42 \fBikeadm\fR [\fB-np\fR] [read | write] [rule | preshared | certcache] \fIfile\fR
43 .fi
44
45 .LP
46 .nf
47 \fBikeadm\fR [\fB-np\fR] [dump | pls | rule | preshared]
48 .fi
49
50 .LP
51 .nf
52 \fBikeadm\fR [\fB-np\fR] flush [p1 | certcache]
53 .fi
54
55 .LP
56 .nf
57 \fBikeadm\fR help
58 [get | set | add | del | read | write | dump | flush | token]
59 .fi
60
61 .SH DESCRIPTION
62 .sp
63 .LP
64 The \fBikeadm\fR utility retrieves information from and manipulates the
65 configuration of the Internet Key Exchange (\fBIKE\fR) protocol daemon,
66 \fBin.iked\fR(1M).
67 .sp
68 .LP
69 \fBikeadm\fR supports a set of operations, which may be performed on one or
70 more of the supported object types. When invoked without arguments,
71 \fBikeadm\fR enters interactive mode which prints a prompt to the standard
72 output and accepts commands from the standard input until the end-of-file is
73 reached.
74 .sp
75 .LP
76 Because \fBikeadm\fR manipulates sensitive keying information, you must be
77 superuser to use this command. Additionally, some of the commands available
78 require that the daemon be running in a privileged mode, which is established
79 when the daemon is started.
80 .sp
81 .LP
82 For details on how to use this command securely see .
83 .SH OPTIONS
84 .sp
85 .LP
86 The following options are supported:
87 .sp
88 .ne 2
89 .na
90 \fB\fB-n\fR\fR
91 .ad
92 .sp .6
93 .RS 4n
94 Prevent attempts to print host and network names symbolically when reporting
95 actions. This is useful, for example, when all name servers are down or are
96 otherwise unreachable.
97 .RE
98
99 .sp
100 .ne 2
101 .na
102 \fB\fB-p\fR\fR
103 .ad
104 .sp .6
105 .RS 4n
106 Paranoid. Do not print any keying material, even if saving Security
107 Associations. Instead of an actual hexadecimal digit, print an \fBX\fR when
108 this flag is turned on.
109 .RE
110
111 .SH USAGE
112 .SS "Commands"
113 .sp
114 .LP
115 The following commands are supported:
116 .sp
117 .ne 2
118 .na
119 \fB\fBadd\fR\fR
120 .ad
121 .sp .6
122 .RS 4n
123 Add the specified object. This option can be used to add a new policy rule or a
124 new preshared key to the current (running) in.iked configuration. When adding a
125 new preshared key, the command cannot be invoked from the command line, as it
126 will contain keying material. The rule or key being added is specified using
127 appropriate id-value pairs as described in the \fBID FORMATS\fR section.
128 .RE
129
130 .sp
131 .ne 2
132 .na
133 \fB\fBdel\fR\fR
239 .RS 4n
240 Log into a PKCS#11 token object and grant access to keying material or log out
241 and invalidate access to keying material.
242 .sp
243 \fBtoken\fR can be run as a normal user with the following authorizations:
244 .RS +4
245 .TP
246 .ie t \(bu
247 .el o
248 \fBtoken\fR login: \fBsolaris.network.ipsec.ike.token.login\fR
249 .RE
250 .RS +4
251 .TP
252 .ie t \(bu
253 .el o
254 \fBtoken\fR logout: \fBsolaris.network.ipsec.ike.token.logout\fR
255 .RE
256 .RE
257
258 .SS "Object Types"
259 .sp
260 .ne 2
261 .na
262 \fBdebug\fR
263 .ad
264 .sp .6
265 .RS 4n
266 Specifies the daemon's debug level. This determines the amount and type of
267 output provided by the daemon about its operations. The debug level is actually
268 a bitmask, with individual bits enabling different types of information.
269 .sp
270
271 .sp
272 .TS
273 c c c
274 l l l .
275 Description Flag Nickname
276 _
277 Certificate management 0x0001 cert
278 Key management 0x0002 key
279 Operational 0x0004 op
399 .el o
400 Count of all failed \fBP1\fR \fBSA\fRs where the peer was the initiator
401 .RE
402 .RS +4
403 .TP
404 .ie t \(bu
405 .el o
406 Whether a PKCS#11 library is in use, and if applicable, the PKCS#11 library
407 that is loaded. See .
408 .RE
409 .RE
410
411 .sp
412 .ne 2
413 .na
414 \fBdefaults\fR
415 .ad
416 .sp .6
417 .RS 4n
418 Display default values used by the \fBin.iked\fR daemon. Some values can be
419 overriden in the daemon configuration file (see \fBike.config\fR(4)); for these
420 values, the token name is displayed in the \fBget defaults\fR output. The
421 output will reflect where a configuration token has changed the default.
422 .sp
423 Default values might be ignored in the event a peer system makes a valid
424 alternative proposal or they can be overriden by per-rule values established in
425 \fBike.config\fR. In such instances, a \fBget defaults\fR command continues to
426 display the default values, not the values used to override the defaults.
427 .RE
428
429 .sp
430 .ne 2
431 .na
432 \fBp1\fR
433 .ad
434 .sp .6
435 .RS 4n
436 An \fBIKE\fR Phase 1 \fBSA\fR. A \fBp1\fR object is identified by an \fBIP\fR
437 address pair or a cookie pair; identification formats are described below.
438 .RE
439
440 .sp
441 .ne 2
442 .na
443 \fBrule\fR
444 .ad
445 .sp .6
446 .RS 4n
447 An \fBIKE\fR policy rule, defining the acceptable security characteristics for
448 Phase 1 \fBSA\fRs between specified local and remote identities. A rule is
449 identified by its label; identification formats are described below.
450 .RE
451
452 .sp
453 .ne 2
454 .na
455 \fBpreshared\fR
456 .ad
457 .sp .6
458 .RS 4n
459 A preshared key, including the local and remote identification and applicable
460 \fBIKE\fR mode. A preshared key is identified by an \fBIP\fR address pair or an
461 identity pair; identification formats are described below.
462 .RE
463
464 .SS "Id Formats"
465 .sp
466 .LP
467 Commands like \fBadd\fR, \fBdel\fR, and \fBget\fR require that additional
468 information be specified on the command line. In the case of the delete and get
469 commands, all that is required is to minimally identify a given object; for the
470 add command, the full object must be specified.
471 .sp
472 .LP
473 Minimal identification is accomplished in most cases by a pair of values. For
474 \fBIP\fR addresses, the local addr and then the remote addr are specified,
475 either in dot-notation for IPv4 addresses, colon-separated hexadecimal format
476 for IPv6 addresses, or a host name present in the host name database. If a host
477 name is given that expands to more than one address, the requested operation
478 will be performed multiple times, once for each possible combination of
479 addresses.
480 .sp
481 .LP
482 Identity pairs are made up of a local type-value pair, followed by the remote
483 type-value pair. Valid types are:
484 .sp
485 .ne 2
531 Synonym for \fBuser_fqdn\fR.
532 .RE
533
534 .sp
535 .LP
536 A cookie pair is made up of the two cookies assigned to a Phase 1 Security
537 Association (\fBSA\fR) when it is created; first is the initiator's, followed
538 by the responder's. A cookie is a 64-bit number.
539 .sp
540 .LP
541 Finally, a label (which is used to identify a policy rule) is a character
542 string assigned to the rule when it is created.
543 .sp
544 .LP
545 Formatting a rule or preshared key for the add command follows the format rules
546 for the in.iked configuration files. Both are made up of a series of id-value
547 pairs, contained in curly braces (\fB{\fR and \fB}\fR). See \fBike.config\fR(4)
548 and \fBike.preshared\fR(4) for details on the formatting of rules and preshared
549 keys.
550 .SH SECURITY
551 .sp
552 .LP
553 The \fBikeadm\fR command allows a privileged user to enter cryptographic keying
554 information. If an adversary gains access to such information, the security of
555 IPsec traffic is compromised. The following issues should be taken into account
556 when using the \fBikeadm\fR command.
557 .RS +4
558 .TP
559 .ie t \(bu
560 .el o
561 Is the \fBTTY\fR going over a network (interactive mode)?
562 .sp
563 If it is, then the security of the keying material is the security of the
564 network path for this \fBTTY\fR's traffic. Using \fBikeadm\fR over a clear-text
565 telnet or rlogin session is risky. Even local windows may be vulnerable to
566 attacks where a concealed program that reads window events is present.
567 .RE
568 .RS +4
569 .TP
570 .ie t \(bu
571 .el o
775 .sp
776
777 .LP
778 \fBExample 13 \fRLogging into a PKCS#11 Token
779 .sp
780 .LP
781 The following command shows logging into a PKCS#11 token object and unlocking
782 private keys:
783
784 .sp
785 .in +2
786 .nf
787 example# \fBikeadm token login "Sun Metaslot"\fR
788 Enter PIN for PKCS#11 token:
789 ikeadm: PKCS#11 operation successful
790 .fi
791 .in -2
792 .sp
793
794 .SH EXIT STATUS
795 .sp
796 .LP
797 The following exit values are returned:
798 .sp
799 .ne 2
800 .na
801 \fB\fB0\fR\fR
802 .ad
803 .RS 12n
804 Successful completion.
805 .RE
806
807 .sp
808 .ne 2
809 .na
810 \fB\fBnon-zero\fR\fR
811 .ad
812 .RS 12n
813 An error occurred. Writes an appropriate error message to standard error.
814 .RE
815
816 .SH ATTRIBUTES
817 .sp
818 .LP
819 See \fBattributes\fR(5) for descriptions of the following attributes:
820 .sp
821
822 .sp
823 .TS
824 box;
825 c | c
826 l | l .
827 ATTRIBUTE TYPE ATTRIBUTE VALUE
828 _
829 Interface Stability Not an Interface
830 .TE
831
832 .SH SEE ALSO
833 .sp
834 .LP
835 \fBin.iked\fR(1M), \fBike.config\fR(4), \fBike.preshared\fR(4),
836 \fBattributes\fR(5), \fBipsec\fR(7P)
837 .sp
838 .LP
839 Schneier, Bruce, \fIApplied Cryptography: Protocols, Algorithms, and Source
840 Code in C\fR, Second Edition, John Wiley & Sons, New York, NY, 1996.
841 .SH NOTES
842 .sp
843 .LP
844 As \fBin.iked\fR can run only in the global zone and exclusive-IP zones, this
845 command is not useful in shared-IP zones.
|
42 \fBikeadm\fR [\fB-np\fR] [read | write] [rule | preshared | certcache] \fIfile\fR
43 .fi
44
45 .LP
46 .nf
47 \fBikeadm\fR [\fB-np\fR] [dump | pls | rule | preshared]
48 .fi
49
50 .LP
51 .nf
52 \fBikeadm\fR [\fB-np\fR] flush [p1 | certcache]
53 .fi
54
55 .LP
56 .nf
57 \fBikeadm\fR help
58 [get | set | add | del | read | write | dump | flush | token]
59 .fi
60
61 .SH DESCRIPTION
62 .LP
63 The \fBikeadm\fR utility retrieves information from and manipulates the
64 configuration of the Internet Key Exchange (\fBIKE\fR) protocol daemon,
65 \fBin.iked\fR(1M).
66 .sp
67 .LP
68 \fBikeadm\fR supports a set of operations, which may be performed on one or
69 more of the supported object types. When invoked without arguments,
70 \fBikeadm\fR enters interactive mode which prints a prompt to the standard
71 output and accepts commands from the standard input until the end-of-file is
72 reached.
73 .sp
74 .LP
75 Because \fBikeadm\fR manipulates sensitive keying information, you must be
76 superuser to use this command. Additionally, some of the commands available
77 require that the daemon be running in a privileged mode, which is established
78 when the daemon is started.
79 .sp
80 .LP
81 For details on how to use this command securely see .
82 .SH OPTIONS
83 .LP
84 The following options are supported:
85 .sp
86 .ne 2
87 .na
88 \fB\fB-n\fR\fR
89 .ad
90 .sp .6
91 .RS 4n
92 Prevent attempts to print host and network names symbolically when reporting
93 actions. This is useful, for example, when all name servers are down or are
94 otherwise unreachable.
95 .RE
96
97 .sp
98 .ne 2
99 .na
100 \fB\fB-p\fR\fR
101 .ad
102 .sp .6
103 .RS 4n
104 Paranoid. Do not print any keying material, even if saving Security
105 Associations. Instead of an actual hexadecimal digit, print an \fBX\fR when
106 this flag is turned on.
107 .RE
108
109 .SH USAGE
110 .SS "Commands"
111 .LP
112 The following commands are supported:
113 .sp
114 .ne 2
115 .na
116 \fB\fBadd\fR\fR
117 .ad
118 .sp .6
119 .RS 4n
120 Add the specified object. This option can be used to add a new policy rule or a
121 new preshared key to the current (running) in.iked configuration. When adding a
122 new preshared key, the command cannot be invoked from the command line, as it
123 will contain keying material. The rule or key being added is specified using
124 appropriate id-value pairs as described in the \fBID FORMATS\fR section.
125 .RE
126
127 .sp
128 .ne 2
129 .na
130 \fB\fBdel\fR\fR
236 .RS 4n
237 Log into a PKCS#11 token object and grant access to keying material or log out
238 and invalidate access to keying material.
239 .sp
240 \fBtoken\fR can be run as a normal user with the following authorizations:
241 .RS +4
242 .TP
243 .ie t \(bu
244 .el o
245 \fBtoken\fR login: \fBsolaris.network.ipsec.ike.token.login\fR
246 .RE
247 .RS +4
248 .TP
249 .ie t \(bu
250 .el o
251 \fBtoken\fR logout: \fBsolaris.network.ipsec.ike.token.logout\fR
252 .RE
253 .RE
254
255 .SS "Object Types"
256 .ne 2
257 .na
258 \fBdebug\fR
259 .ad
260 .sp .6
261 .RS 4n
262 Specifies the daemon's debug level. This determines the amount and type of
263 output provided by the daemon about its operations. The debug level is actually
264 a bitmask, with individual bits enabling different types of information.
265 .sp
266
267 .sp
268 .TS
269 c c c
270 l l l .
271 Description Flag Nickname
272 _
273 Certificate management 0x0001 cert
274 Key management 0x0002 key
275 Operational 0x0004 op
395 .el o
396 Count of all failed \fBP1\fR \fBSA\fRs where the peer was the initiator
397 .RE
398 .RS +4
399 .TP
400 .ie t \(bu
401 .el o
402 Whether a PKCS#11 library is in use, and if applicable, the PKCS#11 library
403 that is loaded. See .
404 .RE
405 .RE
406
407 .sp
408 .ne 2
409 .na
410 \fBdefaults\fR
411 .ad
412 .sp .6
413 .RS 4n
414 Display default values used by the \fBin.iked\fR daemon. Some values can be
415 overridden in the daemon configuration file (see \fBike.config\fR(4)); for these
416 values, the token name is displayed in the \fBget defaults\fR output. The
417 output will reflect where a configuration token has changed the default.
418 .sp
419 Default values might be ignored in the event a peer system makes a valid
420 alternative proposal or they can be overridden by per-rule values established in
421 \fBike.config\fR. In such instances, a \fBget defaults\fR command continues to
422 display the default values, not the values used to override the defaults.
423 .RE
424
425 .sp
426 .ne 2
427 .na
428 \fBp1\fR
429 .ad
430 .sp .6
431 .RS 4n
432 An \fBIKE\fR Phase 1 \fBSA\fR. A \fBp1\fR object is identified by an \fBIP\fR
433 address pair or a cookie pair; identification formats are described below.
434 .RE
435
436 .sp
437 .ne 2
438 .na
439 \fBrule\fR
440 .ad
441 .sp .6
442 .RS 4n
443 An \fBIKE\fR policy rule, defining the acceptable security characteristics for
444 Phase 1 \fBSA\fRs between specified local and remote identities. A rule is
445 identified by its label; identification formats are described below.
446 .RE
447
448 .sp
449 .ne 2
450 .na
451 \fBpreshared\fR
452 .ad
453 .sp .6
454 .RS 4n
455 A preshared key, including the local and remote identification and applicable
456 \fBIKE\fR mode. A preshared key is identified by an \fBIP\fR address pair or an
457 identity pair; identification formats are described below.
458 .RE
459
460 .SS "Id Formats"
461 .LP
462 Commands like \fBadd\fR, \fBdel\fR, and \fBget\fR require that additional
463 information be specified on the command line. In the case of the delete and get
464 commands, all that is required is to minimally identify a given object; for the
465 add command, the full object must be specified.
466 .sp
467 .LP
468 Minimal identification is accomplished in most cases by a pair of values. For
469 \fBIP\fR addresses, the local addr and then the remote addr are specified,
470 either in dot-notation for IPv4 addresses, colon-separated hexadecimal format
471 for IPv6 addresses, or a host name present in the host name database. If a host
472 name is given that expands to more than one address, the requested operation
473 will be performed multiple times, once for each possible combination of
474 addresses.
475 .sp
476 .LP
477 Identity pairs are made up of a local type-value pair, followed by the remote
478 type-value pair. Valid types are:
479 .sp
480 .ne 2
526 Synonym for \fBuser_fqdn\fR.
527 .RE
528
529 .sp
530 .LP
531 A cookie pair is made up of the two cookies assigned to a Phase 1 Security
532 Association (\fBSA\fR) when it is created; first is the initiator's, followed
533 by the responder's. A cookie is a 64-bit number.
534 .sp
535 .LP
536 Finally, a label (which is used to identify a policy rule) is a character
537 string assigned to the rule when it is created.
538 .sp
539 .LP
540 Formatting a rule or preshared key for the add command follows the format rules
541 for the in.iked configuration files. Both are made up of a series of id-value
542 pairs, contained in curly braces (\fB{\fR and \fB}\fR). See \fBike.config\fR(4)
543 and \fBike.preshared\fR(4) for details on the formatting of rules and preshared
544 keys.
545 .SH SECURITY
546 .LP
547 The \fBikeadm\fR command allows a privileged user to enter cryptographic keying
548 information. If an adversary gains access to such information, the security of
549 IPsec traffic is compromised. The following issues should be taken into account
550 when using the \fBikeadm\fR command.
551 .RS +4
552 .TP
553 .ie t \(bu
554 .el o
555 Is the \fBTTY\fR going over a network (interactive mode)?
556 .sp
557 If it is, then the security of the keying material is the security of the
558 network path for this \fBTTY\fR's traffic. Using \fBikeadm\fR over a clear-text
559 telnet or rlogin session is risky. Even local windows may be vulnerable to
560 attacks where a concealed program that reads window events is present.
561 .RE
562 .RS +4
563 .TP
564 .ie t \(bu
565 .el o
769 .sp
770
771 .LP
772 \fBExample 13 \fRLogging into a PKCS#11 Token
773 .sp
774 .LP
775 The following command shows logging into a PKCS#11 token object and unlocking
776 private keys:
777
778 .sp
779 .in +2
780 .nf
781 example# \fBikeadm token login "Sun Metaslot"\fR
782 Enter PIN for PKCS#11 token:
783 ikeadm: PKCS#11 operation successful
784 .fi
785 .in -2
786 .sp
787
788 .SH EXIT STATUS
789 .LP
790 The following exit values are returned:
791 .sp
792 .ne 2
793 .na
794 \fB\fB0\fR\fR
795 .ad
796 .RS 12n
797 Successful completion.
798 .RE
799
800 .sp
801 .ne 2
802 .na
803 \fB\fBnon-zero\fR\fR
804 .ad
805 .RS 12n
806 An error occurred. Writes an appropriate error message to standard error.
807 .RE
808
809 .SH ATTRIBUTES
810 .LP
811 See \fBattributes\fR(5) for descriptions of the following attributes:
812 .sp
813
814 .sp
815 .TS
816 box;
817 c | c
818 l | l .
819 ATTRIBUTE TYPE ATTRIBUTE VALUE
820 _
821 Interface Stability Not an Interface
822 .TE
823
824 .SH SEE ALSO
825 .LP
826 \fBin.iked\fR(1M), \fBike.config\fR(4), \fBike.preshared\fR(4),
827 \fBattributes\fR(5), \fBipsec\fR(7P)
828 .sp
829 .LP
830 Schneier, Bruce, \fIApplied Cryptography: Protocols, Algorithms, and Source
831 Code in C\fR, Second Edition, John Wiley & Sons, New York, NY, 1996.
832 .SH NOTES
833 .LP
834 As \fBin.iked\fR can run only in the global zone and exclusive-IP zones, this
835 command is not useful in shared-IP zones.
|