Name

icamd — Intra Cluster Accessibility Master Daemon

Synopsis

service icamd { start | stop | restart | reload | status | hash }

Description

This daemon allows one or more Kernun systems (slaves) to be controlled from one Kernun system (master). Each slave starts the complementary daemon icasd(8). The relation is asymmetric: the master can control the slave(s). If two systems should be able to control each other, each of them must start both the master daemon (icamd) and the slave daemon (icasd).

When running, the icamd daemon waits for slaves to connect. When a slave connects, a backward SSH connection to the slave is established, which can be used for controlling the slave. The slave remains accessible until the slave icasd daemon is stopped or the connection is interrupted. The icasd tries to reconnect after interruption.

An SSH RSA key pair is used for icamd authentication. The icamd private key is part of the icamd configuration. The icamd public key is part of the configuration of the slave(s). Use ssh-keygen(1) to create the SSH key pair.

Each slave is given a name in the icamd configuration. An ssh_config file is provided that defines a host section for each configured slave, so ssh(1) can be used for connecting to the slave. For instance, the following command can be used to run kat(8):

ssh -t slave-name kat

Kernun GUI takes advantage of the connected slaves. It is possible to control all connected slaves.

kat(8) takes advantage of the connected slaves. It is possible to apply the configuration remotely through the established icamd/icasd connection. If the name of the system being applied equals the name of a connected slave, that slave connection is used for applying the configuration.

Commands

service icamd start

Starts the daemon. The daemon listens for connections from slaves on other systems according to the configuration.

service icamd stop

Stops the daemon. The connected slave(s) (icasd) are disconnected. The default behavior of a slave is to retry the connection periodically. Therefore, the slaves eventually reconnect automatically once icamd is started again.

service icamd restart, service icamd reload

Stops and starts the icamd daemon.

service icamd status

Prints the status of the icamd daemon. If running, all the configured slaves are listed with the information whether they are currently connected or not.

service icamd hash

Prints the configuration hash.

Configuration

The icamd daemon is enabled in rc.conf with variable icamd_enable="YES".

The configuration of the icamd daemon is in /usr/local/kernun/etc/icamd.conf. The following variables can be set in the configuration file:

MASTER_PORT

The port on which icamd listens. This TCP port must be reachable by the icasd slave so that it can connect. The SSH protocol is used.

MASTER_ID_RSA, FN_MASTER_ID_RSA

The private SSH key of the icamd daemon. Either the contents of the file, or the file name.

WRITE_CFG_HASH

The file name where the hash should be written upon start (including restart, reload).

SLAVE_NAMES

The list of slaves (space separated). For each slave SL, the following variables define each icasd slave:

SLAVE_ID_RSA_PUB_SL, FN_SLAVE_ID_RSA_PUB_SL

The public SSH key of the icasd slave. When more than one icasd slave is configured for the master, they are distinguished by the SSH key each of them uses.

SLAVE_CFG_NAME_SL

Optional. Defines the name for the slave SL. Use this if the icasd name should differ from SL (SL may not contain hyphens (-)).

See ica(5) for the high level configuration in CML Kernun configuration.
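
Two constraints stated above (SL may not contain hyphens, and slaves are distinguished by their SSH keys) can be checked before icamd is restarted. The following is an added example, not part of Kernun; it assumes icamd.conf uses sh-style, single-line VAR="value" assignments, and the function names cfg_get, icamd_conf_lint and demo are hypothetical.

```shell
#!/bin/sh
# Added example, not Kernun code. ASSUMPTION: icamd.conf uses sh-style,
# single-line VAR="value" assignments (the page does not show the syntax).

# Print the value of variable $2 in file $1 (last assignment wins).
cfg_get() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# Print one line per problem found; return 0 if clean, 1 otherwise.
icamd_conf_lint() {
    conf=$1 problems=0 seen=""
    for sl in $(cfg_get "$conf" SLAVE_NAMES); do
        case $sl in *-*)
            echo "slave '$sl': SL must not contain '-'; set SLAVE_CFG_NAME_SL instead"
            problems=$((problems + 1)); continue ;;
        esac
        key=$(cfg_get "$conf" "SLAVE_ID_RSA_PUB_$sl")
        fn=$(cfg_get "$conf" "FN_SLAVE_ID_RSA_PUB_$sl")
        if [ -z "$key" ] && [ -n "$fn" ] && [ -r "$fn" ]; then
            key=$(head -n 1 "$fn")
        fi
        # Field 2 of an OpenSSH public key line is the base64 key body.
        body=$(printf '%s\n' "$key" | awk '{print $2}')
        if [ -z "$body" ]; then
            echo "slave '$sl': no usable public key configured"
            problems=$((problems + 1)); continue
        fi
        case " $seen " in *" $body "*)
            echo "slave '$sl': public key is shared with another slave"
            problems=$((problems + 1)) ;;
        esac
        seen="$seen $body"
    done
    [ "$problems" -eq 0 ]
}

# Constructed sample: fw2 reuses fw1's key, and "fw-3" has a hyphen.
demo() {
    tmp=$(mktemp) || return 2
    printf '%s\n' 'SLAVE_NAMES="fw1 fw2 fw-3"' \
        'SLAVE_ID_RSA_PUB_fw1="ssh-rsa AAAAB3CONSTRUCTED1 icasd@fw1"' \
        'SLAVE_ID_RSA_PUB_fw2="ssh-rsa AAAAB3CONSTRUCTED1 icasd@fw2"' > "$tmp"
    icamd_conf_lint "$tmp"; rc=$?
    rm -f "$tmp"; return "$rc"
}
```

Calling demo prints one line for the reused key and one for the hyphenated name. A shared key matters because the master could then no longer tell the two slaves apart.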

See Also

Authors

This man page is a part of Kernun Firewall.
Copyright © 2000–2023 Trusted Network Solutions, a. s.
All rights reserved.