smtnzonecfg(1M)         System Administration Commands         smtnzonecfg(1M)


NAME

       smtnzonecfg - manage entries in the zone configuration database for
       Trusted Extensions networking


SYNOPSIS

       /usr/sadm/bin/smtnzonecfg subcommand [auth_args] -- [subcommand_args]


DESCRIPTION

       The smtnzonecfg command adds, modifies, deletes, and lists entries in
       the tnzonecfg database.

       smtnzonecfg subcommands are:

       add       Adds a new entry to the tnzonecfg database. To add an entry,
                 the administrator must have the solaris.network.host.write
                 and solaris.network.security.write authorizations.

       modify    Modifies an entry in the tnzonecfg database. To modify an
                 entry, the administrator must have the
                 solaris.network.host.write and
                 solaris.network.security.write authorizations.

       delete    Deletes an entry from the tnzonecfg database. To delete an
                 entry, the administrator must have the
                 solaris.network.host.write and
                 solaris.network.security.write authorizations.

       list      Lists entries in the tnzonecfg database. To list an entry,
                 the administrator must have the solaris.network.host.read and
                 solaris.network.security.read authorizations.


OPTIONS

       The smtnzonecfg authentication arguments, auth_args, are derived from
       the smc argument set and are the same regardless of which subcommand
       you use. The smtnzonecfg command requires the Solaris Management
       Console to be initialized for the command to succeed (see smc(1M)).
       After rebooting the Solaris Management Console server, the first smc
       connection can time out, so you might need to retry the command.

       The subcommand-specific options, subcommand_args, must be preceded by
       the -- option.

   auth_args
       The valid auth_args are -D, -H, -l, -p, -r, and -u; they are all
       optional. If no auth_args are specified, certain defaults are assumed
       and the user can be prompted for additional information, such as a
       password for authentication purposes. These letter options can also be
       specified by their equivalent option words preceded by a double dash.
       For example, you can use either -D or --domain.

       -D | --domain domain

           Specifies the default domain that you want to manage. The syntax
           is domain=type:/host_name/domain_name, where type is dns, ldap, or
           file; host_name is the name of the server; and domain_name is the
           name of the domain you want to manage.

           If you do not specify this option, the Solaris Management Console
           assumes the file default domain on whatever server you choose to
           manage, meaning that changes are local to the server. Toolboxes can
           change the domain on a tool-by-tool basis. This option specifies
           the domain for all other tools.

       -H | --hostname host_name:port

           Specifies the host_name and port to which you want to connect. If
           you do not specify a port, the system connects to the default port,
           898. If you do not specify host_name:port, the Solaris Management
           Console connects to the local host on port 898.

       -l | --rolepassword role_password

           Specifies the password for the role_name. If you specify a
           role_name but do not specify a role_password, the system prompts
           you to supply a role_password. Passwords specified on the command
           line can be seen by any user on the system, hence this option is
           considered insecure.

       -p | --password password

           Specifies the password for the user_name. If you do not specify a
           password, the system prompts you for one. Passwords specified on
           the command line can be seen by any user on the system, hence this
           option is considered insecure.

       -r | --rolename role_name

           Specifies a role name for authentication. If you do not specify
           this option, no role is assumed.

       -u | --username user_name

           Specifies the user name for authentication. If you do not specify
           this option, the user identity running the console process is
           assumed.

       --

           This option is required and must always follow the preceding
           options. If you do not enter the preceding options, you must still
           enter the -- option.

   subcommand_args
       Descriptions and other argument options that contain white space must
       be enclosed in double quotes.

       -h

           Displays the command's usage statement.

       -n zonename

           Specifies the zone name for the entry. This name is used when the
           zone is configured. See zonecfg(1M), under the -z zonename option,
           for the constraints on zone names. The specified zone name must be
           one of the configured zones on the system. The following command
           returns a list of configured zones:

             /usr/sbin/zoneadm list -c

       -l label

           Specifies the label for the zone. This field is used to label the
           zone when the zone is booted. Each zone must have a unique label.

       -x policymatch=0|1

           Specifies the policy match level for non-transport traffic. Only
           values of 0 (match the label) or 1 (be within the label range of
           the zone) are accepted.

           ICMP packets that are received on the global zone IP address are
           accepted based on the label range of the global zone's security
           template if the global zone's policymatch field is set to 1. When
           this field is set to 0 for a zone, the zone will not respond to an
           ICMP echo request from a host with a different label.

           This subcommand argument is optional. If not specified, it
           defaults to 0.

       -x mlpzone=""|port/protocol

           Specifies the multilevel port (MLP) configuration entry for
           zone-specific IP addresses. Multiple port/protocol combinations are
           separated by a semicolon. The empty string can be specified to
           remove all existing MLP zone values. This subcommand argument is
           optional.

           An MLP is used to provide multilevel service in the global zone as
           well as in non-global zones. As an example of how a non-global zone
           can use an MLP, consider setting up two labeled zones, internal and
           public. The internal zone can access company networks; the public
           zone can access the public Internet but not the company's internal
           networks. For safe browsing, when a user in the internal zone wants
           to browse the Internet, the internal zone browser forwards the URL
           to the public zone, and the web content is then displayed in a
           public zone web browser. That way, if a download in the public zone
           compromises the web browser, it cannot affect the company's
           internal network. To set this up, TCP port 8080 in the public zone
           is an MLP (8080/tcp), and the security template for the public zone
           has a label range from PUBLIC to INTERNAL.

       -x mlpshared=""|port/protocol

           Specifies the multilevel port configuration entry for shared IP
           addresses. Multiple port/protocol combinations are separated by a
           semicolon. The empty string can be specified to remove all existing
           MLP shared values. This subcommand argument is optional.

           A shared IP address can reduce the total number of IP addresses
           that are needed on the system, especially when configuring a large
           number of zones. Unlike the case of the zone-specific IP address,
           when MLPs are declared on shared IP addresses, only the global zone
           can receive the incoming network traffic that is destined for the
           MLP.

           o      One of the following sets of arguments must be specified for
                  subcommand add:

                    -n zonename -l label [-x policymatch=policy-match-level \
                    -x mlpzone=port/protocol;.... | \
                    -x mlpshared=port/protocol;.... ]
                    -h

           o      One of the following sets of arguments must be specified for
                  subcommand modify:

                    -n zonename [-l label] [-x policymatch=policy-match-level \
                    -x mlpzone=port/protocol;.... | \
                    -x mlpshared=port/protocol;.... ]
                    -h

           o      One of the following arguments must be specified for
                  subcommand delete:

                    -n zonename |
                    -h

           o      The following argument can be specified for subcommand list:

                    -n zonename |
                    -h

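       As an added example (not part of this manual page), the following
       POSIX sh pre-flight check validates "add" arguments against the
       constraints documented above (a configured zone name, policymatch 0 or
       1, semicolon-separated port/protocol MLP lists) and prints the command
       line it would run. The function names are assumptions, and the zone
       list is a constructed stand-in for the output of
       /usr/sbin/zoneadm list -c.

```sh
# Added pre-flight check for smtnzonecfg arguments (example, not from the man
# page): validates the documented argument shapes and prints the command line.
# valid_port_proto PORT/PROTO: PORT in 1..65535, PROTO is tcp or udp
valid_port_proto() {
    case "$1" in */*) ;; *) return 1 ;; esac
    port=${1%%/*}
    proto=${1#*/}
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    case "$proto" in tcp|udp) return 0 ;; *) return 1 ;; esac
}
# valid_mlp_spec SPEC: "" (clears all MLPs) or ;-separated PORT/PROTO items
valid_mlp_spec() {
    rest=$1
    while [ -n "$rest" ]; do
        item=${rest%%\;*}
        valid_port_proto "$item" || return 1
        case "$rest" in *\;*) rest=${rest#*\;} ;; *) rest= ;; esac
    done
    return 0
}
# valid_policymatch VALUE: only 0 (match label) and 1 (within label range)
valid_policymatch() {
    case "$1" in 0|1) return 0 ;; *) return 1 ;; esac
}
# zone_configured NAME ZONELIST: NAME must be a line of ZONELIST, the output of
# /usr/sbin/zoneadm list -c (passed as a string so the check runs anywhere)
zone_configured() {
    printf '%s\n' "$2" | grep -qxF -- "$1"
}
# build_add_cmd NAME LABEL POLICYMATCH MLPZONE MLPSHARED ZONELIST: prints the
# validated "smtnzonecfg add" line; MLP specs are quoted since ";" is special
build_add_cmd() {
    zone_configured "$1" "$6" || { echo "zone '$1' is not configured" >&2; return 1; }
    valid_policymatch "$3" || { echo "policymatch must be 0 or 1" >&2; return 1; }
    valid_mlp_spec "$4" || { echo "bad mlpzone spec '$4'" >&2; return 1; }
    valid_mlp_spec "$5" || { echo "bad mlpshared spec '$5'" >&2; return 1; }
    cmd="/usr/sadm/bin/smtnzonecfg add -- -n $1 -l $2 -x policymatch=$3"
    [ -n "$4" ] && cmd="$cmd -x \"mlpzone=$4\""
    [ -n "$5" ] && cmd="$cmd -x \"mlpshared=$5\""
    printf '%s\n' "$cmd"
}
# Constructed zone list standing in for zoneadm output; scenario: the "public"
# zone with the 8080/tcp MLP from the mlpzone description above.
ZONES='global
internal
public'
build_add_cmd public public 1 8080/tcp "" "$ZONES"
```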

EXAMPLES

       Example 1 Adding a New Entry to the Zone Configuration Database

       The admin role creates a new zone entry, public, with a label of
       public, a policy match level of 1, and a shared MLP of port 666 over
       TCP (666/tcp). The administrator is prompted for the admin password.

         $ /usr/sadm/bin/smtnzonecfg add -- -n public -l public \
         -x policymatch=1 -x mlpshared=666/tcp

       Example 2 Modifying an Entry in the Zone Configuration Database

       The admin role changes the label of the public entry in the tnzonecfg
       database to needtoknow. The administrator is prompted for the admin
       password.

         $ /usr/sadm/bin/smtnzonecfg modify -- -n public -l needtoknow

       Example 3 Listing the Zone Configuration Database

       The admin role lists the entries in the tnzonecfg database. The
       administrator is prompted for the admin password.

         $ /usr/sadm/bin/smtnzonecfg list --


EXIT STATUS

       The following exit values are returned:

       0    Successful completion.

       1    Invalid command syntax. A usage message is displayed.

       2    An error occurred while executing the command. An error message
            is displayed.


FILES

       The following files are used by the smtnzonecfg command:

       /etc/security/tsol/tnzonecfg

           Trusted zone configuration database.


ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWmgts                     │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │Committed                    │
       └─────────────────────────────┴─────────────────────────────┘


SEE ALSO

       smc(1M), attributes(5)


NOTES

       The functionality described on this manual page is available only if
       the system is configured with Trusted Extensions.

SunOS 5.11                        31 Oct 2007                  smtnzonecfg(1M)