modutil [command] [options]
michael@0: At most one command can be specified. With no arguments,
michael@0: modutil prints a usage message.
michael@0:
| Command | Description | michael@0:
|---|---|
michael@0: -add module name -libfile library file
michael@0: [-ciphers cipher enable list]
michael@0: [-mechanisms default mechanism list]
michael@0: |
michael@0: Adds a new module to the database with the given name.
michael@0:
michael@0: library file is the path of the DLL or other library file michael@0: containing the module's implementation of the PKCS #11 interface. michael@0: michael@0: cipher enable flags is a colon-separated list of ciphers michael@0: that will be enabled on this module. The list should be enclosed within quotes michael@0: if necessary to prevent shell interpretation. The following ciphers are michael@0: currently available: michael@0:
default mechanism flags is a colon-separated list of michael@0: mechanisms for which this module should be the default provider. The michael@0: list should be enclosed within quotes if necessary to prevent shell michael@0: interpretation. This michael@0: list does not enable the mechanisms; it only specifies that this module michael@0: will be a default provider for the listed mechanisms. If more than michael@0: one module claims to be a default provider for a given mechanism, it is michael@0: undefined which will actually be chosen to provide that mechanism. The michael@0: following mechanisms are currently available: michael@0:
|
michael@0:
-changepw token name
michael@0: [-pwfile old password file]
michael@0: [-newpwfile new password file] |
michael@0: Changes the password on the named token. If the token has not been
michael@0: initialized, this command will initialize the PIN.
michael@0: If a password file is given, the password will be read from that file;
michael@0: otherwise, the password will be obtained interactively.
michael@0: Storing passwords in a file is much less secure than supplying them
michael@0: interactively.
michael@0: The password on the Netscape internal module cannot be changed if
michael@0: the |
michael@0:
-create |
michael@0: Creates a new secmod[ule].db, key3.db, and cert7.db in the directory
michael@0: specified with the
michael@0: -dbdir option, if one is specified. If no directory is
michael@0: specified, UNIX systems will use the user's .netscape directory, while other
michael@0: systems will return with an error message. If any of these databases already
michael@0: exist in the chosen directory, an error message is returned.
michael@0: If used with |
michael@0:
-default module name
michael@0: -mechanisms mechanism list
michael@0: |
michael@0: Specifies that the given module will be a default provider of the
michael@0: listed mechanisms. The mechanism list is the same as in the -add
michael@0: command.
michael@0: |
michael@0:
-delete module name |
michael@0: Deletes the named module from the database | michael@0:
-disable module name
michael@0: [-slot slot name] |
michael@0: Disables the named slot. If no slot is specified, all slots on michael@0: the module are disabled. | michael@0:
-enable module name
michael@0: [-slot slot name] |
michael@0: Enables the named slot. If no slot is specified, all slots on michael@0: the module are enabled. | michael@0:
-fips [true | false] |
michael@0: Enables or disables FIPS mode on the internal module. Passing
michael@0: true enables FIPS mode, passing false disables
michael@0: FIPS mode. |
michael@0:
-force |
michael@0: Disables interactive prompts, so modutil can be run in a script. michael@0: Should only be used by experts, since the prompts may relate to security michael@0: or database integrity. Before using this option, test the command michael@0: interactively once to see the warnings that are produced. | michael@0:
-jar JAR file
michael@0: -installdir root installation directory
michael@0: [-tempdir temporary directory] |
michael@0: Adds a new module from the given JAR file. The JAR file uses the
michael@0: server PKCS #11 JAR format to describe the names of
michael@0: any files that need to be installed, the name of the module, mechanism flags,
michael@0: and cipher flags. The root installation directory
michael@0: is the directory relative to which files will be installed. This should be a
michael@0: directory
michael@0: under which it would be natural to store dynamic library files, such as
michael@0: a server's root directory, or Communicator's root directory.
michael@0: The temporary directory is where temporary modutil files
michael@0: will be created in the course of the installation. If no temporary directory
michael@0: is specified, the current directory will be used.
michael@0: If used with the |
michael@0:
-list [module name] |
michael@0: Without an argument, lists the PKCS #11 modules present in the module
michael@0: database.
michael@0: michael@0:michael@0:michael@0: % modutil -list michael@0: Using database directory /u/nicolson/.netscape... michael@0: michael@0: Listing of PKCS #11 Modules michael@0: ----------------------------------------------------------- michael@0: 1. Netscape Internal PKCS #11 Module michael@0: slots: 2 slots attached michael@0: status: loaded michael@0: michael@0: slot: Communicator Internal Cryptographic Services Version 4.0 michael@0: token: Communicator Generic Crypto Svcs michael@0: michael@0: slot: Communicator User Private Key and Certificate Services michael@0: token: Communicator Certificate DB michael@0: ----------------------------------------------------------- michael@0:michael@0: With an argument, provides a detailed description of the named module michael@0: and its slots and tokens. michael@0: michael@0:michael@0:michael@0: % modutil -list "Netscape Internal PKCS #11 Module" michael@0: Using database directory /u/nicolson/.netscape... michael@0: michael@0: ----------------------------------------------------------- michael@0: Name: Netscape Internal PKCS #11 Module michael@0: Library file: **Internal ONLY module** michael@0: Manufacturer: Netscape Communications Corp michael@0: Description: Communicator Internal Crypto Svc michael@0: PKCS #11 Version 2.0 michael@0: Library Version: 4.0 michael@0: Cipher Enable Flags: None michael@0: Default Mechanism Flags: RSA:DSA:RC2:RC4:DES:SHA1:MD5:MD2 michael@0: michael@0: Slot: Communicator Internal Cryptographic Services Version 4.0 michael@0: Manufacturer: Netscape Communications Corp michael@0: Type: Software michael@0: Version Number: 4.1 michael@0: Firmware Version: 0.0 michael@0: Status: Enabled michael@0: Token Name: Communicator Generic Crypto Svcs michael@0: Token Manufacturer: Netscape Communications Corp michael@0: Token Model: Libsec 4.0 michael@0: Token Serial Number: 0000000000000000 michael@0: Token Version: 4.0 michael@0: Token Firmware Version: 0.0 michael@0: Access: Write Protected michael@0: Login Type: Public (no login required) michael@0: User Pin: NOT Initialized michael@0: michael@0: Slot: Communicator User Private Key and Certificate Services michael@0: Manufacturer: Netscape Communications Corp michael@0: Type: Software michael@0: Version Number: 3.0 michael@0: Firmware Version: 0.0 michael@0: Status: Enabled michael@0: Token Name: Communicator Certificate DB michael@0: Token Manufacturer: Netscape Communications Corp michael@0: Token Model: Libsec 4.0 michael@0: Token Serial Number: 0000000000000000 michael@0: Token Version: 7.0 michael@0: Token Firmware Version: 0.0 michael@0: Access: NOT Write Protected michael@0: Login Type: Login required michael@0: User Pin: Initialized michael@0: michael@0: ----------------------------------------------------------- michael@0:michael@0: |
michael@0:
-undefault module name
michael@0: -mechanisms mechanism list |
michael@0: Specifies that the given module will NOT be a default provider of michael@0: the listed mechanisms. This command clears the default mechanism flags michael@0: for the given module. | michael@0:
| Option | Description |
|---|---|
-dbdir directory |
michael@0: Specifies which directory holds the module database. On UNIX systems, michael@0: the user's netscape directory is the default. On other systems, there is michael@0: no default, and this option must be used. | michael@0:
-nocertdb |
michael@0: Do not open the certificate or key databases. This has several effects.
michael@0: With the -create command, this means that only a secmod.db file
michael@0: will be created; cert7.db and key3.db will not be created. With the
michael@0: -jar command, signatures on the JAR file will not be checked.
michael@0: With the -changepw command, the password on the Netscape internal
michael@0: module cannot be set or changed, since this password is stored in key3.db.
michael@0: |
michael@0: