Configure Solaris Trusted Extensions and run GlassFish Application Server




(From Jagadesh Babu Munta and Shaline Gowda)

About

Trusted Extensions software package is a layered product on top of the Solaris operating system.

Trusted Extensions provides special security features that enable an organization to define and implement a security policy on a Solaris system. A security policy is the set of rules and practices that help protect information and other resources, such as computer hardware, at your site. Typically, security rules handle such issues as who has access to which information or who is allowed to write data to removable media. Security practices are recommended procedures for performing tasks [1]. Answers to common questions about Trusted Extensions can be found at [2]. Currently the product is being evaluated for Common Criteria certification (CCC) [3].


GlassFish is a free, open source, production quality, enterprise application server which implements the newest features in the Java EE platform. It is the reference implementation for the Java EE standard from Sun [8].

Installing TX

The simplest way of getting TX is to install Solaris 10 U5 (Solaris 10 11/06) [5]. There is no need to install any additional TX-related packages; they are already installed when you install S10 U5.

However, the “labeld” service has to be started before the system becomes a TX system.

Run the command:

svcadm enable -s labeld

and then reboot. Note that at this point you can only access the system through the console (until remote access is enabled).

For all other OS cases, refer to the document [6].


The next preparation step is to create a ZFS pool for the zones. Creating zones by ZFS cloning is the quickest way to create zones, but you may need to do extra steps to make sure the zones are stable.


Follow the steps:

  • Login as root user to global zone.

  • Comment out the /zone entry in the /etc/vfstab file (added by editing the jumpstart profile). Note the partition name for /zone, for example /dev/dsk/c1t0d0s0.

  • Unmount /zone: # umount /zone

  • Create the zone pool:

zpool create -f zone /dev/dsk/c1t0d0s0

  • Check the pool status with the following commands:


zpool status -x zone

zpool list

Setup remote access to TX machine

The following three steps are sufficient to enable remote access [6].

Comment out the CONSOLE line in the /etc/default/login file. Below is the snapshot from a TX system.


# If CONSOLE is set, root can only login on that device.

# Comment this line out to allow remote login by root.
#
#CONSOLE=/dev/console


Add the DNS name servers in /etc/resolv.conf file. Below is the snapshot from a TX system.

# cat /etc/resolv.conf
domain sfbay.sun.com
search sfbay.sun.com sun.com
options ndots:2 timeout:3 retrans:3 retry:1
nameserver 129.146.11.51 ; sfbay-dns-1.sfbay
nameserver 129.146.11.103 ; na-umpk11-01.sfbay
nameserver 129.145.155.226 ; sfbay-dns-2.sfbay

#




Edit /etc/pam.conf to allow remote users and logins from non-TX (unlabeled) systems. Below is the snapshot from a TX system. Basically, change the following lines to have allow_remote and allow_unlabeled at the end.

# cat /etc/pam.conf | egrep allow
other account requisite pam_roles.so.1 allow_remote
other account required pam_tsol_account.so.1 allow_unlabeled
#

On Solaris 10 U5, open the network services, which are disabled by default due to the Secure By Default (SBD) feature. Run the following command to disable SBD:

netservices open
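As an added check that is not part of the original post, the script below audits the two file edits made in the remote-access steps above (the CONSOLE line in /etc/default/login and the allow_remote/allow_unlabeled options in /etc/pam.conf). The file contents it creates are constructed samples so it runs on any system; on a TX host pass the real /etc/default/login and /etc/pam.conf as arguments.

```shell
#!/bin/sh
# Added example, not from the original post: audit the remote-access edits.
# Each check returns 0 when the edit described in the post is present.

# 0 when no active CONSOLE= line remains, i.e. root may log in remotely.
login_console_unrestricted() {
    ! grep -q '^[[:space:]]*CONSOLE=' "$1"
}

# 0 when pam_roles carries allow_remote AND pam_tsol_account carries allow_unlabeled.
pam_allows_remote_unlabeled() {
    grep -Eq '^other[[:space:]]+account[[:space:]]+requisite[[:space:]]+pam_roles\.so\.1.*allow_remote' "$1" &&
    grep -Eq '^other[[:space:]]+account[[:space:]]+required[[:space:]]+pam_tsol_account\.so\.1.*allow_unlabeled' "$1"
}

# Report both settings ($1: login file, $2: pam.conf); 0 only when both edits are in place.
audit_remote_access() {
    rc=0
    if login_console_unrestricted "$1"; then echo "login: remote root login permitted"
    else echo "login: root restricted to CONSOLE"; rc=1; fi
    if pam_allows_remote_unlabeled "$2"; then echo "pam: remote and unlabeled hosts allowed"
    else echo "pam: allow_remote/allow_unlabeled missing"; rc=1; fi
    return $rc
}

RA_DIR=$(mktemp -d)
# Constructed sample: stock (hardened) login file, CONSOLE still active.
printf '# If CONSOLE is set, root can only login on that device.\nCONSOLE=/dev/console\n' > "$RA_DIR/login.stock"
# Constructed sample: login file after the edit described in the post.
printf '# Comment this line out to allow remote login by root.\n#CONSOLE=/dev/console\n' > "$RA_DIR/login.edited"
# Constructed samples: the two pam.conf account lines before and after the edit.
printf 'other account requisite pam_roles.so.1\nother account required pam_tsol_account.so.1\n' > "$RA_DIR/pam.stock"
printf 'other account requisite pam_roles.so.1 allow_remote\nother account required pam_tsol_account.so.1 allow_unlabeled\n' > "$RA_DIR/pam.edited"

# Run the audit against the edited samples (exit status 0 = remote access enabled).
audit_remote_access "$RA_DIR/login.edited" "$RA_DIR/pam.edited"
```

Running it against the stock samples instead reports which of the two edits is still missing and returns 1.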

Setup Labeled Zones


Trusted Extensions uses Solaris Containers (zones) for labeling. The global zone is an administrative zone and is not available to users. Non-global zones are called labeled zones, and these are the zones users work in. The global zone shares some system files with users; when these files are visible in a labeled zone, their label is ADMIN_LOW. Network communication is restricted by label. By default, zones cannot communicate with each other because their labels are different. Therefore, one zone cannot write into another zone [1].


The simplest way to create and manage the labeled zones is to use “txzonemgr”, an easy-to-use GUI tool.


The typical states of a labeled zone are as follows [7]:

Undefined --> Configured --> Installed --> Ready -->Running


Before creating the labeled zones, check whether the network interface is shared by all zones. You can do this by running “ifconfig -a” and looking for “all-zones”.


If not, use txzonemgr to create the network interface for the non-global zones. Run the tool /usr/sbin/txzonemgr, which creates network interfaces and zones. Select Manage Network Interfaces, then select the physical interface and share it.


In the labeled zone creation process, the first step is to create one labeled zone and configure it. Then create a snapshot of it and clone that snapshot for the other labeled zones.


Follow the steps below from the /usr/sbin/txzonemgr GUI:


  • Create the first new labeled zone (say public) --> Select --> Install --> Zone console --> Boot --> Configure NFS and domain --> Running (public)

  • Running labeled zone (public) -->Halt --> Create snapshot

  • Create another new labeled zone (internal) --> Select --> Clone --> select the snapshot (public) --> Zone console --> Boot --> Running (internal)

  • Repeat the above steps for all other labels such as needtoknow, restricted, etc.




Some screenshots from txzonemgr are listed here for reference.


Fig-1. List of all labeled zones from the labeled zone manager (txzonemgr)

Fig-2. Installed public zone (txzonemgr). Ready to Boot or Create Snapshot.

Fig-3. Installing a labeled zone from a configured one: clone from an existing snapshot (txzonemgr)

Fig-4. List of options from an installed (public) zone (txzonemgr)

Fig-5. Available ZFS zone snapshot created from the public zone (txzonemgr)

Fig-6. List of options available on a running labeled zone (txzonemgr)

Fig-7. List of network interfaces (txzonemgr)




To check the created zones, use the following command.

# zoneadm list -cv

ID NAME STATUS PATH BRAND IP

0 global running / native shared
10 internal running /zone/internal native shared
12 public running /zone/public native shared

...
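As an added check that is not part of the original post, the function below reads a saved `zoneadm list -cv` listing like the one above and reports any labeled zone that is not running or whose path is not under the zone pool created earlier (assumed to be mounted at /zone). The two listings it creates are constructed samples; on a TX host save the real output to a file and pass that.

```shell
#!/bin/sh
# Added example, not from the original post: verify labeled zone states from
# a saved `zoneadm list -cv` listing. $1: listing file, $2: zone pool
# mountpoint (assumed /zone). Returns 0 when every non-global zone is running
# under the pool; otherwise prints each problem and returns 1.
labeled_zones_ready() {
    awk -v pool="${2:-/zone}" '
        $1 !~ /^(-|[0-9]+)$/ { next }   # skip header, blank and "..." lines
        $2 == "global"       { next }   # the global zone is not a labeled zone
        $3 != "running"      { printf "%s: state %s, expected running\n", $2, $3; bad++ }
        index($4, pool "/") != 1 { printf "%s: path %s not under %s\n", $2, $4, pool; bad++ }
        END { exit bad ? 1 : 0 }' "$1"
}

ZL_DIR=$(mktemp -d)
# Constructed sample: both labeled zones running, as in the listing above.
cat > "$ZL_DIR/all-running" <<'EOF'
ID NAME STATUS PATH BRAND IP
0 global running / native shared
10 internal running /zone/internal native shared
12 public running /zone/public native shared
EOF
# Constructed sample: "internal" halted (ID "-", state installed), which is
# the "public zone only" configuration used for the tests later in the post.
cat > "$ZL_DIR/internal-halted" <<'EOF'
ID NAME STATUS PATH BRAND IP
0 global running / native shared
- internal installed /zone/internal native shared
12 public running /zone/public native shared
EOF

labeled_zones_ready "$ZL_DIR/all-running" && echo "all labeled zones running"
labeled_zones_ready "$ZL_DIR/internal-halted" || echo "check zone states before running tests"
```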


To check the labels on files, run the following command:

# getlabel /
/: ADMIN_HIGH
#

To login to a public zone from global zone, use the following command.

#
# zlogin public
[Connected to zone 'public' pts/8]
Last login: Tue Jun 3 16:29:53 on pts/8
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
# getlabel /export
/export: PUBLIC
#


To log in to a labeled zone, use one of the following alternatives.

# rlogin -l root <tx-system>

# zlogin public
(or)
Run /usr/sbin/txzonemgr.

Select the zone (public/internal), select OK and then select "Zone Console". Log in using the root id and password. From there you can operate on that console.


Run GlassFish Application Server

Download and install GlassFish [8]. The latest GF FCS version is GFv2 UR2, available from [10]; the installation instructions can also be found at [10]. You could download it on a different machine and copy it to the required labeled zone.


There are sanity tests for GF called Quick Look (QL) tests, which can be checked out from the GF workspace. See the steps at [9].


Run the QL tests in the following 3 cases:

  • “public” zone only (run only public and halt internal zone)

  • “internal” zone only

  • simultaneously on both “public” and “internal” while both are running.


If you don't want to use Maven, do the following after setting up the environment:


“ant all-pe”

Edit <as-install>/config/asadminenv.conf and change the profile from “developer” to “cluster”.

“ant only-ee”


No issues found. All the sanity/QL tests passed. 

References

[1] Trusted Extensions User Guide - http://docs.sun.com/app/docs/doc/819-7313

[2] Solaris Trusted Extensions FAQ - http://www.sun.com/bigadmin/sundocs/articles/txfaq.jsp

[3] Solaris Common Criteria Certification - http://www.sun.com/software/security/securitycert/#in-eval

[4] Trusted Extensions Developer Guide - http://docs.sun.com/app/docs/doc/819-7312

[5] Solaris Trusted Extensions Collection - http://docs.sun.com/app/docs/coll/175.12

[6] Trusted Extensions Installation and Configuration - http://docs.sun.com/app/docs/doc/819-7314

[7] Solaris Zones - http://www.softpanorama.org/Solaris/Virtualization/zones.shtml

[8] GlassFish - http://glassfish.dev.java.net

[9] GlassFish QL instructions - https://glassfish.dev.java.net/public/GuidelinesandConventions.html#Quicklook_Tests

[10] GFv2 UR2 download - https://glassfish.dev.java.net/downloads/v2ur2-b04.html

Acknowledgments

We would like to thank the following people, who provided guidance and information on TX and greatly helped with the TX setup during this exercise in a timely manner.

Satya Dodda 
Lokanath Das
Parameswaran Namboodiri 


That's all.
Enjoy more security for your enterprise resources!




Comments:

"Trusted"???

How much would you trust something written by someone who calls himself Jagadesh Babu Munta?

Posted by Mayawati on June 05, 2008 at 09:01 PM PDT #
