Real path: /usr/share/man/man1/kmfcfg.1
'\" te
.\" Copyright (c) 2009, 2021, Oracle and/or its affiliates.
.TH kmfcfg 1 "21 Jun 2021" "Oracle Solaris 11.4" "User Commands"
.SH NAME
kmfcfg \- Key Management Policy and Plugin Configuration Utility
.SH SYNOPSIS
.LP
.nf
\fBkmfcfg\fR \fIsubcommand\fR [\fIoption\fR ...]
.fi
.SH DESCRIPTION
.sp
.LP
The \fBkmfcfg\fR command allows users to configure Key Management Framework (KMF) policy databases. A KMF policy database (DB) restricts the use of keys and certificates that are managed through the KMF framework.
.sp
.LP
\fBkmfcfg\fR provides the ability to list, create, modify, delete, import and export policy definitions, either in the system default database file \fB/etc/security/kmfpolicy.xml\fR or in a user-defined database file.
.sp
.LP
For plugin configuration, \fBkmfcfg\fR allows users to display plugin information, install or uninstall a KMF plugin, and modify the plugin option.
.SH SUBCOMMANDS
.sp
.LP
The following subcommands are supported:
.sp
.ne 2
.mk
.na
\fB\fBcreate\fR\fR
.ad
.br
.sp .6
.RS 4n
Adds a new policy to the policy database file.
.sp
The format for the \fBcreate\fR subcommand is as follows:
.sp
.sp
.in +2
.nf
\fBkmfcfg create\fR [\fBdbfile=\fR\fIdbfile\fR]
    \fBpolicy=\fR\fIpolicyname\fR
    [\fBignore-date=\fR\fBtrue\fR|\fBfalse\fR]
    [\fBignore-unknown-eku=\fR\fBtrue\fR|\fBfalse\fR]
    [\fBignore-trust-anchor=\fR\fBtrue\fR|\fBfalse\fR]
    [\fBignore-cert-revoke-responder-timeout=\fR\fBtrue\fR|\fBfalse\fR]
    [\fBcert-revoke-responder-timeout=\fR\fItimeout in seconds\fR]
    [\fBtrust-intermediate-cas=\fR\fBtrue\fR|\fBfalse\fR]
    [\fBmax-cert-path-length=\fR\fImax length in cert path\fR]
    [\fBvalidity-adjusttime=\fR\fIadjusttime\fR]
    [\fBta-name=\fR\fItrust anchor subject DN\fR | \fBsearch\fR]
    [\fBta-serial=\fR\fItrust anchor serial number\fR]
    [\fBhttp-proxy=\fR\fIURL\fR]
    [\fBhttp-proxy-none=\fR\fBtrue\fR|\fBfalse\fR]
    [\fBocsp-responder=\fR\fIURL\fR]
    [\fBocsp-proxy=\fR\fIURL\fR]
    [\fBocsp-use-cert-responder=\fR\fBtrue\fR|\fBfalse\fR]
    [\fBocsp-response-lifetime=\fR\fItimelimit\fR]
    [\fBocsp-ignore-response-sign=\fR\fBtrue\fR|\fBfalse\fR]
    [\fBocsp-responder-cert-name=\fR\fIIssuer DN\fR]
    [\fBocsp-responder-cert-serial=\fR\fIserial number\fR]
    [\fBcrl-basefilename=\fR\fIbasefilename\fR | \fBsearch\fR]
    [\fBcrl-directory=\fR\fIdirectory\fR]
    [\fBcrl-get-crl-uri=\fR\fBtrue\fR|\fBfalse\fR]
    [\fBcrl-proxy=\fR\fIURL\fR]
    [\fBcrl-ignore-crl-sign=\fR\fBtrue\fR|\fBfalse\fR]
    [\fBcrl-ignore-crl-date=\fR\fBtrue\fR|\fBfalse\fR]
    [\fBbypass-ipsec-policy=\fR\fBtrue\fR|\fBfalse\fR]
    [\fBkeyusage=\fR\fBdigitalSignature\fR | \fBnonRepudiation\fR |
        \fBkeyEncipherment\fR | \fBdataEncipherment\fR | \fBkeyAgreement\fR |
        \fBkeyCertSign\fR | \fBcRLSign\fR | \fBencipherOnly\fR |
        \fBdecipherOnly\fR],[...]
    [\fBekunames=\fR\fBserverAuth\fR | \fBclientAuth\fR | \fBcodeSigning\fR |
        \fBemailProtection\fR | \fBipsecEndSystem\fR | \fBipsecTunnel\fR |
        \fBipsecUser\fR | \fBtimeStamping\fR | \fBOCSPSigning\fR],[...]
    [\fBekuoids=\fR\fIOID,OID,OID...\fR]
    [\fBmapper-name=\fR\fIname of the mapper\fR]
    [\fBmapper-dir=\fR\fIdir where mapper library resides\fR]
    [\fBmapper-path=\fR\fIfull pathname of mapper library\fR]
    [\fBmapper-options=\fR\fImapper options\fR]
.fi
.in -2
.sp
The \fBcreate\fR subcommand supports the following options:
.sp
.ne 2
.mk
.na
\fB\fBcert-revoke-responder-timeout=\fR\fItimeout\fR\fR
.ad
.br
.sp .6
.RS 4n
Set the maximum time in seconds to wait for a CRL or OCSP responder. The default value is 30 seconds. The maximum value is 300 seconds.
.RE
.sp
.ne 2
.mk
.na
\fB\fBcrl-basefilename=\fR\fIfilename\fR | \fBsearch\fR\fR
.ad
.br
.na
\fB\fBcrl-directory=\fR\fIdirectory\fR\fR
.ad
.br
.sp .6
.RS 4n
These two attributes specify the location of CRL files. The \fBcrl-basefilename\fR attribute is the base filename of a CRL file. The \fBcrl-directory\fR attribute is the directory that holds CRL files; it defaults to the current directory. When the value \fBsearch\fR is used instead of an explicit CRL filename, KMF searches all valid CRL files under the specified CRL directory to determine whether the certificate being validated is revoked.
.sp
If the \fBcrl-get-crl-uri\fR attribute is set to \fBtrue\fR and \fBcrl-basefilename\fR is not specified, the base filename of the cached CRL file is the basename of the URI from which the CRL was fetched.
.sp
If the \fBcrl-get-crl-uri\fR attribute is set to \fBfalse\fR, \fBcrl-basefilename\fR must be specified, either to name an input CRL file or, with the value \fBsearch\fR, to use every CRL file under the CRL directory. \fBcrl-get-crl-uri\fR is \fBfalse\fR by default.
.sp
These two attributes apply only to the file-based CRL plugins. The current file-based CRL plugins are the \fBfile\fR and \fBpkcs11\fR keystores.
.RE
.sp
.ne 2
.mk
.na
\fB\fBcrl-get-crl-uri=true | false\fR\fR
.ad
.br
.sp .6
.RS 4n
Configure whether a CRL file is fetched and cached dynamically as part of certificate validation, using the URI from the certificate's CRL distribution points extension.
.sp
The default for this attribute is \fBfalse\fR.
.RE
.sp
.ne 2
.mk
.na
\fB\fBcrl-ignore-crl-date=true | false\fR\fR
.ad
.br
.sp .6
.RS 4n
If \fBcrl-ignore-crl-date\fR is set to \fBtrue\fR, the validity period of the CRL is not checked, so a stale CRL is accepted.
.sp
The default for this attribute is \fBfalse\fR.
.RE
.sp
.ne 2
.mk
.na
\fB\fBcrl-ignore-crl-sign=true | false\fR\fR
.ad
.br
.sp .6
.RS 4n
If \fBcrl-ignore-crl-sign\fR is set to \fBtrue\fR, the signature of the CRL is not checked. A tampered or forged CRL is then accepted, so this setting is appropriate for testing only.
.sp
The default for this attribute is \fBfalse\fR.
.RE
.sp
.ne 2
.mk
.na
\fB\fBcrl-proxy=\fR\fIURL\fR\fR
.ad
.br
.sp .6
.RS 4n
Sets the proxy server name and port used to retrieve a CRL file dynamically when \fBcrl-get-crl-uri\fR is set to \fBtrue\fR. This value takes precedence over the global \fBhttp-proxy\fR value.
.sp
The port number is optional. If the port number is not specified, the default value is \fB8080\fR. An example \fBcrl-proxy\fR setting might be: \fBcrl-proxy=webcache.example.com:8080\fR.
.RE
.sp
.ne 2
.mk
.na
\fB\fBdbfile=\fR\fIdbfile\fR\fR
.ad
.br
.sp .6
.RS 4n
The DB file to which the new policy is added. If not specified, the default is the system KMF policy database file \fB/etc/security/kmfpolicy.xml\fR.
.RE
.sp
.ne 2
.mk
.na
\fB\fBekuoids=\fR\fIEKUOIDS\fR\fR
.ad
.br
.sp .6
.RS 4n
A comma-separated list of Extended Key Usage OIDs that are required by the policy being defined. The OIDs are expressed in \fBdot notation\fR, for example, \fB1.2.3.4\fR. An example \fBekuoids\fR setting might be: \fBekuoids=1.2.3.4,9.8.7.6.5\fR.
.RE
.sp
.ne 2
.mk
.na
\fB\fBekunames=\fR\fIEKUNAMES\fR\fR
.ad
.br
.sp .6
.RS 4n
A comma-separated list of Extended Key Usage names that are required by the policy being defined.
The values allowed for \fIEKUNAMES\fR are: \fBserverAuth\fR, \fBclientAuth\fR, \fBcodeSigning\fR, \fBemailProtection\fR, \fBipsecEndSystem\fR, \fBipsecTunnel\fR, \fBipsecUser\fR, \fBtimeStamping\fR, and \fBOCSPSigning\fR.
.sp
The OCSP, CRL, key usage and extended key usage checks are off by default. To turn on any one of them, specify one or more attributes for that particular check. For example, if the \fBocsp-responder\fR attribute is set, OCSP checking is turned on. If the \fBekunames\fR attribute or the \fBekuoids\fR attribute is set, extended key usage checking is turned on.
.RE
.sp
.ne 2
.mk
.na
\fB\fBhttp-proxy\fR=\fIURL\fR\fR
.ad
.br
.sp .6
.RS 4n
Sets the global proxy server name and port for contacting servers for CRLs, OCSP, or downloading certificates. \fBcrl-proxy\fR and \fBocsp-proxy\fR take precedence over it for their respective protocols.
.sp
The port number is optional. If the port number is not specified, the default value is 8080. An example \fBhttp-proxy\fR setting might be: \fBhttp-proxy=webcache.example.com:8080\fR.
.RE
.sp
.ne 2
.mk
.na
\fB\fBignore-cert-revoke-responder-timeout=true\fR | \fBfalse\fR\fR
.ad
.br
.sp .6
.RS 4n
Defines the behavior when \fBcert-revoke-responder-timeout\fR expires. The default value is \fBfalse\fR, which means that if the time defined in \fBcert-revoke-responder-timeout\fR expires, certificate validation fails immediately. If the value is \fBtrue\fR, certificate validation bypasses the CRL and/or OCSP checks and continues with the next validation step, so the revocation status of that certificate is not verified (the check fails open).
.RE
.sp
.ne 2
.mk
.na
\fB\fBignore-date=true | false\fR\fR
.ad
.br
.sp .6
.RS 4n
Set the \fBIgnore Date\fR option for this policy. By default this value is \fBfalse\fR. If \fBtrue\fR is specified, the policy ignores the validity periods defined in the certificates when evaluating their validity.
.RE
.sp
.ne 2
.mk
.na
\fB\fBignore-trust-anchor=true | false\fR\fR
.ad
.br
.sp .6
.RS 4n
Set the \fBIgnore Trust Anchor\fR option for this policy.
By default this value is \fBfalse\fR. If \fBtrue\fR is specified, the policy does not verify the signature of the subject certificate with the trust anchor certificate at validation, so the certificate's issuer is not authenticated.
.RE
.sp
.ne 2
.mk
.na
\fB\fBignore-unknown-eku=true | false\fR\fR
.ad
.br
.sp .6
.RS 4n
Set the \fBIgnore Unknown EKU\fR option for this policy. By default this value is \fBfalse\fR. If \fBtrue\fR, the policy ignores any unrecognized EKU values in the Extended Key Usage extension.
.RE
.sp
.ne 2
.mk
.na
\fB\fBkeyusage=\fR\fIKUVALUES\fR\fR
.ad
.br
.sp .6
.RS 4n
A comma-separated list of key usage values that are required by the policy being defined. The values allowed are: \fBdigitalSignature\fR, \fBnonRepudiation\fR, \fBkeyEncipherment\fR, \fBdataEncipherment\fR, \fBkeyAgreement\fR, \fBkeyCertSign\fR, \fBcRLSign\fR, \fBencipherOnly\fR, and \fBdecipherOnly\fR.
.RE
.sp
.ne 2
.mk
.na
\fB\fBmapper-name=\fR\fIname\fR\fR
.ad
.br
.na
\fB\fBmapper-dir=\fR\fIdirectory\fR\fR
.ad
.br
.na
\fB\fBmapper-path=\fR\fIpath\fR\fR
.ad
.br
.na
\fB\fBmapper-options=\fR\fIoptions\fR\fR
.ad
.br
.sp .6
.RS 4n
These four options support certificate-to-name mapping. \fBmapper-name\fR gives the name of the mapper; for example, the name \fBcn\fR selects the mapper object \fBkmf_mapper_cn.so.1\fR. \fBmapper-dir\fR overrides the default mapper directory \fB/lib/crypto\fR. \fBmapper-path\fR specifies the full path to the mapper object. \fBmapper-options\fR is an ASCII-only string of at most 255 bytes. Its format is mapper specific, but mappers are expected to accept a comma-separated list of options, for example \fBcasesensitive,ignoredomain\fR.
.sp
\fBmapper-path\fR and \fBmapper-name\fR are mutually exclusive. \fBmapper-dir\fR can be set only if \fBmapper-name\fR is set. \fBmapper-options\fR can be set only if \fBmapper-name\fR or \fBmapper-path\fR is set. Any of these incorrect combinations results in an error, and the policy database is not modified.
.RE
.sp
.ne 2
.mk
.na
\fB\fBmax-cert-path-length\fR=\fInumber\fR\fR
.ad
.br
.sp .6
.RS 4n
Specifies the maximum number of certificates allowed in the certificate chain. The default value is 32.
.RE
.sp
.ne 2
.mk
.na
\fB\fBocsp-ignore-response-sign=true | false\fR\fR
.ad
.br
.sp .6
.RS 4n
If this attribute is set to \fBtrue\fR, the signature of the OCSP response is not verified, so a forged response is accepted. By default this value is \fBfalse\fR.
.RE
.sp
.ne 2
.mk
.na
\fB\fBocsp-proxy=\fR\fIURL\fR\fR
.ad
.br
.sp .6
.RS 4n
Set the proxy server name and port for OCSP. The port number is optional. If the port number is not specified, the default value is 8080. An example \fBocsp-proxy\fR setting might be: \fBocsp-proxy="webcache.example.com:8080"\fR
.sp
This value takes precedence over the global \fBhttp-proxy\fR value.
.RE
.sp
.ne 2
.mk
.na
\fB\fBocsp-response-lifetime=\fR\fItimelimit\fR\fR
.ad
.br
.sp .6
.RS 4n
Set the maximum age (freshness period) an OCSP response may have and still be accepted. The \fItimelimit\fR is specified as \fInumber\fR\fB-day\fR, \fInumber\fR\fB-hour\fR, \fInumber\fR\fB-minute\fR, or \fInumber\fR\fB-second\fR. An example \fBocsp-response-lifetime\fR setting might be: \fBocsp-response-lifetime=6-hour\fR.
.RE
.sp
.ne 2
.mk
.na
\fB\fBocsp-responder-cert-name=\fR\fIIssuerDN\fR\fR
.ad
.br
.na
\fB\fBocsp-responder-cert-serial=\fR\fIserialNumber\fR\fR
.ad
.br
.sp .6
.RS 4n
These two attributes identify the OCSP responder certificate. \fBocsp-responder-cert-name\fR specifies the issuer name of that certificate; see the \fBta-name\fR option for an example of a DN. \fBocsp-responder-cert-serial\fR is its serial number and must be specified as a hex value, for example, \fB0x0102030405060708090a0b0c0d0e0f\fR. If the OCSP responder is not the issuer of the certificate being validated and the OCSP response needs to be verified, the responder certificate must be identified with these attributes.
.RE
.sp
.ne 2
.mk
.na
\fB\fBocsp-responder=\fR\fIURL\fR\fR
.ad
.br
.sp .6
.RS 4n
Set the OCSP responder URL for use with the OCSP validation method.
For example, \fBocsp-responder=http://ocsp.example.com/ocsp/status\fR
.RE
.sp
.ne 2
.mk
.na
\fB\fBocsp-use-cert-responder=true | false\fR\fR
.ad
.br
.sp .6
.RS 4n
Configure this policy to always use the responder named in the certificate itself, if one is present.
.RE
.sp
.ne 2
.mk
.na
\fB\fBpolicy=\fR\fIpolicyname\fR\fR
.ad
.br
.sp .6
.RS 4n
The policy record to be created. \fIpolicyname\fR is required.
.RE
.sp
.ne 2
.mk
.na
\fB\fBta-name=\fR\fItrust anchor subject DN\fR | \fBsearch\fR\fR
.ad
.br
.sp .6
.RS 4n
\fBta-name\fR identifies the trust anchor used to validate a certificate. The KMF policy engine does not do full PKIX path validation; it treats the trust anchor as if it were the direct parent of the certificate being validated.
.sp
If an explicit subject DN is specified, it must be combined with a \fBta-serial\fR value to uniquely identify the certificate to use. The certificate identified must also be available in the selected keystore.
.sp
If the value \fBsearch\fR is used instead of an explicit subject and serial number, the KMF policy engine attempts to locate a certificate whose subject matches the issuer name of the certificate being validated and uses that certificate for the validation.
.sp
If \fBsearch\fR is used, the \fBta-serial\fR value is ignored.
.RE
.sp
.ne 2
.mk
.na
\fB\fBta-serial=\fR\fItrust anchor serial number\fR\fR
.ad
.br
.sp .6
.RS 4n
If \fBta-name\fR is specified as an explicit subject name, the serial number of that certificate must be given by the \fBta-serial\fR value. The serial number must be represented in hexadecimal, for example, \fBta-serial=0x01020a0b\fR.
.RE
.sp
.ne 2
.mk
.na
\fB\fBtrust-intermediate-cas=true\fR | \fBfalse\fR\fR
.ad
.br
.sp .6
.RS 4n
The root of the trust chain can be an intermediate CA certificate if this policy is set to trust intermediate CAs. By default this value is \fBfalse\fR.
If \fBtrue\fR is specified, certificate validation proceeds on the partial chain when the chain is not anchored to a TA certificate.
.RE
.sp
.ne 2
.mk
.na
\fB\fBvalidity-adjusttime=\fR\fIadjusttime\fR\fR
.ad
.br
.sp .6
.RS 4n
Set the adjustment time applied to both ends of a certificate's validity period. The time can be specified as \fInumber\fR\fB-day\fR, \fInumber\fR\fB-hour\fR, \fInumber\fR\fB-minute\fR, or \fInumber\fR\fB-second\fR. An example \fBvalidity-adjusttime\fR setting might be: \fBvalidity-adjusttime=6-hour\fR.
.RE
.sp
.ne 2
.mk
.na
\fB\fBta-name=\fR\fI"Subject DN"\fR \fBta-serial=\fR\fIserialNumber\fR\fR
.ad
.br
.sp .6
.RS 4n
Together, these two attributes identify the trust anchor certificate and are used to find it in the keystore. \fBta-name\fR specifies the distinguished name of the trust anchor certificate's subject. For example, \fBta-name="O=Oracle Corporation, OU=Solaris Security Technologies Group, L=Ashburn, ST=VA, C=US, CN=John Smith"\fR. \fBta-serial\fR specifies the serial number of the TA certificate. The serial number must be specified as a hex value, for example, \fB0x0102030405060708090a0b0c0d0e\fR. The serial number, together with the DN, is used to find the TA certificate in the keystore. The trust anchor attributes need to be set if \fBignore-trust-anchor\fR is \fBfalse\fR.
.RE
.RE
.sp
.ne 2
.mk
.na
\fB\fBdelete\fR\fR
.ad
.br
.sp .6
.RS 4n
Deletes the policy matching the indicated policy name. The system default policy (\fBdefault\fR) cannot be deleted.
.sp
The format for the \fBdelete\fR subcommand is as follows:
.sp
.sp
.in +2
.nf
\fBkmfcfg delete\fR [\fBdbfile=\fR\fIdbfile\fR] \fBpolicy=\fR\fIpolicyname\fR
.fi
.in -2
.sp
The \fBdelete\fR subcommand supports the following options:
.sp
.ne 2
.mk
.na
\fB\fBdbfile=\fR\fIdbfile\fR\fR
.ad
.RS 21n
.rt
Read policy definitions from the indicated file. If \fBdbfile\fR is not specified, the default is the system KMF policy database file: \fB/etc/security/kmfpolicy.xml\fR.
.RE
.sp
.ne 2
.mk
.na
\fB\fBpolicy=\fR\fIpolicyname\fR\fR
.ad
.RS 21n
.rt
The name of the policy to delete. \fIpolicyname\fR is required if using the system database.
.RE
.RE
.sp
.ne 2
.mk
.na
\fB\fBexport\fR\fR
.ad
.br
.sp .6
.RS 4n
Exports a policy from one policy database file to another policy database file.
.sp
The format for the \fBexport\fR subcommand is as follows:
.sp
.sp
.in +2
.nf
\fBkmfcfg export\fR \fBpolicy=\fR\fIpolicyname\fR \fBoutfile=\fR\fInewdbfile\fR [\fBdbfile=\fR\fIdbfile\fR]
.fi
.in -2
.sp
The \fBexport\fR subcommand supports the following options:
.sp
.ne 2
.mk
.na
\fB\fBdbfile=\fR\fIdbfile\fR\fR
.ad
.RS 24n
.rt
The DB file from which the exported policy is read. If \fIdbfile\fR is not specified, the default is the system KMF policy database file: \fB/etc/security/kmfpolicy.xml\fR.
.RE
.sp
.ne 2
.mk
.na
\fB\fBoutfile=\fR\fIoutputdbfile\fR\fR
.ad
.RS 24n
.rt
The DB file in which the exported policy is stored.
.RE
.sp
.ne 2
.mk
.na
\fB\fBpolicy=\fR\fIpolicyname\fR\fR
.ad
.RS 24n
.rt
The policy record to be exported.
.RE
.RE
.sp
.ne 2
.mk
.na
\fB\fBhelp\fR\fR
.ad
.br
.sp .6
.RS 4n
Displays help for the \fBkmfcfg\fR command.
.sp
The format for the \fBhelp\fR subcommand is as follows:
.sp
.in +2
.nf
\fBkmfcfg help\fR
.fi
.in -2
.sp
.RE
.sp
.ne 2
.mk
.na
\fB\fBimport\fR\fR
.ad
.br
.sp .6
.RS 4n
Imports a policy from one policy database file into another policy database file.
.sp
The format for the \fBimport\fR subcommand is as follows:
.sp
.sp
.in +2
.nf
\fBkmfcfg import\fR \fBpolicy=\fR\fIpolicyname\fR \fBinfile=\fR\fIinputdbfile\fR [\fBdbfile=\fR\fIdbfile\fR]
.fi
.in -2
.sp
The \fBimport\fR subcommand supports the following options:
.sp
.ne 2
.mk
.na
\fB\fBdbfile=\fR\fIoutdbfile\fR\fR
.ad
.RS 22n
.rt
The DB file to which the imported policy is added. If not specified, the default is the system KMF policy database file \fB/etc/security/kmfpolicy.xml\fR.
.RE
.sp
.ne 2
.mk
.na
\fB\fBinfile=\fR\fIinputdbfile\fR\fR
.ad
.RS 22n
.rt
The DB file from which the policy is read.
.RE
.sp
.ne 2
.mk
.na
\fB\fBpolicy=\fR\fIpolicyname\fR\fR
.ad
.RS 22n
.rt
The policy record to be imported.
.RE
.RE
.sp
.ne 2
.mk
.na
\fB\fBlist\fR\fR
.ad
.br
.sp .6
.RS 4n
Without arguments, lists all policy definitions from the default system database.
.sp
The format for the \fBlist\fR subcommand is as follows:
.sp
.sp
.in +2
.nf
\fBkmfcfg list\fR [\fBdbfile=\fR\fIdbfile\fR] [\fBpolicy=\fR\fIpolicyname\fR]
.fi
.in -2
.sp
The \fBlist\fR subcommand supports the following options:
.sp
.ne 2
.mk
.na
\fB\fBdbfile=\fR\fIdbfile\fR\fR
.ad
.RS 21n
.rt
Reads policy definitions from the indicated file. If not specified, the default is the system KMF policy database file \fB/etc/security/kmfpolicy.xml\fR.
.RE
.sp
.ne 2
.mk
.na
\fB\fBpolicy=\fR\fIpolicyname\fR\fR
.ad
.RS 21n
.rt
Display only the policy definition for the named policy.
.RE
.RE
.sp
.ne 2
.mk
.na
\fB\fBmodify\fR\fR
.ad
.br
.sp .6
.RS 4n
Modifies the policy matching the indicated name. The system default policy (\fBdefault\fR) cannot be modified.
.sp
The format for the \fBmodify\fR subcommand is as follows:
.sp
.sp
.in +2
.nf
\fBkmfcfg modify\fR [\fBdbfile=\fR\fIdbfile\fR]
    \fBpolicy=\fR\fIpolicyname\fR
    [\fBignore-date=\fR\fBtrue\fR|\fBfalse\fR]
    [\fBignore-unknown-eku=\fR\fBtrue\fR|\fBfalse\fR]
    [\fBignore-trust-anchor=\fR\fBtrue\fR|\fBfalse\fR]
    [\fBignore-cert-revoke-responder-timeout=\fR\fBtrue\fR|\fBfalse\fR]
    [\fBcert-revoke-responder-timeout=\fR\fItimeout in seconds\fR]
    [\fBtrust-intermediate-cas=\fR\fBtrue\fR|\fBfalse\fR]
    [\fBmax-cert-path-length=\fR\fImax length in cert path\fR]
    [\fBvalidity-adjusttime=\fR\fIadjusttime\fR]
    [\fBta-name=\fR\fItrust anchor subject DN\fR]
    [\fBta-serial=\fR\fItrust anchor serial number\fR]
    [\fBhttp-proxy=\fR\fIURL\fR]
    [\fBhttp-proxy-none=\fR\fBtrue\fR|\fBfalse\fR]
    [\fBocsp-responder=\fR\fIURL\fR]
    [\fBocsp-proxy=\fR\fIURL\fR]
    [\fBocsp-use-cert-responder=\fR\fBtrue\fR|\fBfalse\fR]
    [\fBocsp-response-lifetime=\fR\fItimelimit\fR]
    [\fBocsp-ignore-response-sign=\fR\fBtrue\fR|\fBfalse\fR]
    [\fBocsp-responder-cert-name=\fR\fIIssuer DN\fR]
    [\fBocsp-responder-cert-serial=\fR\fIserial number\fR]
    [\fBocsp-none=\fR\fBtrue\fR|\fBfalse\fR]
    [\fBcrl-basefilename=\fR\fIbasefilename\fR | \fBsearch\fR]
    [\fBcrl-directory=\fR\fIdirectory\fR]
    [\fBcrl-get-crl-uri=\fR\fBtrue\fR|\fBfalse\fR]
    [\fBcrl-proxy=\fR\fIURL\fR]
    [\fBcrl-ignore-crl-sign=\fR\fBtrue\fR|\fBfalse\fR]
    [\fBcrl-ignore-crl-date=\fR\fBtrue\fR|\fBfalse\fR]
    [\fBcrl-none=\fR\fBtrue\fR|\fBfalse\fR]
    [\fBbypass-ipsec-policy=\fR\fBtrue\fR|\fBfalse\fR]
    [\fBkeyusage=\fR\fBdigitalSignature\fR | \fBnonRepudiation\fR |
        \fBkeyEncipherment\fR | \fBdataEncipherment\fR | \fBkeyAgreement\fR |
        \fBkeyCertSign\fR | \fBcRLSign\fR | \fBencipherOnly\fR |
        \fBdecipherOnly\fR],[...]
    [\fBkeyusage-none=\fR\fBtrue\fR|\fBfalse\fR]
    [\fBekunames=\fR\fBserverAuth\fR | \fBclientAuth\fR | \fBcodeSigning\fR |
        \fBemailProtection\fR | \fBipsecEndSystem\fR | \fBipsecTunnel\fR |
        \fBipsecUser\fR | \fBtimeStamping\fR | \fBOCSPSigning\fR],[...]
    [\fBekuoids=\fR\fIOID,OID,OID\fR]
    [\fBeku-none=\fR\fBtrue\fR|\fBfalse\fR]
    [\fBmapper-name=\fR\fIname of the mapper\fR]
    [\fBmapper-dir=\fR\fIdir where mapper library resides\fR]
    [\fBmapper-path=\fR\fIfull pathname of mapper library\fR]
    [\fBmapper-options=\fR\fImapper options\fR]
.fi
.in -2
.sp
The \fBmodify\fR subcommand supports many of the same options as the \fBcreate\fR subcommand. For descriptions of the shared options, see the \fBcreate\fR subcommand.
.sp
The \fBmodify\fR subcommand supports the following unique options:
.sp
.ne 2
.mk
.na
\fB\fBcrl-none=true | false\fR\fR
.ad
.br
.sp .6
.RS 4n
If \fBcrl-none\fR is set to \fBtrue\fR, CRL checking is turned off. When this attribute is set to \fBtrue\fR, no other CRL attribute can be set at the same time.
.RE
.sp
.ne 2
.mk
.na
\fB\fBdbfile=\fR\fIdbfile\fR\fR
.ad
.br
.sp .6
.RS 4n
The database file containing the policy to modify. If not specified, the default is the system KMF policy database file \fB/etc/security/kmfpolicy.xml\fR.
.RE
.sp
.ne 2
.mk
.na
\fB\fBeku-none=true | false\fR\fR
.ad
.br
.sp .6
.RS 4n
If \fBeku-none\fR is set to \fBtrue\fR, extended key usage checking is turned off. The extended key usage attributes \fBekunames\fR and \fBekuoids\fR cannot be set at the same time when \fBeku-none\fR is set to \fBtrue\fR.
.RE
.sp
.ne 2
.mk
.na
\fB\fBkeyusage-none=true | false\fR\fR
.ad
.br
.sp .6
.RS 4n
If \fBkeyusage-none\fR is set to \fBtrue\fR, key usage checking is turned off.
.sp
The \fBkeyusage\fR attribute cannot be set at the same time when this attribute is set to \fBtrue\fR.
.RE
.sp
.ne 2
.mk
.na
\fB\fBhttp-proxy-none=true | false\fR\fR
.ad
.br
.sp .6
.RS 4n
If \fBhttp-proxy-none\fR is set to \fBtrue\fR, the global \fBhttp-proxy\fR is reset to no proxy.
.RE
.sp
.ne 2
.mk
.na
\fB\fBbypass-ipsec-policy=true | false\fR\fR
.ad
.br
.sp .6
.RS 4n
If \fBbypass-ipsec-policy\fR is set to \fBtrue\fR, network connections initiated by KMF attempt to bypass global IPsec policy. This operation requires the \fBsys_ip_config\fR privilege.
In the absence of this privilege, the connection is still attempted on a best-effort basis.
.RE
.sp
.ne 2
.mk
.na
\fB\fBocsp-none=true | false\fR\fR
.ad
.br
.sp .6
.RS 4n
If \fBocsp-none\fR is set to \fBtrue\fR, OCSP checking is turned off. No other OCSP attribute can be set at the same time when this attribute is set to \fBtrue\fR.
.RE
.sp
.ne 2
.mk
.na
\fB\fBpolicy=\fR\fIpolicyname\fR\fR
.ad
.br
.sp .6
.RS 4n
The name of the policy to modify. \fIpolicyname\fR is required. The \fBdefault\fR policy in the system KMF policy database cannot be modified.
.RE
.RE
.SS "Plugin Subcommands"
.sp
.ne 2
.mk
.na
\fB\fBinstall keystore=\fR\fIkeystore_name\fR \fBmodulepath=\fR\fIpathname\fR \fB[option=\fR\fIoption_str\fR\fB]\fR\fR
.ad
.br
.sp .6
.RS 4n
Install a plugin into the system. The \fBmodulepath\fR field specifies the pathname of a KMF plugin shared library object. If \fIpathname\fR is not an absolute pathname, the shared library object is assumed to be relative to \fB/lib/security/$ISA/\fR. The \fBISA\fR token is replaced by an implementation-defined directory name that selects the library matching the calling program's instruction set architecture. Because the plugin is loaded as a shared object by KMF consumers, \fImathname\fR must name a trusted library.
.RE
.sp
.ne 2
.mk
.na
\fB\fBlist plugin\fR\fR
.ad
.br
.sp .6
.RS 4n
Display KMF plugin information.
.sp
Without the \fBplugin\fR keyword, \fBkmfcfg list\fR shows the policy information as described in the \fBSUBCOMMANDS\fR section.
.RE
.sp
.ne 2
.mk
.na
\fB\fBmodify plugin keystore=\fR\fIkeystore_name\fR \fBoption=\fR\fIoption_str\fR\fR
.ad
.br
.sp .6
.RS 4n
Modify the plugin option. The option string is defined and interpreted by the plugin itself, so this command accepts any option string.
.sp
Without the \fBplugin\fR keyword, \fBkmfcfg modify\fR updates the policy configuration as described in the \fBSUBCOMMANDS\fR section.
.RE
.sp
.ne 2
.mk
.na
\fB\fBuninstall keystore=\fR\fIkeystore_name\fR\fR
.ad
.br
.sp .6
.RS 4n
Uninstall the plugin registered under \fIkeystore_name\fR.
.RE
.SH EXAMPLES
.LP
\fBExample 1\fR Creating a New Policy
.sp
.LP
The following example creates a new policy called IPSEC in the user-defined policy database file \fBipsec.xml\fR; omit \fBdbfile=\fR to add the policy to the system database instead. Because \fBignore-trust-anchor=true\fR is set, this policy does not verify certificates against a trust anchor:
.sp
.in +2
.nf
$ \fBkmfcfg create dbfile=ipsec.xml policy=IPSEC \e
    ignore-trust-anchor=true \e
    ocsp-use-cert-responder=true \e
    keyusage=keyAgreement,keyEncipherment,dataEncipherment \e
    ekunames=ipsecTunnel,ipsecUser\fR
.fi
.in -2
.sp
.SH EXIT STATUS
.sp
.LP
The following exit values are returned:
.sp
.ne 2
.mk
.na
\fB\fB0\fR\fR
.ad
.RS 7n
.rt
Successful completion.
.RE
.sp
.ne 2
.mk
.na
\fB\fB> 0\fR\fR
.ad
.RS 7n
.rt
An error occurred.
.RE
.SH FILES
.sp
.ne 2
.mk
.na
\fB\fB/etc/security/kmfpolicy.xml\fR\fR
.ad
.br
.sp .6
.RS 4n
Default system policy database
.RE
.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(7) for descriptions of the following attributes:
.sp
.TS
tab(@) box;
cw(2.75i) |cw(2.75i)
lw(2.75i) |lw(2.75i) .
ATTRIBUTE TYPE@ATTRIBUTE VALUE
_
Availability@system/core-os
_
Interface Stability@Uncommitted
.TE
.sp
.SH SEE ALSO
.sp
.LP
\fBattributes\fR(7)
.SH HISTORY
.sp
.LP
The \fBbypass-ipsec-policy\fR, \fBcert-revoke-responder-timeout\fR, \fBhttp-proxy\fR, \fBhttp-proxy-none\fR, \fBignore-cert-revoke-responder-timeout\fR, \fBmax-cert-path-length\fR, and \fBtrust-intermediate-cas\fR attributes were added in Oracle Solaris 11.2.0.
.sp
.LP
The \fBmapper-dir\fR, \fBmapper-name\fR, \fBmapper-path\fR, and \fBmapper-options\fR attributes were added in Solaris 11.0.
.sp
.LP
Plugin support, including the \fBinstall\fR, \fBlist plugin\fR, \fBmodify plugin\fR, and \fBuninstall\fR subcommands, was added in Solaris 11.0.
.sp
.LP
The \fBkmfcfg\fR command and all other subcommands and attributes were added in Solaris 10 8/07 (Update 4).
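The create and modify subcommands above document several attribute combinations that kmfcfg rejects (mapper-name together with mapper-path, mapper-dir without mapper-name, a *-none=true attribute together with the attributes it switches off, an explicit ta-name without a ta-serial) and two value constraints (the keyusage and ekunames word lists, the 300-second maximum for cert-revoke-responder-timeout). The POSIX shell script below, added here as an example and not taken from the man page or from Oracle's code, encodes those rules as a pre-flight check and wraps the Example 1 invocation in a dry run. The function names, the KMF_APPLY environment switch and the sample arguments are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of kmfcfg(1) or Oracle's code: a pre-flight wrapper
# that checks a kmfcfg create/modify argument list against the constraints the
# man page documents, so an inconsistent policy is rejected before kmfcfg runs.
# All names are this example's own; KMF_APPLY is an assumed env switch.

# Allowed values, taken from the keyusage= and ekunames= option descriptions.
KMF_KU_VALUES="digitalSignature nonRepudiation keyEncipherment dataEncipherment keyAgreement keyCertSign cRLSign encipherOnly decipherOnly"
KMF_EKU_NAMES="serverAuth clientAuth codeSigning emailProtection ipsecEndSystem ipsecTunnel ipsecUser timeStamping OCSPSigning"

kmf_err() { echo "kmfcfg pre-flight: $*" >&2; return 1; }

# kmf_check_csv "a,b,c" "LIST": every comma-separated item must be a word of
# the space-separated LIST.
kmf_check_csv() {
    _rest=$1
    while [ -n "$_rest" ]; do
        _item=${_rest%%,*}
        if [ "$_item" = "$_rest" ]; then _rest=; else _rest=${_rest#*,}; fi
        case " $2 " in
            *" $_item "*) ;;
            *) kmf_err "unknown value '$_item'"; return 1 ;;
        esac
    done
    return 0
}

# kmf_policy_check KEY=VALUE ...: 0 if the option set is consistent with the
# rules in kmfcfg(1), 1 (with the reason on stderr) otherwise.
kmf_policy_check() {
    _policy= _ta_name= _ta_serial= _timeout= _mname= _mpath= _mdir= _mopts=
    _crl_none=false _crl_other=false _ocsp_none=false _ocsp_other=false
    _eku_none=false _eku_other=false _ku_none=false _ku_other=false
    for _arg in "$@"; do
        _key=${_arg%%=*}; _val=${_arg#*=}
        case $_key in
            policy)         _policy=$_val ;;
            ta-name)        _ta_name=$_val ;;
            ta-serial)      _ta_serial=$_val ;;
            cert-revoke-responder-timeout) _timeout=$_val ;;
            crl-none)       _crl_none=$_val ;;
            crl-*)          _crl_other=true ;;
            ocsp-none)      _ocsp_none=$_val ;;
            ocsp-*)         _ocsp_other=true ;;
            eku-none)       _eku_none=$_val ;;
            ekuoids)        _eku_other=true ;;
            ekunames)       _eku_other=true
                            kmf_check_csv "$_val" "$KMF_EKU_NAMES" || return 1 ;;
            keyusage-none)  _ku_none=$_val ;;
            keyusage)       _ku_other=true
                            kmf_check_csv "$_val" "$KMF_KU_VALUES" || return 1 ;;
            mapper-name)    _mname=$_val ;;
            mapper-path)    _mpath=$_val ;;
            mapper-dir)     _mdir=$_val ;;
            mapper-options) _mopts=$_val ;;
        esac
    done
    [ -n "$_policy" ] || { kmf_err "policy= is required"; return 1; }
    # An explicit ta-name DN must be paired with a hex ta-serial; search ignores it.
    if [ -n "$_ta_name" ] && [ "$_ta_name" != search ] && [ -z "$_ta_serial" ]; then
        kmf_err "ta-name=<DN> requires ta-serial=<hex serial>"; return 1
    fi
    case $_ta_serial in ""|0x*) ;; *) kmf_err "ta-serial must be hex, e.g. 0x01020a0b"; return 1 ;; esac
    # Responder timeout is in seconds; the documented maximum is 300.
    case $_timeout in
        "") ;;
        *[!0-9]*) kmf_err "cert-revoke-responder-timeout must be an integer"; return 1 ;;
        *) [ "$_timeout" -le 300 ] || { kmf_err "timeout exceeds 300 seconds"; return 1; } ;;
    esac
    # *-none=true turns a check off and excludes that check's other attributes.
    [ "$_crl_none$_crl_other" = truetrue ] && { kmf_err "crl-none=true excludes other crl-* attributes"; return 1; }
    [ "$_ocsp_none$_ocsp_other" = truetrue ] && { kmf_err "ocsp-none=true excludes other ocsp-* attributes"; return 1; }
    [ "$_eku_none$_eku_other" = truetrue ] && { kmf_err "eku-none=true excludes ekunames/ekuoids"; return 1; }
    [ "$_ku_none$_ku_other" = truetrue ] && { kmf_err "keyusage-none=true excludes keyusage"; return 1; }
    # Mapper rules from the mapper-* description.
    [ -n "$_mname" ] && [ -n "$_mpath" ] && { kmf_err "mapper-name and mapper-path are mutually exclusive"; return 1; }
    [ -n "$_mdir" ] && [ -z "$_mname" ] && { kmf_err "mapper-dir requires mapper-name"; return 1; }
    [ -n "$_mopts" ] && [ -z "$_mname$_mpath" ] && { kmf_err "mapper-options requires mapper-name or mapper-path"; return 1; }
    return 0
}

# kmf_policy_apply SUBCOMMAND KEY=VALUE ...: run the pre-flight check, print
# the kmfcfg command line, and execute it only when KMF_APPLY=1 (dry run otherwise).
kmf_policy_apply() {
    _sub=$1; shift
    kmf_policy_check "$@" || return 1
    echo "kmfcfg $_sub $*"
    if [ "${KMF_APPLY:-0}" = 1 ]; then kmfcfg "$_sub" "$@"; fi
}

# Dry run of Example 1 from the page.
kmf_policy_apply create dbfile=ipsec.xml policy=IPSEC ignore-trust-anchor=true \
    ocsp-use-cert-responder=true keyusage=keyAgreement,keyEncipherment,dataEncipherment \
    ekunames=ipsecTunnel,ipsecUser
```

Run the script with sh on any system to see which argument sets pass; set KMF_APPLY=1 on a Solaris host with kmfcfg on the PATH to have the validated command executed. The check only enforces the rules the page states for a single invocation and never reads the policy database, so a conflict between a stored attribute and a new modify is still left for kmfcfg itself to report.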