Trusted Extensions Configuration and Administration

Updated: July 2014

Network Commands in Trusted Extensions

    Trusted Extensions adds the following commands to administer trusted networking:

  • tncfg – This command creates, modifies, and displays the configuration of your Trusted Extensions network. The tncfg -t command is used to view, create, or modify a specified security template. The tncfg -z command is used to view or modify the network properties of a specified zone. For details, see the tncfg(1M) man page.

  • tnchkdb – This command is used to verify the correctness of the trusted network databases. The tnchkdb command is called whenever you change a security template (tnrhtp), a security template assignment (tnrhdb), or the configuration of a zone (tnzonecfg) by using the txzonemgr or the tncfg command. For details, see the tnchkdb(1M) man page.

  • tnctl – This command can be used to update the trusted network information in the kernel. tnctl is also a system service. A restart with the command svcadm restart /network/tnctl refreshes the kernel cache from the trusted network databases on the local system. For details, see the tnctl(1M) man page.

  • tnd – This daemon pulls tnrhdb and tnrhtp information from the LDAP directory and local files. The order of search is dictated by the name-service/switch SMF service. The tnd daemon is started at boot time by the svc:/network/tnd service. This service depends on the svc:/network/ldap/client service.

    In an LDAP network, the tnd command can also be used for debugging and for changing the polling interval. For details, see the tnd(1M) man page.

  • tninfo – This command displays the details of the current state of the trusted network kernel cache. The output can be filtered by host name, zone, or security template. For details, see the tninfo(1M) man page.

    Trusted Extensions adds options to the following Oracle Solaris network commands:

  • ipadm – The all-zones address property makes the specified interface available to every zone on the system. The appropriate zone to deliver data to is determined by the label that is associated with the data. For details, see the ipadm(1M) man page.

  • netstat – The -R option extends Oracle Solaris netstat usage to display Trusted Extensions-specific information, such as security attributes for multilevel sockets and routing table entries. The extended security attributes include the label of the peer, and whether the socket is specific to a zone or available to several zones. For details, see the netstat(1M) man page.

  • route – The -secattr option extends Oracle Solaris route usage to display the security attributes of the route. The value of the option has the following format:

    min_sl=label,max_sl=label,doi=integer,cipso

    The cipso keyword is optional and set by default. For details, see the route(1M) man page.

  • snoop – As in Oracle Solaris, the -v option to this command can be used to display the IP headers in detail. In Trusted Extensions, the headers contain label information.

  • ipseckey – In Trusted Extensions, the following extensions are available to label IPsec-protected packets: label, outer-label, and implicit-label, each of which takes a label as its argument (for example, label label). For details, see the ipseckey(1M) man page.
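The -secattr value format shown above (min_sl=label,max_sl=label,doi=integer,cipso) is easy to get subtly wrong when scripted, and a malformed route attribute is best caught before it reaches route(1M). The following POSIX sh function is an added example, not part of the Oracle documentation: it validates such a value, requires the three mandatory attributes, checks that doi is an integer, fills in the default cipso keyword, and rejects unknown attributes. The label names and DOI in the demo calls are constructed sample values.

```shell
#!/bin/sh
# Validate a route -secattr value of the form
#   min_sl=label,max_sl=label,doi=integer[,cipso]
# Prints the normalized value (cipso always present, since it is the default)
# and returns 1 on any malformed input. Labels may contain spaces or colons;
# only the comma is treated as a separator.
parse_secattr() {
    _rest=$1
    min_sl='' ; max_sl='' ; doi=''
    cipso='cipso'                      # optional keyword, set by default
    while [ -n "$_rest" ]; do
        case $_rest in                 # split off the next comma-separated token
            *,*) _tok=${_rest%%,*}; _rest=${_rest#*,} ;;
            *)   _tok=$_rest;        _rest='' ;;
        esac
        case $_tok in
            min_sl=?*) min_sl=${_tok#min_sl=} ;;
            max_sl=?*) max_sl=${_tok#max_sl=} ;;
            doi=?*)
                _d=${_tok#doi=}
                case $_d in            # doi must be a non-empty run of digits
                    *[!0-9]*) echo "doi must be an integer: $_tok" >&2; return 1 ;;
                esac
                doi=$_d ;;
            cipso) cipso='cipso' ;;
            *) echo "unknown or empty attribute: '$_tok'" >&2; return 1 ;;
        esac
    done
    if [ -z "$min_sl" ] || [ -z "$max_sl" ] || [ -z "$doi" ]; then
        echo "min_sl, max_sl and doi are all required" >&2
        return 1
    fi
    printf 'min_sl=%s,max_sl=%s,doi=%s,%s\n' "$min_sl" "$max_sl" "$doi" "$cipso"
}

# Demo with constructed sample values (ADMIN_LOW/ADMIN_HIGH and doi=1 are
# placeholders for whatever your label encodings define).
parse_secattr 'min_sl=ADMIN_LOW,max_sl=ADMIN_HIGH,doi=1'
parse_secattr 'min_sl=PUBLIC,max_sl=PUBLIC,doi=one' || echo "rejected as expected"
```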