Strong Cryptography in Solaris Zone

Question

I'm trying to setup a Kerberos KDC on a Solaris zone but ran into a bit of a problem with the Cryptographic Framework on Solaris 10

even though the packages for strong encryption (SUNWcry & SUNWcryr) are installed the stronger keys seem only to be available in the global zone:

Global-Zone:

# encrypt -l
Algorithm       Keysize:  Min   Max (bits)
------------------------------------------
aes                       128   256
arcfour                     8  2048
des                        64    64
3des                      128   192

Nonglobal-Zone:

# encrypt -l
Algorithm       Keysize:  Min   Max (bits)
------------------------------------------
aes                       128   128
arcfour                     8   128
des                        64    64
3des                      128   192

"cryptoadm list" gives the same list of providers on the global and non-global zone.

Has anyone an Idea how I can enable the stronger keys on the non-global zone? Or maybe if this is actually by design?

I've seen the issue on Solaris 10 Updates 8,9 and 10. Only on Solaris 11 11/11 it seems to be gone, but Solaris 11 is not yet an option in this setup.

Has anyone here ever done a KDC setup in a Solaris Zone? and maybe has some good pointers of how to automatically (at least as much as possible) setup Kerberos Clients? — Marcel G, Jan 27 '12 at 12:30

score 1 · Accepted Answer · answered Jan 31 '12 at 12:39

I got a solution: (provided by Oracle Support)

This is apparently a bug in the packaging of SUNWcry/SUNWcryr, which can not be fixed during the Solaris 10 release cycle (as said before it is fixed for me on Solaris 11).

Bug report examples: 6534506, 6759852

Workaround:

replace pkcs11_softtoken with pkcs11_softtoken_extra in cryptoadm

(within the zone)

# cryptoadm disable provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so mechanism=all
# cryptoadm enable provider=/usr/lib/security/\$ISA/pkcs11_softtoken_extra.so mechanism=all

NOTE:

If the second command failed with an error no such file or directory, then you can do the alternate procedure:

(within the zone)

# cryptoadm disable provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so mechanism=all
# vi /etc/crypto/pkcs11.conf

Change the:

/usr/lib/security/$ISA/pkcs11_softtoken.so:enabledlist=

To:

/usr/lib/security/$ISA/pkcs11_softtoken_extra.so

Save the file and run:

# encrypt -l
Algorithm       Keysize:  Min   Max (bits)
------------------------------------------
aes                       128   256
arcfour                     8  2048
des                        64    64
3des                      128   192

you should now be good to go.

Strong Cryptography in Solaris Zone

1 Answers1

Workaround:

NOTE:

Linked