xref: /titanic_52/usr/src/cmd/cmd-inet/usr.sbin/ipsecutils/manual-key.xml (revision e3320f40ba20e6851e73a3237eedf089700bf001)
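<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!--
 Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
 Use is subject to license terms.

 CDDL HEADER START

 The contents of this file are subject to the terms of the
 Common Development and Distribution License (the "License").
 You may not use this file except in compliance with the License.

 You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 or http://www.opensolaris.org/os/licensing.
 See the License for the specific language governing permissions
 and limitations under the License.

 When distributing Covered Code, include this CDDL HEADER in each
 file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 If applicable, add the following below this CDDL HEADER, with the
 fields enclosed by brackets "[]" replaced with your own identifying
 information: Portions Copyright [yyyy] [name of copyright owner]

 CDDL HEADER END

        ident	"%Z%%M%	%I%	%E% SMI"

        NOTE:  This service manifest is not editable; its contents will
        be overwritten by package or patch operations, including
        operating system upgrade.  Make customizations in a different
        file.
-->
<service_bundle type='manifest' name='SUNWcsr:manual-key'>

<!--
        svc:/network/ipsec/manual-key

        Start and refresh run 'ipseckey -f' on the file named by the
        config/config_file property to load static (manually keyed)
        IPsec security associations (SAs); stop runs 'ipseckey flush'.
        No method_context is declared in this manifest, so the methods
        run with whatever credentials the restarter applies by default.
-->
<service
        name='network/ipsec/manual-key'
        type='service'
        version='1'>

        <!-- The 'manual-key' service is delivered disabled because
        there is no default configuration file.  See the note further
        down on changing the configuration file. -->

        <create_default_instance enabled='false' />

        <single_instance />

        <!-- Read/write access to /var/run is required for lock files. -->
        <dependency
                name='filesystem'
                grouping='require_all'
                restart_on='none'
                type='service'>
                <service_fmri
                        value='svc:/system/filesystem/minimal'
                />
        </dependency>

        <!-- The kernel needs to know the supported IPsec algorithms
        before SAs that use them are loaded. -->
        <dependency
                name='algorithms'
                grouping='require_all'
                restart_on='none'
                type='service'>
                <service_fmri
                        value='svc:/network/ipsec/ipsecalgs'
                />
        </dependency>

        <!-- If we are enabled, we should be running fairly early:
        svc:/milestone/network is made to depend on this service.

        NOTE(review): the grouping is optional_all, which per smf(5) is
        also satisfied when this service is disabled or in maintenance.
        A failed key load therefore does not appear to hold back the
        network milestone; confirm that IPsec policy, not this service,
        is what keeps unprotected traffic off the wire. -->

        <dependent
                name='ipseckey-network'
                grouping='optional_all'
                restart_on='none'>
                <service_fmri
                        value='svc:/milestone/network'
                />
        </dependent>

        <!-- %{config/config_file} is replaced with the value of the
        config_file property in the 'config' property group below. -->

        <exec_method
                type='method'
                name='start'
                exec='/usr/sbin/ipseckey -f  %{config/config_file}'
                timeout_seconds='60'
        />

        <!-- To prevent ipseckey generating warnings about duplicate
        SAs when the service is refreshed, ipseckey will flush the
        existing SAs when it is called from smf(5).

        NOTE(review): this implies the previous SAs are removed before
        the file is re-read, so a refresh with a broken or missing
        config_file presumably leaves no manual SAs loaded; check the
        file before refreshing. -->

        <exec_method
                type='method'
                name='refresh'
                exec='/usr/sbin/ipseckey -f  %{config/config_file}'
                timeout_seconds='60'
        />

        <!-- Stop removes SAs with 'ipseckey flush'.

        NOTE(review): no SA type is given, which ipseckey(1M) documents
        as flushing the SAs of all types.  Presumably that includes SAs
        that were not loaded from config_file (for example, ones added
        by a key management daemon); confirm before disabling this
        service on a host that relies on both. -->

        <exec_method
                type='method'
                name='stop'
                exec='/usr/sbin/ipseckey flush'
                timeout_seconds='60'
        />

        <property_group name='general' type='framework'>
                <!-- A user with this authorization can:

                        svcadm restart manual-key
                        svcadm refresh manual-key
                        svcadm mark <state> manual-key
                        svcadm clear manual-key

                See auths(1) and user_attr(4). -->

                <propval
                        name='action_authorization'
                        type='astring'
                        value='solaris.smf.manage.ipsec'
                />

                <!-- A user with this authorization can:

                        svcadm disable manual-key
                        svcadm enable manual-key

                See auths(1) and user_attr(4).

                Both properties in this group name the same
                authorization, so anyone granted
                solaris.smf.manage.ipsec can stop the service (which
                flushes SAs) as well as restart or refresh it. -->

                <propval
                        name='value_authorization'
                        type='astring'
                        value='solaris.smf.manage.ipsec'
                />
        </property_group>

        <!-- The properties defined below can be changed by a user
        with 'solaris.smf.value.ipsec' authorization using the
        svccfg(1M) command.

        For example:

        svccfg -s manual-key setprop config/config_file = /new/config_file

        The new configuration will be read on service refresh:

        svcadm refresh ipsec/manual-key

        Note: svcadm disable/enable does not use the new property
        until after the service has been refreshed.

        config_file is the file handed to 'ipseckey -f' by the start
        and refresh methods, so it carries the keying material for the
        static SAs.  Keep any replacement file as tightly protected as
        the default under /etc/inet/secret, and grant
        'solaris.smf.value.ipsec' narrowly: its holders choose which
        file the service loads.

        ***Do not edit this manifest to change these properties! -->

        <property_group name='config' type='application'>
                <propval
                        name='config_file'
                        type='astring'
                        value='/etc/inet/secret/ipseckeys'
                />
                <propval
                        name='value_authorization'
                        type='astring'
                        value='solaris.smf.value.ipsec'
                />
        </property_group>

        <!-- 'transient' duration: the methods above run ipseckey to
        completion; the manifest defines no long-running process for
        the restarter to track. -->

        <property_group name='startd' type='framework'>
                <propval
                        name='duration'
                        type='astring'
                        value='transient'
                />
        </property_group>

        <stability value='Unstable' />

        <template>
                <common_name>
                        <loctext xml:lang='C'>
                                manually keyed IPsec startup
                        </loctext>
                </common_name>
                <description>
                        <loctext xml:lang='C'>
                                Loads static security associations
                        </loctext>
                </description>
                <documentation>
                        <manpage title='ipseckey' section='1M'
                                manpath='/usr/share/man' />
                </documentation>
        </template>
</service>
</service_bundle>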