Installing or Upgrading the Solaris OS for Trusted Extensions
The choice of Solaris installation options can affect the use and security of
Install a Solaris System to Support Trusted Extensions
This task applies to fresh installations of the Solaris OS. If you
are upgrading, see Prepare an Installed Solaris System for Trusted Extensions.
Prepare an Installed Solaris System for Trusted Extensions
This task applies to Solaris systems that have been in use, and on
which you plan to run Trusted Extensions. Also, to run Trusted Extensions on an upgraded
Solaris system, follow this procedure. Other tasks that might modify an installed Solaris
system can be done during Trusted Extensions configuration.
Before You Begin
Trusted Extensions cannot be enabled in some Solaris environments:
If your system is part of a cluster, Trusted Extensions cannot be enabled on the system.
The enabling of Trusted Extensions in an alternate boot environment (BE) is not supported. Trusted Extensions can only be enabled in the current boot environment.
- If non-global zones are installed on your system, remove them.
Or, you can re-install the Solaris OS. If you are going to
re-install the Solaris OS, follow the instructions in Install a Solaris System to Support Trusted Extensions.
- If your system does not have a root password, create one.
Administration tools in Trusted Extensions require passwords. If the root user does not
have a password, then root cannot configure the system.
Use the default crypt_unix password encryption method for the root user. For details,
see Managing Password Information in System Administration Guide: Security Services.
Note - Users must not disclose their passwords to another person, as that person might
then have access to the data of the user and will not be
uniquely identified or accountable. Note that disclosure can be direct, through the user
deliberately disclosing her/his password to another person, or indirect, for example, through writing
it down, or choosing an insecure password. The Solaris OS provides protection against insecure
passwords, but cannot prevent a user from disclosing her or his password, or
from writing it down.
- If you plan to administer the site from this system, add the
Solaris packages for the Solaris Management Console.
Trusted Extensions uses the Solaris Management Console to administer the network. If your
system was installed with the End User group or a smaller group, the
system does not have the packages for the Solaris Management Console.
- If you have created an xorg.conf file, you need to modify it.
Add the following line to the end of the Module section in the
Note - By default, the xorg.conf file does not exist. Do nothing if this file
does not exist.
- If you plan to clone zones, create a partition for the ZFS
To decide on your zone creation method, see Planning for Zones in Trusted Extensions.
- If you plan to install labeled zones on this system, check that your
partitions have sufficient disk space for zones.
Most systems that are configured with Trusted Extensions install labeled zones. Labeled zones can
require more disk space than the installed system has set aside.
However, some Trusted Extensions systems do not require that labeled zones be installed.
For example, a multilevel printing server, a multilevel LDAP server, or a multilevel
LDAP proxy server do not require labeled zones to be installed. These systems
might not need the extra disk space.
- (Optional) Add extra swap space for roles.
Roles administer Trusted Extensions. Consider adding extra swap for role processes.
- (Optional) Dedicate a partition for audit files.
Trusted Extensions enables auditing by default. For audit files, best practice is to
create a dedicated partition.
- (Optional) To run a hardened configuration, run the netservices limited command before you enable Trusted Extensions.
# netservices limited