System Administration Commands                       smtnrhtp(1M)



NAME
     smtnrhtp - manage entries in the  trusted  network  template
     database

SYNOPSIS
     /usr/sadm/bin/smtnrhtp subcommand [authargs] -- [subcommandargs]


DESCRIPTION
     The smtnrhtp command  adds,  modifies,  deletes,  and  lists
     entries in the tnrhtp database.


     smtnrhtp subcommands are:

     add       Adds a new entry to the tnrhtp database. To add an
               entry,    the    administrator   must   have   the
               solaris.network.security.read                  and
               solaris.network.security.write authorizations.


     modify    Modifies an  entry  in  the  tnrhtp  database.  To
               modify  an  entry, the administrator must have the
               solaris.network.security.read                  and
               solaris.network.security.write authorizations.


     delete    Deletes an entry from the tnrhtp database. To delete
               an   entry,   the   administrator  must  have  the
               solaris.network.security.read                  and
               solaris.network.security.write authorizations.


     list      Lists entries in the tnrhtp database. To  list  an
               entry,    the    administrator   must   have   the
               solaris.network.security.read authorization.


OPTIONS
     The  smtnrhtp  authentication  arguments,   authargs,   are
     derived  from  the smc argument set and are the same regard-
     less of which  subcommand  you  use.  The  smtnrhtp  command
     requires  the  Solaris  Management Console to be initialized
     for the command to succeed (see  smc(1M)).  After  rebooting
     the Solaris Management Console server, the first smc connec-
     tion can time out, so you might need to retry the command.


     The subcommand-specific options,  subcommandargs,  must  be
     preceded by the -- option.





SunOS 5.11          Last change: 31 Oct 2007                    1


  authargs
     The valid authargs are -D, -H, -l, -p, -r, and -u; they are
     all   optional.  If  no  authargs  are  specified,  certain
     defaults will be assumed and the user might be prompted  for
     additional  information,  such as a password for authentica-
     tion purposes. These letter options can also be specified by
     their equivalent option words preceded by a double dash. For
     example, you can use either -D or --domain.

     -D  --domain domain

         Specifies the default domain that you  want  to  manage.
         The syntax of domain is type:/hostname/domainname, where
         type is dns, ldap, or file; hostname is the name of the
         server;  and  domainname  is the name of the domain you
         want to manage.

         If you do not specify this option, the  Solaris  Manage-
         ment Console assumes the file default domain on whatever
         server you choose to manage, meaning  that  changes  are
         local  to the server. Toolboxes can change the domain on
         a tool-by-tool basis; this option specifies  the  domain
         for all other tools.


     -H  --hostname hostname:port

         Specifies the hostname and port to which  you  want  to
         connect.  If  you do not specify a port, the system con-
         nects to the default port, 898. If you  do  not  specify
         hostname:port,  the Solaris Management Console connects
         to the local host on port 898.


     -l  --rolepassword rolepassword

         Specifies the password for the rolename. If you specify
         a rolename but do not specify a rolepassword, the sys-
         tem prompts you to  supply  a  rolepassword.  Passwords
         specified on the command line can be seen by any user on
         the system, hence this option is considered insecure.


     -p  --password password

         Specifies the password for the username. If you do  not
         specify  a  password,  the  system  prompts you for one.
         Passwords specified on the command line can be  seen  by
         any  user on the system, hence this option is considered
         insecure.




     -r  --rolename rolename

         Specifies a role name for authentication. If you do  not
         specify this option, no role is assumed.


     -u  --username username

         Specifies the user name for authentication.  If  you  do
         not  specify  this option, the user identity running the
         console process is assumed.


     --

         This option is  required  and  must  always  follow  the
         preceding  options.  If  you  do not enter the preceding
         options, you must still enter the -- option.


  subcommandargs
     Descriptions and other argument options that  contain  white
     spaces must be enclosed in double quotes.

     -h                        Displays   the   command's   usage
                               statement.


     -n templatename           Specifies the  name  of  the  tem-
                               plate.


     -t hosttype               Specifies the host type of the new
                               host.  Valid  values are unlabeled
                               and cipso. The cipso host type  is
                               for  hosts  that use CIPSO (Common
                               IP Security Options - Tag  Type  1
                               only) to label packets.


     -x doi=doi-value          Specifies  the  DOI   value   (the
                               domain  of interpretation). In the
                               case of the unlabeled  host  type,
                               this  is the domain of interpreta-
                               tion for the deflabel.

                               The   domain   of   interpretation
                               defines   the  set  of  rules  for
                               translating between  the  external
                               or  internal representation of the
                               security attributes and their net-
                               work  representation. When systems
                               that are configured  with  Trusted
                               Extensions  software have the same
                               doi, they share that set of rules.
                               In  the case of the unlabeled host
                               type, these systems also share the
                               same    interpretation   for   the
                               default   attributes   that    are
                               assigned  to  the  unlabeled  tem-
                               plates that have that same doi.


     -x max=maximum-label      Specifies   the   maximum   label.
                               Together   with  min,  this  value
                               specifies the label  accreditation
                               range  for  the  remote hosts that
                               use this template. Values can be a
                               hex   value  or  string  (such  as
                               adminhigh).


     -x min=minimum-label      Specifies   the   minimum   label.
                               Together   with  max,  this  value
                               specifies the label  accreditation
                               range  for  the  remote hosts that
                               use  this  template.  For  gateway
                               systems,  min  and  max define the
                               default   range   for   forwarding
                               labeled  packets.  The label range
                               for routes  is  typically  set  by
                               using  a route(1M) subcommand with
                               the  -secattr  option.  When   the
                               label  range  for  routes  is  not
                               specified, the min to max range in
                               the  security  template  is  used.
                               Values  can  be  a  hex  value  or
                               string (such as adminlow).


     -x label=default-label    Specifies the default label  to be
                               applied   to  incoming  data  from
                               remote hosts that do  not  support
                               these attributes. This option does
                               not apply if  hosttype  is  cipso.
                               Values  can  be  a  hex  value  or
                               string (such as adminlow).


     -x slset=l1,l2,l3,l4      Specifies  a  set  of  sensitivity
                               labels.  For  gateway systems, the
                               labels in slset are used for  for-
                               warding  labeled packets. slset is
                               optional. You can  specify  up  to
                               four  label  values,  separated by
                               commas. Values can be a hex  value
                               or string (such as adminlow).


         o    One of the following  sets  of  arguments  must  be
              specified for subcommand add:

                -n templatename (

             o    -t cipso [ -x doi=doi-value -x min=minimum-label
                  -x max=maximum-label -x slset=l1,l2,l3,l4 ]

             o    -t unlabeled [ -x doi=doi-value -x min=minimum-label
                  -x max=maximum-label -x label=default-label
                  -x slset=l1,l2,l3,l4 ]

             o    -h

           )


         o    One of the following  sets  of  arguments  must  be
              specified for subcommand modify:

                -n templatename (

             o    -t cipso [ -x doi=doi-value -x min=minimum-label
                  -x max=maximum-label -x slset=l1,l2,l3,l4 ]

             o    -t unlabeled [ -x doi=doi-value -x min=minimum-label
                  -x max=maximum-label -x label=default-label
                  -x slset=l1,l2,l3,l4 ]

             o    -h

           )


         If the host type is changed, all  options  for  the  new
         host type must be specified.

         o    One of the following  sets  of  arguments  must  be
              specified for subcommand delete:

                -n templatename
                -h


         o    The following argument can be specified for subcom-
              mand list:

                -n templatename
                -h



EXAMPLES
     Example 1 Adding a New Entry to the Network  Template  Data-
     base


     The admin role connects to port 898 of the LDAP  server  and
     creates  the unlabeledntk entry in the tnrhtp database. The
     new template is assigned a host type of unlabeled, a  domain
     of  interpretation  of  1,  minimum label of public, maximum
     label of restricted, and a default label of needtoknow.  The
     administrator is prompted for the admin password.


       $ /usr/sadm/bin/smtnrhtp \
       add -D ldap:directoryname -H servername:898 -- \
       -n unlabeledntk -t unlabeled -x doi=1 \
       -x min=public -x max=restricted -x label="need to know"
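     As an added example (not from this manual page or the Solaris
     distribution), the following POSIX shell function builds an
     smtnrhtp command line from the argument-set rules above and
     refuses the -p and -l options that the page documents as
     insecure. SMC_AUTHARGS is an assumed environment variable
     holding the authargs.

```shell
#!/bin/sh
# Added example, not from the smtnrhtp(1M) page: assemble an smtnrhtp command
# line from the argument-set rules above and reject combinations the page rules
# out. SMC_AUTHARGS (an assumed variable) holds the authargs, e.g.
# "-D ldap:directoryname -H servername:898"; -p and -l are refused because the
# page documents them as insecure, so smtnrhtp prompts for the password instead.
# usage: build_tnrhtp_cmd SUBCOMMAND TEMPLATENAME [HOSTTYPE [key=value ...]]
build_tnrhtp_cmd() {
    sub=$1 name=$2 htype=$3
    shift $(( $# < 3 ? $# : 3 ))
    [ -n "$name" ] || { echo "error: -n templatename is required" >&2; return 1; }
    cmd="/usr/sadm/bin/smtnrhtp $sub"
    for a in ${SMC_AUTHARGS:-}; do
        case $a in
        -p|--password|-l|--rolepassword)
            echo "error: $a puts a password on the command line" >&2; return 1 ;;
        esac
        cmd="$cmd $a"
    done
    cmd="$cmd -- -n $name"
    case $sub in
    delete|list)   # these accept only -n (or -h); anything else is a mistake
        if [ -n "$htype" ] || [ $# -gt 0 ]; then
            echo "error: $sub takes only -n templatename" >&2; return 1
        fi ;;
    add|modify)
        case $htype in
        cipso|unlabeled) cmd="$cmd -t $htype" ;;
        *) echo "error: hosttype must be cipso or unlabeled" >&2; return 1 ;;
        esac
        for kv in "$@"; do
            key=${kv%%=*} val=${kv#*=}
            case $key in
            doi|min|max|slset) ;;
            label)   # a default label only applies to unlabeled hosts
                if [ "$htype" != unlabeled ]; then
                    echo "error: label does not apply to hosttype cipso" >&2; return 1
                fi ;;
            *) echo "error: unknown -x key '$key'" >&2; return 1 ;;
            esac
            case $val in   # values containing white space must be double-quoted
            *" "*) cmd="$cmd -x $key=\"$val\"" ;;
            *)     cmd="$cmd -x $key=$val" ;;
            esac
        done ;;
    *) echo "error: unknown subcommand '$sub'" >&2; return 1 ;;
    esac
    printf '%s\n' "$cmd"
}
```

     The function prints the assembled command line rather than
     running it, so the result can be reviewed before execution.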



EXIT STATUS
     The following exit values are returned:

     0    Successful completion.


     1    Invalid command syntax. A usage message displays.


     2    An error occurred while executing the command. An error
          message displays.


FILES
     The following files are used by the smtnrhtp command:

     /etc/security/tsol/tnrhtp    Trusted   network   remote-host
                                  templates.


ATTRIBUTES
     See attributes(5) for descriptions of the  following  attri-
     butes:

     ____________________________________________________________
    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    |_____________________________|_____________________________|
    | Availability                | SUNWmgts                    |
    |_____________________________|_____________________________|
    | Interface Stability         | Committed                   |
    |_____________________________|_____________________________|


SEE ALSO
     smc(1M), attributes(5)

NOTES
     The functionality described on this manual page is available
     only if the system is configured with Trusted Extensions.

WARNINGS
     Changing a template while the network is up can  change  the
     security view of an undetermined number of hosts.


     Allowing unlabeled hosts onto a Solaris  Trusted  Extensions
     network  is  a security risk. To avoid compromising the rest
     of your network, such hosts must be  trusted  in  the  sense
     that the administrator is certain that these unlabeled hosts
     will not be used to compromise the distributed system. These
     hosts should also be physically protected to restrict access
     to authorized individuals. If you cannot guarantee  that  an
     unlabeled  host  is physically secure from tampering, it and
     similar hosts should be isolated on a separate branch of the
     network.


     If the security template is modified while  the  network  is
     up,  the  changes  do  not  take  effect  immediately unless
     tnctl(1M) is used to update the template entries. Otherwise,
     the changes take effect when next polled by the trusted net-
     work daemon, tnd(1M). Administrators are allowed to add  new
     templates  and modify attributes of existing templates while
     the network is up.
