User Commands kmfcfg(1)
NAME
kmfcfg - Key Management Policy and Plugin Configuration
Utility
SYNOPSIS
kmfcfg subcommand [option ...]
DESCRIPTION
The kmfcfg command allows users to configure Key Management
Framework (KMF) policy databases. The KMF policy database
(DB) restricts the use of keys and certificates that are
managed through the KMF framework.
kmfcfg provides the ability to list, create, modify, delete,
import and export policy definitions either in the system
default database file /etc/security/kmfpolicy.xml or a
user-defined database file.
For plugin configuration, kmfcfg allows users to display
plugin information, install or uninstall a KMF plugin, and
modify the plugin option.
SUBCOMANDS
The following subcommands are supported:
create
Adds a new policy into the policy database file.
The format for the create subcommand is as follows:
create [dbfile=dbfile] policy=policyname
[ignore-date=truefalse]
[ignore-unknown-eku=truefalse]
[ignore-trust-anchor=truefalse]
[validity-adjusttime=adjusttime]
[ta-name=trust anchor subject DN]
[ta-serial=trust anchor serial number]
[ocsp-responder=URL]
[ocsp-proxy=URL]
[ocsp-use-cert-responder=truefalse]
[ocsp-response-lifetime=timelimit]
[ocsp-ignore-response-sign=truefalse]
[ocsp-responder-cert-name=Issuer DN]
[ocsp-responder-cert-serial=serial number]
[crl-basefilename=basefilename]
[crl-directory=directory]
[crl-get-crl-uri=truefalse]
[crl-proxy=URL]
SunOS 5.11 Last change: 3 Feb 2009 1
User Commands kmfcfg(1)
[crl-ignore-crl-sign=truefalse]
[crl-ignore-crl-date=truefalse]
[keyusage=digitalSignaturenonRepudiation
keyEncipherment dataEncipherment
keyAgreement keyCertSign
cRLSign encipherOnly decipherOnly],[...]
[ekunames=serverAuth clientAuth
codeSigning emailProtection
ipsecEndSystem ipsecTunnel
ipsecUser timeStamping
OCSPSigning],[...]
[ekuoids=OID,OID,OID...]
The create subcommand supports the following options:
crl-basefilename=filename
crl-directory=directory
These two attributes are used to specify the loca-
tion for CRL files. The crl-basefilename attribute
represents the base filename for a CRL file. The
crl-directory attribute represents the directory for
CRL files, which defaults to the current directory.
If the crl-get-crl-uri attribute is set to true and
the crl-basefilename is not specified, the base-
filename for the cached CRL file is the basename of
the URI used to fetch the CRL file.
If the crl-get-crl-uri attribute is set to false the
crl-basefilename needs to be specified to indicate
an input CRL file. The setting for crl-get-crl-uri
is false by default.
These two attributes only apply to the file-based
CRL plugins. The current file-based CRL plugins are
file and pkcs11 keystores. For the nss keystore, the
CRL location is always the NS internal database.
crl-get-crl-uri=true false
Configure if a CRL file is fetched and cached dynam-
ically as part of the certificate validation, using
the URI information from the certificate's distribu-
tion points extension.
The default for this attribute is false.
SunOS 5.11 Last change: 3 Feb 2009 2
User Commands kmfcfg(1)
crl-ignore-crl-date=true false
If crl-ignore-crl-date is set to true, the validity
time period of the CRL is not checked.
The default for this attribute is false.
crl-ignore-crl-sign=true false
If crl-ignore-crl-sign is set to true, the signature
of the CRL is not checked.
The default for this attribute is false.
crl-proxy= URL
Sets the proxy server name and port for dynamically
retrieving a CRL file when crl-get-crl-uri is set to
true.
The port number is optional. If the port number is
not specified, the default value is 8080. An example
crl-proxy setting might be: crl-
proxy=webcache.sfbay:8080.
dbfile=dbfile
The DB file to add the new policy. If not specified,
the default is the system KMF policy database file
/etc/security/kmfpolicy.xml.
ekuoids=EKUOIDS
A comma separated list of Extended Key Usage OIDs
that are required by the policy being defined. The
OIDs are expressed in dot notation, for example,
1.2.3.4. An example ekuoids setting might be:
ekuoids=1.2.3.4,9.8.7.6.5.
ekunames=EKUNAMES
A comma separated list of Extended Key Usage names
that are required by the policy being defined. The
list of values allowed for EKUNAMES are: serverAuth,
clientAuth, codeSigning, emailProtection,
ipsecEndSystem, ipsecTunnel, ipsecUser, timeStamp-
ing, and OCSPSigning
SunOS 5.11 Last change: 3 Feb 2009 3
User Commands kmfcfg(1)
The OCSP, CRL, key usage and extended key usage
checkings are off by default. To turn on any one of
them, specify one or more attributes for the partic-
ular checking. For example, if the ocsp-responder
attribute is set, then the OCSP checking is turned
on. If the ekuname attribute or the ekuoids attri-
bute is set, then the extended key usage checking is
turned on.
ignore-date=true false
Set the Ignore Date option for this policy. By
default this value is false. If true is specified,
the policy ignores the validity periods defined in
the certificates when evaluating their validity.
ignore-unknown-eku=true false
Set the Ignore Unknown EKU option for this policy.
By default this value is false. If true, the policy
ignores any unrecognized EKU values in the Extended
Key Usage extension.
ignore-trust-anchor=true false
Set the Ignore Trust Anchor option for this policy.
By default this value is false. If true is speci-
fied, the policy does not verify the signature of
the subject certificate using trust anchor certifi-
cate at validation.
keyusage=KUVALUES
A comma separated list of key usage values that are
required by the policy being defined. The list of
values allowed are: digitalSignature, nonRepudia-
tion, keyEncipherment, dataEncipherment, keyAgree-
ment, keyCertSign, cRLSign, encipherOnly, deci-
pherOnly
ocsp-ignore-response-sign=true false
If this attribute is set to true, the signature of
the OCSP response is not verified. This attribute
value is default to false.
SunOS 5.11 Last change: 3 Feb 2009 4
User Commands kmfcfg(1)
ocsp-proxy=URL
Set the proxy server name and port for OCSP. The
port number is optional. If the port number is not
specified, the default value is 8080. An example
ocsp-proxy setting might be: ocsp-
proxy="webcache.sfbay:8080"
ocsp-response-lifetime=timelimit
Set the freshness period that a response must be.
The timelimit can be specified by number-day,
number-hour, number-minute, or number-second. An
example ocsp-response-lifetime setting might
be:ocsp-response-lifetime=6-hour.
ocsp-responder-cert-name=IssuerDN
ocsp-responder-cert-serial=serialNumber
These two attributes represent the OCSP responder
certificate. The ocsp-responder-cert-name is to
specify the issuer name of the certificate. See the
ta-name option for example. The ocsp-responder-
cert-serial is for the serial number and must be
specified as a hex value, for example,
0x0102030405060708090a0b0c0d0e0f. If an OCSP
responder is different from the issuer of the certi-
ficate and if the OCSP response needs to be veri-
fied, an OCSP responder certificate information
should be provided.
ocsp-responder=URL
Set the OCSP responder URL for use with the OCSP
validation method. For example, ocsp-
responder=http:/ocsp.verisign.com/ocsp/status
ocsp-use-cert-responder=true false
Configure this policy to always use the responder
defined in the certificate itself if possible.
policy=policyname
The policy record to be created. policyname is
required.
SunOS 5.11 Last change: 3 Feb 2009 5
User Commands kmfcfg(1)
validity-adjusttime=adjusttime
Set the adjust time for both ends of validity period
for a certificate. The time can be specified by
number-day, number-hour, number-minute, or number-
second. An example validity-adjusttime setting might
be: validity-adjusttime=6-hour. ta-name="Subject DN"
ta-serial=serialNumber
These two attributes represent the trust anchor cer-
tificate and are used to find the trust anchor cer-
tificate in the keystore. The ta-name is to specify
the distinguished name of the trust anchor certifi-
cate subject name. For example, ta-name="O=Sun
Microsystems Inc., OU=Solaris Security Technologies
Group, L=Ashburn, ST=VA, C=US, CN=John Smith" The
serial number of the TA certificate. This, along
with the Issuer DN, is used to find the TA certifi-
cate in the keystore. The serial number must be
specified as a hex value, for example,
0x0102030405060708090a0b0c0d0e The trust anchor
attributes need to be set, if the value of ignore-
trust-anchor attribute is false.
delete
Deletes any policy matching the indicated policy name.
The system default policy (default) cannot be deleted.
The format for the delete subcommand is as follows:
delete [dbfile=dbfile] policy=policyname
The delete subcommand supports the following options:
dbfile=dbfile Read policy definitions from the
indicated file. If dbfile is not
specified, , the default is the
system KMF policy database file:
/etc/security/kmfpolicy.xml.
policy=policyname The name of the policy to delete.
policyname is required, if using
the system database.
SunOS 5.11 Last change: 3 Feb 2009 6
User Commands kmfcfg(1)
export
Exports a policy from one policy database file to
another policy database file.
The format for the export subcommand is as follows:
kmfcfg export policy=policyname outfile=newdbfile [dbfile=dbfile]
The export subcommand supports the following options:
dbfile=dbfile The DB file where the exported
policy is read. If dbfile is not
specified, the default is the
system KMF policy database file:
/etc/security/kmfpolicy.xml.
outfile=outputdbfile The DB file where the exported
policy is stored.
policy=policyname The policy record to be
exported.
help
Displays help for the kmfcfg command.
The format for the help subcommand is as follows:
help
import
Imports a policy from one policy database file to
another policy database file.
The format for the import subcommand is as follows:
kmfcfg import policy=policyname infile=inputdbfile [dbfile=dbfile]
The import subcommand supports the following options:
SunOS 5.11 Last change: 3 Feb 2009 7
User Commands kmfcfg(1)
policy=policyname The policy record to be imported.
infile=inputdbfile The DB file to read the policy
from.
dbfile=outdbfile The DB file to add the new policy.
If not specified, the default is
the system KMF policy database
file /etc/security/kmfpolicy.xml.
list
Without arguments, lists all policy definitions from the
default system database.
The format for the list subcommand is as follows:
list [dbfile=dbfile] [policy=policyname]
The list subcommand supports the following options:
dbfile=dbfile Reads policy definitions from the
indicated file. If not specified,
the default is the system KMF pol-
icy database file
/etc/security/kmfpolicy.xml.
policy=policyname Only display policy definition for
the named policy.
modify
Modifies any policy matching the indicated name. The
system default policy (default) cannot be modified.
The format for the modify subcommand is as follows:
modify [dbfile=dbfile] policy=policyname
[ignore-date=truefalse]
[ignore-unknown-eku=truefalse]
[ignore-trust-anchor=truefalse]
[validity-adjusttime=adjusttime]
[ta-name=trust anchor subject DN]
[ta-serial=trust anchor serial number]
SunOS 5.11 Last change: 3 Feb 2009 8
User Commands kmfcfg(1)
[ocsp-responder=URL]
[ocsp-proxy=URL]
[ocsp-use-cert-responder=truefalse]
[ocsp-response-lifetime=timelimit]
[ocsp-ignore-response-sign=truefalse]
[ocsp-responder-cert-name=Issuer DN]
[ocsp-responder-cert-serial=serial number]
[ocsp-none=truefalse]
[crl-basefilename=basefilename]
[crl-directory=directory]
[crl-get-crl-uri=truefalse]
[crl-proxy=URL]
[crl-ignore-crl-sign=truefalse]
[crl-ignore-crl-date=truefalse]
[crl-none=truefalse]
[keyusage=digitalSignature nonRepudiation
keyEncipherment dataEncipherment
keyAgreement keyCertSign
cRLSign encipherOnly decipherOnly],[...]
[keyusage-none=truefalse]
[ekunames=serverAuth clientAuth
codeSigning emailProtection
ipsecEndSystem ipsecTunnel
ipsecUser timeStamping
OCSPSigning],[...]
[ekuoids=OID,OID,OID]
[eku-none=truefalse]
The modify subcommand supports many of the same options
as the create subcommand. For descriptions of shared
options, see the create subcommand.
The modify subcommand supports the following unique
options:
crl-none=true false If crl-none is set to
true, CRL checking is
turned off. If this attri-
bute is set to true, other
CRL attributes cannot be
set.
dfile=[dbfile] The database file to
modify a policy. If not
specified, the default is
the system KMF policy
database file
/etc/security/kmfpolicy.xml.
SunOS 5.11 Last change: 3 Feb 2009 9
User Commands kmfcfg(1)
eku-none=true false If eku-none is set to
true, extended key usage
checking is turned off.
The extended key usage
attributes, ekuname and
ekuoids cannot be set at
the same time if eku-none
is set to true.
keyusage-none=true false If keyusage-none is set to
true, key usage checking
is turned off.
The keyusage attribute
cannot be set at the same
time if this attribute is
set to true.
ocsp-none=true false If ocsp-none is set to
true, OCSP checking is
turned off. Any other OCSP
attribute is not set at
the same time if this
attribute is set to true.
policy=policyname The name of the policy to
modify. policyname is
required. Thedefaultpolicy
in the system KMF policy
database cannot be modi-
fied.
Plugin Subcommands
install keystore=keystorename modulepath=pathname\
[option=optionstr]
Install a plugin into the system. The modulepath field
specifies the pathname to a KMF plugin shared library
object. If pathname is not specified as an absolute
pathname, shared library objects are assumed to be rela-
tive to /lib/security/$ISA/. The ISA token is replaced
by an implementation defined directory name which
defines the pathname relative to the calling program's
instruction set architecture.
SunOS 5.11 Last change: 3 Feb 2009 10
User Commands kmfcfg(1)
list plugin
Display KMF plugin information.
Without the pluginkeyword, kmfcfg list shows the policy
information as described in the SUBCOMANDS section.
modify plugin keystore=keystorename option=optionstr
Modify the plugin option. The plugin option is defined
by the plugin and is interpreted by the plugin specifi-
cally, therefore this command accepts any option string.
Without the plugin keyword, kmfcfg modify updates the
policy configuration as described in the SUBCOMANDS
section.
uninstall keystore=keystorename
Uninstall the plugin with the keystorename.
EXAMPLES
Example 1 Creating a New Policy
The following example creates a new policy called IPSEC in
the system database:
$ kmfcfg create IPSEC \
ignore-trust-anchor=true \
ocsp-use-cert-responder=true \
keyusage=keyAgreement,keyEncipherment,dataEncipherment \
ekuname=ipsecTunnel,ipsecUser
EXIT STATUS
The following exit values are returned:
0 Successful completion.
>0 An error occurred.
FILES
/etc/security/kmfpolicy.xml
SunOS 5.11 Last change: 3 Feb 2009 11
User Commands kmfcfg(1)
Default system policy database
ATRIBUTES
See attributes(5) for descriptions of the following attri-
butes:
ATRIBUTE TYPE ATRIBUTE VALUE
Availability SUNWcsu
Interface Stability Uncommitted
SEE ALSO
attributes(5)
SunOS 5.11 Last change: 3 Feb 2009 12
|
