Solaris 10 What's New

Security Enhancements

The following security features are new in the Solaris 10 1/06 release. To view security features that are new in the previous Solaris 10 3/05 release, see Security Enhancements.

Set SMTP to Use Transport Layer Security

This enhancement is new in the Solaris Express 8/05 release and in the Solaris 10 1/06 release.

The Simple Mail Transfer Protocol (SMTP) can use Transport Layer Security (TLS) in version 8.13 of sendmail. When enabled, TLS provides SMTP servers and clients with private, authenticated communications over the Internet, as well as protection from eavesdroppers and attackers.

For more information, see the System Administration Guide: Network Services.

Metaslot in the Cryptographic Framework

This feature is new in the Solaris 10 1/06 release and in the Solaris Express 2/05 release. This feature is of interest to both system administrators and software developers.

The metaslot is a component of the Solaris cryptographic framework library, libpkcs11.so. With metaslot software, an application that needs encryption can specify its cryptographic needs. Based on these specifications, the framework supplies the most suitable cryptographic mechanism that is available on the system. The metaslot serves as a single virtual slot with the combined capabilities of all tokens and slots that have been installed in the framework. Effectively, the metaslot enables an application to connect transparently with any available cryptographic service through a single slot.

The metaslot is automatically enabled. The system administrator can explicitly disable the metaslot if preferred.

When an application requests a cryptographic service, the metaslot points to the most appropriate slot, which simplifies the process of selecting a slot. In some cases, a different slot might be required, in which case the application must perform a separate search explicitly.

Further information about the cryptographic framework is provided in the Solaris Security for Developers Guide. See also the System Administration Guide: Security Services.

IKE Enhancements

These enhancements are new in the Solaris 10 1/06 release and in the Solaris Express 2/05 release.

IKE is fully compliant with NAT-Traversal support as described in RFC 3947 and RFC 3948. IKE operations use the PKCS #11 library from the cryptographic framework, which improves performance. The cryptographic framework provides a softtoken keystore for applications that use the metaslot. When IKE uses the metaslot, you have the option of storing the keys on an attached board or in the softtoken keystore.

For further information about IKE, see the System Administration Guide: IP Services.

New Command for embedded_su

This enhancement is new in the Solaris 10 1/06 release.

This release includes a new command, embedded_su. This command offers “su-like” features to programs. This command enables graphical user interfaces to prompt for authentication data and execute operations as another user. This command provides functionality exactly equivalent to the su command, and so poses no new security risks. System administrators who have used /etc/pam.conf to customize the behavior of the su command can choose to add /etc/pam.conf entries to control the embedded_su command.

For an example, see the embedded_su(1M) man page.