SunScreen 3.2 Administrator's Overview

ssadm Subcommands

The following commands, which can be used as the subcommand argument to the ssadm command, are described in this section.

ssadm Subcommand Summary

The table below lists the SunScreen ssadm subcommands and their descriptions. Many ssadm subcommands duplicate the functions of the administration graphical user interface, while others provide a context for other subcommands.

Table B-3 Summary of SunScreen ssadm Subcommands

ssadm Subcommand    Description

activate            Activates a policy on a Screen
active              Lists information about the currently active policy
algorithm           Lists algorithms supported by SKIP and IKE
backup              Writes a SunScreen backup file to standard output
certdb              Manages the public key certificate databases
certlocal           Manages the private key (local identity) databases
certrldb            Manages the certificate revocation list database
configure           Runs the text-based utility that creates the initial SunScreen configuration (formerly ss_install)
debug_level         Sets or clears the level of debugging output generated by a Screen
edit                Runs the configuration editor. See "Configuration Editor".
ha                  Configures the features of a high availability (HA) Screen
lock                Examines or forces the removal of the protection lock that the configuration editor places on a policy file or the Registry file
log                 Maintains the Screen log file
logdump             Filters or displays log records, as retrieved by ssadm log get
login               Authenticates a user for administrative access through ssadm to a Screen from a remote Administration Station
logmacro            Expands a SunScreen logmacro object
logout              Terminates the session created by ssadm login
logstats            Prints information about the SunScreen log
patch               Installs a patch, as needed
policy              Creates, deletes, lists, and renames Screen policies
product             Prints a single-line description of the SunScreen product in use
restore             Reads a backup file from standard input
spf2efs             Converts configuration data saved from a SunScreen SPF-200 Screen into SunScreen format
sys_info            Prints a description of the running SunScreen software
traffic_stats       Reports summary information about the traffic flowing through the Screen, classified by interface

ssadm activate

ssadm activate causes the Screen to begin "executing" a particular configuration that is formed when the named policy is combined with the common objects. After activation, the configuration controls the behavior of packet filtering, encryption and decryption, proxies, logging, and administrative access.

Usage:

ssadm activate [-n] [-l] policy

The table below describes the options for this command.

Table B-4 Options for activate Subcommand

Option    Description

-n        Verifies that the configuration is valid; does not make it active
-l        Activates the configuration only on the local Screen; does not send it to the other Screens in the centralized management group

The named policy is combined with the common objects to form a configuration.


Note -

If you omit the policy argument, ssadm activate reads a configuration file from standard input. Since the format of a configuration file is undocumented and private to the SunScreen internal software, using ssadm activate in this way is not supported.


ssadm active

ssadm active prints a description of the configuration that is currently being executed by the Screen. When run with the -x option, the configuration file is extracted from the running system and can be saved for later examination.

Usage:

ssadm active

ssadm active -x policy

Without the -x option, ssadm active describes the active configuration with two lines of text. The first line lists the name of the Screen on which the configuration was originally stored, the name of the internal database in which it was stored (this name is always default), and the name of the policy, including its version number. The second line lists the date and time when the configuration was activated, and the user (either a Solaris user or SunScreen administration authorized user) who caused it to be activated.

For example:


# ssadm active
Active configuration: greatwall default Initial.3
Activated by admin on 03/09/1999 02:58:36 PM PST

In this example, the Screen is currently running a configuration that came from the Screen named greatwall (which might be the current Screen or, if the Screen is a member of a centralized management group, the primary Screen of the centralized administration group). The configuration includes version 3 of the policy Initial.

With the -x option, ssadm active saves the active configuration into the named policy, which can then be examined using the edit command. The named policy must not already exist; ssadm active creates it. A policy saved this way differs from a normal policy: a normal policy file contains only policy rules, which are combined with the currently defined common objects at activation time, whereas the policy saved by -x contains a full snapshot of all common objects in addition to the policy rules.


Note -

If the -x option is specified and the policy argument is omitted, ssadm active writes a configuration file to standard output. Since the format of a configuration file is undocumented and private to the SunScreen internal software, using ssadm active in this way is not supported.


ssadm algorithm

ssadm algorithm lists the SKIP and IKE algorithms that are available for a specified algorithm type.

Usage:

ssadm algorithm [-i] alg_type [crypt_type]

OR

ssadm algorithm [-k] alg_type [crypt_type]

where alg_type must be one of key, data, mac, compression, encryption, or authentication, and crypt_type, if supplied, must be SKIP_VERSION_1, SKIP_VERSION_2, or IPSEC.

The following combinations are valid:

ssadm algorithm i/k-opt key SKIP_VERSION_1
ssadm algorithm i/k-opt data SKIP_VERSION_1
ssadm algorithm i/k-opt key [SKIP_VERSION_2]
ssadm algorithm i/k-opt data [SKIP_VERSION_2]
ssadm algorithm i/k-opt mac [SKIP_VERSION_2]
ssadm algorithm i/k-opt compression [SKIP_VERSION_2]
ssadm algorithm i/k-opt encryption [IPSEC]
ssadm algorithm i/k-opt authentication [IPSEC]

The i/k-opt is either -i, or -k. Note that -i lists only algorithms (with the specified restrictions) that are currently installed on the Screen and that -k lists all possible (known) algorithms (with the specified restrictions). The default is -k.

As shown above, the default crypt_type for key, data, mac, and compression is SKIP_VERSION_2; the default crypt_type for encryption and authentication is IPSEC.

ssadm backup

ssadm backup writes a Screen backup file to standard output.

Usage:

ssadm backup [-v] > file

The backup file contains the complete configuration of SKIP and IKE, plus all currently defined common objects, policies, and, if the -v option is specified, all of the saved versions of the policies.

The backup file can be restored at a later time using the ssadm restore command.


Caution -

SECURITY WARNING. The file created by ssadm backup contains sensitive information (SKIP and IKE secret keys) that must be stored and disposed of appropriately to protect the integrity of the Screen.
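The warning above says the backup must be stored appropriately but leaves the mechanism to the administrator. The script below is an added example, not part of the SunScreen documentation or product: it keeps the ssadm backup stream encrypted at rest and never writes a cleartext copy to disk on either the backup or the restore path. It assumes an OpenSSL 1.1.1 or later binary on the Administration Station (for -pbkdf2) and a passphrase file that is itself mode 0600 and kept separately from the backup; the ssadm invocations are the documented ones.

```shell
#!/bin/sh
# Added example, not from the SunScreen documentation. Assumes openssl with
# -pbkdf2 support and a 0600 passphrase file stored apart from the backup.

# encrypt_stream PASSFILE OUTFILE  -- encrypt stdin into OUTFILE (created 0600)
encrypt_stream() {
    passfile=$1; out=$2
    ( umask 077 && openssl enc -aes-256-cbc -pbkdf2 -salt \
          -pass "file:$passfile" -out "$out" )
}

# decrypt_stream PASSFILE INFILE  -- cleartext backup on stdout
decrypt_stream() {
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$1" -in "$2"
}

# take_backup PASSFILE OUTFILE  -- full backup, including saved policy
# versions (-v), piped straight into the cipher so SKIP/IKE secret keys never
# touch the disk in cleartext.
take_backup() {
    ssadm backup -v | encrypt_stream "$1" "$2" || return 1
    # An empty or undecryptable file means the backup or the passphrase is
    # unusable: find that out now rather than during a restore.
    n=$(decrypt_stream "$1" "$2" | wc -c | tr -d ' ') || return 1
    [ "$n" -gt 0 ] || { echo "backup $2 is empty or does not decrypt" >&2; return 1; }
    echo "wrote $2 ($n bytes of cleartext)"
}

# restore_backup PASSFILE INFILE  -- decrypt directly into ssadm restore
restore_backup() {
    decrypt_stream "$1" "$2" | ssadm restore
}

if [ $# -gt 0 ]; then
    take_backup "$@"
fi
```

Run as "sh backup.sh /path/to/passfile /secure/screen-backup.enc" on the Screen (or through ssadm -r from an Administration Station); restore with restore_backup. Disposing of the backup then means deleting the passphrase file as well as the ciphertext.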


ssadm certdb

ssadm certdb allows a user to manually administer the two databases of public key certificates used by IKE and SKIP. These databases store long term certificates so that they may be accessed by the key manager.

Usage:

ssadm certdb -[I|S] -[a|e|h|l|r] [action specific arguments]

where -I or -S instructs the command to access the IKE or SKIP database and a, e, h, l, and r represent add, extract, help, list, or remove. See the man page ssadm-certdb(1M) for details.


Note -

The semantics and applicability of the options may vary between IKE and SKIP usage. For SKIP options, see the skipdb man page.


ssadm certlocal

ssadm certlocal is a utility for managing the two local identity databases used by IKE and SKIP on a system.

Usage:

ssadm certlocal -[I|S] -[a|e|h|k|l|r] [action specific arguments]

where -I or -S instructs the command to access the IKE or SKIP database and a, e, h, k, l, and r represent add, extract, help, generate key, list, or remove. See the man page ssadm-certlocal(1M) for details.


Note -

The semantics and applicability of the options may vary between IKE and SKIP usage. For SKIP options, see the skiplocal man page.


ssadm certrldb

ssadm certrldb is a utility for managing the certificate revocation lists in the IKE certificate database.

Usage:

ssadm certrldb -[I] -[a|e|h|l|r] [action specific arguments]

where -I instructs the command to access the IKE database and a, e, h, l, and r represent add, extract, help, list, or remove. See the man page ssadm-certrldb(1M) for details.

ssadm configure

ssadm configure (formerly ss_install) is a text-based command-line utility that runs during SunScreen installation to create an initial configuration. ssadm configure, combined with pkgadd, is the command-line equivalent to the installation wizard graphical user interface on the CD-ROM.

ssadm configure interactively queries you with various configuration options. It then creates a configuration, stores it under the policy name Initial, and activates it.

After ssadm configure is complete, the Screen is ready to be administered using the administration GUI or the command-line configuration editor and other tools.

ssadm debug_level

ssadm debug_level controls the output of internal debugging information from the SunScreen kernel.

Usage:

ssadm debug_level [newlevel]

ssadm debug_level ?

With no arguments, ssadm debug_level prints out the current debug level in hexadecimal. With the newlevel argument, ssadm debug_level sets the debug level to newlevel. With the question mark argument (may need to be quoted in the Solaris shell), ssadm debug_level prints out a list of bit values and their meanings.

The debugging information, when enabled, is written through the kernel message mechanism and typically ends up on the system console or the kernel message logs. The format of the messages is not documented and is only used by Sun support personnel.

ssadm edit

ssadm edit runs the SunScreen configuration editor.

Usage:

ssadm edit policy

ssadm edit policy < file

ssadm edit policy -c commandstring

See "Configuration Editor" for information regarding commands supported by ssadm edit. The configuration editor can be used in any of three modes: interactive, batch, or "-c" mode. In interactive mode, the editor prints a prompt (edit>) before each command is read from your terminal. In batch mode, the editor silently reads commands from standard input. Commands are read until the editor receives end-of-file or a quit command.

If ssadm edit is run on an interactive terminal and its input and output are not redirected, it automatically enters interactive mode. If standard input is a pipe or a file, the configuration editor runs in batch mode.

If ssadm edit is run with the -c option, it executes the commandstring and then exits without reading any other commands. commandstring must be a single argument to the program, so in the Solaris shell it usually has to be quoted with single or double quotes.

ssadm ha

ssadm ha performs operations on a Screen in a high availability (HA) cluster.

Usage:

ssadm ha function parameters...

The table below describes the function parameters for this command.

Table B-5 Function Parameters for ha Subcommand

Function                            Description

status                              Displays the status of the HA cluster.

active_mode                         Puts the Screen in active mode.

passive_mode                        Puts the Screen in passive mode.

init_primary interface              Turns a standalone (non-HA) Screen into an HA primary Screen, thereby creating a new HA cluster containing one Screen. interface is the interface to be used for the HA heartbeat and synchronization.

init_secondary interface primaryIP  Turns a standalone (non-HA) Screen into an HA secondary Screen ready to join an existing HA cluster. interface is used for the HA heartbeat and synchronization, and primaryIP is the IP address (on the HA network) of the primary machine in the cluster.

add_secondary secondaryIP           Adds an initialized HA secondary Screen (see init_secondary above) to an existing HA cluster. This command is executed on the primary Screen in the HA cluster. secondaryIP is the IP address (on the HA network) of the secondary machine to be added.

ssadm lock

ssadm lock manipulates the lock that protects a policy from simultaneous modification by multiple administrators.

Usage:

ssadm lock -w policy

ssadm lock -c policy

ssadm lock -w prints a line of text describing the status of the lock.

ssadm lock -c forcibly breaks the lock and attempts to terminate (with a SIGHUP signal) the previous holder of the lock.

For example:


# ssadm lock -w Initial
Lock held by admin@198.41.0.6 process id:8977
# ssadm lock -c Initial
# ssadm lock -w Initial
Lock available
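The lock, activate, and active subcommands together make up a change-control sequence: check that no other administrator holds the editor lock, validate with activate -n, activate, then confirm from ssadm active what the Screen is actually running. The script below is an added example, not from the SunScreen documentation or product, that wraps that sequence. It refuses to proceed while another administrator holds the lock (rather than breaking it with lock -c, which sends SIGHUP to their session), and its two parsers read only the output formats shown in the examples above. It assumes policy names contain no dot, so that the version suffix of "Initial.3" can be split off at the last dot; the ssadm invocations are the documented ones.

```shell
#!/bin/sh
# Added example, not from the SunScreen documentation. Assumes policy names
# contain no dot (the ".N" version suffix is split at the last dot).

# lock_holder < "ssadm lock -w POLICY" output
# Prints "user@host pid" when the lock is held, nothing when it is available.
# Input line: "Lock held by admin@198.41.0.6 process id:8977"
lock_holder() {
    awk '/^Lock held by/ { holder = $4; sub(/.*:/, "", $6); print holder, $6 }'
}

# active_policy < "ssadm active" output -> e.g. "Initial.3"
# Input line: "Active configuration: greatwall default Initial.3"
active_policy() {
    awk '/^Active configuration:/ { print $5; exit }'
}

# safe_activate POLICY  -- e.g. safe_activate Initial
safe_activate() {
    want=$1
    holder=$(ssadm lock -w "$want" | lock_holder) || return 1
    if [ -n "$holder" ]; then
        echo "refusing: lock on $want is held by $holder" >&2
        return 2
    fi
    # Validate first; a syntactically bad configuration never reaches the Screen.
    ssadm activate -n "$want" || { echo "validation of $want failed" >&2; return 1; }
    ssadm activate "$want" || return 1
    # Trust the Screen's own report, not the activate exit status alone.
    got=$(ssadm active | active_policy)
    if [ "${got%.*}" != "$want" ]; then
        echo "expected policy $want active, Screen reports '$got'" >&2
        return 1
    fi
    echo "active configuration is now $got"
}

if [ $# -gt 0 ]; then
    safe_activate "$1"
fi
```

Exit status 2 means "someone else is editing"; treat it as a reason to talk to that administrator, not as a prompt to run lock -c.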

ssadm log

ssadm log retrieves and clears the SunScreen log.

Usage:

ssadm log get filter_args...

ssadm log get_and_clear filter_args...

ssadm log clear

See Chapter 11, Logging for detailed information.

ssadm logdump

ssadm logdump is used to filter or display log records, as retrieved by ssadm log get.

Usage:

ssadm logdump parameters...

See Chapter 11, Logging for detailed information.

ssadm login

ssadm login authenticates a user for administrative access through ssadm to a Screen from a remote Administration Station.

Usage:

ssadm -r remotehost login username password

ssadm login creates a session on the remote Screen and provides a ticket that allows subsequent invocations of the ssadm command to access the remote Screen without using a password.

ssadm login is only available with the -r remotehost option.

The ticket is written to standard output. If a ticketfile is specified using the -F option to ssadm or the SSADM_TICKET_FILE environment variable, then ssadm login automatically stores the ticket in ticketfile in addition to writing it to standard output.

For example:


# SSADM_TICKET_FILE=$HOME/.ssadmticket
# export SSADM_TICKET_FILE
# touch $SSADM_TICKET_FILE
# chmod go= $SSADM_TICKET_FILE
# ssadm -r greatwall login admin password
WRITE access <E23B344150C702EC>
# ssadm -r greatwall activate Initial
Configuration activated successfully on greatwall.
# ssadm -r greatwall active
Active configuration: greatwall default Initial.3
Activated by admin on 03/09/1999 02:58:36 PM PST
# ssadm -r greatwall logout

The above example is for sh or ksh; other shells may require different commands.

When the ssadm login command is used on a multiuser Administration Station, any other user on that host can read the administrator's user name and password from the process list (ps) and then, because SKIP or IKE access is already enabled from that host, access the Screen as that administrator.


Caution -

Do not have a general-use Solaris system act as a remote Administration Station. Additionally, never use the ssadm login command on a Solaris system while other users are logged in.

Screen administration is discouraged from non-Solaris platforms. Serious security holes with other operating systems can readily be exploited to compromise the network security infrastructure.


See the ssadm-login(1M) man page for more information on the login command.
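The caution above is a condition an administrator can check mechanically before typing a password on a command line. The script below is an added example, not from the SunScreen documentation or product: it turns the login example into a function that aborts if anyone else is logged in to the Administration Station, creates the ticket file with mode 0600 before ssadm login writes to it, and always runs ssadm logout and removes the ticket on exit, even when a command in between fails. The Screen name, user, password, and policy are placeholders passed as arguments; the ssadm invocations and the SSADM_TICKET_FILE variable are the documented ones.

```shell
#!/bin/sh
# Added example, not from the SunScreen documentation. The session check reads
# standard who(1) output; logname(1) supplies the login name even after su.

# other_users_logged_in ME  < "who" output
# Exit status 0 if any user other than ME has a session, 1 otherwise.
other_users_logged_in() {
    awk -v me="$1" '$1 != me { found = 1 } END { exit !found }'
}

# make_ticket_file -> path of an empty 0600 file for SSADM_TICKET_FILE
make_ticket_file() {
    ( umask 077 && mktemp "${TMPDIR:-/tmp}/ssadmticket.XXXXXX" )
}

# remote_session SCREEN USER PASSWORD POLICY
remote_session() {
    screen=$1 user=$2 pass=$3 policy=$4
    me=$(logname 2>/dev/null || id -un)
    # The password is an argument to ssadm login and therefore visible in ps
    # to every other user on this host for as long as the command runs.
    if who | other_users_logged_in "$me"; then
        echo "other users are logged in; not running ssadm login" >&2
        return 2
    fi
    SSADM_TICKET_FILE=$(make_ticket_file) || return 1
    export SSADM_TICKET_FILE
    # Tear the session down and discard the ticket whatever happens next.
    trap 'ssadm -r "$screen" logout; rm -f "$SSADM_TICKET_FILE"' EXIT
    ssadm -r "$screen" login "$user" "$pass" >/dev/null || return 1
    ssadm -r "$screen" activate "$policy" && ssadm -r "$screen" active
}

if [ $# -eq 4 ]; then
    remote_session "$@"
fi
```

Because the ticket is also written to standard output by ssadm login, the example discards that copy; the file holds the only one, and it is unlinked by the EXIT trap.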

ssadm logout

ssadm logout terminates the session created by ssadm login.

Usage:

ssadm -r remotehost logout

ssadm logout is only available with the -r remotehost option.

ssadm logmacro

ssadm logmacro expands a SunScreen logmacro object.

Usage:

ssadm logmacro expand macroname

ssadm logmacro add macrokey macrovalue

ssadm logmacro delete macrokey

ssadm logmacro print[,sortopt] [ macrokey ]

ssadm logmacro names[,sortopt]

where macrokey is of the form [ SYS=scrnname ] NAME=name, macrovalue is of the form VALUE=macrobody, and sortopt is one of asc, desc, or iasc.

See Chapter 11, Logging for detailed information.

ssadm logstats

ssadm logstats prints information about the SunScreen log.

Usage:

ssadm logstats

ssadm patch

ssadm patch installs a patch, as needed.

Usage:

For stealth-mode Screens from Remote Administration Stations, use:

ssadm [-r screen_name] patch Install [NOREBOOT] < patch.tar.Z

ssadm [-r screen_name] patch Backout [NOREBOOT] patchID

On routing-mode Screens, the standard Solaris patchadd and patchrm commands can be used.

If a SunScreen software patch is needed, detailed instructions are provided with the patch.

ssadm policy

ssadm policy creates, deletes, renames, or lists the defined policies.

Usage:

ssadm policy -a policies...

ssadm policy -c oldname newname

ssadm policy -d [-v] policies...

ssadm policy -l [-v] [policies...]

ssadm policy -r oldname newname

The table below describes the options for this command.

Table B-6 Options for policy Subcommand

Option    Description

-a        Creates policies with the specified names. The newly created policies contain no rules and reference the currently defined common objects.

-c        Creates a policy named newname as a copy of the existing policy named oldname.

-d        Deletes the named policies. The specified policies can be either generic policy names, such as Initial, or specific versions, such as Initial.3. When a generic policy name is specified and the -v option is specified, ssadm policy -d deletes all of the versions of the policy. When a specific version is specified, only that version is deleted.

-l        Lists the named policies (or all policies available if no policies are given). The -v option also lists all of the saved versions of the policies.

-r        Renames the existing policy oldname to newname.

ssadm product

ssadm product prints out a single line of text describing the SunScreen product in use.

Usage:

ssadm product

ssadm restore

ssadm restore reads a backup file from standard input. The backup file must have been created using the backup command.

Usage:

ssadm restore < file

ssadm spf2efs

ssadm spf2efs converts a set of configuration data saved from a SunScreen SPF-200 Screen into SunScreen format.

Usage:

ssadm spf2efs < file

ssadm sys_info

ssadm sys_info prints a description of the running SunScreen software.

Usage:

ssadm sys_info

For example:


# ssadm sys_info
Product:    SunScreen
Version:    Release 3.1, March 10 2000(v0310991418)
System Boot Time:    03/15/1999 03:51 PST
SunScreen Boot Time:    Mon Mar 13 03:51:56 PST 200

ssadm traffic_stats

ssadm traffic_stats reports summary information about the traffic flowing through the Screen, classified by interface.

Usage:

ssadm traffic_stats [interfaces...]