The updated man page for kmfcfg(1) is in the case directory (orig, diff, and new)
-Wyllys

Wyllys Ingersoll wrote:
> Template Version: @(#)sac_nextcase 1.64 07/13/07 SMI
> This information is Copyright 2007 Sun Microsystems
> 1. Introduction
>     1.1. Project/Component Working Name:
>          KMF Pluggability Enhancements
>     1.2. Name of Document Author/Supplier:
>          Author: Huie Lee
>     1.3. Date of This Document:
>          17 October, 2007
> 4. Technical Description
> Proposal: KMF Dynamic Plugin Support
> Submitter: Huie-Ying Lee
> Sponsor: Wyllys Ingersoll
>
> Interface Taxonomy: libkmf - Committed
>                     kmfcfg CLI - Uncommitted
>                     /etc/crypto/kmf.conf - Private
>
> Release Binding: micro/patch
>
> =============================================================================
> Background:
> =============================================================================
> Currently, all three plugins in KMF (key management framework) are hard-coded
> in libkmf and KMF is unable to accommodate additional plugins automatically.
> This enhancement will provide capabilities for users to add/remove additional
> plugins dynamically.
>
> =======================================================
> A New Private configuration file: /etc/crypto/kmf.conf
> Interface Taxonomy: Private
> =======================================================
>
> The KMF configuration file is "/etc/crypto/kmf.conf" with permission
> "644". This file specifies only non-default keystore plugins with the
> following format:
>
>     keystore:modulepath=xxx[;option=option_str]
>
> The "keystore" field specifies the keystore name.
>
> The "modulepath" field specifies the pathname to a KMF plugin shared
> library object. If the pathname is not absolute, shared library
> objects are assumed to be relative to /usr/lib/security/$ISA/.
> The ISA token is replaced by an implementation defined directory name
> which defines the path relative to the calling program's instruction
> set architecture.
>
> The option field specifies an option string which would only
> be processed by the plugin.
>
> ==================================================
> Changes to the kmfcfg command
> ==================================================
> 1) A new "install" subcommand will be added to the kmfcfg command.
>
>     $ kmfcfg install keystore=keystore_name modulepath=path [option=option_str]
>
> This command installs a new plugin into the Key Management framework.
> Internally, a new entry for this plugin will be added into the
> /etc/crypto/kmf.conf file.
>
> 2) A new "uninstall" subcommand will be added to the kmfcfg command.
>
>     $ kmfcfg uninstall keystore=keystore_name
>
> This command will uninstall the plugin with the kstype name.
> Internally, the entry with the keystore name will be removed from the
> /etc/crypto/kmf.conf file.
>
> 3) A new "plugin" parameter will be added to the list subcommand.
>
>     $ kmfcfg list plugin
>
> - This command displays all the plugins in the system, including the 3 default
>   plugins. For example, if there is an additional plugin in the system,
>   the output will look like
>
>     $ kmfcfg list plugin
>     pkcs11:kmf_pkcs11.so.1 (built-in)
>     file:kmf_openssl.so.1 (built-in)
>     nss:kmf_nss.so.1 (built-in)
>     new_plugin:/opt/lib/new_plugin.so.1;option=debug
>
> Note that without the "plugin" keyword, "kmfcfg list" will show the policy
> stuff as before.
>
> 4) A new "modify plugin" subcommand will be added to the modify subcommand.
>
>     $ kmfcfg modify plugin keystore=keystore_name option=option_str
>
> This subcommand allows an administrator to modify the plugin option.
> The plugin option is defined by the plugin and will be interpreted by the
> plugin specifically, therefore this command will accept any option string.
>
> ==================================================
> Changes to libkmf (Committed)
> ==================================================
> 1) A new kmf_get_plugin_info() API will be added.
>
>     KMF_RETURN
>     kmf_get_plugin_info(KMF_HANDLE_T handle, char *keystore_name,
>         KMF_KEYSTORE_TYPE *kstype, char **option)
>
>     kstype_name - input
>     kstype - output
>     option - output
>
> This function takes a keystore name as input and returns a new
> KMF_KEYSTORE_TYPE value. If the option argument is not NULL, then
> this function will return the plugin option if this is an option
> string specified for the plugin.
>
> Note that the returned "kstype" value should be used to access the new
> plugin's SPI.
>
> =========================================================
> New plugin package requirement and class action scripts
> =========================================================
> For a new plugin library, we would like it to be installed into the Key
> Management Framework during the pkgadd time and uninstalled during the pkgrm
> time automatically. To achieve this, two class action scripts will be added
> in the /usr/sadm/install/scripts directory.
>
>     i.kmfconf -> the installation class action script
>     r.kmfconf -> the removal class action script
>
> Accordingly, the new plugin package should do the following:
>
> 1. Add the "kmfconf" class into the CLASSES string of the pkginfo.tmpl
>    file.
>
> 2. Create an input file "kmf.conf" in the "etc/crypto" directory and
>    The syntax of the input file is the same as the kmf.conf file
>
>     keystore:modulepath=xxx[;option=xxx]
>
> 6. Resources and Schedule
>     6.4. Steering Committee requested information
>         6.4.1. Consolidation C-team Name:
>             ON
>     6.5. ARC review type: FastTrack
>     6.6. ARC Exposure: open
>
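As an added illustration of the kmf.conf entry format the case describes (keystore:modulepath=xxx[;option=option_str], with a non-absolute modulepath resolved under /usr/lib/security/$ISA/) and of the keystore-name lookup that kmf_get_plugin_info() performs, here is a small parser and lookup in C. It is example code written for this page, not libkmf's implementation or the code from the case; the struct and function names, the kmf_plugin_entry buffer sizes, and the second entry in the sample configuration are assumptions. A malformed line is rejected rather than guessed at, since modulepath names a shared object that the framework will load into the calling process.

```c
#include <stdio.h>
#include <string.h>

#define KMF_PLUGIN_DIR "/usr/lib/security/"  /* base for relative modulepath (from the case) */

/* Parsed form of one kmf.conf line (assumed layout, not libkmf's KMF_KEYSTORE_TYPE). */
typedef struct {
    char keystore[64];
    char modulepath[256];   /* modulepath after $ISA resolution */
    char option[128];       /* option string, empty when absent */
    int  has_option;
} kmf_plugin_entry;

/* Copy [s, e) into dst; -1 if the span is empty or does not fit. */
static int copy_span(char *dst, size_t dstsz, const char *s, const char *e)
{
    size_t n = (size_t)(e - s);
    if (n == 0 || n >= dstsz)
        return -1;
    memcpy(dst, s, n);
    dst[n] = '\0';
    return 0;
}

/*
 * Parse one kmf.conf line. isa is the directory substituted for the $ISA token
 * ("" for a 32-bit caller, e.g. "amd64" or "sparcv9" for a 64-bit one).
 * Returns 0 on success, 1 for a blank line (skipped), -1 if malformed.
 */
int kmf_parse_conf_line(const char *line, const char *isa, kmf_plugin_entry *out)
{
    static const char mp_key[] = "modulepath=", opt_key[] = "option=";
    const char *end, *colon, *p, *semi;
    char rawpath[256];
    int n;

    memset(out, 0, sizeof (*out));
    end = line + strlen(line);
    while (end > line && (end[-1] == '\n' || end[-1] == '\r'))
        end--;                                   /* trim line terminator */
    if (end == line)
        return 1;

    /* keystore name: everything before the first ':' */
    colon = memchr(line, ':', (size_t)(end - line));
    if (colon == NULL || copy_span(out->keystore, sizeof (out->keystore), line, colon) != 0)
        return -1;

    /* "modulepath=" is mandatory and must directly follow the colon */
    p = colon + 1;
    if ((size_t)(end - p) < sizeof (mp_key) - 1 || strncmp(p, mp_key, sizeof (mp_key) - 1) != 0)
        return -1;
    p += sizeof (mp_key) - 1;
    semi = memchr(p, ';', (size_t)(end - p));
    if (copy_span(rawpath, sizeof (rawpath), p, semi ? semi : end) != 0)
        return -1;

    /* optional ";option=..." is carried through untouched; only the plugin interprets it */
    if (semi != NULL) {
        const char *o = semi + 1;
        if ((size_t)(end - o) < sizeof (opt_key) - 1 || strncmp(o, opt_key, sizeof (opt_key) - 1) != 0)
            return -1;
        o += sizeof (opt_key) - 1;
        if (copy_span(out->option, sizeof (out->option), o, end) != 0)
            return -1;
        out->has_option = 1;
    }

    /* absolute paths are used as-is; relative ones live under /usr/lib/security/$ISA/ */
    if (rawpath[0] == '/')
        n = snprintf(out->modulepath, sizeof (out->modulepath), "%s", rawpath);
    else if (isa[0] == '\0')
        n = snprintf(out->modulepath, sizeof (out->modulepath), "%s%s", KMF_PLUGIN_DIR, rawpath);
    else
        n = snprintf(out->modulepath, sizeof (out->modulepath), "%s%s/%s", KMF_PLUGIN_DIR, isa, rawpath);
    return (n < 0 || (size_t)n >= sizeof (out->modulepath)) ? -1 : 0;
}

/*
 * Map a keystore name to its plugin and option in an in-memory kmf.conf image,
 * the lookup kmf_get_plugin_info() performs. Returns 0 if found, 1 if absent,
 * -1 on the first malformed line (fail closed rather than skip it).
 */
int kmf_find_plugin(const char *conf, const char *isa, const char *keystore, kmf_plugin_entry *out)
{
    const char *p = conf;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) + 1 : strlen(p);
        char linebuf[512];
        int rc;

        if (len >= sizeof (linebuf))
            return -1;
        memcpy(linebuf, p, len);
        linebuf[len] = '\0';
        rc = kmf_parse_conf_line(linebuf, isa, out);
        if (rc < 0)
            return -1;
        if (rc == 0 && strcmp(out->keystore, keystore) == 0)
            return 0;
        p += len;
    }
    return 1;
}

/* Constructed sample kmf.conf: the first entry mirrors the case's example output,
 * the second is made up here to exercise $ISA resolution. */
static const char sample_conf[] =
    "new_plugin:modulepath=/opt/lib/new_plugin.so.1;option=debug\n"
    "vendor_ks:modulepath=kmf_vendor.so.1\n";
```

Calling kmf_find_plugin(sample_conf, "amd64", "vendor_ks", &e) fills e.modulepath with /usr/lib/security/amd64/kmf_vendor.so.1 and leaves has_option at 0, while the same call with isa "" yields /usr/lib/security/kmf_vendor.so.1; a line lacking modulepath=, or carrying a ';' not followed by option=, is reported as malformed instead of being loaded.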
