Oracle Solaris Trusted Extensions Administrator's Procedures

Configuring Labeled Printing (Task Map)

The following task map describes common configuration procedures that are related to labeled printing.


Note - Printer clients can only print jobs within the label range of the Trusted Extensions print server.


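| Task | Description | For Instructions |
|---|---|---|
| Configure printing from the global zone. | Creates a multilevel print server in the global zone. | How to Configure a Multilevel Print Server and Its Printers |
| Configure printing for a network of systems. | Creates a multilevel print server in the global zone and enables labeled zones to use the printer. | How to Configure a Network Printer for Sun Ray Clients |
| Configure printing for unlabeled systems in the same subnet as labeled systems. | Enables unlabeled systems to use the network printer. | How to Configure Cascade Printing on a Labeled System |
| Configure printing from a labeled zone. | Creates a single-label print server for a labeled zone. | How to Configure a Zone for Single-Label Printing |
| Configure a multilevel print client. | Connects a Trusted Extensions host to a printer. | How to Enable a Trusted Extensions Client to Access a Printer |
| Restrict the label range of a printer. | Limits a Trusted Extensions printer to a narrow label range. | How to Configure a Restricted Label Range for a Printer |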

How to Configure a Multilevel Print Server and Its Printers

Printers that are managed by a Trusted Extensions print server print labels on body pages, banner pages, and trailer pages. Such printers can print jobs within the label range of the print server. Any Trusted Extensions host that can reach the print server can use the printers that are connected to that server.

Before You Begin

Determine the print server for your Trusted Extensions network. You must be in the System Administrator role in the global zone on this print server.

  1. Start the Solaris Management Console.

    For details, see How to Administer the Local System With the Solaris Management Console.

  2. Choose the Files toolbox.

    The title of the toolbox includes Scope=Files, Policy=TSOL.

  3. Enable multilevel printing by configuring the global zone with the print server port, 515/tcp.

    Create a multilevel port (MLP) for the print server by adding the port to the global zone.

    1. Navigate to the Trusted Network Zones tool.
    2. In the Multilevel Ports for Zone's IP Addresses, add 515/tcp.
    3. Click OK.
  4. Define the characteristics of every connected printer.

    Use the command line. The Print Manager GUI does not work in the global zone.

    # lpadmin -p printer-name -v /dev/null \
    -o protocol=tcp -o dest=printer-IP-address:9100 -T PS -I postscript
    # accept printer-name
    # enable printer-name
  5. Assign a printer model script to each printer that is connected to the print server.

    The model script activates the banner and trailer pages for the specified printer.

    For a description of the scripts, see Printer Model Scripts. If the driver name for the printer starts with Foomatic, then specify one of the foomatic model scripts. On one line, use the following command:

    $ lpadmin -p printer \
     -m { tsol_standard | tsol_netstandard | 
          tsol_standard_foomatic | tsol_netstandard_foomatic }

    If the default printer label range of ADMIN_LOW to ADMIN_HIGH is acceptable for every printer, then your label configuration is done.

  6. In every labeled zone where printing is allowed, configure the printer.

    Use the all-zones IP address for the global zone as the print server.

    1. Log in as root to the zone console of the labeled zone.
      # zlogin -C labeled-zone
    2. Add the printer to the zone.
      # lpadmin -p printer-name -s all-zones-IP-address
    3. (Optional) Set the printer as the default.
      # lpadmin -d printer-name
  7. In every zone, test the printer.

    Note - Starting in the Solaris 10 7/10 release, files with an administrative label, either ADMIN_HIGH or ADMIN_LOW, print ADMIN_HIGH on the body of the printout. The banner and trailer pages are labeled with the highest label and compartments in the label_encodings file.


    As root and as a regular user, perform the following steps:

    1. Print plain files from the command line.
    2. Print files from your applications, such as StarOffice, your browser, and your editor.
    3. Verify that banner pages, trailer pages, and security banners print correctly.

How to Configure a Network Printer for Sun Ray Clients

This procedure configures a PostScript printer on a Sun Ray server that has a single all-zones interface. The printer is made available to all users of Sun Ray clients of this server. Initial configuration happens in the global zone. After the global zone is configured, each labeled zone is configured to use the printer.

Before You Begin

You must be logged in to a multilevel session in Trusted CDE.

  1. In the global zone, assign an IP address to the network printer.

    For instructions, see Chapter 5, Setting Up Printers by Using LP Print Commands (Tasks), in System Administration Guide: Printing.

  2. Start the Solaris Management Console.
  3. Assign the printer to the admin_low template.
    1. In the Computers and Networks tool, double-click Security Templates.
    2. Double-click admin_low.
    3. In the Hosts Assigned to Template tab, add the printer's IP address.

      For more information, read the online help in the left pane.

  4. Add the printer port to the shared interface of the global zone.
    1. In the Computers and Networks tool, double-click Trusted Network Zones.
    2. Double-click global.
    3. To the Multilevel Ports for Shared IP Addresses list, add port 515, protocol tcp.
  5. Verify that the Solaris Management Console assignments are in the kernel.
    # tninfo -h printer-IP-address
       IP address= printer-IP-address
       Template = admin_low
    # tninfo -m global
       private: 111/tcp;111/udp;513/tcp;515/tcp;631/tcp;2049/tcp;6000-6050/tcp;
    7007/tcp;7010/tcp;7014/tcp;7015/tcp;32771/tcp;32776/ip
       shared: 515/tcp;6000-6050/tcp;7007/tcp;7010/tcp;7014/tcp;7015/tcp

    Note - The additional private and shared multilevel ports (MLPs) such as 6055 and 7007 support Sun Ray requirements.


  6. Ensure that printing services are enabled in the global zone.
    # svcadm enable print/server
    # svcadm enable rfc1179
  7. If your system was installed with netservices limited, enable the printer to reach the network.

    The rfc1179 service must listen on addresses other than localhost. The LP service listens only on a named pipe.

    # inetadm -m svc:/application/print/rfc1179:default bind_addr=''
    # svcadm refresh rfc1179

    Note - If you are running netservices open, the preceding command generates the following error: Error: "inetd" property group missing.


  8. Enable all users to print PostScript.

    In the Trusted Editor, create the /etc/default/print file and add this line:

    PRINT_POSTSCRIPT=1

    Applications such as StarOffice and gedit create PostScript output.

  9. Add all LP filters to the printing service.

    In the global zone, run this C-Shell script:

    csh
        cd /etc/lp/fd/
        foreach a (*.fd)
            lpfilter -f $a:r -F $a
        end
  10. Add a printer in the global zone.

    Use the command line. The Print Manager GUI does not work in the global zone.

    # lpadmin -p printer-name -v /dev/null -m tsol_netstandard \
    -o protocol=tcp -o dest=printer-IP-address:9100 -T PS -I postscript
    # accept printer-name
    # enable printer-name
  11. (Optional) Set the printer as the default.
    # lpadmin -d printer-name
  12. In every labeled zone, configure the printer.

    Use the all-zones IP address for the global zone as the print server. If your all-zones NIC is a virtual network interface (vni), use the IP address for the vni as the argument to the -s option.

    1. Log in as root to the zone console of the labeled zone.
      # zlogin -C labeled-zonename
    2. Add the printer to the zone.
      # lpadmin -p printer-name -s global-zone-shared-IP-address
    3. (Optional) Set the printer as the default.
      # lpadmin -d printer-name
  13. In every zone, test the printer.

    Note - Starting in the Solaris 10 7/10 release, files with an administrative label, either ADMIN_HIGH or ADMIN_LOW, print ADMIN_HIGH on the body of the printout. The banner and trailer pages are labeled with the highest label and compartments in the label_encodings file.


    As root and as a regular user, perform the following steps:

    1. Print plain files from the command line.
    2. Print files from your applications, such as StarOffice, your browser, and your editor.
    3. Verify that banner pages, trailer pages, and security banners print correctly.
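
The kernel check in step 5 can be scripted. The following is an added example, not part of the Oracle procedure: it parses `tninfo` output, including the wrapped MLP line and port ranges, and confirms that 515/tcp is a shared multilevel port and that the printer is assigned to the admin_low template. The function names and the sample address 192.168.4.6 are assumptions made for the example.

```sh
#!/bin/sh
# Added example: verify print-server MLP and printer template from tninfo output.

# Sample output in the shape shown in step 5. The address 192.168.4.6 is a
# constructed stand-in for printer-IP-address.
SAMPLE_HOST='   IP address= 192.168.4.6
   Template = admin_low'
SAMPLE_MLP='   private: 111/tcp;111/udp;513/tcp;515/tcp;631/tcp;2049/tcp;6000-6050/tcp;
7007/tcp;7010/tcp;7014/tcp;7015/tcp;32771/tcp;32776/ip
   shared: 515/tcp;6000-6050/tcp;7007/tcp;7010/tcp;7014/tcp;7015/tcp'

# mlp_has TNINFO_M_OUTPUT SCOPE PORT/PROTO
# Succeeds if the private or shared list contains the port, either as a
# literal entry or inside a range such as 6000-6050/tcp.
mlp_has() {
    printf '%s\n' "$1" | awk -v scope="$2" -v want="$3" '
        BEGIN { split(want, w, "/"); port = w[1] + 0; proto = w[2]; found = 0 }
        # A "name:" prefix starts a list; wrapped continuation lines have none.
        /^[ \t]*[a-z]+:/ {
            cur = $0; sub(/^[ \t]*/, "", cur); sub(/:.*/, "", cur)
            sub(/^[ \t]*[a-z]+:/, "")
        }
        cur == scope {
            n = split($0, e, ";")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", e[i])
                if (e[i] == "") continue
                split(e[i], pp, "/")
                lo = hi = pp[1]
                if (index(pp[1], "-")) { split(pp[1], r, "-"); lo = r[1]; hi = r[2] }
                if (pp[2] == proto && port >= lo + 0 && port <= hi + 0) found = 1
            }
        }
        END { exit (found ? 0 : 1) }'
}

# host_template TNINFO_H_OUTPUT
# Prints the template name that the kernel reports for the host.
host_template() {
    printf '%s\n' "$1" |
        awk -F= '/^[ \t]*Template[ \t]*=/ { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# check_print_mlp TNINFO_M_OUTPUT TNINFO_H_OUTPUT
# Reports each missing assignment and returns non-zero if any is missing.
check_print_mlp() {
    cpm_rc=0
    mlp_has "$1" shared 515/tcp ||
        { echo "515/tcp is not a shared MLP of the global zone"; cpm_rc=1; }
    [ "$(host_template "$2")" = admin_low ] ||
        { echo "printer is not assigned to the admin_low template"; cpm_rc=1; }
    return $cpm_rc
}

# On a live system:
#   check_print_mlp "$(tninfo -m global)" "$(tninfo -h printer-IP-address)"
check_print_mlp "$SAMPLE_MLP" "$SAMPLE_HOST" &&
    echo "515/tcp shared MLP and admin_low template are in the kernel"
```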

Example 15-1 Determining Printer Status for a Network Printer

In this example, the administrator verifies the network printer's status from the global zone and from a labeled zone.

global # lpstat -t
    scheduler is running
    system default destination: math-printer
    system for _default: trusted1 (as printer math-printer)
    device for math-printer: /dev/null
    character set
    default accepting requests since Feb 28 00:00 2008
    lex accepting requests since Feb 28 00:00 2008
    printer math-printer is idle. enabled since Feb 28 00:00 2008. available.
Solaris1# lpstat -t
   scheduler is not running
   system default destination: math-printer
   system for _default: 192.168.4.17 (as printer math-printer)
   system for math-printer: 192.168.4.17
   default accepting requests since Feb 28 00:00 2008
   math-printer accepting requests since Feb 28 00:00 2008
   printer _default is idle. enabled since Feb 28 00:00 2008. available.
   printer math-printer is idle. enabled since Feb 28 00:00 2008. available.

How to Configure Cascade Printing on a Labeled System

Cascade printing provides the ability to print from a Windows desktop session to a Trusted Extensions labeled zone interface, where the zone IP address of the physical interface acts as the print spooler. The multilevel port (MLP) listener that is on the zone IP address of the physical interface talks to the Trusted Extensions printing subsystem and prints the file with the appropriate labeled header and trailer sheets.

This procedure enables unlabeled systems that are in the same subnet as labeled systems to use the labeled network printer. The rfc1179 service handles cascade printing. You must perform this procedure in every labeled zone from which you permit cascade printing.

Before You Begin

You have completed How to Configure a Network Printer for Sun Ray Clients.

  1. Log in as root to the zone console of the labeled zone.
    # zlogin -C labeled-zonename
  2. Remove the rfc1179 service's dependency on the print/server service.
    labeled-zone # cat <<EOF | svccfg
    select application/print/rfc1179
    delpg lpsched
    end
    EOF
    labeled-zone # svcadm refresh application/print/rfc1179
  3. Ensure that the rfc1179 service is enabled.
    labeled-zone # svcadm enable rfc1179
  4. If the labeled zone was installed with netservices limited, enable the printer to reach the network.

    The rfc1179 service must listen on addresses other than localhost. The LP service listens only on a named pipe.

    # inetadm -m svc:/application/print/rfc1179:default bind_addr=''
    # svcadm refresh rfc1179

    Note - If you are running netservices open, the preceding command generates the following message: Error: "inetd" property group missing.


  5. Configure cascade printing from the labeled zone.
    labeled-zone # lpset -n system -a spooling-type=cascade printer-name

    This command updates the zone's /etc/printers.conf file.

  6. Test an Oracle Solaris system that is on the same subnet as this labeled zone.

    For example, test the Solaris1 system. This system is on the same subnet as the internal zone. The configuration parameters are the following:

    • math-printer IP address is 192.168.4.6

    • Solaris1 IP address is 192.168.4.12

    • internal zone IP address is 192.168.4.17

    Solaris1# uname -a
    SunOS Solaris1 Generic_120011-11 sun4u sparc SUNW,Sun-Blade-1000
    Solaris1# lpadmin -p math-printer -s 192.168.4.17
    Solaris1# lpadmin -d math-printer
    
    Solaris1# lpstat -t
       scheduler is not running
       system default destination: math-printer
       system for _default: 192.168.4.17 (as printer math-printer)
       system for math-printer: 192.168.4.17
       default accepting requests since Feb 28 00:00 2008
       math-printer accepting requests since Feb 28 00:00 2008
       printer _default is idle. enabled since Feb 28 00:00 2008. available.
       printer math-printer is idle. enabled since Feb 28 00:00 2008. available.
    • Test the lp command.
      Solaris1# lp /etc/hosts
         request id is math-printer-1 (1 file)
    • Test printing from applications such as StarOffice and the browser.
  7. Test a Windows 2003 server that is on the same subnet as this labeled zone.
    1. Set up the printer on the Windows server.

      Use the Start Menu->Settings->Printers & Faxes GUI.

      Specify the following printer configuration:

      • Add A Printer

      • Local Printer attached to this computer

      • Create a new port – Standard TCP/IP Port

      • Printer Name or IP Address – 192.168.4.17, that is, the IP address of the labeled zone

      • Port Name – Accept default

      • Additional Port Information Required – Accept default

        • Device Type = Custom

        • Settings – Protocol = LPR

        • LPR Settings – Queue Name = math-printer, that is, the UNIX Queue Name

        • LPR Byte Counting Enabled

      Finish the printer prompts by specifying the manufacturer, model, driver and other printer parameters.

  8. Test the printer by selecting the printer from an application.

    For example, test the winserver system that is on the same subnet as the internal zone. The configuration parameters are the following:

    • math-printer IP address is 192.168.4.6

    • winserver IP address is 192.168.4.200

    • internal zone IP address is 192.168.4.17

    winserver C:/> ipconfig
    Windows IP Configuration
       Ethernet adapter TP-NIC:
          Connection-specific DNS Suffix  . :
          IP Address. . . . . . . . . . . . : 192.168.4.200
          Subnet Mask . . . . . . . . . . . : 255.255.255.0
          Default Gateway . . . . . . . . . : 192.168.4.17
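
The `lpstat -t` checks in Example 15-1 and in step 6 of this procedure can be automated on a client. This is an added example, not part of the Oracle procedure: it confirms that the queue resolves to the labeled zone that acts as the print spooler (192.168.4.17 in the page's sample) and that the queue is accepting and enabled. The function names are assumptions made for the example.

```sh
#!/bin/sh
# Added example: confirm a cascade-printing client submits to the labeled zone.

# lpstat -t output as shown for the Solaris1 client in this procedure.
SAMPLE_LPSTAT='scheduler is not running
system default destination: math-printer
system for _default: 192.168.4.17 (as printer math-printer)
system for math-printer: 192.168.4.17
default accepting requests since Feb 28 00:00 2008
math-printer accepting requests since Feb 28 00:00 2008
printer _default is idle. enabled since Feb 28 00:00 2008. available.
printer math-printer is idle. enabled since Feb 28 00:00 2008. available.'

# queue_target LPSTAT_OUTPUT QUEUE
# Prints "remote <server>" for a queue served by another system,
# "local <device>" for a locally attached queue, or "unknown".
queue_target() {
    printf '%s\n' "$1" | awk -v q="$2" '
        $1 == "system" && $2 == "for" && $3 == (q ":") { print "remote " $4; found = 1; exit }
        $1 == "device" && $2 == "for" && $3 == (q ":") { print "local " $4; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# queue_ready LPSTAT_OUTPUT QUEUE
# Succeeds only if the queue is both accepting requests and enabled.
queue_ready() {
    printf '%s\n' "$1" | awk -v q="$2" '
        $1 == q && $2 == "accepting" { acc = 1 }
        $1 == "printer" && $2 == q && /enabled since/ { en = 1 }
        END { exit ((acc && en) ? 0 : 1) }'
}

# check_cascade_client LPSTAT_OUTPUT QUEUE SPOOLER_IP
# Fails if the queue points anywhere other than the labeled zone spooler.
check_cascade_client() {
    cc_target=$(queue_target "$1" "$2")
    if [ "$cc_target" != "remote $3" ]; then
        echo "queue $2 resolves to \"$cc_target\", expected spooler $3"
        return 1
    fi
    queue_ready "$1" "$2" ||
        { echo "queue $2 is not accepting and enabled"; return 1; }
}

# On a live client: check_cascade_client "$(lpstat -t)" math-printer 192.168.4.17
check_cascade_client "$SAMPLE_LPSTAT" math-printer 192.168.4.17 &&
    echo "math-printer is served by the labeled zone spooler"
```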

How to Configure a Zone for Single-Label Printing

Before You Begin

The zone must not be sharing an IP address with the global zone. You must be in the System Administrator role in the global zone.

  1. Add a workspace.

    For details, see How to Add a Workspace at a Particular Label in Oracle Solaris Trusted Extensions User’s Guide.

  2. Change the label of the new workspace to the label of the zone that will be the print server for that label.

    For details, see How to Change the Label of a Workspace in Oracle Solaris Trusted Extensions User’s Guide.

  3. Define the characteristics of the connected printers.
    1. At the label of the zone, start the Print Manager.

      By default, the “Use PPD” checkbox is selected. The system finds the appropriate driver for the printer.

    2. (Optional) To specify a different printer driver, do the following:
      1. Remove the check from “Use PPD”.
      2. Define the make and model of the printer that uses a different driver.

        In the Print Manager, you supply the values for the first two fields, then the Print Manager supplies the driver name.

        Printer Make   manufacturer
        Printer Model  manufacturer-part-number
        Printer Driver automatically filled in
  4. Assign a printer model script to each printer that is connected to the zone.

    The model script activates the banner and trailer pages for the specified printer.

    For your choices of scripts, see Printer Model Scripts. If the driver name for the printer starts with Foomatic, then specify one of the foomatic model scripts. Use the following command:

    $ lpadmin -p printer -m model

    The attached printers can print jobs only at the label of the zone.

  5. Test the printer.

    Note - Starting in the Solaris 10 7/10 release, files with an administrative label, either ADMIN_HIGH or ADMIN_LOW, print ADMIN_HIGH on the body of the printout. The banner and trailer pages are labeled with the highest label and compartments in the label_encodings file.


    As root and as a regular user, perform the following steps:

    1. Print plain files from the command line.
    2. Print files from your applications, such as StarOffice, your browser, and your editor.
    3. Verify that banner pages, trailer pages, and security banners print correctly.
See Also

Prevent labeled output – Reducing Printing Restrictions in Trusted Extensions (Task Map)

How to Enable a Trusted Extensions Client to Access a Printer

Initially, only the zone in which a print server was configured can print to the printers of that print server. The system administrator must explicitly add access to those printers for other zones and systems. The possibilities are as follows:

Before You Begin

A print server has been configured with a label range or a single label, and the printers that are connected to it have been configured. For details, see the following:

You must be in the System Administrator role in the global zone, or be able to assume the role.

  1. Complete the procedures that enable your systems to access a printer.
    • Configure the global zone on a system that is not a print server to use another system's global zone for printer access.
      1. On the system that does not have printer access, assume the System Administrator role.
      2. Add access to the printer that is connected to the Trusted Extensions print server.
        $ lpadmin -s printer
    • Configure a labeled zone to use its global zone for printer access.
      1. Change the label of the role workspace to the label of the labeled zone.

        For details, see How to Change the Label of a Workspace in Oracle Solaris Trusted Extensions User’s Guide.

      2. Add access to the printer.
        $ lpadmin -s printer
    • Configure a labeled zone to use another system's labeled zone for printer access.

      The labels of the zones must be identical.

      1. On the system that does not have printer access, assume the System Administrator role.
      2. Change the label of the role workspace to the label of the labeled zone.

        For details, see How to Change the Label of a Workspace in Oracle Solaris Trusted Extensions User’s Guide.

      3. Add access to the printer that is connected to the print server of the remote labeled zone.
        $ lpadmin -s printer
    • Configure a labeled zone to use an unlabeled print server for printer access.

      The label of the zone must be identical to the label of the print server.

      1. On the system that does not have printer access, assume the System Administrator role.
      2. Change the label of the role workspace to the label of the labeled zone.

        For details, see How to Change the Label of a Workspace in Oracle Solaris Trusted Extensions User’s Guide.

      3. Add access to the printer that is connected to the arbitrarily labeled print server.
        $ lpadmin -s printer
  2. Test the printers.

    Starting in the Solaris 10 7/10 release, files with an administrative label, either ADMIN_HIGH or ADMIN_LOW, print ADMIN_HIGH on the body of the printout. The banner and trailer pages are labeled with the highest label and compartments in the label_encodings file.

    On every client, test that printing works for root and roles in the global zone and for root, roles, and regular users in labeled zones.

    1. Print plain files from the command line.
    2. Print files from your applications, such as StarOffice, your browser, and your editor.
    3. Verify that banner pages, trailer pages, and security banners print correctly.

How to Configure a Restricted Label Range for a Printer

The default printer label range is ADMIN_LOW to ADMIN_HIGH. This procedure narrows the label range for a printer that is controlled by a Trusted Extensions print server.

Before You Begin

You must be in the Security Administrator role in the global zone.

  1. Start the Device Allocation Manager.
    • Choose the Allocate Device option from the Trusted Path menu.
    • In Trusted CDE, launch the Device Allocation Manager action from the Tools subpanel on the Front Panel.
  2. Click the Device Administration button to display the Device Allocation: Administration dialog box.
  3. Type a name for the new printer.

    If the printer is attached to your system, find the name of the printer.

  4. Click the Configure button to display the Device Allocation: Configuration dialog box.
  5. Change the printer's label range.
    1. Click the Min Label button to change the minimum label.

      Choose a label from the label builder. For information about the label builder, see Label Builder in Trusted Extensions.

    2. Click the Max Label button to change the maximum label.
  6. Save the changes.
    1. Click OK in the Configuration dialog box.
    2. Click OK in the Administration dialog box.
  7. Close the Device Allocation Manager.