
mapper-name=name
mapper-dir=directory
mapper-path=path
mapper-options=options
These four options support certificate to name mapping.
mapper-name provides the name of the mapper. For example, the name
"cn" represents the mapper object kmf_mapper_cn.so.1. mapper-dir
overrides the default mapper directory /lib/crypto. mapper-path
specifies the full path to the mapper object. mapper-options is an
ASCII-only string of at most 255 bytes. Its format is mapper
specific, but mappers are expected to accept a comma separated list
of options, for example casesensitive,ignoredomain. mapper-path and
mapper-name are mutually exclusive. mapper-dir can be set only if
mapper-name is set. mapper-options can be set only if mapper-name
or mapper-path is set. Any of the above mentioned incorrect
combinations results in an error and the policy database is not
modified.
max-cert-path-length=number
Specifies the maximum number of certificates allowed in the
certificate chain. The default value is 32.
ocsp-ignore-response-sign=true | false
If this attribute is set to true, the signature of the OCSP
response is not verified. By default this value is false.
ocsp-proxy=URL
Set the proxy server name and port for OCSP. The port number is
optional. If the port number is not specified, the default value
is 8080. An example ocsp-proxy setting might be:
ocsp-proxy="webcache.example.com:8080"
This value takes precedence over the global http-proxy value.
ocsp-response-lifetime=timelimit
Set the maximum age an OCSP response may have and still be
accepted as fresh. The timelimit can be specified by number-day,
number-hour, number-minute, or number-second. An example
ocsp-response-lifetime setting might be:
ocsp-response-lifetime=6-hour.
ocsp-responder-cert-name=IssuerDN
ocsp-responder-cert-serial=serialNumber
These two attributes identify the OCSP responder certificate. The
ocsp-responder-cert-name specifies the issuer name of the
certificate; see the ta-name option for an example of the DN
format. The ocsp-responder-cert-serial is the serial number and
must be specified as a hex value, for example,
0x0102030405060708090a0b0c0d0e0f. If the OCSP responder is
different from the issuer of the certificate being validated and
the OCSP response needs to be verified, the OCSP responder
certificate information must be provided.
ocsp-responder=URL
Set the OCSP responder URL for use with the OCSP validation
method. For example,
ocsp-responder=http://ocsp.example.com/ocsp/status
ocsp-use-cert-responder=true | false
Configure this policy to always use the responder defined in
the certificate itself if possible.
policy=policyname
The policy record to be created. policyname is required.
ta-name=trust anchor subject DN | search
ta-name identifies the trust anchor used to validate a
certificate. The KMF policy engine does not do full PKIX path
validation, but rather just treats the trust anchor as if it were
the parent of the certificate to be validated.
If an explicit Subject DN is specified, it must be combined with a
ta-serial value to uniquely identify the certificate to use. Also,
the certificate identified must be available in the keystore that
is selected.
If the value search is used instead of an explicit subject and
serial number, the KMF policy engine attempts to locate a
certificate that matches the issuer name of the certificate to be
validated and uses that for the validation.
If search is used, the ta-serial value is ignored.
ta-serial=trust anchor serial number
If the ta-name is specified as an explicit subject name, the
serial number of that certificate must be indicated by the
ta-serial value. The serial number must be represented in
hexadecimal format, for example, ta-serial=0x01020a0b.
trust-intermediate-cas=true | false
The root of the trust chain can be an intermediate CA certificate
if this policy is set to trust intermediate CAs. By default this
value is false. If true is specified, certificate validation
proceeds on the partial chain when the chain is not anchored to a
TA certificate.
validity-adjusttime=adjusttime
Set the adjust time for both ends of the validity period of a
certificate. The time can be specified by number-day, number-hour,
number-minute, or number-second. An example validity-adjusttime
setting might be: validity-adjusttime=6-hour.
ta-name="Subject DN" ta-serial=serialNumber
These two attributes represent the trust anchor certificate and
are used to find the trust anchor certificate in the keystore.
The ta-name specifies the distinguished name of the trust anchor
certificate's subject. For example, ta-name="O=Oracle
Corporation, OU=Solaris Security Technologies Group, L=Ashburn,
ST=VA, C=US, CN=John Smith". The ta-serial specifies the serial
number of the TA certificate. The serial number must be specified
as a hex value, for example, 0x0102030405060708090a0b0c0d0e. This,
along with the subject DN given in ta-name, is used to find the TA
certificate in the keystore. The trust anchor attributes need to
be set if the value of the ignore-trust-anchor attribute is false.
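The ta-serial and ocsp-responder-cert-serial values must be 0x-prefixed hex, and ta-name must be the subject DN in the comma separated form shown in the example above. In practice those values come from openssl(1), which prints the serial as serial=0102030A0B and the subject either as "O = X, CN = Y" (newer releases) or as "/O=X/CN=Y" (older ones). The POSIX sh functions below are an added example, not code from this man page or from Solaris KMF; they normalise those shapes into what kmfcfg expects. The openssl output formats handled, the function names and the constructed sample strings are this example's assumptions; the DN spacing follows the page's own ta-name example.

```shell
#!/bin/sh
# Added example; not code from the kmfcfg(1) man page or from Solaris KMF.
# Helpers that turn the subject and serial of a trust-anchor certificate,
# as openssl(1) prints them, into ta-name / ta-serial values for kmfcfg.
# The openssl output shapes handled here, and the sample values, are this
# example's assumptions.

# kmf_serial: normalise a serial number to the 0x-prefixed lowercase hex
# form kmfcfg requires (for example ta-serial=0x01020a0b). Accepts
# "serial=0102030A0B" (openssl x509 -noout -serial), "01:02:03:0a:0b"
# (the colon form from openssl x509 -text), or bare hex with or without 0x.
kmf_serial() {
    ks_in=$1
    ks=${ks_in#serial=}                               # drop openssl prefix
    ks=$(printf '%s' "$ks" | tr -d ':' | tr 'A-F' 'a-f')
    ks=${ks#0x}
    case $ks in
        ''|*[!0-9a-f]*)
            printf 'kmf_serial: not a hex serial: %s\n' "$ks_in" >&2
            return 1 ;;
    esac
    # pad to an even number of digits so every byte is two characters
    if [ $((${#ks} % 2)) -eq 1 ]; then ks=0$ks; fi
    printf '0x%s\n' "$ks"
}

# kmf_ta_name: convert an openssl subject line into the comma separated
# "O=..., OU=..., CN=..." form the man page uses for ta-name. Handles both
# the "subject=O = X, CN = Y" output of newer openssl and the older
# "subject= /O=X/CN=Y" output. (A "/" or " = " inside a DN value would be
# misread; check the result before pinning it in a policy.)
kmf_ta_name() {
    kn=${1#subject=}
    kn=${kn# }
    case $kn in
        /*) printf '%s\n' "$kn" | sed -e 's|^/||' -e 's|/|, |g' ;;
        *)  printf '%s\n' "$kn" | sed -e 's| *= *|=|g' ;;
    esac
}

# kmf_ta_attrs PEMFILE: print the ta-name=... ta-serial=... pair for a
# certificate file. Needs openssl(1); not exercised by the demo below.
kmf_ta_attrs() {
    kt_name=$(kmf_ta_name "$(openssl x509 -in "$1" -noout -subject)") || return 1
    kt_serial=$(kmf_serial "$(openssl x509 -in "$1" -noout -serial)") || return 1
    printf 'ta-name="%s" ta-serial=%s\n' "$kt_name" "$kt_serial"
}

# Demo on constructed strings (no real certificate involved).
kmf_serial 'serial=0102030A0B'
kmf_ta_name 'subject=O = Example Corp, OU = PKI, CN = Example Root CA'
```

For a real trust anchor, run kmf_ta_attrs root.pem and paste the printed pair onto the kmfcfg create line; the DN is double-quoted in the output because it contains spaces. The serial is padded to an even number of hex digits so that each byte of the DER INTEGER is written as two characters, matching the examples on this page.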
delete
Deletes any policy matching the indicated policy name. The system
default policy (default) cannot be deleted.
The format for the delete subcommand is as follows:
kmfcfg delete [dbfile=dbfile] policy=policyname
The delete subcommand supports the following options:
dbfile=dbfile The DB file to delete the policy from. If
dbfile is not specified, the default is the
system KMF policy database file:
/etc/security/kmfpolicy.xml.
policy=policyname The name of the policy to delete. policyname
is required.
export
Exports a policy from one policy database file to another policy
database file.
The format for the export subcommand is as follows:
kmfcfg export policy=policyname outfile=newdbfile [dbfile=dbfile]
The export subcommand supports the following options:
dbfile=dbfile The DB file where the exported policy is
read. If dbfile is not specified, the
default is the system KMF policy database
file: /etc/security/kmfpolicy.xml.
outfile=outputdbfile The DB file where the exported policy is
stored.
policy=policyname The policy record to be exported.
help
Displays help for the kmfcfg command.
The format for the help subcommand is as follows:
kmfcfg help
import
Imports a policy from one policy database file to another policy
database file.
The format for the import subcommand is as follows:
kmfcfg import policy=policyname infile=inputdbfile [dbfile=dbfile]
The import subcommand supports the following options:
dbfile=dbfile The DB file to add the new policy to. If not
specified, the default is the system KMF policy
database file /etc/security/kmfpolicy.xml.
infile=inputdbfile The DB file to read the policy from.
policy=policyname The policy record to be imported.
list
Without arguments, lists all policy definitions from the default
system database.
The format for the list subcommand is as follows:
kmfcfg list [dbfile=dbfile] [policy=policyname]
The list subcommand supports the following options:
dbfile=dbfile Reads policy definitions from the indicated
file. If not specified, the default is the
system KMF policy database file
/etc/security/kmfpolicy.xml.
policy=policyname Only display policy definition for the named
policy.
modify
Modifies any policy matching the indicated name. The system default
policy (default) cannot be modified.
The format for the modify subcommand is as follows:
kmfcfg modify [dbfile=dbfile] policy=policyname
[ignore-date=true|false]
[ignore-unknown-eku=true|false]
[ignore-trust-anchor=true|false]
[ignore-cert-revoke-responder-timeout=true|false]
[cert-revoke-responder-timeout=timeout in seconds]
[trust-intermediate-cas=true|false]
[max-cert-path-length=max length in cert path]
[validity-adjusttime=adjusttime]
[ta-name=trust anchor subject DN]
[ta-serial=trust anchor serial number]
[http-proxy=URL]
[http-proxy-none=true|false]
[ocsp-responder=URL]
[ocsp-proxy=URL]
[ocsp-use-cert-responder=true|false]
[ocsp-response-lifetime=timelimit]
[ocsp-ignore-response-sign=true|false]
[ocsp-responder-cert-name=Issuer DN]
[ocsp-responder-cert-serial=serial number]
[ocsp-none=true|false]
[crl-basefilename=basefilename | search]
[crl-directory=directory]
[crl-get-crl-uri=true|false]
[crl-proxy=URL]
[crl-ignore-crl-sign=true|false]
[crl-ignore-crl-date=true|false]
[crl-none=true|false]
[bypass-ipsec-policy=true|false]
[keyusage=digitalSignature | nonRepudiation |
keyEncipherment | dataEncipherment |
keyAgreement | keyCertSign |
cRLSign | encipherOnly | decipherOnly],[...]
[keyusage-none=true|false]
[ekunames=serverAuth | clientAuth | codeSigning |
emailProtection | ipsecEndSystem | ipsecTunnel |
ipsecUser | timeStamping | OCSPSigning],[...]
[ekuoids=OID,OID,OID]
[eku-none=true|false]
[mapper-name=name of the mapper]
[mapper-dir=dir where mapper library resides]
[mapper-path=full pathname of mapper library]
[mapper-options=mapper options]
The modify subcommand supports many of the same options as the
create subcommand. For descriptions of shared options, see the
create subcommand.
The modify subcommand supports the following options (crl-none,
eku-none, keyusage-none and ocsp-none exist only for modify;
http-proxy-none and bypass-ipsec-policy also appear in the create
synopsis):
crl-none=true | false
If crl-none is set to true, CRL checking is turned off. If this
attribute is set to true, no other CRL attribute can be set.
dbfile=[dbfile]
The database file in which to modify a policy. If not specified,
the default is the system KMF policy database file
/etc/security/kmfpolicy.xml.
eku-none=true | false
If eku-none is set to true, extended key usage checking is turned
off. The extended key usage attributes, ekunames and ekuoids,
cannot be set at the same time if eku-none is set to true.
keyusage-none=true | false
If keyusage-none is set to true, key usage checking is turned
off. The keyusage attribute cannot be set at the same time if this
attribute is set to true.
http-proxy-none=true | false
If http-proxy-none is set to true, the global http-proxy is reset
to no proxy.
bypass-ipsec-policy=true | false
If bypass-ipsec-policy is set to true, network connections
initiated by KMF will attempt to bypass global IPsec policy. This
operation requires the sys_ip_config privilege. In the absence of
this privilege, the connection is still attempted on a best effort
basis.
ocsp-none=true | false
If ocsp-none is set to true, OCSP checking is turned off. No other
OCSP attribute can be set at the same time if this attribute is
set to true.
policy=policyname
The name of the policy to modify. policyname is required. The
default policy in the system KMF policy database cannot be
modified.
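The constraints spread across the create and modify option descriptions above (the 300 second ceiling on cert-revoke-responder-timeout, the number-day|hour|minute|second time format, the 0x hex serial format, an explicit ta-name needing ta-serial, the mapper-name/mapper-path/mapper-dir/mapper-options rules, the *-none switches being modify-only and excluding the attributes they turn off, and the default policy being unmodifiable) are easy to get wrong at a shell prompt. The POSIX sh script below is an added example, not code from this man page or from Solaris KMF: it checks an attribute list against those documented rules and prints the kmfcfg command line it would run instead of executing it, so the result can be reviewed before it touches /etc/security/kmfpolicy.xml. The helper names (_kmf_*), the quoting style and the constructed policy values are this example's own assumptions.

```shell
#!/bin/sh
# Added example; not code from the kmfcfg(1) man page or from Solaris KMF.
# kmf_policy_cmd validates a kmfcfg create/modify attribute list against the
# constraints the man page states and prints the command line it would run.
# It never executes kmfcfg itself: review the output, then pipe it to sh.
# The helper names (_kmf_*) and the quoting style are this example's own.

_kmf_fail() { printf 'kmf_policy_cmd: %s\n' "$1" >&2; return 1; }

# Value of attribute $1 from the newline-separated list in $KMF_ATTRS.
_kmf_val() { printf '%s\n' "$KMF_ATTRS" | sed -n "s/^$1=//p" | head -n 1; }

# Single-quote an argument unless it consists only of "safe" characters.
_kmf_q() {
    case $1 in
        *[!A-Za-z0-9=,.:/_-]*) printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")" ;;
        *) printf '%s' "$1" ;;
    esac
}

# kmf_policy_cmd create|modify POLICYNAME attr=value ...
kmf_policy_cmd() {
    sub=$1; pol=$2; shift 2
    case $sub in create|modify) ;; *) _kmf_fail "subcommand must be create or modify"; return 1 ;; esac
    if [ -z "$pol" ]; then _kmf_fail "policy name is required"; return 1; fi
    if [ "$sub" = modify ] && [ "$pol" = default ]; then
        _kmf_fail "the system default policy cannot be modified"; return 1
    fi
    KMF_ATTRS=$(for a in "$@"; do printf '%s\n' "$a"; done)
    for a in "$@"; do
        case $a in *=?*) ;; *) _kmf_fail "expected attr=value, got '$a'"; return 1 ;; esac
    done

    # cert-revoke-responder-timeout: seconds, maximum 300 (default 30).
    t=$(_kmf_val cert-revoke-responder-timeout)
    if [ -n "$t" ]; then
        case $t in *[!0-9]*) _kmf_fail "timeout must be an integer"; return 1 ;; esac
        if [ "$t" -gt 300 ]; then _kmf_fail "cert-revoke-responder-timeout exceeds 300"; return 1; fi
    fi

    # Time spans are written number-day|hour|minute|second.
    for n in validity-adjusttime ocsp-response-lifetime; do
        v=$(_kmf_val "$n")
        if [ -n "$v" ]; then
            case ${v##*-} in day|hour|minute|second) ;; *) _kmf_fail "$n: bad unit in '$v'"; return 1 ;; esac
            case ${v%-*} in ''|*[!0-9]*) _kmf_fail "$n: bad number in '$v'"; return 1 ;; esac
        fi
    done

    # Serial numbers must be 0x-prefixed hex.
    for n in ta-serial ocsp-responder-cert-serial; do
        v=$(_kmf_val "$n")
        case $v in
            '') ;;
            0x*) case ${v#0x} in ''|*[!0-9a-fA-F]*) _kmf_fail "$n: not hex: '$v'"; return 1 ;; esac ;;
            *) _kmf_fail "$n must start with 0x: '$v'"; return 1 ;;
        esac
    done

    # An explicit trust-anchor subject DN must be paired with ta-serial;
    # ta-name=search ignores ta-serial.
    tn=$(_kmf_val ta-name)
    if [ -n "$tn" ] && [ "$tn" != search ] && [ -z "$(_kmf_val ta-serial)" ]; then
        _kmf_fail "explicit ta-name requires ta-serial"; return 1
    fi

    # Mapper rules: name and path are exclusive; dir needs name;
    # options need name or path.
    mn=$(_kmf_val mapper-name); mp=$(_kmf_val mapper-path)
    if [ -n "$mn" ] && [ -n "$mp" ]; then _kmf_fail "mapper-name and mapper-path are mutually exclusive"; return 1; fi
    if [ -n "$(_kmf_val mapper-dir)" ] && [ -z "$mn" ]; then _kmf_fail "mapper-dir needs mapper-name"; return 1; fi
    if [ -n "$(_kmf_val mapper-options)" ] && [ -z "$mn$mp" ]; then _kmf_fail "mapper-options needs mapper-name or mapper-path"; return 1; fi

    # The *-none switches exist only for modify, and each one excludes the
    # other attributes of its group (crl-*, ocsp-*, ekunames/ekuoids, keyusage).
    for n in crl-none ocsp-none eku-none keyusage-none; do
        if [ "$(_kmf_val "$n")" = true ]; then
            if [ "$sub" != modify ]; then _kmf_fail "$n is accepted by modify only"; return 1; fi
            if [ -n "$(printf '%s\n' "$KMF_ATTRS" | grep "^${n%-none}" | grep -v "^$n=")" ]; then
                _kmf_fail "$n=true cannot be combined with other ${n%-none} attributes"; return 1
            fi
        fi
    done

    printf 'kmfcfg %s policy=%s' "$sub" "$pol"
    for a in "$@"; do printf ' %s' "$(_kmf_q "$a")"; done
    printf '\n'
}

# Demo on constructed values (no real PKI behind them): a strict policy that
# pins the trust anchor, checks OCSP with a 6-hour freshness limit and CRLs
# from an explicit directory, and requires the serverAuth EKU.
kmf_policy_cmd create WEBTLS dbfile=web.xml \
    'ta-name=O=Example Corp, OU=PKI, CN=Example Root CA' ta-serial=0x01020a0b \
    ocsp-responder=http://ocsp.example.com/ocsp/status ocsp-response-lifetime=6-hour \
    crl-directory=/var/crl crl-basefilename=search ekunames=serverAuth \
    cert-revoke-responder-timeout=60
```

The demo prints one reviewable kmfcfg create line; piping the function's output to sh runs it. A rejected combination produces a message on stderr and a non-zero status, so the script can gate a configuration-management step without relying on kmfcfg's own error handling after it has already opened the database.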
Plugin Subcommands
install keystore=keystore_name modulepath=pathname [option=option_str]
Install a plugin into the system. The modulepath field specifies
the pathname to a KMF plugin shared library object. If pathname is
not specified as an absolute pathname, shared library objects are
assumed to be relative to /lib/security/$ISA/. The ISA token is
replaced by an implementation defined directory name which defines
the pathname relative to the calling program's instruction set
architecture.
list plugin
Display KMF plugin information.
Without the plugin keyword, kmfcfg list shows the policy
information as described in the SUBCOMMANDS section.
modify plugin keystore=keystore_name option=option_str
Modify the plugin option. The plugin option is defined by the
plugin and is interpreted by the plugin specifically, therefore
this command accepts any option string.
Without the plugin keyword, kmfcfg modify updates the policy
configuration as described in the SUBCOMMANDS section.
uninstall keystore=keystore_name
Uninstall the plugin with the keystore_name.
EXAMPLES
Example 1 Creating a New Policy
The following example creates a new policy called IPSEC in the
user-defined database file ipsec.xml (omit dbfile to write to the
system database /etc/security/kmfpolicy.xml):
$ kmfcfg create dbfile=ipsec.xml policy=IPSEC \
ignore-trust-anchor=true \
ocsp-use-cert-responder=true \
keyusage=keyAgreement,keyEncipherment,dataEncipherment \
ekunames=ipsecTunnel,ipsecUser
Note that ignore-trust-anchor=true means certificates validated
under this policy are not checked against a trust anchor; use it
only where the calling application performs that check itself.
EXIT STATUS
The following exit values are returned:
0 Successful completion.
> 0 An error occurred.
FILES
/etc/security/kmfpolicy.xml
Default system policy database
ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
ATTRIBUTE TYPE        ATTRIBUTE VALUE
Availability          system/core-os
Interface Stability   Uncommitted
SEE ALSO
attributes(7)
HISTORY
The bypass-ipsec-policy, cert-revoke-responder-timeout, http-proxy,
http-proxy-none, ignore-cert-revoke-responder-timeout,
max-cert-path-length, and trust-intermediate-cas attributes were added
in Oracle Solaris 11.2.0.
The mapper-dir, mapper-name, mapper-path, and mapper-options attributes
were added in Solaris 11.0.
Plugin support, including the install, list plugin, modify plugin, and
uninstall subcommands, was added in Solaris 11.0.
The kmfcfg command and all other subcommands & attributes were added in
Solaris 10 8/07 (Update 4).
Oracle Solaris 11.4 21 Jun 2021 kmfcfg(1)