The following task map describes common configuration procedures that are related to labeled printing.
Note - Printer clients can only print jobs within the label range of the Trusted Extensions print server.
Printers that are managed by a Trusted Extensions print server print labels on body pages, banner pages, and trailer pages. Such printers can print jobs within the label range of the print server. Any Trusted Extensions host that can reach the print server can use the printers that are connected to that server.
Determine the print server for your Trusted Extensions network. You must be in the System Administrator role in the global zone on this print server.
For details, see How to Administer the Local System With the Solaris Management Console.
The title of the toolbox includes Scope=Files, Policy=TSOL.
Create a multilevel port (MLP) for the print server by adding the port to the global zone.
Use the command line. The Print Manager GUI does not work in the global zone.
# lpadmin -p printer-name -v /dev/null \
-o protocol=tcp -o dest=printer-IP-address:9100 -T PS -I postscript
# accept printer-name
# enable printer-name
The model script activates the banner and trailer pages for the specified printer.
For a description of the scripts, see Printer Model Scripts. If the driver name for the printer starts with Foomatic, then specify one of the foomatic model scripts. On one line, use the following command:
$ lpadmin -p printer \
-m { tsol_standard | tsol_netstandard | tsol_standard_foomatic | tsol_netstandard_foomatic }
If the default printer label range of ADMIN_LOW to ADMIN_HIGH is acceptable for every printer, then your label configuration is done.
Use the all-zones IP address for the global zone as the print server.
# zlogin -C labeled-zone
# lpadmin -p printer-name -s all-zones-IP-address
# lpadmin -d printer-name
Note - Starting in the Solaris 10 7/10 release, files with an administrative label, either ADMIN_HIGH or ADMIN_LOW, print ADMIN_HIGH on the body of the printout. The banner and trailer pages are labeled with the highest label and compartments in the label_encodings file.
As root and as a regular user, perform the following steps:
Limit printer label range – How to Configure a Restricted Label Range for a Printer
Prevent labeled output – Reducing Printing Restrictions in Trusted Extensions (Task Map)
Use this zone as a print server – How to Enable a Trusted Extensions Client to Access a Printer
This procedure configures a PostScript printer on a Sun Ray server that has a single all-zones interface. The printer is made available to all users of Sun Ray clients of this server. Initial configuration happens in the global zone. After the global zone is configured, each labeled zone is configured to use the printer.
You must be logged in to a multilevel session in Trusted CDE.
For instructions, see Chapter 5, Setting Up Printers by Using LP Print Commands (Tasks), in System Administration Guide: Printing.
For instructions, see Initialize the Solaris Management Console Server in Trusted Extensions in Oracle Solaris Trusted Extensions Configuration Guide.
Select the Scope=Files, Policy=TSOL toolbox and log in.
For more information, read the online help in the left pane.
# tninfo -h printer-IP-address
IP address= printer-IP-address
Template = admin_low
# tninfo -m global
private: 111/tcp;111/udp;513/tcp;515/tcp;631/tcp;2049/tcp;6000-6050/tcp;
7007/tcp;7010/tcp;7014/tcp;7015/tcp;32771/tcp;32776/ip
shared: 515/tcp;6000-6050/tcp;7007/tcp;7010/tcp;7014/tcp;7015/tcp
Note - The additional private and shared multilevel ports (MLPs) such as 6055 and 7007 support Sun Ray requirements.
# svcadm enable print/server
# svcadm enable rfc1179
The rfc1179 service must listen on addresses other than localhost. The LP service listens only on a named pipe.
# inetadm -m svc:/application/print/rfc1179:default bind_addr=''
# svcadm refresh rfc1179
Note - If you are running netservices open, the preceding command generates the following error: Error: "inetd" property group missing.
In the Trusted Editor, create the /etc/default/print file and add this line:
PRINT_POSTSCRIPT=1
Applications such as StarOffice and gedit create PostScript output.
In the global zone, run this C-Shell script:
csh
cd /etc/lp/fd/
foreach a (*.fd)
lpfilter -f $a:r -F $a
end
Use the command line. The Print Manager GUI does not work in the global zone.
# lpadmin -p printer-name -v /dev/null -m tsol_netstandard \
-o protocol=tcp -o dest=printer-IP-address:9100 -T PS -I postscript
# accept printer-name
# enable printer-name
# lpadmin -d printer-name
Use the all-zones IP address for the global zone as the print server. If your all-zones NIC is a virtual network interface (vni), use the IP address for the vni as the argument to the -s option.
# zlogin -C labeled-zonename
# lpadmin -p printer-name -s global-zone-shared-IP-address
# lpadmin -d printer-name
Note - Starting in the Solaris 10 7/10 release, files with an administrative label, either ADMIN_HIGH or ADMIN_LOW, print ADMIN_HIGH on the body of the printout. The banner and trailer pages are labeled with the highest label and compartments in the label_encodings file.
As root and as a regular user, perform the following steps:
Example 15-1 Determining Printer Status for a Network Printer
In this example, the administrator verifies the network printer's status from the global zone and from a labeled zone.
global # lpstat -t
scheduler is running
system default destination: math-printer
system for _default: trusted1 (as printer math-printer)
device for math-printer: /dev/null
character set
default accepting requests since Feb 28 00:00 2008
lex accepting requests since Feb 28 00:00 2008
printer math-printer is idle. enabled since Feb 28 00:00 2008. available.

Solaris1# lpstat -t
scheduler is not running
system default destination: math-printer
system for _default: 192.168.4.17 (as printer math-printer)
system for math-printer: 192.168.4.17
default accepting requests since Feb 28 00:00 2008
math-printer accepting requests since Feb 28 00:00 2008
printer _default is idle. enabled since Feb 28 00:00 2008. available.
printer math-printer is idle. enabled since Feb 28 00:00 2008. available.
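The tninfo -m global listing in the Sun Ray procedure above shows which ports are multilevel ports (MLPs) for private and shared addresses. The following shell function is an added example, not part of the original guide: it checks that listing for a given port and treats entries such as 6000-6050/tcp as ranges. The function names and the embedded sample, which is constructed from the listing on this page, are assumptions.

```shell
#!/bin/sh
# Added example, not from the guide. Function names are hypothetical.

# Sample `tninfo -m global` output, constructed from the listing on this page.
# The first section wraps onto a second line, as it does in that listing.
sample_tninfo() {
cat <<'EOF'
private: 111/tcp;111/udp;513/tcp;515/tcp;631/tcp;2049/tcp;6000-6050/tcp;
7007/tcp;7010/tcp;7014/tcp;7015/tcp;32771/tcp;32776/ip
shared: 515/tcp;6000-6050/tcp;7007/tcp;7010/tcp;7014/tcp;7015/tcp
EOF
}

# mlp_covers SECTION PORT PROTO
# Reads `tninfo -m <zone>` output on stdin. Returns 0 if PORT/PROTO appears
# in SECTION (private or shared), either by itself or inside a port range.
mlp_covers() {
    awk -v want="$1" -v port="$2" -v proto="$3" '
        # A "name:" prefix starts a section; other lines continue the last one.
        /^[a-z]+:/ { sect = $1; sub(/:$/, "", sect); sub(/^[a-z]+:[ \t]*/, "") }
        sect == want {
            n = split($0, ent, ";")
            for (i = 1; i <= n; i++) {
                e = ent[i]; gsub(/[ \t]/, "", e)
                if (e == "") continue
                split(e, pp, "/")
                if (pp[2] != proto) continue
                lo = hi = pp[1]
                if (split(pp[1], r, "-") == 2) { lo = r[1]; hi = r[2] }
                if (port + 0 >= lo + 0 && port + 0 <= hi + 0) found = 1
            }
        }
        END { exit(found ? 0 : 1) }
    '
}

# Report on the LPD port (515/tcp) that the listing shows in both sections.
report_print_mlp() {
    for s in private shared; do
        if sample_tninfo | mlp_covers "$s" 515 tcp; then
            echo "$s: 515/tcp is an MLP"
        else
            echo "$s: 515/tcp is NOT an MLP"
        fi
    done
}

report_print_mlp
```

On a Trusted Extensions system, pipe the real command into the function instead of the sample, for example tninfo -m global | mlp_covers shared 515 tcp.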
Cascade printing provides the ability to print from a Windows desktop session to a Trusted Extensions labeled zone interface, where the zone IP address of the physical interface acts as the print spooler. The multilevel port (MLP) listener that is on the zone IP address of the physical interface talks to the Trusted Extensions printing subsystem and prints the file with the appropriate labeled header and trailer sheets.
This procedure enables unlabeled systems that are in the same subnet as labeled systems to use the labeled network printer. The rfc1179 service handles cascade printing. You must perform this procedure in every labeled zone from which you permit cascade printing.
You have completed How to Configure a Network Printer for Sun Ray Clients.
# zlogin -C labeled-zonename
labeled-zone # cat <<EOF | svccfg
select application/print/rfc1179
delpg lpsched
end
EOF
labeled-zone # svcadm refresh application/print/rfc1179
labeled-zone # svcadm enable rfc1179
The rfc1179 service must listen on addresses other than localhost. The LP service listens only on a named pipe.
# inetadm -m svc:/application/print/rfc1179:default bind_addr=''
# svcadm refresh rfc1179
Note - If you are running netservices open, the preceding command generates the following message: Error: "inetd" property group missing.
labeled-zone # lpset -n system -a spooling-type=cascade printer-name
This command updates the zone's /etc/printers.conf file.
For example, test the Solaris1 system. This system is on the same subnet as the internal zone. The configuration parameters are the following:
math-printer IP address is 192.168.4.6
Solaris1 IP address is 192.168.4.12
internal zone IP address is 192.168.4.17
Solaris1# uname -a
SunOS Solaris1 Generic_120011-11 sun4u sparc SUNW,Sun-Blade-1000
Solaris1# lpadmin -p math-printer -s 192.168.4.17
Solaris1# lpadmin -d math-printer
Solaris1# lpstat -t
scheduler is not running
system default destination: math-printer
system for _default: 192.168.4.17 (as printer math-printer)
system for math-printer: 192.168.4.17
default accepting requests since Feb 28 00:00 2008
math-printer accepting requests since Feb 28 00:00 2008
printer _default is idle. enabled since Feb 28 00:00 2008. available.
printer math-printer is idle. enabled since Feb 28 00:00 2008. available.
Solaris1# lp /etc/hosts
request id is math-printer-1 (1 file)
Use the Start Menu->Settings->Printers & Faxes GUI.
Specify the following printer configuration:
Add A Printer
Local Printer attached to this computer
Create a new port – Standard TCP/IP Port
Printer Name or IP Address – 192.168.4.17, that is, the IP address of the labeled zone
Port Name – Accept default
Additional Port Information Required – Accept default
Device Type = Custom
Settings – Protocol = LPR
LPR Settings – Queue Name = math-printer, that is, the UNIX Queue Name
LPR Byte Counting Enabled
Finish the printer prompts by specifying the manufacturer, model, driver and other printer parameters.
For example, test the winserver system that is on the same subnet as the internal zone. The configuration parameters are the following:
math-printer IP address is 192.168.4.6
winserver IP address is 192.168.4.200
internal zone IP address is 192.168.4.17
winserver C:/> ipconfig
Windows IP Configuration
Ethernet adapter TP-NIC:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.4.200
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.4.17
The zone must not be sharing an IP address with the global zone. You must be in the System Administrator role in the global zone.
For details, see How to Add a Workspace at a Particular Label in Oracle Solaris Trusted Extensions User’s Guide.
For details, see How to Change the Label of a Workspace in Oracle Solaris Trusted Extensions User’s Guide.
By default, the “Use PPD” checkbox is selected. The system finds the appropriate driver for the printer.
In the Print Manager, you supply the values for the first two fields, then the Print Manager supplies the driver name.
Printer Make – manufacturer
Printer Model – manufacturer-part-number
Printer Driver – automatically filled in
The model script activates the banner and trailer pages for the specified printer.
For your choices of scripts, see Printer Model Scripts. If the driver name for the printer starts with Foomatic, then specify one of the foomatic model scripts. Use the following command:
$ lpadmin -p printer -m model
The attached printers can print jobs only at the label of the zone.
Note - Starting in the Solaris 10 7/10 release, files with an administrative label, either ADMIN_HIGH or ADMIN_LOW, print ADMIN_HIGH on the body of the printout. The banner and trailer pages are labeled with the highest label and compartments in the label_encodings file.
As root and as a regular user, perform the following steps:
Prevent labeled output – Reducing Printing Restrictions in Trusted Extensions (Task Map)
Initially, only the zone in which a print server was configured can print to the printers of that print server. The system administrator must explicitly add access to those printers for other zones and systems. The possibilities are as follows:
For a global zone, add access to the printers that are connected to a global zone on a different system.
For a labeled zone, add access to the printers that are connected to the global zone of its system.
For a labeled zone, add access to a printer that a remote zone at the same label is configured for.
For a labeled zone, add access to the printers that are connected to a global zone on a different system.
A print server has been configured with a label range or a single label, and the printers that are connected to it have been configured. For details, see the following:
You must be in the System Administrator role in the global zone, or be able to assume the role.
$ lpadmin -s printer
For details, see How to Change the Label of a Workspace in Oracle Solaris Trusted Extensions User’s Guide.
$ lpadmin -s printer
The labels of the zones must be identical.
For details, see How to Change the Label of a Workspace in Oracle Solaris Trusted Extensions User’s Guide.
$ lpadmin -s printer
The label of the zone must be identical to the label of the print server.
For details, see How to Change the Label of a Workspace in Oracle Solaris Trusted Extensions User’s Guide.
$ lpadmin -s printer
Starting in the Solaris 10 7/10 release, files with an administrative label, either ADMIN_HIGH or ADMIN_LOW, print ADMIN_HIGH on the body of the printout. The banner and trailer pages are labeled with the highest label and compartments in the label_encodings file.
On every client, test that printing works for root and roles in the global zone and for root, roles, and regular users in labeled zones.
The default printer label range is ADMIN_LOW to ADMIN_HIGH. This procedure narrows the label range for a printer that is controlled by a Trusted Extensions print server.
You must be in the Security Administrator role in the global zone.
If the printer is attached to your system, find the name of the printer.
Choose a label from the label builder. For information about the label builder, see Label Builder in Trusted Extensions.