| Solaris |
|
|
Key Management Framework
Status
- PSARC/2005/074 Approved 2005-07-19. Integrated into Build 53 of the ON consolidation.
- PSARC 2007/426 - KMFAPI Interface Taxonomy Changes - putback into build 74.
- PSARC 2007/465 - pktool symmetric key enhancements - putback into build 74
- PSARC 2008/037 - new EKU support for pktool and kmfcfg - putback into build 85
Key Management Framework
The goal of the project is to provide a unified set of interfaces (both programming APIs and administrative tools) for managing PKI objects in Solaris. Currently, there are at several different "keystore systems" that developers and administrators must choose when designing systems that employ PKI technologies - NSS, OpenSSL, and PKCS#11 are the 3 main choices for Solaris users. Each of these systems presents very different programming APIs and administrative tools and none of them has any sort of concept of a PKI policy enforcement system.
Details
KMF provides a generic interfaces that can be used to manipulate objects (keys, certificates) in all of the above mentioned keystores. The programming API layer is generic and allows the developer to specify which type of keystore is to be used. KMF will also provide plugin modules for each of the 3 systems so that new applications can be written to use any of the above keystores. A new management utility that will allow the administrator to manage PKI objects in all 3 keystores from a single utility, instead of learning 3 different utilities (openssl, certutil, pkutil).
Another unique feature of KMF is that it will provide a system-wide policy database that KMF applications can use to apply to applications, regardless of which type of keystore is being used. The administrator will be able to create policy definitions in a global database. KMF applications can then choose which policy they want to assert and then all subsequent KMF operations will behave according to the limitations of the policy being enforced. Policy definitions include rules for how validations is to be performed, key usage and extended key usage requirements, trust anchor definitions, OCSP parameters, and CRL DB parameters (location, etc).
Feature Summary
- Provide abstracted programming APIs for developing PKI applications
- Provide new administrative utility for managing PKI objects
- Provide new PKI policy database and enforcement system for PKI apps
More Information
- Source Codepdf
- Other Design whitepapers and presentations are available in the files section.
- Join the KMF mailing list
Terms of Use
|
Privacy
|
Trademarks
|
Copyright Policy
|
Site Guidelines
|
Site Map
|
Help
Your use of this web site or any of its content or software indicates your agreement to be bound by these Terms of Use.
© 2012, Oracle Corporation and/or its affiliates.