Appendix A
Solaris Trusted Extensions
Note - There are several ways to configure Solaris Trusted Extensions. The configurations provided here for reference have been tested but are not meant to represent all possibilities.
The latest, detailed instructions for installation and configuration of Solaris Trusted Extensions can be found on docs.sun.com/app/docs/coll/175.9.
Note - Before beginning installation, please see Solaris Trusted Extensions Patch Requirements.
For Solaris Trusted Extensions, each system should have a minimum of 1 GB of RAM, although 500 MB will work. Naturally, newer-model systems with sufficient capacity will provide faster installation.
To Install Solaris Trusted Extensions
1. Install Solaris Trusted Extensions packages.
Install the required packages from the ExtraValue directory for the appropriate platform.
2. Run the Java wizard from the ExtraValue directory and make sure that all the following packages are installed.
To Configure a Shared Physical Interface
1. Verify that the /etc/hosts file has the following entry:
2. Use the Solaris Management Console (SMC) Security Templates to assign the cipso template to this hostname.
a. Start the Solaris Management Console (SMC).
b. Make the following selections:
i. In the SMC, select Management Tools
->Select hostname:Scope=Files, Policy=TSOL.
ii. Select System Configuration->Computers and Networks
->Security Templates->cipso.
iii. From the menu bar, select Action->Properties
->Hosts Assigned to Template.
iv. Select Host and enter the IP Address of the Sun Ray server.
v. Click Add to assign the cipso template to this host.
vi. Click OK to confirm the changes.
3. Verify that /etc/security/tsol/tnrhdb file has the following entries:
4. From the Application Manager->Trusted Extensions folder, run the Share Physical Interface action.
5. Verify that the /etc/hostname.<interface_name> file has the following entries:
To Configure One IP Address Per Zone
If you have an IP address for every labeled zone, follow this example procedure, which shows how to configure a zone called public. Repeat the procedure for all zones.
1. Configure an interface for each zone.
a. Update the /etc/hosts file.
If you have a separate IP address for every labeled zone, add this IP address and a corresponding hostname to the /etc/hosts file. Use a standard naming convention, such as adding <zone-name> to the hostname:
b. Update the /etc/hostname.<interface> file as follows:
c. Update the /etc/netmasks file as follows:
2. As above, use the Solaris Management Console (SMC) Security Templates to assign the cipso template.
a. Start the Solaris Management Console (SMC).
b. Make the following selections:
i. In the SMC, select Management Tools
->Select hostname:Scope=Files, Policy=TSOL.
ii. Select System Configuration->Computers and Networks
->Security Templates->cipso.
iii. From the menu bar, select Action->Properties
->Hosts Assigned to Template.
iv. Select Host and enter the IP Address of the Sun Ray host.
v. Click Add to assign the cipso template to this host.
vi. Click OK to confirm the changes.
vii. Select System Configuration -> Computers and Networks
->Security Templates -> zone_specific_template.
In this example, the zone_specific_template is named public.
viii. From the menu bar, select Action -> Properties
-> Hosts Assigned to Template.
ix. Select Wildcard, and enter the IP Address.
For example, IP Address 10.6.132.0
xi. Click OK to confirm the changes.
The /etc/security/tsol/tnrhdb file should now contain the following entries:
3. Assign an IP address to each zone.
After you have completed the procedures in Creating Zones below, repeat the following steps for each zone you have created:
zonecfg -z public
zonecfg:public> add net
zonecfg:public:net> set physical=bge1
zonecfg:public:net> set address=10.6.132.112/24
zonecfg:public:net> end
zonecfg:public> commit
zonecfg:public> exit
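A consistency check for the per-zone entries described above, added here as an example and not taken from the guide: it cross-checks a constructed zone table against constructed /etc/hosts and tnrhdb samples, and emits the zonecfg command file equivalent to the interactive session. It assumes the tnrhdb "address:template" line format, that each zone's security template carries the zone's name (as in the public example), and interface bge1.

```shell
#!/bin/sh
# Added example, not from the Sun Ray guide. Cross-checks a zone table against
# /etc/hosts and tnrhdb-style content, then emits the zonecfg commands for a zone.
# Assumptions: tnrhdb lines are "address:template" and each zone's template is
# named after the zone (public -> public). Sample files are constructed so the
# script runs offline; interface bge1 is assumed.
set -u
WORK=$(mktemp -d)
# Constructed zone table: name label address/prefix
cat >"$WORK/zones" <<'EOF'
public PUBLIC 10.6.132.112/24
internal INTERNAL 10.6.132.113/24
EOF

# Constructed /etc/hosts: the internal zone's address is deliberately missing
cat >"$WORK/hosts" <<'EOF'
127.0.0.1 localhost
10.6.132.100 sunray-server loghost
10.6.132.112 sunray-server-public
EOF

# Constructed tnrhdb: cipso for the server, wildcard 10.6.132.0 for public only
cat >"$WORK/tnrhdb" <<'EOF'
10.6.132.100:cipso
10.6.132.0:public
EOF

# check_zone NAME ADDR/PREFIX: prints each problem, returns the problem count.
# An address with neither a host nor a wildcard entry for its template gets the
# default template, so its traffic would not carry the zone's label.
check_zone() {
  name=$1; addr=${2%/*}; net=${addr%.*}.0; problems=0
  grep -q "^$addr[[:space:]]" "$WORK/hosts" \
    || { echo "hosts: no entry for $addr ($name)"; problems=$((problems + 1)); }
  grep -q "^$addr:$name\$" "$WORK/tnrhdb" || grep -q "^$net:$name\$" "$WORK/tnrhdb" \
    || { echo "tnrhdb: $addr not assigned template $name"; problems=$((problems + 1)); }
  return $problems
}

# zonecfg_script NAME ADDR/PREFIX IFACE: command file for "zonecfg -z NAME -f file"
zonecfg_script() {
  printf 'add net\nset physical=%s\nset address=%s\nend\ncommit\n' "$3" "$2"
}
# check_all: runs check_zone over the whole table, returns the total problem count
check_all() {
  total=0
  while read -r name _label addr; do
    check_zone "$name" "$addr"; total=$((total + $?))
  done <"$WORK/zones"
  return $total
}
```

Run the check before committing each zonecfg session; a non-zero return from check_all means at least one zone address is missing from /etc/hosts or is not assigned its own template.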
You can either create zones one by one or create a sample zone to serve as a template from which to clone other zones. The second method is more efficient.
In these instructions, the following zones are created:
To Specify Zone Names and Zone Labels
1. From the Application Manager -> Trusted Extensions folder, run the Configure Zone action.
When the action prompts you for a name, give the zone the same name as the zone’s label. For example, the name of a zone whose label is PUBLIC would be public.
2. Repeat the Configure Zone action for every zone.
For example, the default label_encodings file contains the following labels:
3. For each zone, associate the appropriate label with a zone name.
a. In the SMC GUI, under Management Tools
-> Select hostname:Scope=Files, Policy=TSOL option.
b. Select System Configuration -> Computers and Networks
-> Trusted Network Zones.
c. Select Action -> Add Zone Configuration Menu.
The dialog box displays the name of a zone that does not have an assigned label. Look at the zone name before clicking Edit.
d. In the Label builder, click the appropriate label for the zone name.
e. Click OK in the label builder and then OK in the Trusted Network Zone.
4. Repeat these steps for every zone.
To Create Security Templates
1. In the SMC GUI, under Management Tools
-> Select hostname:Scope=Files, Policy=TSOL option.
2. Select System Configuration -> Computers and Networks
-> Security Templates.
3. From the menu bar, Select Action -> Add Template.
4. Under Host Type, select Edit... and in the Label builder click the appropriate label for the template and click OK.
For the default configuration, Security Templates can be created for the following labels:
5. Provide a Template Name and click OK.
To Create Zones One by One
1. From the Application Manager->Trusted Extensions folder, run the Install Zone action.
2. Enter the labeled zone’s name, for example, public.
Wait for a completion message before proceeding.
3. Monitor the zone being configured.
From the Application Manager->Trusted Extensions folder, run the Zone Terminal Console to monitor the configuring.
a. From the Application Manager->Trusted Extensions folder, run Start Zone.
b. Provide the host name of the labeled zone, for example, public.
As the zone is started, information is displayed in the Zone Terminal Console.
c. Provide the same hostname as mentioned in the /etc/hosts file.
5. Repeat these steps for the remaining zones.
To Clone Zones
1. Create a ZFS pool (zpool) from a disk device.
A single zpool will be used for all labeled zones.
2. Create a new file system for the zone.
For instance, for the public zone:
a. From the Application Manager->Trusted Extensions folder, run the Install Zone action.
b. Enter the labeled zone’s name, for example, public.
Wait for a completion message before proceeding (about five minutes).
4. Monitor the zone being configured.
From the Application Manager->Trusted Extensions folder, run the Zone Terminal Console to monitor the configuration process.
a. From the Application Manager->Trusted Extensions folder, run Start Zone, and provide the host name, for example, public, of the labeled zone.
b. As the zone is started, information is displayed in the Zone Terminal Console.
6. Provide the same hostname as mentioned in the /etc/hosts file.
a. View the public zone’s Console window to verify that the zone has been completely started.
b. If it has been started, shut down the zone by typing the following in the Console:
9. Through the global zone (that is, in a Terminal window), type:
10. Create a ZFS snapshot of the public zone.
11. Clone the remaining zones.
a. From the Application Manager->Trusted Extensions folder, run the Clone Zone action.
b. Provide the zone being cloned and the ZFS snapshot, for example:
Copyright © 2007, Sun Microsystems, Inc. All Rights Reserved.