.\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH KMFCFG 1 "Feb 3, 2009"
.SH NAME
kmfcfg \- Key Management Policy and Plugin Configuration Utility
.SH SYNOPSIS
.nf
\fBkmfcfg\fR \fIsubcommand\fR [\fIoption\fR ...]
.fi
.SH DESCRIPTION
The \fBkmfcfg\fR command allows users to configure Key Management Framework
(KMF) policy databases. A KMF policy database (DB) restricts how keys and
certificates managed through the KMF framework may be used, and which
validation checks (dates, trust anchor, OCSP, CRL, key usage, extended key
usage) are applied to them.
.sp
\fBkmfcfg\fR provides the ability to list, create, modify, delete, import and
export policy definitions, either in the system default database file
\fB/etc/security/kmfpolicy.xml\fR or in a user-defined database file.
.sp
For plugin configuration, \fBkmfcfg\fR allows users to display plugin
information, install or uninstall a KMF plugin, and modify a plugin's option
string.
.SH SUBCOMMANDS
The following subcommands are supported:
.SS "create"
Adds a new policy to the policy database file.
.sp
The format for the \fBcreate\fR subcommand is as follows:
.sp
.nf
create [dbfile=\fIdbfile\fR] policy=\fIpolicyname\fR
    [ignore-date=true|false]
    [ignore-unknown-eku=true|false]
    [ignore-trust-anchor=true|false]
    [validity-adjusttime=\fIadjusttime\fR]
    [ta-name=\fItrust anchor subject DN\fR]
    [ta-serial=\fItrust anchor serial number\fR]
    [ocsp-responder=\fIURL\fR]
    [ocsp-proxy=\fIURL\fR]
    [ocsp-use-cert-responder=true|false]
    [ocsp-response-lifetime=\fItimelimit\fR]
    [ocsp-ignore-response-sign=true|false]
    [ocsp-responder-cert-name=\fIIssuer DN\fR]
    [ocsp-responder-cert-serial=\fIserial number\fR]
    [crl-basefilename=\fIbasefilename\fR]
    [crl-directory=\fIdirectory\fR]
    [crl-get-crl-uri=true|false]
    [crl-proxy=\fIURL\fR]
    [crl-ignore-crl-sign=true|false]
    [crl-ignore-crl-date=true|false]
    [keyusage=digitalSignature|nonRepudiation|keyEncipherment|
        dataEncipherment|keyAgreement|keyCertSign|cRLSign|
        encipherOnly|decipherOnly[,...]]
    [ekunames=serverAuth|clientAuth|codeSigning|emailProtection|
        ipsecEndSystem|ipsecTunnel|ipsecUser|timeStamping|
        OCSPSigning[,...]]
    [ekuoids=\fIOID,OID,OID...\fR]
.fi
.sp
The \fBcreate\fR subcommand supports the following options:
.TP
\fBcrl-basefilename=\fR\fIfilename\fR
.PD 0
.TP
\fBcrl-directory=\fR\fIdirectory\fR
.PD
These two attributes specify the location of CRL files. The
\fBcrl-basefilename\fR attribute is the base filename of a CRL file. The
\fBcrl-directory\fR attribute is the directory that holds CRL files; it
defaults to the current directory.
.sp
If \fBcrl-get-crl-uri\fR is \fBtrue\fR and \fBcrl-basefilename\fR is not
specified, the base filename of the cached CRL file is the basename of the URI
used to fetch the CRL.
.sp
If \fBcrl-get-crl-uri\fR is \fBfalse\fR, \fBcrl-basefilename\fR must be
specified to name an input CRL file. \fBcrl-get-crl-uri\fR is \fBfalse\fR by
default.
.sp
These two attributes apply only to the file-based CRL plugins. The current
file-based CRL plugins are the \fBfile\fR and \fBpkcs11\fR keystores. For the
\fBnss\fR keystore, the CRL location is always the NSS internal database.
.TP
\fBcrl-get-crl-uri=true | false\fR
Configures whether a CRL is fetched and cached dynamically during certificate
validation, using the URI from the certificate's CRL distribution points
extension. A CRL fetched this way is still subject to the CRL signature and
date checks unless those are disabled with \fBcrl-ignore-crl-sign\fR or
\fBcrl-ignore-crl-date\fR.
.sp
The default for this attribute is \fBfalse\fR.
.TP
\fBcrl-ignore-crl-date=true | false\fR
If \fBcrl-ignore-crl-date\fR is set to \fBtrue\fR, the validity time period of the
.sp
The default for this attribute is \fBfalse\fR.
.TP
\fBcrl-ignore-crl-sign=true | false\fR
If \fBcrl-ignore-crl-sign\fR is set to \fBtrue\fR, the signature of the CRL is
.sp
The default for this attribute is \fBfalse\fR.
.sp
Each of these two attributes disables a check that CRL-based revocation relies
on: a CRL whose signature or validity period is not checked gives no assurance
that it came from the issuer or is current. Leave both at \fBfalse\fR outside
of testing.
.TP
\fBcrl-proxy=\fR\fIURL\fR
Sets the proxy server name and port used to dynamically retrieve a CRL when
\fBcrl-get-crl-uri\fR is set to \fBtrue\fR.
.sp
The port number is optional. If it is not specified, the default is
\fB8080\fR. An example \fBcrl-proxy\fR setting might be:
\fBcrl-proxy=webcache.sfbay:8080\fR.
.TP
\fBdbfile=\fR\fIdbfile\fR
The DB file to which the new policy is added. If not specified, the default is
the system KMF policy database file \fB/etc/security/kmfpolicy.xml\fR.
.TP
\fBekuoids=\fR\fIEKUOIDS\fR
A comma-separated list of Extended Key Usage OIDs that are required by the
policy being defined. The OIDs are expressed in \fBdot notation\fR, for
example, \fB1.2.3.4\fR. An example \fBekuoids\fR setting might be:
\fBekuoids=1.2.3.4,9.8.7.6.5\fR.
.TP
\fBekunames=\fR\fIEKUNAMES\fR
A comma-separated list of Extended Key Usage names that are required by the
policy being defined. The values allowed for \fIEKUNAMES\fR are:
\fBserverAuth\fR, \fBclientAuth\fR, \fBcodeSigning\fR, \fBemailProtection\fR,
\fBipsecEndSystem\fR, \fBipsecTunnel\fR, \fBipsecUser\fR, \fBtimeStamping\fR,
and \fBOCSPSigning\fR.
.sp
OCSP, CRL, key usage and extended key usage checking are all off by default.
To turn one of them on, specify one or more attributes belonging to that
check. For example, if the \fBocsp-responder\fR attribute is set, OCSP
checking is turned on. If the \fBekunames\fR attribute or the \fBekuoids\fR
attribute is set, extended key usage checking is turned on.
.TP
\fBignore-date=true | false\fR
Set the \fBIgnore Date\fR option for this policy. By default this value is
\fBfalse\fR. If \fBtrue\fR is specified, the policy ignores the validity
periods defined in the certificates when evaluating their validity, so an
expired or not-yet-valid certificate is accepted.
.TP
\fBignore-unknown-eku=true | false\fR
Set the \fBIgnore Unknown EKU\fR option for this policy. By default this value
is \fBfalse\fR. If \fBtrue\fR, the policy ignores any unrecognized EKU values
in the Extended Key Usage extension.
.TP
\fBignore-trust-anchor=true | false\fR
Set the \fBIgnore Trust Anchor\fR option for this policy. By default this value
is \fBfalse\fR. If \fBtrue\fR is specified, the policy does not verify the
signature of the subject certificate using trust anchor certificate at
.TP
\fBkeyusage=\fR\fIKUVALUES\fR
A comma-separated list of key usage values that are required by the policy
being defined. The values allowed are: \fBdigitalSignature\fR,
\fBnonRepudiation\fR, \fBkeyEncipherment\fR, \fBdataEncipherment\fR,
\fBkeyAgreement\fR, \fBkeyCertSign\fR, \fBcRLSign\fR, \fBencipherOnly\fR,
and \fBdecipherOnly\fR.
.TP
\fBocsp-ignore-response-sign=true | false\fR
If this attribute is set to \fBtrue\fR, the signature of the OCSP response is
not verified. The default is \fBfalse\fR. Without signature verification
nothing ties a response to the responder, so leave this at \fBfalse\fR
outside of testing.
.TP
\fBocsp-proxy=\fR\fIURL\fR
Set the proxy server name and port for OCSP. The port number is optional. If
the port number is not specified, the default value is 8080. An example
\fBocsp-proxy\fR setting might be: \fBocsp-proxy="webcache.sfbay:8080"\fR.
.TP
\fBocsp-response-lifetime=\fR\fItimelimit\fR
Set the maximum age (the \fBfreshness\fR period) that an OCSP response may
have to be accepted. The \fItimelimit\fR is specified as \fInumber\fR-day,
\fInumber\fR-hour, \fInumber\fR-minute, or \fInumber\fR-second. An example
\fBocsp-response-lifetime\fR setting might be:
\fBocsp-response-lifetime=6-hour\fR.
.TP
\fBocsp-responder-cert-name=\fR\fIIssuerDN\fR
.PD 0
.TP
\fBocsp-responder-cert-serial=\fR\fIserialNumber\fR
.PD
These two attributes identify the OCSP responder certificate.
\fBocsp-responder-cert-name\fR specifies the issuer name of the certificate;
see the \fBta-name\fR option for the DN format.
\fBocsp-responder-cert-serial\fR is the serial number and must be specified
as a hex value, for example, \fB0x0102030405060708090a0b0c0d0e0f\fR. If the
OCSP responder is not the issuer of the certificate and the OCSP response
needs to be verified, an OCSP responder certificate information should
.TP
\fBocsp-responder=\fR\fIURL\fR
Set the OCSP responder URL for use with the OCSP validation method. For
example, \fBocsp-responder=http://ocsp.verisign.com/ocsp/status\fR
.TP
\fBocsp-use-cert-responder=true | false\fR
Configure this policy to always use the responder defined in the certificate
.TP
\fBpolicy=\fR\fIpolicyname\fR
The policy record to be created. \fIpolicyname\fR is required.
.TP
\fBvalidity-adjusttime=\fR\fIadjusttime\fR
Set the adjustment applied to both ends of a certificate's validity period
(a tolerance for clock differences between systems), so that the certificate
is accepted for up to \fIadjusttime\fR before the start and after the end of
that period. The time is specified as \fInumber\fR-day, \fInumber\fR-hour,
\fInumber\fR-minute, or \fInumber\fR-second. An example
\fBvalidity-adjusttime\fR setting might be: \fBvalidity-adjusttime=6-hour\fR.
.TP
\fBta-name=\fR"\fISubject DN\fR"
.PD 0
.TP
\fBta-serial=\fR\fIserialNumber\fR
.PD
These two attributes identify the trust anchor (TA) certificate and are used to
find it in the keystore. \fBta-name\fR specifies the distinguished name of the
trust anchor certificate's subject. For example,
\fBta-name="O=Sun Microsystems Inc., OU=Solaris Security Technologies Group,
L=Ashburn, ST=VA, C=US, CN=John Smith"\fR. \fBta-serial\fR is the serial
number of the TA certificate; together with the subject DN it is used to find
the TA certificate in the keystore. The serial number must be specified as a
hex value, for example, \fB0x0102030405060708090a0b0c0d0e\fR. The trust
anchor attributes need to be set if the value of the \fBignore-trust-anchor\fR
attribute
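The following is an added worked example, not code from kmfcfg or libkmf, showing how the three time-related attributes above interact: validity-adjusttime widens the certificate validity window at both ends, ignore-date skips that check entirely, and ocsp-response-lifetime bounds the age of an OCSP response that will be accepted. The timelimit syntax (number-day, number-hour, number-minute, number-second) is the one documented on this page; the function names, the constructed timestamps, and the decision to also reject a response dated in the future are assumptions of this example.

```python
# Added example: the time semantics of validity-adjusttime, ignore-date and
# ocsp-response-lifetime. Not libkmf code; function names and sample dates
# are assumptions, the timelimit grammar is the one the man page documents.
from datetime import datetime, timedelta, timezone

_UNIT_SECONDS = {"day": 86400, "hour": 3600, "minute": 60, "second": 1}


def parse_timelimit(text):
    """Parse the kmfcfg time syntax number-day|hour|minute|second, e.g. '6-hour'."""
    count, sep, unit = text.strip().partition("-")
    if not sep or not count.isdigit() or unit not in _UNIT_SECONDS:
        raise ValueError(f"bad timelimit {text!r}; expected e.g. 6-hour or 30-minute")
    return timedelta(seconds=int(count) * _UNIT_SECONDS[unit])


def cert_dates_acceptable(not_before, not_after, now, adjusttime="0-second",
                          ignore_date=False):
    """Apply ignore-date and validity-adjusttime as the policy attributes
    describe: the adjustment is applied to both ends of the validity period."""
    if ignore_date:
        return True  # policy skips the date check altogether
    slack = parse_timelimit(adjusttime)
    return (not_before - slack) <= now <= (not_after + slack)


def ocsp_response_fresh(produced_at, now, lifetime):
    """Accept an OCSP response only if it is no older than ocsp-response-lifetime.
    A response dated in the future is rejected too (a choice of this example)."""
    age = now - produced_at
    return timedelta(0) <= age <= parse_timelimit(lifetime)


# Constructed scenario, not real certificate data: a certificate that expired
# 30 minutes ago, evaluated under three policy settings, plus two OCSP
# responses of different age checked against a 6-hour lifetime.
NOW = datetime(2009, 2, 3, 12, 0, tzinfo=timezone.utc)
NOT_BEFORE = NOW - timedelta(days=365)
NOT_AFTER = NOW - timedelta(minutes=30)


def demo():
    return {
        "strict": cert_dates_acceptable(NOT_BEFORE, NOT_AFTER, NOW),
        "adjust_1_hour": cert_dates_acceptable(NOT_BEFORE, NOT_AFTER, NOW,
                                               adjusttime="1-hour"),
        "ignore_date": cert_dates_acceptable(NOT_BEFORE, NOT_AFTER, NOW,
                                             ignore_date=True),
        "ocsp_7h_old": ocsp_response_fresh(NOW - timedelta(hours=7), NOW, "6-hour"),
        "ocsp_5h_old": ocsp_response_fresh(NOW - timedelta(hours=5), NOW, "6-hour"),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accept' if accepted else 'reject'}")
```

The "adjust_1_hour" case accepts the expired certificate because the 1-hour adjustment outlasts the 30-minute overrun. Keep validity-adjusttime at the smallest value that covers real clock skew; a large value is a quieter form of ignore-date.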
.SS "delete"
Deletes any policy matching the indicated policy name. The system default
policy (\fBdefault\fR) cannot be deleted.
.sp
The format for the \fBdelete\fR subcommand is as follows:
.sp
.nf
delete [dbfile=\fIdbfile\fR] policy=\fIpolicyname\fR
.fi
.sp
The \fBdelete\fR subcommand supports the following options:
.TP
\fBdbfile=\fR\fIdbfile\fR
Read policy definitions from the indicated file. If \fIdbfile\fR is not
specified, the default is the system KMF policy database file:
\fB/etc/security/kmfpolicy.xml\fR.
.TP
\fBpolicy=\fR\fIpolicyname\fR
The name of the policy to delete. \fIpolicyname\fR is required, if using the
.SS "export"
Exports a policy from one policy database file to another policy database file.
.sp
The format for the \fBexport\fR subcommand is as follows:
.sp
.nf
kmfcfg export policy=\fIpolicyname\fR outfile=\fInewdbfile\fR [dbfile=\fIdbfile\fR]
.fi
.sp
The \fBexport\fR subcommand supports the following options:
.TP
\fBdbfile=\fR\fIdbfile\fR
The DB file from which the exported policy is read. If \fIdbfile\fR is not
specified, the default is the system KMF policy database file:
\fB/etc/security/kmfpolicy.xml\fR.
.TP
\fBoutfile=\fR\fIoutputdbfile\fR
The DB file in which the exported policy is stored.
.TP
\fBpolicy=\fR\fIpolicyname\fR
The policy record to be exported.
.SS "help"
Displays help for the \fBkmfcfg\fR command.
.sp
The format for the \fBhelp\fR subcommand is as follows:
.sp
.nf
kmfcfg help
.fi
.SS "import"
Imports a policy from one policy database file to another policy database file.
.sp
The format for the \fBimport\fR subcommand is as follows:
.sp
.nf
kmfcfg import policy=\fIpolicyname\fR infile=\fIinputdbfile\fR [dbfile=\fIdbfile\fR]
.fi
.sp
The \fBimport\fR subcommand supports the following options:
.TP
\fBpolicy=\fR\fIpolicyname\fR
The policy record to be imported.
.TP
\fBinfile=\fR\fIinputdbfile\fR
The DB file from which the policy is read.
.TP
\fBdbfile=\fR\fIoutdbfile\fR
The DB file to which the imported policy is added. If not specified, the
default is the system KMF policy database file
\fB/etc/security/kmfpolicy.xml\fR.
.SS "list"
Without arguments, lists all policy definitions from the default system
.sp
The format for the \fBlist\fR subcommand is as follows:
.sp
.nf
list [dbfile=\fIdbfile\fR] [policy=\fIpolicyname\fR]
.fi
.sp
The \fBlist\fR subcommand supports the following options:
.TP
\fBdbfile=\fR\fIdbfile\fR
Reads policy definitions from the indicated file. If not specified, the default
is the system KMF policy database file \fB/etc/security/kmfpolicy.xml\fR.
.TP
\fBpolicy=\fR\fIpolicyname\fR
Only display the policy definition for the named policy.
.SS "modify"
Modifies any policy matching the indicated name. The system default policy
(\fBdefault\fR) cannot be modified.
.sp
The format for the \fBmodify\fR subcommand is as follows:
.sp
.nf
modify [dbfile=\fIdbfile\fR] policy=\fIpolicyname\fR
    [ignore-date=true|false]
    [ignore-unknown-eku=true|false]
    [ignore-trust-anchor=true|false]
    [validity-adjusttime=\fIadjusttime\fR]
    [ta-name=\fItrust anchor subject DN\fR]
    [ta-serial=\fItrust anchor serial number\fR]
    [ocsp-responder=\fIURL\fR]
    [ocsp-proxy=\fIURL\fR]
    [ocsp-use-cert-responder=true|false]
    [ocsp-response-lifetime=\fItimelimit\fR]
    [ocsp-ignore-response-sign=true|false]
    [ocsp-responder-cert-name=\fIIssuer DN\fR]
    [ocsp-responder-cert-serial=\fIserial number\fR]
    [ocsp-none=true|false]
    [crl-basefilename=\fIbasefilename\fR]
    [crl-directory=\fIdirectory\fR]
    [crl-get-crl-uri=true|false]
    [crl-proxy=\fIURL\fR]
    [crl-ignore-crl-sign=true|false]
    [crl-ignore-crl-date=true|false]
    [crl-none=true|false]
    [keyusage=digitalSignature|nonRepudiation|keyEncipherment|
        dataEncipherment|keyAgreement|keyCertSign|cRLSign|
        encipherOnly|decipherOnly[,...]]
    [keyusage-none=true|false]
    [ekunames=serverAuth|clientAuth|codeSigning|emailProtection|
        ipsecEndSystem|ipsecTunnel|ipsecUser|timeStamping|
        OCSPSigning[,...]]
    [ekuoids=\fIOID,OID,OID...\fR]
    [eku-none=true|false]
.fi
.sp
The \fBmodify\fR subcommand supports many of the same options as the
\fBcreate\fR subcommand. For descriptions of the shared options, see
\fBcreate\fR.
.sp
The \fBmodify\fR subcommand supports the following unique options:
.TP
\fBcrl-none=true | false\fR
If \fBcrl-none\fR is set to \fBtrue\fR, CRL checking is turned off. When this
attribute is \fBtrue\fR, no other CRL attribute can be set.
.TP
\fBdbfile=\fR\fIdbfile\fR
The database file in which to modify the policy. If not specified, the default
is the system KMF policy database file \fB/etc/security/kmfpolicy.xml\fR.
.TP
\fBeku-none=true | false\fR
If \fBeku-none\fR is set to \fBtrue\fR, extended key usage checking is turned
off. The extended key usage attributes \fBekunames\fR and \fBekuoids\fR cannot
be set at the same time as \fBeku-none=true\fR.
.TP
\fBkeyusage-none=true | false\fR
If \fBkeyusage-none\fR is set to \fBtrue\fR, key usage checking is turned off.
The \fBkeyusage\fR attribute cannot be set at the same time as
\fBkeyusage-none=true\fR.
.TP
\fBocsp-none=true | false\fR
If \fBocsp-none\fR is set to \fBtrue\fR, OCSP checking is turned off. No other
OCSP attribute can be set at the same time as \fBocsp-none=true\fR.
.TP
\fBpolicy=\fR\fIpolicyname\fR
The name of the policy to modify. \fIpolicyname\fR is required.
The \fBdefault\fR policy in the system KMF policy database cannot be modified.
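Because \fBkmfcfg create\fR and \fBkmfcfg modify\fR take a long list of key=value attributes and the constraints above are easy to get wrong (policy= is required; the *-none switches exist only for modify and exclude the rest of their family; ta-serial and ocsp-responder-cert-serial must be hex; keyusage and ekunames accept only the listed names; several attributes switch a validation step off), the following added example lints an argument list before the command is run. It is not part of kmfcfg and applies only the rules stated on this page; the function names and the constructed argument lists are assumptions. It also reports which checks (OCSP, CRL, key usage, extended key usage) the command turns on, following the rule that a check is off until one of its attributes is given.

```python
# Added example: a pre-flight linter for kmfcfg create/modify argument lists.
# Not part of kmfcfg; it only encodes the constraints documented on the page
# and never runs the command. Function names are this example's own.
import re

KEY_USAGES = {"digitalSignature", "nonRepudiation", "keyEncipherment",
              "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
              "encipherOnly", "decipherOnly"}
EKU_NAMES = {"serverAuth", "clientAuth", "codeSigning", "emailProtection",
             "ipsecEndSystem", "ipsecTunnel", "ipsecUser", "timeStamping",
             "OCSPSigning"}
BOOL_ATTRS = {"ignore-date", "ignore-unknown-eku", "ignore-trust-anchor",
              "ocsp-use-cert-responder", "ocsp-ignore-response-sign",
              "crl-get-crl-uri", "crl-ignore-crl-sign", "crl-ignore-crl-date",
              "ocsp-none", "crl-none", "keyusage-none", "eku-none"}
OTHER_ATTRS = {"dbfile", "policy", "validity-adjusttime", "ta-name", "ta-serial",
               "ocsp-responder", "ocsp-proxy", "ocsp-response-lifetime",
               "ocsp-responder-cert-name", "ocsp-responder-cert-serial",
               "crl-basefilename", "crl-directory", "crl-proxy",
               "keyusage", "ekunames", "ekuoids"}
# Attributes that switch a validation step off when set to true.
WEAKENING = {"ignore-date", "ignore-trust-anchor", "ignore-unknown-eku",
             "ocsp-ignore-response-sign", "crl-ignore-crl-sign",
             "crl-ignore-crl-date"}
# modify-only switches and the attribute family each one excludes.
NONE_SWITCHES = {"ocsp-none": ("ocsp-",), "crl-none": ("crl-",),
                 "keyusage-none": ("keyusage",),
                 "eku-none": ("ekunames", "ekuoids")}
# Families whose checking is turned on by the presence of any member.
FAMILIES = {"OCSP": ("ocsp-",), "CRL": ("crl-",), "key usage": ("keyusage",),
            "extended key usage": ("ekunames", "ekuoids")}
TIMELIMIT = re.compile(r"^\d+-(day|hour|minute|second)$")
HEX_SERIAL = re.compile(r"^0x[0-9a-fA-F]+$")
OID = re.compile(r"^\d+(\.\d+)+$")


def parse_args(args):
    """Split kmfcfg's key=value tokens into a dict; duplicates are an error."""
    attrs = {}
    for tok in args:
        key, sep, value = tok.partition("=")
        if not sep or not key:
            raise ValueError(f"expected key=value, got {tok!r}")
        if key in attrs:
            raise ValueError(f"attribute {key} given twice")
        attrs[key] = value
    return attrs


def lint(subcommand, args):
    """Return {"errors", "warnings", "enables"} for `kmfcfg <subcommand> args...`."""
    errors, warnings, enables = [], [], []
    try:
        attrs = parse_args(args)
    except ValueError as exc:
        return {"errors": [str(exc)], "warnings": [], "enables": []}
    if subcommand not in ("create", "modify"):
        errors.append(f"unsupported subcommand {subcommand}")
    if "policy" not in attrs:
        errors.append("policy=<policyname> is required")
    for key, value in attrs.items():
        if key not in BOOL_ATTRS and key not in OTHER_ATTRS:
            errors.append(f"unknown attribute {key}")
        elif key in BOOL_ATTRS and value not in ("true", "false"):
            errors.append(f"{key} must be true or false")
        elif key in NONE_SWITCHES and subcommand != "modify":
            errors.append(f"{key} is only valid with modify")
        elif key == "keyusage":
            bad = set(value.split(",")) - KEY_USAGES
            if bad:
                errors.append(f"keyusage: unknown value(s) {sorted(bad)}")
        elif key == "ekunames":
            bad = set(value.split(",")) - EKU_NAMES
            if bad:
                errors.append(f"ekunames: unknown value(s) {sorted(bad)}")
        elif key == "ekuoids":
            if not all(OID.match(o) for o in value.split(",")):
                errors.append("ekuoids must be dotted OIDs such as 1.2.3.4")
        elif key in ("ta-serial", "ocsp-responder-cert-serial"):
            if not HEX_SERIAL.match(value):
                errors.append(f"{key} must be a hex value such as 0x0102")
        elif key in ("validity-adjusttime", "ocsp-response-lifetime"):
            if not TIMELIMIT.match(value):
                errors.append(f"{key} must look like 6-hour or 30-minute")
        if key in WEAKENING and value == "true":
            warnings.append(f"{key}=true disables a validation step")
    # On modify, a *-none switch excludes the rest of its attribute family.
    for switch, family in NONE_SWITCHES.items():
        if attrs.get(switch) == "true":
            clash = [k for k in attrs if k != switch and k.startswith(family)]
            if clash:
                errors.append(f"{switch}=true cannot be combined with {clash}")
    # A check is off until one of its attributes (other than *-none) is given.
    for name, prefixes in FAMILIES.items():
        if any(k.startswith(prefixes) and not k.endswith("-none") for k in attrs):
            enables.append(name)
    return {"errors": errors, "warnings": warnings, "enables": enables}


if __name__ == "__main__":
    # Constructed argument list mirroring Example 1 of this page.
    print(lint("create", ["policy=IPSEC", "ignore-trust-anchor=true",
                          "ocsp-use-cert-responder=true",
                          "keyusage=keyAgreement,keyEncipherment,dataEncipherment",
                          "ekunames=ipsecTunnel,ipsecUser"]))
```

Run against the argument list of Example 1 below, the linter reports no errors, one warning (ignore-trust-anchor=true) and that OCSP, key usage and extended key usage checking are turned on; CRL checking stays off because no crl-* attribute is given.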
.SS "Plugin Subcommands"
.TP
\fBinstall keystore=\fR\fIkeystore_name\fR \fBmodulepath=\fR\fIpathname\fR \fB[option=\fR\fIoption_str\fR\fB]\fR
Install a plugin into the system. The \fBmodulepath\fR field specifies the
pathname of a KMF plugin shared library object. If \fIpathname\fR is not an
absolute pathname, the shared library object is assumed to be relative to
\fB/lib/security/$ISA/\fR. The \fBISA\fR token is replaced by an
implementation-defined directory name that selects the pathname according to
the calling program's instruction set architecture.
.sp
Because the plugin is a shared library loaded by callers of KMF, install only
modules from a trusted source and keep them where unprivileged users cannot
replace them.
.TP
\fBlist plugin\fR
Display KMF plugin information.
.sp
Without the \fBplugin\fR keyword, \fBkmfcfg list\fR shows the policy information
as described in the \fBSUBCOMMANDS\fR section.
.TP
\fBmodify plugin keystore=\fR\fIkeystore_name\fR \fBoption=\fR\fIoption_str\fR
Modify the plugin's option string. The option is defined by the plugin and is
interpreted by the plugin itself, so this command accepts any option string.
.sp
Without the \fBplugin\fR keyword, \fBkmfcfg modify\fR updates the policy
configuration as described in the \fBSUBCOMMANDS\fR section.
.TP
\fBuninstall keystore=\fR\fIkeystore_name\fR
Uninstall the plugin registered as \fIkeystore_name\fR.
.SH EXAMPLES
\fBExample 1 \fRCreating a New Policy
.sp
The following example creates a new policy called IPSEC in the system database.
The policy requires the listed key usages and IPsec extended key usages and
uses the OCSP responder named in the certificate. Note that
\fBignore-trust-anchor=true\fR turns off verification against a trust anchor;
see the option description above before using it.
.sp
.nf
$ kmfcfg create policy=IPSEC \e
    ignore-trust-anchor=true \e
    ocsp-use-cert-responder=true \e
    keyusage=keyAgreement,keyEncipherment,dataEncipherment \e
    ekunames=ipsecTunnel,ipsecUser
.fi
.SH EXIT STATUS
The following exit values are returned:
.TP
\fB0\fR
Successful completion.
.SH FILES
.TP
\fB/etc/security/kmfpolicy.xml\fR
Default system policy database
.SH ATTRIBUTES
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp
.nf
ATTRIBUTE TYPE        ATTRIBUTE VALUE
Interface Stability   Uncommitted
.fi