and the compliance(1M) and compliance-tailor(1M) man pages.
■
Protecting executables from stack corruption is now a security extension in Oracle Solaris rather than the no_exec_userstack system variable that previously was set in the /etc/system file. The nxstack security extension is set by default. In addition, the nxheap security extension protects from heap corruption. For more information, see “Protecting the Process Heap and Executable Stacks From Compromise” in Securing Systems and Attached Devices in Oracle Solaris 11.3.
■
The Cryptographic Framework now includes the Camellia algorithm. To view the mechanisms that Camellia supports, run the cryptoadm list -m | grep camellia command. The SPARC T4 Series and SPARC T8 Series servers provide hardware acceleration for this algorithm.
■
The Kernel SSL proxy supports SSLv3, but disables it by default. See “SSL Kernel Proxy Encrypts Web Server Communications” in Securing the Network in Oracle Solaris 11.3.
■
The pktool gencsr command can now create certificates for certificate authorities that do not follow the standard PKCS #10: Certification Request Syntax Specification (http://). See the pktool(1) man page.
■
When a certificate from a Certificate Authority (CA) is missing or corrupted, you can fix the resulting problem by adding or removing certificates from the Oracle Solaris keystore. For more information, see “Adding CA Certificates to the Oracle Solaris CA Keystore” in Managing Encryption and Certificates in Oracle Solaris 11.3.
■
Oracle Solaris provides client support for KMIP version 1.1, enabling clients to communicate with Key Management Interoperability Protocol (KMIP)-compliant servers such as the Oracle Key Vault (OKV). PKCS #11 applications, as clients, can communicate with KMIP-compliant servers to create and use asymmetric keys. See Chapter 5, “KMIP and PKCS #11 Client Applications” in Managing Encryption and Certificates in Oracle Solaris 11.3.
■
Oracle Solaris offers an openssh implementation of Secure Shell. This OpenSSH implementation is built on OpenSSH 7.2p2 plus additional features. The sunssh implementation is still the default. You use the pkg mediator command to switch between the two implementations. For more information, see “OpenSSH Implementation of Secure Shell” in Managing Secure Shell Access in Oracle Solaris 11.3.
■
To aid in making the transition to IPsec and IKEv2, Oracle Solaris provides the pass action and the ike_version option. The pass action enables a server to support IPsec and non-IPsec clients, and the ike_version option enables you to specify the version of the IKE protocol that an IPsec policy rule must use. This option helps a network run two versions of the IKE protocol and require the newer IKE protocol on only those systems that can support it. For information and links to examples, see “What’s New in Network Security in Oracle Solaris 11.3” in Securing the Network in Oracle Solaris 11.3.
