Trusted Extensions Configuration and Administration     Oracle Solaris 11 Information Library
Configuring Labeled Printing (Task Map)

The following task map describes common configuration procedures that are related to labeled printing. For more information, see Chapter 15, Setting Up and Administering Printers by Using CUPS (Tasks), in Oracle Solaris Administration: Common Tasks.


Note - Printer clients can only print jobs within the label range of the Trusted Extensions print server.


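| Task | Description | For Instructions |
|------|-------------|------------------|
| Configure printing from the global zone. | Creates a multilevel print server in the global zone. | How to Configure a Multilevel Print Server and Its Printers |
| Configure printing from a labeled zone. | Creates a single-label print server for a labeled zone. | How to Configure a Zone As a Single-Level Print Server |
| Configure a multilevel print client. | Connects a Trusted Extensions host to a printer. | How to Enable a Trusted Extensions Client to Access a Printer |
| Restrict the label range of a printer. | Limits a Trusted Extensions printer to a narrow label range. | How to Configure a Restricted Label Range for a Printer |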

How to Configure a Zone As a Single-Level Print Server

Before You Begin

The zone must not be sharing an IP address with the global zone. You must be in the System Administrator role in the global zone.

  1. Add a workspace.

    For details, see How to Add a Workspace at Your Minimum Label in Trusted Extensions User’s Guide.

  2. Change the label of the new workspace to the label of the zone that will be the print server for that label.

    For details, see How to Change the Label of a Workspace in Trusted Extensions User’s Guide.

  3. Define the characteristics of every connected printer.
    1. At the label of the zone, edit the CUPS print server configuration file, /etc/cups/cupsd.conf.
  4. Assign the appropriate job sheet to each printer that is connected to the print server.

    For example, the following specifications create an appropriate labeled sheet:

    #CUPS-BANNER for INTERNAL print jobs
    Show job-id job-name job-originating-user-name job-originating-host-name job-billing
    Header CONFIDENTIAL : INTERNAL USE ONLY
    Footer CONFIDENTIAL : INTERNAL USE ONLY
    Image images/cups.png

    Use the following command:

    $ lpadmin -p printer -o job-sheets-default=labeled,labeled

    The attached printers can print jobs only at the label of the zone.

  5. Test the printer.

    Note - For security reasons, files with an administrative label, ADMIN_HIGH or ADMIN_LOW, print ADMIN_HIGH on the body of the printout. The banner and trailer pages are labeled with the highest label and compartments in the label_encodings file.


    As root and as a regular user, perform the following steps:

    1. Print plain files from the command line.
    2. Print files from your applications, such as Oracle Beehive, your browser, and your editor.
    3. Verify that labels print correctly.

How to Configure a Multilevel Print Server and Its Printers

Printers that are managed by a Trusted Extensions print server print labels on body pages, banner pages, and trailer pages. Such printers can print jobs within the label range of the print server. Any Trusted Extensions host that can reach the print server can use the printers that are connected to that server.

Before You Begin

Determine the print server for your Trusted Extensions network. You must be in the System Administrator role in the global zone on this print server.

  1. Enable multilevel printing by configuring the global zone with the print server port, 515/tcp.
    # tncfg -z global add mlp_shared=515/tcp
    # tncfg -z global add mlp_private=515/tcp
  2. Define the characteristics of every connected printer.
    # lpadmin -p printer-name -v /dev/null \
    -o protocol=tcp -o dest=printer-IP-address:9100 -T PS -I postscript
    # accept printer-name
    # enable printer-name
  3. Configure each printer that is connected to the print server with a labeled job sheet.
    $ lpadmin -p printer -o job-sheets-default=labeled,labeled

    If the default printer label range of ADMIN_LOW to ADMIN_HIGH is acceptable for every printer, then your label configuration is done.

  4. In every labeled zone where printing is allowed, configure the printer.

    Use the all-zones IP address for the global zone as the print server.

    1. Log in as root to the zone console of the labeled zone.
      # zlogin -C labeled-zone
    2. Create an /etc/cups/client.conf file in each labeled zone.

      This file connects to the cupsd daemon in the global zone for print service. Modify this file to include the print server name and its IP address. For information about the configuration file, see the client.conf(5) man page.

    3. (Optional) Set the printer as the default.
      # lpadmin -d printer-name
  5. In every labeled zone, test the printer.

    As root and as a regular user, perform the following steps:

    1. Print plain files from the command line.
    2. Print files from your applications, such as Oracle Beehive, your browser, and your editor.
    3. Verify that labels print correctly.
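
A post-configuration check for the two settings that the print server procedures above rely on: the labeled job sheets assigned with lpadmin (in both the single-level and the multilevel procedure) and the client.conf file in each labeled zone. This is an added example, not part of the Oracle documentation. It assumes the standard CUPS file formats, that is, JobSheets lines inside Printer blocks in printers.conf and a ServerName directive in client.conf; the printer names and addresses in the sample data are constructed.

```shell
#!/bin/sh
# Added example, not Oracle's code. Both checks read a file path, so they can
# be run against the live CUPS files or against copies.

# List printers in a printers.conf-format file whose banner and trailer job
# sheets are not both "labeled" (a printer with no JobSheets line is listed).
unlabeled_printers() {
    awk '
        /^<(Default)?Printer / { name = $2; sub(/>$/, "", name); sheets = ""; next }
        $1 == "JobSheets"      { sheets = $2 " " $3; next }
        /^<\/(Default)?Printer>/ { if (sheets != "labeled labeled") print name }
    ' "$1"
}

# Succeed only if a client.conf-format file has exactly one uncommented
# ServerName directive and its value equals the expected server (exact match).
client_points_to() {
    awk -v want="$2" '
        $1 == "ServerName" { n++; got = $2 }
        END { exit !(n == 1 && got == want) }
    ' "$1"
}

# Constructed sample data; printer names and 192.0.2.x addresses are made up.
dir=$(mktemp -d)
cat > "$dir/printers.conf" <<'EOF'
<Printer secret-ps>
DeviceURI socket://192.0.2.10:9100
JobSheets labeled labeled
</Printer>
<Printer lobby-ps>
DeviceURI socket://192.0.2.11:9100
JobSheets none none
</Printer>
<DefaultPrinter draft-ps>
JobSheets labeled none
</DefaultPrinter>
EOF
printf '# print service comes from the global zone\nServerName 192.0.2.1\n' \
    > "$dir/client.conf"

echo "Printers without labeled banner and trailer sheets:"
unlabeled_printers "$dir/printers.conf"
client_points_to "$dir/client.conf" 192.0.2.1 && echo "client.conf: OK"
rm -rf "$dir"
```

Run unlabeled_printers on the print server and client_points_to in each labeled zone, passing the all-zones IP address of the global zone as the expected server.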

How to Enable a Trusted Extensions Client to Access a Printer

Initially, only the zone in which a print server was configured can print to the printers of that print server. The system administrator must explicitly add access to those printers for other zones and systems. The possibilities are as follows:

Before You Begin

A print server has been configured with a label range or a single label, and the printers that are connected to it have been configured. For details, see the following:

You must be in the System Administrator role in the global zone.

  1. Complete the procedures that enable your systems to access a printer.
    • Configure the global zone on a system that is not a print server to use another system's global zone for printer access.
      1. On the system that does not have printer access, assume the System Administrator role.
      2. Add access to the printer that is connected to the Trusted Extensions print server.
        $ lpadmin -s printer
    • Configure a labeled zone to use its global zone for printer access.
      1. Change the label of the role workspace to the label of the labeled zone.

        For details, see How to Change the Label of a Workspace in Trusted Extensions User’s Guide.

      2. Add access to the printer.
        $ lpadmin -s printer
    • Configure a labeled zone to use another system's labeled zone for printer access.

      The labels of the zones must be identical.

      1. On the system that does not have printer access, assume the System Administrator role.
      2. Change the label of the role workspace to the label of the labeled zone.
      3. Add access to the printer that is connected to the print server of the remote labeled zone.
        $ lpadmin -s printer
    • Configure a labeled zone to use an unlabeled print server for printer access.

      The label of the zone must be identical to the label of the print server.

      1. On the system that does not have printer access, assume the System Administrator role.
      2. Change the label of the role workspace to the label of the labeled zone.

        For details, see How to Change the Label of a Workspace in Trusted Extensions User’s Guide.

      3. Add access to the printer that is connected to the arbitrarily labeled print server.
        $ lpadmin -s printer
  2. Test the printers.

    Note - For security reasons, files with an administrative label, ADMIN_HIGH or ADMIN_LOW, print ADMIN_HIGH on the body of the printout. The banner and trailer pages are labeled with the highest label and compartments in the label_encodings file.


    On every client, test that printing works for root and roles in the global zone and for root, roles, and regular users in labeled zones.

    1. Print plain files from the command line.
    2. Print files from your applications, such as Oracle Beehive, your browser, and your editor.
    3. Verify that labels print correctly.

How to Configure a Restricted Label Range for a Printer

The default printer label range is ADMIN_LOW to ADMIN_HIGH. This procedure narrows the label range for a printer that is controlled by a Trusted Extensions print server.

Before You Begin

You must be in the Security Administrator role in the global zone.

  1. Start the Device Manager.

    Choose the Allocate Device option from the Trusted Path menu.

  2. Click the Administration button to display the Device Administration dialog box.
  3. Type a name for the new printer.

    If the printer is attached to your system, find the name of the printer.

  4. Click the Configure button to display the Device Configuration dialog box.
  5. Change the printer's label range.
    1. Click the Min Label button to change the minimum label.

      Choose a label from the label builder. For information about the label builder, see Label Builder in Trusted Extensions.

    2. Click the Max Label button to change the maximum label.
  6. Save the changes.
    1. Click OK in the Configuration dialog box.
    2. Click OK in the Administration dialog box.
  7. Close the Device Manager.