Solaris Trusted Extensions Administrator's Procedures

Procedure: Populate the Sun Java System Directory Server

Several LDAP databases have been created or modified to hold Trusted Extensions data about label configuration, users, and remote systems. In this procedure, you populate the Directory Server databases with Trusted Extensions information.

Before You Begin

If site security requires separation of duty, complete that configuration before you populate the Directory Server.

  1. Create a staging area for files that you plan to use to populate the naming service databases.


    # mkdir -p /setup/files
    
  2. Copy the sample /etc files into the staging area. Include hosts, because Step 9 loads /setup/files/hosts.


    # cd /etc
    # cp aliases group networks netmasks protocols /setup/files
    # cp rpc services auto_master /setup/files
    
    # cd /etc/security
    # cp auth_attr prof_attr exec_attr /setup/files
    
    # cd /etc/security/tsol
    # cp tnrhdb tnrhtp /setup/files
    
    # cd /etc/inet
    # cp hosts ipnodes /setup/files
    
  3. Remove the +auto_master entry from the /setup/files/auto_master file.

  4. Remove the ?:::::? entry from the /setup/files/auth_attr file.

  5. Remove the :::: entry from the /setup/files/prof_attr file.

  6. Create the zone automaps in the staging area.

    In the following list of automaps, the first of each pair of lines shows the name of the file. The second line of each pair shows the file contents. The zone names identify labels from the default label_encodings file that is included with the Trusted Extensions software.

    • Substitute your zone names for the zone names in these lines.

    • myNFSserver_FQDN stands for the fully qualified host name of the NFS server that exports the home directories. Substitute your server's name.


    /setup/files/auto_home_public
     * myNFSserver_FQDN:/zone/public/root/export/home/&
    
    /setup/files/auto_home_internal
     * myNFSserver_FQDN:/zone/internal/root/export/home/&
    
    /setup/files/auto_home_needtoknow
     * myNFSserver_FQDN:/zone/needtoknow/root/export/home/&
    
    /setup/files/auto_home_restricted
     * myNFSserver_FQDN:/zone/restricted/root/export/home/&

  7. Add every system on the network to the /setup/files/tnrhdb file.

    No wildcard mechanism can be used here. The IP address of every system to be contacted, including the IP addresses of labeled zones, must be in this file.

    1. Open the trusted editor and edit /setup/files/tnrhdb.

    2. Add every IP address on a labeled system in the Trusted Extensions domain.

      Labeled systems are of type cipso. Also, the name of the security template for labeled systems is cipso. Therefore, in the default configuration, a cipso entry is similar to the following:


      192.168.25.2:cipso

      Note –

      This list includes the IP addresses of global zones and labeled zones.


    3. Add every unlabeled system with which the domain can communicate.

      Unlabeled systems are of type unlabeled. The name of the security template for unlabeled systems is admin_low. Therefore, in the default configuration, an entry for an unlabeled system is similar to the following:


      192.168.35.2:admin_low
    4. Save the file, and exit the editor.

    5. Check the syntax of the file.


      # tnchkdb -h /setup/files/tnrhdb
      
    6. Fix any errors before continuing. tnchkdb checks syntax only; it cannot tell whether a system was left out or was given the wrong template, so also compare the file against your list of systems.

  8. Copy the /setup/files/tnrhdb file to the /etc/security/tsol/tnrhdb file.

  9. Use the ldapaddent command to load every file in the staging area into the Directory Server. The example loads the hosts database; run the same command for each staged file, passing the file's base name (group, tnrhdb, auto_home_public, and so on) as the database argument. The password given with -w is a sample. On a production system omit -w so that ldapaddent prompts for the bind password instead of leaving it in the process table and the shell history, and remember that a simple bind sends the password in clear text unless the connection is protected by TLS.


    # /usr/sbin/ldapaddent -D "cn=directory manager" \
    -w dirmgr123 -a simple -f /setup/files/hosts hosts
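The following script is an added example, not code from the Sun manual. It performs the staging steps (1 to 5), a pre-check of tnrhdb against the templates in tnrhtp that complements tnchkdb (step 7), and the ldapaddent loop of step 9 for every staged file. The source and staging roots are function parameters so the script can be tried on a constructed tree; the LDAPADDENT variable, the bind DN and every sample line in make_sample are assumptions, and the tnrhtp fields shown are illustrative since only the template name before the colon matters to the check.

```shell
#!/bin/sh
# Added example, not code from the Sun manual: scripts the staging, checking
# and loading steps of this procedure. Source and staging roots are parameters
# so it can be tried on constructed files; LDAPADDENT and the sample data are assumptions.

# strip_line FILE TEXT: delete the lines of FILE that are exactly TEXT
# (steps 3 to 5). grep -v exits 1 when nothing is left, which is fine here.
strip_line() {
    grep -v -x -F -- "$2" "$1" > "$1.tmp" || :
    mv "$1.tmp" "$1"
}

# stage_files SRC DEST: steps 1 to 5. SRC is normally / and DEST /setup/files.
# hosts is staged as well, because step 9 loads /setup/files/hosts.
stage_files() {
    src=$1 dest=$2
    mkdir -p "$dest"
    for f in etc/aliases etc/group etc/networks etc/netmasks etc/protocols \
             etc/rpc etc/services etc/auto_master etc/security/auth_attr \
             etc/security/prof_attr etc/security/exec_attr \
             etc/security/tsol/tnrhdb etc/security/tsol/tnrhtp \
             etc/inet/hosts etc/inet/ipnodes; do
        if [ -f "$src/$f" ]; then cp "$src/$f" "$dest/"; fi
    done
    [ -f "$dest/auto_master" ] && strip_line "$dest/auto_master" '+auto_master'
    [ -f "$dest/auth_attr" ]   && strip_line "$dest/auth_attr"   '?:::::?'
    [ -f "$dest/prof_attr" ]   && strip_line "$dest/prof_attr"   '::::'
    return 0
}

# is_ipv4 ADDR: a dotted quad with four octets in 0..255. The procedure wants
# one address per system and no wildcards, so prefixes such as 10.0.0.0/8 fail.
is_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    octets=0 saved_ifs=$IFS
    IFS=.
    for o in $1; do
        octets=$((octets + 1))
        if [ "$o" -gt 255 ]; then IFS=$saved_ifs; return 1; fi
    done
    IFS=$saved_ifs
    [ "$octets" -eq 4 ]
}

# check_tnrhdb TNRHDB TNRHTP: pre-check for step 7. Each entry must be
# ADDRESS:TEMPLATE, the template must exist in tnrhtp (the name before the first
# colon of each line), and no address may appear twice. Returns the bad-line count.
check_tnrhdb() {
    db=$1 tp=$2 bad=0 seen=' '
    templates=" $(sed -e 's/#.*//' -e 's/:.*//' -e '/^[[:space:]]*$/d' "$tp" | tr '\n' ' ')"
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        addr=${line%%:*} tmpl=${line#*:}
        if [ "$tmpl" = "$line" ]; then
            printf 'missing template: %s\n' "$line"; bad=$((bad + 1))
        elif ! is_ipv4 "$addr"; then
            printf 'bad address: %s\n' "$line"; bad=$((bad + 1))
        elif [ "${templates#* $tmpl }" = "$templates" ]; then
            printf 'unknown template: %s\n' "$line"; bad=$((bad + 1))
        elif [ "${seen#* $addr }" != "$seen" ]; then
            printf 'duplicate address: %s\n' "$line"; bad=$((bad + 1))
        fi
        seen="$seen$addr "
    done < "$db"
    return "$bad"
}

# load_staging DEST BINDDN: step 9 for every staged file; the database name
# ldapaddent takes is the file's base name. -w is left out on purpose so that
# ldapaddent prompts for the password (keeps it out of ps and the history).
load_staging() {
    dest=$1 binddn=$2
    for f in "$dest"/*; do
        [ -f "$f" ] || continue
        "${LDAPADDENT:-/usr/sbin/ldapaddent}" -D "$binddn" -a simple -f "$f" "${f##*/}"
    done
    return 0
}

# make_sample DIR: constructed source tree for a dry run (not real site data);
# the tnrhtp fields are illustrative, only the template names matter here.
make_sample() {
    mkdir -p "$1/etc/security/tsol" "$1/etc/inet"
    printf '+auto_master\n/net -hosts -nosuid,nobrowse\n' > "$1/etc/auto_master"
    printf 'solaris.:::All Solaris Authorizations::\n?:::::?\n' > "$1/etc/security/auth_attr"
    printf 'All:::Execute any command:\n::::\n' > "$1/etc/security/prof_attr"
    printf '192.168.25.2:cipso\n192.168.35.2:admin_low\n' > "$1/etc/security/tsol/tnrhdb"
    printf 'cipso:host_type=cipso;doi=1;\nadmin_low:host_type=unlabeled;doi=1;\n' > "$1/etc/security/tsol/tnrhtp"
    printf '127.0.0.1 localhost\n' > "$1/etc/inet/hosts"
}

if [ "${1:-}" = demo ]; then    # sh thisfile demo: dry run on the sample tree
    d=$(mktemp -d); make_sample "$d/src"; stage_files "$d/src" "$d/files"
    check_tnrhdb "$d/files/tnrhdb" "$d/files/tnrhtp"
    LDAPADDENT=echo; load_staging "$d/files" 'cn=directory manager'
fi
```

Run `sh thisfile demo` to see the stripped files, the tnrhdb check and the ldapaddent command lines printed instead of executed. On a real system, call stage_files / /setup/files, fix whatever check_tnrhdb and tnchkdb report, copy the checked tnrhdb into /etc/security/tsol (step 8), and only then call load_staging with the real bind DN so that the Directory Server never receives an entry that the local check rejected.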