HP-UX Kernel Cryptographic Module 2.0 User Guide

Abstract

This document describes how to install, configure, and troubleshoot HP-UX KCM on HP-UX 11i v3 platforms. It is intended for system and network administrators who have knowledge of operating system concepts, commands, and configuration.
© Copyright 2013, 2014 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Contents

HP secure development lifecycle
1 Overview
  Supported configuration
  Features provided in this release
HP secure development lifecycle

Starting with the HP-UX 11i v3 March 2013 update release, the HP secure development lifecycle provides the ability to authenticate HP-UX software. Software delivered through this release has been digitally signed using HP's private key, so you can verify the authenticity of the software before installing the products delivered through this release. To verify the software signatures in a signed depot, the following products must be installed on your system:
• B.11.31.
1 Overview

The HP-UX Kernel Cryptographic Module (HP-UX KCM) is a common cryptographic library in the HP-UX kernel. It is a library of core cryptographic algorithms used by HP-UX kernel products. HP-UX KCM implements FIPS 140-2 compliant algorithms for commonly used cryptographic operations such as data encryption/decryption, sign/verify, digest, HMAC, and random number generation.
Algorithm    Key/digest size (bits)   Functions                                               Operation
RSA          1024 and 1536            Generate key pair, Sign, Verify, Wrap key, Unwrap key   Asymmetric key operations
SHA-1        160                      Digest                                                  Digest operations
HMAC-SHA1    160                      Digest (with key)                                       Key-Hash Message Authentication Code (HMAC)

The interfaces supported by the library follow the RSA Security Inc. PKCS#11 v2.20 specification. For more information, see the PKCS#11 specification document.
Table 1 Mechanisms supported by HP-UX KCM (continued)

Mechanism
CKM_SHA512_RSA_PKCS
CKM_AES_KEY_GEN
CKM_AES_CBC
CKM_SHA_1
CKM_SHA256
CKM_SHA384
CKM_SHA512
CKM_SHA_1_HMAC
CKM_SHA256_HMAC
CKM_SHA384_HMAC
CKM_SHA512_HMAC

HP-UX KCM implements the following PKCS#11 APIs, which are relevant to the cryptographic functions supported by KCM. Table 2 lists the functions supported by KCM.
Table 2 Functions supported by HP-UX KCM (continued)

Category                      Function          Description
Encryption functions          C_Encrypt         Encrypts single-part data
                              C_EncryptUpdate   Continues a multiple-part encryption operation
                              C_EncryptFinal    Finishes a multiple-part encryption operation
Decryption functions          C_DecryptInit     Initializes a decryption operation
                              C_Decrypt         Decrypts single-part encrypted data
                              C_DecryptUpdate   Continues a multiple-part decryption operation
                              C_DecryptFinal    Finishes a multiple-part decryption operation
Message digesting functions
#include "pkcs11.h"   /* PKCS#11 v2.20 types and constants (CK_*, CKM_*, CKF_*) */

CK_RV rv;

// Open a session. Required for every crypto operation.
// PKCS#11 v2.20 requires CKF_SERIAL_SESSION in the flags; the handle is
// returned through the last argument.
CK_SESSION_HANDLE hSession;
rv = C_OpenSession( 0, CKF_SERIAL_SESSION, NULL, NULL, &hSession );

// Set mechanism: the type of crypto operation (here a digest mechanism from Table 1)
CK_MECHANISM digestMechanism = { 0, NULL, 0 };
digestMechanism.mechanism = CKM_SHA_1;
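The tables above list SHA-1 and HMAC-SHA1 as mechanisms and split digesting into init, update and final calls. The following is an added reference example, not HP-UX KCM code and not the PKCS#11 API itself: a self-contained SHA-1 written in the same init/update/final shape as C_DigestInit, C_DigestUpdate and C_DigestFinal, with HMAC-SHA1 (what CKM_SHA_1_HMAC computes) layered on top. It shows the property callers of the multi-part interface rely on, namely that feeding data in several C_DigestUpdate calls must give the same digest as a single C_Digest call, and checks the result against published SHA-1 and RFC 2202 HMAC test vectors. All function and type names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not KCM code: SHA-1 with a PKCS#11-style init/update/final split. */
typedef struct { uint32_t h[5]; uint8_t buf[64]; size_t buflen; uint64_t total; } sha1_ctx;

static uint32_t rol(uint32_t x, int n) { return (x << n) | (x >> (32 - n)); }

static void sha1_block(sha1_ctx *c, const uint8_t p[64]) {
    uint32_t w[80], a, b, cc, d, e, t; int i;
    for (i = 0; i < 16; i++)
        w[i] = ((uint32_t)p[4*i] << 24) | ((uint32_t)p[4*i+1] << 16) |
               ((uint32_t)p[4*i+2] << 8) | p[4*i+3];
    for (; i < 80; i++) w[i] = rol(w[i-3] ^ w[i-8] ^ w[i-14] ^ w[i-16], 1);
    a = c->h[0]; b = c->h[1]; cc = c->h[2]; d = c->h[3]; e = c->h[4];
    for (i = 0; i < 80; i++) {
        uint32_t f, k;
        if (i < 20)      { f = (b & cc) | (~b & d);           k = 0x5A827999; }
        else if (i < 40) { f = b ^ cc ^ d;                    k = 0x6ED9EBA1; }
        else if (i < 60) { f = (b & cc) | (b & d) | (cc & d); k = 0x8F1BBCDC; }
        else             { f = b ^ cc ^ d;                    k = 0xCA62C1D6; }
        t = rol(a, 5) + f + e + k + w[i];
        e = d; d = cc; cc = rol(b, 30); b = a; a = t;
    }
    c->h[0] += a; c->h[1] += b; c->h[2] += cc; c->h[3] += d; c->h[4] += e;
}

/* C_DigestInit analogue: reset chaining state and buffer. */
void sha1_init(sha1_ctx *c) {
    c->h[0] = 0x67452301; c->h[1] = 0xEFCDAB89; c->h[2] = 0x98BADCFE;
    c->h[3] = 0x10325476; c->h[4] = 0xC3D2E1F0; c->buflen = 0; c->total = 0;
}

/* C_DigestUpdate analogue: may be called any number of times with any chunk sizes. */
void sha1_update(sha1_ctx *c, const uint8_t *data, size_t len) {
    c->total += len;
    while (len > 0) {
        size_t n = 64 - c->buflen; if (n > len) n = len;
        memcpy(c->buf + c->buflen, data, n);
        c->buflen += n; data += n; len -= n;
        if (c->buflen == 64) { sha1_block(c, c->buf); c->buflen = 0; }
    }
}

/* C_DigestFinal analogue: pad, append the bit length, emit the 20-byte digest. */
void sha1_final(sha1_ctx *c, uint8_t out[20]) {
    uint64_t bits = c->total * 8; uint8_t pad = 0x80, zero = 0; int i;
    sha1_update(c, &pad, 1);
    while (c->buflen != 56) sha1_update(c, &zero, 1);
    for (i = 7; i >= 0; i--) { uint8_t b = (uint8_t)(bits >> (8 * i)); sha1_update(c, &b, 1); }
    for (i = 0; i < 5; i++) {
        out[4*i] = (uint8_t)(c->h[i] >> 24); out[4*i+1] = (uint8_t)(c->h[i] >> 16);
        out[4*i+2] = (uint8_t)(c->h[i] >> 8); out[4*i+3] = (uint8_t)c->h[i];
    }
}

/* CKM_SHA_1_HMAC analogue (RFC 2104): H((K ^ opad) || H((K ^ ipad) || msg)). */
void hmac_sha1(const uint8_t *key, size_t keylen, const uint8_t *msg, size_t msglen, uint8_t out[20]) {
    uint8_t k[64] = {0}, ipad[64], opad[64], inner[20]; sha1_ctx c; size_t i;
    if (keylen > 64) { sha1_init(&c); sha1_update(&c, key, keylen); sha1_final(&c, k); }  /* long keys are hashed first */
    else memcpy(k, key, keylen);
    for (i = 0; i < 64; i++) { ipad[i] = k[i] ^ 0x36; opad[i] = k[i] ^ 0x5c; }
    sha1_init(&c); sha1_update(&c, ipad, 64); sha1_update(&c, msg, msglen); sha1_final(&c, inner);
    sha1_init(&c); sha1_update(&c, opad, 64); sha1_update(&c, inner, 20);   sha1_final(&c, out);
}

static void to_hex(const uint8_t *d, size_t n, char *hex) {
    static const char *digits = "0123456789abcdef"; size_t i;
    for (i = 0; i < n; i++) { hex[2*i] = digits[d[i] >> 4]; hex[2*i+1] = digits[d[i] & 15]; }
    hex[2*n] = 0;
}

/* Single-part digest (C_Digest analogue), returned as lowercase hex. */
void sha1_hex(const uint8_t *data, size_t len, char hex[41]) {
    sha1_ctx c; uint8_t d[20];
    sha1_init(&c); sha1_update(&c, data, len); sha1_final(&c, d); to_hex(d, 20, hex);
}

void hmac_sha1_hex(const uint8_t *key, size_t keylen, const uint8_t *msg, size_t msglen, char hex[41]) {
    uint8_t d[20]; hmac_sha1(key, keylen, msg, msglen, d); to_hex(d, 20, hex);
}

/* Returns 1 if a two-chunk (multi-part) digest equals the one-shot digest. */
int multipart_matches_singlepart(const uint8_t *msg, size_t len, size_t split) {
    sha1_ctx c; uint8_t one[20], two[20];
    if (split > len) split = len;
    sha1_init(&c); sha1_update(&c, msg, len); sha1_final(&c, one);
    sha1_init(&c); sha1_update(&c, msg, split); sha1_update(&c, msg + split, len - split); sha1_final(&c, two);
    return memcmp(one, two, 20) == 0;
}

int main(void) {
    char hex[41]; uint8_t key[20]; const char *m = "The quick brown fox jumps over the lazy dog";
    sha1_hex((const uint8_t *)"abc", 3, hex);                 printf("SHA1(\"abc\")      = %s\n", hex);
    memset(key, 0x0b, sizeof key);                             /* RFC 2202 test case 1 key */
    hmac_sha1_hex(key, 20, (const uint8_t *)"Hi There", 8, hex); printf("HMAC-SHA1 tc1     = %s\n", hex);
    printf("multi == single   = %d\n", multipart_matches_singlepart((const uint8_t *)m, strlen(m), 7));
    return 0;
}
```

Against a real PKCS#11 provider such as KCM the same flow is C_DigestInit(hSession, &mech) followed by C_DigestUpdate per chunk and C_DigestFinal, or C_Digest for single-part data; for CKM_SHA_1_HMAC the key is supplied as a CKO_SECRET_KEY object to C_SignInit rather than as raw bytes.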
2 Installing HP-UX KCM

This chapter discusses the installation procedure for HP-UX KCM.

IMPORTANT: HP-UX KCM 2.0 requires approximately 1.5 MB of disk space after installation.

To install HP-UX KCM:
1. Log in as root.
2. Download HP-UX KCM from the HP Software Depot.
3. Save the HP-UX KCM depot as a local file on the target system. For example: in .depot
4. Verify the depot file on your system using the following command:
   $ swlist -d @ /tmp/HPUX-KCM.depot
5.
3 Configuring HP-UX KCM

Products integrated with HP-UX KCM must declare an install-time and a run-time dependency on HP-UX KCM. This causes KCM to be installed and loaded automatically along with the dependent product.

NOTE:
• Before loading HP-UX KCM modules, ensure that the /stand/current/mod and /etc directories are accessible.
• HP-UX KCM modules cannot be loaded as static modules, because that is not a valid FIPS mode of operation.
4 Troubleshooting

This chapter explains some of the problem scenarios that you might encounter while working with HP-UX KCM.

General guidelines to troubleshoot HP-UX KCM

At the time of this release there are no known issues with HP-UX KCM. If an error occurs, HP-UX KCM logs a message to syslog. All log messages from HP-UX KCM are prefixed with libkcm_core>, libkcm_pkcs11>, or libkcm_nonfips>, which identifies the component that reported the error.
5 Removing HP-UX KCM

This chapter discusses the procedure to remove HP-UX KCM.

To remove HP-UX KCM:
1. Verify whether HP-UX KCM is installed by running the following command:
   swlist -l bundle | grep -i kcm
   If HP-UX KCM is installed on the system, a message similar to the following is displayed:
   HPUX-KCM A.02.00.00 HP-UX Kernel Cryptographic Module 2.
6 Support and other resources

Information to collect before contacting HP

Be sure to have the following information available before you contact HP:
• Software product name
• Hardware product model number
• Operating system type and version
• Applicable error message
• Third-party hardware or software
• Technical support registration number (if applicable)

How to contact HP

Use the following methods to contact HP technical support:
• See the Contact HP worldwide website
• Use the GET HELP FRO
Typographic conventions

The following conventions are used in this document:
Book title   The title of a book. On the web, this can be a hyperlink to the book itself.
Command      A command name or command phrase, for example ls -a.
[]           Optional content in syntax.
{}           Required content in syntax.
|            Character that separates items in a list of choices.
...          Indication that the preceding element can be repeated one or more times.
7 Documentation feedback

HP is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hp.com). Include the document title and part number, version number, or the URL when submitting your feedback.
Glossary

HP-UX KCM   HP-UX Kernel Cryptographic Module.
PKCS        Public-Key Cryptography Standards.
SO          Security Officer, a PKCS#11 token user role.