smtnzonecfg(1M) System Administration Commands smtnzonecfg(1M)NAMEsmtnzonecfg - manage entries in the zone configuration database for
Trusted Extensions networking
SYNOPSIS
/usr/sadm/bin/smtnzonecfg subcommand [auth_args] -- [subcommand_args]
DESCRIPTION
The smtnzonecfg command adds, modifies, deletes, and lists entries in
the tnzonecfg database.
smtnzonecfg subcommands are:
add Adds a new entry to the tnzonecfg database. To add an entry,
the administrator must have the solaris.network.host.write
and solaris.network.security.write authorizations.
modify Modifies an entry in the tnzonecfg database. To modify an
entry, the administrator must have the solaris.net‐
work.host.write and solaris.network.security.write authoriza‐
tions.
delete Deletes an entry from the tnzonecfg database. To delete an
entry, the administrator must have the solaris.net‐
work.host.write and solaris.network.security.write authoriza‐
tions.
list Lists entries in the tnzonecfg database. To list an entry,
the administrator must have the solaris.network.host.read and
solaris.network.security.read authorizations.
OPTIONS
The smtnzonecfg authentication arguments, auth_args, are derived from
the smc argument set and are the same regardless of which subcommand
you use. The smtnzonecfg command requires the Solaris Management Con‐
sole to be initialized for the command to succeed (see smc(1M)). After
rebooting the Solaris Management Console server, the first smc connec‐
tion can time out, so you might need to retry the command.
The subcommand-specific options, subcommand_args, must be preceded by
the -- option.
auth_args
The valid auth_args are -D, -H, -l, -p, -r, and -u; they are all
optional. If no auth_args are specified, certain defaults will be
assumed and the user can be prompted for additional information, such
as a password for authentication purposes. These letter options can
also be specified by their equivalent option words preceded by a double
dash. For example, you can use either -D or --domain.
-D | --domain domain
Specifies the default domain that you want to manage. The syntax of
domain=type:/host_name/domain_name, where type is dns, ldap, or
file; host_name is the name of the server; and domain_name is the
name of the domain you want to manage.
If you do not specify this option, the Solaris Management Console
assumes the file default domain on whatever server you choose to
manage, meaning that changes are local to the server. Toolboxes can
change the domain on a tool-by-tool basis. This option specifies
the domain for all other tools.
-H | --hostname host_name:port
Specifies the host_name and port to which you want to connect. If
you do not specify a port, the system connects to the default port,
898. If you do not specify host_name:port, the Solaris Management
Console connects to the local host on port 898.
-l | --rolepassword role_password
Specifies the password for the role_name. If you specify a
role_name but do not specify a role_password, the system prompts
you to supply a role_password. Passwords specified on the command
line can be seen by any user on the system, hence this option is
considered insecure.
-p | --password password
Specifies the password for the user_name. If you do not specify a
password, the system prompts you for one. Passwords specified on
the command line can be seen by any user on the system, hence this
option is considered insecure.
-r | --rolename role_name
Specifies a role name for authentication. If you do not specify
this option, no role is assumed.
-u | --username user_name
Specifies the user name for authentication. If you do not specify
this option, the user identity running the console process is
assumed.
--
This option is required and must always follow the preceding
options. If you do not enter the preceding options, you must still
enter the -- option.
subcommand_args
Descriptions and other argument options that contain white spaces must
be enclosed in double quotes.
-h
Displays the command's usage statement.
-n zonename
Specifies the zone name for the entry. This name is used when the
zone is configured. See zonecfg(1M), under the -z zonename option,
for the constraints on zone names. The specified zone name must be
one of the configured zones on the system. The following command
returns a list of configured zones:
/usr/sbin/zoneadm list -c
-l label
Specifies the label for the zone. This field is used to label the
zone when the zone is booted. Each zone must have a unique label.
-x policymatch=0|1
Specifies the policy match level for non-transport traffic. Only
values of 0 (match the label) or 1 (be within the label range of
the zone) are accepted.
ICMP packets that are received on the global zone IP address are
accepted based on the label range of the global zone's security
template if the global zone's policymatch field is set to 1. When
this field is set to 0 for a zone, the zone will not respond to an
ICMP echo request from a host with a different label.
This subcommand argument is optional. If not specified, it will
have a default value of 0.
-x mlpzone=""|port/protocol
Specifies the multilevel port configuration entry for zone-specific
IP addresses. Multiple port/protocol combinations are separated by
a semi-colon. The empty string can be specified to remove all
existing MLP zone values. This subcommand argument is optional.
An MLP is used to provide multilevel service in the global zone as
well as in non-global zones. As an example of how a non-global zone
can use an MLP, consider setting up two labeled zones, internal and
public. The internal zone can access company networks; the public
zone can access public internet but not the company's internal net‐
works. For safe browsing, when a user in the internal zone wants to
browse the Internet, the internal zone browser forwards the URL to
the public zone, and the web content is then displayed in a public
zone web browser. That way, if the download in public zone compro‐
mises the web browser, it cannot affect the company's internal net‐
work. To set this up, TCP port 8080 in the public zone is an MLP
(8080/tcp), and the security template for the public zone has a
label range from PUBLIC to INTERNAL.
-x mlpshared=""|port/protocol
Specifies the multilevel port configuration entry for shared IP
addresses. Multiple port/protocol combinations are separated by a
semi-colon. The empty string can be specified to remove all exist‐
ing MLP shared values. This subcommand argument is optional.
A shared IP address can reduce the total number of IP addresses
that are needed on the system, especially when configuring a large
number of zones. Unlike the case of the zone-specific IP address,
when MLPs are declared on shared IP addresses, only the global zone
can receive the incoming network traffic that is destined for the
MLP.
o One of the following sets of arguments must be specified for
subcommand add:
-n zonename -l label [-x policymatch=policy-match-level \
-x mlpzone=port/protocol;.... | \
-x mlpshared=port/protocol;.... ]
-h
o One of the following sets of arguments must be specified for
subcommand modify:
-n zonename [-l label] [-x policymatch=policy-match-level \
-x mlpzone=port/protocol;.... |\
-x mlpshared=port/protocol;.... ]
-h
o One of the following arguments must be specified for subcom‐
mand delete:
-n zonename |
-h
o The following argument can be specified for subcommand list:
-n zonename |
-h
EXAMPLES
Example 1 Adding a New Entry to the Zone Configuration Database
The admin role creates a new zone entry, public, with a label of pub‐
lic, a policy match level of 1, and a shared MLP port and protocol of
666 and TCP. The administrator is prompted for the admin password.
$ /usr/sadm/bin/smtnzonecfg add -- -n public -l public \
-x policymatch=1 -x mlpshared=666/tcp
Example 2 Modifying an Entry in the Zone Configuration Database
The admin role changes the public entry in the tnzonecfg database to
needtoknow. The administrator is prompted for the admin password.
$ /usr/sadm/bin/smtnzonecfg modify -- -n public -l needtoknow
Example 3 Listing the Zone Configuration Database
The admin role lists the entries in the tnzonecfg database. The admin‐
istrator is prompted for the admin password.
$ /usr/sadm/bin/smtnzonecfg list --
EXIT STATUS
The following exit values are returned:
0 Successful completion.
1 Invalid command syntax. A usage message displays.
2 An error occurred while executing the command. An error message
displays.
FILES
The following files are used by the smtnzonecfg command:
/etc/security/tsol/tnzonecfg
Trusted zone configuration database.
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
┌─────────────────────────────┬─────────────────────────────┐
│ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
├─────────────────────────────┼─────────────────────────────┤
│Availability │SUNWmgts │
├─────────────────────────────┼─────────────────────────────┤
│Interface Stability │Committed │
└─────────────────────────────┴─────────────────────────────┘
SEE ALSOsmc(1M), attributes(5)NOTES
The functionality described on this manual page is available only if
the system is configured with Trusted Extensions.
SunOS 5.11 31 Oct 2007 smtnzonecfg(1M)