A host that is administered using local files instead of a name service is configured much like a NIS+ root master, except that /etc files are used for administration rather than NIS+ tables.
Other setup tasks, such as protecting file systems, handling mail, and setting up printing, are covered in Trusted Solaris Administrator's Procedures.
If you are configuring the workstation to satisfy criteria for an evaluated configuration, please read "Understand Your Site's Security Policy".
Depending on how you set up the workstation, some procedures can be omitted.
Log on to the workstation as the user install.
See "How to Log In" if you have not logged in before.
Assume the root role.
See "How to Assume a Role" if you have not assumed a role before.
You are in a new workspace named root, designed for the root role. The session label is still ADMIN_LOW, but the root role has more powers than the user install.
Launch a terminal.
See "How to Launch a Terminal" if you are unfamiliar with launching a terminal in the Solaris or Trusted Solaris environment. The terminal contains a profile shell that is specific to the root role.
Protect the PROM or the BIOS.
See "How to Protect Machine Hardware" if you are unfamiliar with the steps.
The Trusted Solaris label_encodings(4) file has been checked and is installed. Note that it must be compatible with any Trusted Solaris host with which you are communicating.
The default label_encodings file is useful for demos, but it is not a good choice for use by a customer site. However, if you plan to use it, you can skip this step.
If you are familiar with label encodings files, you can use the following procedure. However, if you are not familiar with label encodings files, read the requirements and follow the procedures in Trusted Solaris Label Administration.
Follow the procedure in "How to Install a Label Encodings File".
You must successfully complete this step before continuing or the installation will fail.
Follow the procedure "To Initialize the SMC Server".
Perform these tasks only if the security administrator has planned for an open network, you do not plan to use dynamic routing (the default), and you plan to access other workstations without using a name service.
To set up static routing, complete one of the following procedures: "To Set Up Simple Static Routing" or "To Set Up Complex Static Routing".
If your workstation is going to use DNS, click the Set DNS Servers action in the System_Admin folder and enter the nameservers.
For a detailed list of steps, see "Set Up DNS", except do not edit the nsswitch.conf file.
If your workstation is going to contact other hosts, enter them in the /etc/hosts file.
Follow the procedure "How to Add Hosts".
If this host is going to contact unlabeled hosts, the tnrhtp database must have an appropriate unlabeled template for those unlabeled hosts. See "How to Add a Remote Host Template" for the explanation and procedure.
Follow the procedure "How to Assign a Remote Host Template".
Assign a remote host template to every host or network that this machine may contact. Include every host in the /etc/hosts file.
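One way to check that every host in /etc/hosts has a template assignment is sketched below. This is an added example, not part of the original guide. It assumes that assignments are kept in a tnrhdb file (assumed to be /etc/security/tsol/tnrhdb) with lines of the form IP_address:template_name, and that lookups fall back from the host address to entries with trailing zero octets and then to 0.0.0.0. The function names, host names and template names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original guide.
# tnrh_coverage HOSTS_FILE TNRHDB_FILE
# Prints "IP how" for each IPv4 entry in HOSTS_FILE, where how is
# host=<template>, network=<template>, wildcard=<template>, or NONE.
# Assumptions: tnrhdb lines look like IP_address:template_name, and a
# lookup falls back from the host address to entries with trailing zero
# octets, then to 0.0.0.0.
tnrh_coverage() {
    awk -v db="$2" '
    BEGIN {
        # Load the template assignments, ignoring comments and blanks.
        while ((getline line < db) > 0) {
            sub(/#.*/, "", line); gsub(/[ \t]/, "", line)
            if (split(line, f, ":") >= 2 && f[1] != "") tmpl[f[1]] = f[2]
        }
    }
    {
        sub(/#.*/, "")
        if ($1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next  # blank or non-IPv4
        ip = $1; split(ip, o, ".")
        cand[1] = ip;                          kind[1] = "host"
        cand[2] = o[1] "." o[2] "." o[3] ".0"; kind[2] = "network"
        cand[3] = o[1] "." o[2] ".0.0";        kind[3] = "network"
        cand[4] = o[1] ".0.0.0";               kind[4] = "network"
        cand[5] = "0.0.0.0";                   kind[5] = "wildcard"
        how = "NONE"
        for (i = 1; i <= 5; i++)
            if (cand[i] in tmpl) { how = kind[i] "=" tmpl[cand[i]]; break }
        print ip, how
    }' "$1"
}

# Constructed sample data; host names and template names are hypothetical.
tnrh_demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '127.0.0.1 localhost' '192.168.5.10 fileserv # NFS' \
        '192.168.9.20 printhost' '10.1.2.3 legacy' > "$d/hosts"
    printf '%s\n' '# constructed' '127.0.0.1:site_labeled' \
        '192.168.5.0:site_labeled' '10.0.0.0:site_unlabeled' > "$d/tnrhdb"
    tnrh_coverage "$d/hosts" "$d/tnrhdb"
    rm -rf "$d"
}
tnrh_demo
```

Hosts reported as NONE have no assignment at all, and hosts reported as wildcard are covered only by the catch-all entry, so both are worth reviewing against the site's security policy.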
The administrative roles must be created before the users are created.
Follow the steps in "How to Create Administrative Roles".
The install team in the root role creates at least two users, to assume the roles secadmin and admin. It is also useful to create one or two users to assume the primaryadmin and oper roles. Where site security permits, a user can be assigned more than one administrative role.
Prerequisite: The secadmin and admin administrative roles have been created.
Still in the root role, follow the steps in "To Create a User", and select the this_host: Scope=Files, Policy=TSOL toolbox.
This step is required only if you have set up static routing or DNS.
Shut down the workstation from the TP (Trusted Path) menu, as described in "To Reboot the Workstation".
Log in as a user, assume an administrative role, and test the role for effectiveness.
Using the this_host: Scope=Files, Policy=TSOL toolbox, follow the procedures in "How to Verify that Users and Roles Work" to ensure that every role is working.
Perform this task only if the security administrator has planned for an open network, and you plan to access a file server without using a name service.
Use the SMC Mounts tool to mount the file system, as described in "How to Mount a File System".
Perform this task only if others are permitted to access directories on this workstation.
To share file systems that other workstations may access, use the SMC Shares tool as described in "How to Share a File System".
The user install is useful for installing and initially configuring a workstation. Where site security requires, remove the user.
See "How to Delete a Local User" if you have not deleted a local user in the Trusted Solaris system before.