smtnzonecfg(1M) 					  System Administration Commands					   smtnzonecfg(1M)

NAME

       smtnzonecfg - manage entries in the zone configuration database for Trusted Extensions networking

SYNOPSIS

       /usr/sadm/bin/smtnzonecfg subcommand [auth_args] -- [subcommand_args]

DESCRIPTION

       The smtnzonecfg command adds, modifies, deletes, and lists entries in the tnzonecfg database.

       smtnzonecfg subcommands are:

       add	 Adds  a  new  entry  to  the  tnzonecfg database. To add an entry, the administrator must have the solaris.network.host.write and
		 solaris.network.security.write authorizations.

       modify	 Modifies an entry in the tnzonecfg database. To modify an entry, the administrator must have the  solaris.network.host.write  and
		 solaris.network.security.write authorizations.

       delete	 Deletes  an entry from the tnzonecfg database. To delete an entry, the administrator must have the solaris.network.host.write and
		 solaris.network.security.write authorizations.

       list	 Lists entries in the tnzonecfg database. To list  an  entry,  the  administrator  must  have  the  solaris.network.host.read  and
		 solaris.network.security.read authorizations.

OPTIONS

       The  smtnzonecfg authentication arguments, auth_args, are derived from the smc argument set and are the same regardless of which subcommand
       you use. The smtnzonecfg command requires the Solaris Management Console to be initialized for the command to succeed (see smc(1M)).  After
       rebooting the Solaris Management Console server, the first smc connection can time out, so you might need to retry the command.

       The subcommand-specific options, subcommand_args, must be preceded by the -- option.

   auth_args
       The  valid auth_args are -D, -H, -l, -p, -r, and -u; they are all optional. If no auth_args are specified, certain defaults will be assumed
       and the user can be prompted for additional information, such as a password for authentication purposes. These letter options can  also	be
       specified by their equivalent option words preceded by a double dash. For example, you can use either -D or --domain.

       -D | --domain domain

	   Specifies  the  default  domain  that you want to manage. The syntax of domain=type:/host_name/domain_name, where type is dns, ldap, or
	   file; host_name is the name of the server; and domain_name is the name of the domain you want to manage.

	   If you do not specify this option, the Solaris Management Console assumes the file default domain on whatever server you choose to man-
	   age,  meaning  that changes are local to the server. Toolboxes can change the domain on a tool-by-tool basis. This option specifies the
	   domain for all other tools.

       -H | --hostname host_name:port

	   Specifies the host_name and port to which you want to connect. If you do not specify a port, the system connects to the  default  port,
	   898. If you do not specify host_name:port, the Solaris Management Console connects to the local host on port 898.

       -l | --rolepassword role_password

	   Specifies the password for the role_name. If you specify a role_name but do not specify a role_password, the system prompts you to sup-
	   ply a role_password. Passwords specified on the command line can be seen by any user on the system, hence  this  option  is	considered
	   insecure.

       -p | --password password

	   Specifies  the password for the user_name. If you do not specify a password, the system prompts you for one. Passwords specified on the
	   command line can be seen by any user on the system, hence this option is considered insecure.

       -r | --rolename role_name

	   Specifies a role name for authentication. If you do not specify this option, no role is assumed.

       -u | --username user_name

	   Specifies the user name for authentication. If you do not specify this option,  the	user  identity	running  the  console  process	is
	   assumed.

       --

	   This  option  is required and must always follow the preceding options. If you do not enter the preceding options, you must still enter
	   the -- option.

   subcommand_args
       Descriptions and other argument options that contain white spaces must be enclosed in double quotes.

       -h

	   Displays the command's usage statement.

       -n zonename

	   Specifies the zone name for the entry. This name is used when the zone is configured. See zonecfg(1M), under the  -z  zonename  option,
	   for	the  constraints  on  zone names. The specified zone name must be one of the configured zones on the system. The following command
	   returns a list of configured zones:

	     /usr/sbin/zoneadm list -c

       -l label

	   Specifies the label for the zone. This field is used to label the zone when the zone is booted. Each zone must have a unique label.

       -x policymatch=0|1

	   Specifies the policy match level for non-transport traffic. Only values of 0 (match the label) or 1 (be within the label range  of  the
	   zone) are accepted.

	   ICMP  packets  that are received on the global zone IP address are accepted based on the label range of the global zone's security tem-
	   plate if the global zone's policymatch field is set to 1. When this field is set to 0 for a zone, the zone will not respond to an  ICMP
	   echo request from a host with a different label.

	   This subcommand argument is optional. If not specified, it will have a default value of 0.

       -x mlpzone=""|port/protocol

	   Specifies  the multilevel port configuration entry for zone-specific IP addresses. Multiple port/protocol combinations are separated by
	   a semi-colon. The empty string can be specified to remove all existing MLP zone values. This subcommand argument is optional.

	   An MLP is used to provide multilevel service in the global zone as well as in non-global zones. As an example of how a non-global  zone
	   can	use  an MLP, consider setting up two labeled zones, internal and public. The internal zone can access company networks; the public
	   zone can access public internet but not the company's internal networks. For safe browsing, when a user in the internal zone  wants	to
	   browse  the	Internet, the internal zone browser forwards the URL to the public zone, and the web content is then displayed in a public
	   zone web browser. That way, if the download in public zone compromises the web browser, it cannot affect the  company's  internal  net-
	   work.  To set this up, TCP port 8080 in the public zone is an MLP (8080/tcp), and the security template for the public zone has a label
	   range from PUBLIC to INTERNAL.

       -x mlpshared=""|port/protocol

	   Specifies the multilevel port configuration entry for shared IP addresses. Multiple port/protocol combinations are separated by a semi-
	   colon. The empty string can be specified to remove all existing MLP shared values. This subcommand argument is optional.

	   A shared IP address can reduce the total number of IP addresses that are needed on the system, especially when configuring a large num-
	   ber of zones. Unlike the case of the zone-specific IP address, when MLPs are declared on shared IP addresses, only the global zone  can
	   receive the incoming network traffic that is destined for the MLP.

	   o	  One of the following sets of arguments must be specified for subcommand add:

		    -n zonename -l label [-x policymatch=policy-match-level 
		    -x mlpzone=port/protocol;.... | 
		    -x mlpshared=port/protocol;.... ]
		    -h

	   o	  One of the following sets of arguments must be specified for subcommand modify:

		    -n zonename [-l label] [-x policymatch=policy-match-level 
		    -x mlpzone=port/protocol;.... |
		    -x mlpshared=port/protocol;.... ]
		    -h

	   o	  One of the following arguments must be specified for subcommand delete:

		    -n zonename |
		    -h

	   o	  The following argument can be specified for subcommand list:

		    -n zonename |
		    -h

EXAMPLES

       Example 1 Adding a New Entry to the Zone Configuration Database

       The  admin  role creates a new zone entry, public, with a label of public, a policy match level of 1, and a shared MLP port and protocol of
       666 and TCP. The administrator is prompted for the admin password.

	 $ /usr/sadm/bin/smtnzonecfg add -- -n public -l public 
	 -x policymatch=1 -x mlpshared=666/tcp

       Example 2 Modifying an Entry in the Zone Configuration Database

       The admin role changes the public entry in the tnzonecfg database to needtoknow. The administrator is prompted for the admin password.

	 $ /usr/sadm/bin/smtnzonecfg modify -- -n public -l needtoknow

       Example 3 Listing the Zone Configuration Database

       The admin role lists the entries in the tnzonecfg database. The administrator is prompted for the admin password.

	 $ /usr/sadm/bin/smtnzonecfg list --

EXIT STATUS

       The following exit values are returned:

       0    Successful completion.

       1    Invalid command syntax. A usage message displays.

       2    An error occurred while executing the command. An error message displays.

FILES

       The following files are used by the smtnzonecfg command:

       /etc/security/tsol/tnzonecfg

	   Trusted zone configuration database.

ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       +-----------------------------+-----------------------------+
       |      ATTRIBUTE TYPE	     |	    ATTRIBUTE VALUE	   |
       +-----------------------------+-----------------------------+
       |Availability		     |SUNWmgts			   |
       +-----------------------------+-----------------------------+
       |Interface Stability	     |Committed 		   |
       +-----------------------------+-----------------------------+

SEE ALSO

       smc(1M), attributes(5)

NOTES

       The functionality described on this manual page is available only if the system is configured with Trusted Extensions.

SunOS 5.11							    31 Oct 2007 						   smtnzonecfg(1M)