index.rst (45151B)
1 .. _mozilla_projects_nss_tools_nss_tools_modutil: 2 3 NSS Tools modutil 4 ================= 5 6 .. _using_the_security_module_database_(modutil): 7 8 `Using the Security Module Database (modutil) <#using_the_security_module_database_(modutil)>`__ 9 ------------------------------------------------------------------------------------------------ 10 11 .. container:: 12 13 Newsgroup: `mozilla.dev.tech.crypto <news://news.mozilla.org/mozilla.dev.tech.crypto>`__ 14 The Security Module Database Tool is a command-line utility for managing PKCS #11 module 15 information within ``secmod.db`` files or within hardware tokens. You can use the tool to add and 16 delete PKCS #11 modules, change passwords, set defaults, list module contents, enable or disable 17 slots, enable or disable FIPS 140-2 compliance, and assign default providers for cryptographic 18 operations. This tool can also create ``key3.db``, ``cert8.db``, and ``secmod.db`` security 19 database files. 20 21 The tasks associated with security module database management are part of a process that 22 typically also involves managing key databases (``key3.db`` files) and certificate databases 23 (``cert8.db`` files). The key, certificate, and PKCS #11 module management process generally 24 begins with creating the keys and key database necessary to generate and manage certificates and 25 the certificate database. This document discusses security module database management. For 26 information on certificate database and key database management, see `Using the Certificate 27 Database Tool <certutil.html>`__. 28 29 .. _availability_2: 30 31 ` <#availability_2>`__ Availability 32 ----------------------------------- 33 34 .. container:: 35 36 This tool is known to build on Solaris 2.5.1 (SunOS 5.5.1) and Windows NT 4.0. 37 38 .. _syntax_2: 39 40 ` <#syntax_2>`__ Syntax 41 ----------------------- 42 43 .. container:: 44 45 To run the Security Module Database Tool, type the command 46 ``modutil``\ *option*\ ``[``\ *arguments*\ ``]`` where *option* and *arguments* are combinations 47 of the options and arguments listed in the following section. Each command takes one option. Each 48 option may take zero or more arguments. To see a usage string, issue the command without options. 49 50 .. _options_and_arguments: 51 52 `Options and Arguments <#options_and_arguments>`__ 53 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 54 55 .. container:: 56 57 Options specify an action. Option arguments modify an action. The options and arguments for the 58 ``modutil`` command are defined as follows: 59 60 +-------------------------------------------------+-------------------------------------------------+ 61 | **Options** | | 62 +-------------------------------------------------+-------------------------------------------------+ 63 | ``-create`` | Create new ``secmod.db``, ``key3.db``, and | 64 | | ``cert8.db`` files. Use the ``-dbdir`` | 65 | | *directory* argument to specify a directory. If | 66 | | any of these databases already exist in a | 67 | | specified directory, the Security Module | 68 | | Database Tool displays an error message. | 69 +-------------------------------------------------+-------------------------------------------------+ 70 | ``-list [``\ *modulename*\ ``]`` | Display basic information about the contents of | 71 | | the ``secmod.db`` file. Use *modulename* to | 72 | | display detailed information about a particular | 73 | | module and its slots and tokens. | 74 +-------------------------------------------------+-------------------------------------------------+ 75 | ``-add``\ *modulename* | Add the named PKCS #11 module to the database. | 76 | | Use this option with the ``-libfile``, | 77 | | ``-ciphers``, and ``-mechanisms`` arguments. | 78 +-------------------------------------------------+-------------------------------------------------+ 79 | ``-jar``\ *JAR-file* | Add a new PKCS #11 module to the database using | 80 | | the named JAR file. Use this option with the | 81 | | ``-installdir`` and ``-tempdir`` arguments. The | 82 | | JAR file uses the Netscape Server PKCS #11 JAR | 83 | | format to identify all the files to be | 84 | | installed, the module's name, the mechanism | 85 | | flags, and the cipher flags. The JAR file | 86 | | should also contain any files to be installed | 87 | | on the target machine, including the PKCS #11 | 88 | | module library file and other files such as | 89 | | documentation. See the section `JAR | 90 | | Installation File <modutil.html#1043224>`__ for | 91 | | information on creating the special script | 92 | | needed to perform an installation through a | 93 | | server or with the Security Module Database | 94 | | Tool (that is, in environments without | 95 | | JavaScript support). For general installation | 96 | | instructions and to install a module in | 97 | | environments where JavaScript support is | 98 | | available (as in Netscape Communicator), see | 99 | | the document `Using the JAR Installation | 100 | | Manager to Install a PKCS #11 Cryptographic | 101 | | Module <http://developer.netscape.co | 102 | | m/docs/manuals/security/jmpkcs/jimpkcs.htm>`__. | 103 +-------------------------------------------------+-------------------------------------------------+ 104 | ``-delete``\ *modulename* | Delete the named module. Note that you cannot | 105 | | delete the Netscape Communicator internal PKCS | 106 | | #11 module. | 107 +-------------------------------------------------+-------------------------------------------------+ 108 | ``-changepw``\ *tokenname* | Change the password on the named token. If the | 109 | | token has not been initialized, this option | 110 | | initializes the password. Use this option with | 111 | | the ``-pwfile`` and ``-newpwfile`` arguments. | 112 | | In this context, the term "password" is | 113 | | equivalent to a personal identification number | 114 | | (PIN). | 115 +-------------------------------------------------+-------------------------------------------------+ 116 | ``-default``\ *modulename* | Specify the security mechanisms for which the | 117 | | named module will be a default provider. The | 118 | | security mechanisms are specified with the | 119 | | ``-mechanisms`` *mechanism-list* argument. | 120 +-------------------------------------------------+-------------------------------------------------+ 121 | ``-undefault``\ *modulename* | Specify the security mechanisms for which the | 122 | | named module will *not* be a default provider. | 123 | | The security mechanisms are specified with | 124 | | the\ ``-mechanisms`` *mechanism-list* argument. | 125 +-------------------------------------------------+-------------------------------------------------+ 126 | ``-enable``\ *modulename* | Enable all slots on the named module. Use the | 127 | | ``[-slot``\ *slotname*\ ``]``\ argument to | 128 | | enable a specific slot. | 129 +-------------------------------------------------+-------------------------------------------------+ 130 | ``-disable``\ *modulename* | Disable all slots on the named module. Use the | 131 | | ``[-slot``\ *slotname*\ ``]``\ argument to | 132 | | disable a specific slot. | 133 +-------------------------------------------------+-------------------------------------------------+ 134 | ``-fips [true | false]`` | Enable (``true``) or disable (``false``) FIPS | 135 | | 140-2 compliance for the Netscape Communicator | 136 | | internal module. | 137 +-------------------------------------------------+-------------------------------------------------+ 138 | ``-force`` | Disable the Security Module Database Tool's | 139 | | interactive prompts so it can be run from a | 140 | | script. Use this option only after manually | 141 | | testing each planned operation to check for | 142 | | warnings and to ensure that bypassing the | 143 | | prompts will cause no security lapses or loss | 144 | | of database integrity. | 145 +-------------------------------------------------+-------------------------------------------------+ 146 | **Arguments** | | 147 +-------------------------------------------------+-------------------------------------------------+ 148 | ``-dbdir``\ *directory* | Specify the database directory in which to | 149 | | access or create security module database | 150 | | files. On Unix, the Security Module Database | 151 | | Tool defaults to the user's Netscape directory. | 152 | | Windows NT has no default directory, so | 153 | | ``-dbdir`` must be used to specify a directory. | 154 +-------------------------------------------------+-------------------------------------------------+ 155 | ``-dbprefix`` *prefix* | Specify the prefix used on the ``cert8.db`` and | 156 | | ``key3.db`` files (for example, ``my_cert8.db`` | 157 | | and ``my_key3.db``). This option is provided as | 158 | | a special case. Changing the names of the | 159 | | certificate and key databases is not | 160 | | recommended. | 161 +-------------------------------------------------+-------------------------------------------------+ 162 | ``-libfile``\ *library-file* | Specify a path to the DLL or other library file | 163 | | containing the implementation of the PKCS #11 | 164 | | interface module that is being added to the | 165 | | database. | 166 +-------------------------------------------------+-------------------------------------------------+ 167 | ``-ciphers``\ *cipher-enable-list* | Enable specific ciphers in a module that is | 168 | | being added to the database. The | 169 | | *cipher-enable-list* is a colon-delimited list | 170 | | of cipher names. Enclose this list in quotation | 171 | | marks if it contains spaces. The following | 172 | | cipher is currently available: ``FORTEZZA``. | 173 +-------------------------------------------------+-------------------------------------------------+ 174 | ``-mechanisms``\ *mechanism-list* | Specify the security mechanisms for which a | 175 | | particular module will be flagged as a default | 176 | | provider. The *mechanism-list* is a | 177 | | colon-delimited list of mechanism names. | 178 | | Enclose this list in quotation marks if it | 179 | | contains spaces. The module becomes a default | 180 | | provider for the listed mechanisms when those | 181 | | mechanisms are enabled. If more than one module | 182 | | claims to be a particular mechanism's default | 183 | | provider, that mechanism's default provider is | 184 | | undefined. The following mechanisms are | 185 | | currently available: ``RSA``, ``DSA``, ``RC2``, | 186 | | ``RC4``, ``RC5``, ``DES``, ``DH``, | 187 | | ``FORTEZZA``, ``SHA1``, ``MD5``, ``MD2``, | 188 | | ``RANDOM`` (for random number generation), and | 189 | | ``FRIENDLY`` (meaning certificates are publicly | 190 | | readable). | 191 +-------------------------------------------------+-------------------------------------------------+ 192 | ``-installdir``\ *root-installation-directory* | Specify the root installation directory | 193 | | relative to which files will be installed by | 194 | | the ``-jar`` *JAR-file* option. This directory | 195 | | should be one below which it is appropriate to | 196 | | store dynamic library files (for example, a | 197 | | server's root directory or the Netscape | 198 | | Communicator root directory). | 199 +-------------------------------------------------+-------------------------------------------------+ 200 | ``-tempdir``\ *temporary-directory* | The temporary directory is the location where | 201 | | temporary files will be created in the course | 202 | | of installation by the ``-jar`` *JAR-file* | 203 | | option. If no temporary directory is specified, | 204 | | the current directory will be used. | 205 +-------------------------------------------------+-------------------------------------------------+ 206 | ``-pwfile``\ *old-password-file* | Specify a text file containing a token's | 207 | | existing password so that a password can be | 208 | | entered automatically when the ``-changepw`` | 209 | | *tokenname* option is used to change passwords. | 210 +-------------------------------------------------+-------------------------------------------------+ 211 | ``-newpwfile``\ *new-password-file* | Specify a text file containing a token's new or | 212 | | replacement password so that a password can be | 213 | | entered automatically with the ``-changepw`` | 214 | | *tokenname* option. | 215 +-------------------------------------------------+-------------------------------------------------+ 216 | ``-slot``\ *slotname* | Specify a particular slot to be enabled or | 217 | | disabled with the ``-enable`` *modulename* or | 218 | | ``-disable`` *modulename* options. | 219 +-------------------------------------------------+-------------------------------------------------+ 220 | -nocertdb | Do not open the certificate or key databases. | 221 | | This has several effects: | 222 | | | 223 | | - With the ``-create`` command, only a | 224 | | ``secmod.db`` file will be created; | 225 | | ``cert8.db`` and ``key3.db`` will not be | 226 | | created. | 227 | | - With the ``-jar`` command, signatures on the | 228 | | JAR file will not be checked. | 229 | | - With the ``-changepw`` command, the password | 230 | | on the Netscape internal module cannot be | 231 | | set or changed, since this password is | 232 | | stored in ``key3.db``. | 233 +-------------------------------------------------+-------------------------------------------------+ 234 235 .. _usage_2: 236 237 ` <#usage_2>`__ Usage 238 --------------------- 239 240 .. container:: 241 242 The Security Module Database Tool's capabilities are grouped as follows, using these combinations 243 of options and arguments. The options and arguments in square brackets are optional, those 244 without square brackets are required. 245 246 - Creating a set of security management database files (``key3.db``, ``cert8.db``, and 247 ``secmod.db``): 248 249 ``-create`` 250 251 - Displaying basic module information or detailed information about the contents of a given 252 module: 253 254 ``-list [``\ *modulename*\ ``]`` 255 256 - Adding a PKCS #11 module, which includes setting a supporting library file, enabling ciphers, 257 and setting default provider status for various security mechanisms: 258 259 ``-add``\ *modulename*\ ``-libfile``\ *library-file* 260 ``[-ciphers``\ *cipher-enable-list*\ ``] [-mechanisms``\ *mechanism-list*\ ``]`` 261 262 - Adding a PKCS #11 module from an existing JAR file: 263 264 ``-jar``\ *JAR-file* ``-installdir``\ *root-installation-directory* 265 ``[-tempdir``\ *temporary-directory*\ ``]`` 266 267 - Deleting a specific PKCS #11 module from a security module database: 268 269 ``-delete``\ *modulename* 270 271 - Initializing or changing a token's password: 272 273 ``-changepw``\ *tokenname* 274 ``[-pwfile``\ *old-password-file*\ ``] [-newpwfile``\ *new-password-file*\ ``]`` 275 276 - Setting the default provider status of various security mechanisms in an existing PKCS #11 277 module: 278 279 ``-default``\ *modulename* ``-mechanisms``\ *mechanism-list* 280 281 - Clearing the default provider status of various security mechanisms in an existing PKCS #11 282 module: 283 284 ``-undefault``\ *modulename* ``-mechanisms``\ *mechanism-list* 285 286 - Enabling a specific slot or all slots within a module: 287 288 ``-enable``\ *modulename* ``[-slot``\ *slotname*\ ``]`` 289 290 - Disabling a specific slot or all slots within a module: 291 292 ``-disable``\ *modulename* ``[-slot``\ *slotname*\ ``]`` 293 294 - Enabling or disabling FIPS 140-2 compliance within the Netscape Communicator internal module: 295 296 ``-fips [true | false]`` 297 298 - Disabling interactive prompts for the Security Module Database Tool, to support scripted 299 operation: 300 301 ``-force`` 302 303 .. _jar_installation_file: 304 305 `JAR Installation File <#jar_installation_file>`__ 306 -------------------------------------------------- 307 308 .. container:: 309 310 When a JAR file is run by a server, by the Security Module Database Tool, or by any program that 311 does not interpret JavaScript, a special information file must be included in the format 312 described below. This information file contains special scripting and must be declared in the JAR 313 archive's manifest file. The script can have any name. The metainfo tag for this is 314 ``Pkcs11_install_script``. To declare meta-information in the manifest file, put it in a file 315 that is passed to the `Netscape Signing 316 Tool <http://developer.netscape.com/docs/manuals/signedobj/signtool/index.htm>`__. 317 318 .. _sample_script: 319 320 `Sample Script <#sample_script>`__ 321 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 322 323 .. container:: 324 325 For example, the PKCS #11 installer script could be in the file ``pk11install.`` If so, the 326 metainfo file for the `Netscape Signing 327 Tool <http://developer.netscape.com/docs/manuals/signedobj/signtool/index.htm>`__ would include a 328 line such as this: 329 .. code:: 330 331 + Pkcs11_install_script: pk11install 332 333 The sample script file could contain the following: 334 .. code:: 335 336 ForwardCompatible { IRIX:6.2:mips SUNOS:5.5.1:sparc } 337 Platforms { 338 WINNT::x86 { 339 ModuleName { "Fortezza Module" } 340 ModuleFile { win32/fort32.dll } 341 DefaultMechanismFlags{0x0001} 342 DefaultCipherFlags{0x0001} 343 Files { 344 win32/setup.exe { 345 Executable 346 RelativePath { %temp%/setup.exe } 347 } 348 win32/setup.hlp { 349 RelativePath { %temp%/setup.hlp } 350 } 351 win32/setup.cab { 352 RelativePath { %temp%/setup.cab } 353 } 354 } 355 } 356 WIN95::x86 { 357 EquivalentPlatform {WINNT::x86} 358 } 359 SUNOS:5.5.1:sparc { 360 ModuleName { "Fortezza UNIX Module" } 361 ModuleFile { unix/fort.so } 362 DefaultMechanismFlags{0x0001} 363 CipherEnableFlags{0x0001} 364 Files { 365 unix/fort.so { 366 RelativePath{%root%/lib/fort.so} 367 AbsolutePath{/usr/local/netscape/lib/fort.so} 368 FilePermissions{555} 369 } 370 xplat/instr.html { 371 RelativePath{%root%/docs/inst.html} 372 AbsolutePath{/usr/local/netscape/docs/inst.html} 373 FilePermissions{555} 374 } 375 } 376 } 377 IRIX:6.2:mips { 378 EquivalentPlatform { SUNOS:5.5.1:sparc } 379 } 380 } 381 382 .. _script_grammar: 383 384 `Script Grammar <#script_grammar>`__ 385 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 386 387 .. container:: 388 389 The script file grammar is as follows: 390 .. code:: 391 392 --> valuelist 393 394 .. code:: 395 396 valuelist --> value valuelist 397 <null> 398 399 .. code:: 400 401 value ---> key_value_pair 402 string 403 404 .. code:: 405 406 key_value_pair --> key { valuelist } 407 408 .. code:: 409 410 key --> string 411 412 .. code:: 413 414 string --> simple_string 415 "complex_string" 416 417 .. code:: 418 419 simple_string --> [^ \t\n\""{""}"]+ 420 (No whitespace, quotes, or braces.) 421 422 .. code:: 423 424 complex_string --> ([^\"\\\r\n]|(\\\")|(\\\\))+ (Quotes and 425 backslashes must be escaped with a backslash. A complex string must not 426 include newlines or carriage returns.) 427 428 Outside of complex strings, all white space (for example, spaces, tabs, and carriage returns) is 429 considered equal and is used only to delimit tokens. 430 431 `Keys <#keys>`__ 432 ~~~~~~~~~~~~~~~~ 433 434 .. container:: 435 436 Keys are case-insensitive. This section discusses the following keys: `Global 437 Keys <modutil.html#1042778>`__ 438 `Per-Platform Keys <modutil.html#1040459>`__ 439 `Per-File Keys <modutil.html#1040510>`__ 440 .. rubric:: Global Keys 441 :name: global_keys 442 443 ``ForwardCompatible`` Gives a list of platforms that are forward compatible. If the current 444 platform cannot be found in the list of supported platforms, then the ``ForwardCompatible`` list 445 is checked for any platforms that have the same OS and architecture in an earlier version. If one 446 is found, its attributes are used for the current platform. ``Platforms`` (required) Gives a list 447 of platforms. Each entry in the list is itself a key-value pair: the key is the name of the 448 platform and the value list contains various attributes of the platform. The ``ModuleName``, 449 ``ModuleFile``, and ``Files`` attributes must be specified for each platform unless an 450 ``EquivalentPlatform`` attribute is specified. The platform string is in the following format: 451 *system name*\ ``:``\ *OS release*\ ``:``\ *architecture*. The installer obtains these values 452 from NSPR. *OS release* is an empty string on non-Unix operating systems. The following system 453 names and platforms are currently defined by NSPR: 454 455 - AIX (rs6000) 456 - BSDI (x86) 457 - FREEBSD (x86) 458 - HPUX (hppa1.1) 459 - IRIX (mips) 460 - LINUX (ppc, alpha, x86) 461 - MacOS (PowerPC) 462 - NCR (x86) 463 - NEC (mips) 464 - OSF (alpha) 465 - SOLARIS (sparc) 466 - SONY (mips) 467 - SUNOS (sparc) 468 - WINNT (x86) 469 470 Here are some examples of valid platform strings: 471 .. code:: 472 473 IRIX:6.2:mips 474 SUNOS:5.5.1:sparc 475 Linux:2.0.32:x86 476 WIN95::x86. 477 478 .. rubric:: Per-Platform Keys 479 :name: per-platform_keys 480 481 These keys have meaning only within the value list of an entry in the ``Platforms`` list. 482 ``ModuleName`` (required) Gives the common name for the module. This name will be used to 483 reference the module from Netscape Communicator, the Security Module Database tool (``modutil``), 484 servers, or any other program that uses the Netscape security module database. ``ModuleFile`` 485 (required) Names the PKCS #11 module file (DLL or ``.so``) for this platform. The name is given 486 as the relative path of the file within the JAR archive. ``Files`` (required) Lists the files 487 that need to be installed for this module. Each entry in the file list is a key-value pair: the 488 key is the path of the file in the JAR archive, and the value list contains attributes of the 489 file. At least ``RelativePath`` or ``AbsolutePath`` must be specified for each file. 490 ``DefaultMechanismFlags`` Specifies mechanisms for which this module will be a default provider. 491 This key-value pair is a bitstring specified in hexadecimal (0x) format. It is constructed as a 492 bitwise OR of the following constants. If the ``DefaultMechanismFlags`` entry is omitted, the 493 value defaults to 0x0. 494 .. code:: 495 496 RSA: 0x00000001 497 DSA: 0x00000002 498 RC2: 0x00000004 499 RC4: 0x00000008 500 DES: 0x00000010 501 DH: 0x00000020 502 FORTEZZA: 0x00000040 503 RC5: 0x00000080 504 SHA1: 0x00000100 505 MD5: 0x00000200 506 MD2: 0x00000400 507 RANDOM: 0x08000000 508 FRIENDLY: 0x10000000 509 OWN_PW_DEFAULTS: 0x20000000 510 DISABLE: 0x40000000 511 512 ``CipherEnableFlags`` Specifies ciphers that this module provides but Netscape Communicator does 513 not, so that Communicator can enable them. This key is a bitstring specified in hexadecimal (0x) 514 format. It is constructed as a bitwise OR of the following constants. If the 515 ``CipherEnableFlags`` entry is omitted, the value defaults to 0x0. 516 .. code:: 517 518 FORTEZZA: 0x0000 0001 519 520 ``EquivalentPlatform`` Specifies that the attributes of the named platform should also be used 521 for the current platform. Saves typing when there is more than one platform using the same 522 settings. 523 .. rubric:: Per-File Keys 524 :name: per-file_keys 525 526 These keys have meaning only within the value list of an entry in a ``Files`` list. At least one 527 of ``RelativePath`` and ``AbsolutePath`` must be specified. If both are specified, the relative 528 path is tried first, and the absolute path is used only if no relative root directory is provided 529 by the installer program. ``RelativePath`` Specifies the destination directory of the file, 530 relative to some directory decided at install time. Two variables can be used in the relative 531 path: "``%root%``" and "``%temp%``". "``%root%``" is replaced at run time with the directory 532 relative to which files should be installed; for example, it may be the server's root directory 533 or the Netscape Communicator root directory. The "``%temp%``" directory is created at the 534 beginning of the installation and destroyed at the end. The purpose of "``%temp%``" is to hold 535 executable files (such as setup programs) or files that are used by these programs. For example, 536 a Windows installation might consist of a ``setup.exe`` installation program, a help file, and a 537 ``.cab`` file containing compressed information. All these files could be installed in the 538 temporary directory. Files destined for the temporary directory are guaranteed to be in place 539 before any executable file is run; they are not deleted until all executable files have finished. 540 ``AbsolutePath`` Specifies the destination directory of the file as an absolute path. If both 541 ``RelativePath`` and ``AbsolutePath`` are specified, the installer attempts to use the relative 542 path; if it is unable to determine a relative path, it uses the absolute path. ``Executable`` 543 Specifies that the file is to be executed during the course of the installation. Typically this 544 string would be used for a setup program provided by a module vendor, such as a self-extracting 545 ``setup.exe``. More than one file can be specified as executable, in which case the files are run 546 in the order in which they are specified in the script file. ``FilePermissions`` Interpreted as a 547 string of octal digits, according to the standard Unix format. This string is a bitwise OR of the 548 following constants: 549 .. code:: 550 551 user read: 0400 552 user write: 0200 553 user execute: 0100 554 group read: 0040 555 group write: 0020 556 group execute: 0010 557 other read: 0004 558 other write: 0002 559 other execute: 0001 560 561 Some platforms may not understand these permissions. They are applied only insofar as they make 562 sense for the current platform. If this attribute is omitted, a default of 777 is assumed. 563 564 .. _examples_2: 565 566 ` <#examples_2>`__ Examples 567 --------------------------- 568 569 .. container:: 570 571 `Creating Database Files <modutil.html#1028724>`__ 572 `Displaying Module Information <modutil.html#1034026>`__ 573 `Setting a Default Provider <modutil.html#1028731>`__ 574 `Enabling a Slot <modutil.html#1034020>`__ 575 `Enabling FIPS Compliance <modutil.html#1034010>`__ 576 `Adding a Cryptographic Module <modutil.html#1042489>`__ 577 `Installing a Cryptographic Module from a JAR File <modutil.html#1042502>`__ 578 `Changing the Password on a Token <modutil.html#1043961>`__ 579 580 .. _creating_database_files: 581 582 `Creating Database Files <#creating_database_files>`__ 583 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 584 585 .. container:: 586 587 This example creates a set of security management database files in the specified directory: 588 .. code:: 589 590 modutil -create -dbdir c:\databases 591 592 The Security Module Database Tool displays a warning: 593 .. code:: 594 595 WARNING: Performing this operation while Communicator is running could 596 cause corruption of your security databases. If Communicator is 597 currently running, you should exit Communicator before continuing this 598 operation. Type 'q <enter>' to abort, or <enter> to continue: 599 600 After you press Enter, the tool displays the following: 601 .. code:: 602 603 Creating "c:\databases\key3.db"...done. 604 Creating "c:\databases\cert8.db"...done. 605 Creating "c:\databases\secmod.db"...done. 606 607 .. _displaying_module_information: 608 609 `Displaying Module Information <#displaying_module_information>`__ 610 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 611 612 .. container:: 613 614 This example gives detailed information about the specified module: 615 .. code:: 616 617 modutil -list "Netscape Internal PKCS #11 Module" -dbdir c:\databases 618 619 The Security Module Database Tool displays information similar to this: 620 .. code:: 621 622 Using database directory c:\databases... 623 -------------------------------------------------------- 624 Name: Netscape Internal PKCS #11 Module 625 Library file: **Internal ONLY module** 626 Manufacturer: Netscape Communications Corp 627 Description: Communicator Internal Crypto Svc 628 PKCS #11 Version 2.0 629 Library Version: 4.0 630 Cipher Enable Flags: None 631 Default Mechanism Flags: RSA:DSA:RC2:RC4:DES:SHA1:MD5:MD2 632 633 .. code:: 634 635 Slot: Communicator Internal Cryptographic Services Version 4.0 636 Manufacturer: Netscape Communications Corp 637 Type: Software 638 Version Number: 4.1 639 Firmware Version: 0.0 640 Status: Enabled 641 Token Name: Communicator Generic Crypto Svcs 642 Token Manufacturer: Netscape Communications Corp 643 Token Model: Libsec 4.0 644 Token Serial Number: 0000000000000000 645 Token Version: 4.0 646 Token Firmware Version: 0.0 647 Access: Write Protected 648 Login Type: Public (no login required) 649 User Pin: NOT Initialized 650 651 .. code:: 652 653 Slot: Communicator User Private Key and Certificate Services 654 Manufacturer: Netscape Communications Corp 655 Type: Software 656 Version Number: 3.0 657 Firmware Version: 0.0 658 Status: Enabled 659 Token Name: Communicator Certificate DB 660 Token Manufacturer: Netscape Communications Corp 661 Token Model: Libsec 4.0 662 Token Serial Number: 0000000000000000 663 Token Version: 7.0 664 Token Firmware Version: 0.0 665 Access: NOT Write Protected 666 Login Type: Login required 667 User Pin: NOT Initialized 668 669 .. _setting_a_default_provider: 670 671 `Setting a Default Provider <#setting_a_default_provider>`__ 672 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 673 674 .. container:: 675 676 This example makes the specified module a default provider for the RSA, DSA, and RC2 security 677 mechanisms: 678 .. code:: 679 680 modutil -default "Cryptographic Module" -dbdir 681 c:\databases -mechanisms RSA:DSA:RC2 682 683 The Security Module Database Tool displays a warning: 684 .. code:: 685 686 WARNING: Performing this operation while Communicator is running could 687 cause corruption of your security databases. If Communicator is 688 currently running, you should exit Communicator before continuing this 689 operation. Type 'q <enter>' to abort, or <enter> to continue: 690 691 After you press Enter, the tool displays the following: 692 .. code:: 693 694 Using database directory c:\databases... 695 696 .. code:: 697 698 Successfully changed defaults. 699 700 .. _enabling_a_slot: 701 702 `Enabling a Slot <#enabling_a_slot>`__ 703 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 704 705 .. container:: 706 707 This example enables a particular slot in the specified module: 708 .. code:: 709 710 modutil -enable "Cryptographic Module" -slot 711 "Cryptographic Reader" -dbdir c:\databases 712 713 The Security Module Database Tool displays a warning: 714 .. code:: 715 716 WARNING: Performing this operation while Communicator is running could 717 cause corruption of your security databases. If Communicator is 718 currently running, you should exit Communicator before continuing this 719 operation. Type 'q <enter>' to abort, or <enter> to continue: 720 721 After you press Enter, the tool displays the following: 722 .. code:: 723 724 Using database directory c:\databases... 725 726 .. code:: 727 728 Slot "Cryptographic Reader" enabled. 729 730 .. _enabling_fips_compliance: 731 732 `Enabling FIPS Compliance <#enabling_fips_compliance>`__ 733 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 734 735 .. container:: 736 737 This example enables FIPS 140-2 compliance in Communicator's internal module: 738 .. code:: 739 740 modutil -dbdir "C:\databases" -fips true 741 742 The Security Module Database Tool displays a warning: 743 .. code:: 744 745 WARNING: Performing this operation while the browser is running could cause 746 corruption of your security databases. If the browser is currently running, 747 you should exit browser before continuing this operation. Type 748 'q <enter>' to abort, or <enter> to continue: 749 750 After you press Enter, the tool displays the following: 751 .. code:: 752 753 FIPS mode enabled. 754 755 .. _adding_a_cryptographic_module: 756 757 `Adding a Cryptographic Module <#adding_a_cryptographic_module>`__ 758 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 759 760 .. container:: 761 762 This example adds a new cryptographic module to the database: 763 .. code:: 764 765 C:\modutil> modutil -dbdir "C:\databases" -add "Cryptorific Module" - 766 libfile "C:\winnt\system32\crypto.dll" -mechanisms RSA:DSA:RC2:RANDOM 767 768 The Security Module Database Tool displays a warning: 769 .. code:: 770 771 WARNING: Performing this operation while Communicator is running could 772 cause corruption of your security databases. If Communicator is 773 currently running, you should exit Communicator before continuing this 774 operation. Type 'q <enter>' to abort, or <enter> to continue: 775 776 After you press Enter, the tool displays the following: 777 .. code:: 778 779 Using database directory C:\databases... 780 Module "Cryptorific Module" added to database. 781 C:\modutil> 782 783 .. _installing_a_cryptographic_module_from_a_jar_file: 784 785 `Installing a Cryptographic Module from a JAR File <#installing_a_cryptographic_module_from_a_jar_file>`__ 786 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 787 788 .. container:: 789 790 This example installs a cryptographic module from the following sample installation script. 791 .. code:: 792 793 Platforms { 794 WinNT::x86 { 795 ModuleName { "Cryptorific Module" } 796 ModuleFile { crypto.dll } 797 DefaultMechanismFlags{0x0000} 798 CipherEnableFlags{0x0000} 799 Files { 800 crypto.dll { 801 RelativePath{ %root%/system32/crypto.dll } 802 } 803 setup.exe { 804 Executable 805 RelativePath{ %temp%/setup.exe } 806 } 807 } 808 } 809 Win95::x86 { 810 EquivalentPlatform { Winnt::x86 } 811 } 812 } 813 814 To install from the script, use the following command. The root directory should be the Windows 815 root directory (for example, ``c:\\windows``, or ``c:\\winnt``). 816 .. code:: 817 818 C:\modutil> modutil -dbdir "c:\databases" -jar 819 install.jar -installdir "C:/winnt" 820 821 The Security Module Database Tool displays a warning: 822 .. code:: 823 824 WARNING: Performing this operation while Communicator is running could 825 cause corruption of your security databases. If Communicator is 826 currently running, you should exit Communicator before continuing this 827 operation. Type 'q <enter>' to abort, or <enter> to continue: 828 829 After you press Enter, the tool displays the following: 830 .. code:: 831 832 Using database directory c:\databases... 833 834 .. code:: 835 836 This installation JAR file was signed by: 837 ---------------------------------------------- 838 839 .. code:: 840 841 **SUBJECT NAME** 842 843 .. code:: 844 845 C=US, ST=California, L=Mountain View, CN=Cryptorific Inc., OU=Digital ID 846 Class 3 - Netscape Object Signing, OU="www.verisign.com/repository/CPS 847 Incorp. by Ref.,LIAB.LTD(c)9 6", OU=www.verisign.com/CPS Incorp.by Ref 848 . LIABILITY LTD.(c)97 VeriSign, OU=VeriSign Object Signing CA - Class 3 849 Organization, OU="VeriSign, Inc.", O=VeriSign Trust Network **ISSUER 850 NAME**, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 851 VeriSign, OU=VeriSign Object Signing CA - Class 3 Organization, 852 OU="VeriSign, Inc.", O=VeriSign Trust Network 853 ---------------------------------------------- 854 855 .. code:: 856 857 Do you wish to continue this installation? (y/n) y 858 Using installer script "installer_script" 859 Successfully parsed installation script 860 Current platform is WINNT::x86 861 Using installation parameters for platform WinNT::x86 862 Installed file crypto.dll to C:/winnt/system32/crypto.dll 863 Installed file setup.exe to ./pk11inst.dir/setup.exe 864 Executing "./pk11inst.dir/setup.exe"... 865 "./pk11inst.dir/setup.exe" executed successfully 866 Installed module "Cryptorific Module" into module database 867 868 .. code:: 869 870 Installation completed successfully 871 C:\modutil> 872 873 .. _changing_the_password_on_a_token: 874 875 `Changing the Password on a Token <#changing_the_password_on_a_token>`__ 876 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 877 878 .. container:: 879 880 This example changes the password for a token on an existing module. 881 .. code:: 882 883 C:\modutil> modutil -dbdir "c:\databases" -changepw 884 "Communicator Certificate DB" 885 886 The Security Module Database Tool displays a warning: 887 .. code:: 888 889 WARNING: Performing this operation while Communicator is running could 890 cause corruption of your security databases. If Communicator is 891 currently running, you should exit Communicator before continuing this 892 operation. Type 'q <enter>' to abort, or <enter> to continue: 893 894 After you press Enter, the tool displays the following: 895 .. code:: 896 897 Using database directory c:\databases... 898 Enter old password: 899 Incorrect password, try again... 900 Enter old password: 901 Enter new password: 902 Re-enter new password: 903 Token "Communicator Certificate DB" password changed successfully. 904 C:\modutil> 905 906 --------------