smtnzonecfg


NAME
     smtnzonecfg - manage entries in the zone configuration data-
     base for Trusted Extensions networking

SYNOPSIS
     /usr/sadm/bin/smtnzonecfg subcommand [auth_args] -- [subcommand_args]


DESCRIPTION
     The smtnzonecfg command adds, modifies, deletes,  and  lists
     entries in the tnzonecfg database.


     smtnzonecfg subcommands are:

     add       Adds a new entry to the tnzonecfg database. To add
               an   entry,   the   administrator  must  have  the
               solaris.network.host.write                     and
               solaris.network.security.write authorizations.


     modify    Modifies an entry in the  tnzonecfg  database.  To
               modify  an  entry, the administrator must have the
               solaris.network.host.write                     and
               solaris.network.security.write authorizations.


     delete    Deletes an entry from the tnzonecfg  database.  To
               delete  an  entry, the administrator must have the
               solaris.network.host.write                     and
               solaris.network.security.write authorizations.


     list      Lists entries in the tnzonecfg database.  To  list
               an   entry,   the   administrator  must  have  the
               solaris.network.host.read                      and
               solaris.network.security.read authorizations.


OPTIONS
     The smtnzonecfg  authentication  arguments,  auth_args,  are
     derived  from  the smc argument set and are the same regard-
     less of which subcommand you use.  The  smtnzonecfg  command
     requires  the  Solaris  Management Console to be initialized
     for the command to succeed (see  smc(1M)).  After  rebooting
     the Solaris Management Console server, the first smc connec-
     tion can time out, so you might need to retry the command.


     The subcommand-specific options,  subcommand_args,  must  be
     preceded by the -- option.

  auth_args
     The valid auth_args are -D, -H, -l, -p, -r, and -u; they are
     all   optional.  If  no  auth_args  are  specified,  certain
     defaults will be assumed and the user can  be  prompted  for
     additional  information,  such as a password for authentica-
     tion purposes. These letter options can also be specified by
     their equivalent option words preceded by a double dash. For
     example, you can use either -D or --domain.

     -D | --domain domain

         Specifies the default domain that you  want  to  manage.
         The syntax is domain=type:/host_name/domain_name,  where
         type is dns, ldap, or file; host_name is the name of the
         server;  and  domain_name  is the name of the domain you
         want to manage.

         If you do not specify this option, the  Solaris  Manage-
         ment Console assumes the file default domain on whatever
         server you choose to manage, meaning  that  changes  are
         local  to the server. Toolboxes can change the domain on
         a tool-by-tool basis. This option specifies  the  domain
         for all other tools.


     -H | --hostname host_name:port

         Specifies the host_name and port to which  you  want  to
         connect.  If  you do not specify a port, the system con-
         nects to the default port, 898. If you  do  not  specify
         host_name:port,  the Solaris Management Console connects
         to the local host on port 898.


     -l | --rolepassword role_password

         Specifies the password for the role_name. If you specify
         a role_name but do not specify a role_password, the sys-
         tem prompts you to  supply  a  role_password.  Passwords
         specified on the command line can be seen by any user on
         the system, hence this option is considered insecure.


     -p | --password password

         Specifies the password for the user_name. If you do  not
         specify  a  password,  the  system  prompts you for one.
         Passwords specified on the command line can be  seen  by
         any  user on the system, hence this option is considered
         insecure.


     -r | --rolename role_name

         Specifies a role name for authentication. If you do  not
         specify this option, no role is assumed.


     -u | --username user_name

         Specifies the user name for authentication.  If  you  do
         not  specify  this option, the user identity running the
         console process is assumed.


     --

         This option is  required  and  must  always  follow  the
         preceding  options.  If  you  do not enter the preceding
         options, you must still enter the -- option.


  subcommand_args
     Descriptions and other argument options that  contain  white
     spaces must be enclosed in double quotes.

     -h

         Displays the command's usage statement.


     -n zonename

         Specifies the zone name for the entry. This name is used
         when  the zone is configured. See zonecfg(1M), under the
         -z zonename option, for the constraints on  zone  names.
         The  specified  zone  name must be one of the configured
         zones on the system. The  following  command  returns  a
         list of configured zones:

           /usr/sbin/zoneadm list -c




     -l label

         Specifies the label for the zone. This field is used  to
         label  the  zone when the zone is booted. Each zone must
         have a unique label.


     -x policymatch=0|1

         Specifies  the  policy  match  level  for  non-transport
         traffic.  Only  values  of  0 (match the label) or 1 (be
         within the label range of the zone) are accepted.

         ICMP packets that are received on  the  global  zone  IP
         address  are  accepted  based  on the label range of the
         global zone's security template  if  the  global  zone's
         policymatch field is set to 1. When this field is set to
         0 for a zone, the zone will not respond to an ICMP  echo
         request from a host with a different label.

         This subcommand argument is optional. If not  specified,
         it will have a default value of 0.


     -x mlpzone=""|port/protocol

         Specifies the multilevel port  configuration  entry  for
         zone-specific  IP addresses. Multiple port/protocol com-
         binations are  separated  by  a  semi-colon.  The  empty
         string  can be specified to remove all existing MLP zone
         values. This subcommand argument is optional.

         An MLP is used to provide multilevel service in the glo-
         bal  zone  as well as in non-global zones. As an example
         of how a non-global zone can use an MLP,  consider  set-
         ting  up  two  labeled  zones,  internal and public. The
         internal zone can access company  networks;  the  public
         zone  can  access  public internet but not the company's
         internal networks. For safe browsing, when a user in the
         internal zone wants to browse the Internet, the internal
         zone browser forwards the URL to the  public  zone,  and
         the  web  content is then displayed in a public zone web
         browser. That  way,  if  the  download  in  public  zone
         compromises  the  web  browser,  it  cannot  affect  the
         company's internal network. To set  this  up,  TCP  port
         8080  in  the  public zone is an MLP (8080/tcp), and the
         security template for the public zone has a label  range
         from PUBLIC to INTERNAL.


     -x mlpshared=""|port/protocol

         Specifies the multilevel port  configuration  entry  for
         shared IP addresses. Multiple port/protocol combinations
         are separated by a semi-colon. The empty string  can  be
         specified to remove all existing MLP shared values. This
         subcommand argument is optional.

         A shared IP address can reduce the total  number  of  IP
         addresses that are needed on the system, especially when
         configuring a large number of zones. Unlike the case  of
         the  zone-specific IP address, when MLPs are declared on
         shared IP addresses, only the global  zone  can  receive
         the  incoming  network  traffic that is destined for the
         MLP.


         o    One of the following  sets  of  arguments  must  be
              specified for subcommand add:

                -n zonename -l label [-x policymatch=policy-match-level \
                -x mlpzone=port/protocol;.... | \
                -x mlpshared=port/protocol;.... ]
                -h



         o    One of the following  sets  of  arguments  must  be
              specified for subcommand modify:

                -n zonename [-l label] [-x policymatch=policy-match-level \
                -x mlpzone=port/protocol;.... |\
                -x mlpshared=port/protocol;.... ]
                -h



         o    One of the following arguments  must  be  specified
              for subcommand delete:

                -n zonename |
                -h



         o    The following argument can be specified for subcom-
              mand list:

                -n zonename |
                -h


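The following shell functions are added here and are not part of the Solaris man page; they check the subcommand_args described above before calling smtnzonecfg add: policymatch must be 0 or 1, each MLP entry must be port/protocol (accepting only tcp and udp is this example's assumption), and the zone must appear in the output of /usr/sbin/zoneadm list -c. The function name smtnzonecfg_add and the SMTNZONECFG override variable are this example's own, not part of the tool.

```shell
# Added example, not part of the Solaris man page: pre-flight checks for
# the subcommand_args of smtnzonecfg add. Assumes POSIX sh; the smtnzonecfg
# and zoneadm paths are the ones the page gives.

# policymatch accepts only 0 (match the label) or 1 (within the zone's range).
valid_policymatch() {
    case "$1" in
        0|1) return 0 ;;
        *)   return 1 ;;
    esac
}

# An MLP list is "" (clears existing values) or port/protocol entries joined
# by semicolons. Accepting only tcp and udp is an assumption of this example.
valid_mlp_list() {
    [ -z "$1" ] && return 0
    (
        IFS=';'
        for entry in $1; do
            port=${entry%/*}; proto=${entry#*/}
            case "$port" in ''|*[!0-9]*) exit 1 ;; esac
            [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || exit 1
            case "$proto" in tcp|udp) ;; *) exit 1 ;; esac
        done
    )
}

# The zone must already be configured: $2 is the output of
# "/usr/sbin/zoneadm list -c", passed in so the check can run offline.
zone_in_list() {
    printf '%s\n' "$2" | grep -qxF -- "$1"
}

# Validate, then pass each value as one argument so a label with spaces or an
# MLP list containing ";" (a shell metacharacter) reaches the command intact.
# Authentication is left to the console prompt rather than -p/-l, whose
# command-line passwords the page says any user on the system can see.
# SMTNZONECFG is an override used only to test this example.
smtnzonecfg_add() {
    zone=$1 label=$2 pm=$3 mlpzone=$4 mlpshared=$5
    valid_policymatch "$pm"     || return 1
    valid_mlp_list "$mlpzone"   || return 1
    valid_mlp_list "$mlpshared" || return 1
    set -- -n "$zone" -l "$label" -x "policymatch=$pm"
    [ -n "$mlpzone" ]   && set -- "$@" -x "mlpzone=$mlpzone"
    [ -n "$mlpshared" ] && set -- "$@" -x "mlpshared=$mlpshared"
    "${SMTNZONECFG:-/usr/sadm/bin/smtnzonecfg}" add -- "$@"
}
```

Mirroring Example 1 below, a caller would run `zone_in_list public "$(/usr/sbin/zoneadm list -c)" && smtnzonecfg_add public public 1 '' 666/tcp` and supply the password at the console prompt.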

EXAMPLES
     Example 1 Adding a New Entry to the Zone Configuration Data-
     base


     The admin role creates a new  zone  entry,  public,  with  a
     label of public, a policy match level of 1, and a shared MLP
     port and protocol of  666  and  TCP.  The  administrator  is
     prompted for the admin password.

       $ /usr/sadm/bin/smtnzonecfg add -- -n public -l public \
       -x policymatch=1 -x mlpshared=666/tcp



     Example 2 Modifying an Entry in the Zone Configuration Data-
     base


     The admin role changes the label of the public entry in the
     tnzonecfg database to needtoknow. The administrator is
     prompted for the admin password.


       $ /usr/sadm/bin/smtnzonecfg modify -- -n public -l needtoknow



     Example 3 Listing the Zone Configuration Database


     The admin role lists the entries in the tnzonecfg  database.
     The administrator is prompted for the admin password.


       $ /usr/sadm/bin/smtnzonecfg list --



EXIT STATUS
     The following exit values are returned:

     0    Successful completion.


     1    Invalid command syntax. A usage message displays.


     2    An error occurred while executing the command. An error
          message displays.


FILES
     The following files are used by the smtnzonecfg command:

     /etc/security/tsol/tnzonecfg

         Trusted zone configuration database.


ATTRIBUTES

     See attributes(5) for descriptions of the  following  attri-
     butes:



     ____________________________________________________________
    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    |_____________________________|_____________________________|
    | Availability                | SUNWmgts                    |
    |_____________________________|_____________________________|
    | Interface Stability         | Committed                   |
    |_____________________________|_____________________________|


SEE ALSO
     smc(1M), attributes(5)

NOTES
     The functionality described on this manual page is available
     only if the system is configured with Trusted Extensions.


Man pages from Solaris 10 Update 8. See docs.sun.com and www.oracle.com for further documentation and Solaris information.