When the kernel cache has not yet been updated with changes to the trusted network databases, you can update it in several ways. The Solaris Management Console runs the kernel cache update automatically when you use the Security Templates tool or the Trusted Network Zones tool.
You must be in the Security Administrator role in the global zone.
To synchronize the kernel cache with network databases, run one of the following commands:
Restart the tnctl service.
Do not use this method on systems that obtain their trusted network database information from an LDAP server. The local database information would overwrite the information that is obtained from the LDAP server.
    $ svcadm restart svc:/network/tnctl
This command reads all information from the local trusted network databases into the kernel.
Update the kernel cache for your recently added entries.
    $ tnctl -h hostname
This command reads into the kernel only the information selected by the option that you pass, here the entry for hostname. For details about the options, see Example 19–17 and the tnctl(1M) man page.
Change the tnd polling interval.
Changing the interval does not itself update the kernel cache. However, a shorter polling interval makes tnd update the kernel cache more frequently. For details, see the example in the tnd(1M) man page.
Refresh the tnd.
This Service Management Facility (SMF) command triggers an immediate update of the kernel with recent changes to trusted network databases.
    $ svcadm refresh svc:/network/tnd
Restart the tnd by using SMF.
    $ svcadm restart svc:/network/tnd
Avoid running the tnd command to restart the tnd. This command can interrupt communications that are currently succeeding.
In this example, the administrator has added three addresses to the local tnrhdb database. First, the administrator removed the 0.0.0.0 wildcard entry.
    $ tnctl -d -h 0.0.0.0:admin_low
Then, the administrator views the format of the final three entries in the /etc/security/tsol/tnrhdb database:
    $ tail /etc/security/tsol/tnrhdb
    #\:\:0:admin_low
    127.0.0.1:cipso
    #\:\:1:cipso
    192.168.103.5:admin_low
    192.168.103.0:cipso
    0.0.0.0/32:admin_low
Then, the administrator updates the kernel cache:
    $ tnctl -h 192.168.103.5
    $ tnctl -h 192.168.103.0
    $ tnctl -h 0.0.0.0/32
Finally, the administrator verifies that the kernel cache is updated. The output for the first entry is similar to the following:
    $ tninfo -h 192.168.103.5
    IP Address: 192.168.103.5
    Template: admin_low
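As an added example, not taken from the Trusted Extensions documentation, the following POSIX shell script ties the procedure and the example above together: it parses tnrhdb entries in the format shown by the tail output (host-or-network:template, "#" comments, IPv6 colons backslash-escaped) and, for each active entry, asks tninfo -h which template the kernel holds, reporting every entry that the kernel does not yet know or that carries a different template. The sample file contents, the fake_tninfo stub and the "IP Address:" / "Template:" output layout it produces are constructed from the example above; on a live system you would call verify_kernel_cache with no argument so that the real tninfo is run.

```shell
#!/bin/sh
# Added example, not part of the Trusted Extensions documentation.
# Parses tnrhdb lines (host-or-network:template, one entry per line,
# "#" comments, IPv6 colons backslash-escaped) and compares each active
# entry with what "tninfo -h host" reports, so that a half-finished update
# (entries present in the file but not yet loaded) is caught.
# The tninfo output layout assumed is the "IP Address:" / "Template:" pair
# shown in the example above.

# Read tnrhdb lines on stdin; print "host template" for each active entry.
tnrhdb_entries() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;          # blank line or commented-out entry
        esac
        host=${line%:*}                    # text before the last colon;
        template=${line##*:}               # escaped IPv6 colons (\:) stay intact
        printf '%s %s\n' "$host" "$template"
    done
}

# Read "tninfo -h" output on stdin; print the template name it reports.
# Prints nothing when the host is not in the kernel cache.
template_from_tninfo() {
    sed -n 's/^Template:[[:space:]]*//p' | head -n 1
}

# Read tnrhdb lines on stdin; query the kernel for each active entry and
# print one MISMATCH line per entry whose kernel template differs or is absent.
# $1 names the query command (default: tninfo) so that a stub can stand in.
verify_kernel_cache() {
    cmd=${1:-tninfo}
    tnrhdb_entries | while read -r host expected; do
        actual=$("$cmd" -h "$host" </dev/null 2>/dev/null | template_from_tninfo)
        if [ "$actual" != "$expected" ]; then
            printf 'MISMATCH %s: database=%s kernel=%s\n' \
                "$host" "$expected" "${actual:-<not loaded>}"
        fi
    done
}

# Succeeds (exit 0) only when no entry is reported as mismatched.
kernel_cache_in_sync() {
    [ -z "$(verify_kernel_cache "$1")" ]
}

# --- constructed demo data -------------------------------------------------
# The tail output from the example above, used here as a sample tnrhdb.
SAMPLE_TNRHDB='#\:\:0:admin_low
127.0.0.1:cipso
#\:\:1:cipso
192.168.103.5:admin_low
192.168.103.0:cipso
0.0.0.0/32:admin_low'

# Hypothetical stand-in for "tninfo -h host": answers for three of the
# sample addresses and pretends 0.0.0.0/32 was never loaded into the kernel.
fake_tninfo() {
    case "$2" in
        127.0.0.1)     printf 'IP Address: %s\nTemplate: cipso\n' "$2" ;;
        192.168.103.5) printf 'IP Address: %s\nTemplate: admin_low\n' "$2" ;;
        192.168.103.0) printf 'IP Address: %s\nTemplate: cipso\n' "$2" ;;
        *)             return 1 ;;
    esac
}

# Run the check against the stub; it reports the 0.0.0.0/32 entry as not
# loaded. On a real system omit the argument so that the real tninfo is used.
printf '%s\n' "$SAMPLE_TNRHDB" | verify_kernel_cache fake_tninfo
```

Running the script against a real system after a series of tnctl -h calls (or after a tnd refresh) gives a quick confirmation that every active entry in the file is also what the kernel enforces; a MISMATCH line points at the exact entry still to be loaded.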
In this example, the administrator updates the trusted network with a public print server, and then checks that the kernel settings are correct.
    $ tnctl -h public-print-server
    $ tninfo -h public-print-server
    IP Address: 192.168.103.55
    Template: PublicOnly
    $ tninfo -t PublicOnly
    ==================================
    Remote Host Template Table Entries
    ----------------------------------
    template: PublicOnly
    host_type: CIPSO
    doi: 1
    min_sl: PUBLIC
    hex: 0x0002-08-08
    max_sl: PUBLIC
    hex: 0x0002-08-08