Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Programming
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Databases
Mail Systems
openSolaris
Eclipse Documentation
Techotopia.com
Virtuatopia.com
Answertopia.com

How To Guides
Virtualization
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Windows
Problem Solutions
Privacy Policy

  




 

 

Solaris Trusted Extensions Administrator's Procedures
Previous Next

Checklist for Configuring Trusted Extensions

The following list summarizes what is required to enable and configure Trusted Extensions at your site. Tasks that are covered elsewhere are cross-referenced.

  1. Read.

  2. Prepare.

    • Decide the root password.

    • Decide the PROM or BIOS security level.

    • Decide the PROM or BIOS password.

    • Decide if attached peripherals are permitted.

    • Decide if access to remote printers is permitted.

    • Decide if access to unlabeled networks is permitted.

    • Decide the zone creation method.

  3. Enable Trusted Extensions.

    1. Install the Solaris OS.

      • For remote administration, install the Developer Group or larger group of Solaris packages.

      • For the Clone Zone creation method, select Custom Install, then lay out a /zone partition.

    2. Enable svc:/system/labeld, the Trusted Extensions service.

  4. If using IPv6, enable IPv6 for Trusted Extensions.

  5. If using a DOI different from 1, set the DOI in the /etc/system and the /etc/security/tsol/tnrhtp files.

  6. (Optional) Create ZFS pool for cloning zones.

  7. Configure labels.

    1. Finalize your site's label_encodings file.

    2. Check and install the file.

    3. Reboot.

  8. Configure interfaces for the global zone and for labeled zones.

  9. Configure the Solaris Management Console.

  10. Configure the naming service.

    • Use the files naming service, which requires no configuration.

    • Or, configure LDAP

      1. Create either a Trusted Extensions proxy server or a Trusted Extensions LDAP server.

      2. Enable the Solaris Management Console server to accept network connections.

      3. Register the Solaris Management Console with LDAP.

      4. Create an LDAP toolbox for the Solaris Management Console.

  11. Configure network connections for LDAP.

    • Assign an LDAP server or proxy server to the cipso host type in a remote host template.

    • Assign the local system to the cipso host type in a remote host template.

    • Make the local system a client of the LDAP server.

  12. Create labeled zones.

    • OPTION 1: Use txzonemgr script.

    • OPTION 2: Use Trusted CDE actions.

      1. Configure labeled zones

        1. In the Solaris Management Console, associate zone names with particular labels.

        2. Run the Configure Zone action.

      2. Run the Install Zone action.

      3. Run the Initialize for LDAP action.

      4. Run the Start Zone action.

      5. Customize the running zone.

      6. Run the Shut Down Zone action.

      7. Customize the zone while the zone is shut down.

      8. (Optional) Create a ZFS snapshot.

      9. Create the remaining zones from scratch, or by using the Copy Zone or the Clone Zone action.

  13. Configure the network. See Configuring Trusted Network Databases (Task Map).

    • Identify single-label hosts and limited-range hosts.

    • Determine the labels to apply to incoming data from unlabeled hosts.

    • Customize the remote host templates.

    • Assign individual hosts to templates.

    • Assign subnets to templates.

  14. Establish static routing. See Configuring Routes and Checking Network Information in Trusted Extensions (Task Map).

  15. Configure local users and local administrative roles.

    • To enforce separation of duty, create customized rights profiles.

    • Create the Security Administrator role.

    • Create a local user who can assume the Security Administrator role.

    • Create other roles, and possibly other local users to assume these roles.

  16. Create home directories on the NFS server.

    • Create home directories for each user at every label that the user can access.

    • (Optional) Prevent users from reading their lower-level home directories.

  17. Configure printing. See Managing Printing in Trusted Extensions (Task Map).

  18. Configure devices. See Handling Devices in Trusted Extensions (Task Map).

    1. Assign the Device Management profile or the System Administrator profile to a role.

    2. To make devices usable, do one of the following:

      • Per system, make devices allocatable.

      • Assign the Allocate Device authorization to selected users and roles.

  19. Configure Solaris features.

Previous Next

 
 
  Published under the terms fo the Public Documentation License Version 1.01. Design by Interspire