Configure Solaris Trusted Extensions and run GlassFish Application Server
By Jagadesh Babu Munta on Jun 05, 2008
(From Jagadesh Babu Munta and Shaline Gowda)
The Trusted Extensions (TX) software package is a layered product on top of the Solaris operating system.
Trusted Extensions provides special security features that enable an organization to define and implement a security policy on a Solaris system. A security policy is the set of rules and practices that help protect information and other resources, such as computer hardware, at your site. Typically, security rules handle such issues as who has access to which information or who is allowed to write data to removable media. Security practices are recommended procedures for performing tasks. Answers to common questions about Trusted Extensions can be found in the Solaris Trusted Extensions FAQ (see the references below). The product is currently under evaluation for Common Criteria certification (see the references below).
GlassFish is a free, open source, production-quality enterprise application server that implements the newest features of the Java EE platform. It is Sun's reference implementation of the Java EE standard.
The simplest way of getting TX is to install Solaris 10 U5 (Solaris 10 5/08). There is no need to install any additional TX-related packages: the TX packages have shipped with Solaris 10 since the 11/06 release, so they are already on the system after installing S10 U5.
However, the labeld service must be enabled before the system runs as a TX system.
Run the command:
svcadm enable -s labeld
and then reboot. Note that at this point you can only access the system through the console (until remote access is enabled, as described below).
For other Solaris releases, refer to the Trusted Extensions Installation and Configuration guide listed in the references below.
The next preparation step is to create a ZFS pool for the zones. Creating zones by ZFS cloning is the quickest way to create them, but you may need to do extra steps to make sure the zones are stable.
Follow these steps:
Log in as root to the global zone.
Comment out the /zone entry in /etc/vfstab (it was added by the JumpStart profile). Note the partition name used for /zone, for example /dev/dsk/c1t0d0s0.
Unmount /zone:
# umount /zone
Create the zone pool on that partition:
zpool create -f zone /dev/dsk/c1t0d0s0
Check the pool status with:
zpool status -x zone
Setup remote access to the TX machine
The following steps are enough to enable remote access. Each of them relaxes a default restriction (root on the console only, labeled peers only, network services closed), so apply them on a lab system; on a production TX system keep the restrictions you do not need to lift.
Comment out CONSOLE in /etc/default/login. Below is the snapshot from a TX system after the change.
# If CONSOLE is set, root can only login on that device.
# Comment this line out to allow remote login by root.
#CONSOLE=/dev/console
Add the DNS name servers to /etc/resolv.conf.
Edit /etc/pam.conf to allow remote users and logins from non-TX (unlabeled) systems. Basically, change the pam_tsol_account line so that it ends with allow_remote and allow_unlabeled. You can find the line with:
# egrep allow /etc/pam.conf
On Solaris 10 U5, open the network services, which are disabled by default by the Secure By Default (SBD) feature. Run the following command to open them:
netservices open
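The edits above are normally done by hand in an editor. The script below is an added example (not from the original post) that performs the same three file edits idempotently and then verifies them, so the remote-access state of a system can be checked with one command. The edit functions take the file path as an argument so they can be exercised on copies; "apply" runs them on the live /etc files (as root, on a TX system). It assumes the standard Solaris /etc/default/login line CONSOLE=/dev/console and the TX /etc/pam.conf line for pam_tsol_account.so.1 are the lines being edited; the two sample files and the 192.0.2.x name-server addresses are constructed placeholders.

```sh
#!/bin/sh
# Added example: scripted version of the TX remote-access edits.
# Usage: ./tx-remote.sh            (run the edits on constructed samples in a scratch dir)
#        ./tx-remote.sh apply 192.0.2.53 192.0.2.54   (edit the live files, as root)

# Rewrite FILE through a sed script. Solaris 10 sed has no -i, so go via a temp file.
edit_in_place() {
    f=$1; script=$2
    sed "$script" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Comment out CONSOLE=... so root may log in from somewhere other than the console.
allow_root_remote_login() {
    edit_in_place "$1" 's/^CONSOLE=/#CONSOLE=/'
}

# Append "allow_remote allow_unlabeled" to the pam_tsol_account line, but only once,
# so running the script twice does not duplicate the options.
allow_remote_unlabeled_logins() {
    edit_in_place "$1" '/pam_tsol_account\.so\.1/{
/allow_remote/!s/$/ allow_remote allow_unlabeled/
}'
}

# Overwrite FILE with one "nameserver" line per address given.
set_nameservers() {
    f=$1; shift
    : > "$f"
    for ns in "$@"; do printf 'nameserver %s\n' "$ns" >> "$f"; done
}

# Return 0 only if the login file no longer pins root to the console and the
# pam file carries both options on the pam_tsol_account line.
check_remote_access() {
    grep -q '^CONSOLE=' "$1" && return 1
    grep 'pam_tsol_account\.so\.1' "$2" | grep -q 'allow_remote'    || return 1
    grep 'pam_tsol_account\.so\.1' "$2" | grep -q 'allow_unlabeled' || return 1
    return 0
}

# Live mode: edit the real files, open the network services, then verify.
apply_remote_access() {
    allow_root_remote_login /etc/default/login
    allow_remote_unlabeled_logins /etc/pam.conf
    if [ $# -gt 0 ]; then set_nameservers /etc/resolv.conf "$@"; fi
    netservices open        # undo the Secure By Default "limited" network profile
    check_remote_access /etc/default/login /etc/pam.conf
}

# Constructed samples of just the lines that matter (assumed standard content,
# not a copy of a real system's files).
SAMPLE_LOGIN='# If CONSOLE is set, root can only login on that device.
# Comment this line out to allow remote login by root.
CONSOLE=/dev/console'
SAMPLE_PAM='other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1
other   account required        pam_tsol_account.so.1'

# Demo mode: run the edits on copies of the samples and show the result.
demo() {
    d=$(mktemp -d)
    printf '%s\n' "$SAMPLE_LOGIN" > "$d/login"
    printf '%s\n' "$SAMPLE_PAM"   > "$d/pam.conf"
    allow_root_remote_login "$d/login"
    allow_remote_unlabeled_logins "$d/pam.conf"
    allow_remote_unlabeled_logins "$d/pam.conf"   # second run must be a no-op
    set_nameservers "$d/resolv.conf" 192.0.2.53 192.0.2.54   # placeholder addresses
    if check_remote_access "$d/login" "$d/pam.conf"; then
        echo "remote access settings present:"
        cat "$d/login" "$d/pam.conf" "$d/resolv.conf"
    else
        echo "remote access settings missing"
    fi
    rm -r "$d"
}

case "${1-}" in
    apply) shift; apply_remote_access "$@" ;;
    demo|"") demo ;;
esac
```

check_remote_access is also a useful standalone audit: run it against the live files from a cron job or a post-install check to confirm that a system you expect to be console-only has not quietly had these options added.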
Setup Labeled Zones
Trusted Extensions uses Solaris Containers (zones) for labeling. The global zone is an administrative zone and is not available to users. Non-global zones are called labeled zones, and these are what users work in. The global zone shares some system files with users; when these files are visible in a labeled zone, their label is ADMIN_LOW. Network communication is restricted by label. By default, zones cannot communicate with each other because their labels are different; therefore, one zone cannot write into another zone.
The simplest way to create and manage labeled zones is txzonemgr, an easy-to-use GUI tool.
The typical states of a labeled zone are as follows:
Undefined --> Configured --> Installed --> Ready --> Running
Before starting to create labeled zones, check whether a network interface is already shared by all zones. Run “ifconfig -a” and look for the “all-zones” flag.
If there is none, use txzonemgr to create the network interface for the non-global zones. Run the tool, /usr/sbin/txzonemgr, which creates both network interfaces and zones. Select Manage Network Interfaces, then select the physical interface and share it.
In the labeled zone creation process, the first step is to create one labeled zone and configure it. Then create a snapshot of it and clone it for the other labeled zones.
Follow the steps below from the /usr/sbin/txzonemgr GUI:
Create the first new labeled zone (say public) --> Select --> Install --> Zone console --> Boot --> Configure NFS and domain --> Running (public)
Running labeled zone (public) --> Halt --> Create snapshot
Create another new labeled zone (internal) --> Select --> Clone --> select the snapshot (public) --> Zone console --> Boot --> Running (internal)
Repeat the above steps for all other labels, such as needtoknow, restricted, etc.
Some screenshots from txzonemgr are listed here for reference.
Fig-1. List of all labeled zones from the labeled zone manager (txzonemgr)
Fig-2. Installed public zone (txzonemgr). Ready to Boot or Create Snapshot.
Fig-3. Installing a labeled zone from a configured one: Clone from existing snapshot (txzonemgr)
Fig-4. List of options for an installed (public) zone (txzonemgr)
Fig-5. Available ZFS zone snapshot created from the public zone (txzonemgr)
Fig-6. List of options available on a running labeled zone (txzonemgr)
Fig-7. List of network interfaces (txzonemgr)
To check the created zones, use the following command (only the global zone is shown in this snapshot; labeled zones appear as further rows).
# zoneadm list -cv
  ID NAME             STATUS     PATH                           BRAND    IP
   0 global           running    /                              native   shared
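Both checks in this section (the all-zones flag in “ifconfig -a” and the zone states in “zoneadm list -cv”) are easy to eyeball once but tedious to repeat for every label. The script below is an added example (not from the original post) that parses both outputs and fails unless a non-loopback interface is shared and every named zone is in the expected state. Without the “live” argument it parses the constructed sample outputs embedded in the script, so it can be tried anywhere; with “live” it runs the real commands on a TX system. The samples follow the layout of the two commands on Solaris 10 but are constructed, not captured, and the expected states and interface names are assumptions for the demo.

```sh
#!/bin/sh
# Added example: readiness check for labeled zones on a TX system.
# Usage: ./tx-check.sh                                       (parse the samples below)
#        ./tx-check.sh live public=running internal=running  (parse the real commands)

# Print the interfaces carrying the all-zones flag, one per line, ignoring loopback.
# Assumed Solaris ifconfig layout: a "name: flags=..." header line, followed by
# an indented "all-zones" (or "zone NAME") line for zone-assigned interfaces.
shared_interfaces() {
    awk '$2 ~ /^flags=/ { iface = $1; sub(/:$/, "", iface) }
         $1 == "all-zones" && iface !~ /^lo/ { print iface }'
}

# Print the STATUS column of "zoneadm list -cv" for zone $1
# (configured, installed, ready, running, ...), or nothing if it is not listed.
zone_state() {
    awk -v z="$1" 'NR > 1 && $2 == z { print $3 }'
}

# check_tx_zones IFCONFIG_TEXT ZONEADM_TEXT zone=state [zone=state ...]
# Returns non-zero (and explains on stderr) for each condition that fails.
check_tx_zones() {
    ifc=$1; zlist=$2; shift 2
    rc=0
    if [ -z "$(printf '%s\n' "$ifc" | shared_interfaces)" ]; then
        echo "no all-zones interface: in txzonemgr choose Manage Network Interfaces and share one" >&2
        rc=1
    fi
    for want in "$@"; do
        zone=${want%%=*}; state=${want#*=}
        have=$(printf '%s\n' "$zlist" | zone_state "$zone")
        if [ "$have" != "$state" ]; then
            echo "zone $zone is '${have:-absent}', expected $state" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed samples (not captured from a real machine) in the layout of
# "ifconfig -a" and "zoneadm list -cv" on a TX system with bge0 shared.
SAMPLE_IFCONFIG='lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
bge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        all-zones
        inet 192.0.2.10 netmask ffffff00 broadcast 192.0.2.255'
SAMPLE_ZONEADM='  ID NAME             STATUS     PATH                           BRAND    IP
   0 global           running    /                              native   shared
   1 public           running    /zone/public                   native   shared
   - internal         installed  /zone/internal                 native   shared'

if [ "${1-}" = live ]; then
    shift
    check_tx_zones "$(ifconfig -a)" "$(zoneadm list -cv)" "$@"
else
    check_tx_zones "$SAMPLE_IFCONFIG" "$SAMPLE_ZONEADM" public=running internal=installed \
        && echo "sample system ready"
fi
```

The zone=state arguments map directly onto the three GlassFish test cases later in this post: “public=running internal=installed” for the public-only run, and “public=running internal=running” before the simultaneous run.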
To check the labels on files, use the getlabel command.
To log in to the public zone from the global zone, use the zlogin command.
Alternatively, log in to a labeled zone through txzonemgr. First log in to the TX system remotely:
# rlogin -l root <tx-system>
then run txzonemgr, select the zone (public/internal), select OK and then select "Zone Console". Log in using the root id and password. From there you can operate on that zone's console.
Run GlassFish Application Server
Download and install GlassFish. Get the latest GF FCS version, which is GFv2 UR2 (see the download link in the references below); the installation instructions are on the GlassFish site listed there. You can download on a different machine and copy the installer to the required labeled zone.
There are sanity tests for GF called Quick Look (QL) tests; they can be checked out from the GF workspace. See the steps in the GlassFish QL instructions (references below).
Run the QL tests in the following three cases:
“public” zone only (run only public and halt the internal zone)
“internal” zone only
simultaneously on both “public” and “internal” while both are running.
If you don't want to use Maven, then do the following after setting up the environment.
Edit <as-install>/config/asadminenv.conf and change the profile from “developer” to “cluster”.
No issues were found. All the sanity/QL tests passed.
Trusted Extensions User Guide - http://docs.sun.com/app/docs/doc/819-7313
Solaris Trusted Extensions FAQ - http://www.sun.com/bigadmin/sundocs/articles/txfaq.jsp
Solaris Common Criteria Certification - http://www.sun.com/software/security/securitycert/#in-eval
Trusted Extensions Developer Guide - http://docs.sun.com/app/docs/doc/819-7312
Solaris Trusted Extensions Collection - http://docs.sun.com/app/docs/coll/175.12
Trusted Extensions Installation and Configuration - http://docs.sun.com/app/docs/doc/819-7314
Solaris Zones - http://www.softpanorama.org/Solaris/Virtualization/zones.shtml
GlassFish - http://glassfish.dev.java.net
GlassFish QL instructions - https://glassfish.dev.java.net/public/GuidelinesandConventions.html#Quicklook_Tests
GFv2 UR2 download - https://glassfish.dev.java.net/downloads/v2ur2-b04.html
We would like to thank the following people, who provided guidance and information on TX and greatly helped in setting up the TX environment during this exercise in a timely manner.
Enjoy more security for your enterprise resources!