Go to main content

Trusted Extensions Configuration and Administration

Exit Print View

Updated: March 2019
 
 

How to Create a Multilevel Port for a Zone

You can add private and shared MLPs to labeled zones and the global zone.

This procedure is used when an application that runs in a labeled zone requires a multilevel port (MLP) to communicate with the zone. In this procedure, a web proxy communicates with the zone.

Before You Begin

You must be in the root role in the global zone. The system must have at least two IP addresses and the labeled zone is halted.

  1. Add the proxy host and the web services host to the /etc/hosts file.
    ## /etc/hosts file
    ...
    proxy-host-name  IP-address
    web-service-host-name IP-address
  2. Configure the zone.

    For example, configure the public zone to recognize packets that are explicitly labeled PUBLIC. For this configuration, the security template is named webprox.

    # tncfg -t webprox
    tncfg:public> set name=webprox
    tncfg:public> set host_type=cipso
    tncfg:public> set min_label=public
    tncfg:public> set max_label=public
    tncfg:public> add host=mywebproxy.oracle.comhost name associated with public zone
    tncfg:public> add host=10.1.2.3/16IP address of public zone
    tncfg:public> exit
  3. Configure the MLP.

    For example, the web proxy service might communicate with the PUBLIC zone over the 8080/tcp interface.

    # tncfg -z public add mlp_shared=8080/tcp
    # tncfg -z public add mlp_private=8080/tcp
  4. To add the MLPs to the kernel, boot the zone.
    # zoneadm -z zone-name boot
  5. In the global zone, add routes for the new addresses.

    To add routes, perform How to Add Default Routes.

Example 43  Configuring an MLP by Using the txzonemgr GUI

The administrator configures the web proxy service by opening the Labeled Zone Manager.

# txzonemgr &

The administrator double-clicks the PUBLIC zone, then double-clicks Configure Multilevel Ports. Then the administrator selects and double-clicks the Private interfaces line. The selection changes to an entry field similar to the following:

Private interfaces:111/tcp;111/udp

The administrator starts the web proxy entry with a semicolon separator.

Private interfaces:111/tcp;111/udp;8080/tcp

After completing the private entry, the administrator types the web proxy into the Shared interfaces field.

Shared interfaces:111/tcp;111/udp;8080/tcp

A popup message indicates that the multilevel ports for the public zone will be active at the next boot of the zone.

Example 44  Configuring a Private Multilevel Port for NFSv3 Over udp

In this example, the administrator enables NFSv3 read-down mounts over udp. The administrator has the option of using the tncfg command.

# tncfg -z global add mlp_private=2049/udp

The txzonemgr GUI provides another way to define the MLP.

In the Labeled Zone Manager, the administrator double-clicks the global zone, then double-clicks Configure Multilevel Ports. In the MLP menu, the administrator selects and double-clicks the Private interfaces line and adds the port/protocol.

Private interfaces:111/tcp;111/udp;8080/tcp

A popup message indicates that the multilevel ports for the global zone will be active at the next boot.

Example 45  Displaying Multilevel Ports on a System

In this example, a system is configured with several labeled zones. All zones share the same IP address. Some zones are also configured with zone-specific addresses. In this configuration, the TCP port for web browsing, port 8080, is an MLP on a shared interface in the public zone. The administrator has also set up telnet, TCP port 23, to be an MLP in the public zone. Because these two MLPs are on a shared interface, no other zone, including the global zone, can receive packets on the shared interface on ports 8080 and 23.

In addition, the TCP port for ssh, port 22, is a per-zone MLP in the public zone. The public zone's ssh service can receive any packets on its zone-specific address within the address's label range.

The following command shows the MLPs for the public zone:

# tninfo -m public
private: 22/tcp
shared:  23/tcp;8080/tcp

The following command shows the MLPs for the global zone. Note that ports 23 and 8080 cannot be MLPs in the global zone because the global zone shares the same address with the public zone:

# tninfo -m global
private: 111/tcp;111/udp;514/tcp;515/tcp;631/tcp;2049/tcp;
6000-6003/tcp;38672/tcp;60770/tcp;
shared:  6000-6003/tcp