JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
man pages section 1M: System Administration Commands     Oracle Solaris 11 Express 11/10
search filter icon
search icon

Document Information

Preface

Introduction

System Administration Commands - Part 1

System Administration Commands - Part 2

makedbm(1M)

makemap(1M)

makeuuid(1M)

masfcnv(1M)

mdlogd(1M)

mdmonitord(1M)

mdnsd(1M)

medstat(1M)

metaclear(1M)

metadb(1M)

metadetach(1M)

metadevadm(1M)

metahs(1M)

metaimport(1M)

metainit(1M)

metaoffline(1M)

metaonline(1M)

metaparam(1M)

metarecover(1M)

metarename(1M)

metareplace(1M)

metaroot(1M)

metaset(1M)

metassist(1M)

metastat(1M)

metasync(1M)

metattach(1M)

mib2mof(1M)

mibiisa(1M)

mkbootmedia(1M)

mkdevalloc(1M)

mkdevmaps(1M)

mkfifo(1M)

mkfile(1M)

mkfs(1M)

mkfs_pcfs(1M)

mkfs_udfs(1M)

mkfs_ufs(1M)

mknod(1M)

mkntfs(1M)

mkpwdict(1M)

modinfo(1M)

modload(1M)

modunload(1M)

mofcomp(1M)

mofreg(1M)

monacct(1M)

monitor(1M)

mount(1M)

mountall(1M)

mount_cachefs(1M)

mountd(1M)

mount_hsfs(1M)

mount_nfs(1M)

mount_pcfs(1M)

mount_smbfs(1M)

mount_tmpfs(1M)

mount_udfs(1M)

mount_ufs(1M)

mpathadm(1M)

mpstat(1M)

msgid(1M)

mvdir(1M)

named(1M)

named-checkconf(1M)

named-checkzone(1M)

named-compilezone(1M)

ncaconfd(1M)

ncheck(1M)

ncheck_ufs(1M)

ndd(1M)

ndmpadm(1M)

ndmpd(1M)

ndmpstat(1M)

netcfgd(1M)

netservices(1M)

netstat(1M)

netstrategy(1M)

newaliases(1M)

newfs(1M)

newkey(1M)

nfs4cbd(1M)

nfsd(1M)

nfslogd(1M)

nfsmapid(1M)

nfsref(1M)

nfsstat(1M)

nlsadmin(1M)

nscadm(1M)

nscd(1M)

nslookup(1M)

nsupdate(1M)

ntfscat(1M)

ntfsclone(1M)

ntfscluster(1M)

ntfscmp(1M)

ntfscp(1M)

ntfsfix(1M)

ntfsinfo(1M)

ntfslabel(1M)

ntfsls(1M)

ntfsprogs(1M)

ntfsresize(1M)

ntfsundelete(1M)

nulladm(1M)

nwamadm(1M)

nwamcfg(1M)

nwamd(1M)

obpsym(1M)

oplhpd(1M)

parse_dynamic_clustertoc(1M)

parted(1M)

pbind(1M)

pcitool(1M)

pfinstall(1M)

pginfo(1M)

pgstat(1M)

pgxconfig(1M)

picld(1M)

ping(1M)

pkg2du(1M)

pkgadd(1M)

pkgadm(1M)

pkgask(1M)

pkgchk(1M)

pkgcond(1M)

pkgrm(1M)

plockstat(1M)

pmadm(1M)

pmconfig(1M)

pntadm(1M)

polkit-is-privileged(1M)

pooladm(1M)

poolbind(1M)

poolcfg(1M)

poold(1M)

poolstat(1M)

ports(1M)

powerd(1M)

poweroff(1M)

powertop(1M)

ppdmgr(1M)

pppd(1M)

pppoec(1M)

pppoed(1M)

pppstats(1M)

pprosetup(1M)

pprosvc(1M)

praudit(1M)

prctmp(1M)

prdaily(1M)

printmgr(1M)

print-service(1M)

privatepw(1M)

prodreg(1M)

projadd(1M)

projdel(1M)

projmod(1M)

prstat(1M)

prtacct(1M)

prtconf(1M)

prtdiag(1M)

prtdscp(1M)

prtfru(1M)

prtpicl(1M)

prtvtoc(1M)

psradm(1M)

psrinfo(1M)

psrset(1M)

putdev(1M)

putdgrp(1M)

pwck(1M)

pwconv(1M)

quot(1M)

quota(1M)

quotacheck(1M)

quotaoff(1M)

quotaon(1M)

raidctl(1M)

ramdiskadm(1M)

rarpd(1M)

rcapadm(1M)

rcapd(1M)

rctladm(1M)

rdate(1M)

rdisc(1M)

reboot(1M)

reject(1M)

rem_drv(1M)

remove_allocatable(1M)

removef(1M)

reparsed(1M)

repquota(1M)

re-preinstall(1M)

restricted_shell(1M)

rexd(1M)

rexecd(1M)

rlogind(1M)

rm_install_client(1M)

rmmount(1M)

rmt(1M)

rmvolmgr(1M)

rndc(1M)

rndc-confgen(1M)

roleadd(1M)

roledel(1M)

rolemod(1M)

root_archive(1M)

route(1M)

routeadm(1M)

routed(1M)

rpcbind(1M)

rpc.bootparamd(1M)

rpcinfo(1M)

rpc.mdcommd(1M)

rpc.metad(1M)

rpc.metamedd(1M)

rpc.metamhd(1M)

rpc.rexd(1M)

rpc.rstatd(1M)

rpc.rusersd(1M)

rpc.rwalld(1M)

rpc.smserverd(1M)

rpc.sprayd(1M)

rpc.yppasswdd(1M)

rpc.ypupdated(1M)

rquotad(1M)

rsh(1M)

rshd(1M)

rstatd(1M)

rtc(1M)

rtquery(1M)

runacct(1M)

rusersd(1M)

rwall(1M)

rwalld(1M)

rwhod(1M)

sa1(1M)

sa2(1M)

sac(1M)

sacadm(1M)

sadc(1M)

saf(1M)

sar(1M)

sasinfo(1M)

savecore(1M)

sbdadm(1M)

scadm(1M)

sckmd(1M)

scmadm(1M)

sconadm(1M)

sdpadm(1M)

sendmail(1M)

setuname(1M)

setup_install_server(1M)

sf880drd(1M)

sftp-server(1M)

share(1M)

shareall(1M)

sharectl(1M)

sharemgr(1M)

share_nfs(1M)

showmount(1M)

showrev(1M)

shutacct(1M)

shutdown(1M)

slpd(1M)

smattrpop(1M)

smbadm(1M)

smbd(1M)

smbiod(1M)

smbiod-svc(1M)

smbios(1M)

smbstat(1M)

smc(1M)

smccompile(1M)

smcconf(1M)

smcregister(1M)

smcron(1M)

smcwebserver(1M)

smdiskless(1M)

smexec(1M)

smgroup(1M)

smlog(1M)

smmaillist(1M)

smmultiuser(1M)

smosservice(1M)

smpatch(1M)

smprofile(1M)

smreg(1M)

smrole(1M)

smrsh(1M)

smserialport(1M)

smtnrhdb(1M)

smtnrhtp(1M)

smtnzonecfg(1M)

smtp-notify(1M)

smuser(1M)

sndradm(1M)

sndrd(1M)

sndrsyncd(1M)

snmpdx(1M)

snmp-notify(1M)

snmpXwbemd(1M)

snoop(1M)

soconfig(1M)

soladdapp(1M)

soldelapp(1M)

solstice(1M)

sppptun(1M)

spray(1M)

sprayd(1M)

srptadm(1M)

sshd(1M)

ssh-keysign(1M)

startup(1M)

statd(1M)

stclient(1M)

stmfadm(1M)

stmsboot(1M)

strace(1M)

strclean(1M)

strerr(1M)

sttydefs(1M)

su(1M)

sulogin(1M)

suninstall(1M)

SUNWafb_config(1M)

SUNWffb_config(1M)

SUNWgfb_config(1M)

SUNWifb_config(1M)

SUNWjfb_config(1M)

SUNWkfb_config(1M)

SUNWm64_config(1M)

SUNWnfb_config(1M)

SUNWpfb_config(1M)

SUNWzulu_config(1M)

svadm(1M)

svcadm(1M)

svccfg(1M)

svc.configd(1M)

svc.ipfd(1M)

svc.startd(1M)

swap(1M)

sync(1M)

syncinit(1M)

syncloop(1M)

syncstat(1M)

sysdef(1M)

syseventadm(1M)

syseventconfd(1M)

syseventd(1M)

sysidconfig(1M)

sysidkbd(1M)

sysidnet(1M)

sysidnfs4(1M)

sysidns(1M)

sysidpm(1M)

sysidroot(1M)

sysidsys(1M)

sysidtool(1M)

syslogd(1M)

sys-unconfig(1M)

talkd(1M)

tapes(1M)

tcxconfig(1M)

telinit(1M)

telnetd(1M)

tftpd(1M)

th_define(1M)

th_manage(1M)

tic(1M)

tnchkdb(1M)

tnctl(1M)

tnd(1M)

tninfo(1M)

tpmadm(1M)

traceroute(1M)

trapstat(1M)

TSIgfxp_config(1M)

ttyadm(1M)

ttymon(1M)

tunefs(1M)

turnacct(1M)

System Administration Commands - Part 3

smtnrhtp

- manage entries in the trusted network template database

Synopsis

/usr/sadm/bin/smtnrhtp subcommand [auth_args] -- [subcommand_args]

Description

The smtnrhtp command adds, modifies, deletes, and lists entries in the tnrhtp database.

smtnrhtp subcommands are:

add

Adds a new entry to the tnrhtp database. To add an entry, the administrator must have the solaris.network.security.read and solaris.network.security.write authorizations.

modify

Modifies an entry in the tnrhtp database. To modify an entry, the administrator must have the solaris.network.security.read and solaris.network.security.write authorizations.

delete

Deletes an entry from tnrhtp database. To delete an entry, the administrator must have the solaris.network.security.read and solaris.network.security.write authorizations.

list

Lists entries in the tnrhtp database. To list an entry, the administrator must have the solaris.network.security.read authorizations.

Options

The smtnrhtp authentication arguments, auth_args, are derived from the smc argument set and are the same regardless of which subcommand you use. The smtnrhtp command requires the Solaris Management Console to be initialized for the command to succeed (see smc(1M)). After rebooting the Solaris Management Console server, the first smc connection can time out, so you might need to retry the command.

The subcommand-specific options, subcommand_args, must be preceded by the -- option.

auth_args

The valid auth_args are -D, -H, -l, -p, -r, and -u; they are all optional. If no auth_args are specified, certain defaults will be assumed and the user might be prompted for additional information, such as a password for authentication purposes. These letter options can also be specified by their equivalent option words preceded by a double dash. For example, you can use either -D or --domain.

-D | --domain domain

Specifies the default domain that you want to manage. The syntax of domain=type:/host_name/domain_name, where type is dns, ldap, or file; host_name is the name of the server; and domain_name is the name of the domain you want to manage.

If you do not specify this option, the Solaris Management Console assumes the file default domain on whatever server you choose to manage, meaning that changes are local to the server. Toolboxes can change the domain on a tool-by-tool basis; this option specifies the domain for all other tools.

-H | --hostname host_name:port

Specifies the host_name and port to which you want to connect. If you do not specify a port, the system connects to the default port, 898. If you do not specify host_name:port, the Solaris Management Console connects to the local host on port 898.

-l | --rolepassword role_password

Specifies the password for the role_name. If you specify a role_name but do not specify a role_password, the system prompts you to supply a role_password. Passwords specified on the command line can be seen by any user on the system, hence this option is considered insecure.

-p | --password password

Specifies the password for the user_name. If you do not specify a password, the system prompts you for one. Passwords specified on the command line can be seen by any user on the system, hence this option is considered insecure.

-r | --rolename role_name

Specifies a role name for authentication. If you do not specify this option, no role is assumed.

-u | --username user_name

Specifies the user name for authentication. If you do not specify this option, the user identity running the console process is assumed.

--

This option is required and must always follow the preceding options. If you do not enter the preceding options, you must still enter the -- option.

subcommand_args

Descriptions and other argument options that contain white spaces must be enclosed in double quotes.

-h

Displays the command's usage statement.

-n templatename

Specifies the name of the template.

-t hosttype

Specifies the host type of the new host. Valid values are unlabeled and cipso. The cipso host type is for hosts that use CIPSO (Common IP Security Options - Tag Type 1 only) to label packets.

-x doi=doi-value

Specifies the DOI value (the domain of interpretation). In the case of the unlabeled host type, this is the domain of interpretation for the def_label.

The domain of interpretation defines the set of rules for translating between the external or internal representation of the security attributes and their network representation. When systems that are configured with Trusted Extensions software have the same doi, they share that set of rules. In the case of the unlabeled host type, these systems also share the same interpretation for the default attributes that are assigned to the unlabeled templates that have that same doi.

-x max=maximum-label

Specifies the maximum label. Together with min, this value specifies the label accreditation range for the remote hosts that use this template. Values can be a hex value or string (such as admin_high).

-x min=minimum-label

Specifies the minimum label. Together with max, this value specifies the label accreditation range for the remote hosts that use this template. For gateway systems, min and max define the default range for forwarding labeled packets. The label range for routes is typically set by using a route(1M) subcommand with the -secattr option. When the label range for routes is not specified, the min to max range in the security template is used. Values can be a hex value or string (such as admin_low).

-x label=default-label

Specifies the default label to be applied to incoming data from remote hosts that do not support these attributes. This option does not apply if hosttype is cipso. Values can be a hex value or string (such as admin_low).

-x slset=l1,l2,l3,l4

Specifies a set of sensitivity labels. For gateway systems, the labels in slset are used for forwarding labeled packets. slset is optional. You can specify up to four label values, separated by commas. Values can be a hex value or string (such as admin_low).

Examples

Example 1 Adding a New Entry to the Network Template Database

The admin role connects to port 898 of the LDAP server and creates the unlabeled_ntk entry in the tnrhtp database. The new template is assigned a host type of unlabeled, a domain of interpretation of 1, minimum label of public, maximum label of restricted, and a default label of needtoknow. The administrator is prompted for the admin password.

$ /usr/sadm/bin/smtnrhtp \
add -D ldap:directoryname -H servername:898 -- \
-n unlabeled_ntk -t unlabeled -x DOI=1 \
-x min=public -x max=restricted -x label="need to know"

Exit Status

The following exit values are returned:

0

Successful completion.

1

Invalid command syntax. A usage message displays.

2

An error occurred while executing the command. An error message displays.

Files

The following files are used by the smtnrhtp command:

/etc/security/tsol/tnrhtp

Trusted network remote-host templates.

Attributes

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE
ATTRIBUTE VALUE
Availability
SUNWmgts
Interface Stability
Committed

See Also

smc(1M), attributes(5)

Notes

The functionality described on this manual page is available only if the system is configured with Trusted Extensions.

Warnings

Changing a template while the network is up can change the security view of an undetermined number of hosts.

Allowing unlabeled hosts onto a Solaris Trusted Extensions network is a security risk. To avoid compromising the rest of your network, such hosts must be trusted in the sense that the administrator is certain that these unlabeled hosts will not be used to compromise the distributed system. These hosts should also be physically protected to restrict access to authorized individuals. If you cannot guarantee that an unlabeled host is physically secure from tampering, it and similar hosts should be isolated on a separate branch of the network.

If the security template is modified while the network is up, the changes do not take effect immediately unless tnctl(1M) is used to update the template entries. Otherwise, the changes take effect when next polled by the trusted network daemon, tnd(1M). Administrators are allowed to add new templates and modify attributes of existing templates while the network is up.