0 Replies Latest reply: Jan 24, 2012 12:27 PM by marcel g

    Strong Cryptography in Solaris Zone

    marcel g
      I'm trying to set up a Kerberos KDC on a Solaris zone but ran into a bit of a problem with the Cryptographic Framework on Solaris 10. Even though the packages for strong encryption (SUNWcry & SUNWcryr) are installed, the stronger keys seem only to be available in the global zone:

      Global-Zone:
      # encrypt -l
      Algorithm       Keysize:  Min   Max (bits)
      ------------------------------------------
      aes                       128   256
      arcfour                     8  2048
      des                        64    64
      3des                      128   192

      Nonglobal-Zone:
      # encrypt -l
      Algorithm       Keysize:  Min   Max (bits)
      ------------------------------------------ 
      aes                       128   128
      arcfour                     8   128
      des                        64    64
      3des                      128   192

      "cryptoadm list" reports the same list of providers on the global and non-global zone.

      Does anyone have an idea how I can enable the stronger keys on the non-global zone? Or is this perhaps actually by design?

      I've seen the issue on Solaris 10 Updates 8 (10/09), 9 (9/10) and 10 (8/11). Only on Solaris 11 11/11 does it seem to be gone, but Solaris 11 is not yet an option in this setup.
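
Added example, not part of the original post: a small shell function that compares two `encrypt -l` listings and reports every algorithm whose maximum key size is smaller in the second listing, which is a quick way to check many zones for the difference shown above. The function name `keysize_gaps` and the zone name in the comment are hypothetical; the sample input is the two listings from the post.

```shell
#!/bin/sh
# Constructed sample input: the two `encrypt -l` listings quoted in the post.
GLOBAL_LIST='Algorithm       Keysize:  Min   Max (bits)
------------------------------------------
aes                       128   256
arcfour                     8  2048
des                        64    64
3des                      128   192'

ZONE_LIST='Algorithm       Keysize:  Min   Max (bits)
------------------------------------------
aes                       128   128
arcfour                     8   128
des                        64    64
3des                      128   192'

# keysize_gaps REFERENCE CANDIDATE
# Prints "algorithm reference_max candidate_max" for each algorithm whose
# maximum key size in CANDIDATE is below REFERENCE. An algorithm missing
# from CANDIDATE is reported with candidate_max 0.
# Note: on Solaris 10 use nawk or /usr/xpg4/bin/awk instead of /usr/bin/awk.
keysize_gaps() {
    printf '%s\n@@\n%s\n' "$1" "$2" | awk '
        $0 == "@@" { second = 1; next }            # boundary between listings
        NF != 3 || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ { next }  # header, ruler
        !second { ref[$1] = $3; order[++n] = $1; next }
        { cand[$1] = $3 }
        END {
            for (i = 1; i <= n; i++) {
                a = order[i]
                c = (a in cand) ? cand[a] : 0
                if (c + 0 < ref[a] + 0) print a, ref[a], c
            }
        }'
}

# Live use from the global zone (zone name "myzone" is a placeholder):
#   keysize_gaps "$(encrypt -l)" "$(zlogin myzone encrypt -l)"
keysize_gaps "$GLOBAL_LIST" "$ZONE_LIST"
```

For the listings in the post this reports `aes` (256 vs. 128) and `arcfour` (2048 vs. 128); `des` and `3des` match and are not listed.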