Solaris Trusted Extensions Developer's Guide

Configuring Trusted Networking

The restricted and webservice zones are assigned a private IP address in addition to the IP address that they already share. Each private IP address has a multilevel port configured and is associated with a restricted label set.

The following table shows the network configuration for each of the labeled zones.

Zone Name    Zone Label                  Local IP Address  Host Name   Multilevel Port  Security Label Set
restricted   CONFIDENTIAL : RESTRICTED   10.4.5.6          proxy       8080/tcp         PUBLIC
webservice   WEB GUARD SERVICE           10.1.2.3          webservice  80/tcp           CONFIDENTIAL : RESTRICTED
webcontent   WEB GUARD CONTENT           None

First, you must create the new zones. You can clone an existing zone, such as the public zone. After these zones are created, use the zonecfg command to add a network (with the address specified in the table) and your local interface name.

For example, the following command associates the 10.4.5.6 IP address and the bge0 interface with the restricted zone:


# zonecfg -z restricted
add net
set address=10.4.5.6
set physical=bge0
end
exit

After you specify the IP address and network interface for each labeled zone, you use the Solaris Management Console to configure the remaining values in the table. When using this tool, make sure that you select the tool box with Scope=Files and Policy=TSOL.

Follow these steps to finish the zone configuration:

  1. Start the Solaris Management Console as superuser.

    # smc &

  2. From the Navigation panel, select This Computer, and then click the System Configuration icon.

  3. Click the Computers and Network icon.

  4. Click the Computers icon, and then choose Add Computer from the Action menu.

  5. Add the host names and IP addresses for the proxy host and the webservice host.

  6. From the Navigation panel, select Trusted Network Zones.

    You might need to expand the columns. If the zone names do not appear in the list, choose Add Zone Configuration from the Action menu.

  7. Assign each zone its label and specify the appropriate port and protocol in the MLP Configuration for Local IP Addresses field.

  8. From the Navigation panel, click the Security Families icon and choose Add Template from the Action menu.

    Add templates for the proxy host name and the webservices host name based on the information in the table.

    1. Specify the corresponding host name for the template name.

    2. Specify CIPSO in the Host Type field.

    3. Specify the corresponding zone label in the Minimum Label and Maximum Label fields.

    4. Specify the corresponding security label in the Security Label Set field.

    5. Click the Hosts Explicitly Assigned tab.

    6. In the Add an Entry section, add the corresponding local IP address to each template.

  9. Exit the Solaris Management Console.

After you exit the Solaris Management Console, start or restart the affected zones. In the global zone, add a route to each new address through the shared IP address, where shared-IP-addr is the IP address that the zones already share.


# route add proxy shared-IP-addr
# route add webservice shared-IP-addr
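Before entering the table into the Solaris Management Console, it is worth checking that the plan is internally consistent: every private IP address carries a host name, a multilevel port and a label set, and each Security Families template repeats the zone label as minimum and maximum, the label set, and the local IP address under Hosts Explicitly Assigned. The following Python script is an added example, not part of the Developer's Guide; it encodes the table above, derives the templates the procedure has you create, reports any mismatch, and emits the zonecfg command file (for zonecfg -z zone -f file) and the global-zone routes from the procedure. The interface name and the shared IP address passed to it are assumptions.

```python
# Added example: consistency check for the trusted-network plan in the table.
ZONES = [  # zone, zone label, local IP, host name, MLP, security label set
    ("restricted", "CONFIDENTIAL : RESTRICTED", "10.4.5.6", "proxy", "8080/tcp", "PUBLIC"),
    ("webservice", "WEB GUARD SERVICE", "10.1.2.3", "webservice", "80/tcp", "CONFIDENTIAL : RESTRICTED"),
    ("webcontent", "WEB GUARD CONTENT", None, None, None, None),
]

def templates_for(zones):
    """Per-host template as entered under Security Families > Add Template."""
    return {host: {"host_type": "cipso", "min_sl": label, "max_sl": label,
                   "sl_set": sls, "hosts": [ip]}
            for _, label, ip, host, _, sls in zones if ip}

def check(zones, templates):
    """Return a list of problems; an empty list means the plan follows the procedure."""
    problems = []
    for zone, label, ip, host, mlp, sls in zones:
        if ip is None:  # zones without a private address (webcontent) get no MLP or template
            if any((host, mlp, sls)):
                problems.append(f"{zone}: host name, MLP or label set without a local IP")
            continue
        if not (host and mlp and sls):
            problems.append(f"{zone}: private IP {ip} needs a host name, an MLP and a label set")
            continue
        t = templates.get(host)
        if t is None:
            problems.append(f"{host}: no Security Families template")
            continue
        if t["host_type"] != "cipso" or t["min_sl"] != label or t["max_sl"] != label:
            problems.append(f"{host}: host type or min/max label does not match zone {zone}")
        if t["sl_set"] != sls:
            problems.append(f"{host}: Security Label Set differs from the MLP label set")
        if ip not in t["hosts"]:
            problems.append(f"{host}: {ip} is not under Hosts Explicitly Assigned")
    return problems

def zonecfg_script(ip, iface):
    """Command file equivalent to the interactive zonecfg session shown earlier."""
    return f"add net\nset address={ip}\nset physical={iface}\nend\n"

def route_cmds(zones, shared_ip):
    """Global-zone routes from the end of the procedure, one per private address."""
    return [f"route add {host} {shared_ip}" for _, _, ip, host, _, _ in zones if ip]

if __name__ == "__main__":
    print(check(ZONES, templates_for(ZONES)) or "plan is consistent")
    print(zonecfg_script("10.4.5.6", "bge0"))           # bge0 is an assumed interface
    print("\n".join(route_cmds(ZONES, "192.0.2.10")))   # 192.0.2.10 is an assumed shared IP
```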