Task Map: Configuring Trusted Extensions
For a secure installation, create roles early in the configuration process. The order of tasks when roles configure the system is shown in the following task map.
1. Protect machine hardware by requiring a password to change hardware settings.

2. Configure labels. Labels must be configured for your site. If you plan to use the default label_encodings file, you can skip this task.

3. If you are running an IPv6 network, modify the /etc/system file to enable IP to recognize labeled packets.

4. If you plan to use a Solaris ZFS snapshot to clone zones, create the ZFS pool. ZFS is derived from, and is an acronym for, "zettabyte file system".

5. Boot to activate a labeled environment. Upon login, you are in the global zone. The system's label_encodings file enforces mandatory access control (MAC).

6. Initialize the Solaris Management Console. This GUI is used to label zones, among other tasks.

Skip the next set of tasks if you are using local files to administer the system.

7. If you plan to use files to administer Trusted Extensions, you can skip the following tasks. No configuration is required for the files naming service.

8. If you have an existing Sun Java System Directory Server (LDAP server), add Trusted Extensions databases to the server. Then make your first Trusted Extensions system a proxy of the LDAP server. If you do not have an LDAP server, configure your first system as the server.

9. Manually set up an LDAP toolbox for the Solaris Management Console. The toolbox can be used to modify Trusted Extensions attributes on network objects.

10. For systems that are not the LDAP server or the proxy server, make them LDAP clients.

11. Run the txzonemgr command. Follow the menus to configure the network interfaces, then create and customize the first labeled zone. After all zones are successfully customized, you can add zone-specific network addresses to the labeled zones. Alternatively, use Trusted CDE actions.

Many of the next set of tasks are described in Solaris Trusted Extensions Administrator's Procedures.

12. Identify additional remote hosts that require a label, one or more multilevel ports, or a different control message policy.

13. Create a multilevel home directory server, then automount the installed zones.

14. Configure auditing, mount file systems, and perform other tasks before enabling users to log in to the system.

15. Add users from an NIS environment to your LDAP server.

16. Add a host and its labeled zones to the LDAP server.