Sun Microsystems, Inc.
System Administration kmd(1m)


NAME

 kmd - SMS key management daemon

SYNOPSIS

 kmd

DESCRIPTION

 

kmd(1M) manages the IPSec security associations (SAs) needed to secure the communication between the system controller (SC) and servers running on a domain. kmd manages per-socket policies for connections initiated by clients on the SC to servers on a domain. kmd manages shared policies for connections initiated by clients on the domain to servers on the SC.

The current default configuration includes authentication policies for the dca(1M) and dxs(1M) clients on the SC which connect to the dcs(1M) and cvcd(1M) servers on a domain.

This daemon is started automatically by the ssd(1M) daemon. Do not start it manually from the command line.

Note – kmd must be run as a root process to be permitted to use the pf_key interface to IPSec.

EXIT STATUS

 

The following exit values are returned:

0     Successful completion.

>0    An error occurred.

FILES

 

The following file is used to configure kmd:

/etc/opt/SUNWSMS/config/kmd_policy.cf
kmd_policy.cf configures the shared and per-socket policies managed by kmd.

Changes to the policies are made by editing the kmd_policy.cf file on the SC. Corresponding changes must be made on the affected domain(s).

The format of kmd_policy.cf is a table of eight fields separated by the pipe '|' character. The fields are identified below.

dir|d_port|protocol|sa_type|auth_alg|encr_alg|domain|login

The fields are defined as:

dir - Direction to connect from. Values: sctodom, domtosc

d_port - Destination port

protocol - Protocol for the socket. Values: tcp, udp

sa_type - Security association type. Values: ah, esp

auth_alg - Authentication algorithm. Values: none, md5, sha1

encr_alg - Encryption algorithm. Values: none, des, 3des

domain - Domain ID. Values: integers 0 - 17, space. A space for the domain ID defines a policy which applies to all domains. A policy for a specific domain overrides a policy which applies to all domains.

login - Login name. Values: Any valid login name.

The default policies in the kmd_policy.cf file are shown below.

sctodom|665|tcp|ah|md5|none| |sms-dca|

sctodom|442|tcp|ah|md5|none| |sms-dxs|
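
The following parser for the kmd_policy.cf format described above is an added example, not part of the original manual page or of SMS. It validates each field against the listed values and applies the rule that a domain-specific policy overrides an all-domains policy; the domain 3 line in SAMPLE is constructed, and treating dir, d_port and protocol as the match key is an assumption.

```python
FIELDS = ("dir", "d_port", "protocol", "sa_type", "auth_alg", "encr_alg", "domain", "login")
ALLOWED = {  # value sets listed in the field definitions above
    "dir": {"sctodom", "domtosc"}, "protocol": {"tcp", "udp"},
    "sa_type": {"ah", "esp"}, "auth_alg": {"none", "md5", "sha1"},
    "encr_alg": {"none", "des", "3des"},
}
ALL_DOMAINS = None  # assumption: the "space" domain ID is represented as None

# The two default entries from the page plus one constructed domain 3 override.
SAMPLE = """sctodom|665|tcp|ah|md5|none| |sms-dca|
sctodom|442|tcp|ah|md5|none| |sms-dxs|
sctodom|665|tcp|ah|sha1|none|3|sms-dca|"""


def parse_policy(line):
    """Parse one pipe-separated entry; raise ValueError on a malformed field."""
    parts = line.rstrip("\n").split("|")
    if len(parts) == len(FIELDS) + 1 and not parts[-1].strip():
        parts.pop()  # the default entries end with a trailing '|'
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    entry = {name: value.strip() for name, value in zip(FIELDS, parts)}
    for name, allowed in ALLOWED.items():
        if entry[name] not in allowed:
            raise ValueError(f"{name}: {entry[name]!r} not in {sorted(allowed)}")
    port, dom = entry["d_port"], entry["domain"]
    if not (port.isdecimal() and 0 < int(port) < 65536):
        raise ValueError(f"d_port: {port!r} is not a valid port")
    if dom and not (dom.isdecimal() and int(dom) <= 17):
        raise ValueError(f"domain: {dom!r} is not 0-17 or a space")
    if not entry["login"]:
        raise ValueError("login: empty")
    entry["d_port"] = int(port)
    entry["domain"] = int(dom) if dom else ALL_DOMAINS
    return entry


def effective_policy(entries, direction, d_port, protocol, domain):
    """Return the entry that governs a connection, or None if none matches."""
    # Assumption: dir, d_port and protocol identify the connection (not stated on the page).
    matches = [e for e in entries
               if (e["dir"], e["d_port"], e["protocol"]) == (direction, d_port, protocol)
               and e["domain"] in (domain, ALL_DOMAINS)]
    matches.sort(key=lambda e: e["domain"] is ALL_DOMAINS)  # specific entry first
    return matches[0] if matches else None


POLICIES = [parse_policy(line) for line in SAMPLE.splitlines()]
```

Running the same check over the file on the SC before and after an edit shows which domains an override actually changes.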

The configuration of policies on a domain is the standard IPSec configuration file (/etc/inet/ipsecconf.init).

The default policies are shown below.

{ dport sun-dr } permit { auth_alg md5 }

{ sport sun-dr } apply {auth_alg md5 sa unique }

{ dport cvc_hostd } permit { auth_alg md5 }

{ sport cvc_hostd } apply {auth_alg md5 sa unique }

ATTRIBUTES

 

See attributes(5) for descriptions of the following attributes:

Attribute Types    Attribute Values
Availability       SUNWSMSr, SUNWSMSop

SEE ALSO

 

ssd(1m), sckmd(1m), ipsecconf(1m), pf_key(1m), ipsec(1m), dca(1m), dxs(1m), dcs(1m), cvcd(1m)


SMS 1.2    Last Changed 22 April 2002

 
      
      
Copyright 2002 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 USA. All rights reserved.