The following file is used to configure kmd:

    /etc/opt/SUNWSMS/config/kmd_policy.cf

kmd_policy.cf configures the shared and per-socket policies managed by kmd.
Changes to the policies are made by editing the kmd_policy.cf file on the SC. Corresponding changes must be made on the affected domain(s).
The format of kmd_policy.cf is a table of eight fields separated by the pipe '|' character. The fields are identified below.
dir|d_port|protocol|sa_type|auth_alg|encr_alg|domain|login
The fields are defined as:
dir        Direction to connect from. Values: sctodom, domtosc
d_port     Destination port
protocol   Protocol for the socket. Values: tcp, udp
sa_type    Security association type. Values: ah, esp
auth_alg   Authentication algorithm. Values: none, md5, sha1
encr_alg   Encryption algorithm. Values: none, des, 3des
domain     Domain ID. Values: integers 0 - 17, or a space. A space in the domain field defines a policy which applies to all domains. A policy for a specific domain overrides a policy which applies to all domains.
login      Login name. Values: any valid login name.
The default policies in the kmd_policy.cf file are shown below.
sctodom|665|tcp|ah|md5|none| |sms-dca|
sctodom|442|tcp|ah|md5|none| |sms-dxs|
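As an added example (not part of SMS or of this man page), the following Python parses kmd_policy.cf entries, validates each field against the values listed above, and resolves which entry governs a given domain and socket, applying the rule that a specific-domain entry overrides the all-domains entry. The sample lines are constructed from the two defaults plus a hypothetical domain 3 override; tolerating the trailing '|' seen in the default entries is an assumption.

```python
"""Parse kmd_policy.cf entries and resolve the effective policy for a domain."""
from dataclasses import dataclass
from typing import List, Optional

FIELDS = ("dir", "d_port", "protocol", "sa_type", "auth_alg", "encr_alg", "domain", "login")
ALLOWED = {"dir": {"sctodom", "domtosc"}, "protocol": {"tcp", "udp"},
           "sa_type": {"ah", "esp"}, "auth_alg": {"none", "md5", "sha1"},
           "encr_alg": {"none", "des", "3des"}}

@dataclass(frozen=True)
class Policy:
    dir: str
    d_port: int
    protocol: str
    sa_type: str
    auth_alg: str
    encr_alg: str
    domain: Optional[int]   # None means "all domains" (blank domain field)
    login: str

def parse_line(line: str) -> Policy:
    # Assumption: a trailing '|' (as in the page's default entries) is tolerated.
    parts = [p.strip() for p in line.strip().rstrip("|").split("|")]
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for name, allowed in ALLOWED.items():          # enumerated fields only
        if rec[name] not in allowed:
            raise ValueError(f"{name}={rec[name]!r} not one of {sorted(allowed)}")
    port = int(rec["d_port"])
    if not 0 < port < 65536:
        raise ValueError(f"bad d_port {port}")
    domain = None if rec["domain"] == "" else int(rec["domain"])  # blank = all domains
    if domain is not None and not 0 <= domain <= 17:
        raise ValueError(f"domain {domain} outside 0-17")
    if not rec["login"]:
        raise ValueError("login must not be empty")
    return Policy(rec["dir"], port, rec["protocol"], rec["sa_type"],
                  rec["auth_alg"], rec["encr_alg"], domain, rec["login"])

def is_valid(line: str) -> bool:
    try:
        parse_line(line)
        return True
    except ValueError:
        return False

def load(text: str) -> List[Policy]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def effective(policies, domain: int, d_port: int, protocol: str, direction: str) -> Optional[Policy]:
    """Specific-domain entry wins over the all-domains entry for the same socket."""
    match = [p for p in policies if (p.d_port, p.protocol, p.dir) == (d_port, protocol, direction)]
    specific = [p for p in match if p.domain == domain]
    shared = [p for p in match if p.domain is None]
    return (specific or shared or [None])[0]

# Constructed sample: the two defaults plus a hypothetical sha1 override for domain 3.
SAMPLE = "sctodom|665|tcp|ah|md5|none| |sms-dca|\nsctodom|442|tcp|ah|md5|none| |sms-dxs|\nsctodom|665|tcp|ah|sha1|none|3|sms-dca|\n"
```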
The configuration of policies on a domain is the standard IPsec configuration file (/etc/inet/ipsecconf.init). The default policies are shown below.
{ dport sun-dr } permit { auth_alg md5 }
{ sport sun-dr } apply {auth_alg md5 sa unique }
{ dport cvc_hostd } permit { auth_alg md5 }
{ sport cvc_hostd } apply {auth_alg md5 sa unique }