APPENDIX B

Solaris Trusted Extensions


Note - There are several ways to configure Solaris Trusted Extensions. The configurations provided here for reference have been tested but are not meant to represent all possibilities. The latest, detailed instructions for installing and configuring Solaris Trusted Extensions can be found at docs.sun.com/app/docs/coll/175.9.



Installation and Configuration



Note - Before beginning installation, please see Solaris Trusted Extensions Patch Requirements and Creating Zones.


For Solaris Trusted Extensions, each system should have a minimum of 1 GB of RAM, although 500 MB will work. Naturally, newer-model systems with sufficient capacity will provide faster installation.


To Enable Solaris Trusted Extensions

Use the svcadm command to enable Solaris Trusted Extensions:


# svcadm enable -s labeld


To Configure a Shared Physical Interface

1. Verify that the /etc/hosts file has the following entry:


x.x.x.x     hostname

2. Use the Solaris Management Console (SMC) Security Templates to assign the cipso template to this hostname.

a. Start the Solaris Management Console (SMC).


# smc &

b. Make the following selections:

i. In the SMC, select Management Tools->Select hostname:Scope=Files, Policy=TSOL.

ii. Select System Configuration->Computers and Networks->Security Templates->cipso.

iii. From the menu bar, select Action->Properties->Hosts Assigned to Template.

iv. Select Host and enter the IP Address of the Sun Ray server.

v. Click Add to assign the cipso template to this host.

vi. Click OK to confirm the changes.

3. Verify that the /etc/security/tsol/tnrhdb file has the following entry:


x.x.x.x:cipso

4. From the CDE Workspace Menu, go to Applications->Application Manager->Trusted Extensions, and run the Share Physical Interface action.

5. Verify that the /etc/hostname.<interface_name> file has the following entry:


hostname   all-zones

6. Reboot the system.


# /usr/sbin/reboot

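The tnrhdb entries verified in step 3 above (and the wildcard network entry used in the one-address-per-zone procedure that follows) are matched with a fallback: an exact host entry wins, otherwise the network entry with trailing zero octets applies, and 0.0.0.0 catches everything else. The following POSIX shell script is an added example, not part of the manual or of Solaris, that reproduces that lookup over a constructed tnrhdb so the assignments can be checked from a script instead of by eye. TNRHDB_DATA, tnrhdb_lookup and tnrhdb_check are names chosen here; the 0.0.0.0:admin_low line is a constructed catch-all entry, and the public line deliberately carries a trailing space to show that such whitespace is tolerated.

```shell
#!/bin/sh
# Added example (not from the manual): tnrhdb template lookup with fallback.
# TNRHDB_DATA is constructed sample content; on a real host a practitioner
# could set it with TNRHDB_DATA=$(cat /etc/security/tsol/tnrhdb) instead.
TNRHDB_DATA=$(printf '%s\n' \
    '# constructed sample, not a live file' \
    '10.6.132.111:cipso' \
    '10.6.132.112:cipso' \
    '10.6.132.0:public ' \
    '0.0.0.0:admin_low')

# Print the template assigned to an IPv4 address. Candidates are tried in
# fallback order: exact host, then a.b.c.0, a.b.0.0, a.0.0.0, finally 0.0.0.0.
# Returns 1 and prints nothing if no entry matches.
tnrhdb_lookup() {
    ip=$1
    # Split the dotted quad with parameter expansion (no subshells needed).
    a=${ip%%.*}; rest=${ip#*.}
    b=${rest%%.*}; rest=${rest#*.}
    c=${rest%%.*}; d=${rest#*.}
    for cand in "$a.$b.$c.$d" "$a.$b.$c.0" "$a.$b.0.0" "$a.0.0.0" 0.0.0.0; do
        # Skip comment and blank lines; strip trailing whitespace from the
        # template name so '10.6.132.0:public ' still reads as public.
        tmpl=$(printf '%s\n' "$TNRHDB_DATA" | awk -F: -v h="$cand" '
            /^#/ || NF < 2 { next }
            $1 == h { sub(/[ \t]+$/, "", $2); print $2; exit }')
        if [ -n "$tmpl" ]; then
            printf '%s\n' "$tmpl"
            return 0
        fi
    done
    return 1
}

# Read "address expected-template" pairs from stdin and compare each with
# the lookup result. Prints every mismatch; returns 0 only if all match.
tnrhdb_check() {
    rc=0
    while read -r addr want; do
        got=$(tnrhdb_lookup "$addr") || got='(none)'
        if [ "$got" != "$want" ]; then
            printf 'MISMATCH %s: expected %s, got %s\n' "$addr" "$want" "$got"
            rc=1
        fi
    done
    return $rc
}

# Demonstration on the constructed data: a host not listed explicitly falls
# back to the 10.6.132.0 wildcard, so this prints "public".
tnrhdb_lookup 10.6.132.50
```

Feeding tnrhdb_check the expected pairs for the Sun Ray server and the zone subnet gives a quick regression check after editing templates in the SMC, since a host that silently falls through to the 0.0.0.0 entry gets a different label than intended.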

To Configure One IP Address Per Zone

If you have an IP address for every labeled zone, follow this example procedure, which shows how to configure a zone called public. Repeat the procedure for all zones.

1. Configure an interface for each zone.

a. Update the /etc/hosts file.

If you have a separate IP address for every labeled zone, add this IP address and a corresponding hostname to the /etc/hosts file. Use a standard naming convention, such as adding <zone-name> to the hostname:


10.6.132.111 srsstx-132
10.6.132.112 srsstx-132-zone_name 

b. Update the /etc/hostname.<interface> file as follows:


srsstx-132

c. Update the /etc/netmasks file as follows:


10.6.132.0 255.255.255.0

2. Assign a network template.

As above, use the Solaris Management Console (SMC) Security Templates to assign the cipso template.

a. Start the Solaris Management Console (SMC).


# smc &

b. Make the following selections:

i. In the SMC, select Management Tools->Select hostname:Scope=Files, Policy=TSOL.

ii. Select System Configuration->Computers and Networks->Security Templates->cipso.

iii. From the menu bar, select Action->Properties->Hosts Assigned to Template.

iv. Select Host and enter the IP Address of the Sun Ray host.

v. Click Add to assign the cipso template to this host.

vi. Click OK to confirm the changes.

vii. Select System Configuration->Computers and Networks->Security Templates->zone_specific_template.

In this example, the zone_specific_template is named public.

viii. From the menu bar, select Action->Properties->Hosts Assigned to Template.

ix. Select Wildcard, and enter the IP Address.

For example, the IP address 10.6.132.0.

x. Click Add.

xi. Click OK to confirm the changes.

The /etc/security/tsol/tnrhdb file should now contain the following entries:


10.6.132.111:cipso
10.6.132.112:cipso
10.6.132.0:public 

3. Assign an IP address to each zone.

After you have completed the procedures in Creating Zones below, repeat the following steps for each zone you have created:


# zonecfg -z public
zonecfg:public> add net
zonecfg:public:net> set physical=bge1
zonecfg:public:net> set address=10.6.132.112/24
zonecfg:public:net> end
zonecfg:public> commit
zonecfg:public> exit

4. Verify the results.


# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        zone public
        inet 127.0.0.1 netmask ff000000
bge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 10.6.133.156 netmask ffffff00 broadcast 10.6.133.255
        ether 0:3:ba:27:f0:8b
bge1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 10.6.132.111 netmask ffffff00 broadcast 10.6.132.255
        ether 0:3:ba:27:f0:8c
bge1:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        zone public
        inet 10.6.132.112 netmask ffffff00 broadcast 10.6.132.255

5. Reboot the system:


# /usr/sbin/reboot

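Step 4 of the procedure above verifies the per-zone addresses by reading ifconfig -a output by eye. The following POSIX shell script is an added example, not from the manual or from Solaris, that parses output of that shape into a table of logical interface, zone and address, and then checks that each labeled zone's address sits on the same subnet as the global zone's address on the same physical interface, by comparing the broadcast addresses ifconfig derives from the netmask. IFCONFIG_SAMPLE is a constructed copy of the output shown in step 4; zone_table, zone_address and check_zone_subnets are names chosen here.

```shell
#!/bin/sh
# Added example (not from the manual): parse `ifconfig -a` output from a
# Trusted Extensions host and check zone address placement.
# IFCONFIG_SAMPLE is constructed to match the output shape shown in step 4.
IFCONFIG_SAMPLE='lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        zone public
        inet 127.0.0.1 netmask ff000000
bge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 10.6.133.156 netmask ffffff00 broadcast 10.6.133.255
        ether 0:3:ba:27:f0:8b
bge1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 10.6.132.111 netmask ffffff00 broadcast 10.6.132.255
        ether 0:3:ba:27:f0:8c
bge1:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        zone public
        inet 10.6.132.112 netmask ffffff00 broadcast 10.6.132.255'

# Read ifconfig output on stdin and emit one line per logical interface:
# "<interface> <zone> <inet address> <broadcast or ->". A logical interface
# with no "zone" line belongs to the global zone.
zone_table() {
    awk '
        function emit() { if (iface != "") print iface, zone, addr, bcast }
        # Header lines start in column 0 ("bge1:1: flags=..."); detail lines
        # are indented, so a leading letter marks a new logical interface.
        /^[a-zA-Z]/ { emit(); iface = $1; sub(/:$/, "", iface)
                      zone = "global"; addr = "-"; bcast = "-"; next }
        $1 == "zone" { zone = $2; next }
        $1 == "inet" { addr = $2
                       for (i = 3; i < NF; i++) if ($i == "broadcast") bcast = $(i + 1)
                       next }
        END { emit() }'
}

# Address of zone $1 on physical interface $2, read from ifconfig output on
# stdin; prints nothing if the zone has no address on that interface.
zone_address() {
    zone_table | awk -v z="$1" -v p="$2" '
        $2 == z && ($1 == p || index($1, p ":") == 1) { print $3; exit }'
}

# For every labeled-zone address, compare its broadcast address with that of
# the global zone on the same physical interface. A different broadcast
# means the zone address is not on the interface subnet (or the netmask is
# wrong). Prints offenders and returns 1 if any are found.
check_zone_subnets() {
    zone_table | awk '
        { phys = $1; sub(/:.*/, "", phys) }
        $2 == "global" { gbcast[phys] = $4 }
        $2 != "global" && $4 != "-" { zbcast[$1] = $4; zphys[$1] = phys; zname[$1] = $2 }
        END {
            bad = 0
            for (i in zbcast)
                if (zbcast[i] != gbcast[zphys[i]]) {
                    printf "zone %s on %s: broadcast %s differs from %s (%s)\n",
                        zname[i], i, zbcast[i], zphys[i], gbcast[zphys[i]]
                    bad = 1
                }
            exit bad
        }'
}

# Demonstration on the constructed sample: print the table, then the check.
printf '%s\n' "$IFCONFIG_SAMPLE" | zone_table
printf '%s\n' "$IFCONFIG_SAMPLE" | check_zone_subnets && echo "zone subnets OK"
```

On a live system the functions read real output directly, for example ifconfig -a | check_zone_subnets, which turns the visual check in step 4 into something that can run after every reboot.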

Creating Zones

You can either create zones one by one or create a sample zone to serve as a template from which to clone other zones. The second method is more efficient.

In these instructions, the following zones are created:


To Specify Zone Names and Zone Labels

1. From the Application Manager -> Trusted Extensions folder, run the Configure Zone action.

When the action prompts you for a name, give the zone the same name as the zone’s label. For example, the name of a zone whose label is PUBLIC would be public.

2. Repeat the Configure Zone action for every zone.

For example, the default label_encodings file contains the following labels:


PUBLIC
CONFIDENTIAL: INTERNAL USE ONLY
CONFIDENTIAL: NEED TO KNOW
CONFIDENTIAL: RESTRICTED

3. For each zone, associate the appropriate label with a zone name.

a. In the SMC GUI, under Management Tools, select the hostname:Scope=Files, Policy=TSOL option.

b. Select System Configuration->Computers and Networks->Trusted Network Zones.

c. Select Action -> Add Zone Configuration Menu.

The dialog box displays the name of a zone that does not have an assigned label. Look at the zone name before clicking Edit.

d. In the Label builder, click the appropriate label for the zone name.

e. Click OK in the label builder and then OK in the Trusted Network Zone.

4. Repeat these steps for every zone.


To Create Security Templates

1. In the SMC GUI, under Management Tools, select the hostname:Scope=Files, Policy=TSOL option.

2. Select System Configuration->Computers and Networks->Security Templates.

3. From the menu bar, Select Action -> Add Template.

4. Under Host Type, select Edit..., click the appropriate label for the template in the Label builder, and click OK.

For the default configuration, Security Templates can be created for the following labels:


PUBLIC
CONFIDENTIAL: INTERNAL USE ONLY
CONFIDENTIAL: NEED TO KNOW
CONFIDENTIAL: RESTRICTED

5. Provide a Template Name and click OK.


To Create Zones One by One

1. Install Zones.

From the Application Manager->Trusted Extensions folder, run the Install Zone action.

2. Enter the labeled zone’s name, for example, public.

Wait for a completion message before proceeding.

3. Monitor the zone being configured.

From the Application Manager->Trusted Extensions folder, run the Zone Terminal Console to monitor the configuration process.

4. Start the zone.

a. From the Application Manager->Trusted Extensions folder, run Start Zone.

b. Provide the host name of the labeled zone, for example, public.

As the zone is started, information is displayed in the Zone Terminal Console.

c. Provide the same hostname as mentioned in the /etc/hosts file.

5. Repeat these steps for the remaining zones.


To Clone Zones

1. Create a ZFS pool (zpool) from a disk device.

A single zpool will be used for all labeled zones.


# zpool create -f zone /dev/dsk/c0t0d0s5

2. Create a new file system for the zone.

For instance, for the public zone:


# zfs create zone/public
# chmod 0700 /zone/public

3. Install the first zone.

a. From the Application Manager->Trusted Extensions folder, run the Install Zone action.

b. Enter the labeled zone’s name, for example, public.

Wait for a completion message before proceeding (about five minutes).

4. Monitor the zone being configured.

From the Application Manager->Trusted Extensions folder, run the Zone Terminal Console to monitor the configuration process.

5. Start the zone.

a. From the Application Manager->Trusted Extensions folder, run Start Zone, and provide the host name, for example, public, of the labeled zone.

b. As the zone is started, information is displayed in the Zone Terminal Console.

6. Provide the same hostname as mentioned in the /etc/hosts file.

7. Shut down the zone.

a. View the public zone’s Console window to verify that the zone has been completely started.

b. If it has been started, shut down the zone by typing the following in the Console:


# init 0

8. Exit the Console.

9. Through the global zone (that is, in a Terminal window), type:


# rm /zone/public/root/etc/auto_home_public

10. Create a ZFS snapshot of the public zone.


# zfs snapshot zone/public@snapshot

11. Clone the remaining zones.

a. From the Application Manager->Trusted Extensions folder, run the Clone Zone action.

b. Provide the zone being cloned and the ZFS snapshot, for example:


Enter Zone Name: internal
ZFS Snapshot: zone/public@snapshot

12. Reboot the system:


# /usr/sbin/reboot