Trusted Solaris Installation and Configuration

Chapter 4 Configuring a System with No Name Service

This chapter covers how to configure a system without a name service. Administration is through local files.


Note -

Installation and configuration commands and actions are limited to particular roles and particular labels. Read each task for the administrative role that can perform it, and the label required.


Who Does What

Trusted Solaris software is designed to be installed and configured by an install team. Once the team has created users who can assume Trusted Solaris roles, and has rebooted the computer, the software enforces task division by role. If two-person installation is not a site security requirement, you can assign the administrative roles to one person.

No Name Service Configuration Tasks

A system that is administered using local files instead of a name service is configured much like a name server, except that only local files are used for administration rather than name service tables or maps.

If you are configuring the system to satisfy criteria for an evaluated configuration, read "Understanding Your Site's Security Policy" before continuing.

| Task | Description |
|------|-------------|
| Initial Configuration -- from "Logging In and Launching a Terminal" through "Initializing the Solaris Management Console" | Covers how to protect the hardware, set up the labels, and initialize the administration tools. |
| "(Optional) Configuring Routing" | Covers how to set up static routing. |
| "Configuring Network Files" | Covers how to specify all hosts that can communicate with the system. |
| "Creating Roles and Users" | Covers how to create administrative roles and the users who can assume those roles. |
| "Verifying That Roles Work" | Covers how to test that the roles are effective. |
| "Finishing Up Configuration" | Covers how to share and mount file systems, and how to delete the install user. Points you to auditing and further setup information. |

Logging In and Launching a Terminal

At most sites, two or more administrators, an install team, are present when configuring the system. "You", in the following procedures, refers to the install team.

Log In

The predefined user install logs in immediately after installation to configure the system.

  1. Enter install as the user name and press the Return key.

    The Password dialog box is displayed.

  2. Enter install for the password.

    The Enable Logins dialog offers four choices, as shown in the following figure:

    Figure 4-1 The Enable Logins Dialog Box


  3. Depending on site security requirements, enter 1 or 2, then click OK.

    The Message Of the Day (MOTD) dialog box is displayed; the label is ADMIN_LOW.

  4. Click OK to dismiss the MOTD dialog box.

    The Trusted Solaris screen appears briefly. Then you are in a CDE workspace, as shown in Figure 4-2. The trusted stripe below the front panel shows the window sensitivity label.


    Note -

    The install team must log off or utilize the lockscreen functionality before leaving a system unattended. Otherwise a person may have access to the system without having to pass identification and authentication, and that person would not be uniquely identified or accountable.


Assume the root Role

An administrative role configures the system. However, a role cannot log in. Users log in, and then assume one or more of their assigned roles. The root role has been pre-assigned to the user install.

  1. Right click on the middle of the Front Panel.

  2. Select Assume root Role from the TP (Trusted Path) menu.

    Figure 4-2 A Trusted Solaris User Workspace


    After initial installation from a CD-ROM, only the root role will be displayed on the TP menu, since no other roles have been created.

  3. At the password prompt, enter the password for the root role.

    The password for the root role is the password that the install team entered for root when prompted during the installation program.

Launch a Terminal

    Right-click on the screen background and select Tools -> Terminal from the Workspace Menu.

    The terminal's Options menu enables you to customize the appearance of the terminal. Customizations for the install user are not saved.

Protecting the Machine

For more information on PROM values that you can set, see OpenBoot 2.x Command Reference Manual or OpenBoot 3.x Command Reference Manual.

SPARC: Protect Machine Hardware

    In the terminal, enter the PROM security mode.


    # eeprom security-mode=command
    
    Changing PROM password:
    	New password: password
    	Retype new password: password
    

    Choose the value command or full. See the eeprom(1M) man page for more details.

    If you are not prompted to enter a PROM password, the system already has a PROM password. To change the PROM password, enter the following command and press Return:


    # eeprom security-password=
    Changing PROM password:
    New password: password
    Retype new password: password
    

    The new PROM security mode and password are in effect immediately, but are most likely to be noticed at the next boot.


    Caution -

    Do not forget this password. The hardware is unusable without it.


IA: Protect the BIOS

On Intel architecture, the equivalent to protecting the PROM is to protect the BIOS.

    Refer to your machine's manuals for how to protect the BIOS.

Setting Up Labels


Note -

The default label_encodings file is useful for demos, but it is not a good choice for use by a customer site. However, if you plan to use it, you can skip this step.


The Trusted Solaris label_encodings(4) file has been checked and is installed. Note that it must be compatible with any Trusted Solaris host with which you are communicating.

If you are familiar with label encodings files, you can use the following procedure. However, if you are not familiar with label encodings files, consult Trusted Solaris Label Administration for requirements, procedures, and examples.

You can edit the placeholder label_encodings(4) file that the Trusted Solaris installation program installed, or install your own. The security administrator is responsible for editing, checking, and maintaining the label_encodings file.


Caution -

You must successfully install labels before continuing or the installation will fail.


Create an Admin_High Workspace

The label_encodings file is protected at the label ADMIN_HIGH. For security, you copy, edit, check and install your label encodings file at ADMIN_HIGH.

  1. Click the right menu button over the root workspace switch to bring up the TP menu, and select Add Workspace.

    A second workspace, named root_1, is created and active.

  2. Click the right menu button over the root_1 workspace switch, and choose Change Workspace Label from the menu.

  3. Click the ADMIN_HIGH label in the Label Builder and click OK.

    The color of the workspace switch changes to the color associated with the label ADMIN_HIGH. Actions, terminals, commands and windows originating from this workspace run at the label ADMIN_HIGH.

Allocate the Appropriate Device

  1. In the ADMIN_HIGH workspace, click the left mouse button on the triangle above the Style Manager icon on the Front Panel.

    Its Tools subpanel includes the Device Allocation icon.

  2. Click the Device Allocation icon once.

  3. Double-click the device you want to allocate.

    floppy_0 indicates a diskette.

  4. Click Yes to mount the device.

    A File Manager pops up showing the mount point. If it does not pop up, open a File Manager from the Front Panel, navigate to /, and double-click floppy.

Check and Install Your Label Encodings File

  1. If you plan to tweak the label encodings file, make sure that the file itself is writable.

  2. In the ADMIN_HIGH workspace, open the Application Manager by clicking the right mouse button on the background to bring up the Workspace menu.

  3. Choose Applications -> Application Manager from the top of the menu.

  4. Double-click the System_Admin folder icon.

  5. Check the syntax of the new label encodings file by double-clicking the Check Encodings action.

    You can ignore any Trash Can Error dialog error messages.

  6. In the dialog box, enter the full path name to the file:


    /floppy/floppy0/label-encodings-filename
    
  7. Read the contents of the Check Encodings dialog box that is displayed.

    The chk_encodings(1M) command checks the syntax of the file.

  8. If the file passes the check, answer yes to overwrite the currently-installed label_encodings file.

    The Check Encodings action creates a backup copy (naming it label_encodings.orig), installs the checked version, then restarts the label daemon.

    CONTINUE

    Only if it reports no errors can you continue installing.

    RESOLVE ERRORS

    If it reports errors, they must be resolved before continuing with installation.

    Consult "Creating or Editing the Encodings File" in Trusted Solaris Label Administration for troubleshooting assistance.


    Caution -

    Your label encodings file must pass the Check Encodings test before you continue.


Deallocate the Device

  1. In the workspace where the Device Allocation action is displayed, double-click the device to be deallocated from the list of allocated devices.

  2. Remove the diskette and click OK in the Deallocation dialog box.

  3. Return to root's ADMIN_LOW workspace by clicking the root workspace switch.

Initializing the Solaris Management Console

Initialize the SMC Server

  1. In the root role in an ADMIN_LOW workspace, start the SMC server process in the terminal window.


    # smc
    

    Note -

    The smc command initializes the SMC server. The first time the server is launched, it performs several registration tasks, which can take a few minutes.


  2. If toolbox icons do not appear in the Solaris Management Console, do one of the following.

    If the Navigation pane is not visible:

    1. In the Open Toolbox dialog that is displayed, click Load next to where this machine's name is listed under Server.

      If this machine does not have the recommended amount of memory and swap, it may take a few minutes for the toolboxes to display. See "Recommendations for the Trusted Solaris Environment".

    2. From the list of toolboxes, select Trusted Solaris Management Console, then click the Open button.

    If the Navigation pane is visible, but the toolbox icons are stop signs:

    1. Exit the SMC by choosing Exit from the Console pull-down menu.

    2. Restart the SMC.


      # smc
      
    3. Open the Trusted Solaris Management Console toolboxes by choosing Open from the Console menu, then selecting Trusted Solaris Management Console. The following figure shows the Navigation Pane of the Solaris Management Console in the Files scope.

    Figure 4-3 Solaris Management Console Tools


(Optional) Save the Current Toolbox

Saving the toolbox preference enables the Trusted Solaris Management Console toolboxes to load by default. The preferences are saved per role, per host (SMC server).

  1. From the Console menu, choose Preferences.

  2. Click the Use Current Toolbox button, then click OK.

    If you are configuring the name service master, return to "(Optional) Configuring Routing" in Chapter 5, Configuring a Name Service Master. Otherwise, continue.

(Optional) Configuring Routing

Set up static routing only if the security administrator has planned for an open network and you do not plan to use dynamic routing. Dynamic routing is the default, and requires no setup.

See "Administering Trusted Networking" in Trusted Solaris Administration Overview for more information.

For static routing, do one of "Set Up Simple Static Routing" or "Set up Static Routing Using Extended Metrics".

Set Up Simple Static Routing

For small networks, an /etc/defaultrouter file provides a simple routing method.

  1. Double-click the Set Default Routes action in the System_Admin folder.

    See "To Open a File that has a Defined Action" if you are unfamiliar with using trusted actions.

    An empty /etc/defaultrouter file appears in the trusted editor.

  2. Enter the name or the IP address of the defaultrouter. If there is more than one, enter them all, one per line, and then save the file.

    For example, if the hosts trustworthy and forwardho are routers, enter them, one per line:


    trustworthy
    forwardho
    

Set up Static Routing Using Extended Metrics

If your host or site accesses a complex network of gateways, the /etc/tsolgateways file offers more routing options. See the tsolgateways(4) man page for examples.

  1. Double-click the Set TSOL Gateways action in the System_Admin folder.

    See "To Open a File that has a Defined Action" if you are unfamiliar with using trusted actions.

    An empty /etc/tsolgateways file appears in the trusted editor.

  2. Enter the IP address of the subnet, the name of the gateway and its metric. Repeat for every gateway and save the file.

    For example, if the hosts trustworthy and forwardho are gateways:


    192.168.15.0 trustworthy 1
    192.168.8.0 forwardho 2
    

    Note -

    If the system has an /etc/defaultrouter file and an /etc/tsolgateways file, only the /etc/tsolgateways file is used for routing decisions.


Configuring Network Files

Add Hosts to the System's Known Network

  1. In the root role at the label ADMIN_LOW, return to the Solaris Management Console or re-open it if it is closed.


    # smc
    

  2. Click this-host: Scope=Files, Policy=TSOL under Trusted Solaris Management Console in the Navigation pane.

    See Figure 9-1 for what tools should display in the Navigation pane.

  3. Display the computers known to this host by clicking Trusted Solaris Configuration, then clicking Computers and Networks.


    Note -

    If toolbox icons display as red stop signs, the toolboxes will not load. To load them, see Step 2 in "Initialize the SMC Server".


  4. Provide a password when prompted, then double-click Computers.

    This computer should already be in the database. You should add every host that this system may contact, including static routers (if any), and any audit servers.

  5. Add a host that this computer may contact by choosing Add Computer from the Action menu.

  6. Click Apply to add the host, and click OK when the entries are complete.

(Optional) Remove the 0.0.0.0 Network

The network wildcard 0.0.0.0 may present a security risk. See "Modifying the Boot-time Trusted Network Databases" in Trusted Solaris Administrator's Procedures for more information.

    Follow the instructions in the "To Replace the 0.0.0.0 Entry in the Local Tnrhdb File" procedure under "Managing Trusted Networking (Tasks)" in Trusted Solaris Administrator's Procedures.

Add a Remote Host Template

If you used the Trusted Solaris label_encodings file, you can skip this step.

If this host is going to contact unlabeled hosts, the tnrhtp file must have an appropriate unlabeled template for those unlabeled hosts. See Table 1-3 in "Additional Planning for Open Networks" for host types and their associated templates provided by Trusted Solaris software.

The tnrhtp(4) file installed by the Trusted Solaris installation program contains examples of templates that match the label_encodings(4) file installed during Trusted Solaris installation. If you installed a site-specific label_encodings file, it is highly likely that the existing tnrhtp templates will not work with your file.

  1. In the root role at the label ADMIN_LOW, double-click Security Families under Computers and Networks in the Solaris Management Console.

    The existing templates are displayed in the View pane.


    Caution -

    Sites that install a site-specific label_encodings file must create templates that reflect the labels of machines and networks that the Trusted Solaris network can contact.


    You should have templates for:

    1. The Trusted Solaris hosts that this machine can contact.

    2. Any unlabeled hosts/networks that this machine can contact.

  2. To create a single-label template to assign to unlabeled hosts, choose Add Template from the Action menu.

    Consult the online help as you create the template.

    1. In the Basic Information tab, create a template named unlab_min-user-label, of host type Unlabeled, with an ADMIN_HIGH clearance and a process label of min-user-label.

      The default clearance must dominate the default label. The label ADMIN_HIGH dominates all labels.

    2. Click OK when the template is complete.

  3. Create any other templates your site needs before continuing.

Assign a Template to a Remote Host

The trusted network remote host database, tnrhdb, enables this host to communicate with remote hosts. The tnrhdb(4) man page describes the format of the entries, and suggests how to minimize the number of entries required.

Assign a remote host template to every host or network that this machine may contact. Include every host in the /etc/hosts file.

See Table 1-3 in "Additional Planning for Open Networks" for host types and their associated templates provided by Trusted Solaris software.

  1. In the root role at the label ADMIN_LOW, double-click Security Families under Computers and Networks in the Solaris Management Console.

  2. Double-click the Trusted Solaris security family, tsol.

  3. Choose Add Host(s) from the Action menu.

  4. In the Add Host(s) dialog box, click Add Wildcard to assign this template to all hosts on your Trusted Solaris subnet.

    1. Enter the subnet IP address and choose the template name.

      For example, enter 192.168.10.0 and tsol. The final zero signifies a subnet address; all hosts on that subnet are recognized as tsol hosts.


      Note -

      The number zero (0) is the wildcard. Do not use a star (*).


    2. Click OK.

  5. Choose Add Host(s) from the Action menu and click Add Host in the Add Host(s) dialog box to enter any exceptions to the subnet template assignment. Click OK to end the entry.

    For example, enter 192.168.10.3 and unlab_min-user-label. This host on the subnet is an unlabeled host, an exception to the tsol wildcard entry.

  6. Choose Add Host(s) from the Action menu and click Add Host to enter the IP address of every host in your /etc/defaultrouter or /etc/tsolgateways file, and assign to each an appropriate template name. Click OK to end each entry.

  7. Enter the details of other subnets and hosts.

    1. Enter the wildcard designation of each subnet and choose its appropriate template by choosing Add Host(s) -> Choose Wildcard.

    2. Individually assign a different template to any host that is an exception to its subnet's assigned template by choosing Add Host(s) -> Choose Host.

      Use the details provided by your system administrator, then choose the appropriate template name from the menu.

  8. Open a terminal to reload and verify the updated tnrhdb database.


    # tnctl -H /etc/security/tsol/tnrhdb
    # tninfo -h
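
The following script is an added example, not part of the original guide or of the Trusted Solaris software. It audits copies of the local files against the rules in this procedure and in "(Optional) Remove the 0.0.0.0 Network": for each address in hosts it reports whether the template comes from an explicit host entry, a trailing-zero wildcard, or the 0.0.0.0 catch-all, and it flags routers that lack their own entry. It is written for a POSIX shell and assumes that tnrhdb lines have the form IP_address:template_name and that trailing-zero wildcards apply at every octet boundary, most specific first; the function names, the hosts thishost, oldprinter and auditsrv, and all file contents are constructed.

```shell
#!/bin/sh
# Added example: audit tnrhdb coverage for the hosts and routers this system
# may contact. Assumed entry format: IP_address:template_name.

# tnrhdb_lookup TNRHDB IP -> "template entry" for the most specific match.
# Assumed fallback order: host, a.b.c.0, a.b.0.0, a.0.0.0, then 0.0.0.0.
tnrhdb_lookup() {
    awk -F: -v ip="$2" '
        /^[ \t]*#/ || NF < 2 { next }           # comments and blank lines
        { tmpl[$1] = $2 }
        END {
            if (split(ip, o, ".") != 4) exit 1  # not a dotted-quad address
            cand[1] = ip
            cand[2] = o[1] "." o[2] "." o[3] ".0"
            cand[3] = o[1] "." o[2] ".0.0"
            cand[4] = o[1] ".0.0.0"
            cand[5] = "0.0.0.0"
            for (i = 1; i <= 5; i++)
                if (cand[i] in tmpl) { print tmpl[cand[i]], cand[i]; exit 0 }
            exit 1
        }' "$1"
}

# classify TNRHDB IP -> "ip template entry STATUS"
classify() {
    if res=$(tnrhdb_lookup "$1" "$2"); then
        case ${res#* } in
            "$2")    status=EXPLICIT ;;  # the host has its own entry
            0.0.0.0) status=CATCHALL ;;  # only the network wildcard matched
            *)       status=WILDCARD ;;  # a trailing-zero subnet entry matched
        esac
        echo "$2 $res $status"
    else
        echo "$2 - - MISSING"
    fi
}

# router_addrs HOSTS DEFAULTROUTER TSOLGATEWAYS -> router addresses, one per line.
# When tsolgateways exists it alone is read, as the routing Note describes.
router_addrs() {
    if [ -f "$3" ]; then
        names=$(awk '!/^[ \t]*#/ && NF >= 2 { print $2 }' "$3")
    elif [ -f "$2" ]; then
        names=$(awk '!/^[ \t]*#/ && NF >= 1 { print $1 }' "$2")
    else
        return 0
    fi
    for n in $names; do   # resolve names through the hosts file
        awk -v n="$n" '
            !/^[ \t]*#/ { for (i = 2; i <= NF; i++) if ($i == n) { print $1; hit = 1; exit } }
            END { if (!hit) print n }' "$1"
    done | sort -u
}

# audit TNRHDB HOSTS DEFAULTROUTER TSOLGATEWAYS
# Lists every hosts-file address, then routers without their own host entry.
audit() {
    awk '!/^[ \t]*#/ && NF >= 2 { print $1 }' "$2" |
    while read -r ip; do classify "$1" "$ip"; done
    for ip in $(router_addrs "$2" "$3" "$4"); do
        case $(classify "$1" "$ip") in
            *" EXPLICIT") ;;
            *) echo "$ip ROUTER_NOT_EXPLICIT" ;;
        esac
    done
}

# make_sample DIR: write constructed copies of the four files.
make_sample() {
    cat > "$1/hosts" <<'EOF'
127.0.0.1     localhost
192.168.10.1  thishost
192.168.10.3  oldprinter
192.168.15.1  trustworthy
192.168.8.1   forwardho
10.1.2.3      auditsrv
EOF
    printf 'trustworthy\n' > "$1/defaultrouter"
    printf '192.168.15.0 trustworthy 1\n192.168.8.0 forwardho 2\n' > "$1/tsolgateways"
    cat > "$1/tnrhdb" <<'EOF'
127.0.0.1:tsol
192.168.10.0:tsol
192.168.10.3:unlab_min-user-label
192.168.15.1:tsol
0.0.0.0:unlab_min-user-label
EOF
}

dir=$(mktemp -d) && make_sample "$dir"
audit "$dir/tnrhdb" "$dir/hosts" "$dir/defaultrouter" "$dir/tsolgateways"
rm -rf "$dir"
```

In the sample, forwardho and auditsrv are reachable only through the 0.0.0.0 entry, so removing that entry without first adding host or subnet entries for them would leave both MISSING.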
    

(Optional) Set Up DNS

Skip this procedure if the security administrator has planned a closed network. For detailed information about DNS, see the Solaris Naming Setup and Configuration Guide.

    If your system is going to use DNS, click the Set DNS Servers action in the System_Admin folder and enter the nameservers by IP address, one per line.

    The file looks something like:


    nameserver nnn.nnn.nnn.nnn
    nameserver nnn.nnn.nnn.nnn
    

Creating Roles and Users

The install team creates the administrative roles (other than root) to be used at the site. The team assigns each role its rights profiles. Initial rights profiles are provided on the installation CD-ROM.

The appropriate toolbox scope for creating roles and users in a non-networked environment is this-host: Scope=Files, Policy=TSOL.

Create Administrative Roles

  1. In the root role at label ADMIN_LOW, start the Solaris Management Console if it is not running.

  2. Select the appropriate toolbox.

  3. Click Trusted Solaris Configuration, then click Users.

  4. When prompted, enter the root role password.

  5. Double-click Administrativ... (Administrative Roles).

  6. Choose Add Administrative Role from the Action menu.

    The Add Administrative Role wizard enables you to enter all values that are required for a role to work well. Values that you are not prompted to enter receive a default value. If you want to view or modify a role, double-click the role after creating it.

  7. Create the secadmin role to be the security administrator. Use the following table as a guide when creating the role.

    The secadmin password, and all passwords, should be one that is not easy to guess, thus reducing the chance of an adversary gaining unauthorized access by attempting to guess passwords.


    Note -

    For all administrative roles, make the account Always Available, and do not set password expiration dates.


    Table 4-1 secadmin Values in Add Role Dialog

    | Tab | Role Field | (Recommended) Value |
    |-----|------------|---------------------|
    | Role Name | Role name | secadmin |
    | | Full Name | Security Administrator |
    | | Description | No proprietary info here. |
    | | Role ID Number | >=100 |
    | | Role shell | Administrator's Bourne (profile shell) |
    | | Create a role mailing list | checked |
    | Password | Password and confirm | Assign a password of at least 6 alphanumeric characters. |
    | Rights | Available and Granted | Information Security, Rights Security |
    | Home Directory | Server | home directory server |
    | | Path | /mount_path |
    | Assign Users | Add and Delete | This will be automatically filled in when you assign a role to a user. |

  8. After creating the role, select it and double-click it to modify it. Use information from the following table as a guide.

    Table 4-2 secadmin Values in Properties/Modify Dialog

    | Tab | Role Field | (Recommended) Value |
    |-----|------------|---------------------|
    | Password | Set password by Type in or Choose from list | (Set in Table 4-1.) |
    | | Update password by Choose from list or Type in | |
    | Group | Available Groups | |
    | Trusted Solaris Attributes | Minimum Label: Edit | Default value is correct. |
    | | Clearance: Edit | Default value is correct. |
    | | View: External or Internal | The default value is External. |
    | | Label: Show or Hide | If your site is a no-label site, choose Hide. |
    | | Lock account ... | Default value, No, is correct. |
    | Audit | Excluded and Included | Set flags per site security policy |

  9. Using the preceding tables as a guide, create the following three roles. Give each role a unique ID, and assign to it the correct rights profile, as shown below:

    | Role Name | Granted Rights |
    |-----------|----------------|
    | admin | System Administrator |
    | primaryadmin | Primary Administrator |
    | oper | Operator |


    Caution -

    You must create the administrative roles before you create the users, since you will assign a role to each user.


Create Users Who Will Assume Roles

The install team in the root role creates users to assume the roles secadmin, admin, and primaryadmin. Where site security policy permits, the team can choose to create one user who can assume more than one administrative role.

  1. Double-click User Accounts in the Solaris Management Console.

  2. Choose Add User -> Use Wizard from the Action menu.


    Caution -

    Role and user IDs come from the same pool of IDs. Do not use existing names or IDs for the users you add.


  3. Begin to create a user who can assume the secadmin role and use Table 4-3 to fill out the fields.

    The Add User -> Use Wizard dialog boxes create most aspects of a user.

  4. After creating the user, double-click the created user to modify some user properties.

    Use Table 4-4 as a guide.

  5. Read the (Recommended) Value columns for guidance.

    Parentheses enclose suggestions. Requirements or defaults are not enclosed in parentheses.


    Note -

    When the install team chooses a password, the team must select one that is not easy to guess, thus reducing the chance of an attacker gaining unauthorized access by attempting to guess passwords.


    Table 4-3 User Values in Add User Dialog

    | Tab | User Field | (Recommended) Value |
    |-----|------------|---------------------|
    | User Name | User name | |
    | | Full name | |
    | | Description | No proprietary info here. |
    | | User ID number | (1001 or higher) |
    | Password | Set password by Type in or Choose from list | Assign a password of at least 6 alphanumeric characters. |
    | | Confirm | |
    | Group | Primary group | Staff |
    | Home directory | Server | home directory server |
    | | Path | |
    | Mail | Server | |
    | | Path | |

    For the user who can assume the secadmin role, select "Always Available" for "Account Availability" under General, below. Choose an appropriate account availability for other users.

    Table 4-4 User Values in Properties/Modify Dialog

    | Tab | User Field | (Recommended) Value |
    |-----|------------|---------------------|
    | General | Shell | |
    | | Account Availability | Always Available |
    | Password | Set password by Type in or Choose from list | (Set in Table 4-3.) |
    | | Update password by Choose from list or Type in | |
    | Group | Additional Groups | |
    | Roles | Available Roles and Assigned Roles | secadmin |
    | Trusted Solaris Attributes | Minimum Label: Edit | Default value is correct. |
    | | Clearance: Edit | Default value is correct. |
    | | View: External or Internal | |
    | | Label: Show or Hide | If your site is a no-label site, choose Hide. |
    | Account Usage | Idle time | |
    | | Idle action | |
    | | Lock account ... | No -- for any user who will assume a role. |
    | Rights | Available and Granted | Enable Login ... and see Note below. |
    | Audit | Excluded and Included | Set flags per site security policy |


    Note -

    Although Basic Solaris User does not appear in the Granted column, this right is assigned automatically to a user that is created using the Add User wizard. Do not assign the right explicitly.


  6. Create and modify another user, one who can assume the admin role.

  7. (Optional) Create and modify third and fourth users to assume the primaryadmin and oper roles, and provide them with unique IDs and appropriate Rights.

    These first users should each have at least the Enable Login right -- user can enable logins after a system reboot.

    After checking your site security policy, you may want to add the Convenient Authorizations right -- user can allocate devices, enable logins, print PostScript files, print without labels, remotely log in, and shut down the system.


    Note -

    Do not create any more users at this time. Setting up users is a two-role, trusted procedure.


    See "Managing User Accounts" in Trusted Solaris Administrator's Procedures and "Managing Users and Rights With SMC" in Trusted Solaris Administrator's Procedures for details on setting up users and user files.

    In a multilabel environment, users and roles are set up with a useful file, .link_files. See "Managing Initialization Files" in Trusted Solaris Administrator's Procedures for further discussion.

Verifying That Roles Work

Reboot the Computer

If you have not set up DNS or static routing, you can skip this step.

    Shut down the computer from the TP (Trusted Path) menu, and reboot it.

Verify that the Roles secadmin and admin Work

  1. For each role, log in as a user who can assume the role and assume it.

  2. In the role workspace, open the Solaris Management Console, select the Trusted Solaris Management Console with the appropriate scope for your site, and click Users.

  3. Provide the role password when prompted, then double-click User Accounts.

  4. Click a user.

    • The admin role should be able to modify fields under the tabs General, Home Directory, and Group.

    • The secadmin role should be able to modify fields under all tabs.

Verify that the Role primaryadmin Works

  1. Log in as a user who can assume the primaryadmin role and assume it.

  2. In the role workspace, open the Solaris Management Console, select the Trusted Solaris Management Console with the appropriate scope for your site, and click Users.

  3. Provide the role password when prompted, and double-click Rights.

  4. Create a new right by choosing Add Right from the Action menu.

  5. Save the new right, then delete it before continuing.
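
The following script is an added example, not part of the original guide or of the Trusted Solaris software. It complements the interactive checks above by reading copies of the local account files and confirming that each role from "Create Administrative Roles" is defined as a role, carries the rights listed in this chapter, runs a profile shell, can be assumed by at least one user, and that no role or user ID is reused. It is written for a POSIX shell and assumes that accounts created in the Files scope appear in user_attr(4) and passwd(4) format; the function names, the users jdoe and asmith, and all file contents are constructed.

```shell
#!/bin/sh
# Added example: check that the roles from this chapter are usable.
# Assumes user_attr(4) lines of the form name:qual:res1:res2:key=value;...

# attr_of USER_ATTR NAME KEY -> value of KEY in the attribute field of NAME
attr_of() {
    awk -F: -v n="$2" -v k="$3" '
        /^#/ || $1 != n { next }
        {
            m = split($5, kv, ";")
            for (i = 1; i <= m; i++)
                if (index(kv[i], k "=") == 1) { print substr(kv[i], length(k) + 2); exit }
        }' "$1"
}

# assumers USER_ATTR ROLE -> non-role accounts whose roles= list names ROLE
assumers() {
    awk -F: -v r="$2" '
        /^#/ || $5 ~ /(^|;)type=role(;|$)/ { next }
        {
            m = split($5, kv, ";")
            for (i = 1; i <= m; i++)
                if (index(kv[i], "roles=") == 1) {
                    k = split(substr(kv[i], 7), rs, ",")
                    for (j = 1; j <= k; j++) if (rs[j] == r) print $1
                }
        }' "$1"
}

# check_role USER_ATTR PASSWD ROLE "Profile A,Profile B" -> 0 if usable
check_role() {
    rc=0
    [ "$(attr_of "$1" "$3" type)" = role ] || { echo "$3: not defined with type=role"; return 1; }
    have=$(attr_of "$1" "$3" profiles)
    old_ifs=$IFS; IFS=,
    for want in $4; do
        case ",$have," in
            *",$want,"*) ;;
            *) echo "$3: missing rights profile '$want'"; rc=1 ;;
        esac
    done
    IFS=$old_ifs
    [ -n "$(assumers "$1" "$3")" ] || { echo "$3: no user can assume this role"; rc=1; }
    # A role needs a profile shell for its rights profiles to take effect.
    shell=$(awk -F: -v n="$3" '$1 == n { print $7 }' "$2")
    case $shell in
        */pfsh|*/pfcsh|*/pfksh) ;;
        *) echo "$3: shell '$shell' is not a profile shell"; rc=1 ;;
    esac
    return $rc
}

# duplicate_ids PASSWD -> "id first-name second-name" for each reused ID
duplicate_ids() {
    awk -F: '!/^#/ && NF >= 3 {
        if ($3 in seen) print $3, seen[$3], $1; else seen[$3] = $1 }' "$1"
}

# check_all USER_ATTR PASSWD: roles and granted rights as listed in this chapter
check_all() {
    status=0
    check_role "$1" "$2" secadmin     "Information Security,Rights Security" || status=1
    check_role "$1" "$2" admin        "System Administrator"  || status=1
    check_role "$1" "$2" primaryadmin "Primary Administrator" || status=1
    check_role "$1" "$2" oper         "Operator"              || status=1
    dups=$(duplicate_ids "$2")
    [ -z "$dups" ] || { echo "reused ID: $dups"; status=1; }
    return $status
}

# make_sample DIR: constructed files with three deliberate problems
make_sample() {
    cat > "$1/user_attr" <<'EOF'
secadmin::::type=role;profiles=Information Security,Rights Security
admin::::type=role;profiles=System Administrator
primaryadmin::::type=role;profiles=Primary Administrator
oper::::type=role;profiles=Operator
jdoe::::type=normal;roles=secadmin
asmith::::type=normal;roles=admin,primaryadmin
EOF
    cat > "$1/passwd" <<'EOF'
secadmin:x:100:14:Security Administrator:/export/home/secadmin:/bin/pfsh
admin:x:101:14:System Administrator:/export/home/admin:/bin/pfsh
primaryadmin:x:102:14:Primary Administrator:/export/home/primaryadmin:/bin/pfsh
oper:x:103:14:Operator:/export/home/oper:/bin/sh
jdoe:x:1001:10::/export/home/jdoe:/bin/csh
asmith:x:1001:10::/export/home/asmith:/bin/csh
EOF
}

dir=$(mktemp -d) && make_sample "$dir"
check_all "$dir/user_attr" "$dir/passwd" || echo "role setup is incomplete"
rm -rf "$dir"
```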

Finishing Up Configuration

Set Up Auditing

The security administrator is responsible for auditing decisions.

    Configure or disable auditing by doing one of the following.

    Disable auditing--if site security does not require auditing. To disable auditing in the Trusted Solaris environment, follow the procedures described in Trusted Solaris Audit Administration.

    Configure auditing--by following the procedures in Trusted Solaris Audit Administration.

(Optional) Share File Systems

If a directory is being shared before the admin role is created, the install team performs the procedure in the root role.


Caution -

Do not use proprietary names for shared file systems. The names of shared file systems are visible to every user.


  1. In the admin role (or root, if the admin role does not exist) at label ADMIN_LOW, under Trusted Solaris Management Console, click this-host: Scope=Files, Policy=TSOL.

  2. Click Storage, and provide a password if prompted.

  3. Double-click Mounts and Shares, and then double-click Shares.

  4. Choose Add Shared Directory from the Action menu.

  5. Follow the online help to share the directory.

    The tool shares the directory and starts the NFS daemons.

  6. To modify the attributes of the shared directory, double-click the Properties tab and use the online help to guide you.

(Optional) Mount File Systems

In the Trusted Solaris environment, file systems from unlabeled and labeled hosts can be mounted on a Trusted Solaris labeled host.


Caution -

Do not use proprietary names for mounted file systems. The names of mounted file systems are visible to every user.


  1. In the admin role at label ADMIN_LOW, under Trusted Solaris Management Console, click this-host: Scope=Files, Policy=TSOL.

  2. Click Storage and provide a password if prompted.

  3. Double-click Mounts and Shares, and then double-click Mounts.

  4. Choose Add NFS Mount from the Action menu.

  5. Follow and answer the prompts to mount the file system.

    You are prompted to allow creation of the mount point if it does not exist. The tool adds an entry in the /etc/vfstab file, creates the mount point, and mounts the file system.

(Optional) Delete the User install

When a user is deleted from the system, the administrator must ensure that the user's home directory and any objects owned by that user are also deleted. As an alternative to deleting objects owned by the user, the administrator may change the ownership of these objects to another user who is defined on the system.

The administrator must also ensure that all batch jobs that are associated with the deleted user are also deleted. The administrator must ensure that there are no objects or processes belonging to a deleted user that remain on the system.


Note -

If you plan to use the tsolconvert utility, do not delete the install user until you have completed the required conversion steps on a Trusted Solaris 8 or Trusted Solaris 8 4/01 system. See "Saving and Restoring Trusted Solaris Databases" for more information on converting Trusted Solaris 7 to Trusted Solaris 8 4/01 databases.


  1. In the admin role at label ADMIN_LOW, in the Solaris Management Console, choose this-host: Scope=Files, Policy=TSOL, and click Users.

  2. Provide a password if prompted, then double-click User Accounts.

    The user "install" is defined locally.

  3. Select the user to be deleted and click the Delete button.

    For the user install, you do not have mail files to delete. Other local users may have home directories and mail files to delete.

Other Setup

    See Trusted Solaris Administrator's Procedures for tasks such as handling mail, setting up printers, and protecting file systems.