smtnrhtp(1M)            System Administration Commands            smtnrhtp(1M)

NAME
     smtnrhtp - manage entries in the trusted network template database

SYNOPSIS
     /usr/sadm/bin/smtnrhtp subcommand [auth_args] -- [subcommand_args]

DESCRIPTION
     The smtnrhtp command adds, modifies, deletes, and lists entries in the
     tnrhtp database.

     smtnrhtp subcommands are:

     add       Adds a new entry to the tnrhtp database. To add an entry, the
               administrator must have the solaris.network.security.read and
               solaris.network.security.write authorizations.

     modify    Modifies an entry in the tnrhtp database. To modify an entry,
               the administrator must have the solaris.network.security.read
               and solaris.network.security.write authorizations.

     delete    Deletes an entry from the tnrhtp database. To delete an entry,
               the administrator must have the solaris.network.security.read
               and solaris.network.security.write authorizations.

     list      Lists entries in the tnrhtp database. To list an entry, the
               administrator must have the solaris.network.security.read
               authorization.

OPTIONS
     The smtnrhtp authentication arguments, auth_args, are derived from the
     smc argument set and are the same regardless of which subcommand you
     use. The smtnrhtp command requires the Solaris Management Console to be
     initialized for the command to succeed (see smc(1M)). After rebooting
     the Solaris Management Console server, the first smc connection can
     time out, so you might need to retry the command.

     The subcommand-specific options, subcommand_args, must be preceded by
     the -- option.

   auth_args
     The valid auth_args are -D, -H, -l, -p, -r, and -u; they are all
     optional. If no auth_args are specified, certain defaults will be
     assumed and the user might be prompted for additional information, such
     as a password for authentication purposes. These letter options can
     also be specified by their equivalent option words preceded by a double
     dash. For example, you can use either -D or --domain.

     -D | --domain domain

         Specifies the default domain that you want to manage. The syntax is
         domain=type:/host_name/domain_name, where type is dns, ldap, or
         file; host_name is the name of the server; and domain_name is the
         name of the domain you want to manage.

         If you do not specify this option, the Solaris Management Console
         assumes the file default domain on whatever server you choose to
         manage, meaning that changes are local to the server. Toolboxes can
         change the domain on a tool-by-tool basis; this option specifies
         the domain for all other tools.

     -H | --hostname host_name:port

         Specifies the host_name and port to which you want to connect. If
         you do not specify a port, the system connects to the default port,
         898. If you do not specify host_name:port, the Solaris Management
         Console connects to the local host on port 898.

     -l | --rolepassword role_password

         Specifies the password for the role_name. If you specify a
         role_name but do not specify a role_password, the system prompts
         you to supply a role_password. Passwords specified on the command
         line can be seen by any user on the system, hence this option is
         considered insecure.

     -p | --password password

         Specifies the password for the user_name. If you do not specify a
         password, the system prompts you for one. Passwords specified on
         the command line can be seen by any user on the system, hence this
         option is considered insecure.

     -r | --rolename role_name

         Specifies a role name for authentication. If you do not specify
         this option, no role is assumed.

     -u | --username user_name

         Specifies the user name for authentication. If you do not specify
         this option, the user identity running the console process is
         assumed.

     --

         This option is required and must always follow the preceding
         options. If you do not enter the preceding options, you must still
         enter the -- option.

   subcommand_args
     Descriptions and other argument options that contain white spaces must
     be enclosed in double quotes.

     -h                       Displays the command's usage statement.

     -n templatename          Specifies the name of the template.

     -t hosttype              Specifies the host type of the new host.
                              Valid values are unlabeled and cipso. The
                              cipso host type is for hosts that use CIPSO
                              (Common IP Security Options - Tag Type 1
                              only) to label packets.

     -x doi=doi-value         Specifies the DOI value (the domain of
                              interpretation). In the case of the unlabeled
                              host type, this is the domain of
                              interpretation for the def_label.

                              The domain of interpretation defines the set
                              of rules for translating between the external
                              or internal representation of the security
                              attributes and their network representation.
                              When systems that are configured with Trusted
                              Extensions software have the same doi, they
                              share that set of rules. In the case of the
                              unlabeled host type, these systems also share
                              the same interpretation for the default
                              attributes that are assigned to the unlabeled
                              templates that have that same doi.

     -x max=maximum-label     Specifies the maximum label. Together with
                              min, this value specifies the label
                              accreditation range for the remote hosts that
                              use this template. Values can be a hex value
                              or string (such as admin_high).

     -x min=minimum-label     Specifies the minimum label. Together with
                              max, this value specifies the label
                              accreditation range for the remote hosts that
                              use this template. For gateway systems, min
                              and max define the default range for
                              forwarding labeled packets. The label range
                              for routes is typically set by using a
                              route(1M) subcommand with the -secattr option.
                              When the label range for routes is not
                              specified, the min to max range in the
                              security template is used. Values can be a
                              hex value or string (such as admin_low).

     -x label=default-label   Specifies the default label to be applied to
                              incoming data from remote hosts that do not
                              support these attributes. This option does
                              not apply if hosttype is cipso. Values can be
                              a hex value or string (such as admin_low).

     -x slset=l1,l2,l3,l4     Specifies a set of sensitivity labels. For
                              gateway systems, the labels in slset are used
                              for forwarding labeled packets. slset is
                              optional. You can specify up to four label
                              values, separated by commas. Values can be a
                              hex value or string (such as admin_low).

     o   One of the following sets of arguments must be specified for
         subcommand add:

         -n templatename (

             o   -t cipso [ -x doi=doi-value -x min=minimum-label -x
                 max=maximum-label -x slset=l1,l2,l3,l4 ] |

             o   -t unlabeled [ -x doi=doi-value -x min=minimum-label -x
                 max=maximum-label -x label=default-label -x
                 slset=l1,l2,l3,l4 ] |

             o   -h

         )

     o   One of the following sets of arguments must be specified for
         subcommand modify:

         -n templatename (

             o   -t cipso [ -x doi=doi-value -x min=minimum-label -x
                 max=maximum-label -x slset=l1,l2,l3,l4 ] |

             o   -t unlabeled [ -x doi=doi-value -x min=minimum-label -x
                 max=maximum-label -x label=default-label -x
                 slset=l1,l2,l3,l4 ] |

             o   -h

         )

         If the host type is changed, all options for the new host type must
         be specified.

     o   One of the following sets of arguments must be specified for
         subcommand delete:

         -n templatename |
         -h

     o   The following argument can be specified for subcommand list:

         -n templatename |
         -h

EXAMPLES
     Example 1 Adding a New Entry to the Network Template Database

     The admin role connects to port 898 of the LDAP server and creates the
     unlabeled_ntk entry in the tnrhtp database. The new template is
     assigned a host type of unlabeled, a domain of interpretation of 1,
     minimum label of public, maximum label of restricted, and a default
     label of needtoknow. The administrator is prompted for the admin
     password.

       $ /usr/sadm/bin/smtnrhtp \
         add -D ldap:directoryname -H servername:898 -- \
         -n unlabeled_ntk -t unlabeled -x doi=1 \
         -x min=public -x max=restricted -x label="need to know"
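
     A pre-flight checker for the subcommand_args sets listed under OPTIONS
     and for the auth_args password warning, added here as an illustration;
     it is not part of the smtnrhtp(1M) page or of Solaris. The helper names
     validate_template, safe_auth_args and build_add_cmd are hypothetical.
     The script only assembles and checks a command line, so it never
     touches the tnrhtp database and runs under any POSIX shell; the
     argument values it is exercised with are the ones from Example 1.

```shell
#!/bin/sh
# Added example (not from the smtnrhtp(1M) page or Solaris): pre-flight checks
# for smtnrhtp subcommand_args and auth_args. The functions are hypothetical
# helpers; they build and check a command line but never execute it.

# validate_template HOSTTYPE [KEY=VALUE ...]
# Returns 0 when the -x key=value list is a legal set for HOSTTYPE as the
# man page documents it, 1 otherwise (reason on stderr).
validate_template() {
    hosttype=$1
    shift
    case $hosttype in
        cipso|unlabeled) ;;
        *)  echo "hosttype must be cipso or unlabeled, got: $hosttype" >&2
            return 1 ;;
    esac
    for kv in "$@"; do
        case $kv in
            *=*) ;;
            *)  echo "expected key=value, got: $kv" >&2; return 1 ;;
        esac
        key=${kv%%=*}
        val=${kv#*=}
        case $key in
            doi)
                # the domain of interpretation is a number
                case $val in
                    ''|*[!0-9]*) echo "doi must be an integer, got: $val" >&2
                                 return 1 ;;
                esac ;;
            min|max)
                # hex value or label string (admin_low, admin_high, ...)
                [ -n "$val" ] || { echo "$key needs a label" >&2; return 1; } ;;
            label)
                # the default label applies only to unlabeled hosts
                if [ "$hosttype" = cipso ]; then
                    echo "label= does not apply when hosttype is cipso" >&2
                    return 1
                fi ;;
            slset)
                # at most four comma-separated labels
                n=$(printf '%s\n' "$val" | awk -F, '{ print NF }')
                if [ "$n" -gt 4 ]; then
                    echo "slset allows at most four labels, got $n" >&2
                    return 1
                fi ;;
            *)  echo "unknown -x option: $kv" >&2
                return 1 ;;
        esac
    done
    return 0
}

# safe_auth_args ARG...
# Returns 1 when a password is given on the command line (-p/--password or
# -l/--rolepassword): the page notes it is then visible to any user on the
# system, so omit it and let smtnrhtp prompt for it instead.
safe_auth_args() {
    for a in "$@"; do
        case $a in
            -p|--password|-l|--rolepassword)
                echo "omit $a: command-line passwords are visible in ps" >&2
                return 1 ;;
        esac
    done
    return 0
}

# build_add_cmd TEMPLATENAME HOSTTYPE [KEY=VALUE ...]
# Prints the smtnrhtp add command line (no auth_args, so the file domain on
# the local host is assumed) once validate_template accepts the arguments.
# Values containing white space are double-quoted, as the page requires.
build_add_cmd() {
    name=$1
    hosttype=$2
    shift 2
    validate_template "$hosttype" "$@" || return 1
    cmd="/usr/sadm/bin/smtnrhtp add -- -n $name -t $hosttype"
    for kv in "$@"; do
        case $kv in
            *[[:space:]]*) cmd="$cmd -x \"$kv\"" ;;
            *)             cmd="$cmd -x $kv" ;;
        esac
    done
    printf '%s\n' "$cmd"
}

# Stand-alone use: "sh checker.sh demo" rebuilds Example 1 from the page.
if [ "${1-}" = demo ]; then
    build_add_cmd unlabeled_ntk unlabeled doi=1 min=public max=restricted \
        "label=need to know"
fi
```

     Run the checks before the real invocation: when validate_template and
     safe_auth_args both succeed, the printed line is the command to hand to
     smtnrhtp, with any password entered at the prompt rather than in argv.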
262
263
264
EXIT STATUS
     The following exit values are returned:

     0    Successful completion.

     1    Invalid command syntax. A usage message displays.

     2    An error occurred while executing the command. An error message
          displays.

FILES
     The following files are used by the smtnrhtp command:

     /etc/security/tsol/tnrhtp    Trusted network remote-host templates.

ATTRIBUTES
     See attributes(5) for descriptions of the following attributes:

     ┌─────────────────────────────┬─────────────────────────────┐
     │       ATTRIBUTE TYPE        │       ATTRIBUTE VALUE       │
     ├─────────────────────────────┼─────────────────────────────┤
     │Availability                 │SUNWmgts                     │
     ├─────────────────────────────┼─────────────────────────────┤
     │Interface Stability          │Committed                    │
     └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
     smc(1M), attributes(5)

NOTES
     The functionality described on this manual page is available only if
     the system is configured with Trusted Extensions.

     Changing a template while the network is up can change the security
     view of an undetermined number of hosts.

     Allowing unlabeled hosts onto a Solaris Trusted Extensions network is a
     security risk. To avoid compromising the rest of your network, such
     hosts must be trusted in the sense that the administrator is certain
     that these unlabeled hosts will not be used to compromise the
     distributed system. These hosts should also be physically protected to
     restrict access to authorized individuals. If you cannot guarantee that
     an unlabeled host is physically secure from tampering, it and similar
     hosts should be isolated on a separate branch of the network.

     If the security template is modified while the network is up, the
     changes do not take effect immediately unless tnctl(1M) is used to
     update the template entries. Otherwise, the changes take effect when
     next polled by the trusted network daemon, tnd(1M). Administrators are
     allowed to add new templates and modify attributes of existing
     templates while the network is up.



SunOS 5.11                       31 Oct 2007                      smtnrhtp(1M)