3.4. Configuring Oracle Solaris 10 Trusted Extensions

3.4.1. How to Configure a Private Network on Oracle Solaris 10 Trusted Extensions
3.4.2. How to Configure Shared Multilevel Ports (MLP) for Sun Ray Services
3.4.3. How to Increase the Number of X Server Ports
3.4.4. How to Configure the Windows Connector on Oracle Solaris Trusted Extensions

This section provides the procedures that may be required when using Sun Ray Software on Oracle Solaris 10 Trusted Extensions. For more information, refer to the Oracle Solaris 10 8/11 Trusted Extensions Administrator's Procedures.

Oracle Solaris 10 uses zones to permit multiple virtualized operating system environments to coexist in a single instance of Oracle Solaris, allowing processes to run in isolation from other activity on the system for added security and control. Sun Ray Software is supported only in the global zone.

Based on your Sun Ray environment, perform the following procedures as root from ADMIN_LOW (global zone).

3.4.1. How to Configure a Private Network on Oracle Solaris 10 Trusted Extensions

This procedure is required if your Sun Ray server is configured on a private network. See Chapter 19, Alternate Network Configurations for more information.

Use the Solaris Management Console (SMC) Security Templates to assign the cipso template to the Sun Ray server, and assign all other Sun Ray devices on the network the admin_low label. The admin_low template is assigned to the range of IP addresses you plan to use with the utadm command.

The /etc/security/tsol/tnrhdb file should contain the following entries when you finish:

    192.168.128.1:cipso
    192.168.128.0:admin_low

  1. Become root from ADMIN_LOW (global zone).

  2. Start the Solaris Management Console (SMC).

    # smc &

  3. Make the following selections:

    1. In the SMC, select Management Tools > Select hostname:Scope=Files, Policy=TSOL.

    2. Select System Configuration > Computers and Networks > Security Templates > cipso.

    3. From the menu bar, choose Action > Properties > Hosts Assigned to Template.

    4. Select Host and type the IP Address of the Sun Ray interconnect (for example, 192.168.128.1).

    5. Click Add and then OK.

    6. Select System Configuration > Computers and Networks > Security Families > admin_low.

    7. From the menu bar, choose Action > Properties > Hosts Assigned to Template.

    8. Select Wildcard.

    9. Type the IP Address of the Sun Ray Interconnect Network (192.168.128.0).

    10. Click Add and then OK.

  4. Assign all Sun Ray servers in the failover group a cipso label.

    1. Select System Configuration > Computers and Networks > Security Families > cipso.

    2. From the menu bar, choose Action > Properties > Hosts Assigned to Template.

    3. Select Host and type the IP Address of the other Sun Ray server.

    4. Click Add and then OK.

  5. Reboot the Sun Ray server.

    # /usr/sbin/reboot

3.4.2. How to Configure Shared Multilevel Ports (MLP) for Sun Ray Services

A shared multilevel port has to be added to the global zone for Sun Ray services in order to have access from a labeled zone.

  1. Become root from ADMIN_LOW (global zone).

  2. Start the Solaris Management Console (SMC).

    # smc &

  3. Go to Management Tools.

  4. Select hostname:Scope=Files, Policy=TSOL.

  5. Select System Configuration > Computers and Networks > Trusted Network Zones > global.

  6. From the menu bar, choose Action > Properties.

  7. Click Add under Multilevel Ports for Shared IP Addresses.

  8. Add 7007 as Port Number, select TCP as Protocol, and click OK.

  9. Repeat the previous step for ports 4120, 7010, and 7015.

  10. Restart network services by running the following command:

    # svcadm restart svc:/network/tnctl

  11. Verify that these ports are listed as shared ports by running the following command:

    # /usr/sbin/tninfo -m global

  12. Reboot the Sun Ray server.

    # /usr/sbin/reboot

3.4.3. How to Increase the Number of X Server Ports

The default entry in /etc/security/tsol/tnzonecfg makes three displays available (6001-6003). Increase the number of available X server ports as your requirements dictate.

  1. Become root from ADMIN_LOW (global zone).

  2. Start the Solaris Management Console (SMC).

    # smc &

  3. Go to Management Tools.

  4. Select hostname:Scope=Files, Policy=TSOL option.

  5. Select System Configuration > Computers and Networks > Trusted Network Zones > global.

  6. From the menu bar, choose Action > Properties.

  7. Under Multilevel Ports for Zone's IP Addresses, select 6000-6003/tcp.

  8. Click Remove.

  9. Choose Add > Enable Specify A Port Range.

  10. Type 6000 in Begin Port Range Number and 6050 (for 50 displays) in End Port Range Number.

  11. Select TCP as the Protocol.

  12. Click OK.

  13. Reboot the Sun Ray server.

    # /usr/sbin/reboot
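The following check script is an added example, not from the Sun Ray documentation or Oracle's own tools. It parses /etc/security/tsol/tnzonecfg directly and confirms that the global zone carries the shared MLPs from 3.4.2 and the X display range from 3.4.3; it assumes the tnzonecfg(4) line format zone:label:flag:zone-specific MLPs:shared MLPs with ';' between entries, and supplements rather than replaces the tninfo -m global check above.

```shell
#!/bin/sh
# Added check script, not from the Sun Ray documentation. It parses the
# tnzonecfg file (assumed tnzonecfg(4) format: zone:label:flag:zone-specific
# MLPs:shared MLPs, entries separated by ';') for the global zone's MLPs.
TNZONECFG=${TNZONECFG:-/etc/security/tsol/tnzonecfg}

# mlp_field FILE ZONE N: print field N of ZONE's line (4 = zone-specific
# MLPs, 5 = shared MLPs).
mlp_field() {
    awk -F: -v z="$2" -v f="$3" '$1 == z { print $f; exit }' "$1"
}

# port_covered MLPLIST PORT PROTO: succeed when PORT/PROTO is a single entry
# or falls inside a range in MLPLIST, e.g. "6000-6050/tcp;7014/tcp".
port_covered() {
    echo "$1" | tr ';' '\n' | awk -F/ -v p="$2" -v proto="$3" '
        $2 == proto {
            n = split($1, r, "-"); lo = r[1]; hi = (n == 2) ? r[2] : r[1]
            if (p + 0 >= lo + 0 && p + 0 <= hi + 0) ok = 1
        }
        END { exit (ok ? 0 : 1) }'
}

# missing_shared_mlps FILE ZONE PORT...: print each TCP port absent from the
# zone's shared MLP list; succeed only when none is missing.
missing_shared_mlps() {
    file=$1; zone=$2; shift 2
    list=$(mlp_field "$file" "$zone" 5); rc=0
    for port in "$@"; do
        port_covered "$list" "$port" tcp || { echo "$port/tcp"; rc=1; }
    done
    return $rc
}

# x_display_count FILE ZONE: X displays the zone-specific TCP range allows
# (displays start at :1 = port 6001, so the default 6000-6003 gives 3).
x_display_count() {
    mlp_field "$1" "$2" 4 | tr ';' '\n' | awk -F/ '$2 == "tcp" && split($1, r, "-") == 2 &&
        r[1] + 0 <= 6001 && r[2] + 0 >= 6001 { print r[2] - 6000; exit }'
}

# Stand-alone run: the 3.4.2 ports plus 7014 (uttscpd, added in 3.4.4).
if [ -r "$TNZONECFG" ]; then
    missing=$(missing_shared_mlps "$TNZONECFG" global 7007 4120 7010 7015 7014) \
        && echo "global: all Sun Ray shared MLPs present" \
        || echo "global: shared MLPs missing: $(echo $missing)"
    echo "global: X displays available: $(x_display_count "$TNZONECFG" global)"
fi
```

Port 7014 is included because 3.4.4 makes it a shared MLP as well; drop it from the list if the Windows connector is not used.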

3.4.4. How to Configure the Windows Connector on Oracle Solaris Trusted Extensions

This procedure describes how to configure the Windows connector on Oracle Solaris Trusted Extensions.

For the Windows connector to function properly on an Oracle Solaris Trusted Extensions server, the Windows terminal server must be made available at the desired level.

  1. As superuser, open a shell window on the Sun Ray server.

    To avoid errors that can occur if user environment settings are carried forward, use the following command:

    % su - root

  2. Make a Windows system available to the public template.

    1. Start the Solaris Management Console.

      # smc &

    2. Make the following selections under Management Tools:

      1. Select hostname:Scope=Files, Policy=TSOL.

      2. Select System Configuration > Computers and Networks > Security Templates > public.

    3. Choose Action > Properties > Hosts Assigned to Template.

    4. Select Host.

    5. Type the IP Address of the Windows system, for example, 10.6.100.100.

    6. Click Add.

    7. Click OK.

  3. Configure port 7014 as a shared multilevel port for the uttscpd daemon.

    1. If the Solaris Management Console is not already running, start it:

      # smc &

    2. Select hostname:Scope=Files, Policy=TSOL.

    3. Select System Configuration > Computers and Networks > Trusted Network Zones > global.

    4. Choose Action > Properties.

    5. Enable ports by clicking Add under Multilevel Ports for Shared IP Addresses.

    6. Add 7014 as Port Number, select TCP as the Protocol, and click OK.

    7. Restart network services.

      # svcadm restart svc:/network/tnctl

    8. Verify that this port is listed as a shared port.

      # /usr/sbin/tninfo -m global

  4. Create entries for the uttscpd daemon in each local zone.

    The /etc/services file entry for the SRWC proxy daemon is created automatically in the global zone at configuration time. Corresponding entries need to be created in the local zones.

    These entries can be created manually or by loopback-mounting the global zone /etc/services file into the local zones for read access.

    To create the entry manually, insert the following line in the local zone's /etc/services file.

    uttscpd 7014/tcp # SRWC proxy daemon

  5. Loopback mount the /etc/opt/SUNWuttsc directory in each local zone. The following example shows how to do this for the local zone named public.

    # zoneadm -z public halt
    # zonecfg -z public
    
    zonecfg:public> add fs
    zonecfg:public:fs> set dir=/etc/opt/SUNWuttsc
    zonecfg:public:fs> set special=/etc/opt/SUNWuttsc
    zonecfg:public:fs> set type=lofs
    zonecfg:public:fs> end
    
    # zoneadm -z public boot

  6. (Optional) For TLS peer verification to work, make sure the CA certificates to be trusted are available under the /etc/sfw/openssl/certs folder in each local zone.

  7. Reboot the Sun Ray server.

    # /usr/sbin/reboot
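A per-zone post-check for steps 4 to 6, added here as an example and not part of the Sun Ray documentation. It assumes the zone's root filesystem is <zonepath>/root with the zonepath taken from field 4 of zoneadm list -p, and that zonecfg info fs prints each resource as an unindented header line followed by indented dir: and type: lines, as on Solaris 10.

```shell
#!/bin/sh
# Added post-check for steps 4 to 6, not from the Sun Ray documentation.
# Assumes the zone root is <zonepath>/root with zonepath = field 4 of
# `zoneadm list -p`, and the `zonecfg info fs` layout parsed below.

# has_uttscpd_entry SERVICES_FILE: succeed when the SRWC proxy line exists.
has_uttscpd_entry() {
    grep -Eq '^[[:space:]]*uttscpd[[:space:]]+7014/tcp([[:space:]]|$)' "$1"
}

# lofs_mount_configured: reads `zonecfg -z ZONE info fs` output on stdin and
# succeeds when a resource block has dir /etc/opt/SUNWuttsc and type lofs.
lofs_mount_configured() {
    awk '
        /^[^ \t]/     { dir = ""; type = "" }   # unindented line: new resource block
        $1 == "dir:"  { dir = $2 }
        $1 == "type:" { type = $2 }
        dir == "/etc/opt/SUNWuttsc" && type == "lofs" { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# check_zone_root ZONEROOT: file checks under a zone root directory; prints
# one line per finding and succeeds only when the services entry is present.
check_zone_root() {
    rc=0
    if has_uttscpd_entry "$1/etc/services"; then
        echo "ok: uttscpd 7014/tcp present in $1/etc/services"
    else
        echo "MISSING: uttscpd 7014/tcp in $1/etc/services"; rc=1
    fi
    if [ -d "$1/etc/sfw/openssl/certs" ]; then
        echo "ok: CA certificate directory $1/etc/sfw/openssl/certs exists"
    else
        echo "note: no $1/etc/sfw/openssl/certs (needed only for TLS peer verification)"
    fi
    return $rc
}

# Stand-alone run: sh check_zone.sh <zone>, e.g. sh check_zone.sh public
if [ -n "${1:-}" ]; then
    zone=$1
    zoneroot=$(zoneadm -z "$zone" list -p | cut -d: -f4)/root
    check_zone_root "$zoneroot"
    if zonecfg -z "$zone" info fs | lofs_mount_configured; then
        echo "ok: /etc/opt/SUNWuttsc is loopback-mounted in zone $zone"
    else
        echo "MISSING: lofs mount of /etc/opt/SUNWuttsc in zone $zone"
    fi
fi
```

Run it while the zone is booted: a loopback-mounted /etc/services is only visible under the zone root while the mount is active, so a halted zone shows the underlying file instead.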