Task Map: Configuring Trusted Extensions
For a secure configuration process, create roles early. The order of tasks when
roles configure the system is shown in the following task map.
Tasks to begin configuring Trusted Extensions (the task map's pointers to the individual procedures did not survive extraction):

1. Protect machine hardware by requiring a password to change hardware settings.
2. Configure labels. Labels must be configured for your site. If you plan to use the default label_encodings file, you can skip this task.
3. If you are running an IPv6 network, modify the /etc/system file to enable IP to recognize labeled packets.
4. If the CIPSO Domain of Interpretation (DOI) of your network nodes is different from 1, specify the DOI in the /etc/system file.
5. If you plan to use a Solaris ZFS snapshot to clone zones, create the ZFS pool.
6. Boot to activate a labeled environment. Upon login, you are in the global zone. The system's label_encodings file enforces mandatory access control (MAC).
7. Initialize the Solaris Management Console. This GUI is used to label zones, among other tasks.
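The two /etc/system tasks above (labeled IPv6 and a non-default CIPSO DOI) are kernel tunables that take effect only at the next boot, so a stale or duplicated "set" line is easy to leave behind. The script below is an added example, not part of the Trusted Extensions documentation: it writes each tunable idempotently, preserves the file's ownership and mode, and reads a value back so the change can be verified before rebooting. The tunable names and values (ip:ip6opt_ls = 0x0a for labeled IPv6, default_doi for the DOI) are assumed to be the Solaris 10 Trusted Extensions settings; confirm them against the procedures for your release. Every node on a labeled network must agree on the DOI, so set it to the same value everywhere.

```shell
#!/bin/sh
# Added example for the /etc/system tasks in the task map (not the page's own code).
# Assumed Solaris 10 Trusted Extensions tunables:
#   ip:ip6opt_ls = 0x0a   IP recognizes labeled (CIPSO) IPv6 packets
#   default_doi  = N      CIPSO Domain of Interpretation (kernel default is 1)
# Settings are read at boot only; edits here are inert until the system reboots.

# set_system_tunable FILE NAME VALUE
# Replace any existing "set NAME = ..." line in FILE (so we never leave two
# competing definitions) and append "set NAME = VALUE". The rewritten content
# is copied back into FILE with cat so the inode, owner and mode are kept.
set_system_tunable() {
    file=$1; name=$2; value=$3
    tmp="${file}.tmp.$$"
    awk -v n="$name" '
        # drop an old line for this tunable; tolerate "set n=1" and "set n = 1"
        $0 ~ ("^[ \t]*set[ \t]+" n "[ \t]*=") { next }
        { print }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    printf 'set %s = %s\n' "$name" "$value" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# get_system_tunable FILE NAME
# Print the value of NAME from FILE; exit 1 if it is not set.
get_system_tunable() {
    awk -v n="$2" '
        $0 ~ ("^[ \t]*set[ \t]+" n "[ \t]*=") {
            sub(/^[ \t]*set[ \t]+[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); v = $0
        }
        END { if (v != "") { print v; exit 0 } exit 1 }
    ' "$1"
}

# Task 3: let IP recognize labeled IPv6 packets.
enable_labeled_ipv6() {
    set_system_tunable "$1" "ip:ip6opt_ls" "0x0a"
}

# Task 4: set a CIPSO DOI other than 1. Rejects anything that is not a
# positive integer so a typo cannot isolate the host from its peers.
set_cipso_doi() {
    case $2 in
        ''|*[!0-9]*) echo "set_cipso_doi: DOI must be a positive integer" >&2; return 1 ;;
    esac
    [ "$2" -ge 1 ] || { echo "set_cipso_doi: DOI must be >= 1" >&2; return 1; }
    set_system_tunable "$1" "default_doi" "$2"
}

# Usage:  TX_APPLY=1 TX_DOI=4 sh ./tx_system.sh   (as root; then reboot)
# Nothing is written unless TX_APPLY is set, so the file can be sourced safely.
if [ -n "${TX_APPLY:-}" ]; then
    enable_labeled_ipv6 /etc/system
    if [ "${TX_DOI:-1}" -ne 1 ]; then
        set_cipso_doi /etc/system "$TX_DOI"
    fi
    echo "/etc/system updated; the settings take effect at the next boot"
fi
```

Run get_system_tunable /etc/system default_doi on each node before rebooting and compare the results; a mismatch is the kind of error that only shows up later as unexplained dropped traffic between labeled hosts.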
Skip the next set of tasks if you are using local files
to administer the system.
Tasks to set up LDAP (the task map's pointers to the individual procedures did not survive extraction):

1. If you plan to use files to administer Trusted Extensions, you can skip the following tasks. No configuration is required for the files naming service.
2. If you have an existing Sun Java System Directory Server (LDAP server), add Trusted Extensions databases to the server. Then make your first Trusted Extensions system a proxy of the LDAP server. If you do not have an LDAP server, then configure your first system as the server.
3. Manually set up an LDAP toolbox for the Solaris Management Console. The toolbox can be used to modify Trusted Extensions attributes on network objects.
4. For systems that are not the LDAP server or proxy server, make them an LDAP client.
Tasks to set up labeled zones (the task map's pointers to the individual procedures did not survive extraction):

1. Run the txzonemgr command. Follow the menus to configure the network interfaces, then create and customize the first labeled zone. Then, copy or clone the rest of the zones. Alternatively, use Trusted CDE actions.
2. (Optional) After all zones are successfully customized, add zone-specific network addresses and default routing to the labeled zones.
The following tasks might be necessary in your environment.
Tasks to complete system setup (the task map's pointers to the individual procedures did not survive extraction):

1. Identify additional remote hosts that require a label, one or more multilevel ports, or a different control message policy.
2. Create a multilevel home directory server, then automount the installed zones.
3. Configure auditing, mount file systems, and perform other tasks before enabling users to log in to the system.
4. Add users from an NIS environment to your LDAP server.
5. Add a host and its labeled zones to the LDAP server.