Preparing to Create Zones by Using CDE Actions (Task Map)

The following task map describes the tasks for preparing the system for zone creation. For a discussion of zone creation methods, see Planning for Zones in Trusted Extensions.

Task	Description	For Instructions
1. Name each zone, and link the zone name to the zone label.	Name each labeled zone with a version of its label, then associate the name with the label in the Solaris Management Console.	Specify Zone Names and Zone Labels by Using a CDE Action
2. Configure the network before creating the zones.	Assign a label to the network interface on every host, and do further configuration.	Configuring Trusted Network Databases (Task Map)

Specify Zone Names and Zone Labels by Using a CDE Action

You do not have to create a zone for every label in your label_encodings file, but you can. The tnzonecfg database enumerates the labels that can have zones created for them on this system.

Navigate to the Trusted_Extensions folder.
1. Click mouse button 3 on the background.
2. From the Workspace menu, choose Applications → Application Manager.
3. Double-click the Trusted_Extensions folder icon.
For every zone, name the zone.
1. Double-click the Configure Zone action.
2. At the prompt, provide a name.
  Tip - Give the zone a similar name to the zone's label. For example, the name of a zone whose label is CONFIDENTIAL : INTERNAL USE ONLY would be internal.
Repeat the Configure Zone action for every zone.
For example, the default label_encodings file contains the following labels:
```
PUBLIC
CONFIDENTIAL: INTERNAL USE ONLY
CONFIDENTIAL: NEED TO KNOW
CONFIDENTIAL: RESTRICTED
SANDBOX: PLAYGROUND
MAX LABEL
```
Although you could run the Configure Zone action six times to create one zone per label, consider creating the following zones:
- On a system for all users, create one zone for the PUBLIC label and three zones for the CONFIDENTIAL labels.
- On a system for developers, create a zone for the SANDBOX: PLAYGROUND label. Because SANDBOX: PLAYGROUND is defined as a disjoint label for developers, only systems that developers use need a zone for this label.
- Do not create a zone for the MAX LABEL label, which is defined to be a clearance.
Open the Trusted Network Zones tool.
The tools in the Solaris Management Console are designed to prevent user error. These tools check for syntax errors and automatically run commands in the correct order to update databases.
1. Start the Solaris Management Console.
```
# /usr/sbin/smc &
```
2. Open the Trusted Extensions toolbox for the local system.
  1. Choose Console → Open Toolbox.
  2. Select the toolbox that is named This Computer (this-host: Scope=Files, Policy=TSOL).
  3. Click Open.
3. Under System Configuration, navigate to Computers and Networks.
  Provide a password when prompted.
4. Double-click the Trusted Network Zones tool.
For each zone, associate the appropriate label with a zone name.
1. Choose Action → Add Zone Configuration.
  The dialog box displays the name of a zone that does not have an assigned label.
2. Look at the zone name, then click Edit.
3. In the Label Builder, click the appropriate label for the zone name.
  If you click the wrong label, click the label again to deselect it, then click the correct label.
4. Save the assignment.
  Click OK in the Label Builder, then click OK in the Trusted Network Zones Properties dialog box.
You are finished when every zone that you want is listed in the panel, or the Add Zone Configuration menu item opens a dialog box that does not have a value for Zone Name.

Troubleshooting

If the Trusted Network Zones Properties dialog box does not prompt for a zone that you want to create, either the zone network configuration file does not exist, or you have already created the file.

Check that the zone network configuration file does not already exist. Look in the panel for the name.
If the file does not exist, run the Configure Zone action to supply the zone name. Then, repeat Step 5 to create the file.

Specify Labels for Network Interfaces by Using the Solaris Management Console

You turn your host and other already-defined hosts into labeled hosts. These hosts are defined as sending and receiving labeled CIPSO packets. You only need to add systems that are not known by your LDAP server.

Display the computers that are known by the system.
In the Solaris Management Console, navigate to Computers.
This tool is in the Computers and Networks tool set.
In the panel, double-click your host.
Copy the IP address.
Open Security Templates, then cipso.
Explicitly assign the host to the cipso template
1. Click the Hosts Assigned to Template tab.
  If you completed Make the Global Zone an LDAP Client in Trusted Extensions, the LDAP server is assigned to the cipso security template.
2. Paste the host's IP address into the IP Address field.
3. Type the host name into the Hostname field.
4. Click the Add button.
5. Click OK.
Repeat Step 1 to Step 5 for every host.
In the default configuration, every host that is not explicitly labeled is defined as an unlabeled host. Every unlabeled host can be contacted at boot at the label ADMIN_LOW. This is not a secure configuration. To modify the default configuration, see How to Limit the Hosts That Can Be Contacted on the Trusted Network.

Next Steps

Creating Labeled Zones by Using CDE Actions (Task Map)