cacao(5)                    Maintenance Commands                    cacao(5)

NAME
cacao - describes the security files associated with the common agent
container
DESCRIPTION
This man page describes the various security files, security stores,
certificate files and certificate stores associated with the common
agent container. The instance-name part of each file specification
locates the files related to a specific instance of the container. If
you specify the default instance name (called default), the files are
those of the default daemon instance. This default instance is created
automatically and cannot be deleted.
FILES
Security and certificate files and stores
/etc/cacao/instances/instance-name/security
Secret password file
/etc/cacao/instances/instance-name/security/password
This secret password is used to protect some stores, keys and
certificates and to assert the identity provided by well-known clients.
Network Security Services (NSS) security files
/etc/cacao/instances/instance-name/security/nss
The directory for security files related to NSS.
Local CA security files
/etc/cacao/instances/instance-name/security/nss/localca
This is the directory for security files related to the local
Certificate Authority (CA). The local CA, and therefore this
directory, only exists if NSS is available on the host. The local CA is
used to sign both agent and C/Java client certificates. It is
trusted by both the agent itself and C/Java clients.
Local CA key store
/etc/cacao/instances/instance-name/security/nss/localca/key3.db
This is where local CA public and private keys (nickname: cacao_ca)
are held. This store is protected by the secret password. Only
superuser is authorized to write to it and create new server or
client certificates validated by this CA and trusted by the agent.
Local CA certificate store
/etc/cacao/instances/instance-name/security/nss/localca/cert8.db
This is where the local CA self-signed certificate (cacao_ca) is
stored. This store is protected by the secret password. Only
superuser is authorized to write to it.
Local CA certificate file
/etc/cacao/instances/instance-name/security/nss/localca/localca.cert
A file containing the local CA self-signed certificate.
Security files related to well-known C clients using NSS
/etc/cacao/instances/instance-name/security/nss/wellknown
This is the directory for security files related to well-known C
clients using NSS. This directory only exists if NSS is available
on the host.
Key store for well-known NSS clients
/etc/cacao/instances/instance-name/security/nss/wellknown/key3.db
This is the key store for the well-known clients' public and private
keys (cacao_wellknown). This store is protected by the secret
password, so only superuser is authorized to run a well-known
client.
Certificate store for well-known NSS clients
/etc/cacao/instances/instance-name/security/nss/wellknown/cert8.db
This store contains the local CA certificate (cacao_ca) so that
well-known clients trust the agent. It also contains the well-known
NSS client certificate (cacao_wellknown), signed by the local CA.
This store is protected by the secret password, so only superuser is
authorized to run a well-known client.
Certificate file of well-known NSS clients
/etc/cacao/instances/instance-name/security/nss/wellknown/wellknown.cert
A file containing the well-known NSS client certificate.
Security files related to unknown C clients using NSS
/etc/cacao/instances/instance-name/security/nss/unknown
This is the directory for security files related to unknown C
clients using NSS. This directory only exists if NSS is available
on the host.
Key store for unknown NSS clients
/etc/cacao/instances/instance-name/security/nss/unknown/key3.db
This key store contains the key for unknown NSS clients. It
contains no key by default. This store is protected by a non-secret
password (unknownpass), so any user can run an unknown NSS client.
Certificate store for unknown NSS clients
/etc/cacao/instances/instance-name/security/nss/unknown/cert8.db
This store contains the local CA certificate (cacao_ca) so that
unknown clients trust the agent. This store is protected by a
non-secret password (unknownpass), so any user can run an unknown NSS
client.
Security files related to the common agent container's management daemon
/etc/cacao/instances/instance-name/security/jsse
This directory contains security files related to the common agent
container management daemon and its Java clients.
Agent security store
/etc/cacao/instances/instance-name/security/jsse/keystore
This file contains the management daemon's public and private keys
(cacao_agent). It also contains the agent certificate (cacao_agent),
which is signed by the local CA if one exists, or is self-signed if
the local CA does not exist. This store is protected by the secret
password, so only superuser is authorized to run the agent and
well-known Java clients. Only superuser is allowed to modify the
store itself. Agent keys are protected by the same password.
Trust store for the common agent container's management daemon and
clients
/etc/cacao/instances/instance-name/security/jsse/truststore
This file contains the local CA certificate (cacao_ca) if NSS was
found. If NSS is not available, the file contains the self-signed
agent certificate (cacao_agent). The truststore is protected by a
non-secret password (trustpass) so that any Java client, unknown or
well-known, trusts the agent. Only superuser is authorized to insert
or remove trusted certificates, due to file system permissions. The
certificate is protected by the same password.
Agent certificate file
/etc/cacao/instances/instance-name/security/jsse/agent.cert
A file containing the agent certificate. This certificate is signed
by the local CA if NSS was found, or is self-signed if NSS is not
found.
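The stores above split into two classes: those protected by the secret password and writable only by superuser, and those protected by a non-secret password that any user may open. The following audit script is an added example, not part of the cacao distribution; it assumes only POSIX sh, ls and cut, and reports any secret-password store or the password file itself that is readable by "other", which would undermine the protection the man page describes.

```shell
#!/bin/sh
# audit_cacao_security.sh: check the permission posture of the security
# stores described in cacao(5). Added example, not part of cacao itself.
# Assumes POSIX sh, ls and cut; paths follow the man page layout.

# world_readable FILE -> true if the "other" read bit is set
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# audit_instance INSTANCE_DIR -> prints one line per finding and returns
# the number of findings (0 = clean). INSTANCE_DIR is e.g.
# /etc/cacao/instances/default.
audit_instance() {
    sec="$1/security"
    findings=0
    # Stores the man page says are protected by the secret password and
    # writable only by superuser; these must not be world-readable.
    for f in \
        "$sec/password" \
        "$sec/nss/localca/key3.db" \
        "$sec/nss/localca/cert8.db" \
        "$sec/nss/wellknown/key3.db" \
        "$sec/nss/wellknown/cert8.db" \
        "$sec/jsse/keystore"
    do
        [ -e "$f" ] || continue   # NSS directories may be absent
        if world_readable "$f"; then
            echo "WARN: $f is world-readable (secret-password store)"
            findings=$((findings + 1))
        fi
    done
    # The secret password file must exist for every instance.
    if [ ! -f "$sec/password" ]; then
        echo "WARN: $sec/password is missing"
        findings=$((findings + 1))
    fi
    return $findings
}
```

Run it as `sh audit_cacao_security.sh` after adding a call such as `audit_instance /etc/cacao/instances/default` at the bottom; a non-zero exit status means at least one finding.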
ATTRIBUTES
┌─────────────────────────────┬─────────────────────────────┐
│       ATTRIBUTE TYPE        │       ATTRIBUTE VALUE       │
├─────────────────────────────┼─────────────────────────────┤
│ Availability                │ SUNWcacao                   │
├─────────────────────────────┼─────────────────────────────┤
│ Interface Stability         │ Evolving                    │
└─────────────────────────────┴─────────────────────────────┘
SEE ALSO
cacaoadm(1M), cacaourl(5)
Oracle Solaris May 2010 cacao(5)