Configuration Editor
The configuration editor is the primary command-line tool for creating and manipulating the objects that control the operation of a Screen.
Configuration Editor Data Model
The table below lists the data types that compose the Data Model as maintained by the configuration editor (ssadm edit) and the ssadm policy command.
Table B-8 Configuration Editor Object Type Names|
Object Type Name |
Storage |
Access Method |
Description |
|---|---|---|---|
|
address |
common |
named |
Addresses of network elements |
|
screen |
common |
named |
Screen objects and their relationships |
|
state engine |
common (read only) |
named |
Filtering capabilities of packet filter engine. |
|
service |
common |
named |
Network services that can be filtered |
|
interface |
common |
named |
Network interfaces of a Screen. |
|
certificate |
common |
named |
Certificate used for SKIP or IKE connections |
|
key |
common |
named |
Manual encryption keys for IPsec manual mode and pre-shared keys for IKE usage |
|
time |
common |
named |
Time intervals for time-dependent rules |
|
authuser |
external |
named |
Users for administration and/or proxy access |
|
proxyuser |
external |
named |
Users for proxy access |
|
jar_hash |
external |
named |
Java archive hash (for HTTP proxy applet filtering) |
|
jar_sig |
external |
named |
Java archive signature (for HTTP proxy applet filtering) |
|
logmacro |
external |
named |
Log filtering macro definitions |
|
mail_relay |
external |
named |
Mail relays (for SMTP proxy mail filtering) |
|
mail_spam |
external |
named |
Spam domains (for SMTP proxy mail filtering) |
|
policy |
policy list |
named |
Multiple named polices for storing different configurations |
|
filter rule |
policy |
ordered |
Network traffic filtering/control/logging |
|
nat rule |
policy |
ordered |
NAT translations |
|
local access rule |
policy |
ordered |
Who can access the Screen for local administration and what they can do |
|
remote access rule |
policy |
ordered |
Who can access the Screen for remote administration and what they can do |
|
vars |
external |
named |
General environment-like configuration variables |
|
VPN gateway |
policy |
ordered |
Define which hosts (addresses) are protected by which Screens, and the encryption mechanisms to be employed |
|
VPN |
|
|
All vpngateway objects with the same name constitute / define (virtually) any given VPN. That name is used in filter rules, causing the VPN to use the encryption mechanisms of the vpngateway |
Object types marked as having common storage in the table are normally stored in the common objects registry that is not part of any individual policy. These objects are used by all policies, so changes to the common objects can affect the behavior of multiple policies. To edit the common objects, specify a policy name when starting the configuration editor even if you are not modifying any policy objects.
Object types marked as having policy storage in Table B-8 are stored as part of a policy. Policy objects often refer to common objects and, therefore, can behave differently depending on the value of common objects. For example, a policy can contain a rule object that allows address A to communicate with address B. The address objects A and B are defined in the common objects.
Object types marked as having external storage in the table are almost equivalent to common objects, but they are stored in a separate database that is not affected by the quit, reload, or save commands. Changes to these objects are always stored immediately, and persist even if the savecommand is not used.
Object types marked as having policy list storage in Table B-8 represent the names of the policies themselves. A policy currently being edited can be saved or cloned (or portions of it) into a new policy. Other policy requests, such as add, delete, and rename are provided by the ssadm policy command.
Configuration Editor Subcommands
The ssadm edit commands are used when running the configuration editor, which is responsible for maintaining the SunScreen configuration database.
The table below lists the SunScreen configuration editor ssadm edit subcommands and their descriptions. Many subcommands duplicate administration GUI functions, while others provide a context for other subcommands.
Table B-9 SunScreen Configuration Editor ssadm edit Subcommands|
edit Subcommand |
Description |
|---|---|
|
add |
Create or redefine an entry |
|
add_member |
Add member to an Address, Certificate, Key, or Service group |
|
authuser |
Manipulate the list of authorized users |
|
del[ete] |
Delete the specified entry of the given TYPE |
|
del[ete]_member |
Delete a member from an Address, Certificate, Key, or Service group |
|
insert |
Insert a new object of one of the ordered (indexed) types in a specified position in the corresponding list |
|
jar_hash |
Manipulate the list of JAR hashes used by the HTTP proxy |
|
jar_sig |
Manipulate the list of JAR signatures used by the HTTP proxy |
|
list |
Display all data for all entries or a specific entry of a given TYPE |
|
list_name |
Display the set of unique basenames and subtypes of all of a given TYPE |
|
load |
Load a policy into the configuration editor |
|
lock |
Lock the Registry and policy in anticipation of performing edits |
|
lock_status |
Return the status of the lock relative to this editor |
|
mail_relay |
Manipulate the list of mail relays used by the SMTP proxy |
|
mail_spam |
Manipulate the list of spam domains used by the SMTP proxy |
|
move |
Move an indexed entry from its current location in the ordered list to the new location |
|
proxyuser |
Manipulate the list of proxy users |
|
refer |
Determine if a named object of a given TYPE is referred to in the Registry or the current policy |
|
referlist |
Display a list of all entries in the Registry or the current policy that refer to a specified named-object of a given TYPE |
|
reload |
Discard any and all edits, if made, and reload the data into the editor from the database. |
|
rename |
Rename a specified named-object of a given TYPE |
|
renamereference |
Rename all references to a specified named-object of a given TYPE |
|
replace |
Replace an object at a specified index |
|
save |
Save all current edits to the Registry and policy |
|
saveas |
Save the data currently in the editor under new name |
|
search |
Search the Registry for objects that match specified criteria |
|
vars |
Manipulate general configuration variables |
|
verify |
Takes no arguments and verifies the currently loaded policy |
|
quit |
Cause the editor to terminate if there are no unsaved changes |
|
QUIT |
Cause the editor to terminate even if there are unsaved changes |
In the following command descriptions, name_TYPE indicates that it requires the name of an object of a particular TYPE. A pound sign (#) indicates that it needs an index. <KEYWORD> now indicates a keyword that previous SunScreen releases required and that now is optional.
add
Creates or redefines an entry.
Usage:
add TYPE parameters...
If a named-type is specified and an entry with that name already exists, it is replaced with the new entry. If it does not exist, one is created with the new name. All of the following have a similar request of add_nocheck, which does not perform consistency checking.
add address
add address "name_ADDRESS" <HOST> #.#.#.#
add address "name_ADDRESS" <RANGE> #.#.#.# #.#.#.#
add address "name_ADDRESS" #.#.#.# - #.#.#.#
add address "name_ADDRESS" #.#.#.#/#.#.#.#
add address "name_ADDRESS" #.#.#.#/#bits
add address "add address "name_ADDRESS" <GROUP> { "name_ADDRESS" ... } { "name_ADDRESS" ... }
The following fields are optional and can be specified in any order after the address keyword:
SCREEN "name_SCREEN"
COMMENT "comment string"
Note -
The addresses * and localhost are reserved and cannot be edited.
add screen
add screen "name_SCREEN"
The following fields are optional and can be specified in any order after the screen keyword:
MASTER "name_SCREEN"
HA_PRIMARY
HA_SECONDARY
TIMEOUT #
SNMP #.#.#.# ... (list can be empty; not output if empty list)
SNMP_TIMER # (if SNMP is set)
CDP {"on" if present, "off" otherwise}
RIP {"on" if present, "off" otherwise}
DNS {"on" if present, "off" otherwise}
NIS {"on" if present, "off" otherwise}
LOGSIZE # {default is 100 MBytes if not present}
DEST_CHECK {destination address checking}
STEALTH_NET #.#.#.# #.#.#.# {Network and Netmask for stealth type Interfaces}
STEALTH_NET #.#.#.#/#.#.#.#
STEALTH_NET #.#.#.#/#bits
HA_IP #.#.#.# (required if HA_PRIMARY is set)
HA_ETHER xx:xx:xx:xx:xx:xx (required if HA_PRIMARY is set)
COMMENT "comment string"
If the Screen is to be a CMG slave Screen, the following SKIP and/or IKE fields must be specified as well. They can be specified in any order after the SCREEN keyword. The SKIP fields are:
ADMIN_IP #.#.#.# or name_ADDRESS
ADMIN_CERTIFICATE "name_CERTIFICATE"
KEY "name_key_algorithm"
DATA "name_data_algorithm"
MAC "name_mac_algorithm"
COMPRESSION "name_compression_algorithm"
TUNNEL "name_address"
The IKE fields are:
ADMIN_IP #.#.#.# or "name_ADDRESS"
AH( "name_auth_algorithm" )
ESP( "name_encr_algorithm" )
ESP( "name_encr_algorithm", "name_auth_algorithm" )
Note -
At least one of the above must be present. At most, one of the ESP forms can be present.
IKE( "name_encr_algorithm", "name_auth_algorithm", "oakley_group_#", name_auth_method", name_CERTIFICATE" )
Note -
If both SKIP and IKE CMG are in use, only one instance of ADMIN_IP is allowed (or needed).
If the Screen is to be a CMG master Screen, the following SKIP and/or IKE fields must be specified as well. They can be specified in any order after the SCREEN keyword. The SKIP fields are:
ADMIN_IP #.#.#.# or "name_ADDRESS"
ADMIN_CERTIFICATE "name_CERTIFICATE"
The IKE fields are:
ADMIN_IP #.#.#.# or "name_ADDRESS"
IKE( "name_CERTIFICATE" )
Note -
If both SKIP and IKE CMG are in use, only one instance of ADMIN_IP is allowed (or needed).
The screen * is reserved and cannot be edited.
add service
add service "name_SERVICE" <SINGLE> filter ...
add service "name_SERVICE" GROUP "name_SERVICE" ...
For SINGLE services, a list of Filters follows the SINGLE keyword. The list must not be empty. Each Discriminator list also must not be empty. A Filter is of the form:
FORWARD "name_STATEENGINE" discriminator ...
REVERSE "name_STATEENGINE" discriminator ...
An individual discriminator is as follows:
PORT #
PORT #-# (No space is allowed before or after the - character)
BROADCAST #
BROADCAST #-#
An optional parameter for discriminators, which appears immediately after discriminator number or range it modifies, is:
PARAMETERS space-separated list of #
For GROUP services, a space-separated list of "name_SERVICE" entries follows the GROUP keyword.
The following fields are optional and can be specified in any order after the service keyword:
SCREEN "name_SCREEN"
COMMENT "comment string"
The service * is reserved and cannot be edited.
add interface
add interface "name_INTERFACE" type "name_ADDRESS"
type must be one of ADMIN, DISABLED, ROUTING, HA, or STEALTH.
The following fields are optional for stealth interface types and can be specified in any order after the interface keyword. Up to fiveROUTERs per stealth interface can be specified. More can be specified, but only five are used by the system. The system may use the five stealth interfaces randomly in any order
ROUTER #.#.#.#
The following fields are optional for all interface types and can be specified in any order after the "interface" keyword:
SCREEN "name_SCREEN"
COMMENT "comment string"
The following fields are optional for all interface types except DISABLED and can be specified in any order after the interface keyword.
LOG NONE {default if no LOG is specified}
LOG SUMMARY
LOG DETAIL
ICMP NONE
ICMP NET_UNREACHABLE
ICMP HOST_UNREACHABLE
ICMP PORT_UNREACHABLE
ICMP NET_FORBIDDEN
ICMP HOST_FORBIDDEN
SNMP {"on" if present, "off" otherwise}
add certificate
add certificate "name_CERTIFICATE" SINGLE NSID # MKID "#"
add certificate "name_CERTIFICATE" SINGLE IKE "ike certspec" ...
add certificate "name_CERTIFICATE" GROUP "name_CERTIFICATE" ...
add certificate "name_CERTIFICATE" { "name_CERTIFICATE" ... }
add certificate "name_CERTIFICATE" { "name_CERTIFICATE" ... } " { "name_CERTIFICATE" }
For GROUP certificates, a space-separated list of name_CERTIFICATE entries is given in the first pair of braces (or after the GROUP keyword).
For IKE certificate groups, a list of name_CERTIFICATE entries may also be given in the second pair of braces. Like the Address object, this second list represents certificates (or criteria) which are to be excluded. Unlike Address group objects, only a top-level Certificate group may have a non-empty exclusion list.
Note -
Groups which intermix SKIP and IKE Certificates are not allowed.
The following field is optional for SINGLE entries and may be specified in any order after the certificate keyword:
LOCAL "name_SCREEN"
The following fields are optional and can be specified in any order after the certificate keyword:
SCREEN "name_SCREEN"
COMMENT "comment string"
add key
add key "name_KEY" SINGLE hexadecimal key value
Note -
Key objects exist in the same namespace as Certificate objects. Therefore, you cannot use the same name for both. Keys can also have SCREEN and COMMENT option fields.
add time
add time "name_TIME"
The following fields are optional and can be specified in any order after the time keyword:
EVERYDAY
SUNDAY
MONDAY
TUESDAY
WEDNESDAY
THURSDAY
FRIDAY
SATURDAY
SCREEN "name_SCREEN"
COMMENT "comment string"
The time object * cannot be modified.
Following any of the *DAY keywords can be a time of day specification in the form {timespec ...} . timespec is a time range in the form:
Start Hour:Start Minute Stop Hour:Stop Minute
Examples are: { 1:00 2:30 } and { 1:00 2:30 4:00 6:00 }. Twenty-four-hour time format is used, so the valid times are 0:00 (starting at midnight) through 24:00 (ending at midnight).
add rule
add rule "name_SERVICE" name_ADDRESS
Appends the rule to the end of the list of rules in the policy. insert rule should be used to position a new rule into an existing policy.
The following fields are optional and can be specified in any order after the rule keyword:
ALLOW {default if no ACTION specified}
DENY
LOG NONE {also LOG_NONE, default if no LOG is specified}
LOG SUMMARY {also LOG_SUMMARY}
LOG DETAIL {also LOG_DETAIL}
LOG SESSION {also LOG_SESSION, only valid for ALLOW rules, will be error for DENY}
SNMP {"on" if present, "off" otherwise}
USER "name_USER" {required only if PROXY_FTP or PROXY_Telnet set below; optional if 'PROXY_HTTP' set below; otherwise not allowed}
TIME "name_TIME"
SCREEN "name_SCREEN"
COMMENT "comment string"
Any one of the following combo-fields is optional and only valid in a rule that has ALLOW specified. It can be specified anywhere after the rule keyword:
SKIP_VERSION_1 "name_CERTIFICATE" "name_CERTIFICATE" "name_KEY_ALGORITHM" "name_DATA_ALGORITHM"
SKIP_VERSION_2 "name_CERTIFICATE" "name_CERTIFICATE" "name_KEY_ALGORITHM" "name_DATA_ALGORITHM" "name_MAC_ALGORITHM" "name_COMPRESSION_ALGORITHM"
IPSEC SYMMETRIC AH(ah_spi_value, "name_AUTHENTICATION_ALGORITHM", "name_KEY")
IPSEC SYMMETRIC AH(ah_spi_value "name_AUTHENTICATION_ALGORITHM", "name_KEY") ESP( esp_spi_value, "name_ENCRYPTION_ALGORITHM", "name_KEY")
IPSEC SYMMETRIC ESP(esp_spi_value, "name_ENCRYPTION_ALGORITHM", "name_KEY",name_AUTHENTICATION_ALGORITHM", "name_KEY")
IPSEC FORWARD AH(ah_spi_value, "name_AUTHENTICATION_ALGORITHM", "name_KEY") ESP( esp_spi_value, "name_ENCRYPTION_ALGORITHM", "name_KEY") REVERSE AH(ah_spi_value, "name_AUTHENTICATION_ALGORITHM", "name_KEY") ESP( esp_spi_value, "name_ENCRYPTION_ALGORITHM", "name_KEY")
IPSEC IKE( "name_ENCRYPTION_ALGORITHM", name_AUTHENTICATION_ALGORITHM", OAKLEY_GROUP, "name_AUTHENTICATION_METHOD", "name_CERTIFICATE", name_CERTIFICATE")
IPSEC IKE( "name_ENCRYPTION_ALGORITHM", name_AUTHENTICATION_ALGORITHM", OAKLEY_GROUP, PRE-SHARED, "name_KEY")
The first three IPsec symmetric forms (those with SPI values) specify manual keying. The asymmetric manual key form uses forward and reverse directions with AH and ESP specified separately for each direction. The last two IPsec forms utilize Internet Key Exchange (IKE) keying. Of those, the first form uses certificates, the last uses pre-shared keying. For either of the IKE forms, one of the following three data security parameter options (phase 2 transforms) must be specified. It may be issued after the IPSEC keyword:
AH( "name_AUTHENTICATION_ALGORITHM" )
AH( "name_AUTHENTICATION_ALGORITHM" ) ESP( "name_ENCRYPTION_ALGORITHM" )
ESP( "name_ENCRYPTION_ALGORITHM",name_AUTHENTICATION_ALGORITHM" )
The following fields are optional and only valid within a SKIP_VERSION_1, SKIP_VERSION_2, or IPSEC combo-field. They can be specified in any order after the combo-field:
SOURCE_TUNNEL "name_ADDRESS"
DESTINATION_TUNNEL "name_ADDRESS"
One or both of the following fields must be specified in conjunction with either IPsec manual keying or IKE pre-shared keying. They indicate to the SunScreen compiler the (encryption) role being played by a given Screen. They can be specified in any order after the IPSEC combo-field. Tip: when in doubt, completely specify both Screen roles:
SOURCE_SCREEN name_SCREEN
DESTINATION_SCREEN name_SCREEN
For IKE with certified keying material, the Screen roles are determined automatically, by determining which certificate (source or destination) is local to the Screen for which a policy is being compiled. If both source and destination certificates are (or contain) local entities, the *_SCREEN option may be used to disambiguate roles.
The following field is optional and only valid in a rule that has DENY specified. It can be specified anywhere after the rule keyword:
ICMP NONE {also ICMP_NONE, default if nothing is specified}
ICMP NET_UNREACHABLE {also ICMP_NET_UNREACHABLE}
ICMP HOST_UNREACHABLE {also ICMP_HOST_UNREACHABLE}
ICMP PORT_UNREACHABLE {also ICMP_PORT_UNREACHABLE}
ICMP NET_FORBIDDEN {also ICMP_NET_FORBIDDEN}
ICMP HOST_FORBIDDEN {also ICMP_HOST_FORBIDDEN}
The following field is optional and only valid in a rule that has ALLOW specified and no SKIP, IKE, IPsec, or proxy information. It can be specified anywhere after the rule keyword:
VPN "name_VPN"
The following fields are optional and only valid in a rule that has not specified any SKIP, IKE, or IPsec information and no VPN. They can be specified anywhere after the rule keyword. Only one of them can be specified in a given rule.
PROXY_FTP
PROXY_HTTP
PROXY_SMTP
PROXY_Telnet
The following fields are optional and only valid in a rule that has specified PROXY_FTP. They can be specified anywhere after the PROXY_FTP keyword:
FTP_GET
NO_FTP_GET {default if FTP_GET not specified}
FTP_PUT
NO_FTP_PUT (default if FTP_PUT not specified}
FTP_CHDIR
NO_FTP_CHDIR {default if FTP_CHDIR not specified}
FTP_MKDIR
NO_FTP_MKDIR {default if FTP_MKDIR not specified}
FTP_RENAME
NO_FTP_RENAME {default if FTP_RENAME not specified}
FTP_REMOVE_DIR
NO_FTP_REMOVE_DIR {default if FTP_REMOVE_DIR not specified}
FTP_DELETE
NO_FTP_DELETE {default if FTP_DELETE not specified}
FTP_ALL {same as FTP_GET FTP_PUT FTP_CHDIR FTP_MKDIR FTP_RENAME FTP_REMOVE_DIR FTP_DELETE}
NO_FTP_ALL {default if no FTP options are present}
The following fields are optional and only valid in a rule that has specified PROXY_HTTP. They can be specified anywhere after the PROXY_HTTP keyword:
COOKIES
NO_COOKIES {default if COOKIES not specified}
ACTIVE_X
NO_ACTIVE_X {default if ACTIVE_X not specified}
SSL
NO_SSL {default if SSL not specified}
JAVA_SIGNATURE
JAVA_HASH
JAVA_SIGNATURE_HASH
JAVA
NO_JAVA {default if no other JAVA setting is specified}
HTTP_ALL {same as ACTIVE_X COOKIES JAVA SSL}
NO_HTTP_ALL {default if no HTTP options are present}
The following fields are optional and only valid in a rule that has specified PROXY_SMTP. They can be specified anywhere after the PROXY_SMTP keyword: RELAY
NO_RELAY {default if RELAY not specified}
add nat
In the following two subcommands, name_ADDRESS has four different meanings: the first is source, the second is destination, the third is translated source, and the fourth is translated destination.
add nat STATIC "name_ADDRESS" "name_ADDRESS" "name_ADDRESS" "name_ADDRESS"
add nat DYNAMIC "name_ADDRESS" "name_ADDRESS" "name_ADDRESS" "name_ADDRESS"
The following fields are optional and can be specified in any order after the nat keyword:
SCREEN "name_SCREEN"
COMMENT "comment string"
add accesslocal
add accesslocal USER "name_USER"
The following fields are optional and can be specified in any order after the accesslocal keyword:
SCREEN "name_SCREEN"
COMMENT "comment string"
add accessremote
add accessremote USER "name_USER""name_ADDRESS" SKIP_VERSION_1 "name_CERTIFICATE""name_KEY_ALGORITHM""name_DATA_ALGORITHM"
add accessremote USER "name_USER""name_ADDRESS" SKIP_VERSION_2 "name_CERTIFICATE""name_KEY_ALGORITHM" "name_DATA_ALGORITHM" "name_MAC_ALGORITHM""name_COMPRESSION_ALGORITHM"
add accessremote USER "name_USER""name_ADDRESS"IPSEC IKE( "name_ENCRYPTION_ALGORITHM", "name_AUTHENTICATION_ALGORITHM", OAKLEY_GROUP, "name_AUTHENTICATION_METHOD", "name_CERTIFICATE" )
For the IKE form, one of the following three data security parameter options (phase 2 transforms) must be specified. It may be issued after the IPSEC keyword:
AH( "name_AUTHENTICATION_ALGORITHM" )
AH( "name_AUTHENTICATION_ALGORITHM" ) ESP( "name_ENCRYPTION_ALGORITHM" )
ESP( "name_ENCRYPTION_ALGORITHM",name_AUTHENTICATION_ALGORITHM" )
The following field is optional for accessremote entries. It can be specified in any order after the accessremote keyword:
TUNNEL "name_ADDRESS" { if the remote machine is using tunneling }
The following fields are optional and can be specified in any order after the accesslocal/accessremote keyword:
PERMISSION ALL
PERMISSION WRITE
PERMISSION READ
PERMISSION STATUS
PERMISSION NONE { default if no PERMISSION is specified }
SCREEN "name_SCREEN"
COMMENT "comment string"
add vpngateway
add vpngateway "name_VPN" "name_ADDRESS" SKIP "name_CERTIFICATE"
add vpngateway "name_VPN" "name_ADDRESS" IPSEC IKE( "name_ENCRYPTION_ALGORITHM", name_AUTHENTICATION_ALGORITHM", OAKLEY_GROUP, "name_AUTHENTICATION_METHOD", "name_CERTIFICATE" )
For the IKE form, one of the following three data security parameter options (phase 2 transforms) must be specified. It may be issued after the IPSEC keyword:
AH( "name_AUTHENTICATION_ALGORITHM" )
AH( "name_AUTHENTICATION_ALGORITHM" ) ESP( "name_ENCRYPTION_ALGORITHM" )
ESP( "name_ENCRYPTION_ALGORITHM",name_AUTHENTICATION_ALGORITHM" )
For the SKIP form the following fields are required and can be specified in any order after the vpngateway keyword:
KEY "name_KEY_ALGORITHM"
DATA "name_DATA_ALGORITHM"
MAC "name_MAC_ALGORITHM"
COMPRESSION "name_COMPRESSION_ALGORITHM"
All vpngateway entries with the same name should have exactly the same encryption parameter settings, except for name_CERTIFICATE.
The following fields are optional and can be specified in any order after the vpngateway keyword:
TUNNEL "name_ADDRESS"
COMMENT "comment string"
add_member
Adds a member to a group or list.
Usage:
add_member address "name_ADDRESS" "name_ADDRESS"* { add to include list }
add_member address "name_ADDRESS" EXCLUDE "name_ADDRESS"* { add to exclude list }
add_member service "name_SERVICE""name_SERVICE"*
add_member certificate "name_CERTIFICATE""name_CERTIFICATE"* { add to include list }
add_member certificate "name_CERTIFICATEEXCLUDE "name_CERTIFICATE"* { add to exclude list; certificate groups can have exclude lists, which behave syntactically like address groups}
Note -
The * denotes that multiple space-separated names can be specified in a single request.
The following field may be necessary to uniquely identify an entry. If so, you can specify it after the TYPE keyword:
SCREEN "name_SCREEN"
authuser
Manipulates the list of authorized users.
Usage:
authuser add name parameters...
authuser delete name
authuser print
authuser names
See "Authorized User" for detailed information.
delete
Deletes the specified entry of the given TYPE.
Usage:
del[ete] address "name_ADDRESS"
*del[ete] screen "name_SUNSCREEN"
del[ete] service "name_SERVICE"
del[ete] interface "name_INTERFACE"
del[ete] certificate "name_CERTIFICATE"
del[ete] time "name_TIME"
*del[ete] rule #
*del[ete] nat #
*del[ete] accesslocal #
*del[ete] accessremote #
*del[ete] vpngateway #
*del[ete] key name_KEY
The following field may be necessary to uniquely identify an entry. If so it can be specified after the TYPE keyword, except for the entries preceded by an * above:
SCREEN "name_SCREEN"
delete_member
Deletes a member from a group or list.
Usage:
del[ete]_member address "name_ADDRESS" "name_ADDRESS"* { from include list }
del[ete]_member address "name_ADDRESS" EXCLUDE "name_ADDRESS"* { from exclude list }
del[ete]_member service "name_SERVICE""name_SERVICE"*
del[ete]_member certificate "name_CERTIFICATE""name_CERTIFICATE"* { from include list }
del[ete]_member certificate "name_CERTIFICATE" EXCLUDE"name_CERTIFICATE" { from exclude list }
Note -
* denotes that multiple space-separated names can be specified in a single request.
The following field may be necessary to uniquely identify an entry. If so it can be specified after the TYPE keyword:
SCREEN "name_SCREEN"
insert
Inserts a new object of one of the ordered (indexed) types in a specified position in the corresponding list.
Usage:
insert rule # parameters...
insert nat # parameters...
insert accesslocal # parameters...
insert accessremote # parameters...
insert vpngateway # parameters...
Index indicates the position the new entry holds in the list after it is inserted. The same syntax used for add is used for insert, with the index coming immediately after the TYPE keyword.
jar_hash
Manipulates the list of JAR hashes used by the HTTP proxy.
Usage:
jar_hash add name hash
jar_hash del name
jar_hash rename oldname newname
jar_hash list
jar_hash list_names
Te table below describes the functions for this command.
Table B-10 Functions for jar_hash Subcommand|
Functions |
Description |
|---|---|
|
add |
Adds an entry to the jar_hash database. |
|
del |
Deletes an entry from the jar_hash database. |
|
list |
Lists the entries in the jar_hash database. |
|
list_names |
Lists the names of the entries in the jar_hash database |
|
rename |
Rename an entry in the jar_hash database |
jar_sig
Manipulates the list of JAR signatures used by the HTTP proxy.
Usage:
jar_sig add name sig-hash
jar_sig del name
jar_sig rename oldname newname
jar_sig list
jar_sig list_names
The table below describes the functions for this command.
Table B-11 Functions for jar_sig Subcommand|
Functions |
Description |
|---|---|
|
add |
Adds an entry to the jar_sig database. |
|
del |
Deletes an entry from the jar_sig database. |
|
list |
Lists the entries in the jar_sig database. |
|
list_names |
Lists the names of the entries in the jar_sig database |
|
rename |
Renames an entry in the jar_sig database |
list
Displays all data for all entries or a specific entry of a given TYPE. The format of the output is the same as the syntax of the corresponding Add TYPE request.
Usage:
*list address
list address "name_ADDRESS"
*list key
list keyname_KEY
*list screen
*list screen "name_SCREEN"
*list service
list service "name_SERVICE"
*list stateengine
*list stateengine "name_STATEENGINE"
*list interface
list interface "name_INTERFACE"
*list certificate
list certificate "name_CERTIFICATE"
*list time
list time "name_TIME"
*list rule
*list rule #
*list nat
*list nat #
*list accesslocal
*list accesslocal #
*list accessremote
*list accessremote #
*list vpngateway
*list vpngateway #
The SCREEN "name_SCREEN" field is optional and can be specified after the TYPE keyword in any of the above requests except those that are preceded by an asterisk ( * ).
If no SCREEN option is present, only entries not associated with a specific SCREEN are listed. If the SCREEN option value is * , then all entries that otherwise match are displayed. Requests that do not specify a name always display all entries of the given type.
list_name
Displays the set of unique basenames and subtype of all of a given TYPE. These are the values that can be used when another object refers to an object of the specified TYPE.
Usage:
list_name TYPE
TYPE can be any of address, screen, service, state engine, interface, certificate, key, time, or vpngateway.
load
Loads a policy into the configuration editor.
Usage:
load "name_POLICY"
Any edits to the current policy must be saved or discarded before this operation will succeed.
lock
M
Manipulates the lock that protects a policy from simultaneous modification by multiple administrators.
Usage:
ssadm lock -w policy
ssadm lock -c policy
ssadm lock -w prints a line of text describing the status of the lock.
ssadm lock -c forcibly breaks the lock and attempts to terminate (with a SIGHUP signal) the previous holder of the lock.
For example:
# ssadm lock -w Initial Lock held by admin@198.41.0.6 process id:8977 # ssadm lock -c Initial # ssadm lock -w Initial Lock available |
lock_status
Returns the status of the lock relative to this editor. If this editor holds a lock, the type of lock is returned. If it does not hold a lock, another process acquired a WRITE lock. If that WRITE lock is still in effect, information about that WRITER is presented. If that WRITE lock is no longer in effect, then lock available is returned.
Usage:
lock_status
search
Searches the registry for objects that match specified criteria.
Usage:
search TYPE [SCREEN "name_SCREEN"] [ SUBTYPE subtype ] <EXACT> Substring...
TYPE can be any of address, screen, service, state engine, interface, certificate, key, or time. SUBTYPE values depend upon the TYPE being searched according to the table below..
Table B-12 Search TYPE|
TYPE |
SUBTYPE |
|---|---|
|
address |
HOST, RANGE, GROUP |
|
certificate |
SINGLE, GROUP |
|
key | |
|
certificate |
SINGLE, GROUP |
|
interface |
ADMIN, DISABLED, ROUTING, HA, STEALTH |
|
screen |
|
|
service |
SINGLE, GROUP |
|
stateengine |
|
|
time |
|
The EXACT keyword requires a substring be specified and will only match entries whose name is an exact match.
move
Moves an indexed entry from its current location in the ordered list to the new location.
Usage:
move rule # #
move nat # #
move accesslocal # #
move accessremote # #
move vpngateway # #
replace
Replaces an object at a specified index.
Usage:
replace rule # parameters...
replace nat # parameters...
replace accesslocal # parameters...
replace accessremote # parameters...
replace vpngateway # parameters...
replace is similar to insert, except it replaces the entry at the specified index. It is shorthand for an insert n / del n+1 pair of requests. The same syntax used for add is used for replace, with the index coming immediately after the TYPE keyword.
refer
Determines if a named object of a given TYPE is referred to in the common data or the current policy.
Usage:
refer address "name_ADDRESS"
refer key "name_KEY"
refer screen "name_SCREEN"
refer service "name_SERVICE"
refer stateengine "name_STATEENGINE"
refer certificate "name_CERTIFICATE"
refer time "name_TIME"
refer vpn "name_VPN"
referlist
Displays a list of all entries in the common objects and/or the current policy that refer to a specified named-object of a given TYPE.
Usage:
referlist address "name_ADDRESS"
referlist screen "name_SCREEN"
referlist key "name_KEY"
referlist service "name_SERVICE"
referlist stateengine "name_STATEENGINE"
referlist certificate "name_CERTIFICATE"
referlist time "name_TIME"
referlist vpn "name_VPN"
rename
Renames a specified named object of a given TYPE.
Usage:
rename address "name_ADDRESS""name_ADDRESS"
rename key "name_KEY""name_KEY"
*rename screen "name_SCREEN""name_SCREEN"
rename service "name_SERVICE""name_SERVICE"
rename interface "name_INTERFACE" "name_INTERFACE"
rename certificate "name_CERTIFICATE""name_CERTIFICATE"
rename time "name_TIME" "name_TIME"
The following field may be necessary to uniquely identify an entry. If so it can be specified after the TYPE keyword except for the entries preceded by an * above:
SCREEN "name_SCREEN"
If an entry already exists with the new name, it is replaced by this operation.
renamereference
Renames all references to a specified named object of a given TYPE.
Usage:
renamereference address "name_ADDRESS" "name_ADDRESS"
renamereference key "name_KEY" "name_KEY"
renamereference screen "name_SCREEN" "name_SCREEN"
renamereference service "name_SERVICE" "name_SERVICE"
renamereference certificate "name_CERTIFICATE" "name_CERTIFICATE"
renamereference time "name_TIME" "name_TIME"
renamereference vpn "name_VPN" "name_VPN"
save
Saves any current edits. It also creates a new version of the policy.
Usage:
save
save "name_POLICY"
If a name is specified, the current policy is written to the new name, but it remains the policy in the editor until you activate the policy written to the new name.
saveas
Saves the data currently in the editor under a new name.
Usage:
saveas policy "name_POLICY"
saveas policy "name_POLICY" registry Registry
saveas policy "name_POLICY" registry "name_POLICY"
saveas policy registry Registry
These are the only supported legal requests. The first saves the current policy data under the new name with a reference to the current common objects. The second saves the policy data under the new name and overwrites the current common objects with whatever is currently in the editor. This may affect other policies and should be done with caution. The third saves the contents of the editor, policy objects and common objects into a single self-contained policy file of the specified name. The last saves the common objects currently in the editor as the current common objects. This may affect other policies and should be done with caution.
reload
Discards any and all edits (if any were made) and reloads the data into the editor from the database. If another process has performed edits and saved them since the current editor process loaded its data, those edits will be lost if a reload is not performed before the current editor process makes further edits.
Usage:
reload
verify
Takes no arguments and verifies the currently loaded policy.
Usage:
verify
mail_relay
Manipulates the list of allowed and disallowed destination domains used by the SMTP proxy.
Usage:
mail_relay add relay_domain
mail_relay add !relay_domain
mail_relay del relay_domain
mail_relay del !relay_domain
mail_relay list
add adds a domain suffix string to be allowed (or disallowed, if preceded by a !) in recipients of mail messages.. del deletes a domain suffix string. list produces a list of the current set of relay domain suffixes.
mail_spam
Manipulates the list of "spam" domains or addresses used by the SMTP proxy.
Usage:
mail_spam add spam_domain
mail_spam add IPaddress
mail_spam add IPstartaddress..IPendaddress
mail_spam del spam_domain
mail_spam del IPaddress
mail_spam del IPstartaddress..IPendaddress
mail_spam list
add adds a domain suffix string to be blocked as an origin of incoming mail messages. add can also be configured to use an IP address or range of addresses; this blocks incoming messages from the addressed hosts lacking registered domain names. del removes a spam_domain suffix or IP address spam restrictor. list produces a list of the current set of spam restrictors.
proxyuser
Manipulates the list of proxy users.
Usage:
proxyuser add name parameters...
proxyuser delete name
proxyuser print
See "Proxy Users" for detailed information.
vars
Manipulates general-purpose SunScreen variable objects.
Usage:
vars add varkey varvalue
vars del varkey
vars print [,sortopt] [varkey]
vars names [,sortopt]
varkey is of the form:
[ SYS=scrnname ]
[ PRG=prgname [ PGRP=pgrpname ] ]
NAME=name
quit
Causes the editor to terminate if there are no unsaved changes.
Usage:
quit
When the editor is used interactively, typing quit twice consecutively causes the editor to terminate even if there are unsaved changes.
QUIT
QUIT (typed in upper case) causes the editor to terminate even if there are unsaved changes.
Usage:
QUIT
- © 2010, Oracle Corporation and/or its affiliates