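<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!--
 Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
 Use is subject to license terms.

 CDDL HEADER START

 The contents of this file are subject to the terms of the
 Common Development and Distribution License (the "License").
 You may not use this file except in compliance with the License.

 You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 or http://www.opensolaris.org/os/licensing.
 See the License for the specific language governing permissions
 and limitations under the License.

 When distributing Covered Code, include this CDDL HEADER in each
 file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 If applicable, add the following below this CDDL HEADER, with the
 fields enclosed by brackets "[]" replaced with your own identifying
 information: Portions Copyright [yyyy] [name of copyright owner]

 CDDL HEADER END

        ident	"%Z%%M%	%I%	%E% SMI"

        NOTE:  This service manifest is not editable; its contents will
        be overwritten by package or patch operations, including
        operating system upgrade.  Make customizations in a different
        file.
-->
<!-- The DOCTYPE above names the DTD by an absolute local path rather
     than a URL, so resolving it needs no network access. -->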
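<service_bundle type='manifest' name='SUNWcsr:manual-key'>

<service
        name='network/ipsec/manual-key'
        type='service'
        version='1'>

        <!-- The 'manual-key' service is delivered disabled
        because there is not a default configuration file.
        See note below on changing the default configuration file. -->

        <create_default_instance enabled='false' />

        <single_instance />

        <!-- Read/Write access to /var/run required for lock files -->
        <dependency
                name='filesystem'
                grouping='require_all'
                restart_on='none'
                type='service'>
                <service_fmri
                        value='svc:/system/filesystem/minimal'
                />
        </dependency>

        <!-- Kernel needs to know IPsec supported algorithms -->
        <dependency
                name='algorithms'
                grouping='require_all'
                restart_on='none'
                type='service'>
                <service_fmri
                        value='svc:/network/ipsec/ipsecalgs'
                />
        </dependency>

        <!-- If we are enabled, we should be running fairly early -->

        <dependent
                name='ipseckey-network'
                grouping='optional_all'
                restart_on='none'>
                <service_fmri
                        value='svc:/milestone/network'
                />
        </dependent>

        <!-- start: load the security associations from the file named
        by the config/config_file property.

        This manifest declares no method_context, so the method runs
        with the restarter's default credentials (presumably root;
        confirm against smf_method(5)).  The file carries the SA keying
        material, so it should be owned by root and not readable by
        other users.

        NOTE(review): the property value is substituted into the
        command line unquoted; confirm how smf_method(5) treats a
        value containing whitespace or shell metacharacters. -->

        <exec_method
                type='method'
                name='start'
                exec='/usr/sbin/ipseckey -f  %{config/config_file}'
                timeout_seconds='60'
        />

        <!-- To prevent ipseckey generating warnings about duplicate
        SAs when the service is refreshed, ipseckey will flush the
        existing SAs when it's called from smf(5).

        NOTE(review): this implies a refresh leaves no SAs installed
        between the flush and the reload; confirm how the active IPsec
        policy treats traffic during that window. -->

        <exec_method
                type='method'
                name='refresh'
                exec='/usr/sbin/ipseckey -f  %{config/config_file}'
                timeout_seconds='60'
        />

        <!-- stop: 'flush' is given no SA type.
        NOTE(review): per ipseckey(1M) that removes the SAs of every
        type; confirm whether this also removes SAs that were not
        loaded by this service (for example, ones negotiated by IKE). -->

        <exec_method
                type='method'
                name='stop'
                exec='/usr/sbin/ipseckey flush'
                timeout_seconds='60'
        />

        <property_group name='general' type='framework'>
                <!-- A user with this authorization can:

                        svcadm restart manual-key
                        svcadm refresh manual-key
                        svcadm mark <state> manual-key
                        svcadm clear manual-key

                see auths(1) and user_attr(4)-->

                <propval
                        name='action_authorization'
                        type='astring'
                        value='solaris.smf.manage.ipsec'
                />
                <!-- A user with this authorization can:

                        svcadm disable manual-key
                        svcadm enable manual-key

                see auths(1) and user_attr(4)-->

                <propval
                        name='value_authorization'
                        type='astring'
                        value='solaris.smf.manage.ipsec'
                />
        </property_group>

        <!-- The properties defined below can be changed by a user
        with 'solaris.smf.value.ipsec' authorization using the
        svccfg(1M) command.

        Example:

        svccfg -s manual-key setprop config/config_file = /new/config_file

        The new configurations will be read on service refresh:

        svcadm refresh ipsec/manual-key

        Note: svcadm disable/enable does not use the new property
        until after the service has been refreshed.

        Security note: config/config_file is the path handed to
        'ipseckey -f' by the start and refresh methods, so a holder of
        'solaris.smf.value.ipsec' chooses which file the SAs are loaded
        from.  Grant that authorization only to accounts trusted to
        control this host's manual IPsec keys.

        ***Do not edit this manifest to change these properties! -->

        <property_group name='config' type='application'>
                <propval
                        name='config_file'
                        type='astring'
                        value='/etc/inet/secret/ipseckeys'
                />
                <propval
                        name='value_authorization'
                        type='astring'
                        value='solaris.smf.value.ipsec'
                />
        </property_group>

        <!-- 'transient' duration: see svc.startd(1M) for how the
        restarter treats a service whose methods leave no long-running
        process. -->
        <property_group name='startd' type='framework'>
                <propval
                        name='duration'
                        type='astring'
                        value='transient'
                />
        </property_group>

        <stability value='Unstable' />

        <template>
                <common_name>
                        <loctext xml:lang='C'>
                                manually keyed IPsec startup
                        </loctext>
                </common_name>
                <description>
                        <loctext xml:lang='C'>
                                Loads static security associations
                        </loctext>
                </description>
                <documentation>
                        <manpage title='ipseckey' section='1M'
                                manpath='/usr/share/man' />
                </documentation>
        </template>
</service>
</service_bundle>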