KMFCFG(1) User Commands KMFCFG(1)
NAME
kmfcfg - Key Management Policy and Plugin Configuration Utility
SYNOPSIS
kmfcfg subcommand [
option ...]
DESCRIPTION
The
kmfcfg command allows users to configure Key Management Framework
(KMF) policy databases. The KMF policy database (DB) restricts the
use of keys and certificates that are managed through the KMF
framework.
kmfcfg provides the ability to list, create, modify, delete, import
and export policy definitions either in the system default database
file
/etc/security/kmfpolicy.xml or a user-defined database file.
For plugin configuration,
kmfcfg allows users to display plugin
information, install or uninstall a KMF plugin, and modify the plugin
option.
SUBCOMMANDS
The following subcommands are supported:
create Adds a new policy into the policy database file.
The format for the
create subcommand is as follows:
create [dbfile=
dbfile] policy=
policyname [ignore-date=true|false]
[ignore-unknown-eku=true|false]
[ignore-trust-anchor=true|false]
[validity-adjusttime=
adjusttime]
[ta-name=trust anchor subject DN]
[ta-serial=trust anchor serial number]
[ocsp-responder=
URL]
[ocsp-proxy=
URL]
[ocsp-use-cert-responder=true|false]
[ocsp-response-lifetime=timelimit]
[ocsp-ignore-response-sign=true|false]
[ocsp-responder-cert-name=Issuer DN]
[ocsp-responder-cert-serial=
serial number]
[crl-basefilename=
basefilename]
[crl-directory=
directory]
[crl-get-crl-uri=true|false]
[crl-proxy=
URL]
[crl-ignore-crl-sign=true|false]
[crl-ignore-crl-date=true|false]
[keyusage=digitalSignature|nonRepudiation
|keyEncipherment | dataEncipherment |
keyAgreement |keyCertSign |
cRLSign | encipherOnly | decipherOnly],[...]
[ekunames=serverAuth | clientAuth |
codeSigning | emailProtection |
ipsecEndSystem | ipsecTunnel |
ipsecUser | timeStamping |
OCSPSigning],[...]
[ekuoids=
OID,OID,OID...]
The
create subcommand supports the following options:
crl-basefilename=filename crl-directory=directory These two attributes are used to specify the location for CRL
files. The
crl-basefilename attribute represents the base
filename for a CRL file. The
crl-directory attribute
represents the directory for CRL files, which defaults to the
current directory.
If the
crl-get-crl-uri attribute is set to
true and the
crl- basefilename is not specified, the
basefilename for the
cached CRL file is the basename of the URI used to fetch the
CRL file.
If the
crl-get-crl-uri attribute is set to
false the
crl- basefilename needs to be specified to indicate an input CRL
file. The setting for
crl-get-crl-uri is
false by default.
These two attributes only apply to the file-based CRL
plugins. The current file-based CRL plugins are
file and
pkcs11 keystores. For the
nss keystore, the CRL location is
always the NSS internal database.
crl-get-crl-uri=true | false Configure if a CRL file is fetched and cached dynamically as
part of the certificate validation, using the URI information
from the certificate's distribution points extension.
The default for this attribute is
false.
crl-ignore-crl-date=true | false If
crl-ignore-crl-date is set to true, the validity time
period of the CRL is not checked.
The default for this attribute is
false.
crl-ignore-crl-sign=true | false If
crl-ignore-crl-sign is set to
true, the signature of the
CRL is not checked.
The default for this attribute is
false.
crl-proxy= URL Sets the proxy server name and port for dynamically
retrieving a CRL file when
crl-get-crl-uri is set to
true.
The port number is optional. If the port number is not
specified, the default value is
8080. An example
crl-proxy setting might be:
crl-proxy=webcache.example.org:8080.
dbfile=dbfile The DB file to add the new policy. If not specified, the
default is the system KMF policy database file
/etc/security/kmfpolicy.xml.
ekuoids=EKUOIDS A comma separated list of Extended Key Usage OIDs that are
required by the policy being defined. The OIDs are expressed
in
dot notation, for example,
1.2.3.4. An example
ekuoids setting might be:
ekuoids=1.2.3.4,9.8.7.6.5.
ekunames=EKUNAMES A comma separated list of Extended Key Usage names that are
required by the policy being defined. The list of values
allowed for
EKUNAMES are:
serverAuth,
clientAuth,
codeSigning,
emailProtection,
ipsecEndSystem,
ipsecTunnel,
ipsecUser,
timeStamping, and
OCSPSigning The OCSP, CRL, key usage and extended key usage checkings are
off by default. To turn on any one of them, specify one or
more attributes for the particular checking. For example, if
the
ocsp-responder attribute is set, then the OCSP checking
is turned on. If the
ekuname attribute or the
ekuoids attribute is set, then the extended key usage checking is
turned on.
ignore-date=true | false Set the
Ignore Date option for this policy. By default this
value is
false. If
true is specified, the policy ignores the
validity periods defined in the certificates when evaluating
their validity.
ignore-unknown-eku=true | false Set the
Ignore Unknown EKU option for this policy. By default
this value is
false. If
true, the policy ignores any
unrecognized EKU values in the Extended Key Usage extension.
ignore-trust-anchor=true | false Set the
Ignore Trust Anchor option for this policy. By
default this value is
false. If
true is specified, the policy
does not verify the signature of the subject certificate
using trust anchor certificate at validation.
keyusage=KUVALUES A comma separated list of key usage values that are required
by the policy being defined. The list of values allowed are:
digitalSignature,
nonRepudiation,
keyEncipherment,
dataEncipherment,
keyAgreement,
keyCertSign,
cRLSign,
encipherOnly,
decipherOnly ocsp-ignore-response-sign=true | false If this attribute is set to
true, the signature of the OCSP
response is not verified. This attribute value is default to
false.
ocsp-proxy=URL Set the proxy server name and port for OCSP. The port number
is optional. If the port number is not specified, the default
value is 8080. An example
ocsp-proxy setting might be:
ocsp- proxy="webcache.example.org:8080" ocsp-response-lifetime=timelimit Set the
freshness period that a response must be. The
timelimit can be specified by
number-day,
number-hour,
number-minute, or
number-second. An example
ocsp-response- lifetime setting might be:
ocsp-response-lifetime=6-hour.
ocsp-responder-cert-name=IssuerDN ocsp-responder-cert-serial=serialNumber These two attributes represent the OCSP responder
certificate. The
ocsp-responder-cert-name is to specify the
issuer name of the certificate. See the
ta-name option for
example. The
ocsp-responder-cert-serial is for the serial
number and must be specified as a hex value, for example,
0x0102030405060708090a0b0c0d0e0f. If an OCSP responder is
different from the issuer of the certificate and if the OCSP
response needs to be verified, an OCSP responder certificate
information should be provided.
ocsp-responder=URL Set the OCSP responder URL for use with the OCSP validation
method. For example,
ocsp- responder=http://ocsp.verisign.com/ocsp/status ocsp-use-cert-responder=true | false
Configure this policy to always use the responder defined in
the certificate itself if possible.
policy=policyname The policy record to be created.
policyname is required.
validity-adjusttime=adjusttime Set the adjust time for both ends of validity period for a
certificate. The time can be specified by
number-day, number- hour, number-minute, or number-second. An example
validity- adjusttime setting might be:
validity-adjusttime=6-hour. ta- name="Subject DN" ta-serial=serialNumber These two attributes represent the trust anchor certificate
and are used to find the trust anchor certificate in the
keystore. The
ta-name is to specify the distinguished name of
the trust anchor certificate subject name. For example,
ta- name="O=Sun Microsystems Inc., OU=Solaris Security Technologies Group, L=Ashburn, ST=VA, C=US, CN=John Smith" The serial number of the TA certificate. This, along with the
Issuer DN, is used to find the TA certificate in the
keystore. The serial number must be specified as a hex value,
for example,
0x0102030405060708090a0b0c0d0e The trust anchor
attributes need to be set, if the value of
ignore-trust- anchor attribute is false.
delete Deletes any policy matching the indicated policy name. The system
default policy (
default) cannot be deleted.
The format for the
delete subcommand is as follows:
delete [dbfile=
dbfile] policy=
policyname The
delete subcommand supports the following options:
dbfile=dbfile Read policy definitions from the indicated
file. If
dbfile is not specified, the
default is the system KMF policy database
file:
/etc/security/kmfpolicy.xml.
policy=policyname The name of the policy to delete.
policyname is required, if using the system database.
export Exports a policy from one policy database file to another policy
database file.
The format for the
export subcommand is as follows:
kmfcfg export policy=
policyname outfile=
newdbfile [dbfile=
dbfile]
The
export subcommand supports the following options:
dbfile=dbfile The DB file where the exported policy is
read. If
dbfile is not specified, the
default is the system KMF policy database
file:
/etc/security/kmfpolicy.xml.
outfile=outputdbfile The DB file where the exported policy is
stored.
policy=policyname The policy record to be exported.
help Displays help for the
kmfcfg command.
The format for the
help subcommand is as follows:
help
import Imports a policy from one policy database file to another policy
database file.
The format for the
import subcommand is as follows:
kmfcfg import policy=
policyname infile=
inputdbfile [dbfile=
dbfile]
The
import subcommand supports the following options:
policy=policyname The policy record to be imported.
infile=inputdbfile The DB file to read the policy from.
dbfile=outdbfile The DB file to add the new policy. If not
specified, the default is the system KMF
policy database file
/etc/security/kmfpolicy.xml.
list Without arguments, lists all policy definitions from the default
system database.
The format for the
list subcommand is as follows:
list [dbfile=
dbfile] [policy=
policyname]
The
list subcommand supports the following options:
dbfile=dbfile Reads policy definitions from the indicated
file. If not specified, the default is the
system KMF policy database file
/etc/security/kmfpolicy.xml.
policy=policyname Only display policy definition for the named
policy.
modify Modifies any policy matching the indicated name. The system
default policy (
default) cannot be modified.
The format for the
modify subcommand is as follows:
modify [dbfile=
dbfile] policy=
policyname [ignore-date=true|false]
[ignore-unknown-eku=true|false]
[ignore-trust-anchor=true|false]
[validity-adjusttime=
adjusttime]
[ta-name=trust anchor subject DN]
[ta-serial=trust anchor serial number]
[ocsp-responder=
URL]
[ocsp-proxy=
URL]
[ocsp-use-cert-responder=true|false]
[ocsp-response-lifetime=timelimit]
[ocsp-ignore-response-sign=true|false]
[ocsp-responder-cert-name=Issuer DN]
[ocsp-responder-cert-serial=serial number]
[ocsp-none=true|false]
[crl-basefilename=
basefilename]
[crl-directory=
directory]
[crl-get-crl-uri=true|false]
[crl-proxy=URL]
[crl-ignore-crl-sign=true|false]
[crl-ignore-crl-date=true|false]
[crl-none=true|false]
[keyusage=digitalSignature| nonRepudiation
|keyEncipherment | dataEncipherment |
keyAgreement |keyCertSign |
cRLSign | encipherOnly | decipherOnly],[...]
[keyusage-none=true|false]
[ekunames=serverAuth | clientAuth |
codeSigning | emailProtection |
ipsecEndSystem | ipsecTunnel |
ipsecUser | timeStamping |
OCSPSigning],[...]
[ekuoids=OID,OID,OID]
[eku-none=true|false]
The
modify subcommand supports many of the same options as the
create subcommand. For descriptions of shared options, see the
create subcommand.
The
modify subcommand supports the following unique options:
crl-none=true | false If
crl-none is set to
true, CRL
checking is turned off. If this
attribute is set to
true, other CRL
attributes cannot be set.
dfile=[dbfile]
The database file to modify a
policy. If not specified, the
default is the system KMF policy
database file
/etc/security/kmfpolicy.xml.
eku-none=true | false If
eku-none is set to
true,
extended key usage checking is
turned off. The extended key usage
attributes,
ekuname and
ekuoids cannot be set at the same time if
eku-none is set to
true.
keyusage-none=true | false If
keyusage-none is set to true,
key usage checking is turned off.
The
keyusage attribute cannot be
set at the same time if this
attribute is set to
true.
ocsp-none=true | false If
ocsp-none is set to true, OCSP
checking is turned off. Any other
OCSP attribute is not set at the
same time if this attribute is set
to
true.
policy=policyname The name of the policy to modify.
policyname is required. The
default policy in the system KMF
policy database cannot be modified.
Plugin Subcommands
install keystore=keystore_name modulepath=pathname\
[option=option_str] Install a plugin into the system. The
modulepath field specifies
the pathname to a KMF plugin shared library object. If
pathname is not specified as an absolute pathname, shared library objects
are assumed to be relative to
/lib/security/$ISA/. The
ISA token
is replaced by an implementation defined directory name which
defines the pathname relative to the calling program's
instruction set architecture.
list plugin Display KMF plugin information.
Without the
plugin keyword,
kmfcfg list shows the policy
information as described in the
SUBCOMMANDS section.
modify plugin keystore=keystore_name option=option_str Modify the
plugin option. The
plugin option is defined by the
plugin and is interpreted by the plugin specifically, therefore
this command accepts any option string.
Without the
plugin keyword,
kmfcfg modify updates the policy
configuration as described in the
SUBCOMMANDS section.
uninstall keystore=keystore_name Uninstall the plugin with the
keystore_name.
EXAMPLES
Example 1: Creating a New Policy
The following example creates a new policy called IPSEC in the system
database:
$ kmfcfg create IPSEC \
ignore-trust-anchor=true \
ocsp-use-cert-responder=true \
keyusage=keyAgreement,keyEncipherment,dataEncipherment \
ekuname=ipsecTunnel,ipsecUser
EXIT STATUS
The following exit values are returned:
0 Successful completion.
>0 An error occurred.
FILES
/etc/security/kmfpolicy.xml Default system policy database
ATTRIBUTES
See
attributes(7) for descriptions of the following attributes:
+--------------------+-----------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+--------------------+-----------------+
|Interface Stability | Uncommitted |
+--------------------+-----------------+
SEE ALSO
attributes(7) November 22, 2021 KMFCFG(1)
