Trusted Solaris 8 Installation and Configuration on the Sun Enterprise 10000

Using the Solaris Management Console

The Solaris Management Console administers users, computers, and networks in the Trusted Solaris environment. See “To Initialize the SMC Server” in Trusted Solaris Installation and Configuration for the details of using the SMC and its administration tools.

The Solaris Management Console can be modified to enable users to assume roles from untrusted machines, as described in the following procedure.

To Enable Users to Assume Roles from Untrusted Clients

By default, the Trusted Solaris environment does not permit role assumption outside of the Trusted Path, but the policy can be changed by editing the startup script for the Trusted Solaris SMC server. The -u option allows untrusted clients to assume a role via the SMC login dialog.


Note – Prerequisite: The task “To Edit Name Service Toolbox Definitions” in Trusted Solaris Installation and Configuration has been completed on the untrusted client.


  1. Log in as a user who can assume the role secadmin and assume the role.

  2. Edit the file /usr/sadm/lib/smc/bin/smcwbemserver in the Admin Editor.

  3. Add the -u option to the line com.sun.management.viperimpl.server.ViperWbemServer "$@" |& so that it reads:


    com.sun.management.viperimpl.server.ViperWbemServer -u "$@" |&

  4. Write the file and quit the editor.

  5. Restart the SMC server.


    $ /etc/init.d/init.wbem stop
    $ /etc/init.d/init.wbem start

This procedure applies only to untrusted SMC clients that connect to Trusted Solaris servers and assume a role. If the -u option is specified, the user, once authenticated, is presented with a list of the authorized roles that are available on the server. The user may choose a role, enter the password, and select the Login as Role button. Without the -u option, the list of roles is not displayed, so only a normal login is allowed.
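Because the -u option relaxes the default Trusted Path policy, it is worth being able to confirm which setting a server has. The following audit check is an added example, not part of the original Sun documentation. It assumes that -u appears as its own argument on the same line as the ViperWbemServer class name, as in step 3; the function name smc_untrusted_role_state is hypothetical.

```shell
#!/bin/sh
# Added audit example (not from the Sun documentation).
# Reports whether the SMC server startup script passes -u to ViperWbemServer,
# i.e. whether role assumption from untrusted clients is switched on.

# Path taken from the procedure above; override for testing.
SMC_SCRIPT=${SMC_SCRIPT:-/usr/sadm/lib/smc/bin/smcwbemserver}

# smc_untrusted_role_state (hypothetical helper name)
# Prints: enabled | disabled | unknown
smc_untrusted_role_state() {
    script=$1
    # Unreadable or missing script: do not guess.
    [ -r "$script" ] || { echo unknown; return 0; }
    awk '
        /^[ \t]*#/ { next }    # a commented-out invocation does not count
        /com\.sun\.management\.viperimpl\.server\.ViperWbemServer/ {
            found = 1
            rest = $0
            # Keep only the arguments that follow the class name.
            sub(/.*ViperWbemServer/, "", rest)
            n = split(rest, arg, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (arg[i] == "-u") enabled = 1
        }
        END { print (found ? (enabled ? "enabled" : "disabled") : "unknown") }
    ' "$script"
}

state=$(smc_untrusted_role_state "${1:-$SMC_SCRIPT}")
echo "untrusted-client role assumption: $state"
```

The check reads the script on disk, so it reports the configured policy; per step 5, an edit takes effect when the SMC server is restarted.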