'\" te
.\" Copyright (c) 2007, Sun Microsystems, Inc. All Rights Reserved.
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License").  You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.  See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE.  If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH SMTNZONECFG 1M "Oct 31, 2007"
.SH NAME
smtnzonecfg \- manage entries in the zone configuration database for Trusted
Extensions networking
.SH SYNOPSIS
.LP
.nf
\fB/usr/sadm/bin/smtnzonecfg\fR \fIsubcommand\fR [\fIauth_args\fR] \fB--\fR [\fIsubcommand_args\fR]
.fi

.SH DESCRIPTION
.sp
.LP
The \fBsmtnzonecfg\fR command adds, modifies, deletes, and lists entries in the
\fBtnzonecfg\fR database.
.sp
.LP
\fBsmtnzonecfg\fR \fIsubcommand\fRs are:
.sp
.ne 2
.na
\fB\fBadd\fR\fR
.ad
.RS 10n
Adds a new entry to the \fBtnzonecfg\fR database. To add an entry, the
administrator must have the \fBsolaris.network.host.write\fR and
\fBsolaris.network.security.write\fR authorizations.
.RE

.sp
.ne 2
.na
\fB\fBmodify\fR\fR
.ad
.RS 10n
Modifies an entry in the \fBtnzonecfg\fR database. To modify an entry, the
administrator must have the \fBsolaris.network.host.write\fR and
\fBsolaris.network.security.write\fR authorizations.
.RE

.sp
.ne 2
.na
\fB\fBdelete\fR\fR
.ad
.RS 10n
Deletes an entry from the \fBtnzonecfg\fR database. To delete an entry, the
administrator must have the \fBsolaris.network.host.write\fR and
\fBsolaris.network.security.write\fR authorizations.
.RE

.sp
.ne 2
.na
\fB\fBlist\fR\fR
.ad
.RS 10n
Lists entries in the \fBtnzonecfg\fR database. To list an entry, the
administrator must have the \fBsolaris.network.host.read\fR and
\fBsolaris.network.security.read\fR authorizations.
.RE

.SH OPTIONS
.sp
.LP
The \fBsmtnzonecfg\fR authentication arguments, \fIauth_args\fR, are derived
from the \fBsmc\fR argument set and are the same regardless of which subcommand
you use. The \fBsmtnzonecfg\fR command requires the Solaris Management Console
to be initialized for the command to succeed (see \fBsmc\fR(1M)). After
rebooting the Solaris Management Console server, the first smc connection can
time out, so you might need to retry the command.
.sp
.LP
The subcommand-specific options, \fIsubcommand_args\fR, must be \fBpreceded\fR
by the \fB--\fR option.
.SS "\fIauth_args\fR"
.sp
.LP
The valid \fIauth_args\fR are \fB-D\fR, \fB-H\fR, \fB-l\fR, \fB-p\fR, \fB-r\fR,
and \fB-u\fR; they are all optional. If no \fIauth_args\fR are specified,
certain defaults will be assumed and the user can be prompted for additional
information, such as a password for authentication purposes. These letter
options can also be specified by their equivalent option words preceded by a
double dash. For example, you can use either \fB-D\fR or \fB--domain\fR.
.sp
.ne 2
.na
\fB\fB-D\fR | \fB--domain\fR \fIdomain\fR\fR
.ad
.sp .6
.RS 4n
Specifies the default domain that you want to manage. The syntax of
\fIdomain\fR=\fItype\fR:/\fIhost_name\fR/\fIdomain_name\fR, where \fItype\fR is
\fBdns\fR, \fBldap\fR, or \fBfile\fR; \fIhost_name\fR is the name of the
server; and \fIdomain_name\fR is the name of the domain you want to manage.
.sp
If you do not specify this option, the Solaris Management Console assumes the
\fBfile\fR default domain on whatever server you choose to manage, meaning that
changes are local to the server. Toolboxes can change the domain on a
tool-by-tool basis. This option specifies the domain for all other tools.
.RE

.sp
.ne 2
.na
\fB\fB-H\fR | \fB--hostname\fR \fIhost_name:port\fR\fR
.ad
.sp .6
.RS 4n
Specifies the \fIhost_name\fR and \fIport\fR to which you want to connect. If
you do not specify a \fIport\fR, the system connects to the default port,
\fB898\fR. If you do not specify \fIhost_name:port\fR, the Solaris Management
Console connects to the local host on port \fB898\fR.
.RE

.sp
.ne 2
.na
\fB\fB-l\fR | \fB--rolepassword\fR \fIrole_password\fR\fR
.ad
.sp .6
.RS 4n
Specifies the password for the \fIrole_name\fR. If you specify a
\fIrole_name\fR but do not specify a \fIrole_password\fR, the system prompts
you to supply a \fIrole_password\fR. Passwords specified on the command line
can be seen by any user on the system, hence this option is considered
insecure.
.RE

.sp
.ne 2
.na
\fB\fB-p\fR | \fB--password\fR \fIpassword\fR\fR
.ad
.sp .6
.RS 4n
Specifies the password for the \fIuser_name\fR. If you do not specify a
password, the system prompts you for one. Passwords specified on the command
line can be seen by any user on the system, hence this option is considered
insecure.
.RE

.sp
.ne 2
.na
\fB\fB-r\fR | \fB--rolename\fR \fIrole_name\fR\fR
.ad
.sp .6
.RS 4n
Specifies a role name for authentication. If you do not specify this option, no
role is assumed.
.RE

.sp
.ne 2
.na
\fB\fB-u\fR | \fB--username\fR \fIuser_name\fR\fR
.ad
.sp .6
.RS 4n
Specifies the user name for authentication. If you do not specify this option,
the user identity running the console process is assumed.
.RE

.sp
.ne 2
.na
\fB\fB--\fR\fR
.ad
.sp .6
.RS 4n
This option is required and must always follow the preceding options. If you do
not enter the preceding options, you must still enter the \fB--\fR option.
.RE

.SS "\fIsubcommand_args\fR"
.sp
.LP
Descriptions and other argument options that contain white spaces must be
enclosed in double quotes.
.sp
.ne 2
.na
\fB\fB-h\fR\fR
.ad
.sp .6
.RS 4n
Displays the command's usage statement.
.RE

.sp
.ne 2
.na
\fB\fB-n\fR \fIzonename\fR\fR
.ad
.sp .6
.RS 4n
Specifies the zone name for the entry. This name is used when the zone is
configured. See \fBzonecfg\fR(1M), under the \fB-z zonename\fR option, for the
constraints on zone names. The specified zone name must be one of the
configured zones on the system. The following command returns a list of
configured zones:
.sp
.in +2
.nf
/usr/sbin/zoneadm list -c
.fi
.in -2
.sp

.RE

.sp
.ne 2
.na
\fB\fB-l\fR \fIlabel\fR\fR
.ad
.sp .6
.RS 4n
Specifies the label for the zone. This field is used to label the zone when the
zone is booted. Each zone must have a unique label.
.RE

.sp
.ne 2
.na
\fB\fB-x policymatch\fR=\fB0\fR|\fB1\fR\fR
.ad
.sp .6
.RS 4n
Specifies the policy match level for non-transport traffic. Only values of
\fB0\fR (match the label) or \fB1\fR (be within the label range of the zone)
are accepted.
.sp
ICMP packets that are received on the global zone IP address are accepted based
on the label range of the global zone's security template if the global zone's
\fIpolicymatch\fR field is set to 1. When this field is set to 0 for a zone,
the zone will not respond to an ICMP echo request from a host with a different
label.
.sp
This subcommand argument is optional. If not specified, it will have a default
value of 0.
.RE

.sp
.ne 2
.na
\fB\fB-x mlpzone\fR=""|\fIport/protocol\fR\fR
.ad
.sp .6
.RS 4n
Specifies the multilevel port configuration entry for zone-specific IP
addresses. Multiple \fIport/protocol\fR combinations are separated by a
semi-colon. The empty string can be specified to remove all existing MLP zone
values. This subcommand argument is optional.
.sp
An MLP is used to provide multilevel service in the global zone as well as in
non-global zones. As an example of how a non-global zone can use an MLP,
consider setting up two labeled zones, \fBinternal\fR and \fBpublic\fR. The
\fBinternal\fR zone can access company networks; the \fBpublic\fR zone can
access public internet but not the company's internal networks. For safe
browsing, when a user in the \fBinternal\fR zone wants to browse the Internet,
the \fBinternal\fR zone browser forwards the URL to the \fBpublic\fR zone, and
the web content is then displayed in a \fBpublic\fR zone web browser. That way,
if the download in \fBpublic\fR zone compromises the web browser, it cannot
affect the company's internal network. To set this up, TCP port \fB8080\fR in
the \fBpublic\fR zone is an MLP (\fB8080/tcp\fR), and the security template for
the \fBpublic\fR zone has a label range from \fBPUBLIC\fR to \fBINTERNAL\fR.
.RE

.sp
.ne 2
.na
\fB\fB-x mlpshared\fR=""|\fIport/protocol\fR\fR
.ad
.sp .6
.RS 4n
Specifies the multilevel port configuration entry for shared IP addresses.
Multiple \fIport/protocol\fR combinations are separated by a semi-colon. The
empty string can be specified to remove all existing MLP shared values. This
subcommand argument is optional.
.sp
A shared IP address can reduce the total number of IP addresses that are needed
on the system, especially when configuring a large number of zones. Unlike the
case of the zone-specific IP address, when MLPs are declared on shared IP
addresses, only the global zone can receive the incoming network traffic that
is destined for the MLP.
.RE

.RS +4
.TP
.ie t \(bu
.el o
One of the following sets of arguments must be specified for subcommand
\fBadd\fR:
.sp
.in +2
.nf
\fB-n\fR \fIzonename\fR \fB-l\fR \fIlabel\fR [\fB-x\fR policymatch=\fIpolicy-match-level\fR \e
\fB-x\fR mlpzone=\fIport/protocol\fR;.... | \e
\fB-x\fR mlpshared=\fIport/protocol\fR;.... ]
\fB-h\fR
.fi
.in -2
.sp

.RE
.RS +4
.TP
.ie t \(bu
.el o
One of the following sets of arguments must be specified for subcommand
\fBmodify\fR:
.sp
.in +2
.nf
\fB-n\fR \fIzonename\fR [\fB-l\fR \fIlabel\fR] [\fB-x\fR policymatch=\fIpolicy-match-level\fR \e
\fB-x\fR mlpzone=\fIport/protocol\fR;.... |\e
\fB-x\fR mlpshared=\fIport/protocol\fR;.... ]
\fB-h\fR
.fi
.in -2
.sp

.RE
.RS +4
.TP
.ie t \(bu
.el o
One of the following arguments must be specified for subcommand \fBdelete\fR:
.sp
.in +2
.nf
\fB-n\fR \fIzonename\fR |
\fB-h\fR
.fi
.in -2
.sp

.RE
.RS +4
.TP
.ie t \(bu
.el o
The following argument can be specified for subcommand \fBlist\fR:
.sp
.in +2
.nf
\fB-n\fR \fIzonename\fR |
\fB-h\fR
.fi
.in -2
.sp

.RE
.SH EXAMPLES
.LP
\fBExample 1 \fRAdding a New Entry to the Zone Configuration Database
.sp
.LP
The admin role creates a new zone entry, \fBpublic\fR, with a label of
\fBpublic\fR, a policy match level of 1, and a shared MLP port and protocol of
666 and TCP. The administrator is prompted for the admin password.

.sp
.in +2
.nf
$ \fB/usr/sadm/bin/smtnzonecfg add -- -n public -l public \e
-x policymatch=1 -x mlpshared=666/tcp\fR
.fi
.in -2
.sp

.LP
\fBExample 2 \fRModifying an Entry in the Zone Configuration Database
.sp
.LP
The admin role changes the \fBpublic\fR entry in the \fBtnzonecfg\fR database
to \fBneedtoknow\fR. The administrator is prompted for the admin password.

.sp
.in +2
.nf
$ \fB/usr/sadm/bin/smtnzonecfg modify -- -n public -l needtoknow\fR
.fi
.in -2
.sp

.LP
\fBExample 3 \fRListing the Zone Configuration Database
.sp
.LP
The admin role lists the entries in the \fBtnzonecfg\fR database. The
administrator is prompted for the admin password.

.sp
.in +2
.nf
$ \fB/usr/sadm/bin/smtnzonecfg list --\fR
.fi
.in -2
.sp

.SH EXIT STATUS
.sp
.LP
The following exit values are returned:
.sp
.ne 2
.na
\fB\fB0\fR\fR
.ad
.RS 5n
Successful completion.
.RE

.sp
.ne 2
.na
\fB\fB1\fR\fR
.ad
.RS 5n
Invalid command syntax. A usage message displays.
.RE

.sp
.ne 2
.na
\fB\fB2\fR\fR
.ad
.RS 5n
An error occurred while executing the command. An error message displays.
.RE

.SH FILES
.sp
.LP
The following files are used by the \fBsmtnzonecfg\fR command:
.sp
.ne 2
.na
\fB\fB/etc/security/tsol/tnzonecfg\fR\fR
.ad
.sp .6
.RS 4n
Trusted zone configuration database.
.RE

.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp

.sp
.TS
box;
c | c
l | l .
ATTRIBUTE TYPE	ATTRIBUTE VALUE
_
Interface Stability	Committed
.TE

.SH SEE ALSO
.sp
.LP
\fBsmc\fR(1M), \fBattributes\fR(5)
.SH NOTES
.sp
.LP
The functionality described on this manual page is available only if the system
is configured with Trusted Extensions.