System Administration Commands smtnzonecfg(1M)
NAME
smtnzonecfg - manage entries in the zone configuration data-
base for Trusted Extensions networkingSYNOPSIS
/usr/sadm/bin/smtnzonecfg subcommand [auth_args] -- [subcommand_args]
DESCRIPTION
The smtnzonecfg command adds, modifies, deletes, and lists
entries in the tnzonecfg database.smtnzonecfg subcommands are:
add Adds a new entry to the tnzonecfg database. To add an entry, the administrator must have the solaris.network.host.write and solaris.network.security.write authorizations. modify Modifies an entry in the tnzonecfg database. To modify an entry, the administrator must have the solaris.network.host.write and solaris.network.security.write authorizations. delete Deletes an entry from the tnzonecfg database. To delete an entry, the administrator must have the solaris.network.host.write and solaris.network.security.write authorizations. list Lists entries in the tnzonecfg database. To list an entry, the administrator must have the solaris.network.host.read and solaris.network.security.read authorizations. OPTIONSThe smtnzonecfg authentication arguments, auth_args, are
derived from the smc argument set and are the same regard-
less of which subcommand you use. The smtnzonecfg command
requires the Solaris Management Console to be initialized for the command to succeed (see smc(1M)). After rebootingthe Solaris Management Console server, the first smc connec-
tion can time out, so you might need to retry the command.The subcommand-specific options, subcommand_args, must be
preceded by the -- option.
SunOS 5.11 Last change: 31 Oct 2007 1
System Administration Commands smtnzonecfg(1M)
auth_args
The valid auth_args are -D, -H, -l, -p, -r, and -u; they are
all optional. If no auth_args are specified, certain
defaults will be assumed and the user can be prompted foradditional information, such as a password for authentica-
tion purposes. These letter options can also be specified by their equivalent option words preceded by a double dash. Forexample, you can use either -D or --domain.
-D | --domain domain
Specifies the default domain that you want to manage.The syntax of domain=type:/host_name/domain_name, where
type is dns, ldap, or file; host_name is the name of the
server; and domain_name is the name of the domain you
want to manage.If you do not specify this option, the Solaris Manage-
ment Console assumes the file default domain on whatever server you choose to manage, meaning that changes are local to the server. Toolboxes can change the domain ona tool-by-tool basis. This option specifies the domain
for all other tools.-H | --hostname host_name:port
Specifies the host_name and port to which you want to
connect. If you do not specify a port, the system con-
nects to the default port, 898. If you do not specifyhost_name:port, the Solaris Management Console connects
to the local host on port 898.-l | --rolepassword role_password
Specifies the password for the role_name. If you specify
a role_name but do not specify a role_password, the sys-
tem prompts you to supply a role_password. Passwords
specified on the command line can be seen by any user on the system, hence this option is considered insecure.-p | --password password
Specifies the password for the user_name. If you do not
specify a password, the system prompts you for one. Passwords specified on the command line can be seen by any user on the system, hence this option is considered insecure.SunOS 5.11 Last change: 31 Oct 2007 2
System Administration Commands smtnzonecfg(1M)
-r | --rolename role_name
Specifies a role name for authentication. If you do not specify this option, no role is assumed.-u | --username user_name
Specifies the user name for authentication. If you do not specify this option, the user identity running the console process is assumed.--
This option is required and must always follow the preceding options. If you do not enter the precedingoptions, you must still enter the -- option.
subcommand_args
Descriptions and other argument options that contain white spaces must be enclosed in double quotes.-h
Displays the command's usage statement.-n zonename
Specifies the zone name for the entry. This name is used when the zone is configured. See zonecfg(1M), under the-z zonename option, for the constraints on zone names.
The specified zone name must be one of the configured zones on the system. The following command returns a list of configured zones:/usr/sbin/zoneadm list -c
-l label
Specifies the label for the zone. This field is used to label the zone when the zone is booted. Each zone must have a unique label.-x policymatch=0|1
SunOS 5.11 Last change: 31 Oct 2007 3
System Administration Commands smtnzonecfg(1M)
Specifies the policy match level for non-transport
traffic. Only values of 0 (match the label) or 1 (be within the label range of the zone) are accepted. ICMP packets that are received on the global zone IP address are accepted based on the label range of the global zone's security template if the global zone's policymatch field is set to 1. When this field is set to 0 for a zone, the zone will not respond to an ICMP echo request from a host with a different label. This subcommand argument is optional. If not specified, it will have a default value of 0.-x mlpzone=""|port/protocol
Specifies the multilevel port configuration entry forzone-specific IP addresses. Multiple port/protocol com-
binations are separated by a semi-colon. The empty
string can be specified to remove all existing MLP zone values. This subcommand argument is optional.An MLP is used to provide multilevel service in the glo-
bal zone as well as in non-global zones. As an example
of how a non-global zone can use an MLP, consider set-
ting up two labeled zones, internal and public. The internal zone can access company networks; the public zone can access public internet but not the company's internal networks. For safe browsing, when a user in the internal zone wants to browse the Internet, the internal zone browser forwards the URL to the public zone, and the web content is then displayed in a public zone web browser. That way, if the download in public zone compromises the web browser, it cannot affect the company's internal network. To set this up, TCP port 8080 in the public zone is an MLP (8080/tcp), and the security template for the public zone has a label range from PUBLIC to INTERNAL.-x mlpshared=""|port/protocol
Specifies the multilevel port configuration entry for shared IP addresses. Multiple port/protocol combinationsare separated by a semi-colon. The empty string can be
specified to remove all existing MLP shared values. This subcommand argument is optional. A shared IP address can reduce the total number of IP addresses that are needed on the system, especially when configuring a large number of zones. Unlike the case ofSunOS 5.11 Last change: 31 Oct 2007 4
System Administration Commands smtnzonecfg(1M)
the zone-specific IP address, when MLPs are declared on
shared IP addresses, only the global zone can receive the incoming network traffic that is destined for the MLP. o One of the following sets of arguments must be specified for subcommand add:-n zonename -l label [-x policymatch=policy-match-level \
-x mlpzone=port/protocol;.... | \
-x mlpshared=port/protocol;.... ]
-h
o One of the following sets of arguments must be specified for subcommand modify:-n zonename [-l label] [-x policymatch=policy-match-level \
-x mlpzone=port/protocol;.... |\
-x mlpshared=port/protocol;.... ]
-h
o One of the following arguments must be specified for subcommand delete:-n zonename |
-h
o The following argument can be specified for subcom-
mand list:-n zonename |
-h
EXAMPLES
Example 1 Adding a New Entry to the Zone Configuration Data-
base The admin role creates a new zone entry, public, with a label of public, a policy match level of 1, and a shared MLP port and protocol of 666 and TCP. The administrator is prompted for the admin password.SunOS 5.11 Last change: 31 Oct 2007 5
System Administration Commands smtnzonecfg(1M)
$ /usr/sadm/bin/smtnzonecfg add -- -n public -l public \
-x policymatch=1 -x mlpshared=666/tcp
Example 2 Modifying an Entry in the Zone Configuration Data-
base The admin role changes the public entry in the tnzonecfg database to needtoknow. The administrator is prompted for the admin password.$ /usr/sadm/bin/smtnzonecfg modify -- -n public -l needtoknow
Example 3 Listing the Zone Configuration Database The admin role lists the entries in the tnzonecfg database. The administrator is prompted for the admin password.$ /usr/sadm/bin/smtnzonecfg list --
EXIT STATUS The following exit values are returned: 0 Successful completion. 1 Invalid command syntax. A usage message displays. 2 An error occurred while executing the command. An error message displays. FILESThe following files are used by the smtnzonecfg command:
/etc/security/tsol/tnzonecfg Trusted zone configuration database.ATTRIBUTES
SunOS 5.11 Last change: 31 Oct 2007 6
System Administration Commands smtnzonecfg(1M)
See attributes(5) for descriptions of the following attri-
butes:____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Availability | SUNWmgts ||_____________________________|_____________________________|
| Interface Stability | Committed ||_____________________________|_____________________________|
SEE ALSO
smc(1M), attributes(5) NOTES The functionality described on this manual page is available only if the system is configured with Trusted Extensions.SunOS 5.11 Last change: 31 Oct 2007 7