Solaris Trusted Extensions Administrator's Procedures

Procedure: Configure the Domain of Interpretation

All communications to and from a system that is configured with Trusted Extensions must follow the labeling rules of a single CIPSO Domain of Interpretation (DOI). The DOI that is used in each message is identified by an integer number in the CIPSO IP Option header. By default, the DOI in Trusted Extensions is 1.

If your DOI is not 1, you must add an entry to the /etc/system file and modify the doi value in the default security templates.

  1. Type your DOI entry into the /etc/system file:


    set default_doi = n
    

    This positive, non-zero number must match the DOI number in the tnrhtp database for your node and for the systems that your node communicates with. The /etc/system file is read at boot, so the new default_doi value takes effect on the next reboot.

  2. Before adding the tnrhtp database to your LDAP server, modify the doi value in the default entries and all entries for local addresses.

    Trusted Extensions provides two templates in the tnrhtp database, cipso and admin_low. If you have added entries for local addresses, also modify these entries.

    1. Open the tnrhtp database in the trusted editor.


      # /usr/dt/bin/trusted_edit /etc/security/tsol/tnrhtp
      
    2. Copy the cipso template entry to another line.


      cipso:host_type=cipso;doi=1;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH
      cipso:host_type=cipso;doi=1;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH
    3. Comment out one of the cipso entries.


      #cipso:host_type=cipso;doi=1;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH
      cipso:host_type=cipso;doi=1;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH
    4. Modify the doi value in the uncommented cipso entry.

      Make this value the same as the default_doi value in the /etc/system file.


      #cipso:host_type=cipso;doi=1;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH
      cipso:host_type=cipso;doi=n;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH
    5. Change the doi value for the admin_low entry.


      #admin_low:host_type=unlabeled;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;doi=1;def_label=ADMIN_LOW
      admin_low:host_type=unlabeled;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;doi=n;def_label=ADMIN_LOW

    You are finished when every doi value in every entry in the tnrhtp database is the same.
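As an added example (this script is not part of the Solaris documentation), the following POSIX shell functions perform the consistency check that the last sentence describes: they read default_doi from a file in /etc/system format, extract the doi attribute from every uncommented tnrhtp template, and report any template whose doi differs. They also reject a default_doi that is not a positive, non-zero integer. The file paths and sample contents in the demonstration are constructed; on a real host run the functions against /etc/system and /etc/security/tsol/tnrhtp.

```shell
#!/bin/sh
# Added example: check that the DOI in /etc/system and every tnrhtp template agree.
# Paths and file contents used in the demonstration below are constructed.

# Print the value of the last uncommented "set default_doi = n" line in a file
# that uses /etc/system syntax (comment lines start with '*'). Prints nothing
# when no such line exists, which means the kernel default of 1 applies.
system_doi() {
    awk '/^[ \t]*set[ \t]+default_doi[ \t]*=/ {
             sub(/.*=[ \t]*/, ""); sub(/[^0-9].*/, ""); doi = $0 }
         END { if (doi != "") print doi }' "$1"
}

# Print "template doi" for every uncommented, non-empty tnrhtp entry.
# Entries have the form name:attr=value;attr=value;... and a template that
# carries no doi attribute is reported as MISSING.
tnrhtp_dois() {
    awk -F: '/^[ \t]*#/ || /^[ \t]*$/ { next }
             { n = split($2, kv, ";"); doi = "MISSING"
               for (i = 1; i <= n; i++) if (kv[i] ~ /^doi=/) doi = substr(kv[i], 5)
               print $1, doi }' "$1"
}

# check_doi SYSTEM_FILE TNRHTP_FILE
# Returns 0 when every template uses the DOI that /etc/system sets (or 1 when
# /etc/system sets none), 1 otherwise, listing each mismatch on stderr.
check_doi() {
    expected=$(system_doi "$1")
    expected=${expected:-1}
    case $expected in
        *[!0-9]*|0*)
            printf 'BAD: default_doi must be a positive non-zero integer, got "%s"\n' \
                "$expected" >&2
            return 1 ;;
    esac
    mismatches=$(tnrhtp_dois "$2" | awk -v want="$expected" '$2 != want { print }')
    if [ -n "$mismatches" ]; then
        printf '%s\n' "$mismatches" | while read -r name doi; do
            printf 'MISMATCH: template %s has doi=%s but default_doi is %s\n' \
                "$name" "$doi" "$expected" >&2
        done
        return 1
    fi
    return 0
}

# Demonstration on constructed files: the cipso template was updated to the
# new DOI but admin_low still carries the shipped value of 1.
demo_dir=$(mktemp -d)
cat > "$demo_dir/system" <<'EOF'
* constructed /etc/system fragment
set default_doi = 5
EOF
cat > "$demo_dir/tnrhtp" <<'EOF'
#cipso:host_type=cipso;doi=1;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH
cipso:host_type=cipso;doi=5;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH
admin_low:host_type=unlabeled;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;doi=1;def_label=ADMIN_LOW
EOF
if check_doi "$demo_dir/system" "$demo_dir/tnrhtp"; then
    echo "DOI configuration is consistent"
else
    echo "fix the templates above before the next reboot"
fi
rm -rf "$demo_dir"
```

Run the check after editing the templates and again before copying the tnrhtp database to LDAP; a mismatch found here is the same one that otherwise surfaces as an interface configuration failure on the console at boot.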

Troubleshooting

If the /etc/system file sets a default_doi value other than 1, and a security template for this system sets a value that does not match this default_doi value, then messages similar to the following are displayed on the system console during interface configuration:

Interface configuration failure can result in login failure:

To correct the problem, boot the system into single-user mode and correct the security templates as described in this procedure.

See Also

For more information about the DOI, see Network Security Attributes in Trusted Extensions.

To change the doi value in the security templates that you create, see How to Construct a Remote Host Template.

To use the editor of your choice as the trusted editor, see How to Assign the Editor of Your Choice as the Trusted Editor.