Trusted Solaris Administrator's Procedures

To Replace the 0.0.0.0 Entry in the Local Tnrhdb File

The local tnrhdb(4) file on each computer is used to contact the network at boot time. For greater security, you can remove the 0.0.0.0 wildcard entry. However, you must replace it with every remote address that the host contacts at boot time.

  1. In the Security Administrator role, open the Security Families tool in the Files scope.

    See "To Open the Security Families Tool" for the steps in detail.

  2. Double-click ALL, then select 0.0.0.0.

  3. If you know all machines that this computer contacts, remove the wildcard entry by choosing Edit --> Delete.

  4. To replace the wildcard entry, the following entries must be in the /etc/hosts or /etc/inet/ipnodes file, and in the tnrhdb database.

    • An entry for this system, the name service master, and the loopback address, 127.0.0.1

      The install team added these entries during configuration.

    • An entry for every local IP address

      The install team should have added these entries during configuration.

    • One or more router entries

      If the name service client is a router, list all the routers with which it needs to communicate during boot. Include broadcast addresses.

      If the name service client is not a router, create a fallback network entry, such as 192.168.113.0.

    1. For a router, make the following entries by clicking Add --> Host(s).

      Make sure all network interfaces are in the file. For example,


      Host Name:  trusted-gw
      IP Address: 192.168.112.111
      Template: tsol
      

      Host Name:  trusted
      IP Address: 192.168.113.111
      Template: tsol
      

      Make an entry for every router that this host communicates with. This is most easily done when the network uses static routing. For example,


      Host Name:  gateway-2
      IP Address: 192.168.112.12
      Template: unclassified
      

      Host Name:  gateway-3
      IP Address: 192.168.113.12
      Template: unclassified
      

      Make an entry for every broadcast and multicast address. For example,


      Host Name:  broadcast
      IP Address: 255.255.255.255
      Template: admin_low
      

      Host Name:  multicast
      IP Address: 224.0.0.2
      Template: admin_low
      

      Host Name:  broadcast-112
      IP Address: 192.168.112.255
      Template: tsol
      

      Host Name:  broadcast-113
      IP Address: 192.168.113.255
      Template: tsol
      

      The following shows the local tnrhdb file with entries for a name service client with two interfaces. The client communicates with another network and routers.


      192.168.112.111:tsol  Interface 1 of this system
      192.168.113.111:tsol  Interface 2
      192.168.113.5:tsol    NIS+ master
      192.168.113.6:tsol    Audit server
      192.168.113.8:tsol    Mail server
      192.168.112.255:tsol  Subnet broadcast address
      192.168.113.255:tsol  Subnet broadcast address
      127.0.0.1:tsol        Loopback address
      192.168.117.0:tsol    Another Trusted Solaris network
      192.168.112.12:unclassified  Specific network router
      192.168.113.12:unclassified  Specific network router
      224.0.0.2:unclassified       Multicast address
      255.255.255.255:admin_low    Broadcast address
      
    2. If the host being configured is not a router, click Add --> Host(s) to create a fallback entry so that the host can find its router.

      For example,


      Click the Wildcard button
      IP Address: 192.168.113.0
      Template: tsol
      

      For example, for a non-router on a dynamically configured network, the entries might look like:


      192.168.113.99:tsol          This system
      192.168.113.5:tsol           NIS+ master
      192.168.113.0:tsol           Subnet wildcard address
      127.0.0.1:tsol               Loopback address
      192.168.117.0:tsol           Another Trusted Solaris network
      224.0.0.2:unclassified       Multicast address
      255.255.255.255:admin_low    Broadcast address
      

      Note -

      If a network that has Trusted Solaris hosts is assigned a wildcard template that is not a tsol template and the network has any tsol routers, then the administrator must assign the netmask entry the tsol template. For example,


      192.168.112.98:tsol          This system
      192.168.112.0:confidential   Subnet wildcard address
      192.168.112.111:tsol         TSOL router
      255.255.255.255:tsol         Broadcast address
      
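The check a practitioner wants before deleting the wildcard is whether every address the host contacts at boot still resolves to some tnrhdb entry. The following is an added example in Python, not part of the Trusted Solaris documentation: it parses entries in the address:template form shown above, resolves each boot-time contact, and lists the addresses that would have no entry once 0.0.0.0 is gone. The lookup order it models (exact host entry, then the most specific trailing-zero subnet entry such as 192.168.113.0, then 0.0.0.0) is an assumed simplification of the tnrhdb fallback mechanism; the sample file and the boot-contact list are constructed.

```python
"""Coverage check for a local tnrhdb file after the 0.0.0.0 wildcard is removed.

Added example; not part of the Trusted Solaris documentation. The lookup order
below (exact host entry, then the most specific trailing-zero subnet entry,
then 0.0.0.0) is an assumed simplification of the tnrhdb fallback mechanism.
"""
import ipaddress

# Constructed sample modelled on the router example above; the mail server
# (192.168.113.8) and the second router (192.168.113.12) are deliberately absent.
TNRHDB_SAMPLE = """\
192.168.112.111:tsol  Interface 1 of this system
192.168.113.111:tsol  Interface 2
192.168.113.5:tsol    NIS+ master
192.168.113.6:tsol    Audit server
192.168.112.255:tsol  Subnet broadcast address
127.0.0.1:tsol        Loopback address
192.168.117.0:tsol    Another Trusted Solaris network
192.168.112.12:unclassified  Specific network router
255.255.255.255:admin_low    Broadcast address
"""

# Constructed list of addresses this host is assumed to contact during boot.
BOOT_CONTACTS = ["127.0.0.1", "192.168.112.111", "192.168.113.5",
                 "192.168.113.8", "192.168.113.12", "192.168.117.40",
                 "255.255.255.255"]


def parse_tnrhdb(text):
    """Return {address: template} from 'address:template [comment]' lines."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        field = line.split()[0]                 # trailing comment is ignored
        address, _, template = field.partition(":")
        if not template:
            raise ValueError(f"malformed tnrhdb line: {raw!r}")
        entries[address] = template
    return entries


def _wildcard_network(address):
    """Treat trailing zero octets (192.168.113.0, 0.0.0.0) as a subnet wildcard.
    Assumption: each trailing zero octet widens the prefix by 8 bits."""
    if address == "0.0.0.0":
        return ipaddress.ip_network("0.0.0.0/0")
    zeros = 0
    for octet in reversed(address.split(".")):
        if octet != "0":
            break
        zeros += 1
    if zeros == 0:
        return None                             # a specific host entry
    return ipaddress.ip_network(f"{address}/{32 - 8 * zeros}")


def resolve(entries, address):
    """Return (matching entry, template), preferring the most specific match,
    or None when no entry covers the address."""
    if address in entries:
        return address, entries[address]
    addr = ipaddress.ip_address(address)
    best = None
    for key, template in entries.items():
        net = _wildcard_network(key)
        if net is not None and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, key, template)
    return None if best is None else (best[1], best[2])


def uncovered(entries, contacts):
    """Boot-time contacts that would have no tnrhdb entry once 0.0.0.0 is deleted."""
    without_wildcard = {k: v for k, v in entries.items() if k != "0.0.0.0"}
    return [ip for ip in contacts if resolve(without_wildcard, ip) is None]


if __name__ == "__main__":
    db = parse_tnrhdb(TNRHDB_SAMPLE)
    for ip in uncovered(db, BOOT_CONTACTS):
        print(f"add an entry for {ip} before deleting 0.0.0.0")
```

Run against the sample, the script reports the mail server and the second router, which is exactly the list of Add --> Host(s) entries still owed before Edit --> Delete is safe; the 192.168.117.40 contact is covered by the 192.168.117.0 network entry and so needs nothing.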


Example -- Changing the Label of the 0.0.0.0 Tnrhdb Entry

You may want to give the 0.0.0.0 tnrhdb(4) entry a different unlabeled template, such as the unclassified template from the default set of templates. The system then recognizes any computer not otherwise listed in its tnrhdb file as an unlabeled machine at the label unclassified. Choose Action --> Properties from the menu when 0.0.0.0 is selected to change the assigned template.

Many sites create an unlabeled template specifically for gateways, and assign the gateway template to all gateway systems. The following is an unlabeled template specifically for gateways:


unlab_gateway:host_type=unlabeled;\
def_label=[0x00010000000000000000000000000000000000000000000000000000000000000000];\
def_cl=0x00010000000000000000000000000000000000000000000000000000000000000000;\
forced_privs=empty;\
min_sl=0x00000000000000000000000000000000000000000000000000000000000000000000;\
max_sl=0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff;\
doi=0;\
ip_label=none;\
ripso_label=empty;\
ripso_error=empty;

The backslashes above are for ease of reading. See "To Construct Templates for Hosts" for how to construct a template, and then assign it to the 0.0.0.0 wildcard.
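To show how such a template definition is read before it is assigned to the wildcard, here is an added example in Python, not Trusted Solaris code: it joins the backslash-continued key=value definition into a dictionary, checks that the keys are present and the label fields are hex, and emits the 0.0.0.0 tnrhdb line only for a template that is defined and unlabeled. The required key set and the checks are assumptions derived from the unlab_gateway template above alone; the template text is that template, embedded as input.

```python
"""Parse a tnrhtp-style template definition and build the 0.0.0.0 assignment.

Added example; not part of the Trusted Solaris documentation. The required key
set and the checks below are assumptions derived from the unlab_gateway
template shown on the page.
"""
import re

# The unlab_gateway template above, embedded here as constructed input.
TEMPLATE_TEXT = r"""
unlab_gateway:host_type=unlabeled;\
def_label=[0x00010000000000000000000000000000000000000000000000000000000000000000];\
def_cl=0x00010000000000000000000000000000000000000000000000000000000000000000;\
forced_privs=empty;\
min_sl=0x00000000000000000000000000000000000000000000000000000000000000000000;\
max_sl=0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff;\
doi=0;\
ip_label=none;\
ripso_label=empty;\
ripso_error=empty;
"""

# Keys present in the template above; treated here as the required set (assumption).
REQUIRED_KEYS = {"host_type", "def_label", "def_cl", "forced_privs", "min_sl",
                 "max_sl", "doi", "ip_label", "ripso_label", "ripso_error"}
HEX_KEYS = ("def_label", "def_cl", "min_sl", "max_sl")
HEX_VALUE = re.compile(r"^0x[0-9a-fA-F]+$")


def parse_templates(text):
    """Return {name: {key: value}}; backslash-newline continuations are joined
    and the brackets around def_label are dropped."""
    joined = text.replace("\\\n", "")
    templates = {}
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, body = line.partition(":")
        fields = {}
        for item in body.split(";"):
            if item.strip():
                key, _, value = item.partition("=")
                fields[key.strip()] = value.strip().strip("[]")
        templates[name.strip()] = fields
    return templates


def template_problems(fields):
    """List what is wrong with one parsed template (an empty list means it passed)."""
    problems = [f"missing key {k}" for k in sorted(REQUIRED_KEYS - fields.keys())]
    for k in HEX_KEYS:
        v = fields.get(k)
        if v is not None and not HEX_VALUE.match(v):
            problems.append(f"{k} is not a hex label: {v!r}")
    return problems


def wildcard_entry(templates, name):
    """Return the tnrhdb line assigning template `name` to 0.0.0.0, or None if the
    template is undefined, malformed, or not an unlabeled template."""
    fields = templates.get(name)
    if fields is None or template_problems(fields):
        return None
    if fields.get("host_type") != "unlabeled":
        return None
    return f"0.0.0.0:{name}"


if __name__ == "__main__":
    defined = parse_templates(TEMPLATE_TEXT)
    print(wildcard_entry(defined, "unlab_gateway"))
```

The point of routing the assignment through wildcard_entry is that the 0.0.0.0 entry should only ever carry an unlabeled template that actually exists in the template set; a name that is undefined or whose host_type is not unlabeled yields None instead of a tnrhdb line.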