Trusted Solaris Installation and Configuration

Chapter 3 Installing the Trusted Solaris Operating Environment

This chapter describes Trusted Solaris exceptions to the Solaris installation procedures and recommendations. It also describes Trusted Solaris requirements that are optional in a Solaris environment. For example, an evaluated configuration must collect auditing records. The partitions for those audit records are created during installation.


Note -

If you are planning to use data from Trusted Solaris 7 or Trusted Solaris 2.5.1 databases on your new Trusted Solaris 8 4/01 system, do not start installing. Follow the instructions in "Backing Up the System" before you install the Trusted Solaris 8 or Trusted Solaris 8 4/01 release.


Install Team Responsibilities

Trusted Solaris software is designed to be installed and configured by two people with distinct responsibilities. However, the installation program does not enforce two-role task division. Task division is enforced by users who can assume Trusted Solaris roles. Since roles and users are not created until after installation, we recommend that an install team of at least two persons be present during the installation of a system.

During Trusted Solaris installation, the team should:

Differences from the Solaris 8 Installation Program

In the Trusted Solaris 8 4/01 release, upgrade and patch analysis are not supported. Trusted Solaris software supports fewer locales than does Solaris software.

Recommendations for the Trusted Solaris Environment

On all systems, for audit records...

-- Create at least one audit partition named /etc/security/audit/system_name.

On a system that will run the Solaris Management Console to administer the site...

-- Provide at least 256 MBytes of memory. Provide swap space. Install the Developer or Entire cluster. Do not install the End User cluster.

On all systems, for users who can assume a role...

-- Create sufficient swap space. Swap space that is double the size of the system's memory is a good rule of thumb.

On a system that will be the home directory server...

-- Create an /export/home partition large enough for the users' home directories.

On a system that will not be a home directory server...

-- Create a small /export partition to hold some temporary configuration files. It also serves as a mount point.

Shutting Down the System to be Installed

For basic information on installation, see the Solaris 8 Start Here booklet and the platform-specific books described in "Installation Guides".

Shut Down a Trusted Solaris System

Trusted Solaris systems are shut down differently from Solaris systems.

  1. Click the right mouse button over the middle of the Front Panel and select Shut Down from the TP (Trusted Path) menu.

  2. If the screen displays the > prompt, type n and press Return to display the ok prompt.

    On a SPARC system, if the PROM is protected, type login and, when prompted, the root password.

Installing From a CD-ROM

See your hardware manual, such as the Solaris 8 Sun Hardware Platform Guide for full instructions. The following are examples.

Insert the First Trusted Solaris 8 4/01 CD and Boot

Installing the first two systems requires both Trusted Solaris 8 4/01 installation CDs. The following are examples of booting from a CD on a SPARC and on an Intel machine.

  1. Insert the first of two (2) Trusted Solaris 8 4/01 Installation CDs and type the boot command.


    Example 3-1 SPARC: Typical Boot Command


    boot cdrom
    

    For more detail, see the Solaris 8 (SPARC Platform Edition) Installation Guide.



Example 3-2 IA: Typical Boot Procedure

  1. Do one of the following:

    • OPTION 1: Enable the system to boot from a CD by using the system's BIOS setup tool.

    • OPTION 2: Insert the provided floppy, then insert the first CD.

  2. For more detail, see the Solaris 8 (Intel Platform Edition) Installation Guide. Keep in mind that Solaris Web Start and upgrade are not supported, and that you are using Trusted Solaris CDs, not Solaris CDs.


Read Booting Messages

After you type the boot command, the system goes through a booting phase where hardware and system components are checked. The following screen provides an example of what you see. You may have to answer a language and a locale question.


Type b (boot), c (continue), or n (new command mode)
>n
Type help for more information
ok boot cdrom
Rebooting with command: boot cdrom
Boot device: /pci@1f,0/pci@1,1/ide@3/cdrom@2,0:f    File and args:
SunOS Release 5.8 Version Trusted_Solaris_8 64-bit
Copyright 1983-2001, Sun Microsystems, Inc. All rights reserved.
Configuring /dev and /devices
Skipping interface hme0
Select a Language
Please make a choice (0-9): 0
Select a Locale
Please make a choice (0-47) or press ? or help: 45
Starting OpenWindows...

The booting phase will last for a few minutes. Then a Welcome to Trusted Solaris screen briefly appears, then the screen turns blue-gray and a Solaris Install Console is displayed in the upper left corner. Messages display in the Install Console during installation.

The Trusted Solaris installation program is running.

Answer Installation Questions

If you are installing from CD-ROM, the program guides you step by step through installing Trusted Solaris software. Online help is also available.

    Use "Root NIS+ Master Installation Program Example" for guidance in answering the questions the first time that you install. In particular, note the following:

    • When asked whether to use DHCP (Dynamic Host Configuration Protocol), choose No, unless you have a reason to select it.

    • When installing the name service master, choose None when asked for the name service. The name service domain is configured after installing the first system.

    • Implement the "Recommendations for the Trusted Solaris Environment" during installation.

    For screenshots of the installation program questions, see "Using the Solaris 8 Interactive Installation Program" in Solaris 8 Advanced Installation Guide.

Enter a root Password

Users must not disclose their passwords to another person, as that person may then have access to the data of the user and will not be uniquely identified or accountable. Note that disclosure can be direct, through the user deliberately disclosing her/his password to another person, or indirect, for example, through writing it down, or choosing an insecure password. The Trusted Solaris software provides protection against insecure passwords, but cannot prevent a user disclosing her/his password or writing it down.


Caution -

A Trusted Solaris system must have a root password in order for the root role to work. The root role is required for successful configuration.


  1. Choose a root password by answering the password prompts.


    Root password: rootpassword
    Re-enter your root password: rootpassword
    


    Caution -

    Do not forget the root password. The software cannot be configured without it.


    System identification is completed.

  2. When asked if you want the system to automatically shut down after 30 minutes of idle time, type y or n.

    The Web Start Launcher starts in command-line mode.

Insert the Second Trusted Solaris 8 4/01 CD

The second CD installs packages only; it does not contain installation questions.

  1. When prompted, type 1 to continue installing using a CD.


    Note -

    The prompts are misleading. The installation program asks for Solaris 8 CD-ROM #2. You should insert Trusted Solaris 8 4/01 CD-ROM #2.


  2. Insert the second Trusted Solaris 8 4/01 installation CD.

    Upon insertion, the program reports that the CD is a Solaris 8 CD-ROM. If you inserted a CD-ROM with the Trusted Solaris 8 4/01 Installation CD label, you inserted the correct CD.


    Note -

    The screen may display overwriting for the second CD. However, the packages are installing.


  3. Answer yes to installing the software.

    Package installation is displayed in 25% increments:


    Installing Solaris Software 2
    |-1%-----25%-----50%-----75%-----100%

  4. Type 1 or 2 when prompted.

  5. Remove the CD and press Return.

  6. If you manually reboot your system, type:


    # halt
    ok boot disk
    

Read the Log

Before reboot, the install log is in the file /tmp/install_log. After reboot, the install log is in the file /var/sadm/system/logs/install_log.

    Read the install log and check for successful package installation.
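As an added example (not part of this manual or of the Trusted Solaris software), the following shell script scans the install log named above for packages that did not install, and checks two of the "Recommendations for the Trusted Solaris Environment": the audit partition under /etc/security/audit/system_name and the swap rule of thumb. The pkgadd message wording and the /etc/mnttab column layout are assumptions, and the log and mount-table contents are constructed sample data.

```shell
#!/bin/sh
# Post-install checks for this chapter's recommendations and log review (added example,
# not part of the Trusted Solaris documentation). Assumes pkgadd's log wording
# "Installation of <PKG> was successful." / "... failed." and /etc/mnttab's
# whitespace-separated layout (device, mount point, type, options, time).
# count_failed_pkgs LOG: print how many packages failed or partially failed.
count_failed_pkgs() {
    grep -c 'Installation of <[^>]*> \(partially \)*failed' "$1" || true
}

# list_failed_pkgs LOG: print the names of the packages that did not install cleanly.
list_failed_pkgs() {
    sed -n 's/^Installation of <\([^>]*\)> \(partially \)*failed.*/\1/p' "$1"
}

# check_swap MEM_KB SWAP_KB: succeed when swap is at least double memory, the
# rule of thumb given for systems whose users assume roles.
check_swap() {
    [ "$2" -ge $(( $1 * 2 )) ]
}

# check_audit_partition MNTTAB HOSTNAME: succeed when a separate file system is
# mounted at /etc/security/audit/HOSTNAME, as the audit-record recommendation requires.
check_audit_partition() {
    awk -v mp="/etc/security/audit/$2" '$2 == mp { found = 1 } END { exit !found }' "$1"
}

# Constructed sample data standing in for /var/sadm/system/logs/install_log and
# /etc/mnttab; the EXAMPLEpkg* names are made up, SUNWcsr/SUNWcsu are real core packages.
WORK=$(mktemp -d)
SAMPLE_LOG="$WORK/install_log"
SAMPLE_MNTTAB="$WORK/mnttab"
cat >"$SAMPLE_LOG" <<'EOF'
Installation of <SUNWcsr> was successful.
Installation of <SUNWcsu> was successful.
Installation of <EXAMPLEpkgA> failed.
Installation of <EXAMPLEpkgB> partially failed.
EOF
cat >"$SAMPLE_MNTTAB" <<'EOF'
/dev/dsk/c0t0d0s0 / ufs rw,intr,largefiles 987654321
/dev/dsk/c0t0d0s3 /export ufs rw,intr,largefiles 987654321
/dev/dsk/c0t0d0s4 /etc/security/audit/tshost ufs rw,intr,largefiles 987654321
EOF
main() {
    echo "packages that failed: $(count_failed_pkgs "$SAMPLE_LOG")"
    list_failed_pkgs "$SAMPLE_LOG"
    check_swap 262144 524288 && echo "swap: at least double memory"
    check_audit_partition "$SAMPLE_MNTTAB" tshost && echo "audit partition: mounted"
}
main "$@"
```

On a real system, point the functions at /var/sadm/system/logs/install_log and /etc/mnttab instead of the constructed files, and take the memory and swap sizes from prtconf and swap -l.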

Configure the Trusted Solaris System

Finish system setup by configuring the system. To work properly, a Trusted Solaris system requires machine, label, and network configuration after installation.

    To configure the system, follow the instructions for the system you are installing:

    A system that will be administered through its local files only

    "No Name Service Configuration Tasks"

    A system that will be the master server for a name service domain

    "Name Service Master Configuration Tasks"

    A system that will be a client on the name service domain

    "Client Configuration Tasks"

Troubleshooting

Errors you encounter during installation are described and debugged in the Troubleshooting section of the Solaris 8 Advanced Installation Guide (see http://docs.sun.com/ab2/coll.241.7/SPARCINSTALL).

Installing Over the Network

The admin role is in charge of installing over a network. The secadmin role is called upon to modify or set up files or profiles to enable the admin role to complete software installation.

Boot Over the Network or with Custom Files

Prerequisite: The network and/or custom files are correctly set up.

See the Solaris 8 Advanced Installation Guide, 806-0957-10, which describes network installations. The Solaris network installation procedures apply to Trusted Solaris network installations, with the Trusted Solaris security protections described in "Trusted Solaris Modifications to Network Installation" and "Setting Up Custom JumpStart Installation".

  1. Boot using the appropriate boot command on the system being installed.


    Example 3-3 SPARC: Boot command for a network installation


    boot net
    


    Example 3-4 SPARC: Boot command for a custom JumpStart installation


    boot net - install
    

    A space is required between the minus sign and install.

    After you type the boot command, the system checks hardware and system components, then connects with the install server. The following screen provides an example of what you see.


    Rebooting with command: boot net - install
    Boot device: /pci@1f,0/pci@1,1/ide@3/network@1,1      File and args:
    SunOS Release 5.8 Version Trusted_Solaris_8 64-bit
    Copyright 1983-2001, Sun Microsystems, Inc. All rights reserved.
    Configuring /dev and /devices
    Using RPC Bootparams for network configuration information.
    Configured interface hme0
    Using sysid configuration file 
    192.168.114.1:/export/install/jumpstart/sysidcfg/siysidcfg
    Starting OpenWindows...


  2. Answer any prompts that appear.

    For JumpStart installations--If you have set them up correctly, you are not prompted for information.

    For network installations--If you have set them up correctly, you are prompted for disk partitioning and other information after system identification is completed.

Finish Configuring Systems Installed Over the Network

    Complete Trusted Solaris configuration.

    For JumpStart installations--You must connect the client to the domain and initialize SMC, as described in "Connecting to the Name Server".

    For network installations--You must do the procedures in "Client Configuration Tasks", except you do not have to add the client to the domain.