HP-UX Kernel Cryptographic Module 2.1 User Guide

Abstract

This document describes how to install, configure, and troubleshoot HP-UX KCM on HP-UX 11i v3 platforms. It is intended for system and network administrators who have knowledge of operating system concepts, commands, and configuration.
© Copyright 2013, 2014 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Contents

HP secure development lifecycle ... 4
1 Overview ... 5
    Supported configuration ... 5
    Features provided in this release ...
HP secure development lifecycle

Starting with the HP-UX 11i v3 March 2013 update release, the HP secure development lifecycle provides the ability to authenticate HP-UX software. Software delivered through this release has been digitally signed using HP's private key. You can now verify the authenticity of the software before installing the products delivered through this release. To verify the software signatures in a signed depot, the following products must be installed on your system:
• B.11.31.
1 Overview

The HP-UX Kernel Cryptographic Module (HP-UX KCM) is a common cryptographic library in the HP-UX kernel. It is a library of core cryptographic algorithms used by HP-UX kernel products. HP-UX KCM implements FIPS 140-2 compliant algorithms for commonly used cryptographic operations such as data encryption/decryption, sign/verify, digest, HMAC, and random number generation.
HP-UX KCM also implements the following algorithms, which are required for supportability purposes even though they are not FIPS 140-2 compliant.
Table 1 (page 7) describes the mechanisms supported by HP-UX KCM.
Table 2 Functions supported by HP-UX KCM (continued)

Category: Session management functions
    C_OpenSession
    C_CloseSession       Closes a session
    C_GetSessionInfo     Obtains information about the session

    (name missing)       Creates an object
    C_DestroyObject      Destroys an object

    C_EncryptInit        Initializes an encryption operation
    C_Encrypt            Encrypts single-part data
    C_EncryptUpdate      Continues a multiple-part encryption operation
    C_EncryptFinal       Finishes a multiple-part encryption operation
    C_DecryptInit        Initializes a de
Table 2 Functions supported by HP-UX KCM (continued)

Category: Random number generation functions
    C_UnwrapKey          Unwraps (decrypts) a key
    C_GenerateRandom     Generates random data

For more information on APIs, see the PKCS#11 specification document.

Example usage of HP-UX KCM

    // pkcs11 header files
    #include "pkcs11_kcm.h"
    #include "pkcs11.h"

    // Initialize the module. Required only once during the lifetime of the application
    CK_RV rv = C_Initialize( NULL_PTR );

    // Open session.
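The guide's snippet stops at opening the session. The following added example (not HP's code and not from the guide) carries the same PKCS#11 sequence through C_OpenSession and C_GenerateRandom and back out, checking every return code and finalizing the module even when a call fails. It assumes the KCM PKCS#11 library is a shared object that exports the C_* entry points directly (so it is loaded with dlopen instead of including pkcs11_kcm.h), that slot 0 is the KCM slot, and a placeholder library path; the PKCS#11 types and constants are redeclared from the public specification.

```c
/* Added example, not HP's code. Assumptions: the KCM PKCS#11 library is a
 * shared object exporting C_* symbols directly, slot 0 is the KCM slot, and
 * the library path is a placeholder. Loaded via dlopen so it builds without
 * pkcs11_kcm.h; minimal PKCS#11 types are redeclared from the public spec. */
#include <dlfcn.h>
#include <stdio.h>

typedef unsigned long CK_RV, CK_ULONG, CK_SLOT_ID, CK_FLAGS, CK_SESSION_HANDLE;
#define CKR_OK             0UL
#define CKF_SERIAL_SESSION 4UL   /* PKCS#11 requires this flag on every session */

typedef CK_RV (*init_fn)(void *);                       /* C_Initialize / C_Finalize */
typedef CK_RV (*open_fn)(CK_SLOT_ID, CK_FLAGS, void *, void *, CK_SESSION_HANDLE *);
typedef CK_RV (*rand_fn)(CK_SESSION_HANDLE, unsigned char *, CK_ULONG);
typedef CK_RV (*close_fn)(CK_SESSION_HANDLE);

/* Fill buf with n random bytes from the PKCS#11 module at libpath.
 * Returns 0 on success, -1 if the module cannot be loaded or lacks an entry
 * point, otherwise the CK_RV of the first failing call. Whatever was started
 * is torn down in reverse order (session closed, module finalized). */
long kcm_random(const char *libpath, unsigned char *buf, CK_ULONG n)
{
    void *h = dlopen(libpath, RTLD_NOW);
    if (!h) { fprintf(stderr, "cannot load %s: %s\n", libpath, dlerror()); return -1; }

    init_fn  c_init  = (init_fn)  dlsym(h, "C_Initialize");
    init_fn  c_fin   = (init_fn)  dlsym(h, "C_Finalize");
    open_fn  c_open  = (open_fn)  dlsym(h, "C_OpenSession");
    rand_fn  c_rand  = (rand_fn)  dlsym(h, "C_GenerateRandom");
    close_fn c_close = (close_fn) dlsym(h, "C_CloseSession");
    if (!c_init || !c_fin || !c_open || !c_rand || !c_close) { dlclose(h); return -1; }

    CK_SESSION_HANDLE s = 0;
    long rc = (long)c_init(NULL);                 /* once per process lifetime */
    if (rc != (long)CKR_OK) goto unload;
    rc = (long)c_open(0, CKF_SERIAL_SESSION, NULL, NULL, &s);
    if (rc != (long)CKR_OK) goto finalize;
    rc = (long)c_rand(s, buf, n);                 /* the actual request */
    c_close(s);                                   /* release the session */
finalize:
    c_fin(NULL);                                  /* undo C_Initialize */
unload:
    dlclose(h);
    return rc;
}
```

On a system without the module the function reports -1 rather than crashing, which is the case a caller should handle before trusting any "random" output.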
2 Installing HP-UX KCM

This chapter discusses the installation procedure for HP-UX KCM.

IMPORTANT: HP-UX KCM 2.1 requires approximately 1.5 MB of disk space after installation.

To install HP-UX KCM:
1. Log in as root.
2. Download HP-UX KCM from the HP Software Depot.
3. Save the HP-UX KCM depot as a local file on the target system. For example: in .depot
4. Verify the depot file on your system using the following command:
   $ swlist -d @ /tmp/HPUX-KCM.depot
5.
3 Configuring HP-UX KCM

The products integrated with HP-UX KCM must define the install-time and run-time dependency on HP-UX KCM. This helps to install and load KCM automatically along with the product that depends on HP-UX KCM.

NOTE:
• Before loading HP-UX KCM modules, ensure that the following paths are accessible:
  ◦ /stand/current/mod
  ◦ /usr/conf/mod
  ◦ /etc
• HP-UX KCM modules cannot be loaded as a static module, as this is not a valid FIPS mode of operation.
Configuring HP-UX KCM to enable FIPS mode

By default, HP-UX KCM is in Non-FIPS mode. To enable FIPS mode, follow the steps below:
1. To verify that the KCM-FIPS product is installed, run the following command:
   # swlist -l product | grep -i kcm
   Expected output:
   KCM        A.02.01.00   HP-UX Kernel Cryptographic Module (Non-FIPS and PKCS11)
   KCM-FIPS   A.01.00.00   HP-UX Kernel Cryptographic Module
   If KCM-FIPS is not installed, install it from the HP-UX KCM 2.1 depot.
2.
4 Troubleshooting

This chapter explains some of the problem scenarios that you might encounter while working with HP-UX KCM.

General guidelines to troubleshoot HP-UX KCM

At the time of this release there are no issues reported with HP-UX KCM. If any error occurs, HP-UX KCM logs the message to the syslog file. All log messages from HP-UX KCM are prefixed with libkcm_core>, libkcm_pkcs11>, or libkcm_nonfips>.
5 Removing HP-UX KCM

This chapter discusses the procedure to remove HP-UX KCM.

To remove HP-UX KCM:
1. Verify whether HP-UX KCM is already installed by running the following command:
   swlist -l bundle | grep -i kcm
   If HP-UX KCM is already installed on the system, a message similar to the following is displayed:
   HPUX-KCM   A.02.01.00   HP-UX Kernel Cryptographic Module
2.
6 Support and other resources

Information to collect before contacting HP

Be sure to have the following information available before you contact HP:
• Software product name
• Hardware product model number
• Operating system type and version
• Applicable error message
• Third-party hardware or software
• Technical support registration number (if applicable)

How to contact HP

Use the following methods to contact HP technical support:
• See the Contact HP worldwide website
• Use the GET HELP FRO
Typographic conventions

The following conventions are used in this document:
Book title   The title of a book. On the web, this can be a hyperlink to the book itself.
Command      A command name or command phrase, for example ls -a.
[]           Optional content in syntax.
{}           Required content in syntax.
|            Character that separates items in a list of choices.
...          Indication that the preceding element can be repeated one or more times.
7 Documentation feedback HP is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hp.com). Include the document title and part number, version number, or the URL when submitting your feedback.
Index

A
API considerations, 6
H
HP-UX Kernel Cryptographic Module (HP-UX KCM), 5
S
Sample code, 9
T
Typographic conventions, 16
Glossary

FIPS 140-2   Federal Information Processing Standard 140-2
HP-UX KCM    HP-UX Kernel Cryptographic Module
PKCS         Public-Key Cryptography Standards
SO           A Security Officer user.