Trusted Solaris Installation and Configuration

Chapter 8 Configuring a Headless Trusted Solaris System

Configuring and administering Trusted Solaris software on headless systems such as the Netra series requires different procedures from the same tasks on systems that have monitors. The Trusted Solaris operating environment divides administrative responsibilities into roles, and roles cannot be assumed remotely. The software also provides an administrative GUI, which cannot be displayed over a serial line.


Note -

If you are configuring a site for an evaluated configuration, please read "Understanding Your Site's Security Policy". The configuration methods dictated by headless systems do not satisfy the criteria for an evaluated configuration.


Headless System Configuration Tasks

On headless systems, the console is connected through a serial line to a terminal emulator window on a second system; the connection is typically established with the tip command. Depending on what type of second system is available, you can use one of four methods. The methods are listed from most desirable to least desirable in the following task map.

1. Choose a configuration and administration method.

The choice is based on the hardware and software available on the second system that communicates with the headless system. The choices are listed in descending order of ease and security.

    If you have a desktop system that is running the Trusted Solaris 8 4/01 environment, go to "To Set Up Remote CDE Login to a Headless System".

    If you have a desktop system that is running SMC 2.0 client software, go to "To Set Up Remote SMC Login to a Headless System".

    If you do not have a desktop system, and must use serial login to configure and administer the headless system, go to "To Set Up Administration by Serial Login".

    If you are logging in remotely using the telnet or rlogin command, go to "To Set Up Administration by Remote Login".

2. Set up the communicating systems. 

Use one of the methods above. 

3. Configure the headless system. 

See "Client Configuration Tasks", and use the methods possible given your login method.

4. Administer the headless system. 

See Trusted Solaris Administrator's Procedures, and use the methods possible given your login method.

To Set Up Remote CDE Login to a Headless System

If you are connecting to a headless system from a Trusted Solaris host, the serial port must be allocated before it can be used. See the serial login procedure in "Managing Devices (Tasks)" in Trusted Solaris Administrator's Procedures.

  1. After the headless system is installed, boot it into single-user mode.

  2. Use the vi command to add the Trusted Solaris desktop system to the /etc/hosts file on the headless system.

    For example, if a Trusted Solaris desktop system named admindesktop1 is going to be the configuring system, enter its name and IP address in the hosts file, as in:


    192.168.168.5 admindesktop1
  3. Use the vi command to add the Trusted Solaris desktop system to the /etc/security/tsol/tnrhdb file on the headless system.

    For example,


    192.168.168.5:tsol
  4. On the headless system, add the entries to the kernel cache with the tnctl command.


    # tnctl -H 
    
  5. On the Trusted Solaris desktop system, in an administrative role, use the Solaris Management Console Security Families tool to enter the headless system's information in the local hosts and tnrhdb files.

    For example, if the headless system is named headless1 with an IP address of 192.168.168.111, the entries would look like:


    192.168.168.111 headless1   # entry in the hosts file
    192.168.168.111:tsol   # entry in the tnrhdb file
  6. On the Trusted Solaris desktop system, add the entries to the kernel cache with the tnctl command.


    $ tnctl -H 
    
  7. On the headless system, exit single-user mode and let the system complete the boot process.

  8. Log out of the Trusted Solaris desktop system, then on the Login Screen choose Options --> Remote Login.

  9. Type the name of the headless system. The screen displays "Welcome to headless-system".

    For example, if you are connecting to a system named headless1, the screen displays "Welcome to headless1".

  10. Type install for the user name, and type the password for install when prompted.

  11. When the install user's workspace appears, assume the root role.

  12. See "Client Configuration Tasks" for how to configure a Trusted Solaris system, and Trusted Solaris Administrator's Procedures for how to administer a Trusted Solaris system.
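The entries in steps 2 through 6 are made on both systems, and the hosts entry and the tnrhdb entry for a given peer have to agree: an address that is named in hosts but absent from tnrhdb has no network template. The script below is an added example, not code from this manual; it writes the paired entries for a peer idempotently and lists any address that is named in hosts but has no template. The function names, the sample entries and the use of copies of the two files under a temporary directory are assumptions of the example, and the tnctl reload in steps 4 and 6 is still required afterwards.

```shell
#!/bin/sh
# Added example, not from the Trusted Solaris manual: keep the /etc/hosts and
# /etc/security/tsol/tnrhdb entries for a remote-login peer in step.
# File paths are parameters so the functions can be exercised on copies.

# valid_ipv4 ADDRESS: succeed only for a dotted quad whose octets are 0..255.
valid_ipv4() {
    echo "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }
        { exit 0 }'
}

# add_trusted_peer HOSTS TNRHDB ADDRESS NAME TEMPLATE
# Appends "ADDRESS NAME" to HOSTS and "ADDRESS:TEMPLATE" to TNRHDB, skipping
# either file that already has a line for ADDRESS, so re-running is harmless.
add_trusted_peer() {
    hosts=$1; tnrhdb=$2; ip=$3; name=$4; tmpl=$5
    valid_ipv4 "$ip" || { echo "add_trusted_peer: bad address '$ip'" >&2; return 1; }
    if ! awk -v ip="$ip" '$1 == ip { found = 1 } END { exit !found }' "$hosts"; then
        printf '%s\t%s\n' "$ip" "$name" >> "$hosts"
    fi
    if ! awk -F: -v ip="$ip" '$1 == ip { found = 1 } END { exit !found }' "$tnrhdb"; then
        printf '%s:%s\n' "$ip" "$tmpl" >> "$tnrhdb"
    fi
}

# missing_templates HOSTS TNRHDB
# Prints each address that has a name in HOSTS (comments and loopback aside)
# but no line in TNRHDB; prints nothing when the two files agree.
missing_templates() {
    awk -v tn="$2" '
        FILENAME == tn { if ($1 !~ /^#/ && $1 != "") tmpl[$1] = 1; next }
        $1 ~ /^#/ || $1 == "" || $1 == "127.0.0.1" { next }
        !($1 in tmpl) { print $1 }' FS=: "$2" FS=' ' "$1"
}

# Demonstration on constructed copies of the two files; nothing here touches /etc.
demo=$(mktemp -d)
printf '127.0.0.1\tlocalhost\n192.168.168.111\theadless1\n' > "$demo/hosts"
printf '127.0.0.1:tsol\n192.168.168.111:tsol\n' > "$demo/tnrhdb"
add_trusted_peer "$demo/hosts" "$demo/tnrhdb" 192.168.168.5 admindesktop1 tsol
add_trusted_peer "$demo/hosts" "$demo/tnrhdb" 192.168.168.5 admindesktop1 tsol  # second run adds nothing
printf '192.168.168.9\tforgotten\n' >> "$demo/hosts"   # named in hosts, never given a template
echo "addresses without a tnrhdb template:"
missing_templates "$demo/hosts" "$demo/tnrhdb"          # prints 192.168.168.9
rm -rf "$demo"
```

Run the same three functions against the desktop's copies of the files for the headless system's address (step 5), then reload the kernel cache with tnctl on each side as the procedure describes; the script deliberately does not call tnctl itself.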

To Set Up Remote SMC Login to a Headless System

For this procedure to work, one of the following systems must be available: a Solaris 8 4/01 desktop system running SMC 2.0, or a Windows client running the SMC 2.0 client software.

  1. After installation, boot the headless system into single-user mode.

  2. Add the desktop system that is running SMC version 2.0 to the headless system's /etc/hosts file.

    For example,


    192.168.168.77   soldesktop77
  3. On the Windows client or Solaris desktop system, add the headless system's address to the c:\windows\system\hosts or /etc/hosts file, respectively.

    For example,


    192.168.168.111  headless1
  4. Modify the /usr/sadm/lib/smc/bin/smcwbemserver file on the headless system to include the -u option.

    Follow the procedure "To Enable Remote Role Assumption From Untrusted Systems" under "Managing Roles (Tasks)" in Trusted Solaris Administrator's Procedures, then return here. As that procedure's title indicates, the option allows a role to be assumed from a system that is not itself a Trusted Solaris host, which weakens the role separation described at the start of this chapter and is the reason this method ranks below remote CDE login.

  5. On the headless system, exit single-user mode and let the system complete the boot process.

  6. On the Windows client or Solaris desktop system, start the Solaris Management Console.


    # smc &
    
  7. In the SMC Console menu, select the Preferences dialog box.

  8. Click the Authentication tab, and click Enable advanced login, then OK.

  9. Open the Files toolbox of the headless system, and log in specifying the install user and the root role. Provide passwords for both.

  10. Bring up a Terminal or the Application Manager window from the Legacy tools set in the Navigation Pane.

  11. Configure the headless system.

To Set Up Administration by Serial Login

Follow this procedure only if you do not have a desktop system with which to configure the headless system. This procedure is not secure: it gives the install login privileged shells directly on the serial console, with no role assumption in between.

  1. In single user mode on the headless system, modify the /etc/passwd entry for the install user. Change the install user's shell from /bin/false to /bin/pfsh.

  2. Modify the /etc/inittab file to spawn a console login on the serial console. Use the vi command to change the last line of /etc/inittab to:


    co:234:respawn:/usr/lib/saf/ttymon -g -h -p "`uname -n` console login: " \
     -T sun -d  /dev/console -l console -m ldterm,ttcompat

    The line above is broken with a backslash for printing convenience. You should not break the line in the /etc/inittab file.

  3. On the headless system, modify the /etc/security/user_attr entry for the install user to include the Primary Administrator profile.


    install...;profiles=...,Primary Administrator;

    The Primary Administrator profile includes privileged shells. The install user can now run privileged commands.

To Set Up Administration by Remote Login

Follow this procedure only if you do not have a desktop system with which to configure the headless system and you plan to administer the headless system via rlogin or telnet. This procedure is not secure: in addition to the privileges granted by the serial-login procedure, the install login becomes reachable over telnet or rlogin, which send the password and the entire session in cleartext.

  1. Follow the steps for "To Set Up Administration by Serial Login".

  2. On the headless system, modify the /etc/security/user_attr entry for the install user to include the profile Convenient Authorizations.


    install...;profiles=...Primary Administrator,Convenient Authorizations;

    The Convenient Authorizations profile enables the install user to log in remotely.

  3. On the headless system, lock the install account when it is no longer needed by editing the /etc/shadow file.


    install:*LK*:6445::::::

    Setting the password field to *LK* locks the account; the remaining fields, such as the last-change date (6445 in this example), are left as they are.
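The file edits in the serial-login and remote-login procedures (the profiles= list in user_attr, the console entry in inittab and the *LK* lock in shadow) are easy to get subtly wrong with vi, and in the remote-login case the same user_attr entry is edited twice. The script below is an added example and not part of this manual; it performs each edit on a copy of the file with awk, refuses to touch a file in which the user has no entry, and provides the checks you would run before handing over the console. The sample entries, the function names and the temporary directory are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Trusted Solaris manual: scripted versions of the
# user_attr(4), shadow(4) and inittab(4) edits from the serial-login and
# remote-login procedures, working on whatever file path is passed in.

# rewrite FILE PROGRAM [-v name=value ...]: run awk PROGRAM over FILE with ":"
# as the field separator and replace FILE only if the program exits 0.
rewrite() {
    file=$1; prog=$2; shift 2
    tmp="$file.tmp.$$"
    if awk -F: -v OFS=: "$@" "$prog" "$file" > "$tmp"; then
        mv "$tmp" "$file"
    else
        rm -f "$tmp"; return 1
    fi
}

# add_profile USER_ATTR USER PROFILE: append PROFILE to USER's profiles= list,
# creating the key if the entry has none; fails if USER has no entry, and a
# repeated call with the same profile changes nothing.
add_profile() {
    rewrite "$1" '
        $1 == user {
            n = split($5, kv, ";"); out = ""; done = 0
            for (i = 1; i <= n; i++) {
                if (kv[i] == "") continue
                if (kv[i] ~ /^profiles=/) {
                    m = split(substr(kv[i], 10), p, ",")
                    for (j = 1; j <= m; j++) if (p[j] == prof) done = 1
                    if (m == 0) kv[i] = "profiles=" prof
                    else if (!done) kv[i] = kv[i] "," prof
                    done = 1
                }
                out = out (out == "" ? "" : ";") kv[i]
            }
            if (!done) out = out (out == "" ? "" : ";") "profiles=" prof
            $5 = out; found = 1
        }
        { print }
        END { exit !found }' -v "user=$2" -v "prof=$3"
}

# has_profile USER_ATTR USER PROFILE: succeed if PROFILE is in USER's list.
has_profile() {
    awk -F: -v user="$2" -v prof="$3" '
        $1 == user {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++)
                if (kv[i] ~ /^profiles=/) {
                    m = split(substr(kv[i], 10), p, ",")
                    for (j = 1; j <= m; j++) if (p[j] == prof) f = 1
                }
        }
        END { exit !f }' "$1"
}

# lock_account SHADOW USER: replace the password field with *LK*, leaving the
# last-change date and the remaining fields as they are.
lock_account() {
    rewrite "$1" '$1 == user { $2 = "*LK*"; found = 1 } { print } END { exit !found }' -v "user=$2"
}

# is_locked SHADOW USER: succeed if USER's password field starts with *LK*.
is_locked() {
    awk -F: -v user="$2" '$1 == user && $2 ~ /^\*LK\*/ { f = 1 } END { exit !f }' "$1"
}

# console_login_enabled INITTAB: succeed if an uncommented respawn entry runs
# ttymon on /dev/console, i.e. the serial console will offer a login prompt.
console_login_enabled() {
    awk -F: '$1 !~ /^#/ && $3 == "respawn" && /ttymon/ && /\/dev\/console/ { f = 1 }
             END { exit !f }' "$1"
}

# Demonstration on constructed copies; nothing below touches /etc.
demo=$(mktemp -d)
printf 'install::::type=normal;profiles=Basic Solaris User;\n' > "$demo/user_attr"
printf 'install:xyz:6445::::::\n' > "$demo/shadow"
printf 'co:234:respawn:/usr/lib/saf/ttymon -g -h -p "`uname -n` console login: " -T sun -d /dev/console -l console -m ldterm,ttcompat\n' > "$demo/inittab"
add_profile "$demo/user_attr" install "Primary Administrator"     # serial-login step 3
add_profile "$demo/user_attr" install "Convenient Authorizations" # remote-login step 2
lock_account "$demo/shadow" install                                # remote-login step 3
cat "$demo/user_attr" "$demo/shadow"
console_login_enabled "$demo/inittab" && echo "console login entry present"
rm -rf "$demo"
```

The lock is applied by rewriting the password field only, so the entry keeps its other fields exactly as the example in step 3 shows; is_locked and has_profile give you a one-line way to confirm, after the headless system is handed over, that the install account was locked and that the privileged profiles did not linger on any other account.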