SunOS man pages : sckmd (1)
Maintenance Commands sckmd(1M)
NAME
sckmd - Sun Fire 15000 key management daemon
SYNOPSIS
/platform/SUNW,Sun-Fire-15000/lib/sckmd
DESCRIPTION
sckmd is a server process that resides on a Sun Fire 15000
domain. sckmd maintains the Internet Protocol Security
(IPsec) Security Associations (SAs) needed to secure the
communication between the Sun Fire 15000 System Controller
(SC) and the cvcd(1M) and dcs(1M) daemons running on a Sun
Fire 15000 domain. See ipsec(7P) for a description of
Security Associations.
sckmd receives SAs from the SC and provides these SAs to the
Security Association Databases (SADBs) using pf_key(7P).
sckmd normally starts up at system boot time. Each domain
supports only one running sckmd process at a time.
FILES
/etc/inet/ipsecinit.conf
Configuration file for default system-wide IPsec policies
ATTRIBUTES
See attributes(5) for descriptions of the following
attributes:
 ______________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE                     |
|________________|_____________________________________|
| Architecture   | Sun Fire 15000 systems              |
|________________|_____________________________________|
| Availability   | SUNWsckmx.u, SUNWsckmu.u, SUNWsckmr |
|________________|_____________________________________|
SEE ALSO
cvcd(1M), dcs(1M), ipsecconf(1M), attributes(5),
authmd5h(7M), encr3des(7M), ipsec(7P), pf_key(7P)
Sun Enterprise 10000 SSP Reference Manual
Sun System Management Services (SMS) Reference Manual
NOTES
IPsec is used by Sun Fire 15000 systems to secure the
communication between the SC, and the cvcd(1M) and dcs(1M)
daemons running on a domain. System-wide IPsec policies for
these daemons are configured on a domain with ipsecconf(1M).
SunOS 5.8 Last change: 6 Apr 2001 1
Default policies are defined when the SUNWsckmr package is
installed on a Sun Fire 15000 domain at OS install time.
Package SUNWsckmr configures default system-wide policies
for cvcd(1M) and dcs(1M) by adding the following entries in
/etc/inet/ipsecinit.conf:
{ dport sun-dr ulp tcp } permit { auth_alg md5 }
{ sport sun-dr ulp tcp } apply { auth_alg md5 sa unique }
{ dport cvc_hostd ulp tcp } permit { auth_alg md5 }
{ sport cvc_hostd ulp tcp } apply { auth_alg md5 sa unique }
The cvc_hostd service represents cvcd(1M) and the sun-dr
service represents dcs(1M) in the preceding entries.
These policies conform to the format defined by ipsec(7P)
and require HMAC-MD5 authentication. See authmd5h(7M).
System-wide policies for cvcd(1M) and dcs(1M) configured on
a domain using ipsecconf(1M) must match the IPsec policies
defined for these services on the SC. On an SC, IPsec policies
for these services are defined by the SMS key management
daemon. Refer to the kmd(1M) man page in the Sun System
Management Services (SMS) Reference Manual.
IPsec encryption or authentication with encryption can be
enabled on the domain using the encr_algs and encr_auth_algs
properties, as described in the ipsecconf(1M) manual page.
For example, the following ipsecconf(1M) entries require
Triple-DES and HMAC-MD5 authentication for the network
console cvcd(1M) service:
{ dport cvc_hostd ulp tcp } permit { encr_algs 3des encr_auth_algs md5 }
{ sport cvc_hostd ulp tcp } apply { encr_algs 3des encr_auth_algs md5 sa unique }
See encr3des(7M) for Triple-DES authentication and
authmd5h(7M) for HMAC-MD5 authentication.
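The following is an added example, not part of the original man page or of any Sun tool: a small Python audit that parses entries in the format shown above and reports, for sun-dr and cvc_hostd, whether the permit/apply pair is present, consistent, and encrypted. The function names, the finding strings and the sample input are assumptions made for illustration.

```python
import re

# One policy line in the form shown on this page: { pattern } action { properties }
ENTRY = re.compile(r"\{([^}]*)\}\s*(\w+)\s*\{([^}]*)\}")
SERVICES = ("sun-dr", "cvc_hostd")  # dcs(1M) and cvcd(1M), per this page

# Constructed sample: the default sun-dr entries plus the 3des cvc_hostd entries above.
SAMPLE = """\
# constructed sample ipsecinit.conf
{ dport sun-dr ulp tcp } permit { auth_alg md5 }
{ sport sun-dr ulp tcp } apply { auth_alg md5 sa unique }
{ dport cvc_hostd ulp tcp } permit { encr_algs 3des encr_auth_algs md5 }
{ sport cvc_hostd ulp tcp } apply { encr_algs 3des encr_auth_algs md5 sa unique }
"""

def pairs(body):
    """Turn 'k1 v1 k2 v2' into {'k1': 'v1', 'k2': 'v2'}."""
    tok = body.split()
    return dict(zip(tok[0::2], tok[1::2]))

def parse(text):
    """Return (pattern, action, properties) per entry; '#' comments are dropped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.search(line.split("#", 1)[0])
        if m:
            entries.append((pairs(m.group(1)), m.group(2), pairs(m.group(3))))
    return entries

def audit(text):
    """Map each service to a list of findings about its permit/apply pair."""
    report = {}
    for svc in SERVICES:
        found = {}
        for pat, action, props in parse(text):
            for port_key, want in (("dport", "permit"), ("sport", "apply")):
                if pat.get(port_key) == svc and action == want:
                    # 'sa unique' is not an algorithm, so leave it out of the comparison
                    found[want] = {k: v for k, v in props.items() if k != "sa"}
        issues = [f"missing {w} entry" for w in ("permit", "apply") if w not in found]
        if len(found) == 2 and found["permit"] != found["apply"]:
            issues.append("permit and apply algorithms differ")
        if found and not any("encr_algs" in a for a in found.values()):
            issues.append("authentication only, no encryption")
        report[svc] = issues
    return report

if __name__ == "__main__":
    for svc, issues in audit(SAMPLE).items():
        print(svc, issues or "ok")
```

The audit only checks the domain side; the page's requirement that these policies match the ones defined on the SC still has to be verified against the SC configuration.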