6253 F_GETLK doesn't always return lock owner

[illumos-gate.git] / usr / src / man / man1m / in.iked.1m

'\" te
.\" Copyright (C) 2009, Sun Microsystems, Inc. All Rights Reserved
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License").  You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.  See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE.  If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH IN.IKED 1M "Jan 27, 2009"
.SH NAME
in.iked \- daemon for the Internet Key Exchange (IKE)
.SH SYNOPSIS
.LP
.nf
\fB/usr/lib/inet/in.iked\fR [\fB-d\fR] [\fB-f\fR \fIfilename\fR] [\fB-p\fR \fIlevel\fR]
.fi

.LP
.nf
\fB/usr/lib/inet/in.iked\fR \fB-c\fR [\fB-f\fR \fIfilename\fR]
.fi

.SH DESCRIPTION
.sp
.LP
\fBin.iked\fR performs automated key management for IPsec using the Internet
Key Exchange (\fBIKE\fR) protocol.
.sp
.LP
\fBin.iked\fR implements the following:
.RS +4
.TP
.ie t \(bu
.el o
\fBIKE\fR authentication with either pre-shared keys, \fBDSS\fR signatures,
\fBRSA\fR signatures, or \fBRSA\fR encryption.
.RE
.RS +4
.TP
.ie t \(bu
.el o
Diffie-Hellman key derivation using either \fB768\fR, \fB1024\fR, or
\fB1536\fR-bit public key moduli.
.RE
.RS +4
.TP
.ie t \(bu
.el o
Authentication protection with cipher choices of \fBAES\fR, \fBDES\fR,
Blowfish, or \fB3DES\fR, and hash choices of either \fBHMAC-MD5\fR or
\fBHMAC-SHA-1\fR. Encryption in \fBin.iked\fR is limited to the \fBIKE\fR
authentication and key exchange. See \fBipsecesp\fR(7P) for information
regarding IPsec protection choices.
.RE
.sp
.LP
\fBin.iked\fR is managed by the following \fBsmf\fR(5) service:
.sp
.in +2
.nf
svc:/network/ipsec/ike
.fi
.in -2
.sp

.sp
.LP
This service is delivered disabled because the configuration file needs to be
created before the service can be enabled. See \fBike.config\fR(4) for the
format of this file.
.sp
.LP
See "Service Management Facility" for information on managing the \fBsmf\fR(5)
service.
.sp
.LP
\fBin.iked\fR listens for incoming \fBIKE\fR requests from the network and for
requests for outbound traffic using the \fBPF_KEY\fR socket. See
\fBpf_key\fR(7P).
.sp
.LP
\fBin.iked\fR has two support programs that are used for IKE administration and
diagnosis: \fBikeadm\fR(1M) and \fBikecert\fR(1M).
.sp
.LP
The \fBikeadm\fR(1M) command can read the \fB/etc/inet/ike/config\fR file as a
\fBrule\fR, then pass the configuration information to the running
\fBin.iked\fR daemon using a doors interface.
.sp
.in +2
.nf
example# \fBikeadm read rule /etc/inet/ike/config\fR
.fi
.in -2
.sp

.sp
.LP
Refreshing the \fBike\fR \fBsmf\fR(5) service provided to manage the
\fBin.iked\fR daemon sends a \fBSIGHUP\fR signal to the \fBin.iked\fR daemon,
which will (re)read \fB/etc/inet/ike/config\fR and reload the certificate
database.
.sp
.LP
The preceding two commands have the same effect, that is, to update the running
IKE daemon with the latest configuration. See "Service Management Facility" for
more details on managing the \fBin.iked\fR daemon.
.SS "Service Management Facility"
.sp
.LP
The IKE daemon (\fBin.iked\fR) is managed by the service management facility,
\fBsmf\fR(5). The following group of services manage the components of IPsec:
.sp
.in +2
.nf
svc:/network/ipsec/ipsecalgs   (See ipsecalgs(1M))
svc:/network/ipsec/policy      (See ipsecconf(1M))
svc:/network/ipsec/manual-key  (See ipseckey(1M))
svc:/network/ipsec/ike         (see ike.config(4))
.fi
.in -2
.sp

.sp
.LP
The manual-key and \fBike\fR services are delivered \fBdisabled\fR because the
system administrator must create configuration files for each service, as
described in the respective man pages listed above.
.sp
.LP
The correct administrative procedure is to create the configuration file for
each service, then enable each service using \fBsvcadm\fR(1M).
.sp
.LP
The \fBike\fR service has a dependency on the \fBipsecalgs\fR and \fBpolicy\fR
services. These services should be enabled before the \fBike\fR service.
Failure to do so results in the \fBike\fR service entering maintenance mode.
.sp
.LP
If the configuration needs to be changed, edit the configuration file then
refresh the service, as follows:
.sp
.in +2
.nf
example# \fBsvcadm refresh ike\fR
.fi
.in -2
.sp

.sp
.LP
The following properties are defined for the \fBike\fR service:
.sp
.ne 2
.na
\fB\fBconfig/admin_privilege\fR\fR
.ad
.sp .6
.RS 4n
Defines the level that \fBikeadm\fR(1M) invocations can change or observe the
running \fBin.iked\fR. The acceptable values for this property are the same as
those for the \fB-p\fR option. See the description of \fB-p\fR in
\fBOPTIONS\fR.
.RE

.sp
.ne 2
.na
\fB\fBconfig/config_file\fR\fR
.ad
.sp .6
.RS 4n
Defines the configuration file to use. The default value is
\fB/etc/inet/ike/config\fR. See \fBike.config\fR(4) for the format of this
file. This property has the same effect as the \fB-f\fR flag. See the
description of \fB-f\fR in \fBOPTIONS\fR.
.RE

.sp
.ne 2
.na
\fB\fBconfig/debug_level\fR\fR
.ad
.sp .6
.RS 4n
Defines the amount of debug output that is written to the \fBdebug_logfile\fR
file, described below. The default value for this is \fBop\fR or
\fBoperator\fR. This property controls the recording of information on events
such as re-reading the configuration file. Acceptable value for
\fBdebug_level\fR are listed in the \fBikeadm\fR(1M) man page. The value
\fBall\fR is equivalent to the \fB-d\fR flag. See the description of \fB-d\fR
in \fBOPTIONS\fR.
.RE

.sp
.ne 2
.na
\fB\fBconfig/debug_logfile\fR\fR
.ad
.sp .6
.RS 4n
Defines where debug output should be written. The messages written here are
from debug code within \fBin.iked\fR. Startup error messages are recorded by
the \fBsmf\fR(5) framework and recorded in a service-specific log file. Use any
of the following commands to examine the \fBlogfile\fR property:
.sp
.in +2
.nf
example# \fBsvcs -l ike\fR
example# \fBsvcprop ike\fR
example# \fBsvccfg -s ike listprop\fR
.fi
.in -2
.sp

The values for these log file properties might be different, in which case both
files should be inspected for errors.
.RE

.sp
.ne 2
.na
\fB\fBconfig/ignore_errors\fR\fR
.ad
.sp .6
.RS 4n
A boolean value that controls \fBin.iked\fR's behavior should the configuration
file have syntax errors. The default value is \fBfalse\fR, which causes
\fBin.iked\fR to enter maintenance mode if the configuration is invalid.
.sp
Setting this value to \fBtrue\fR causes the IKE service to stay online, but
correct operation requires the administrator to configure the running daemon
with \fBikeadm\fR(1M). This option is provided for compatibility with previous
releases.
.RE

.sp
.LP
These properties can be modified using \fBsvccfg\fR(1M) by users who have been
assigned the following authorization:
.sp
.in +2
.nf
solaris.smf.value.ipsec
.fi
.in -2
.sp

.sp
.LP
PKCS#11 token objects can be unlocked or locked by using \fBikeadm\fR token
login and \fBikeadm\fR token logout, respectively. Availability of private
keying material stored on these PKCS#11 token objects can be observed with:
\fBikeadm dump certcache\fR. The following authorizations allow users to log
into and out of PKCS#11 token objects:
.sp
.in +2
.nf
solaris.network.ipsec.ike.token.login
solaris.network.ipsec.ike.token.logout
.fi
.in -2
.sp

.sp
.LP
See \fBauths\fR(1), \fBikeadm\fR(1M), \fBuser_attr\fR(4), \fBrbac\fR(5).
.sp
.LP
The service needs to be refreshed using \fBsvcadm\fR(1M) before a new property
value is effective. General, non-modifiable properties can be viewed with the
\fBsvcprop\fR(1) command.
.sp
.in +2
.nf
# \fBsvccfg -s ipsec/ike setprop config/config_file = \e
/new/config_file\fR
# \fBsvcadm refresh ike\fR
.fi
.in -2
.sp

.sp
.LP
Administrative actions on this service, such as enabling, disabling,
refreshing, and requesting restart can be performed using \fBsvcadm\fR(1M). A
user who has been assigned the authorization shown below can perform these
actions:
.sp
.in +2
.nf
solaris.smf.manage.ipsec
.fi
.in -2
.sp

.sp
.LP
The service's status can be queried using the \fBsvcs\fR(1) command.
.sp
.LP
The \fBin.iked\fR daemon is designed to be run under \fBsmf\fR(5) management.
While the \fBin.iked\fR command can be run from the command line, this is
discouraged. If the \fBin.iked\fR command is to be run from the command line,
the \fBike\fR \fBsmf\fR(5) service should be disabled first. See
\fBsvcadm\fR(1M).
.SH OPTIONS
.sp
.LP
The following options are supported:
.sp
.ne 2
.na
\fB\fB-c\fR\fR
.ad
.RS 15n
Check the syntax of a configuration file.
.RE

.sp
.ne 2
.na
\fB\fB-d\fR\fR
.ad
.RS 15n
Use debug mode. The process stays attached to the controlling terminal and
produces large amounts of debugging output. This option is deprecated. See
"Service Management Facility" for more details.
.RE

.sp
.ne 2
.na
\fB\fB-f\fR \fIfilename\fR\fR
.ad
.RS 15n
Use \fIfilename\fR instead of \fB/etc/inet/ike/config\fR. See
\fBike.config\fR(4) for the format of this file. This option is deprecated. See
"Service Management Facility" for more details.
.RE

.sp
.ne 2
.na
\fB\fB-p\fR \fIlevel\fR\fR
.ad
.RS 15n
Specify privilege level (\fIlevel\fR). This option sets how much
\fBikeadm\fR(1M) invocations can change or observe about the running
\fBin.iked\fR.
.sp
Valid \fIlevels\fR are:
.sp
.ne 2
.na
\fB0\fR
.ad
.RS 5n
Base level
.RE

.sp
.ne 2
.na
\fB1\fR
.ad
.RS 5n
Access to preshared key info
.RE

.sp
.ne 2
.na
\fB2\fR
.ad
.RS 5n
Access to keying material
.RE

If \fB-p\fR is not specified, \fIlevel\fR defaults to \fB0\fR.
.sp
This option is deprecated. See "Service Management Facility" for more details.
.RE

.SH SECURITY
.sp
.LP
This program has sensitive private keying information in its image. Care should
be taken with any core dumps or system dumps of a running \fBin.iked\fR daemon,
as these files contain sensitive keying information. Use the \fBcoreadm\fR(1M)
command to limit any corefiles produced by \fBin.iked\fR.
.SH FILES
.sp
.ne 2
.na
\fB\fB/etc/inet/ike/config\fR\fR
.ad
.sp .6
.RS 4n
Default configuration file.
.RE

.sp
.ne 2
.na
\fB\fB/etc/inet/secret/ike.privatekeys/*\fR\fR
.ad
.sp .6
.RS 4n
Private keys. A private key \fBmust\fR have a matching public-key certificate
with the same filename in \fB/etc/inet/ike/publickeys/\fR.
.RE

.sp
.ne 2
.na
\fB\fB/etc/inet/ike/publickeys/*\fR\fR
.ad
.sp .6
.RS 4n
Public-key certificates. The names are only important with regard to matching
private key names.
.RE

.sp
.ne 2
.na
\fB\fB/etc/inet/ike/crls/*\fR\fR
.ad
.sp .6
.RS 4n
Public key certificate revocation lists.
.RE

.sp
.ne 2
.na
\fB\fB/etc/inet/secret/ike.preshared\fR\fR
.ad
.sp .6
.RS 4n
\fBIKE\fR pre-shared secrets for Phase I authentication.
.RE

.SH SEE ALSO
.sp
.LP
\fBsvcs\fR(1), \fBcoreadm\fR(1M), \fBikeadm\fR(1M), \fBikecert\fR(1M),
\fBsvccfg\fR(1M), \fBsvcadm\fR(1M), \fBike.config\fR(4), \fBattributes\fR(5),
\fBsmf\fR(5), \fBipsecesp\fR(7P), \fBpf_key\fR(7P)
.sp
.LP
Harkins, Dan and Carrel, Dave. \fIRFC 2409, Internet Key Exchange (IKE)\fR.
Network Working Group. November 1998.
.sp
.LP
Maughan, Douglas, Schertler, M., Schneider, M., Turner, J. \fIRFC 2408,
Internet Security Association and Key Management Protocol (ISAKMP)\fR. Network
Working Group. November 1998.
.sp
.LP
Piper, Derrell, \fIRFC 2407, The Internet IP Security Domain of Interpretation
for ISAKMP\fR. Network Working Group. November 1998.