10057 Man page misspellings ouput particuliar overriden
Reviewed by: Gergő Mihály Doma <domag02@gmail.com>
--- old/usr/src/man/man1m/ikeadm.1m
+++ new/usr/src/man/man1m/ikeadm.1m
1 1 '\" te
2 2 .\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
3 3 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
4 4 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
5 5 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
6 6 .TH IKEADM 1M "Jan 27, 2009"
7 7 .SH NAME
8 8 ikeadm \- manipulate Internet Key Exchange (IKE) parameters and state
9 9 .SH SYNOPSIS
10 10 .LP
11 11 .nf
12 12 \fBikeadm\fR [\fB-np\fR]
13 13 .fi
14 14
15 15 .LP
16 16 .nf
17 17 \fBikeadm\fR [\fB-np\fR] get [debug | priv | stats | defaults]
18 18 .fi
19 19
20 20 .LP
21 21 .nf
22 22 \fBikeadm\fR [\fB-np\fR] set [debug | priv] [level] [file]
23 23 .fi
24 24
25 25 .LP
26 26 .nf
27 27 \fBikeadm\fR [\fB-np\fR] [get | del] [p1 | rule | preshared] [id]
28 28 .fi
29 29
30 30 .LP
31 31 .nf
32 32 \fBikeadm\fR [\fB-np\fR] add [rule | preshared] { \fIdescription\fR }
33 33 .fi
34 34
35 35 .LP
36 36 .nf
37 37 ikeadm [\fB-np\fR] token [login | logout] \fIPKCS#11_Token_Object\fR
38 38 .fi
39 39
40 40 .LP
41 41 .nf
42 42 \fBikeadm\fR [\fB-np\fR] [read | write] [rule | preshared | certcache] \fIfile\fR
43 43 .fi
44 44
45 45 .LP
46 46 .nf
47 47 \fBikeadm\fR [\fB-np\fR] [dump | pls | rule | preshared]
48 48 .fi
49 49
50 50 .LP
51 51 .nf
52 52 \fBikeadm\fR [\fB-np\fR] flush [p1 | certcache]
53 53 .fi
54 54
55 55 .LP
56 56 .nf
57 57 \fBikeadm\fR help
58 58 [get | set | add | del | read | write | dump | flush | token]
59 59 .fi
60 60
61 61 .SH DESCRIPTION
62 -.sp
63 62 .LP
64 63 The \fBikeadm\fR utility retrieves information from and manipulates the
65 64 configuration of the Internet Key Exchange (\fBIKE\fR) protocol daemon,
66 65 \fBin.iked\fR(1M).
67 66 .sp
68 67 .LP
69 68 \fBikeadm\fR supports a set of operations, which may be performed on one or
70 69 more of the supported object types. When invoked without arguments,
71 70 \fBikeadm\fR enters interactive mode which prints a prompt to the standard
72 71 output and accepts commands from the standard input until the end-of-file is
73 72 reached.
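Review bot: The removed `.sp` after `.SH DESCRIPTION` (and the matching removals after the other `.SH`/`.SS` headers further down the file) is a whitespace cleanup that the commit title, which lists only misspellings, does not mention. It is harmless, and it brings these headers in line with SYNOPSIS and EXAMPLES, which already go straight to `.LP`, but the commit message should say that the stray `.sp` lines are being dropped too so the change is not mistaken for a pure spelling fix.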
74 73 .sp
75 74 .LP
76 75 Because \fBikeadm\fR manipulates sensitive keying information, you must be
77 76 superuser to use this command. Additionally, some of the commands available
78 77 require that the daemon be running in a privileged mode, which is established
79 78 when the daemon is started.
80 79 .sp
81 80 .LP
82 81 For details on how to use this command securely see .
83 82 .SH OPTIONS
84 -.sp
85 83 .LP
86 84 The following options are supported:
87 85 .sp
88 86 .ne 2
89 87 .na
90 88 \fB\fB-n\fR\fR
91 89 .ad
92 90 .sp .6
93 91 .RS 4n
94 92 Prevent attempts to print host and network names symbolically when reporting
95 93 actions. This is useful, for example, when all name servers are down or are
96 94 otherwise unreachable.
97 95 .RE
98 96
99 97 .sp
100 98 .ne 2
101 99 .na
102 100 \fB\fB-p\fR\fR
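Review bot: The sentence `For details on how to use this command securely see .` has an empty cross-reference (the text before the period is missing). That was already true before this change, but it is exactly the kind of defect a man page cleanup should pick up. The obvious target is this page's own SECURITY section, so something like `see the \fBSECURITY\fR section below.` would close the gap; if the original referred to an external document instead, that name needs to be restored.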
103 101 .ad
104 102 .sp .6
105 103 .RS 4n
106 104 Paranoid. Do not print any keying material, even if saving Security
107 105 Associations. Instead of an actual hexadecimal digit, print an \fBX\fR when
108 106 this flag is turned on.
109 107 .RE
110 108
111 109 .SH USAGE
112 110 .SS "Commands"
113 -.sp
114 111 .LP
115 112 The following commands are supported:
116 113 .sp
117 114 .ne 2
118 115 .na
119 116 \fB\fBadd\fR\fR
120 117 .ad
121 118 .sp .6
122 119 .RS 4n
123 120 Add the specified object. This option can be used to add a new policy rule or a
124 121 new preshared key to the current (running) in.iked configuration. When adding a
125 122 new preshared key, the command cannot be invoked from the command line, as it
126 123 will contain keying material. The rule or key being added is specified using
127 124 appropriate id-value pairs as described in the \fBID FORMATS\fR section.
128 125 .RE
129 126
130 127 .sp
131 128 .ne 2
132 129 .na
133 130 \fB\fBdel\fR\fR
134 131 .ad
135 132 .sp .6
136 133 .RS 4n
137 134 Delete a specific object or objects from \fBin.iked\fR's current configuration.
138 135 This operation is available for \fBIKE\fR (Phase 1) \fBSA\fRs, policy rules,
139 136 and preshared keys. The object to be deleted is specified as described in the
140 137 \fBId Formats\fR.
141 138 .RE
142 139
143 140 .sp
144 141 .ne 2
145 142 .na
146 143 \fB\fBdump\fR\fR
147 144 .ad
148 145 .sp .6
149 146 .RS 4n
150 147 Display all objects of the specified type known to \fBin.iked\fR. This option
151 148 can be used to display all Phase 1 \fBSA\fRs, policy rules, preshared keys, or
152 149 the certificate cache. A large amount of output may be generated by this
153 150 command.
154 151 .RE
155 152
156 153 .sp
157 154 .ne 2
158 155 .na
159 156 \fB\fBflush\fR\fR
160 157 .ad
161 158 .sp .6
162 159 .RS 4n
163 160 Remove all \fBIKE\fR (Phase 1) \fBSA\fRs or cached certificates from
164 161 \fBin.iked\fR.
165 162 .sp
166 163 Note that flushing the \fBcertcache\fR will also (as a side-effect) update IKE
167 164 with any new certificates added or removed.
168 165 .RE
169 166
170 167 .sp
171 168 .ne 2
172 169 .na
173 170 \fB\fBget\fR\fR
174 171 .ad
175 172 .sp .6
176 173 .RS 4n
177 174 Lookup and display the specified object. May be used to view the current debug
178 175 or privilege level, global statistics and default values for the daemon, or a
179 176 specific \fBIKE\fR (Phase 1) \fBSA\fR, policy rule, or preshared key. The
180 177 latter three object types require that identifying information be passed in;
181 178 the appropriate specification for each object type is described below.
182 179 .RE
183 180
184 181 .sp
185 182 .ne 2
186 183 .na
187 184 \fB\fBhelp\fR\fR
188 185 .ad
189 186 .sp .6
190 187 .RS 4n
191 188 Print a brief summary of commands, or, when followed by a command, prints
192 189 information about that command.
193 190 .RE
194 191
195 192 .sp
196 193 .ne 2
197 194 .na
198 195 \fB\fBread\fR\fR
199 196 .ad
200 197 .sp .6
201 198 .RS 4n
202 199 Update the current \fBin.iked\fR configuration by reading the policy rules or
203 200 preshared keys from either the default location or from the file specified.
204 201 .RE
205 202
206 203 .sp
207 204 .ne 2
208 205 .na
209 206 \fB\fBset\fR\fR
210 207 .ad
211 208 .sp .6
212 209 .RS 4n
213 210 Adjust the current debug or privilege level. If the debug level is being
214 211 modified, an output file may optionally be specified; the output file
215 212 \fBmust\fR be specified if the daemon is running in the background and is not
216 213 currently printing to a file. When changing the privilege level, adjustments
217 214 may only be made to lower the access level; it cannot be increased using
218 215 ikeadm.
219 216 .RE
220 217
221 218 .sp
222 219 .ne 2
223 220 .na
224 221 \fB\fBwrite\fR\fR
225 222 .ad
226 223 .sp .6
227 224 .RS 4n
228 225 Write the current \fBin.iked\fR policy rule set or preshared key set to the
229 226 specified file. A destination file must be specified. This command should not
230 227 be used to overwrite the existing configuration files.
231 228 .RE
232 229
233 230 .sp
234 231 .ne 2
235 232 .na
236 233 \fB\fBtoken\fR\fR
237 234 .ad
238 235 .sp .6
239 236 .RS 4n
240 237 Log into a PKCS#11 token object and grant access to keying material or log out
241 238 and invalidate access to keying material.
242 239 .sp
243 240 \fBtoken\fR can be run as a normal user with the following authorizations:
244 241 .RS +4
245 242 .TP
246 243 .ie t \(bu
247 244 .el o
248 245 \fBtoken\fR login: \fBsolaris.network.ipsec.ike.token.login\fR
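Review bot: The references to the "Id Formats" subsection are inconsistent within the Commands list: the `add` entry says `as described in the \fBID FORMATS\fR section` while the `del` entry says `as described in the \fBId Formats\fR.`, and the heading itself is `.SS "Id Formats"`. Since this change is a wording cleanup, it would be worth using the heading's capitalisation in both places and adding the word "section" to the `del` entry. Also, `Lookup and display the specified object` under `get` should read `Look up and display` (verb, not noun).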
249 246 .RE
250 247 .RS +4
251 248 .TP
252 249 .ie t \(bu
253 250 .el o
254 251 \fBtoken\fR logout: \fBsolaris.network.ipsec.ike.token.logout\fR
255 252 .RE
256 253 .RE
257 254
258 255 .SS "Object Types"
259 -.sp
260 256 .ne 2
261 257 .na
262 258 \fBdebug\fR
263 259 .ad
264 260 .sp .6
265 261 .RS 4n
266 262 Specifies the daemon's debug level. This determines the amount and type of
267 263 output provided by the daemon about its operations. The debug level is actually
268 264 a bitmask, with individual bits enabling different types of information.
269 265 .sp
270 266
271 267 .sp
272 268 .TS
273 269 c c c
274 270 l l l .
275 271 Description Flag Nickname
276 272 _
277 273 Certificate management 0x0001 cert
278 274 Key management 0x0002 key
279 275 Operational 0x0004 op
280 276 Phase 1 SA creation 0x0008 phase1
281 277 Phase 2 SA creation 0x0010 phase2
282 278 PF_KEY interface 0x0020 pfkey
283 279 Policy management 0x0040 policy
284 280 Proposal construction 0x0080 prop
285 281 Door interface 0x0100 door
286 282 Config file processing 0x0200 config
287 283 All debug flags 0x3ff all
288 284 .TE
289 285
290 286 When specifying the debug level, either a number (decimal or hexadecimal) or a
291 287 string of nicknames may be given. For example, \fB88\fR, \fB0x58\fR, and
292 288 \fBphase1\fR+\fBphase2\fR+\fBpolicy\fR are all equivalent, and will turn on
293 289 debug for \fBphase 1\fR \fBsa\fR creation, \fBphase 2 sa\fR creation, and
294 290 policy management. A string of nicknames may also be used to remove certain
295 291 types of information; \fBall-op\fR has the effect of turning on all debug
296 292 \fBexcept\fR for operational messages; it is equivalent to the numbers
297 293 \fB1019\fR or \fB0x3fb\fR.
298 294 .RE
299 295
300 296 .sp
301 297 .ne 2
302 298 .na
303 299 \fBpriv\fR
304 300 .ad
305 301 .sp .6
306 302 .RS 4n
307 303 Specifies the daemon's access privilege level. The possible values are:
308 304 .sp
309 305 .in +2
310 306 .nf
311 307 Description Level Nickname
312 308 Base level 0 base
313 309 Access to preshared key info 1 modkeys
314 310 Access to keying material 2 keymat
315 311 .fi
316 312 .in -2
317 313 .sp
318 314
319 315 By default, \fBin.iked\fR is started at the base level. A command-line option
320 316 can be used to start the daemon at a higher level. \fBikeadm\fR can be used to
321 317 lower the level, but it cannot be used to raise the level.
322 318 .sp
323 319 Either the numerical level or the nickname may be used to specify the target
324 320 privilege level.
325 321 .sp
326 322 In order to get, add, delete, dump, read, or write preshared keys, the
327 323 privilege level must at least give access to preshared key information.
328 324 However, when viewing preshared keys (either using the get or dump command),
329 325 the key itself will only be available if the privilege level gives access to
330 326 keying material. This is also the case when viewing Phase 1 \fBSA\fRs.
331 327 .RE
332 328
333 329 .sp
334 330 .ne 2
335 331 .na
336 332 \fBstats\fR
337 333 .ad
338 334 .sp .6
339 335 .RS 4n
340 336 Global statistics from the daemon, covering both successful and failed Phase 1
341 337 \fBSA\fR creation.
342 338 .sp
343 339 Reported statistics include:
344 340 .RS +4
345 341 .TP
346 342 .ie t \(bu
347 343 .el o
348 344 Count of current P1 \fBSA\fRs which the local entity initiated
349 345 .RE
350 346 .RS +4
351 347 .TP
352 348 .ie t \(bu
353 349 .el o
354 350 Count of current P1 \fBSA\fRs where the local entity was the responder
355 351 .RE
356 352 .RS +4
357 353 .TP
358 354 .ie t \(bu
359 355 .el o
360 356 Count of all P1 \fBSA\fRs which the local entity initiated since boot
361 357 .RE
362 358 .RS +4
363 359 .TP
364 360 .ie t \(bu
365 361 .el o
366 362 Count of all P1 \fBSA\fRs where the local entity was the responder since boot
367 363 .RE
368 364 .RS +4
369 365 .TP
370 366 .ie t \(bu
371 367 .el o
372 368 Count of all attempted \fBP1\fR \fBSA\fRs since boot, where the local entity
373 369 was the initiator; includes failed attempts
374 370 .RE
375 371 .RS +4
376 372 .TP
377 373 .ie t \(bu
378 374 .el o
379 375 Count of all attempted P1 \fBSA\fRs since boot, where the local entity was the
380 376 responder; includes failed attempts
381 377 .RE
382 378 .RS +4
383 379 .TP
384 380 .ie t \(bu
385 381 .el o
386 382 Count of all failed attempts to initiate a \fBP1\fR \fBSA\fR, where the failure
387 383 occurred because the peer did not respond
388 384 .RE
389 385 .RS +4
390 386 .TP
391 387 .ie t \(bu
392 388 .el o
393 389 Count of all failed attempts to initiate a P1 \fBSA\fR, where the peer
394 390 responded
395 391 .RE
396 392 .RS +4
397 393 .TP
398 394 .ie t \(bu
399 395 .el o
400 396 Count of all failed \fBP1\fR \fBSA\fRs where the peer was the initiator
401 397 .RE
402 398 .RS +4
403 399 .TP
404 400 .ie t \(bu
405 401 .el o
406 402 Whether a PKCS#11 library is in use, and if applicable, the PKCS#11 library
407 403 that is loaded. See .
408 404 .RE
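Review bot: `that is loaded. See .` in the last `stats` bullet is another empty cross-reference in the context of this hunk; the referenced page or section name has been lost and should be restored rather than left as a bare `See .`. The removed `.sp` after `.SS "Object Types"` is fine and matches the other header cleanups in this change.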
409 405 .RE
410 406
411 407 .sp
412 408 .ne 2
413 409 .na
414 410 \fBdefaults\fR
415 411 .ad
416 412 .sp .6
417 413 .RS 4n
418 414 Display default values used by the \fBin.iked\fR daemon. Some values can be
419 -overriden in the daemon configuration file (see \fBike.config\fR(4)); for these
415 +overridden in the daemon configuration file (see \fBike.config\fR(4)); for these
420 416 values, the token name is displayed in the \fBget defaults\fR output. The
421 417 output will reflect where a configuration token has changed the default.
422 418 .sp
423 419 Default values might be ignored in the event a peer system makes a valid
424 -alternative proposal or they can be overriden by per-rule values established in
420 +alternative proposal or they can be overridden by per-rule values established in
425 421 \fBike.config\fR. In such instances, a \fBget defaults\fR command continues to
426 422 display the default values, not the values used to override the defaults.
427 423 .RE
428 424
429 425 .sp
430 426 .ne 2
431 427 .na
432 428 \fBp1\fR
433 429 .ad
434 430 .sp .6
435 431 .RS 4n
436 432 An \fBIKE\fR Phase 1 \fBSA\fR. A \fBp1\fR object is identified by an \fBIP\fR
437 433 address pair or a cookie pair; identification formats are described below.
438 434 .RE
439 435
440 436 .sp
441 437 .ne 2
442 438 .na
443 439 \fBrule\fR
444 440 .ad
445 441 .sp .6
446 442 .RS 4n
447 443 An \fBIKE\fR policy rule, defining the acceptable security characteristics for
448 444 Phase 1 \fBSA\fRs between specified local and remote identities. A rule is
449 445 identified by its label; identification formats are described below.
450 446 .RE
451 447
452 448 .sp
453 449 .ne 2
454 450 .na
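Review bot: Both occurrences of `overriden` in the `defaults` description are corrected to `overridden`, and the rest of this file contains no others, so this file is complete for that word. The other two misspellings in the commit title, `ouput` and `particuliar`, do not appear anywhere in ikeadm.1m, so they must be in other files of the change; it would help to name those files in the review so it is clear this one only carries the `overridden` fix (plus the `.sp` cleanups).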
455 451 \fBpreshared\fR
456 452 .ad
457 453 .sp .6
458 454 .RS 4n
459 455 A preshared key, including the local and remote identification and applicable
460 456 \fBIKE\fR mode. A preshared key is identified by an \fBIP\fR address pair or an
461 457 identity pair; identification formats are described below.
462 458 .RE
463 459
464 460 .SS "Id Formats"
465 -.sp
466 461 .LP
467 462 Commands like \fBadd\fR, \fBdel\fR, and \fBget\fR require that additional
468 463 information be specified on the command line. In the case of the delete and get
469 464 commands, all that is required is to minimally identify a given object; for the
470 465 add command, the full object must be specified.
471 466 .sp
472 467 .LP
473 468 Minimal identification is accomplished in most cases by a pair of values. For
474 469 \fBIP\fR addresses, the local addr and then the remote addr are specified,
475 470 either in dot-notation for IPv4 addresses, colon-separated hexadecimal format
476 471 for IPv6 addresses, or a host name present in the host name database. If a host
477 472 name is given that expands to more than one address, the requested operation
478 473 will be performed multiple times, once for each possible combination of
479 474 addresses.
480 475 .sp
481 476 .LP
482 477 Identity pairs are made up of a local type-value pair, followed by the remote
483 478 type-value pair. Valid types are:
484 479 .sp
485 480 .ne 2
486 481 .na
487 482 \fBprefix\fR
488 483 .ad
489 484 .sp .6
490 485 .RS 4n
491 486 An address prefix.
492 487 .RE
493 488
494 489 .sp
495 490 .ne 2
496 491 .na
497 492 \fBfqdn\fR
498 493 .ad
499 494 .sp .6
500 495 .RS 4n
501 496 A fully-qualified domain name.
502 497 .RE
503 498
504 499 .sp
505 500 .ne 2
506 501 .na
507 502 \fBdomain\fR
508 503 .ad
509 504 .sp .6
510 505 .RS 4n
511 506 Domain name, synonym for fqdn.
512 507 .RE
513 508
514 509 .sp
515 510 .ne 2
516 511 .na
517 512 \fBuser_fqdn\fR
518 513 .ad
519 514 .sp .6
520 515 .RS 4n
521 516 User identity of the form \fIuser\fR@fqdn.
522 517 .RE
523 518
524 519 .sp
525 520 .ne 2
526 521 .na
527 522 \fBmailbox\fR
528 523 .ad
529 524 .sp .6
530 525 .RS 4n
531 526 Synonym for \fBuser_fqdn\fR.
532 527 .RE
533 528
534 529 .sp
535 530 .LP
536 531 A cookie pair is made up of the two cookies assigned to a Phase 1 Security
537 532 Association (\fBSA\fR) when it is created; first is the initiator's, followed
538 533 by the responder's. A cookie is a 64-bit number.
539 534 .sp
540 535 .LP
541 536 Finally, a label (which is used to identify a policy rule) is a character
542 537 string assigned to the rule when it is created.
543 538 .sp
544 539 .LP
545 540 Formatting a rule or preshared key for the add command follows the format rules
546 541 for the in.iked configuration files. Both are made up of a series of id-value
547 542 pairs, contained in curly braces (\fB{\fR and \fB}\fR). See \fBike.config\fR(4)
548 543 and \fBike.preshared\fR(4) for details on the formatting of rules and preshared
549 544 keys.
550 545 .SH SECURITY
551 -.sp
552 546 .LP
553 547 The \fBikeadm\fR command allows a privileged user to enter cryptographic keying
554 548 information. If an adversary gains access to such information, the security of
555 549 IPsec traffic is compromised. The following issues should be taken into account
556 550 when using the \fBikeadm\fR command.
557 551 .RS +4
558 552 .TP
559 553 .ie t \(bu
560 554 .el o
561 555 Is the \fBTTY\fR going over a network (interactive mode)?
562 556 .sp
563 557 If it is, then the security of the keying material is the security of the
564 558 network path for this \fBTTY\fR's traffic. Using \fBikeadm\fR over a clear-text
565 559 telnet or rlogin session is risky. Even local windows may be vulnerable to
566 560 attacks where a concealed program that reads window events is present.
567 561 .RE
568 562 .RS +4
569 563 .TP
570 564 .ie t \(bu
571 565 .el o
572 566 Is the file accessed over the network or readable to the world (read/write
573 567 commands)?
574 568 .sp
575 569 A network-mounted file can be sniffed by an adversary as it is being read. A
576 570 world-readable file with keying material in it is also risky.
577 571 .RE
578 572 .sp
579 573 .LP
580 574 If your source address is a host that can be looked up over the network, and
581 575 your naming system itself is compromised, then any names used will no longer be
582 576 trustworthy.
583 577 .sp
584 578 .LP
585 579 Security weaknesses often lie in misapplication of tools, not the tools
586 580 themselves. It is recommended that administrators are cautious when using the
587 581 \fBikeadm\fR command. The safest mode of operation is probably on a console, or
588 582 other hard-connected \fBTTY\fR.
589 583 .sp
590 584 .LP
591 585 For additional information regarding this subject, see the afterward by Matt
592 586 Blaze in Bruce Schneier's \fIApplied Cryptography: Protocols, Algorithms, and
593 587 Source Code in C.\fR
594 588 .SH EXAMPLES
595 589 .LP
596 590 \fBExample 1 \fREmptying out all Phase 1 Security Associations
597 591 .sp
598 592 .LP
599 593 The following command empties out all Phase 1 Security Associations:
600 594
601 595 .sp
602 596 .in +2
603 597 .nf
604 598 example# \fBikeadm flush p1\fR
605 599 .fi
606 600 .in -2
607 601 .sp
608 602
609 603 .LP
610 604 \fBExample 2 \fRDisplaying all Phase 1 Security Associations
611 605 .sp
612 606 .LP
613 607 The following command displays all Phase 1 Security Associations:
614 608
615 609 .sp
616 610 .in +2
617 611 .nf
618 612 example# \fBikeadm dump p1\fR
619 613 .fi
620 614 .in -2
621 615 .sp
622 616
623 617 .LP
624 618 \fBExample 3 \fRDeleting a Specific Phase 1 Security Association
625 619 .sp
626 620 .LP
627 621 The following command deletes the specified Phase 1 Security Associations:
628 622
629 623 .sp
630 624 .in +2
631 625 .nf
632 626 example# \fBikeadm del p1 local_ip remote_ip\fR
633 627 .fi
634 628 .in -2
635 629 .sp
636 630
637 631 .LP
638 632 \fBExample 4 \fRAdding a Rule From a File
639 633 .sp
640 634 .LP
641 635 The following command adds a rule from a file:
642 636
643 637 .sp
644 638 .in +2
645 639 .nf
646 640 example# \fBikeadm add rule rule_file\fR
647 641 .fi
648 642 .in -2
649 643 .sp
650 644
651 645 .LP
652 646 \fBExample 5 \fRAdding a Preshared Key
653 647 .sp
654 648 .LP
655 649 The following command adds a preshared key:
656 650
657 651 .sp
658 652 .in +2
659 653 .nf
660 654 example# \fBikeadm\fR
661 655 ikeadm> \fBadd preshared { localidtype ip localid local_ip
662 656 remoteidtype ip remoteid remote_ip ike_mode main
663 657 key 1234567890abcdef1234567890abcdef }\fR
664 658 .fi
665 659 .in -2
666 660 .sp
667 661
668 662 .LP
669 663 \fBExample 6 \fRSaving All Preshared Keys to a File
670 664 .sp
671 665 .LP
672 666 The following command saves all preshared keys to a file:
673 667
674 668 .sp
675 669 .in +2
676 670 .nf
677 671 example# \fBikeadm write preshared target_file\fR
678 672 .fi
679 673 .in -2
680 674 .sp
681 675
682 676 .LP
683 677 \fBExample 7 \fRViewing a Particular Rule
684 678 .sp
685 679 .LP
686 680 The following command views a particular rule:
687 681
688 682 .sp
689 683 .in +2
690 684 .nf
691 685 example# \fBikeadm get rule rule_label\fR
692 686 .fi
693 687 .in -2
694 688 .sp
695 689
696 690 .LP
697 691 \fBExample 8 \fRReading in New Rules from \fBike.config\fR
698 692 .sp
699 693 .LP
700 694 The following command reads in new rules from the ike.config file:
701 695
702 696 .sp
703 697 .in +2
704 698 .nf
705 699 example# \fBikeadm read rules\fR
706 700 .fi
707 701 .in -2
708 702 .sp
709 703
710 704 .LP
711 705 \fBExample 9 \fRLowering the Privilege Level
712 706 .sp
713 707 .LP
714 708 The following command lowers the privilege level:
715 709
716 710 .sp
717 711 .in +2
718 712 .nf
719 713 example# \fBikeadm set priv base\fR
720 714 .fi
721 715 .in -2
722 716 .sp
723 717
724 718 .LP
725 719 \fBExample 10 \fRViewing the Debug Level
726 720 .sp
727 721 .LP
728 722 The following command shows the current debug level
729 723
730 724 .sp
731 725 .in +2
732 726 .nf
733 727 example# \fBikeadm get debug\fR
734 728 .fi
735 729 .in -2
736 730 .sp
737 731
738 732 .LP
739 733 \fBExample 11 \fRUsing stats to Verify Hardware Accelerator
740 734 .sp
741 735 .LP
742 736 The following example shows how stats may include an optional line at the end
743 737 to indicate if IKE is using a PKCS#11 library to accelerate public-key
744 738 operations, if applicable.
745 739
746 740 .sp
747 741 .in +2
748 742 .nf
749 743 example# \fBikeadm get stats\fR
750 744 Phase 1 SA counts:
751 745 Current: initiator: 0 responder: 0
752 746 Total: initiator: 21 responder: 27
753 747 Attempted:initiator: 21 responder: 27
754 748 Failed: initiator: 0 responder: 0
755 749 initiator fails include 0 time-out(s)
756 750 PKCS#11 library linked in from /opt/SUNWconn/lib/libpkcs11.so
757 751 example#
758 752 .fi
759 753 .in -2
760 754 .sp
761 755
762 756 .LP
763 757 \fBExample 12 \fRDisplaying the Certificate Cache
764 758 .sp
765 759 .LP
766 760 The following command shows the certificate cache and the status of associated
767 761 private keys, if applicable:
768 762
769 763 .sp
770 764 .in +2
771 765 .nf
772 766 example# \fBikeadm dump certcache\fR
773 767 .fi
774 768 .in -2
775 769 .sp
776 770
777 771 .LP
778 772 \fBExample 13 \fRLogging into a PKCS#11 Token
779 773 .sp
780 774 .LP
781 775 The following command shows logging into a PKCS#11 token object and unlocking
782 776 private keys:
783 777
784 778 .sp
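Review bot: Since this change is titled as a misspelling fix, `the afterward by Matt Blaze` in the SECURITY section should be corrected as well: the piece is an afterword (a closing essay), so `afterword` is the word wanted there. Two smaller points in the same region: Example 3 is headed `Deleting a Specific Phase 1 Security Association` but its sentence says `deletes the specified Phase 1 Security Associations` (singular expected), and Example 8 invokes `ikeadm read rules` while the SYNOPSIS lists the object as `rule`; worth confirming which form the command accepts and making the two agree. Example 10's lead sentence `The following command shows the current debug level` is also missing the trailing colon the other examples use.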
785 779 .in +2
786 780 .nf
787 781 example# \fBikeadm token login "Sun Metaslot"\fR
788 782 Enter PIN for PKCS#11 token:
789 783 ikeadm: PKCS#11 operation successful
790 784 .fi
791 785 .in -2
792 786 .sp
793 787
794 788 .SH EXIT STATUS
795 -.sp
796 789 .LP
797 790 The following exit values are returned:
798 791 .sp
799 792 .ne 2
800 793 .na
801 794 \fB\fB0\fR\fR
802 795 .ad
803 796 .RS 12n
804 797 Successful completion.
805 798 .RE
806 799
807 800 .sp
808 801 .ne 2
809 802 .na
810 803 \fB\fBnon-zero\fR\fR
811 804 .ad
812 805 .RS 12n
813 806 An error occurred. Writes an appropriate error message to standard error.
814 807 .RE
815 808
816 809 .SH ATTRIBUTES
817 -.sp
818 810 .LP
819 811 See \fBattributes\fR(5) for descriptions of the following attributes:
820 812 .sp
821 813
822 814 .sp
823 815 .TS
824 816 box;
825 817 c | c
826 818 l | l .
827 819 ATTRIBUTE TYPE ATTRIBUTE VALUE
828 820 _
829 821 Interface Stability Not an Interface
830 822 .TE
831 823
832 824 .SH SEE ALSO
833 -.sp
834 825 .LP
835 826 \fBin.iked\fR(1M), \fBike.config\fR(4), \fBike.preshared\fR(4),
836 827 \fBattributes\fR(5), \fBipsec\fR(7P)
837 828 .sp
838 829 .LP
839 830 Schneier, Bruce, \fIApplied Cryptography: Protocols, Algorithms, and Source
840 831 Code in C\fR, Second Edition, John Wiley & Sons, New York, NY, 1996.
841 832 .SH NOTES
842 -.sp
843 833 .LP
844 834 As \fBin.iked\fR can run only in the global zone and exclusive-IP zones, this
845 835 command is not useful in shared-IP zones.