This chapter describes how to set up labeled printing in the Trusted Solaris environment. This chapter contains the following procedures:
"To Enable Some Users to Print Without Banners and Trailer Pages"
"To Set Up Public Print Jobs from an Unlabeled Print Server"
Solaris print utilities and databases have been modified to meet Trusted Solaris requirements for:
Label-based control of access to printers and to information about queued print jobs
Automatic printing of labels and other handling information on printer output and on mandatory banner and trailer pages
The System Administrator role manages printers. The Security Administrator role manages printer security, including the handling of labeled output. The administrators follow basic printer administration procedures described in the Solaris System Administration Guide, Volume 2. See especially the sections "Print Management (Overview)" and "Setting Up Printers (Tasks)".
The following table shows the tasks for configuring printers in a Trusted Solaris environment and the recommended roles and the tools that perform each task. The table provides links to procedures and other related documentation.
Table 11-1 Tasks for Configuring Printers
Role / Rights Profile | Task | Tool | Notes |
---|---|---|---|
System Administrator / Device Management | Configures printers | Printer Administrator action | See "To Configure an Attached Printer", "To Configure a Network Printer for Labeled Output", and "To Add Access to a Remote Printer". See also "Starting Solaris Print Manager" and "Setting Up Printers (Tasks)" in the Solaris 8 System Administration Guide, Volume 2 and following for how to do the configuration. Note - Where the instructions tell you to become superuser, do the steps at |
Security Administrator / Printer Security | Specifies a restricted label range for a printer (optional). The default is | The Set Printer Label Range action or the add_allocatable(1M) command | See "To Configure a Restricted Label Range for a Printer". |
Printer clients can only submit print requests at labels that are allowed by the trusted network database entries for the printer client computer and printer server.
By default, users cannot print PostScript files. This restriction exists because a knowledgeable PostScript programmer could create a PostScript file that modifies the labels on the printer output.
If desired, the Security Administrator role can assign the Print PostScript authorization to trustworthy users and role accounts. The Security Administrator role should do so only if the account can be trusted not to spoof the labels on printer output and if permitting the printing of PostScript files is consistent with the site's security policy.
A filter provided with the Trusted Solaris printing system converts text files to PostScript. Files converted to PostScript by any installed filter programs can be trusted to have authentic labels and banner and trailer page text because the filter's programs are trusted programs that are run by the printer daemon.
A site's System Administrator role can install additional filters, which then can be trusted to have authentic labels and banner and trailer pages. See the "Managing Character Sets, Filters, Forms, and Fonts (Tasks)" in System Administration Guide, Volume 2 for how to add filters.
PostScript printers are the only types of printers that support labels and other handling information on printer output and on mandatory banner and trailer pages. The following types of printers function correctly, but they do not support page labels or labeled banner and trailer pages.
Non-PostScript printers
Printers connected to a print server that is not running the Trusted Solaris release
Network printers that have not been configured from a Trusted Solaris computer
Jobs sent to a network printer print without labels and trailer pages if the network is not being managed by a Trusted Solaris print server. The network printer would have been configured in one of the two following ways:
Using the printer's own software supplied by the printer vendor to be a standalone node on the network
Using LP printer administration commands on a print server that is not running the Trusted Solaris release
If desired, the Trusted Solaris computer can be set up to send jobs to a printer connected to or managed by a computer (print server) that is not running Trusted Solaris software. Print servers connected to unlabeled servers can print jobs only at the single label that is specified for the print server in the trusted network databases on the Trusted Solaris computer. Jobs print without labels or trailer pages and without security information on banner pages.
Printing from unlabeled computers to a printer on a Trusted Solaris print server is supported.
A user submitting a job from a single-label computer to a Trusted Solaris print server cannot cancel that job and cannot remove the job from the print queue. When a user sends a job from a labeled computer, the trusted network provides the UID of the user sending the print request. For unlabeled computers, the UID of the sender of the job is not available, so the UID assigned to the print job does not match that of the submitting user.
Network printers can print labels on body pages and banner and trailer pages if the printer is managed by a Trusted Solaris computer. See "To Configure a Network Printer for Labeled Output" for how to set this up.
A network printer can print jobs only at the single label specified in the template that is assigned to the network printer's IP address.
The Security Administrator role can change the default for the printing of labels on body pages in the following ways:
Give users an authorization on the print server to allow them to print jobs without labels on the body pages or print jobs without banner or trailer pages.
See "To Enable Some Users to Print Without Banners and Trailer Pages".
Redefine fields in the /usr/lib/lp/postscript/tsol_separator.ps file on the print server in one of the following ways:
Completely disable the printing of labels on body pages for all users, as described in "To Suppress the Printing of Page Labels on All Print Jobs".
Specify that another label or other wording is printed on body pages for all users.
By default, the Protect As classification is printed at the top and bottom of every body page. The "Protect As" classification is the dominant classification when the classification from the job's label is compared to the minimum protect as classification that is defined in the label_encodings file.
The label printed at the top and bottom of banner and trailer pages as shown in the following figure is specified by means of the /PageLabel definition.
The /HeadLabel definition can be changed to put a different value or string at the top and bottom of the banner and trailer pages or to print nothing at all.
The following figures show a default banner page and the differences in the default trailer page. The names of the various sections are shown because they are needed when configuring what appears.
All the text and the labels and warnings that appear on print jobs are site-configurable. The text can also be replaced with text in another language for localization.
The following table shows aspects of trusted printing that the Security Administrator can change by assigning an authorization. For other printing-related authorizations see the Trusted Solaris Administration Overview.
Table 11-2 Modifiable Printing Features
What Can Be Changed | Authorization Name | How to Change |
---|---|---|
Whether individual users can print jobs without labels on body pages | Print without Label | Assign a rights profile with the Print without Label authorization to the user. |
Whether all users can print jobs without labels on body pages | Print without Label | Enter AUTHS_GRANTED=solaris.print.unlabeled in the policy.conf file. |
Whether individual users can print jobs without banner or trailer pages | Print without Banner | Assign a rights profile with the Print without Banner authorization to the user. |
Whether all users can print jobs without banner or trailer pages | Print without Banner | Enter AUTHS_GRANTED=solaris.print.nobanner in the policy.conf file. |
The Security Administrator role can do the following to modify defaults that set labels and handling caveats on printer output:
Localize or customize the text on the banner and trailer pages.
Specify alternate labels to be printed in the various fields of the banner and trailer pages or at the top and bottom of body pages.
Change or omit any of the text or labels.
For how to do customizations or internationalization, see the comments in the tsol_separator.ps file.
Certain users, such as technical writers, need to produce publicly-readable documents that do not have labels printed on the top and bottom of the pages. If a printer connected to a Solaris print server is available, the Security Administrator role can set up the users' environments so that the publicly-readable jobs go to the printer connected to the Solaris computer while jobs at all other labels go to Trusted Solaris computers. See "To Set Up Public Print Jobs from an Unlabeled Print Server". The procedure requires understanding of how to set up user accounts as described in Chapter 3, Managing User Accounts, and computer network entries as described in Chapter 8, Specifying Routing and Security for Remote Computers.
Users send print jobs to the single-label printer at the same label assigned to the print server.
Assume the Security Administrator role and go to an ADMIN_LOW workspace.
Open the Solaris Management Console in the desired scope.
Click Trusted Solaris Management Console, then Computers and Networks. Provide a password when prompted.
Assign a template to the print server with the desired label.
The template is assigned to the IP address of the unlabeled print server.
See Chapter 8, Specifying Routing and Security for Remote Computers for how the Security Administrator assigns a single label to an unlabeled computer.
Assume the System Administrator role and go to an ADMIN_LOW workspace.
In the System_Admin folder in the Application Manager, double-click the Printer Administrator action.
Choose files to update local files or choose either NIS, NIS+(xfn) or NIS+ for a naming service.
Connect the printer to a serial or parallel port on a print server using the appropriate cable, as described in the printer's installation guide.
Assume the System Administrator role on the print server, and go to an ADMIN_LOW workspace.
If the printer is connected to a serial port, make sure the correct baud rate is set, using the Serial Port tool from the Solaris Management Console Devices and Hardware manager.
See the printer documentation for the correct baud rate. See also "Adjusting Printer Port Characteristics" in System Administration Guide, Volume 2.
Bring up the Printer Administrator tool as described in "To Launch the Printer Administrator Action".
Choose New Attached Printer from the Printer menu.
If needed, follow the procedure "How to Add a New Attached Printer With Solaris Print Manager" in the "Setting Up Printers (Tasks)" in System Administration Guide, Volume 2.
Do not change the Printer Type and File Contents settings from the default value of PostScript. If you do, printing will not work.
If the default printer label range of ADMIN_LOW to ADMIN_HIGH is acceptable, you are done.
To restrict the label range for the printer, go to "To Configure a Restricted Label Range for a Printer".
A network printer must be managed by a Trusted Solaris print server in order to print labeled output. A network printer prints only at the single label assigned to it in a Security Families template.
Pick a printer name to be used as its host name, and assign the printer an IP address.
Set up the printer as described in the printer's documentation.
Assume the System Administrator role on the Trusted Solaris print server, and go to an ADMIN_LOW workspace.
Add an entry for the printer using the Computers tool in the Solaris Management Console.
The scope of the toolbox that you load determines whether the entry is made in the local hosts file, NIS map or NIS+ table.
Create a new unlabeled template, assigning it the ADMIN_HIGH label.
Double-click Trusted Solaris Configuration->Computers and Networks->Security Families.
In the Action menu, select Add->Template.
On the New Template dialog->Basic Information tab
Assign a Name.
Select Unlabeled from the Host Type menu and specify the Minimum Label and the Maximum Label as ADMIN_HIGH.
Assign a Label and a Clearance of ADMIN_HIGH, and click OK in the New Template dialog box.
Assign the new template to the host name or IP address of the printer by double-clicking the icon for the new template.
In the Action menu, select Add->Host.
In the New Remote Host Entry dialog, enter the Host Name and IP address, then click OK.
Configure the printer on the Trusted Solaris computer using the LP administration commands.
Complete the setup of the Network printer on the Trusted Solaris computer by following the procedure "How To Add A Network Printer Using LP Commands" in the "Setting Up Printers (Tasks)" in System Administration Guide, Volume 2.
Do this procedure only if you need to restrict the label range for a printer that is controlled by a Trusted Solaris print server. The default printer label range is ADMIN_LOW to ADMIN_HIGH.
Assume the Security Administrator role and go to an ADMIN_LOW workspace.
See "To Log In and Assume a Role", if needed.
Bring up the Device Allocation Manager.
Either select the Allocate Device option from the Trusted Path menu or launch the Device Allocation Manager action from the Tools subpanel on the Front Panel.
Click the Device Administration button to display the Device Allocation: Administration dialog box.
Select the name of the new printer.
Click the Configure button to display the Device Allocation: Configuration dialog box, as shown in the following figure.
Change the label range as desired by clicking the Min Label and Max Label buttons and using the label builders that display to select the desired label.
Click the OK button on the Configuration dialog box to save the label changes, click the OK button on the Administration dialog box to close it, and then close the Device Allocation Manager.
If either NIS+ or NIS was specified as the naming service when the print server was configured, this procedure is not needed on any NIS+ or NIS clients in the domain.
On the local computer, access the Printer Administrator.
See "To Launch the Printer Administrator Action", if needed.
See How to Add Printer Access With Solaris Print Manager in "Setting Up Printers (Tasks)" in System Administration Guide, Volume 2.
If the Always Print Banner check box on the Printer Administrator dialog is checked, banner and trailer pages always print, even if the user has the solaris.print.nobanner authorization and uses the -o nobanner option to lp.
Bring up the Printer Administrator on the print server.
See "To Launch the Printer Administrator Action", if needed.
Make sure that the Always Print Banner check box is not checked.
Exit the Printer Administrator.
Make sure that the solaris.print.nobanner authorization is in one of the profiles assigned to each user or role that is allowed to print without banner and trailer pages.
See "To Assign Printing-Related Authorization(s) to an Account", if needed.
Instruct the user or role to submit jobs using the lp command with the option -o nobanner.
trustworthy% lp -o nobanner staff.mtg.notes
Assume the Security Administrator role and go to an ADMIN_LOW workspace.
Bring up the User Accounts tool.
Make sure that the desired print-related authorization is contained in one of the user's rights profiles.
Assume the Security Administrator role and go to an ADMIN_LOW workspace.
Use the Admin Editor action to edit the /usr/lib/lp/postscript/tsol_separator.ps file.
See "To Edit a Local File", if needed.
Find the following lines:
%% To eliminate page labels completely, change this line to
%% set the page label to an empty string: /PageLabel () def
/PageLabel Job_SL_Internal def
The value of Job_PageLabel may have been changed at your site.
Replace the value of /PageLabel with an empty set of parentheses.
/PageLabel () def
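An audit check for the two site-wide changes this chapter describes (an AUTHS_GRANTED entry in policy.conf and an emptied /PageLabel in tsol_separator.ps), as an added example that is not part of the Trusted Solaris documentation. The function names and sample file contents are constructed for illustration, and the wildcard handling assumes standard Solaris RBAC matching of a trailing ".*".

```sh
#!/bin/sh
# Added example, not Trusted Solaris code. Audits the two site-wide settings
# from this chapter that remove labels or banners for every user.

# $1 = policy.conf. Prints each print authorization granted to all users.
# Assumption: a trailing ".*" is honoured as a wildcard, as in Solaris RBAC.
granted_print_auths() {
    sed -e 's/#.*//' "$1" | awk -F= '
        $1 ~ /^[ \t]*AUTHS_GRANTED[ \t]*$/ {
            n = split($2, a, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", a[i])
                all = (a[i] == "solaris.*" || a[i] == "solaris.print.*")
                if (all || a[i] == "solaris.print.nobanner") nb = 1
                if (all || a[i] == "solaris.print.unlabeled") ul = 1
            }
        }
        END {
            if (nb) print "solaris.print.nobanner"
            if (ul) print "solaris.print.unlabeled"
        }'
}

# $1 = tsol_separator.ps. Prints "suppressed" if the active /PageLabel is an
# empty string, "labeled" if it is anything else, "missing" if undefined.
# The stock file quotes "/PageLabel () def" inside a %% comment, so comments
# are stripped first. Assumption: the last active definition is the one used.
page_label_state() {
    sed -e 's/%.*//' "$1" | awk '
        $1 == "/PageLabel" && $NF == "def" {
            v = $0
            gsub(/[ \t]/, "", v)
            sub(/^\/PageLabel/, "", v)
            sub(/def$/, "", v)
            state = (v == "()") ? "suppressed" : "labeled"
        }
        END { print (state == "" ? "missing" : state) }'
}

# Constructed sample input, modelled on the lines quoted in this chapter.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# AUTHS_GRANTED=solaris.print.nobanner' \
        'AUTHS_GRANTED= solaris.print.unlabeled' > "$d/policy.conf"
    printf '%s\n' '%% set the page label to an empty string: /PageLabel () def' \
        '/PageLabel Job_SL_Internal def' > "$d/tsol_separator.ps"
    echo "site-wide auths: $(granted_print_auths "$d/policy.conf")"
    echo "page labels:     $(page_label_state "$d/tsol_separator.ps")"
    rm -rf "$d"
}
demo
```

On a print server, pass the real policy.conf and /usr/lib/lp/postscript/tsol_separator.ps paths to the two functions and compare the result with what the site's security policy allows.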
Make sure that the Print Without Label authorization is in one of the profiles assigned to each user or role that is allowed to print jobs without labels at the top and bottom of each page.
See "To Assign Printing-Related Authorization(s) to an Account", if needed.
Make sure that the user or role submits jobs using lp with the option -o nolabels.
trustworthy% lp -o nolabels staff.mtg.notes
Doing this procedure enables an authorized user or role to print jobs without labels when working at any label.
Files that are available to the general public may be printed on an unlabeled printer.
In the tnrhdb/tnrhtp entries that define an unlabeled print server, assign to the print server the appropriate label.
For example, a site may label files that are available to the general public as PUBLIC or UNCLASSIFIED.
Do the following three steps for each user or role allowed to print publicly-readable files without page labels.
Make sure that the public label is in each account's personal label range.
Instruct each user to define the PRINTER variable in the appropriate shell initialization file in the user's publicly-labeled home directory SLD.
Go to the publicly-labeled home directory SLD.
Open the .login or .profile file (as appropriate) for editing.
Define the PRINTER variable to be the name of the printer connected to the unlabeled print server.
When a printer named nolabels is connected to a single-label print server whose label is PUBLIC, the .login or .profile file in the PUBLIC SLD directory would have the following environment variable defined.
setenv PRINTER nolabels
Write and quit the file.
Have each affected account log out and log in again to put the changed printer definitions in effect.
Have each affected account create and print jobs that need to be printed without labels from within the publicly-labeled SLD.