The following Unix (shell) commands are available at your shell prompt when /opt/SUNWicg/SunScreen/bin is included in your $PATH.
ss_install
screenInstaller
adminInstaller
ssadm
ss_client
Commands used by the skiptool GUI can be found in the SunScreen SKIP 1.5 User's Guide.
The following table lists the SunScreen EFS 3.0 Unix (shell) commands and their descriptions. Many of these commands duplicate administration GUI functions, while others provide a context for other commands.
Table B-1 SunScreen EFS 3.0 Unix (shell) Command Summary
Unix Command | Description |
---|---|
ss_install | Run the text-based utility for creating the Initial SunScreen configuration. When combined with pkgadd, it is equivalent to using the installation-wizard graphical user interface. |
screenInstaller | Run the graphical user interface for installing the SunScreen EFS 3.0 software on the Screen and for setting up an initial policy. |
adminInstaller | Run the graphical user interface for installing the SunScreen EFS 3.0 software on the Administration Station. It is a quick way to add packages for the remote Administration Station. |
ss_client | Provide communication between an Administration Station and a Screen that is running an earlier SunScreen firewall product release. ss_client is provided only for the purpose of remotely administering such products using the SunScreen EFS 3.0 system as a remote Administration Station. |
ssadm | Primary command-line tool for SunScreen EFS 3.0 administration. ssadm sub-commands perform various operations such as editing and activating a SunScreen configuration, and examining the status of a Screen. |
ss_install is a text-based command-line utility run during SunScreen EFS 3.0 installation to create an initial configuration. ss_install, combined with pkgadd, is the command-line equivalent of the installation-wizard graphical user interface.
Usage: ss_install
ss_install interactively queries you with various configuration options, creates a configuration, stores it under the policy name "Initial", and activates it.
After ss_install is complete, the Screen is ready to be administered using the administration GUI or the command-line configuration editor and other tools.
screenInstaller runs the installation wizard that installs the SunScreen EFS 3.0 software on the Screen and creates the Initial configuration.
Usage: screenInstaller
adminInstaller runs the installation wizard that installs the SunScreen EFS 3.0 software on the Administration Station. It is also a quick way to add packages for the remote Administration Station.
Usage: adminInstaller
ss_client is equivalent to the command of the same name provided with earlier SunScreen firewall products, such as SunScreen EFS, Release 2.0, or SunScreen SPF-200. ss_client is provided only for the purpose of remotely administering such products using the SunScreen EFS 3.0 system as a remote Administration Station.
Usage: ss_client hostname command
For information on how to use ss_client to administer an earlier SunScreen firewall product, see the documentation for that product.
ssadm is the primary command-line tool for SunScreen EFS 3.0 administration. ssadm has a number of sub-commands that perform various operations such as editing and activating a configuration, and examining the status of a Screen.
The Unix command ssadm provides character-set translation between embedded strings and the local character set of the Solaris system on which it runs.
ssadm runs directly on a locally administered Screen, or indirectly from a remote Administration Station that is using SunScreen SKIP to encrypt IP network communications passing between them. See the SunScreen SKIP User's Guide for more information regarding SKIP encryption.
Usage:
ssadm [-b] [-n] sub-command [parameters...]
ssadm [-b] [-n] -r remotehost [-F ticketfile] sub-command [parameters...]
Options:
-b -- Allow binary data (instead of text) in standard input and output.
-n -- Do not read any input from standard input.
-r remotehost -- Access remote Screen using address or hostname remotehost.
-F ticketfile -- Use authorization ticket stored in ticketfile.
The available ssadm sub-commands are each described in the ssadm Sub-Command section of this document.
The -b option normally is not needed since those commands that process binary data automatically enable the binary mode. For example, ssadm backup, ssadm restore, ssadm log, ssadm logdump, and ssadm patch handle binary data even if -b is not specified.
When ssadm is executed locally on the Screen (that is, without the -r option) no login or authentication is required, but you must be superuser to have any effect.
When ssadm is used with the -r option to access a remote Screen, login authentication is required. You must use the ssadm login command to get a ticket that is used by subsequent invocations of ssadm to allow access to the remote Screen. Normally, the ticket is stored in a ticketfile, the name of which can be specified using the -F option, or through the SSADM_TICKET_FILE environment variable. See the ssadm login command for information about ticket files and remote administration using ssadm.
You can configure a local Screen by typing the commands listed in this appendix using the Screen's keyboard. For example, to activate a policy called "Initial," you would type:
# ssadm activate Initial
where ssadm is the command you want to execute, activate is the name of the ssadm sub-command, and Initial is the name of the policy you want to activate.
The ssadm command resides in the /opt/SUNWicg/SunScreen/bin directory. Include this directory in your directory search path to have access to the commands on the local Screen.
You can configure a Screen from a remote Administration Station by preceding the commands listed in this appendix with ssadm -r and the name of the Screen you want to administer. For example, to activate the policy "Initial" on a remote Screen called SunScreen1, you would type:
# ssadm -r SunScreen1 activate Initial
where ssadm -r indicates that you want to execute a command on a remote Screen called SunScreen1, activate is the name of the ssadm sub-command, and Initial is the name of the policy you want to activate.
A local ssadm command can be turned into a remote ssadm command by adding -r remote_screen_name immediately after ssadm.
When ssadm is used with the -r option to access a remote Screen, the name of the ticketfile can be specified using the -F option, or through the SSADM_TICKET_FILE environment variable.
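The remote form described above, wrapped so that the ticket file is checked before it is used. This is an added example, not part of the SunScreen documentation or software. The function names ticket_file_ok and ssadm_remote, the SSADM override variable, and the owner-only permission policy for the ticket file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the SunScreen documentation): a wrapper that
# refuses to run a remote ssadm command unless the ticket file looks private.
# Assumption: the ticket is a bearer credential, so the file should be a
# regular file with no group/other permission bits.

# ticket_file_ok FILE -> 0 if FILE is a regular, non-symlink file that only
# its owner can access.
ticket_file_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# ssadm_remote SCREEN SUB-COMMAND [PARAMETERS...]
# Builds: ssadm -r SCREEN -F ticketfile SUB-COMMAND [PARAMETERS...]
# SSADM (hypothetical override) names the binary; set SSADM=echo for a dry run.
ssadm_remote() {
    if [ $# -lt 2 ]; then
        echo "usage: ssadm_remote screen sub-command [parameters...]" >&2
        return 2
    fi
    screen=$1; shift
    # A screen name starting with "-" would be parsed by ssadm as an option.
    case $screen in
        -*|'') echo "refusing screen name: '$screen'" >&2; return 2 ;;
    esac
    ticket=${SSADM_TICKET_FILE:-}
    if [ -z "$ticket" ]; then
        echo "SSADM_TICKET_FILE is not set; run ssadm login first" >&2
        return 3
    fi
    if ! ticket_file_ok "$ticket"; then
        echo "ticket file $ticket is missing or accessible by others" >&2
        return 4
    fi
    "${SSADM:-ssadm}" -r "$screen" -F "$ticket" "$@"
}

# Example: ssadm_remote SunScreen1 activate Initial
```

With SSADM=echo the wrapper prints the arguments it would pass to ssadm instead of contacting the Screen.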