tnctl(1M)               System Administration Commands               tnctl(1M)

NAME

       tnctl - configure Trusted Extensions network parameters

SYNOPSIS

       /usr/sbin/tnctl [-dfv] [-h host [/prefix] [:template]]
            [-m zone:mlp:shared-mlp] [-t template [:key=val [;key=val]]]
            [-HTz file]

DESCRIPTION

       tnctl provides an interface to manipulate trusted network parameters in
       the Solaris kernel.

       As part of Solaris Trusted Extensions initialization, tnctl is run in
       the global zone by an smf(5) script during system boot. The tnctl
       command is not intended to be used during normal system administration.
       Instead, if a local trusted networking database file is modified
       without using the Solaris Management Console, the administrator first
       issues tnchkdb(1M) to check the syntax, and then refreshes the kernel
       copy with this command:

         # svcadm restart svc:/network/tnctl

       See WARNINGS about the risks of changing remote host and template
       information on a running system.

OPTIONS

       -d

           Delete matching entries from the kernel. The default is to add new
           entries.

           When deleting MLPs, the MLP range must match exactly. MLPs are
           specified in the form:

             port[-port]/protocol

           Where port can be a number in the range 1 to 65535, or any known
           service (see services(4)), and protocol can be a number in the
           range 1 to 255, or any known protocol (see protocols(4)).

       -f

           Flush all kernel entries before loading the entries that are
           specified on the command line. The flush does not take place unless
           at least one entry parsed successfully.

       -v

           Turn on verbose mode.

       -h host[/prefix][:template]

           Update the kernel remote-host cache on the local host for the
           specified host or, if a template name is given, change the kernel's
           cache to use the specified template. If prefix is not specified,
           then an implied prefix length is determined according to the rules
           used for interpreting the tnrhdb. If -d is specified, then a
           template name cannot be specified.

       -m zone:mlp:shared-mlp

           Modify the kernel's multilevel port (MLP) configuration cache for
           the specified zone. zone specifies the zone to be updated. mlp and
           shared-mlp specify the MLPs for the zone-specific and shared IP
           addresses. The shared-mlp field is effective in the global zone
           only.

       -t template[:key=val[;key=val]]

           Update the kernel template cache for template or, if a list of
           key=val pairs is given, change the kernel's cache to use the
           specified entry. If -d is specified, then key=val pairs cannot be
           specified.

       -T file

           Load all template entries in file into the kernel cache.

       -H file

           Load all remote host entries in file into the kernel cache.

       -z file

           Load just the global zone's MLPs from file into the kernel cache.
           To reload MLPs for a non-global zone, reboot the zone:

             # zoneadm -z non-global zone reboot
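
       The exact-match rule that -d applies to MLPs, shown as an added Python
       example; it is not part of the original manual page or of tnctl. The
       names MLP, parse_mlp, classify_delete and LOADED are hypothetical, and
       the handling of service names inside a range is an assumption noted in
       the code.

```python
import socket
from typing import NamedTuple

class MLP(NamedTuple):
    low: int
    high: int
    proto: int

def _resolve(token, lo, hi, by_name):
    """Return token as an int in [lo, hi]; non-numeric tokens go through by_name."""
    try:
        value = int(token) if token.isdigit() else by_name(token)
    except (OSError, ValueError):
        raise ValueError(f"unknown service or protocol name: {token!r}")
    if not lo <= value <= hi:
        raise ValueError(f"{token!r} is outside {lo}-{hi}")
    return value

def parse_mlp(spec):
    """Parse one port[-port]/protocol string into a normalized MLP tuple."""
    ports, slash, proto_tok = spec.strip().rpartition("/")
    if not slash or not ports or not proto_tok:
        raise ValueError(f"expected port[-port]/protocol, got {spec!r}")
    proto = _resolve(proto_tok, 1, 255, socket.getprotobyname)
    first, dash, last = ports.partition("-")
    # Assumption: a range is written with a numeric first port; anything else
    # (including hyphenated names such as ftp-data) is treated as one service.
    if dash and first.isdigit():
        low = _resolve(first, 1, 65535, socket.getservbyname)
        high = _resolve(last, 1, 65535, socket.getservbyname)
    else:
        low = high = _resolve(ports, 1, 65535, socket.getservbyname)
    if low > high:
        raise ValueError(f"reversed port range in {spec!r}")
    return MLP(low, high, proto)

def classify_delete(loaded, request):
    """Compare a -d request with loaded MLPs: 'exact', 'overlap' or 'absent'."""
    want = parse_mlp(request)
    parsed = [(entry, parse_mlp(entry)) for entry in loaded]
    exact = [e for e, m in parsed if m == want]
    if exact:
        return "exact", exact
    overlap = [e for e, m in parsed
               if m.proto == want.proto and m.low <= want.high and want.low <= m.high]
    return ("overlap", overlap) if overlap else ("absent", [])

# Constructed sample, not taken from a real system (protocol 6 = TCP, 17 = UDP).
LOADED = ["6000-6003/6", "111/6", "111/17"]
```

       An "overlap" result means the request touches a loaded range without
       matching it exactly, so the delete request needs to name the full
       loaded range instead.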

ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWtsu                      │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │Uncommitted                  │
       └─────────────────────────────┴─────────────────────────────┘

FILES

       /etc/security/tsol/tnrhdb

           Trusted network remote-host database

       /etc/security/tsol/tnrhtp

           Trusted network remote-host templates

       /etc/security/tsol/tnzonecfg

           Trusted zone configuration database

       /etc/nsswitch.conf

           Configuration file for the name service switch

SEE ALSO

       svcs(1), svcadm(1M), tninfo(1M), tnd(1M), tnchkdb(1M), zoneadm(1M),
       nsswitch.conf(4), protocols(4), services(4), attributes(5), smf(5)

       How to Synchronize Kernel Cache With Network Databases in Solaris
       Trusted Extensions Administrator's Procedures

WARNINGS

       Changing a template while the network is up can change the security
       view of an undetermined number of hosts.

NOTES

       The functionality described on this manual page is available only if
       the system is configured with Trusted Extensions.

       The tnctl service is managed by the service management facility,
       smf(5), under the service identifier:

         svc:/network/tnctl

       The service's status can be queried by using svcs(1). Administrative
       actions on this service, such as refreshing the kernel cache, can be
       performed using svcadm(1M), as in:

         svcadm restart svc:/network/tnctl

SunOS 5.11                        6 Mar 2008                         tnctl(1M)