This document describes how to install, configure, and troubleshoot HPUX-KCM on HP-UX 11i v3 platforms. It is intended for
system and network administrators who have knowledge of operating system concepts, commands, and configuration.
HP Part Number: 5900-3288
Published: October 2013
Edition: 1
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial
Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under
vendor's standard commercial license.
The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express
warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall
not be liable for technical or editorial errors or omissions contained herein.
The HP-UX Kernel Cryptographic Module ( HP-UX KCM ) is a common cryptographic library in
HP-UX Kernel. It is a library of core cryptographic algorithms, which are used by HP-UX Kernel
products.
HP-UX KCM implements FIPS 140-2 compliant algorithms for commonly used cryptographic
operations such as data encryption/decryption, sign/verify, digest, HMAC, and random number
generation.
HP-UX KCM is available in HP-UX Kernel as a dynamically loadable library with well-defined
interfaces to invoke the crypto functions. This helps to bring modularity and standardization in the
usage of crypto algorithms across the HP-UX Kernel products. HP-UX KCM is available on HP
Integrity platform running HP-UX 11iv3.
HP-UX KCM is undergoing FIPS 140-2 Level 1 validation and is currently in NIST Review Pending
state.
The interfaces supported by the library follows RSA Security Inc. PKCS#11 V.2.20 specification.
For more information on PKCS, see PKCS #11 v2.20: Cryptographic Token Interface Standard
document.
NOTE:This link will take you outside the Hewlett-Packard (HP) Web site. HP does not control
and is not responsible for information outside of HP.com.
Supported configuration
The supported configuration for HPUX-KCM is HP-UX 11i v3 for HP Integrity Servers.
Features provided in this release
This section discusses the new features available in the HP-UX KCM version 1.0.
The table below lists the FIPS 140-2 compliant algorithms, key lengths, modes, and operations
Digest operations (FIPS 180-3 compliant)Digest256, 384, and 512SHA-2
Key-Hash Message Authentication Code
(HMAC)
NIST SP800-90A compliant DRBGGenerate randomRNG
HP-UX KCM also implements the following algorithms, which are required for supportability purposes
even though they are not FIPS 140-2 compliant.
AES
4Overview
128, 192, and 256
Mode: CFB
PurposeOperationsKey sizeNon FIPS algo
Symmetric key operationsGenerate, Encrypt, and
Decrypt
1024 and 1536RSA
Verify, Wrap key, and
Unwrap key
Asymmetric key operationsGenerate key pair, Sign,
Digest operationsDigest160SHA-1
The interfaces supported by the library follows RSA Security Inc. PKCS#11 V.2.20 specification.
For more information see, PKCS#11 specifications document.
PKCS #11 API considerations
Following are the API considerations for PKCS#11:
•In PKCS#11 terminology, KCM is a soft token used for software implementation. Hardware
related functions, data types, and features are not implemented by default.
•There is only one conceptual slot with slotID=0 and conceptual token is assumed to be present
in the slot.
•KCM does not store public or private token objects such as keys/certificates. Following are
the ramifications of this consideration:
◦KCM does not implement PIN related functions or functions that require PIN (For example,
C_Login) specified by PKCS#11.
◦Session type will be R/W user functions by default. There is no distinction between R/O
and R/W session types.
◦No distinction is made between user session and SO session. The user is considered as
logged in by default at the point of opening a session and logged out when the session
is closed.
Digest (with key)160HMAC-SHA1
Key-Hash Message Authentication Code
(HMAC)
•KCM implements CK_RV type functions and does not support CK_NOTIFY type. Hence it does
not support callback functions and events.
•Multiple thread access to a single PKCS#11 session is not supported.
•There will be limited support for objects and object related functions as per the scope of APIs
implemented by KCM. They are used only to invoke KCM supported PKCS#11 functions and
retrieve the data returned by functions.
•Table 1 (page 5) describes the mechanisms supported by HPUX-KCM.
Table 1 Mechanisms supported by HPUX-KCM
FunctionsMechanism
Encrypt
and
Decrypt
Sign
and
Verify
VR
1
DigestSR and
Gen Key or
Key Pair
√CKM_RSA_PKCS_KEY_PAIR_GEN
and
Unwrap
√√√CKM_RSA_PKCS
DeriveWrap
√CKM_SHA256_RSA_PKCS
√CKM_SHA384_RSA_PKCS
PKCS #11 API considerations5
Table 1 Mechanisms supported by HPUX-KCM (continued)
FunctionsMechanism
√CKM_SHA512_RSA_PKCS
√CKM_AES_KEY_GEN
√CKM_AES_CBC
√CKM_SHA_1
√CKM_SHA256
√CKM_SHA384
√CKM_SHA512
√CKM_SHA_1_HMAC
√CKM_SHA256_HMAC
√CKM_SHA384_HMAC
√CKM_SHA512_HMAC
•HPUX-KCM implements the following PKCS#11 APIs, which are relevant for the cryptographic
functions supported by KCM. Table 2 (page 6) lists the functions supported by KCM.
6.Install HPUX-KCM using an interactive swinstall session or the following swinstall
command:
$ swinstall -s /tmp/HPUX-KCM.depot HPUX-KCM
The swinstall utility will install the HPUX-KCM components.
7.Verify the installation using the following command:
$ swverify HPUX-KCM
If HPUX-KCM is installed correctly on the system, the swverify command will include the
following text in the data it reports:
* Verification succeeded
9
3 Configuring HP-UX KCM
The products integrated with HP-UX KCM must define the install-time and run-time dependency on
HP-UX KCM. This helps to install and load KCM automatically along with the product dependent
on HP-UX KCM.
NOTE:
•Before loading HPUX-KCM modules, ensure that /stand/current/mod and /etc directories
are accessible.
•HPUX-KCM modules cannot be loaded as a static module as this is not a valid FIPS mode of
operation.
•In case a Kernel configuration containing KCM modules are saved (by using kconfig –s
), before loading the saved Kernel configuration, ensure that the KCM versions are consistent.
For example, HPUX-KCM 1.0 is installed in a system and the Kernel configuration is saved
as ‘backup’. Later KCM is upgraded to 2.0 on the same system. If for some reason, the
‘backup’ Kernel configuration is rebooted, then this leads to an inconsistent state as ‘backup’
contains HPUX-KCM 1.0, whereas the current installed version of HPUX-KCM is 2.0.
An example of defining dependency on HPUX-KCM is given below:
Install-time dependency:
This chapter explains some of the problem scenarios that you might encounter while working with
the HP-UX KCM.
General guidelines to troubleshoot HPUX-KCM
At the time of this release there are no issues reported with HPUX-KCM.
If any error occurs, HPUX-KCM logs the message into the syslog file. All the log messages by
HPUX-KCM are prefixed with either libkcm_core> or libkcm_pkcs11> or libkcm_nonfips>.
To verify the errors reported by HPUX-KCM, run the command:
grep libkcm_ /var/adm/syslog/syslog.log
11
5 Removing HP-UX KCM
This chapter discusses the procedure to remove HP-UX KCM.
To remove HPUX-KCM:
1.Verify whether HPUX-KCM is already installed by running the following command:
swlist –l bundle | grep –i kcm
If HPUX-KCM is already installed on the system, a message similar to the following is displayed:
2.Remove HPUX-KCM by running the following command:
swremove HPUX-KCM
12Removing HP-UX KCM
6 Support and other resources
Information to collect before contacting HP
Be sure to have the following information available before you contact HP:
•Software product name
•Hardware product model number
•Operating system type and version
•Applicable error message
•Third-party hardware or software
•Technical support registration number (if applicable)
How to contact HP
Use the following methods to contact HP technical support:
•See the Contact HP worldwide website
•Use the GET HELP FROM HP link on the
HP Support Center website.
•In the United States, call +1 800 334 5144 to contact HP by telephone. This service is available
24 hours a day, 7 days a week. For continuous quality improvement, conversations might be
recorded or monitored.
Documentation feedback
HP welcomes your feedback. To make comments and suggestions about product documentation,
send a message to:
docsfeedback@hp.com
Include the document title and part number in your message. All submissions become the property
of HP.
Information to collect before contacting HP13
Typographic conventions
The following conventions are used in this document:
Book titleThe title of a book. On the web, this can be a hyperlink to the book itself.
CommandA command name or command phrase, for example ls -a.
[ ]Optional content in syntax.
{ }Required content in syntax.
|Character that separates items in a list of choices.
...Indication that the preceding element can be repeated one or more times.
WARNINGAn alert that calls attention to important information that if not understood or
followed can result in personal injury.
CAUTIONAn alert that calls attention to important information that if not understood or
followed can result in data loss, data corruption, or damage to hardware or
software.
IMPORTANTAn alert that calls attention to essential information.
NOTEAn alert that contains additional or supplementary information.
14Support and other resources
Index
A
API considerations, 5
H
HP-UX Kernel Cryptographic Module (HP-UX KCM), 4
S
Sample code, 7
T
Typographic conventions, 14
15
Glossary
HP-UX Kernel
Cryptographic
Module (HP-UX
KCM)
Public-Key
Cryptography
Standards (PKCS)
SO: A Security
Officer user.
SR: Sign Recover
VR: Verify Recover
16Glossary
Loading...
+ hidden pages
You need points to download manuals.
1 point = 1 manual.
You can buy points or you can get point for every manual you upload.