Trusted Solaris Installation and Configuration

Configuring the Network

Add Hosts to a Machine's Known Network
  1. In the root role at the label ADMIN_LOW, return to the Solaris Management Console or re-open it if it is closed.


    # smc
    

  2. Click this-host: Scope=Files, Policy=TSOL under Trusted Solaris Management Console in the Navigation pane.

    See Figure 9-1 for the tools that should display in the Navigation pane.

  3. Display the computers known to this host by clicking Trusted Solaris Configuration, then clicking Computers and Networks.

  4. Provide a password if prompted, then double-click Computers.


    Note -

    If toolbox icons display as red stop signs, the toolboxes will not load. To load them, see Step 2 in "Initialize the SMC Server".


    This computer should already be in the database. You should add the following hosts:

    1. Name service master, if any.

    2. Static routers, if any.

    3. Audit servers for this host.

  5. Add every host that this computer may contact during boot by choosing Add Computer from the Action menu.

    1. Click Apply to add each host.

    2. Click OK when the entries are complete.

(Optional) Remove the 0.0.0.0 Network

The network wildcard 0.0.0.0 matches every address that has no more specific tnrhdb entry, so any unlisted host can communicate with this machine under the template assigned to 0.0.0.0. This may present a security risk. See "Modifying the Boot-time Trusted Network Databases" in Trusted Solaris Administrator's Procedures for more information.

    Follow the instructions in the "To Replace the 0.0.0.0 Entry in the Local Tnrhdb File" procedure under "Managing Trusted Networking (Tasks)" in Trusted Solaris Administrator's Procedures.

Add a Remote Host Template

If you used the Trusted Solaris label_encodings file, you can skip this step.

If this host is going to contact unlabeled hosts, the tnrhtp file must have an appropriate unlabeled template for those unlabeled hosts. See Table 1-3 in "Additional Planning for Open Networks" for host types and their associated templates provided by Trusted Solaris software.

The tnrhtp(4) file installed by the Trusted Solaris installation program contains examples of templates that match the label_encodings(4) file installed during Trusted Solaris installation. If you installed a site-specific label_encodings file, it is highly likely that the existing tnrhtp templates will not work with your file.

  1. In the root role at the label ADMIN_LOW, double-click Security Families under Computers and Networks in the Solaris Management Console.

    The existing templates are displayed in the View pane.


    Caution -

    Sites that install a site-specific label_encodings file must create templates that reflect the labels of machines and networks that the Trusted Solaris network can contact.


    You should have templates for:

    1. The Trusted Solaris hosts that this machine can contact.

    2. Any unlabeled hosts or networks that this machine can contact.

  2. To create a single-label template to assign to unlabeled hosts, choose Add Template from the Action menu.

    Consult the online help as you create the template.

    1. In the Basic Information tab, create a template named unlab_min-user-label, of host type Unlabeled, with an ADMIN_HIGH clearance and a process label of min-user-label.

      The default clearance must dominate the default label. The label ADMIN_HIGH dominates all labels.

    2. Click OK when the template is complete.

  3. Create any other templates your site needs before continuing.

Assign a Template to a Remote Host

The trusted network remote host database, tnrhdb, enables this host to communicate with remote hosts. The tnrhdb(4) man page describes the format of the entries, and suggests how to minimize the number of entries required.

Assign a remote host template to every host or network that this machine may contact. Include every host in the /etc/hosts file.

See Table 1-3 in "Additional Planning for Open Networks" for host types and their associated templates provided by Trusted Solaris software.

  1. In the root role at the label ADMIN_LOW, double-click Security Families under Computers and Networks in the Solaris Management Console.

  2. Double-click the Trusted Solaris security family, tsol.

  3. Choose Add Host(s) from the Action menu.

  4. In the Add Host(s) dialog box, click Add Wildcard to assign the tsol template to all hosts on your Trusted Solaris subnet.

    1. Enter the subnet IP address and choose the template name.

      For example, enter 192.168.10.0 and tsol. The final zero signifies a subnet address; all hosts on that subnet are recognized as tsol hosts.


      Note -

      The number zero (0) is the wildcard. Do not use a star (*).


    2. Click OK.

  5. Choose Add Host(s) from the Action menu and click Add Host in the Add Host(s) dialog box to enter any exceptions to the subnet template assignment. Click OK to end the entry.

    For example, enter 192.168.10.3 and unlab_min-user-label. This host on the subnet is an unlabeled host, an exception to the tsol wildcard entry.

  6. Choose Add Host(s) from the Action menu and click Add Host to enter the IP address of every host in your /etc/defaultrouter or /etc/tsolgateways file, and assign to each an appropriate template name. Click OK to end each entry.

  7. Enter the details of other subnets and hosts.

    1. For each subnet, choose Add Host(s) from the Action menu, click Add Wildcard, enter the subnet's wildcard address (nnn.nnn.nnn.0), and choose the appropriate template.

    2. For any host that is an exception to its subnet's template, choose Add Host(s) from the Action menu, click Add Host, and assign that host its own template.

      Use the details provided by your system administrator, then choose the appropriate template name from the menu.

  8. Open a terminal to reload and verify the updated tnrhdb database.


    # tnctl -H /etc/security/tsol/tnrhdb
    # tninfo -h
    

Trusted Network Summary

The tnrhdb database must have an IP address and template name for every host or subnet that the hosts in the Trusted Solaris domain can communicate with:

  1. The master server (that is, this host)

  2. Every client that will be in the Trusted Solaris domain, or the subnet wildcard nnn.nnn.nnn.0 that covers it

  3. Every static router (open network only)

  4. Every other host with which the domain can communicate, or a wildcard address for its subnet (open network only)
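
The script below is an added example and is not part of the Trusted Solaris documentation or software. It checks, offline, the conditions that "Assign a Template to a Remote Host", the optional 0.0.0.0 step and the summary above call for: every template named in tnrhdb exists in tnrhtp, every tnrhdb address is a dotted quad with a trailing 0 for subnet wildcards (not a star), and every /etc/hosts entry is covered by an exact tnrhdb entry or its subnet wildcard rather than only by the 0.0.0.0 catch-all. It assumes the documented layouts of tnrhdb (address:template) and tnrhtp (template:attributes) with # starting a comment; the sample files it writes are constructed for illustration, and the attribute keywords in the sample tnrhtp are illustrative only and are not parsed.

```shell
#!/bin/sh
# Added example: offline consistency checks for a tnrhdb file against tnrhtp
# and /etc/hosts. Assumptions: tnrhdb lines are "address:template", tnrhtp
# lines are "template:attributes", and "#" starts a comment. The attribute
# keywords in the sample tnrhtp are illustrative only; nothing below parses them.

# Write constructed sample files (not copied from any real system) into $1.
write_samples() {
  cat > "$1/tnrhtp" <<'EOF'
# template-name:attributes (attributes illustrative)
tsol:host_type=cipso;doi=1;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;
admin_low:host_type=unlabeled;def_label=ADMIN_LOW;def_cl=ADMIN_HIGH;
unlab_min-user-label:host_type=unlabeled;def_label=PUBLIC;def_cl=ADMIN_HIGH;
EOF
  cat > "$1/tnrhdb" <<'EOF'
# address-or-subnet:template-name
127.0.0.1:tsol
192.168.10.0:tsol
192.168.10.3:unlab_min-user-label
192.168.20.*:tsol
10.0.0.1:unlab_typo
0.0.0.0:admin_low
EOF
  cat > "$1/hosts" <<'EOF'
127.0.0.1       localhost
192.168.10.1    tsolmaster loghost
192.168.10.3    printsrv
10.0.0.1        gateway
172.16.5.9      auditsrv
EOF
}

# Strip comments and blank lines from a database file.
entries() {
  sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# Print tnrhdb entries ($1) whose template is not defined in tnrhtp ($2).
undefined_templates() {
  names=" $(entries "$2" | cut -d: -f1 | tr '\n' ' ') "
  entries "$1" | while IFS=: read -r addr tmpl; do
    case "$names" in
      *" $tmpl "*) ;;
      *) printf '%s:%s\n' "$addr" "$tmpl" ;;
    esac
  done
  return 0
}

# Print tnrhdb addresses ($1) that are not dotted quads. A subnet wildcard is
# written with a trailing 0, never "*", so "192.168.20.*" is an error.
bad_addresses() {
  entries "$1" | cut -d: -f1 | grep -Ev '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || :
}

# Print /etc/hosts entries ($1) that have neither an exact tnrhdb entry ($2)
# nor a covering subnet wildcard a.b.c.0. The 0.0.0.0 catch-all is deliberately
# not counted as coverage: these are the hosts that would lose connectivity
# when 0.0.0.0 is removed, so each needs an explicit entry first.
uncovered_hosts() {
  addrs=" $(entries "$2" | cut -d: -f1 | tr '\n' ' ') "
  entries "$1" | while read -r ip hostnames; do
    case "$addrs" in
      *" $ip "*) ;;
      *" ${ip%.*}.0 "*) ;;
      *) printf '%s %s\n' "$ip" "$hostnames" ;;
    esac
  done
  return 0
}

# Succeed if the 0.0.0.0 catch-all entry is still present in tnrhdb ($1).
has_zero_wildcard() {
  entries "$1" | grep -q '^0\.0\.0\.0:'
}

# Usage: check_tn.sh [tnrhdb tnrhtp hosts]; with no arguments the sample files are used.
main() {
  tmp=
  if [ $# -eq 3 ]; then
    tnrhdb=$1; tnrhtp=$2; hosts=$3
  else
    tmp=$(mktemp -d)
    write_samples "$tmp"
    tnrhdb=$tmp/tnrhdb; tnrhtp=$tmp/tnrhtp; hosts=$tmp/hosts
  fi
  echo "== tnrhdb entries naming a template missing from tnrhtp =="
  undefined_templates "$tnrhdb" "$tnrhtp"
  echo "== tnrhdb addresses that are not dotted quads =="
  bad_addresses "$tnrhdb"
  echo "== hosts reachable only through the 0.0.0.0 catch-all =="
  uncovered_hosts "$hosts" "$tnrhdb"
  if has_zero_wildcard "$tnrhdb"; then
    echo "== 0.0.0.0 entry present: fix the items above before removing it =="
  fi
  if [ -n "$tmp" ]; then rm -rf "$tmp"; fi
}

main "$@"
```

On a Trusted Solaris host the script would be run in the root role at ADMIN_LOW against /etc/security/tsol/tnrhdb, /etc/security/tsol/tnrhtp and /etc/hosts, before tnctl is used to reload the database and before the 0.0.0.0 entry is removed; a host listed in the third report would be reachable only through the catch-all and needs its own entry or a subnet wildcard first.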