Skip Navigation Links | |
Exit Print View | |
Trusted Extensions Configuration and Administration Oracle Solaris 11 Information Library |
Part I Initial Configuration of Trusted Extensions
1. Security Planning for Trusted Extensions
2. Configuration Roadmap for Trusted Extensions
3. Adding the Trusted Extensions Feature to Oracle Solaris (Tasks)
4. Configuring Trusted Extensions (Tasks)
5. Configuring LDAP for Trusted Extensions (Tasks)
Part II Administration of Trusted Extensions
6. Trusted Extensions Administration Concepts
7. Trusted Extensions Administration Tools
8. Security Requirements on a Trusted Extensions System (Overview)
9. Performing Common Tasks in Trusted Extensions (Tasks)
10. Users, Rights, and Roles in Trusted Extensions (Overview)
11. Managing Users, Rights, and Roles in Trusted Extensions (Tasks)
12. Remote Administration in Trusted Extensions (Tasks)
13. Managing Zones in Trusted Extensions (Tasks)
14. Managing and Mounting Files in Trusted Extensions (Tasks)
15. Trusted Networking (Overview)
16. Managing Networks in Trusted Extensions (Tasks)
17. Trusted Extensions and LDAP (Overview)
18. Multilevel Mail in Trusted Extensions (Overview)
19. Managing Labeled Printing (Tasks)
Labels, Printers, and Printing
Restricting Access to Printers and Print Job Information in Trusted Extensions
PostScript Printing of Security Information
Configuring Labeled Printing (Task Map)
How to Configure a Zone As a Single-Level Print Server
How to Configure a Multilevel Print Server and Its Printers
How to Enable a Trusted Extensions Client to Access a Printer
Reducing Printing Restrictions in Trusted Extensions (Task Map)
How to Remove Labels From Printed Output
How to Assign a Label to an Unlabeled Print Server
How to Remove Page Labels From All Print Jobs
How to Enable Specific Users to Suppress Page Labels
How to Suppress Banner and Trailer Pages for Specific Users
How to Enable Users to Print PostScript Files in Trusted Extensions
20. Devices in Trusted Extensions (Overview)
21. Managing Devices for Trusted Extensions (Tasks)
22. Trusted Extensions Auditing (Overview)
23. Software Management in Trusted Extensions (Reference)
Creating and Managing a Security Policy
Site Security Policy and Trusted Extensions
Computer Security Recommendations
Physical Security Recommendations
Personnel Security Recommendations
Additional Security References
B. Configuration Checklist for Trusted Extensions
Checklist for Configuring Trusted Extensions
C. Quick Reference to Trusted Extensions Administration
Administrative Interfaces in Trusted Extensions
Oracle Solaris Interfaces Extended by Trusted Extensions
Tighter Security Defaults in Trusted Extensions
Limited Options in Trusted Extensions
D. List of Trusted Extensions Man Pages
Trusted Extensions Man Pages in Alphabetical Order
Oracle Solaris Man Pages That Are Modified by Trusted Extensions
The following task map describes common configuration procedures that are related to labeled printing. For more information, see Chapter 15, Setting Up and Administering Printers by Using CUPS (Tasks), in Oracle Solaris Administration: Common Tasks.
Note - Printer clients can only print jobs within the label range of the Trusted Extensions print server.
|
Before You Begin
The zone must not be sharing an IP address with the global zone. You must be in the System Administrator role in the global zone.
For details, see How to Add a Workspace at Your Minimum Label in Trusted Extensions User’s Guide.
For details, see How to Change the Label of a Workspace in Trusted Extensions User’s Guide.
For example, the following specifications create an appropriate labeled sheet:
#CUPS-BANNER for INTERNAL print jobs Show job-id job-name job-originating-user-name job-originating-host-name job-billing Header CONFIDENTIAL : INTERNAL USE ONLY Footer CONFIDENTIAL : INTERNAL USE ONLY Image images/cups.png
Use the following command:
$ lpadmin -p printer -o job-sheets-default=labeled,labeled
The attached printers can print jobs only at the label of the zone.
Note - For security reasons, files with an administrative label, ADMIN_HIGH or ADMIN_LOW, print ADMIN_HIGH on the body of the printout. The banner and trailer pages are labeled with the highest label and compartments in the label_encodings file.
As root and as a regular user, perform the following steps:
See Also
Prevent labeled output – Reducing Printing Restrictions in Trusted Extensions (Task Map)
Use this zone as a print server – How to Enable a Trusted Extensions Client to Access a Printer
Printers that are managed by a Trusted Extensions print server print labels on body pages, banner pages, and trailer pages. Such printers can print jobs within the label range of the print server. Any Trusted Extensions host that can reach the print server can use the printers that are connected to that server.
Before You Begin
Determine the print server for your Trusted Extensions network. You must be in the System Administrator role in the global zone on this print server.
# tncfg -z global add mlp_shared=515/tcp # tncfg -z global add mlp_private=515/tcp
# lpadmin -p printer-name -v /dev/null \ -o protocol=tcp -o dest=printer-IP-address:9100 -T PS -I postscript # accept printer-name # enable printer-name
$ lpadmin -p printer -o job-sheets-default=labeled,labeled
If the default printer label range of ADMIN_LOW to ADMIN_HIGH is acceptable for every printer, then your label configuration is done.
Use the all-zones IP address for the global zone as the print server.
# zlogin -C labeled-zone
This file connects to the cupsd daemon in the global zone for print service. Modify this file to include the print server name and its IP address. For information about the configuration file, see the client.conf(5) man page.
# lpadmin -d printer-name
As root and as a regular user, perform the following steps:
See Also
Limit printer label range – How to Configure a Restricted Label Range for a Printer
Prevent labeled output – Reducing Printing Restrictions in Trusted Extensions (Task Map)
Use this zone as a print server – How to Enable a Trusted Extensions Client to Access a Printer
Initially, only the zone in which a print server was configured can print to the printers of that print server. The system administrator must explicitly add access to those printers for other zones and systems. The possibilities are as follows:
For a global zone, add access to the printers that are connected to a global zone on a different system.
For a labeled zone, add access to the printers that are connected to the global zone of its system.
For a labeled zone, add access to a printer that a remote zone at the same label is configured for.
For a labeled zone, add access to the printers that are connected to a global zone on a different system.
Before You Begin
A print server has been configured with a label range or a single label, and the printers that are connected to it have been configured. For details, see the following:
You must be in the System Administrator role in the global zone.
$ lpadmin -s printer
For details, see How to Change the Label of a Workspace in Trusted Extensions User’s Guide.
$ lpadmin -s printer
The labels of the zones must be identical.
$ lpadmin -s printer
The label of the zone must be identical to the label of the print server.
For details, see How to Change the Label of a Workspace in Trusted Extensions User’s Guide.
$ lpadmin -s printer
Note - For security reasons, files with an administrative label, ADMIN_HIGH or ADMIN_LOW, print ADMIN_HIGH on the body of the printout. The banner and trailer pages are labeled with the highest label and compartments in the label_encodings file.
On every client, test that printing works for root and roles in the global zone and for root, roles, and regular users in labeled zones.
The default printer label range is ADMIN_LOW to ADMIN_HIGH. This procedure narrows the label range for a printer that is controlled by a Trusted Extensions print server.
Before You Begin
You must be in the Security Administrator role in the global zone.
Choose the Allocate Device option from the Trusted Path menu.
If the printer is attached to your system, find the name of the printer.
Choose a label from the label builder. For information about the label builder, see Label Builder in Trusted Extensions.