| Skip Navigation Links | |
| Exit Print View | |
|
Solaris Trusted Extensions Reference Manual |
- manage entries in the zone configuration database for Trusted Extensions networking
/usr/sadm/bin/smtnzonecfg subcommand [auth_args] -- [subcommand_args]
The smtnzonecfg command adds, modifies, deletes, and lists entries in the tnzonecfg database.
smtnzonecfg subcommands are:
Adds a new entry to the tnzonecfg database. To add an entry, the administrator must have the solaris.network.host.write and solaris.network.security.write authorizations.
Modifies an entry in the tnzonecfg database. To modify an entry, the administrator must have the solaris.network.host.write and solaris.network.security.write authorizations.
Deletes an entry from the tnzonecfg database. To delete an entry, the administrator must have the solaris.network.host.write and solaris.network.security.write authorizations.
Lists entries in the tnzonecfg database. To list an entry, the administrator must have the solaris.network.host.read and solaris.network.security.read authorizations.
The smtnzonecfg authentication arguments, auth_args, are derived from the smc arg set and are the same regardless of which subcommand you use. The smtnzonecfg command requires the Solaris Management Console to be initialized for the command to succeed (see smc(1M)). After rebooting the Solaris Management Console server, the first smc connection can time out, so you might need to retry the command.
The subcommand-specific options, subcommand_args, must be preceded by the -- option.
The valid auth_args are -D, -H, -l, -p, -r, and -u; they are all optional. If no auth_args are specified, certain defaults will be assumed and the user can be prompted for additional information, such as a password for authentication purposes. These letter options can also be specified by their equivalent option words preceded by a double dash. For example, you can use either -D or --domain.
Specifies the default domain that you want to manage. The syntax of domain=type:/host_name/domain_name, where type is dns, ldap, or file; host_name is the name of the server; and domain_name is the name of the domain you want to manage.
If you do not specify this option, the Solaris Management Console assumes the file default domain on whatever server you choose to manage, meaning that changes are local to the server. Toolboxes can change the domain on a tool-by-tool basis. This option specifies the domain for all other tools.
Specifies the host_name and port to which you want to connect. If you do not specify a port, the system connects to the default port, 898. If you do not specify host_name:port, the Solaris Management Console connects to the local host on port 898.
Specifies the password for the role_name. If you specify a role_name but do not specify a role_password, the system prompts you to supply a role_password. Passwords specified on the command line can be seen by any user on the system, hence this option is considered insecure.
Specifies the password for the user_name. If you do not specify a password, the system prompts you for one. Passwords specified on the command line can be seen by any user on the system, hence this option is considered insecure.
Specifies a role name for authentication. If you do not specify this option, no role is assumed.
Specifies the user name for authentication. If you do not specify this option, the user identity running the console process is assumed.
This option is required and must always follow the preceding options. If you do not enter the preceding options, you must still enter the -- option.
Note: Descriptions and other arg options that contain white spaces must be enclosed in double quotes.
Displays the command's usage statement.
Specifies the zone name for the entry. This name is used when the zone is configured. zonename is case-sensitive. The specified zone name must be one of the configured zones on the system. The following command returns a list of configured zones:
/usr/sbin/zoneadm list -c
Specifies the label for the zone. This field is used to label the zone when the zone is booted.
Specifies the policy match level for non-transport traffic. Only values of 0 (match the label) or 1 (be within the label range of the zone) are accepted. See tnzonecfg(4) for more detail. This subcommand argument is optional. If not specified, it will have a default value of 0.
Specifies the multilevel port configuration entry for zone-specific IP addresses. Multiple port/protocol combinations are separated by a semi-colon. The empty string can be specified to remove all existing MLP zone values. This subcommand argument is optional.
Specifies the multilevel port configuration entry for shared IP addresses. Multiple port/protocol combinations are separated by a semi-colon. The empty string can be specified to remove all existing MLP shared values. This subcommand argument is optional.
One of the following sets of arguments must be specified for subcommand add:
-n zonename -l label [-x policymatch=policy-match-level \ -x mlpzone=port/protocol;.... | -x mlpshared=port/protocol;.... ] -h
One of the following sets of arguments must be specified for subcommand modify:
-n zonename [-l label] [-x policymatch=policy-match-level \ -x mlpzone=port/protocol;.... | -x mlpshared=port/protocol;.... ] -h
One of the following arguments must be specified for subcommand delete:
-n zonename | -h
The following argument can be specified for subcommand list:
-n zonename | -h
Example 1 Adding a New Entry to the Zone Configuration Database
The admin role creates a new zone entry, public, with a label of public, a policy match level of 1, and a shared MLP port and protocol of 666 and TCP. The administrator is prompted for the admin password.
$ /usr/sadm/bin/smtnzonecfg add -- -n public -l public \ -x policymatch=1 -x mlpshared=666/tcp
Example 2 Modifying an Entry in the Zone Configuration Database
The admin role changes the public entry in the tnzonecfg database to needtoknow. The administrator is prompted for the admin password.
$ /usr/sadm/bin/smtnzonecfg modify -- -n public -l needtoknow
Example 3 Listing the Zone Configuration Database
The admin role lists the entries in the tnzonecfg database. The administrator is prompted for the admin password.
$ /usr/sadm/bin/smtnzonecfg list --
The following exit values are returned:
Successful completion.
Invalid command syntax. A usage message displays.
An error occurred while executing the command. An error message displays.
The following files are used by the smtnzonecfg command:
Trusted zone configuration database. See tnzonecfg(4).
See attributes(5) for descriptions of the following attributes:
|
|