canmove, Confirmed users
937
edits
Rolesandservices: Difference between revisions
→Multiple Concurrent Operator Roles and Services
| Line 83: | Line 83: | ||
== Multiple Concurrent Operator Roles and Services == | == Multiple Concurrent Operator Roles and Services == | ||
The NSS module doesn't allow concurrent '''operators'''. | The NSS cryptographic module doesn't allow concurrent '''operators'''. | ||
* For Security Level 1, the operating system has been restricted to a single operator mode of operation, so concurrent operators are explicitly excluded (FIPS 140-2 Sec. 4.6.1). | * For Security Level 1, the operating system has been restricted to a single operator mode of operation, so concurrent operators are explicitly excluded (FIPS 140-2 Sec. 4.6.1). | ||
* On a multi-user operating system, this is enforced by creating the NSS certificate and key databases with the 0600 access permission bits. | * On a multi-user operating system, this is enforced by creating the NSS certificate and key databases with the 0600 access permission bits. | ||
<div class=note> | <div class=note> | ||
'''Note''': The NSS module does allow concurrent '''processes''' with the same user identity to access the module, with the restriction that all the concurrent processes must open the NSS databases in read-only mode. Each process accessing the NSS module needs to assume a role separately. The separation between the roles and services performed by concurrent processes is enforced by the process protection of the underlying operating system. | '''Note''': The NSS cryptographic module does allow concurrent '''processes''' with the same user identity to access the module, with the restriction that all the concurrent processes must open the NSS databases in read-only mode. Each process accessing the NSS cryptographic module needs to assume a role separately. The separation between the roles and services performed by concurrent processes is enforced by the process protection of the underlying operating system. | ||
The NSS module also allows a process to open multiple concurrent '''sessions''' (connections) with the module. PKCS #11 requires that when a session within a process assumes a role, all the concurrent sessions within the process assume that role (PKCS #11 v2.20, Sec. 11.4, C_Login). Therefore, the separation of the roles assumed by concurrent sessions and the corresponding services isn't an issue. | The NSS cryptographic module also allows a process to open multiple concurrent '''sessions''' (connections) with the module. PKCS #11 requires that when a session within a process assumes a role, all the concurrent sessions within the process assume that role (PKCS #11 v2.20, Sec. 11.4, C_Login). Therefore, the separation of the roles assumed by concurrent sessions and the corresponding services isn't an issue. | ||
</div> | </div> | ||