HP-UX Kernel Cryptographic Module 1.0 User Guide

Abstract

This document describes how to install, configure, and troubleshoot HPUX-KCM on HP-UX 11i v3 platforms. It is intended for system and network administrators who have knowledge of operating system concepts, commands, and configuration.
© Copyright 2013 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Contents

1 Overview
    Supported configuration
    Features provided in this release
    PKCS #11 API considerations
1 Overview

The HP-UX Kernel Cryptographic Module (HP-UX KCM) is a common cryptographic library in the HP-UX kernel. It is a library of core cryptographic algorithms that are used by HP-UX kernel products. HP-UX KCM implements FIPS 140-2 compliant algorithms for commonly used cryptographic operations such as data encryption/decryption, sign/verify, digest, HMAC, and random number generation.
RSA | 1024 and 1536 | Generate key pair, Sign, Verify, Wrap key, and Unwrap key | Asymmetric key operations
SHA-1 | 160 | Digest | Digest operations
HMAC-SHA1 | 160 | Digest (with key) | Key-Hash Message Authentication Code (HMAC)

The interfaces supported by the library follow the RSA Security Inc. PKCS#11 V.2.20 specification. For more information, see the PKCS#11 specification document.
Table 1 Mechanisms supported by HPUX-KCM (continued)

Mechanism Functions CKM_SHA512_RSA_PKCS √ CKM_AES_KEY_GEN CKM_AES_CBC • √ √ CKM_SHA_1 √ CKM_SHA256 √ CKM_SHA384 √ CKM_SHA512 √ CKM_SHA_1_HMAC √ CKM_SHA256_HMAC √ CKM_SHA384_HMAC √ CKM_SHA512_HMAC √

HPUX-KCM implements the following PKCS#11 APIs, which are relevant for the cryptographic functions supported by KCM. Table 2 (page 6) lists the functions supported by KCM.
Table 2 Functions supported by HPUX-KCM (continued)

Function | Description
C_Encrypt | Encrypts single-part data
C_EncryptUpdate | Continues a multiple-part encryption operation
C_EncryptFinal | Finishes a multiple-part encryption operation

Decryption functions
C_DecryptInit | Initializes a decryption operation
C_Decrypt | Decrypts single-part encrypted data
C_DecryptUpdate | Continues a multiple-part decryption operation
C_DecryptFinal | Finishes a multiple-part decry

Message digesting functions
// Open session. Required for every crypto operation
CK_SESSION_HANDLE hSession;
rv = C_OpenSession( 0, 0, NULL, NULL, &hSession );
// Set mechanism – type of crypto operation
CK_MECHANISM digestMechanism = { 0, NULL, 0 };
digestMechanism.
2 Installing HP-UX KCM

This chapter discusses the installation procedure for HPUX-KCM.

IMPORTANT: HP-UX KCM 1.0 requires approximately 1.5 MB of disk space after installation.

To install HP-UX KCM:
1. Log in as root.
2. Download HPUX-KCM from the HP Software Depot.
3. Save the HPUX-KCM depot as a local file on the target system. For example: in .depot
4. Verify the depot file on your system using the following command:
   $ swlist -d @ /tmp/HPUX-KCM.depot
5.
3 Configuring HP-UX KCM

The products integrated with HP-UX KCM must define the install-time and run-time dependency on HP-UX KCM. This helps to install and load KCM automatically along with the product dependent on HP-UX KCM.

NOTE:
• Before loading HPUX-KCM modules, ensure that /stand/current/mod and /etc directories are accessible.
• HPUX-KCM modules cannot be loaded as a static module as this is not a valid FIPS mode of operation.
4 Troubleshooting

This chapter explains some of the problem scenarios that you might encounter while working with HP-UX KCM.

General guidelines to troubleshoot HPUX-KCM

At the time of this release there are no issues reported with HPUX-KCM. If any error occurs, HPUX-KCM logs the message into the syslog file. All log messages from HPUX-KCM are prefixed with one of libkcm_core>, libkcm_pkcs11>, or libkcm_nonfips>.
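The following shell helper is an added example, not part of the HP guide: it summarises HPUX-KCM messages in a syslog file by the three prefixes listed above, giving a count and the most recent message for each. The function names and the sample log lines are constructed for illustration; on a live system you would pass the syslog file path (assumed here to be /var/adm/syslog/syslog.log, the usual HP-UX location).

```shell
#!/bin/sh
# Added example: triage HPUX-KCM syslog messages by component prefix.
# kcm_log_summary and kcm_sample_log are hypothetical helper names;
# only the three prefixes come from the guide.

# Reads syslog lines from the files given as arguments (or stdin) and
# prints one line per KCM prefix: "<prefix> count=<n> last:<message>".
kcm_log_summary() {
    awk '
        {
            # Locate a KCM prefix anywhere on the line.
            if (match($0, /libkcm_(core|pkcs11|nonfips)>/)) {
                tag = substr($0, RSTART, RLENGTH - 1)   # drop trailing ">"
                count[tag]++
                last[tag] = substr($0, RSTART + RLENGTH)
            }
        }
        END {
            n = split("libkcm_core libkcm_pkcs11 libkcm_nonfips", order, " ")
            for (i = 1; i <= n; i++) {
                t = order[i]
                extra = ""
                if (t in last) extra = " last:" last[t]
                printf "%s count=%d%s\n", t, count[t] + 0, extra
            }
        }
    ' "$@"
}

# Constructed sample input (not real HPUX-KCM output).
kcm_sample_log() {
    cat <<'EOF'
Mar  4 10:15:02 host1 vmunix: libkcm_core> constructed sample message A
Mar  4 10:15:03 host1 vmunix: libkcm_pkcs11> constructed sample message B
Mar  4 10:15:09 host1 vmunix: unrelated kernel message
Mar  4 10:16:11 host1 vmunix: libkcm_core> constructed sample message C
EOF
}

# Demonstration on the constructed sample; on a real host:
#   kcm_log_summary /var/adm/syslog/syslog.log
kcm_sample_log | kcm_log_summary
```

A non-zero count for any prefix identifies which KCM component logged an error and gives the latest message to include when contacting support.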
5 Removing HP-UX KCM

This chapter discusses the procedure to remove HP-UX KCM.

To remove HPUX-KCM:
1. Verify whether HPUX-KCM is already installed by running the following command:
   swlist -l bundle | grep -i kcm
   If HPUX-KCM is already installed on the system, a message similar to the following is displayed:
   HPUX-KCM A.01.00.00 HP-UX Kernel Cryptographic Module
2.
6 Support and other resources

Information to collect before contacting HP

Be sure to have the following information available before you contact HP:
• Software product name
• Hardware product model number
• Operating system type and version
• Applicable error message
• Third-party hardware or software
• Technical support registration number (if applicable)

How to contact HP

Use the following methods to contact HP technical support:
• See the Contact HP worldwide website
• Use the GET HELP FRO
Typographic conventions

The following conventions are used in this document:
Book title: The title of a book. On the web, this can be a hyperlink to the book itself.
Command: A command name or command phrase, for example ls -a.
[]: Optional content in syntax.
{}: Required content in syntax.
|: Character that separates items in a list of choices.
...: Indication that the preceding element can be repeated one or more times.
Glossary

HP-UX Kernel Cryptographic Module (HP-UX KCM)
Public-Key Cryptography Standards (PKCS)
SO: A Security Officer user.