Solaris Trusted Extensions Installation and Configuration for Solaris 10 11/06 and Solaris 10 8/07 Releases
1. Security Planning for Trusted Extensions
2. Installation and Configuration Roadmap for Trusted Extensions
3. Installing Solaris Trusted Extensions Software (Tasks)
4. Configuring Trusted Extensions (Tasks)
5. Configuring LDAP for Trusted Extensions (Tasks)
Configuring an LDAP Server on a Trusted Extensions Host (Task Map)
Configuring an LDAP Proxy Server on a Trusted Extensions Host (Task Map)
Configuring the Sun Java System Directory Server on a Trusted Extensions System
Collect Information for the Directory Server for LDAP
Install the Sun Java System Directory Server
Protect Access Logs for the Sun Java System Directory Server
Protect Error Logs for the Sun Java System Directory Server
Configure a Multilevel Port for the Sun Java System Directory Server
Creating a Trusted Extensions Proxy for an Existing Sun Java System Directory Server
Configuring the Solaris Management Console for LDAP (Task Map)
Register LDAP Credentials With the Solaris Management Console
Enable an LDAP Client to Administer LDAP
Edit the LDAP Toolbox in the Solaris Management Console
Verify That the Solaris Management Console Contains Trusted Extensions Information
6. Configuring a Headless System With Trusted Extensions (Tasks)
B. Using CDE Actions to Install Zones in Trusted Extensions
The LDAP naming service is the supported naming service for Trusted Extensions. If your site is not yet running the LDAP naming service, configure a Sun Java System Directory Server (Directory Server) on a system that is configured with Trusted Extensions. If your site is already running a Directory Server, then you need to add the Trusted Extensions databases to the server. To access the Directory Server, you then set up an LDAP proxy on a Trusted Extensions system.
Note - If you do not use this LDAP server as an NFS server or as a server for Sun Ray clients, then you do not need to install any labeled zones on this server.
The items are listed in the order of their appearance in the Sun Java Enterprise System Install Wizard.
The Directory Server packages are available from the Sun Software Gateway web site.
The FQDN is the Fully Qualified Domain Name. This name is a combination of the host name and the administration domain, as in:
192.168.5.5 myhost myhost.example-domain.com
Answer the questions by using the information from Collect Information for the Directory Server for LDAP.
In the following example, change the SERVER_ROOT and SERVER_INSTANCE variables to match your installation.
/etc/init.d/ldap.directory-myhost
---------------------------------------
#!/sbin/sh
SERVER_ROOT=/var/Sun/mps
SERVER_INSTANCE=myhost

case "$1" in
start)
    ${SERVER_ROOT}/slapd-${SERVER_INSTANCE}/start-slapd
    ;;
stop)
    ${SERVER_ROOT}/slapd-${SERVER_INSTANCE}/stop-slapd
    ;;
*)
    echo "Usage: $0 { start | stop }"
    exit 1
esac
exit 0

/usr/bin/ln \
/etc/init.d/ldap.directory-myhost \
/etc/rc2.d/S70ldap.directory-myhost
A subdirectory that is named slapd-server-hostname must exist.
# installation-directory/slapd-server-hostname/restart-slapd
# ps -ef | grep slapd
./ns-slapd -D installation-directory/slapd-server-instance -i installation-directory/slapd-server-instance/
For strategies to solve LDAP configuration problems, see Chapter 13, LDAP Troubleshooting (Reference), in System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).
The LDIF script that this procedure creates sets up the following rules for access logs:
Log events at log level 256 and create buffered logs (default).
Rotate logs daily.
Keep a maximum of 100 log files, and each file is at most 500 MBytes.
Expire log files that are older than 3 months.
Delete oldest logs if less than 500 MBytes free disk space is available.
All log files use a maximum of 20,000 MBytes of disk space.
Create a /var/tmp/logs-access.ldif file with the following content:
dn: cn=config
changetype: modify
replace: nsslapd-accesslog-logging-enabled
nsslapd-accesslog-logging-enabled: on
-
replace: nsslapd-accesslog-level
nsslapd-accesslog-level: 256
-
replace: nsslapd-accesslog-logbuffering
nsslapd-accesslog-logbuffering: on
-
replace: nsslapd-accesslog-logrotationtime
nsslapd-accesslog-logrotationtime: 1
-
replace: nsslapd-accesslog-logrotationtimeunit
nsslapd-accesslog-logrotationtimeunit: day
-
replace: nsslapd-accesslog-maxlogsize
nsslapd-accesslog-maxlogsize: 500
-
replace: nsslapd-accesslog-maxlogsperdir
nsslapd-accesslog-maxlogsperdir: 100
-
replace: nsslapd-accesslog-logexpirationtime
nsslapd-accesslog-logexpirationtime: 3
-
replace: nsslapd-accesslog-logexpirationtimeunit
nsslapd-accesslog-logexpirationtimeunit: month
-
replace: nsslapd-accesslog-logmaxdiskspace
nsslapd-accesslog-logmaxdiskspace: 20000
-
replace: nsslapd-accesslog-logminfreediskspace
nsslapd-accesslog-logminfreediskspace: 500

# ldapmodify -h localhost -D 'cn=directory manager' \
-f /var/tmp/logs-access.ldif
Enter bind password: Type the appropriate password
modifying entry cn=config
The LDIF script that this procedure creates sets up the following rules for the error logs:
Rotate logs weekly.
Keep a maximum of 30 log files, and each file is at most 500 MBytes.
Expire log files that are older than 3 months.
Delete oldest logs if less than 500 MBytes free disk space is available.
All log files use a maximum of 20,000 MBytes of disk space.
Create a /var/tmp/logs-error.ldif file with the following content:
dn: cn=config
changetype: modify
replace: nsslapd-errorlog-logging-enabled
nsslapd-errorlog-logging-enabled: on
-
replace: nsslapd-errorlog-logexpirationtime
nsslapd-errorlog-logexpirationtime: 3
-
replace: nsslapd-errorlog-logexpirationtimeunit
nsslapd-errorlog-logexpirationtimeunit: month
-
replace: nsslapd-errorlog-logrotationtime
nsslapd-errorlog-logrotationtime: 1
-
replace: nsslapd-errorlog-logrotationtimeunit
nsslapd-errorlog-logrotationtimeunit: week
-
replace: nsslapd-errorlog-maxlogsize
nsslapd-errorlog-maxlogsize: 500
-
replace: nsslapd-errorlog-maxlogsperdir
nsslapd-errorlog-maxlogsperdir: 30
-
replace: nsslapd-errorlog-logmaxdiskspace
nsslapd-errorlog-logmaxdiskspace: 20000
-
replace: nsslapd-errorlog-logminfreediskspace
nsslapd-errorlog-logminfreediskspace: 500

# ldapmodify -h localhost -D 'cn=directory manager' \
-f /var/tmp/logs-error.ldif
Enter bind password: Type the appropriate password
modifying entry cn=config
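The two ldapmodify runs above set the policy but show nothing afterwards, and a value that was mistyped in the LDIF (or later changed through the console) is invisible until a log fills a disk. The script below is an added example, not part of the Sun documentation: it generates the cn=config LDIF for either log type from a single policy table (the same values as logs-access.ldif and logs-error.ldif) and then compares a dump of the server's cn=config attributes against that table. It assumes the dump is "attribute: value" lines as printed by ldapsearch -b cn=config -s base; a constructed dump is embedded so the check runs offline.

```shell
#!/bin/sh
# Added example (not from the Sun documentation): build the cn=config log-policy
# LDIF from one table and verify a cn=config attribute dump against it.
# Assumption: the dump to verify comes from something like
#   ldapsearch -h localhost -D 'cn=directory manager' -b cn=config -s base \
#       '(objectclass=*)' | grep '^nsslapd-\(access\|error\)log'
# A constructed dump is written below so the script runs without a server.

# Intended policy, one "attribute value" pair per line (values taken from
# logs-access.ldif and logs-error.ldif on this page).
LOG_POLICY='
nsslapd-accesslog-logging-enabled on
nsslapd-accesslog-level 256
nsslapd-accesslog-logbuffering on
nsslapd-accesslog-logrotationtime 1
nsslapd-accesslog-logrotationtimeunit day
nsslapd-accesslog-maxlogsize 500
nsslapd-accesslog-maxlogsperdir 100
nsslapd-accesslog-logexpirationtime 3
nsslapd-accesslog-logexpirationtimeunit month
nsslapd-accesslog-logmaxdiskspace 20000
nsslapd-accesslog-logminfreediskspace 500
nsslapd-errorlog-logging-enabled on
nsslapd-errorlog-logrotationtime 1
nsslapd-errorlog-logrotationtimeunit week
nsslapd-errorlog-maxlogsize 500
nsslapd-errorlog-maxlogsperdir 30
nsslapd-errorlog-logexpirationtime 3
nsslapd-errorlog-logexpirationtimeunit month
nsslapd-errorlog-logmaxdiskspace 20000
nsslapd-errorlog-logminfreediskspace 500
'

# log_policy_ldif access|error
# Emits an LDIF "changetype: modify" for cn=config equivalent to the
# hand-written logs-access.ldif / logs-error.ldif.
log_policy_ldif() {
    printf 'dn: cn=config\nchangetype: modify\n'
    printf '%s\n' "$LOG_POLICY" | awk -v k="nsslapd-${1}log-" '
        index($1, k) == 1 {
            if (n++) print "-"          # separator between replace groups
            print "replace: " $1
            print $1 ": " $2
        }'
}

# log_policy_check DUMPFILE
# Prints "attribute expected actual" for every deviation from LOG_POLICY
# (actual is <unset> when the attribute is absent); returns 1 if any deviate.
log_policy_check() {
    printf '%s\n' "$LOG_POLICY" | awk -v dump="$1" '
        BEGIN {
            while ((getline line < dump) > 0) {
                n = index(line, ": ")
                if (n > 0) actual[tolower(substr(line, 1, n - 1))] = substr(line, n + 2)
            }
            close(dump)
        }
        NF == 2 {
            a = tolower($1)
            got = (a in actual) ? actual[a] : "<unset>"
            if (tolower(got) != tolower($2)) { print a, $2, got; bad = 1 }
        }
        END { exit bad ? 1 : 0 }'
}

# Constructed dumps: one that matches the policy, and one where access logging
# was switched off and the error-log rotation interval was never set.
TMPD=$(mktemp -d)
GOOD_DUMP="$TMPD/good.dump"
BAD_DUMP="$TMPD/bad.dump"
{ printf 'dn: cn=config\n'
  printf '%s\n' "$LOG_POLICY" | awk 'NF == 2 { print $1 ": " $2 }'; } > "$GOOD_DUMP"
sed -e 's/^nsslapd-accesslog-logging-enabled: on$/nsslapd-accesslog-logging-enabled: off/' \
    -e '/^nsslapd-errorlog-logrotationtime:/d' "$GOOD_DUMP" > "$BAD_DUMP"

# Example run: the bad dump reports two deviations.
log_policy_ldif access | head -n 4
log_policy_check "$GOOD_DUMP" && echo "good.dump matches policy"
log_policy_check "$BAD_DUMP" || echo "bad.dump deviates from policy"
```

To use it against a live server, replace the constructed dump with the ldapsearch output, bound as cn=directory manager, and run log_policy_check on it after each ldapmodify; the attribute names are compared case-insensitively because the server does not preserve the case used in the LDIF.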
To work in Trusted Extensions, the server port of the Directory Server must be configured as a multilevel port (MLP) in the global zone.
# /usr/sbin/smc &
You are prompted for your password.
# tnctl -fz /etc/security/tsol/tnzonecfg
Several LDAP databases have been created or modified to hold Trusted Extensions data about label configuration, users, and remote systems. In this procedure, you populate the Directory Server databases with Trusted Extensions information.
# mkdir -p /setup/files
# cd /etc
# cp aliases group hosts networks netmasks protocols /setup/files
# cp rpc services auto_master /setup/files
# cd /etc/security
# cp auth_attr prof_attr exec_attr /setup/files/
#
# cd /etc/security/tsol
# cp tnrhdb tnrhtp /setup/files
If you are running the Solaris 10 11/06 release without patches, copy the ipnodes file.
# cd /etc/inet
# cp ipnodes /setup/files
In the following list of automaps, the first of each pair of lines shows the name of the file. The second line of each pair shows the file contents. The zone names identify labels from the default label_encodings file that is included with the Trusted Extensions software.
Substitute your zone names for the zone names in these lines.
myNFSserver identifies the NFS server for the home directories.
/setup/files/auto_home_public
* myNFSserver_FQDN:/zone/public/root/export/home/&
/setup/files/auto_home_internal
* myNFSserver_FQDN:/zone/internal/root/export/home/&
/setup/files/auto_home_needtoknow
* myNFSserver_FQDN:/zone/needtoknow/root/export/home/&
/setup/files/auto_home_restricted
* myNFSserver_FQDN:/zone/restricted/root/export/home/&
The tnrhdb file has no wildcard mechanism. The IP address of every system to be contacted, including the IP addresses of labeled zones, must be listed in this file; a system whose address is absent cannot be reached.
Labeled systems are of type cipso. Also, the name of the security template for labeled systems is cipso. Therefore, in the default configuration, a cipso entry is similar to the following:
192.168.25.2:cipso
Note - This list includes the IP addresses of global zones and labeled zones.
Unlabeled systems are of type unlabeled. The name of the security template for unlabeled systems is admin_low. Therefore, in the default configuration, an entry for an unlabeled system is similar to the following:
192.168.35.2:admin_low
# tnchkdb -h /setup/files/tnrhdb
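tnchkdb validates the syntax of the entries, but an address that is simply missing from tnrhdb is syntactically fine and only shows up later as an unreachable system. The script below is an added example, not part of the Sun documentation: it cross-checks the hosts file that is about to be loaded into LDAP against tnrhdb and reports every address that has no template assigned. It assumes the inputs are /setup/files/hosts and /setup/files/tnrhdb as in this procedure; constructed copies are written to a temporary directory so it runs offline.

```shell
#!/bin/sh
# Added example (not from the Sun documentation): report hosts-file addresses
# that have no tnrhdb entry. tnrhdb accepts no wildcards, so every address
# that the system must talk to, labeled zones included, needs its own line.
# Assumption: real inputs are /setup/files/hosts and /setup/files/tnrhdb.

TMPD=$(mktemp -d)
HOSTS="$TMPD/hosts"
TNRHDB="$TMPD/tnrhdb"

# Constructed sample hosts file: global zone, a labeled zone, an unlabeled
# printer, and a host that was forgotten when tnrhdb was written.
cat > "$HOSTS" <<'EOF'
# hosts (constructed sample)
127.0.0.1       localhost
192.168.25.2    myhost myhost.example-domain.com
192.168.25.3    myhost-public
192.168.35.2    printer1
192.168.35.9    legacyhost
EOF

# Constructed sample tnrhdb: host_address:template_name, one per line.
cat > "$TNRHDB" <<'EOF'
# tnrhdb (constructed sample)
127.0.0.1:cipso
192.168.25.2:cipso
192.168.25.3:cipso
192.168.35.2:admin_low
EOF

# tnrhdb_missing HOSTS TNRHDB
# Prints each hosts-file address without a tnrhdb entry; returns 1 if any.
tnrhdb_missing() {
    awk -v tn="$2" '
        FILENAME == tn {                       # first pass: collect tnrhdb addresses
            if ($0 ~ /^#/ || $0 !~ /:/) next
            split($0, f, ":"); seen[f[1]] = 1; next
        }
        {                                      # second pass: hosts file
            sub(/^[ \t]+/, "")
            if ($0 ~ /^#/ || NF == 0) next
            if (!($1 in seen)) { print $1; missing = 1 }
        }
        END { exit missing ? 1 : 0 }' "$2" "$1"
}

# tnrhdb_template IP TNRHDB
# Prints the template assigned to IP, or "none" if it is not listed.
tnrhdb_template() {
    t=$(awk -F: -v ip="$1" '$1 == ip { print $2; exit }' "$2")
    printf '%s\n' "${t:-none}"
}

# Example run: lists 192.168.35.9, the forgotten host.
tnrhdb_missing "$HOSTS" "$TNRHDB" || echo "tnrhdb is incomplete; add the addresses above before running ldapaddent"
```

Run it before ldapaddent loads the hosts and tnrhdb databases; once an address is reported, decide which template it belongs under (cipso for a labeled system, admin_low for an unlabeled one) rather than defaulting everything to cipso, and then re-run tnchkdb on the corrected file.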
# /usr/sbin/ldapaddent -D "cn=directory manager" \
-w dirmgr123 -a simple -f /setup/files/hosts hosts
Note that -w places the Directory Manager password on the command line, where it is visible in the process list and is recorded in the shell history. ldapaddent also accepts -j passwd-file, which reads the password from a file; keep that file readable by root only.