Trusted Extensions Configuration and Administration (Oracle Solaris 11.1 Information Library)

Configuring the Network Interfaces in Trusted Extensions

Your Trusted Extensions system does not require a network to run a desktop with a directly connected bitmapped display, such as a laptop or workstation. However, network configuration is required to communicate with other systems. By using the txzonemgr GUI, you can easily configure the labeled zones and the global zone to connect to other systems. For a description of the configuration options for labeled zones, see Access to Labeled Zones. The following task map describes and links to network configuration tasks.

Task: Configure a default system for regular users.
    The system has one IP address and uses an all-zones interface to communicate between the labeled zones and the global zone. The same IP address is used to communicate with remote systems.

Task: Add an IP address to the global zone.
    The system has more than one IP address and uses the global zone's exclusive IP address to reach a private subnet. The labeled zones cannot reach this subnet.

Task: Assign an IP address to every zone, where the zones share the IP stack.
    The system has more than one IP address. In the simplest case, the zones share a physical interface.

Task: Add an all-zones interface to the IP instance per zone.
    The system can offer its labeled zones privileged services that are protected from remote attack.

Task: Assign an IP address to every zone, where the IP stack is exclusive.
    One IP address is assigned to every zone, including the global zone. A VNIC is created for each labeled zone.

Task: Connect the zones to remote zones.
    This task configures the network interfaces of the labeled zones and the global zone to reach remote systems at the same label.

Task: Run a separate nscd daemon per zone.
    In an environment where each subnet has its own name server, this task configures one nscd daemon per zone.

How to Share a Single IP Address With All Zones

This procedure enables every zone on the system to use one IP address, the IP address of the global zone, to reach other identically labeled zones or hosts. This configuration is the default. You must complete this procedure if you have configured the network interfaces differently, and want to return the system to the default network configuration.

Before You Begin

You must be in the root role in the global zone.

  1. Run the txzonemgr command without any options.
    # txzonemgr &

    The list of zones is displayed in the Labeled Zone Manager. For information about this GUI, see How to Create Labeled Zones Interactively.

  2. Double-click the global zone.
  3. Double-click Configure Network Interfaces.

    A list of interfaces is displayed. Look for an interface that is listed with the following characteristics:

    • Type of phys

    • IP address of your hostname

    • State of up

  4. Select the interface that corresponds to your hostname.
  5. From the list of commands, select Share with Shared-IP Zones.

    All zones can use this shared IP address to communicate with remote systems at their label.

  6. Click Cancel to return to the zone command list.

Next Steps

To configure the system's external network, go to How to Connect a Trusted Extensions System to Other Trusted Extensions Systems.

How to Add an IP Instance to a Labeled Zone

This procedure is required if you use a shared IP stack and per-zone addresses, and you plan to connect the labeled zones to labeled zones on other systems on the network.

In this procedure, you create an IP instance, that is, a per-zone address, for one or more labeled zones. The labeled zones use their per-zone address to communicate with identically labeled zones on the network.

Before You Begin

You must be in the root role in the global zone.

The list of zones is displayed in the Labeled Zone Manager. To open this GUI, see How to Create Labeled Zones Interactively. The labeled zone that you are configuring must be halted.

  1. In the Labeled Zone Manager, double-click a labeled zone to which to add an IP instance.
  2. Double-click Configure Network Interfaces.

    A list of configuration options is displayed.

  3. Select Add an IP instance.
  4. If your system has more than one IP address, choose the entry with the desired interface.
  5. For this labeled zone, supply an IP address and a prefix count.

    For example, type 192.168.1.2/24. If you do not append the prefix count, you are prompted for a netmask. The equivalent netmask for this example is 255.255.255.0.

  6. Click OK.
  7. To add a default router, double-click the entry that you just added.

    At the prompt, type the IP address of the router, and click OK.

    Note - To remove or modify the default router, remove the entry, then create the IP instance again.

  8. Click Cancel to return to the zone command list.

Next Steps

To configure the system's external network, go to How to Connect a Trusted Extensions System to Other Trusted Extensions Systems.

How to Add a Virtual Network Interface to a Labeled Zone

This procedure is required if you use an exclusive IP stack and per-zone addresses, and you plan to connect the labeled zones to labeled zones on other systems on the network.

In this procedure, you create a VNIC and assign it to a labeled zone.

Before You Begin

You must be in the root role in the global zone.

The list of zones is displayed in the Labeled Zone Manager. To open this GUI, see How to Create Labeled Zones Interactively. The labeled zone that you are configuring must be halted.

  1. In the Labeled Zone Manager, double-click the labeled zone to which you want to add a virtual interface.
  2. Double-click Configure Network Interfaces.

    A list of configuration options is displayed.

  3. Double-click Add a virtual interface (VNIC).

    If your system has more than one VNIC card, more than one choice is displayed. Choose the entry with the desired interface.

  4. Assign a host name, or assign an IP address and a prefix count.

    For example, type 192.168.1.2/24. If you do not append the prefix count, you are prompted for a netmask. The equivalent netmask for this example is 255.255.255.0.

  5. To add a default router, double-click the entry that you just added.

    At the prompt, type the IP address of the router, and click OK.

    Note - To remove or modify the default router, remove the entry, then create the VNIC again.

  6. Click Cancel to return to the zone command list.

    The VNIC entry is displayed. The system assigns the name zonename_n, as in internal_0.
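
The address form that step 5 of the IP-instance procedure and step 4 of the VNIC procedure accept (ADDR/PREFIX, with a netmask prompt when the prefix count is omitted), worked through in POSIX shell as an added example that is not part of the Oracle guide; subnet_of also gives the subnetwork address that the later netstat -rn route check should list. All function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): shell helpers that mirror how the
# "Add an IP instance" and "Add a virtual interface (VNIC)" steps accept an
# address. The input is ADDR/PREFIX (for example 192.168.1.2/24); when the
# prefix count is omitted, a netmask must be supplied, just as the GUI prompts
# for one. subnet_of gives the subnetwork that 'netstat -rn' should later list.

# Print a 32-bit integer as a dotted-decimal IPv4 string.
int_to_ip() {
    printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
                           $(( ($1 >> 8) & 255 ))  $(( $1 & 255 ))
}

# Print a dotted-decimal IPv4 string as a 32-bit integer (input assumed valid).
ip_to_int() {
    ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

# Return 0 if $1 is four dotted decimal octets, each in 0-255.
valid_ipv4() {
    case $1 in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    ( IFS=.; set -- $1; [ $# -eq 4 ] || exit 1
      for o; do [ "$o" -le 255 ] || exit 1; done )
}

# Convert a prefix count (0-32) to its netmask; 24 gives 255.255.255.0.
prefix_to_netmask() {
    { [ "$1" -ge 0 ] && [ "$1" -le 32 ]; } 2>/dev/null || return 1
    int_to_ip $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# Parse ADDR[/PREFIX] [NETMASK] and print "ADDR NETMASK" on success.
parse_address() {
    case $1 in
        */*) addr=${1%/*}; netmask=$(prefix_to_netmask "${1#*/}") || return 1 ;;
        *)   addr=$1; netmask=$2
             # No prefix count: the GUI would now prompt for the netmask.
             valid_ipv4 "$netmask" || return 1 ;;
    esac
    valid_ipv4 "$addr" || return 1
    printf '%s %s\n' "$addr" "$netmask"
}

# Subnetwork address (ADDR AND NETMASK): 192.168.1.2 255.255.255.0 -> 192.168.1.0
subnet_of() {
    int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
}
```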

Next Steps

To configure the system's external network, go to How to Connect a Trusted Extensions System to Other Trusted Extensions Systems.

How to Connect a Trusted Extensions System to Other Trusted Extensions Systems

In this procedure, you define your Trusted Extensions network by adding remote hosts to which your Trusted Extensions system can connect.

Before You Begin

The Labeled Zone Manager is displayed. To open this GUI, see How to Create Labeled Zones Interactively. You are in the root role in the global zone.

  1. In the Labeled Zone Manager, double-click the global zone.
  2. Select Add Multilevel Access to Remote Host.
    1. Type the IP address of another Trusted Extensions system.
    2. Run the corresponding commands on the other Trusted Extensions system.
  3. Click Cancel to return to the zone command list.
  4. In the Labeled Zone Manager, double-click a labeled zone.
  5. Select Add Access to Remote Host.
    1. Type the IP address of the identically labeled zone on another Trusted Extensions system.
    2. Run the corresponding commands in the zone of the other Trusted Extensions system.

How to Configure a Separate Name Service for Each Labeled Zone

This procedure configures a separate name service daemon (nscd) in each labeled zone. This configuration supports environments where each zone is connected to a subnetwork that runs at the label of the zone, and the subnetwork has its own naming server for that label. In a labeled zone, if you plan to install packages that require a user account at that label, you might configure a separate name service per zone. For background information, see Applications That Are Restricted to a Labeled Zone and Decisions to Make Before Creating Users in Trusted Extensions.

Before You Begin

The Labeled Zone Manager is displayed. To open this GUI, see How to Create Labeled Zones Interactively. You are in the root role in the global zone.

  1. In the Labeled Zone Manager, select Configure per-zone name service, and click OK.

    Note - This option is intended to be used once, during initial system configuration.

  2. Configure each zone's nscd service.

    For assistance, see the nscd(1M) man page.

  3. Reboot the system.
    # /usr/sbin/reboot

    After the reboot, the account of the user who assumed the root role to run the Labeled Zone Manager in Step 1 is configured in each zone. Other accounts that are specific to a labeled zone must be manually added to the zone.


    Note - Accounts that are stored in the LDAP repository are still managed from the global zone.

  4. For every zone, verify the route and the name service daemon.
    1. In the Zone Console, list the nscd service.
      zone-name # svcs -x name-service/cache
      svc:/system/name-service/cache:default (name service cache)
       State: online since September 10, 2012  10:10:12 AM PDT
         See: nscd(1M)
         See: /var/svc/log/system-name-service-cache:default.log
      Impact: None.
    2. Verify the route to the subnetwork.
      zone-name # netstat -rn
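
A scripted form of the step 4 verification, as an added example that is not part of the Oracle guide: two awk checks parse the output of svcs -x and netstat -rn, and check_zone combines them into one verdict per zone. The sample output, the zone name internal and the subnetwork 192.168.1.0 are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): checks that parse the output of
# the two verification commands in step 4, 'svcs -x name-service/cache' and
# 'netstat -rn'. The samples below are constructed so the checks run offline;
# in a zone console you would pipe the live command output instead.

# Constructed sample: the cache service as shown by svcs -x in a labeled zone.
SVCS_SAMPLE='svc:/system/name-service/cache:default (name service cache)
 State: online since September 10, 2012  10:10:12 AM PDT
   See: nscd(1M)
   See: /var/svc/log/system-name-service-cache:default.log
Impact: None.'

# Constructed sample: netstat -rn in the same zone, which has the per-zone
# address 192.168.1.2/24 and a default router of 192.168.1.1.
NETSTAT_SAMPLE='Routing Table: IPv4
  Destination           Gateway           Flags  Ref     Use     Interface
-------------------- -------------------- ----- ----- ---------- ---------
default              192.168.1.1          UG        2       1234
192.168.1.0          192.168.1.2          U         3        567 net0
127.0.0.1            127.0.0.1            UH        2          0 lo0'

# Return 0 if the svcs -x output on stdin reports the service online.
nscd_online() {
    awk '$1 == "State:" && $2 == "online" { found = 1 } END { exit !found }'
}

# Return 0 if the netstat -rn output on stdin has a route whose destination
# is $1 (the zone's subnetwork, e.g. 192.168.1.0, or "default").
route_present() {
    awk -v dest="$1" '$1 == dest { found = 1 } END { exit !found }'
}

# Run both checks for one zone: print a verdict and return 0 only when nscd is
# online and the route to the subnetwork exists.
# usage: check_zone ZONE SUBNET SVCS_OUTPUT NETSTAT_OUTPUT
check_zone() {
    zone=$1 subnet=$2 status=0
    printf '%s\n' "$3" | nscd_online || { echo "$zone: nscd is not online"; status=1; }
    printf '%s\n' "$4" | route_present "$subnet" || { echo "$zone: no route to $subnet"; status=1; }
    [ "$status" -eq 0 ] && echo "$zone: OK"
    return "$status"
}

# Offline run against the constructed samples; live use in a zone console:
#   check_zone "$(zonename)" 192.168.1.0 "$(svcs -x name-service/cache)" "$(netstat -rn)"
check_zone internal 192.168.1.0 "$SVCS_SAMPLE" "$NETSTAT_SAMPLE"
```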

Example 4-3 Removing a Name Service Cache From Each Labeled Zone

After testing one name service daemon per zone, the system administrator decides to remove the name service daemons from the labeled zones and run the daemon in the global zone only. To return the system to the default name service configuration, the administrator opens the txzonemgr GUI, selects the global zone, and selects Unconfigure per-zone name service, then OK. This selection removes the nscd daemon in every labeled zone. Then, the administrator reboots the system.

Next Steps

When configuring user and role accounts for each zone, you have three options.

Separately configuring a name service daemon in each labeled zone has password implications for all users. Users must authenticate themselves to gain access to any of their labeled zones, including the zone that corresponds to their default label. Furthermore, either the administrator must create accounts locally in each zone, or the accounts must exist in an LDAP directory where the zone is an LDAP client.

In the special case where an account in the global zone is running the Labeled Zone Manager, txzonemgr, the account's information is copied into the labeled zones so that at least that account is able to log in to each zone. By default, this account is the initial user account.