I'm trying to set up a Kerberos KDC on a Solaris zone but ran into a bit of a problem with the Cryptographic Framework on Solaris 10.
Even though the packages for strong encryption (SUNWcry & SUNWcryr) are installed, the stronger keys seem only to be available in the global zone:
Global-Zone:
# encrypt -l
Algorithm       Keysize:  Min   Max (bits)
------------------------------------------
aes                       128   256
arcfour                     8  2048
des                        64    64
3des                      128   192
Nonglobal-Zone:
# encrypt -l
Algorithm       Keysize:  Min   Max (bits)
------------------------------------------
aes                       128   128
arcfour                     8   128
des                        64    64
3des                      128   192
"cryptoadm list" gives the same list of providers on the global and non-global zone.
Has anyone an idea how I can enable the stronger keys on the non-global zone? Or is this perhaps actually by design?
I've seen the issue on Solaris 10 Updates 8, 9 and 10. Only on Solaris 11 11/11 does it seem to be gone, but Solaris 11 is not yet an option in this setup.
I got a solution (provided by Oracle Support):
This is apparently a bug in the packaging of SUNWcry/SUNWcryr, which cannot be fixed during the Solaris 10 release cycle (as said before, it is fixed for me on Solaris 11).
Bug report examples: 6534506, 6759852
Workaround:
Replace pkcs11_softtoken with pkcs11_softtoken_extra in cryptoadm
(within the zone)
NOTE:
If the second command failed with a "no such file or directory" error, then you can do the alternate procedure:
(within the zone)
Change the:
To:
Save the file and run:
You should now be good to go.
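A way to check for the key-size mismatch shown in the question, before and after applying a fix. This is an added example, not part of the original post or of Oracle's workaround. It compares two saved `encrypt -l` listings and reports every algorithm whose maximum key size is lower in the second one; the function names (`keysize_gaps`, `write_samples`) and file names are assumptions, and it expects a POSIX sh and awk.

```shell
#!/bin/sh
# Added example: report algorithms whose maximum key size in one saved
# `encrypt -l` listing is lower than in another.

# write_samples DIR: store the two listings from the post (hypothetical file names).
write_samples() {
    cat > "$1/global.txt" <<'EOF'
Algorithm       Keysize:  Min   Max (bits)
------------------------------------------
aes                       128   256
arcfour                     8  2048
des                        64    64
3des                      128   192
EOF
    cat > "$1/zone.txt" <<'EOF'
Algorithm       Keysize:  Min   Max (bits)
------------------------------------------
aes                       128   128
arcfour                     8   128
des                        64    64
3des                      128   192
EOF
}

# keysize_gaps REFERENCE CANDIDATE
# Prints "algorithm reference_max candidate_max" (or "missing") per gap.
# Exit status: 0 when the candidate matches or exceeds the reference, 1 otherwise.
keysize_gaps() {
    awk '
        # Data rows are "<algorithm> <min> <max>"; header and rule are skipped.
        NF == 3 && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
            if (FNR == NR) { ref[$1] = $3; order[++n] = $1 }
            else           { cand[$1] = $3 }
        }
        END {
            for (i = 1; i <= n; i++) {
                a = order[i]
                if (!(a in cand))                  { print a, ref[a], "missing"; bad = 1 }
                else if (cand[a] + 0 < ref[a] + 0) { print a, ref[a], cand[a]; bad = 1 }
            }
            exit bad + 0
        }
    ' "$1" "$2"
}

tmp=$(mktemp -d)
write_samples "$tmp"
keysize_gaps "$tmp/global.txt" "$tmp/zone.txt" || echo "zone is missing the stronger key sizes"
rm -rf "$tmp"
```

To use it on real systems, save the `encrypt -l` output from each zone to a file and pass the global zone's file first.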