| Document Information Preface 1.  Security Planning for Trusted Extensions 2.  Installation and Configuration Roadmap for Trusted Extensions 3.  Installing Solaris Trusted Extensions Software  (Tasks) 4.  Configuring Trusted Extensions (Tasks) 5.  Configuring LDAP for Trusted Extensions (Tasks) 6.  Configuring a Headless System With Trusted Extensions (Tasks) A.  Site Security Policy B.  Using CDE Actions to Install Zones in Trusted Extensions Associating Network Interfaces With Zones by Using CDE Actions (Task Map) Specify Two IP Addresses for the System by Using a CDE Action Specify One IP Address for the System by Using a CDE Action Preparing to Create Zones by Using CDE Actions (Task Map) Specify Zone Names and Zone Labels by Using a CDE Action C.  Configuration Checklist for Trusted Extensions Glossary Index |       	 
             
Creating Labeled Zones by Using CDE Actions (Task Map)One zone can be created for every entry in the Trusted Network Zone
Configuration database. You made the entries in Specify Zone Names and Zone Labels by Using a CDE Action, by running the Configure Zone
action. The Trusted_Extensions folder in the Application Manager contains the following actions that create
labeled zones: Configure Zone – Creates a zone configuration file for every zone nameInstall Zone – Adds the correct packages and file systems to the zoneZone Terminal Console – Provides a window for viewing events in a zoneInitialize Zone for LDAP – Makes the zone an LDAP client and prepares the zone for bootingStart Zone – Boots the zone, then starts all the service management framework (SMF) servicesShut Down Zone – Changes the state of the zone from Started to Halted
 The tasks are completed in the following order. Install, Initialize, and Boot a Labeled Zone by Using CDE ActionsBecause zone creation involves copying an entire operating system, the process is time-consuming.
A faster process is to create one zone, make the zone a template
for other zones, and then copy or clone that zone template. Before You BeginYou have completed Specify Zone Names and Zone Labels by Using a CDE Action. If you are using LDAP as your naming service, you have completed
Make the Global Zone an LDAP Client in Trusted Extensions. If you are going to clone zones, you have completed Create ZFS Pool for Cloning Zones. In
the following procedure, you install the zone that you prepared. 
In the Trusted_Extensions folder, double-click the Install Zone action.
				 
Type the name of the zone that you are installing.This action creates a labeled virtual operating system. This step takes some time to
finish. Do not do other tasks on the system while Install Zone
is running. # zone-name: Install Zone
Preparing to install zone <zone-name>
Creating list of files to copy from the global zone
Copying <total> files to the zone
Initializing zone product registry
Determining zone package initialization order.
Preparing to initialize <subtotal> packages on the zone.
Initializing package <number> of <subtotal>: percent complete: percent
Initialized <subtotal> packages on zone.
Zone <zone-name> is initialized.
The file /zone/internal/root/var/sadm/system/logs/install_log 
contains a log of the zone installation.
*** Select Close or Exit from the window menu to close this window ***Open a console to monitor events in the installed zone.
Double-click the Zone Terminal Console action.Type the name of the zone that was just installed.Initialize the zone.
If you are using LDAP, double-click the Initialize Zone for LDAP action.Zone name:              Type the name of the installed zone
Host name for the zone: Type the host name for this zone For example, on a system with a shared logical interface, the values would
be similar to the following: Zone name:              public
Host name for the zone: machine1-zones This action makes the labeled zone an LDAP client of the same
LDAP server that serves the global zone. The action is complete when the
following information appears: zone-name zone will be  LDAP client of IP-address
zone-name is ready for booting
Zone label is LABEL
*** Select Close or Exit from the window menu to close this window ***If you are not using LDAP, initialize the zone manually by doing one
of the following steps.The manual procedure in Trusted Extensions is identical to the procedure for the
Solaris OS. If the system has at least one all-zones interface, then
the hostname for all the zones must match the global zone's hostname. In
general, the answers to the questions during zone initialization are the same as
the answers for the global zone. Supply the host information by doing one of the following:Double-click the Start Zone action.Answer the prompt. Zone name: Type the name of the zone that you are configuring This action boots the zone, then starts all the services that run
in the zone. For details about the services, see the smf(5) man page. The Zone Terminal Console tracks the progress of booting the zone. Messages that
are similar to the following appear in the console: [Connected to zone 'public' console]
[NOTICE: Zone booting up]
...
Hostname: zonename
Loading smf(5) service descriptions: number/total
Creating new rsa public/private host key pair
Creating new dsa public/private host key pair
rebooting system due to change(s) in /etc/default/init
[NOTICE: Zone rebooting]Monitor the console output.Before continuing with Customize a Booted Zone in Trusted Extensions, make sure that the zone has rebooted. The following
console login prompt indicates that the zone has rebooted. hostname console login: TroubleshootingFor Install Zone: If warnings that are similar to the following are displayed:
Installation of these packages generated errors: SUNWpkgname, read the install log and finish installing the packages. Customize a Booted Zone in Trusted ExtensionsIf you are going to clone zones, this procedure configures a zone
to be a template for other zones. In addition, this procedure configures the zone
for use. 
Ensure that the zone has been completely started.
				 
In the zone-name: Zone Terminal Console, log in as root.hostname console login: root
Password: Type root passwordCheck that the zone is running.The status running indicates that at least one process is running in
the zone. # zoneadm list -v
ID NAME        STATUS         PATH
 2 public      running        /Check that the zone can communicate with the global zone.The X server runs in the global zone. Each labeled zone must
be able to connect with the global zone to use this service. Therefore,
zone networking must work before the zone can be used. For assistance, see
Labeled Zone Is Unable to Access the X Server.In the Zone Terminal Console, disable services that are unnecessary in a labeled
zone.If you are copying or cloning this zone, the services that you disable
are disabled in the new zones. The services that are online on your
system depend on the service manifest for the zone. Use the netservices limited command
to turn off services that labeled zones do not need. 
				 
Remove many unnecessary services.# netservices limitedList the remaining services.# svcs
...
STATE        STIME      FMRI
online       13:05:00   svc:/application/graphical-login/cde-login:default
...Disable graphical login.# svcadm disable svc:/application/graphical-login/cde-login
# svcs cde-login
STATE        STIME      FMRI
disabled     13:06:22   svc:/application/graphical-login/cde-login:default For information about the service management framework, see the smf(5) man page.Shut down the zone.Choose one of the following ways: 
Run the Shut Down Zone action.Provide the name of the zone.In a terminal window in the global zone, use the zlogin command.# zlogin zone-name init 0 For more information, see the zlogin(1) man page.Verify that the zone is shut down.In the zone-name: Zone Terminal Console, the following message indicates that the zone
is shut down: [ NOTICE: Zone halted] If you are not copying or cloning this zone, create the remaining
zones in the way that you created this first zone.If you are using this zone as a template for other zones,
do the following:
				 
Remove the auto_home_zone-name file.In a terminal window in the global zone, remove this file from the
zone-name zone. cd /zone/zone-name/root/etc
# ls auto_home*
auto_home  auto_home_zone-name
# rm auto_home_zone-name For example, if the public zone were the basis for cloning other zones,
remove its auto_home file: # cd /zone/public/root/etc
# rm auto_home_public Next StepsUse the Copy Zone Method in Trusted ExtensionsBefore You Begin
For every zone that you want to create, double-click the Copy Zone action.Answer the prompts. New Zone Name:     Type name of target zone
From Zone Name:    Type name of source zone 
 Caution - Do not perform other tasks while this task is completing. 
When the zones are created, check the status of every zone.
				 
Double-click the Zone Terminal Console action.Log in to each zone.Complete Verify the Status of the Zone. Use the Clone Zone Method in Trusted ExtensionsBefore You Begin
Create a Solaris ZFS snapshot of the zone template.# cd /
# zfs snapshot zone/zone-name@snapshot You use this snapshot to clone the remaining zones. For a configured zone
that is named public, the snapshot command is the following: # zfs snapshot zone/public@snapshotFor every zone that you want to create, double-click the Clone Zone action.Answer the prompts. New Zone Name:      Type name of source zone
ZFS Snapshot:         Type name of snapshotRead the information in the dialog box.Zone label is <LABEL>
zone-name is ready for booting
*** Select Close or Exit from the window menu to close this window ***For each zone, run the Start Zone action.Start each zone before running the action for another zone.After the zones are created, check the status of every zone.
				 
Double-click the Zone Terminal Console action.Complete Verify the Status of the Zone. |