Trusted Solaris Installation and Configuration

How to Run Administrative Actions

The Application Manager contains a folder, System_Admin, that holds administrative applications for the local machine, and an action, Solaris Management Console, for administering local and distributed databases.

How To Use System_Admin Actions

The System_Admin folder contains CDE actions for administering the local workstation. See the following table for a list of actions used during installation and configuration. For a full list of System_Admin actions, read the CDE online help.

Table 3-1 Trusted Solaris Actions in the System_Admin Folder

Action Name               Action Behavior
-----------               ---------------
Add Allocatable Device    Edit /etc/security/device_maps
Admin Editor              Create or edit any file
Audit Classes             Edit /etc/security/audit_class
Audit Control             Edit /etc/security/audit_control
Audit Events              Edit /etc/security/audit_event
Audit Startup             Edit /etc/security/audit_startup
Audit Users               Edit /etc/security/audit_user
Check Encodings           Check syntax (and install) a label encodings file
Check TN Files            Check local tnrhdb and tnrhtp files
Check TN NIS+ Tables      Check NIS+ tnrhdb and tnrhtp databases
Create NIS Client         Make this host a NIS client
Create NIS+ Client        Make this host a NIS+ client
Create NIS Server         Establish a NIS server with NIS maps
Create NIS+ Server        Establish a NIS+ domain
Configure Selection ...   Edit /usr/dt/config/sel_config
Edit Encodings            Edit a label encodings file
Name Service Switch       Edit /etc/nsswitch.conf
Populate NIS+ Tables      Populate NIS+ tables from a files directory
Set Default Routes        Edit /etc/defaultrouter
Set DNS Servers           Edit /etc/resolv.conf
Set Mount Attributes      Edit /etc/security/tsol/vfstab_adjunct
Set Mount Points          Edit /etc/vfstab
Set TSOL Gateways         Edit /etc/tsolgateways
Share Filesystems         Edit /etc/dfs/dfstab


To Run a System_Admin Action
  1. In an administrative role, open the Application Manager by right-clicking the background to bring up the Workspace menu. Choose Applications > Application Manager from the top of the menu.

  2. Double-click the System_Admin folder icon.

  3. Double-click the appropriate action. For more details, see "To Create or Open a File from the Trusted Editor", "To Open a File that has a Defined Action" and "To Run a Script from the System_Admin Folder".

To Create or Open a File from the Trusted Editor
  1. To create or open a file that does not have its own action, double-click the Admin Editor action.

    A prompt appears for you to specify the file to be opened.

  2. Enter the name of the file to be opened.

    If the file exists, it is opened. If the file does not exist, it is created. You can create an empty file (touch) by exiting the editor.


    Note -

    You cannot save a file to a different name from the trusted editor.


  3. Return to the procedure and chapter you are working from.

To Open a File that has a Defined Action
  1. To open a file that has its own action, double-click its action in the System_Admin folder.

    The file associated with the action appears in the trusted editor.

  2. Enter the required information, write the file, and exit the editor.

  3. Return to the procedure and chapter you are working from.

To Run a Script from the System_Admin Folder
  1. To run a script that has its own action, double-click the action in the System_Admin folder.

    When the script requires input, the prompts are displayed.

  2. Follow the instructions.

    The script is finished when all prompt windows have been dismissed.

  3. Return to the procedure and chapter you are working from.

How to Use the Solaris Management Console

The Solaris Management Console action in the Application Manager folder invokes a Java-based administrative GUI for configuring and maintaining a Trusted Solaris environment. The GUI lists toolboxes in a Navigation pane.

The following can be configured through the Solaris Management Console, using the Trusted Solaris Management Console > Trusted Solaris Configuration toolboxes in the Navigation pane:

User Accounts

Part of the Users tool, for administering users.

Administrative Roles

Part of the Users tool, for administering roles.

Rights

Part of the Users tool, for constructing rights profiles. A user account is not usable until the user's Rights have been assigned.

Mailing Lists

Part of the Users tool, for administering mail aliases.

Computers and Networks

For setting up networks.

Computers

Part of the Computers and Networks tool, for setting up hosts (the hosts database).

Security Families

Part of the Computers and Networks tool, for creating and assigning remote host templates (the tnrhtp(4) and tnrhdb(4) databases).

Interface Manager

For securing network interfaces (the tnidb(4) database). Accessible only when Scope=Files.

The following are configured through the Solaris Management Console, using Trusted Solaris Management Console toolboxes:

Mounts

Part of the Storage tool, for mounting file systems. Accessible only when Scope=Files.

Shares

Part of the Storage tool, for sharing file systems. Accessible only when Scope=Files.

To Initialize the SMC Server
  1. In the root role, open the Application Manager by right-clicking the background to bring up the Workspace menu. Choose Applications > Application Manager from the top of the menu.

  2. Double-click the Solaris Management Console action.


    Note -

    The Solaris Management Console action initiates the SMC server. The first time the server is launched, it performs several registration tasks, which can take from 5 to 10 minutes. The following message may appear briefly: "There is no Solaris Management Console server ...". The message goes away, and can be ignored.


  3. If the Navigation Pane is not visible and no toolboxes are displayed, do the following:

    1. In the Open Toolbox dialog that is displayed, click Load next to where this machine's name is listed under Server.

      If this machine does not have the recommended amount of memory and swap, it may take a few minutes for the toolboxes to display. See "Recommendations for the Trusted Solaris Environment".

    2. From the list of toolboxes, select Trusted Solaris Management Console, then click the Open button.

    3. Before continuing, save the current setting as described in "To Save the Current Toolbox".

  4. If the Navigation pane is visible, but the toolbox icons are stop signs, do the following:

    1. Select the Trusted Solaris Management Console toolbox.

    2. Click the Open Toolbox button.

    3. Click Load next to Server: this_machine_name.

    4. From the list of toolboxes, select Trusted Solaris Management Console, then click the Open button.

    5. Before continuing, save the current setting as described in "To Save the Current Toolbox".

To Save the Current Toolbox

Save the toolbox preference to provide the Trusted Solaris Management Console toolboxes by default. The preferences are saved per role, per host (SMC server).

  1. From the Console menu, choose Preferences.

  2. Click the Use Current Toolbox button, then OK.

  3. Return to the procedure and chapter you are working from.

To Select a Toolbox of the Appropriate Scope

Prerequisite: The Solaris Management Console (SMC) server has been initialized on this computer, the Trusted Solaris Management Console toolboxes have been saved as the current toolbox, and they are displayed in the Navigation pane.

    Select the toolbox of the appropriate scope:

    • OPTION 1: Select this_host: Scope=Files, Policy=TSOL if you plan to administer each machine locally, or are administering files that can only be administered locally, such as local users (like root or install), the tnidb(4) database, or the local tnrhdb(4) database before the name service has been established.

    • OPTION 2: Select name_server: Scope=name_service, Policy=TSOL if you are administering name service maps or tables, and have established the name service domain and have edited the toolbox with the name of the server and the domain on this client machine (see "To Edit Name Service Toolbox Definitions").

To Locate a Solaris Management Console Tool

Scope=Files and Scope=name_service contain different tools.

  1. To find and use a tool in this_host: Scope=Files, Policy=TSOL in the Navigation pane:

    • Click the System Status key to view the Processes and Log Viewer tools.

      • To manage and monitor system processes, double-click Processes.

      • To see the logs monitored by WBEM, double-click Log Viewer.

    • Click the Trusted Solaris Configuration key to view the Users, Computers and Networks, and Interface Manager tools.

      • To add or modify a user, a role, a right, a group, or a mailing list on this machine, double-click Users.

      • To add or modify a remote host definition for this machine, double-click Computers and Networks.

        • To add or modify a host, double-click Computers, select a computer, then choose an item from the Action menu.

        • To add or modify a remote host template, double-click Security Families, then choose an item from the Action menu.

        • To add or modify a remote host template assignment, double-click Security Families, double-click a template name, then choose Add Host(s) from the Action menu.

      • To modify the security attributes of a network interface, double-click Interface Manager.

    • Click the Services key to view the SMC Server and the Scheduled Jobs tools.

      • The SMC Server tool is not fully implemented.

      • To see this machine's scheduled jobs, double-click Scheduled Jobs.

    • Click the Storage key to view the Mounts and Shares and Disks tools.

      • To mount a remote file system, double-click Mounts and Shares, then Mounts.

      • To share a file system, double-click Mounts and Shares, then Shares.

      • To view and format disks, double-click Disks.

    • Click the Devices and Hardware key to view the Serial Ports tool. Double-click Serial Ports to configure and manage existing serial ports.

  2. To find and use a tool in the name_server: Scope=name_service, Policy=TSOL toolbox in the Navigation pane, click the Trusted Solaris Configuration key to view the Users and the Computers and Networks tools:

    • To add or modify a user, a role, a right, a group, or a mailing list on the domain, double-click Users.

    • To add or modify a remote host definition on the domain, double-click Computers and Networks.

  3. When prompted, enter the role password in the Role Login prompt.

  4. Read and follow the online help for assistance with each tool.

  5. Return to the procedure and chapter you are working from.

To Edit Name Service Toolbox Definitions

If you are running a NIS or NIS+ name service, the tsol_nis.tbx or tsol_nisplus.tbx file must be edited on the name service master before it can be used on the domain.

If administrators plan to administer the name service's tables or maps from a client machine, this procedure must be done on the client.


Note -

Administrators who want to administer a name service using SMC must do this procedure on every machine that will be used to administer the name service.


  1. In the root role at the label ADMIN_LOW, change to the toolboxes directory and list the toolboxes.


    # cd /var/sadm/smc/toolboxes
    # ls tsol*/*tbx
    tsol_files/tsol_files.tbx        tsol_nis/tsol_nis.tbx
    tsol_smc/tsol_smc.tbx            tsol_nisplus/tsol_nisplus.tbx

    • If you are running the NIS+ name service, your toolbox file is tsol_nisplus/tsol_nisplus.tbx

    • If you are running the NIS name service, your toolbox file is tsol_nis/tsol_nis.tbx

  2. Invoke the Admin Editor, as described in "To Create or Open a File from the Trusted Editor".

  3. Copy and paste the full pathname to the toolbox into the dialog, as in: /var/sadm/smc/toolboxes/tsol_nisplus/tsol_nisplus.tbx

  4. In the editor, replace each instance of <?server ?> with either the name of the master server or the name of the domain.

    1. In the line beginning with <Scope>, replace the first instance of <?server ?> with the name service master, and the second with the fully-qualified domain name, as in:


      <Scope>nisplus:/toucan/aviary.eco.org</Scope>

    2. Replace every other instance of <?server?> or <?server ?> with the name service master, as in:


      <Name>  toucan: Scope=NIS+, Policy=TSOL</Name>
      services and configuration of toucan.</Description>
      and configuring toucan.</Description>
      <ServerName>toucan</ServerName>
      <ServerName>toucan</ServerName>

  5. Write (:wq!) and quit the editor.

  6. Return to the procedure and chapter you are working from.
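
One way to verify the edited toolbox file before using it, as an added example that is not part of the original documentation: the check_tbx function (a hypothetical name) confirms that no <?server ?> placeholder remains, that <Scope> has the type:/master/domain form shown in step 4, and that every <ServerName> matches the master named in <Scope>. It assumes a POSIX shell with mktemp available; the sample files are constructed and contain only the elements quoted on this page.

```shell
#!/bin/sh
# check_tbx FILE (hypothetical helper): return 0 if the edited toolbox
# file is consistent, 1 otherwise. Findings go to stderr.
check_tbx() {
    tbx=$1
    rc=0
    # No <?server?> or <?server ?> placeholder may remain.
    if grep -n -F '<?server' "$tbx" >&2; then
        echo "FAIL: unreplaced placeholder(s) in $tbx" >&2
        rc=1
    fi
    # <Scope> must read type:/master/fully.qualified.domain
    scope=$(sed -n 's|.*<Scope>\(.*\)</Scope>.*|\1|p' "$tbx" | head -n 1)
    case $scope in
        *:/?*/?*.?*) rest=${scope#*:/}; master=${rest%%/*} ;;
        *) echo "FAIL: bad Scope '$scope'" >&2; master=; rc=1 ;;
    esac
    # Every <ServerName> must be the name service master from <Scope>.
    bad=$(sed -n 's|.*<ServerName>\(.*\)</ServerName>.*|\1|p' "$tbx" |
          grep -v -x -F -c -- "$master" || true)
    if [ "$bad" -ne 0 ]; then
        echo "FAIL: $bad ServerName value(s) differ from '$master'" >&2
        rc=1
    fi
    return $rc
}

# Constructed sample data: only the elements quoted on this page.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/edited.tbx" <<'EOF'
<Name>  toucan: Scope=NIS+, Policy=TSOL</Name>
<Scope>nisplus:/toucan/aviary.eco.org</Scope>
<ServerName>toucan</ServerName>
<ServerName>toucan</ServerName>
EOF
cat > "$tmp/unfinished.tbx" <<'EOF'
<Name>  toucan: Scope=NIS+, Policy=TSOL</Name>
<Scope>nisplus:/toucan/aviary.eco.org</Scope>
<ServerName>toucan</ServerName>
<ServerName><?server ?></ServerName>
EOF
for f in "$tmp/edited.tbx" "$tmp/unfinished.tbx"; do
    if check_tbx "$f"; then echo "OK   $f"; else echo "BAD  $f"; fi
done
```

To check a real toolbox, call check_tbx with the full pathname used in step 3.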