The following file is used to configure kmd:

    /etc/opt/SUNWSMS/config/kmd_policy.cf

kmd_policy.cf configures the shared and per-socket policies managed by kmd.
Changes to the policies are made by editing the kmd_policy.cf file on the SC. Corresponding changes must be made on the affected domain(s).
The format of kmd_policy.cf is a table of eight fields separated by the pipe (|) character:
dir|d_port|protocol|sa_type|auth_alg|encr_alg|domain|login
The fields are defined as follows:
dir
    Direction to connect from.
    Values: sctodom, domtosc

d_port
    Destination port.

protocol
    Protocol for the socket.
    Values: tcp, udp

sa_type
    Security association type.
    Values: ah, esp

auth_alg
    Authentication algorithm.
    Values: none, md5, sha1

encr_alg
    Encryption algorithm.
    Values: none, des, 3des

domain
    Domain ID.
    Values: integers 0-17 or a [space].
    A space for the domain ID defines a policy that applies to all domains. A policy for a specific domain overrides a policy that applies to all domains.

login
    Login name.
    Values: Any valid login name.
The default policies in the kmd_policy.cf file are as follows:
sctodom|665|tcp|ah|md5|none| |sms-dca|
sctodom|442|tcp|ah|md5|none| |sms-dxs|
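The following is an added example, not code from the kmd man page or from SMS: a small validator for kmd_policy.cf entries that checks each field against the values listed above and then resolves which entry applies to a given socket on a given domain, with a domain-specific entry overriding the all-domains (space) entry. The field names, allowed values and the two default entries come from the page; the parsing rules, the lookup function and the third sample entry (a hypothetical domain-3 override) are constructed for illustration.

```python
"""Validate kmd_policy.cf entries and resolve per-domain overrides.

Added example, not code from the kmd man page or from SMS. Field names,
allowed values and the two default entries come from the man page; the
parsing rules, the lookup logic and the third (domain 3) sample entry
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

FIELDS = ("dir", "d_port", "protocol", "sa_type",
          "auth_alg", "encr_alg", "domain", "login")

# Allowed values per field, as listed in the man page.
ALLOWED = {
    "dir": {"sctodom", "domtosc"},
    "protocol": {"tcp", "udp"},
    "sa_type": {"ah", "esp"},
    "auth_alg": {"none", "md5", "sha1"},
    "encr_alg": {"none", "des", "3des"},
}


@dataclass(frozen=True)
class Policy:
    dir: str
    d_port: int
    protocol: str
    sa_type: str
    auth_alg: str
    encr_alg: str
    domain: Optional[int]   # None = the [space] entry that applies to all domains
    login: str


def parse_line(line: str) -> Policy:
    """Parse one pipe-separated entry; raise ValueError on anything malformed."""
    parts = line.rstrip("\n").split("|")
    # The default entries carry a trailing '|', so tolerate one empty final field.
    if len(parts) == len(FIELDS) + 1 and parts[-1] == "":
        parts = parts[:-1]
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))

    for name, allowed in ALLOWED.items():
        if rec[name] not in allowed:
            raise ValueError(f"{name}={rec[name]!r} must be one of {sorted(allowed)}")

    port = int(rec["d_port"]) if rec["d_port"].isdigit() else -1
    if not 1 <= port <= 65535:
        raise ValueError(f"d_port={rec['d_port']!r} is not a valid port")

    dom_text = rec["domain"].strip()
    if dom_text == "":
        domain: Optional[int] = None            # applies to all domains
    elif dom_text.isdigit() and 0 <= int(dom_text) <= 17:
        domain = int(dom_text)
    else:
        raise ValueError(f"domain={rec['domain']!r} must be 0-17 or a space")

    if not rec["login"]:
        raise ValueError("login must not be empty")

    # This example's own sanity check (not a rule the man page states):
    # a policy with neither authentication nor encryption protects nothing.
    if rec["auth_alg"] == "none" and rec["encr_alg"] == "none":
        raise ValueError("policy selects no authentication and no encryption")

    return Policy(rec["dir"], port, rec["protocol"], rec["sa_type"],
                  rec["auth_alg"], rec["encr_alg"], domain, rec["login"])


def load(text: str) -> List[Policy]:
    """Parse a whole kmd_policy.cf, skipping blank lines."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def resolve(policies: List[Policy], direction: str, d_port: int,
            protocol: str, domain: int) -> Optional[Policy]:
    """Pick the policy for one socket on one domain.

    A domain-specific entry overrides the all-domains (space) entry, as the
    man page describes; None means no entry covers that socket at all.
    """
    candidates = [p for p in policies
                  if (p.dir, p.d_port, p.protocol) == (direction, d_port, protocol)]
    for p in candidates:
        if p.domain == domain:
            return p
    for p in candidates:
        if p.domain is None:
            return p
    return None


# Constructed sample: the two defaults from the man page plus one
# hypothetical domain-3 override that moves sms-dxs to sha1.
SAMPLE_CF = """\
sctodom|665|tcp|ah|md5|none| |sms-dca|
sctodom|442|tcp|ah|md5|none| |sms-dxs|
sctodom|442|tcp|ah|sha1|none|3|sms-dxs|
"""

if __name__ == "__main__":
    pols = load(SAMPLE_CF)
    for dom in (3, 5):
        p = resolve(pols, "sctodom", 442, "tcp", dom)
        print(f"domain {dom}: port 442 -> {p.auth_alg if p else 'no policy'}")
```

Running the block resolves port 442 to sha1 for domain 3 and to the md5 default for any other domain; a line with a domain outside 0-17, an unknown value in an enumerated field, an empty login, or neither authentication nor encryption is rejected before it can reach the running configuration.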
The configuration of policies on a domain is the standard IPSec configuration file (/etc/inet/ipsecconf.init). The default policies are shown below.

    { dport sun-dr } permit { auth_alg md5 }
    { sport sun-dr } apply { auth_alg md5 sa unique }
    { dport cvc_hostd } permit { auth_alg md5 }
    { sport cvc_hostd } apply { auth_alg md5 sa unique }