smtnzonecfg(1M)          System Administration Commands         smtnzonecfg(1M)

NAME
       smtnzonecfg - manage entries in the zone configuration database for
       Trusted Extensions networking

SYNOPSIS
       /usr/sadm/bin/smtnzonecfg subcommand [auth_args] -- [subcommand_args]

DESCRIPTION
       The smtnzonecfg command adds, modifies, deletes, and lists entries in
       the tnzonecfg database.

       smtnzonecfg subcommands are:

       add       Adds a new entry to the tnzonecfg database. To add an entry,
                 the administrator must have the solaris.network.host.write
                 and solaris.network.security.write authorizations.

       modify    Modifies an entry in the tnzonecfg database. To modify an
                 entry, the administrator must have the
                 solaris.network.host.write and
                 solaris.network.security.write authorizations.

       delete    Deletes an entry from the tnzonecfg database. To delete an
                 entry, the administrator must have the
                 solaris.network.host.write and
                 solaris.network.security.write authorizations.

       list      Lists entries in the tnzonecfg database. To list an entry,
                 the administrator must have the solaris.network.host.read
                 and solaris.network.security.read authorizations.

OPTIONS
       The smtnzonecfg authentication arguments, auth_args, are derived from
       the smc argument set and are the same regardless of which subcommand
       you use. The smtnzonecfg command requires the Solaris Management
       Console to be initialized for the command to succeed (see smc(1M)).
       After rebooting the Solaris Management Console server, the first smc
       connection can time out, so you might need to retry the command.

       The subcommand-specific options, subcommand_args, must be preceded by
       the -- option.

   auth_args
       The valid auth_args are -D, -H, -l, -p, -r, and -u; they are all
       optional. If no auth_args are specified, certain defaults are assumed
       and the user can be prompted for additional information, such as a
       password for authentication purposes. These letter options can also
       be specified by their equivalent option words preceded by a double
       dash. For example, you can use either -D or --domain.

       -D | --domain domain

           Specifies the default domain that you want to manage. The syntax
           of domain is type:/host_name/domain_name, where type is dns,
           ldap, or file; host_name is the name of the server; and
           domain_name is the name of the domain you want to manage.

           If you do not specify this option, the Solaris Management Console
           assumes the file default domain on whatever server you choose to
           manage, meaning that changes are local to the server. Toolboxes
           can change the domain on a tool-by-tool basis. This option
           specifies the domain for all other tools.

       -H | --hostname host_name:port

           Specifies the host_name and port to which you want to connect. If
           you do not specify a port, the system connects to the default
           port, 898. If you do not specify host_name:port, the Solaris
           Management Console connects to the local host on port 898.

       -l | --rolepassword role_password

           Specifies the password for the role_name. If you specify a
           role_name but do not specify a role_password, the system prompts
           you to supply a role_password. Passwords specified on the command
           line can be seen by any user on the system, hence this option is
           considered insecure.

       -p | --password password

           Specifies the password for the user_name. If you do not specify a
           password, the system prompts you for one. Passwords specified on
           the command line can be seen by any user on the system, hence
           this option is considered insecure.

       -r | --rolename role_name

           Specifies a role name for authentication. If you do not specify
           this option, no role is assumed.

       -u | --username user_name

           Specifies the user name for authentication. If you do not specify
           this option, the user identity running the console process is
           assumed.

       --

           This option is required and must always follow the preceding
           options. If you do not enter the preceding options, you must
           still enter the -- option.

   subcommand_args
       Descriptions and other argument options that contain white space must
       be enclosed in double quotes.

       -h

           Displays the command's usage statement.

       -n zonename

           Specifies the zone name for the entry. This name is used when the
           zone is configured. See zonecfg(1M), under the -z zonename option,
           for the constraints on zone names. The specified zone name must be
           one of the configured zones on the system. The following command
           returns a list of configured zones:

             /usr/sbin/zoneadm list -c

       -l label

           Specifies the label for the zone. This field is used to label the
           zone when the zone is booted. Each zone must have a unique label.

       -x policymatch=0|1

           Specifies the policy match level for non-transport traffic. Only
           values of 0 (match the label) or 1 (be within the label range of
           the zone) are accepted.

           ICMP packets that are received on the global zone IP address are
           accepted based on the label range of the global zone's security
           template if the global zone's policymatch field is set to 1. When
           this field is set to 0 for a zone, the zone does not respond to an
           ICMP echo request from a host with a different label.

           This subcommand argument is optional. If not specified, it
           defaults to 0.

       -x mlpzone=""|port/protocol

           Specifies the multilevel port (MLP) configuration entry for
           zone-specific IP addresses. Multiple port/protocol combinations
           are separated by a semicolon. The empty string can be specified
           to remove all existing MLP zone values. This subcommand argument
           is optional.

           An MLP is used to provide multilevel service in the global zone as
           well as in non-global zones. As an example of how a non-global
           zone can use an MLP, consider setting up two labeled zones,
           internal and public. The internal zone can access company
           networks; the public zone can access the public Internet but not
           the company's internal networks. For safe browsing, when a user in
           the internal zone wants to browse the Internet, the internal zone
           browser forwards the URL to the public zone, and the web content
           is then displayed in a public zone web browser. That way, if a
           download in the public zone compromises the web browser, it cannot
           affect the company's internal network. To set this up, TCP port
           8080 in the public zone is an MLP (8080/tcp), and the security
           template for the public zone has a label range from PUBLIC to
           INTERNAL.

       -x mlpshared=""|port/protocol

           Specifies the multilevel port configuration entry for shared IP
           addresses. Multiple port/protocol combinations are separated by a
           semicolon. The empty string can be specified to remove all
           existing MLP shared values. This subcommand argument is optional.

           A shared IP address can reduce the total number of IP addresses
           that are needed on the system, especially when configuring a large
           number of zones. Unlike the case of the zone-specific IP address,
           when MLPs are declared on shared IP addresses, only the global zone
           can receive the incoming network traffic that is destined for the
           MLP.

       o  One of the following sets of arguments must be specified for
          subcommand add:

            -n zonename -l label [-x policymatch=policy-match-level \
                -x mlpzone=port/protocol;.... | \
                -x mlpshared=port/protocol;.... ]
            -h

       o  One of the following sets of arguments must be specified for
          subcommand modify:

            -n zonename [-l label] [-x policymatch=policy-match-level \
                -x mlpzone=port/protocol;.... | \
                -x mlpshared=port/protocol;.... ]
            -h

       o  One of the following arguments must be specified for subcommand
          delete:

            -n zonename |
            -h

       o  The following argument can be specified for subcommand list:

            -n zonename |
            -h

EXAMPLES
       Example 1 Adding a New Entry to the Zone Configuration Database

       The admin role creates a new zone entry, public, with a label of
       public, a policy match level of 1, and a shared MLP port and protocol
       of 666 and TCP. The administrator is prompted for the admin password.

         $ /usr/sadm/bin/smtnzonecfg add -- -n public -l public \
             -x policymatch=1 -x mlpshared=666/tcp

       Example 2 Modifying an Entry in the Zone Configuration Database

       The admin role changes the label of the public entry in the tnzonecfg
       database to needtoknow. The administrator is prompted for the admin
       password.

         $ /usr/sadm/bin/smtnzonecfg modify -- -n public -l needtoknow

       Example 3 Listing the Zone Configuration Database

       The admin role lists the entries in the tnzonecfg database. The
       administrator is prompted for the admin password.

         $ /usr/sadm/bin/smtnzonecfg list --

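       As an added example that is not part of this manual page, the
       following POSIX shell script checks the subcommand_args described
       under OPTIONS (zone name against the configured zones, policymatch
       in {0,1}, the port/protocol;... MLP syntax) before assembling the add
       command for the internal/public safe-browsing scenario given under
       -x mlpzone. The zone list is constructed inline in place of
       /usr/sbin/zoneadm list -c so it runs on a system without Trusted
       Extensions; the function names and the choice of policymatch=1 for
       the public zone are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not from smtnzonecfg(1M). Validates subcommand_args
# before smtnzonecfg is invoked; ZONE_LIST is a constructed stand-in
# for the output of `/usr/sbin/zoneadm list -c`.
ZONE_LIST="global
internal
public"

# zone_configured NAME: succeed only if NAME is a configured zone.
zone_configured() {
    printf '%s\n' "$ZONE_LIST" | grep -Fqx -- "$1"
}

# policymatch_ok VALUE: the page accepts only 0 or 1.
policymatch_ok() {
    case $1 in 0|1) return 0 ;; *) return 1 ;; esac
}

# mlp_spec_ok SPEC: "" (clears all MLPs) or port/proto[;port/proto...]
# with proto tcp|udp and port 1..65535; rejects "8080", "/tcp", "0/tcp".
mlp_spec_ok() {
    [ -z "$1" ] && return 0
    _ifs=$IFS; IFS=';'; _rc=0
    for _item in $1; do
        _port=${_item%%/*}; _proto=${_item#*/}
        case $_proto in tcp|udp) ;; *) _rc=1 ;; esac
        case $_port in ''|*[!0-9]*) _rc=1 ;; esac
        if [ "$_rc" -eq 0 ] && { [ "$_port" -lt 1 ] || [ "$_port" -gt 65535 ]; }; then
            _rc=1
        fi
    done
    IFS=$_ifs
    return "$_rc"
}

# build_add_cmd ZONE LABEL POLICYMATCH MLPZONE: print the add command
# line or fail with a message. No -p/-l auth_args are added: the page
# notes command-line passwords are visible to every user on the system,
# so smtnzonecfg is left to prompt for them.
build_add_cmd() {
    zone_configured "$1" || { echo "not a configured zone: $1" >&2; return 1; }
    policymatch_ok "$3" || { echo "policymatch must be 0 or 1: $3" >&2; return 1; }
    mlp_spec_ok "$4" || { echo "bad mlpzone spec: $4" >&2; return 1; }
    printf '/usr/sadm/bin/smtnzonecfg add -- -n %s -l %s -x policymatch=%s -x mlpzone="%s"\n' \
        "$1" "$2" "$3" "$4"
}

# Safe-browsing scenario from -x mlpzone: the public zone offers 8080/tcp
# as an MLP so the internal zone's browser can hand it URLs.
build_add_cmd public public 1 8080/tcp
```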
EXIT STATUS
       The following exit values are returned:

       0    Successful completion.

       1    Invalid command syntax. A usage message displays.

       2    An error occurred while executing the command. An error message
            displays.

FILES
       The following files are used by the smtnzonecfg command:

       /etc/security/tsol/tnzonecfg

           Trusted zone configuration database.

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │       ATTRIBUTE TYPE        │       ATTRIBUTE VALUE       │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWmgts                     │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │Committed                    │
       └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
       smc(1M), attributes(5)

NOTES
       The functionality described on this manual page is available only if
       the system is configured with Trusted Extensions.

SunOS 5.11                       31 Oct 2007                   smtnzonecfg(1M)