Solaris Trusted Extensions Installation and Configuration for Solaris 10 11/06 and Solaris 10 8/07 Releases

Chapter 3 Installing Solaris Trusted Extensions Software (Tasks)

This chapter describes how to prepare the Solaris OS for Solaris Trusted Extensions installation. This chapter also describes the information you need before installing the Trusted Extensions packages. Instructions on how to install the packages are also provided.

Install Team Responsibilities

Trusted Extensions software is designed to be installed and configured by two people with distinct responsibilities. However, the installation program does not enforce this two-role task division. Instead, task division is enforced by roles. Because roles and users are not created until after installation, it is a good practice to have an install team of at least two people present to install Trusted Extensions software.

Installing or Upgrading the Solaris OS for Trusted Extensions

The choice of Solaris installation options can affect the use and security of Trusted Extensions. The following procedures cover a fresh installation and an already installed system.

Procedure: Install a Solaris System to Support Trusted Extensions

This task applies to fresh installations of the Solaris OS. If you are upgrading, see Prepare an Installed Solaris System for Trusted Extensions.

  1. When installing the Solaris OS, take the recommended action on the following installation choices.

    The choices follow the order of Solaris installation questions. Installation questions that are not mentioned in this table do not affect Trusted Extensions.

    Solaris Option: NIS naming service, NIS+ naming service
    Trusted Extensions Behavior: Trusted Extensions supports files and LDAP for a naming service. For host name resolution, DNS can be used.
    Recommended Action: Do not choose NIS or NIS+. You can choose None, which is equivalent to files. Later, you can configure LDAP to work with Trusted Extensions.

    Solaris Option: Upgrade
    Trusted Extensions Behavior: Trusted Extensions installs labeled zones with particular security characteristics.
    Recommended Action: If you are upgrading, go to Prepare an Installed Solaris System for Trusted Extensions.

    Solaris Option: root password
    Trusted Extensions Behavior: Administration tools in Trusted Extensions require passwords. If the root user does not have a password, then root cannot configure the system.
    Recommended Action: Provide a root password. Do not change the default crypt_unix password encryption method. For details, see Managing Password Information in System Administration Guide: Security Services.

    Solaris Option: Developer Group
    Trusted Extensions Behavior: Trusted Extensions uses the Solaris Management Console to administer the network. The End User group and smaller groups do not install the packages for the Solaris Management Console.
    Recommended Action: On any system that you plan to use to administer other systems, do not install the End User, Core, or Reduced Networking Group.

    Solaris Option: Select Products
    Trusted Extensions Behavior: You can install Java ES Software from this screen.
    Recommended Action: Do not select Solaris 10 Extra Value Software. You add Trusted Extensions software later, in Installing the Solaris Trusted Extensions Packages (Tasks).

    Solaris Option: Custom Install
    Trusted Extensions Behavior: Because Trusted Extensions installs zones, you might need more disk space in partitions than the default installation supplies.
    Recommended Action: Choose Custom Install, and lay out the partitions. Consider adding extra swap space for roles. If you plan to clone zones, create a 2000 MB partition for the ZFS pool. For auditing files, best practice is to create a dedicated partition.

Procedure: Prepare an Installed Solaris System for Trusted Extensions

This task applies to Solaris systems that have been in use, and on which you plan to add Trusted Extensions packages. Also, to install Trusted Extensions on an upgraded Solaris 10 system, follow this procedure. Other tasks that might modify an installed Solaris system can be done after the Trusted Extensions packages have been added.

Before You Begin

Trusted Extensions cannot be installed into some Solaris environments:

  1. If non-global zones are installed on your system, remove them.

    Or, you can re-install the Solaris OS. If you are going to re-install the Solaris OS, follow the instructions in Install a Solaris System to Support Trusted Extensions.

  2. If your system does not have a root password, create one.

    Administration tools in Trusted Extensions require passwords. If the root user does not have a password, then root cannot configure the system.

    Use the default crypt_unix password encryption method for the root user. For details, see Managing Password Information in System Administration Guide: Security Services.


    Note –

    Users must not disclose their passwords to another person, as that person might then have access to the data of the user and will not be uniquely identified or accountable. Note that disclosure can be direct, through the user deliberately disclosing her/his password to another person, or indirect, for example, through writing it down, or choosing an insecure password. The Solaris OS provides protection against insecure passwords, but cannot prevent a user from disclosing her or his password, or from writing it down.


  3. If you plan to administer the site from this system, add the Solaris packages for the Solaris Management Console.

    Trusted Extensions uses the Solaris Management Console to administer the network. If your system was installed with the End User group or a smaller group, the system does not have the packages for the Solaris Management Console.

  4. If you have created an xorg.conf file, you need to modify it.

    Add the following line to the end of the Module section in the /etc/X11/xorg.conf file.


    load "xtsol"

    Note –

    By default, the xorg.conf file does not exist. Do nothing if this file does not exist.


  5. If you are upgrading a Solaris Trusted Extensions system, read the following before installing the system:


    Tip –

    To find pertinent information, search for the string Trusted Extensions.


  6. If you plan to clone zones, create a partition for the ZFS pool.

    To decide on your zone creation method, see Planning for Zones in Trusted Extensions.

  7. If you plan to install labeled zones on this system, check that your partitions have sufficient disk space for zones.

    Most systems that are configured with Trusted Extensions install labeled zones. Labeled zones can require more disk space than the installed system has set aside.

    However, some Trusted Extensions systems do not require that labeled zones be installed. For example, a multilevel printing server, a multilevel LDAP server, or a multilevel LDAP proxy server does not require labeled zones to be installed. These systems might not need the extra disk space.

  8. (Optional) Add extra swap space for roles.

    Roles administer Trusted Extensions. Consider adding extra swap for role processes.

  9. (Optional) Dedicate a partition for audit files.

    Trusted Extensions enables auditing by default. For audit files, best practice is to create a dedicated partition.

  10. (Optional) To run a hardened configuration, run the netservices limited command before you install Trusted Extensions.


    # netservices limited
    
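The following script is an added example, not part of the Sun guide or the Trusted Extensions product. It automates the checks behind steps 1, 2 and 4 of the procedure above: that root has a password stored with the crypt_unix algorithm, that no non-global zones remain, and that an existing xorg.conf loads the xtsol module (doing nothing when the file is absent, and not duplicating the line when it is already there). The function names are hypothetical, and each function reads from a file path so it can be run against constructed input; on a real system you would pass /etc/shadow, a saved copy of `zoneadm list -cv` output, and /etc/X11/xorg.conf.

```shell
#!/bin/sh
# Pre-installation checks for steps 1, 2 and 4 of the procedure above.
# Illustrative helpers added here, not part of Trusted Extensions. Each
# function reads a file so it can be exercised on constructed input; on a
# real system pass /etc/shadow, a capture of `zoneadm list -cv`, and
# /etc/X11/xorg.conf.

# Step 2: root must have a password, and the hash must be crypt_unix.
# A crypt_unix hash is 13 characters from [./0-9A-Za-z]; the other Solaris
# crypt modules (crypt_md5, crypt_bsdmd5, crypt_sha256, ...) prefix their
# output with "$id$". "NP" and an empty field both mean no password.
check_root_password() {
    shadow_file=$1
    hash=$(awk -F: '$1 == "root" { print $2; exit }' "$shadow_file")
    if [ -z "$hash" ] || [ "$hash" = "NP" ]; then
        echo "FAIL: root has no password; create one before installing" >&2
        return 1
    fi
    case $hash in
        \$*) echo "FAIL: root password does not use crypt_unix" >&2
             return 1 ;;
    esac
    echo "OK: root password is set and uses crypt_unix"
    return 0
}

# Step 1: no non-global zones may exist. Input is `zoneadm list -cv`
# output, whose columns are ID NAME STATUS PATH BRAND IP.
check_no_nonglobal_zones() {
    zoneadm_file=$1
    zones=$(awk 'NR > 1 && $2 != "global" { print $2 }' "$zoneadm_file")
    if [ -n "$zones" ]; then
        echo "FAIL: remove these non-global zones first:" $zones >&2
        return 1
    fi
    echo "OK: no non-global zones configured"
    return 0
}

# Step 4: if xorg.conf exists, its Module section must load xtsol.
# No file: nothing to do. Line already present: leave the file alone.
# Otherwise add load "xtsol" at the end of the Module section, i.e.
# just before the EndSection that closes it.
ensure_xtsol_module() {
    conf=$1
    if [ ! -f "$conf" ]; then
        echo "OK: $conf does not exist; nothing to do"
        return 0
    fi
    if grep -iq '^[[:space:]]*load[[:space:]]*"xtsol"' "$conf"; then
        echo "OK: xtsol is already loaded in $conf"
        return 0
    fi
    tmp=$(mktemp) || return 1
    # awk exits 2 when no Module section was found, so nothing was added.
    if awk '
        /^[[:space:]]*Section[[:space:]]+"Module"/ { in_module = 1 }
        in_module && /^[[:space:]]*EndSection/ {
            print "    load \"xtsol\""; in_module = 0; added = 1
        }
        { print }
        END { exit added ? 0 : 2 }
    ' "$conf" > "$tmp"; then
        cat "$tmp" > "$conf"    # keeps the original file's owner and mode
        rm -f "$tmp"
        echo "OK: added load \"xtsol\" to the Module section of $conf"
        return 0
    fi
    rm -f "$tmp"
    echo "FAIL: $conf has no Module section; add one that loads xtsol" >&2
    return 1
}

# Run all three checks; returns nonzero if any of them failed.
preflight() {
    rc=0
    check_root_password "${1:-/etc/shadow}" || rc=1
    check_no_nonglobal_zones "${2:?path to saved zoneadm list -cv output}" || rc=1
    ensure_xtsol_module "${3:-/etc/X11/xorg.conf}" || rc=1
    return $rc
}
```

Run `zoneadm list -cv > /tmp/zones.txt` as root first, then `preflight /etc/shadow /tmp/zones.txt`. The xorg.conf edit is the only step that changes anything; the other two only report, because removing zones and setting the root password are decisions the install team makes by hand.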

Collecting Information and Making Decisions Before Installing Trusted Extensions

For each system on which Solaris Trusted Extensions is going to be configured, you need to know some information, and make some decisions about configuration. For example, because you are going to create labeled zones, you might want to set aside disk space where the zones can be cloned as a zettabyte file system (ZFS). Solaris ZFS provides additional isolation for the zones.

Procedure: Collect System Information Before Installing Trusted Extensions

  1. Determine the system's main hostname and IP address.

    The hostname is the name of the host on the network, and is the global zone. On a Solaris system, the getent command returns the hostname, as in:


    # getent hosts machine1
    192.168.0.11   machine1

  2. Determine the IP address assignments for labeled zones.

    A system with two IP addresses can function as a multilevel server. A system with one IP address must have access to a multilevel server in order to print or perform multilevel tasks. For a discussion of IP address options, see Planning for Multilevel Access.

    Most systems require a second IP address for the labeled zones. For example, the following is a host with a second IP address for labeled zones:


    # getent hosts machine1-zones
    192.168.0.12   machine1-zones

  3. Collect LDAP configuration information.

    For the LDAP server that is running Trusted Extensions software, you need the following information:

    • The name of the Trusted Extensions domain that the LDAP server serves

    • The IP address of the LDAP server

    • The LDAP profile name that will be loaded

    For an LDAP proxy server, you also need the password for the LDAP proxy.
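As an added example for steps 1 and 2 (not from the original guide), the helper below confirms that the system's main hostname and the hostname used for its labeled zones both resolve, and to different addresses. On a live system `getent hosts NAME` performs the lookup; to keep the example runnable offline, the hypothetical `lookup_host` function reads a hosts(4)-format file instead, which on a real system would be /etc/hosts. The `HOST-zones` naming convention is taken from the page's own sample; the `-zones` default is only a convenience and can be overridden by the third argument.

```shell
#!/bin/sh
# Added helper for steps 1 and 2 above: the main hostname and the labeled
# zone hostname must both resolve, to distinct addresses. Reads a hosts(4)
# format file so it runs offline; use /etc/hosts (or replace lookup_host
# with getent hosts) on a real system. Illustrative code, not part of the
# Trusted Extensions product.

# Print the first address for NAME in FILE, or nothing if absent.
lookup_host() {
    file=$1; name=$2
    awk -v n="$name" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }
    ' "$file"
}

# Verify that HOST and the zone address name (default HOST-zones) both
# resolve and differ. Prints "MAIN_IP ZONES_IP" on success. Returns 2 when
# only the main name resolves: such a single-address system must rely on
# a multilevel server for printing and other multilevel tasks.
check_zone_addresses() {
    file=$1; host=$2; zones_host=${3:-$2-zones}
    ip=$(lookup_host "$file" "$host")
    zip=$(lookup_host "$file" "$zones_host")
    if [ -z "$ip" ]; then
        echo "FAIL: $host does not resolve" >&2
        return 1
    fi
    if [ -z "$zip" ]; then
        echo "WARN: $zones_host does not resolve; one-address system needs a multilevel server" >&2
        return 2
    fi
    if [ "$ip" = "$zip" ]; then
        echo "FAIL: $host and $zones_host share $ip; labeled zones need their own address" >&2
        return 1
    fi
    echo "$ip $zip"
    return 0
}
```

Example use: `check_zone_addresses /etc/hosts machine1` prints `192.168.0.11 192.168.0.12` for the sample host above.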

Procedure: Make System and Security Decisions Before Installing Trusted Extensions

For each system on which Solaris Trusted Extensions is going to be configured, make these configuration decisions before installing the packages.

  1. Decide how securely the system hardware needs to be protected.

    At a secure site, this step has been done for every installed Solaris system.

    • For SPARC systems, a PROM security level and password have been provided.

    • For x86 systems, the BIOS is protected.

    • On all systems, root is protected with a password.

  2. Prepare your label_encodings file.

    If you have a site-specific label_encodings file, the file must be checked and installed before other configuration tasks can be started. If your site does not have a label_encodings file, you can use the default file that Sun supplies. Sun also supplies other label_encodings files, which you can find in the /etc/security/tsol directory. The Sun files are demonstration files. They might not be suitable for production systems.

    To customize a file for your site, see Solaris Trusted Extensions Label Administration.

  3. From the list of labels in your label_encodings file, make a list of the labeled zones you need to create.

    For the default label_encodings file, the labels are the following, and the zone names can be similar to the following:

    Label                          Zone Name
    PUBLIC                         public
    CONFIDENTIAL : INTERNAL        internal
    CONFIDENTIAL : NEED TO KNOW    needtoknow
    CONFIDENTIAL : RESTRICTED      restricted

    For ease of NFS mounting, the zone name of a particular label must be identical on every system. Some systems, such as multilevel print servers, do not need to have labeled zones installed. However, if you do install labeled zones on a print server, the zone names must be identical to the zone names of other systems on your network.

  4. Decide when to create roles.

    Your site's security policy can require you to administer Trusted Extensions by assuming a role. If so, or if you are configuring the system to satisfy criteria for an evaluated configuration, you must create roles early in the configuration process.

    If you are not required to configure the system by using roles, you can choose to configure the system as superuser. This method of configuration is less secure. Audit records do not indicate which user was superuser during configuration. Superuser can perform all tasks on the system, while a role can perform a more limited set of tasks. Therefore, configuration is more controlled when being performed by roles.

  5. Choose a zone creation method.

    You can create zones from scratch, copy zones, or clone zones. These methods differ in speed of creation, disk space requirements, and robustness. For the trade-offs, see Planning for Zones in Trusted Extensions.

  6. Plan your LDAP configuration.

    Using local files for administration is practical for non-networked systems.

    LDAP is the naming service for a networked environment. A populated LDAP server is required when you configure several machines.

    • If you have an existing Sun Java System Directory Server (LDAP server), you can create an LDAP proxy server on a system that is running Trusted Extensions. The multilevel proxy server handles communications with the unlabeled LDAP server.

    • If you do not have an LDAP server, you can configure a system that runs Trusted Extensions software as a multilevel LDAP server.

  7. Decide other security issues for each system and for the network.

    For example, you might want to consider the following security issues:

    • Determine which devices can be attached to the system and allocated for use.

    • Identify which printers at what labels are accessible from the system.

    • Identify any systems that have a limited label range, such as a gateway system or a public kiosk.

    • Identify which labeled systems can communicate with particular unlabeled systems.

Installing the Solaris Trusted Extensions Packages (Tasks)

Before you install the packages, you should have completed the tasks in Installing or Upgrading the Solaris OS for Trusted Extensions and Collecting Information and Making Decisions Before Installing Trusted Extensions.

Procedure: Install the Solaris Trusted Extensions Packages

Packages can be added by using the Java wizard or the pkgadd command. For options to the pkgadd command, see the pkgadd(1M) man page.

  1. Insert the Solaris installation media into the drive.

  2. Navigate to the Trusted_Extensions directory.


    # cd Solaris_release-number/ExtraValue/CoBundled/Trusted_Extensions
    
  3. Load all packages.

    Choose one of the following options:

    • Use the Java wizard.


      # java wizard
      

      A Java installation GUI prompts you to install the packages.

    • From the Packages directory, use the pkgadd command.


      # cd Packages
      # pkgadd -d .
      
      1. Press Return to load all the packages.

      2. Answer y to all the prompts.

  4. Check for the proper installation of the packages.

    • In the Java wizard, click the Details button.

    • From the command line, scroll back through the log.

      You can also go to the /var/sadm/install/logs directory and read the log.


      Tip –

      You can also use the pkginfo command to confirm that the packages are installed.


      # pkginfo | grep Trust
      system      SUNWdttshelp            Trusted Extensions, CDE Desktop Help
      system      SUNWdttsr               Trusted Extensions, CDE Desktop, (Root)
      system      SUNWdttsu               Trusted Extensions, CDE Desktop, (Usr)
      system      SUNWmgts                Trusted Extensions, SMC
      system      SUNWtsg                 Trusted Extensions global
      system      SUNWtsman               Trusted Extensions Man Pages
      application SUNWtsmc                Trusted Extensions SMC Server
      system      SUNWtsr                 Trusted Extensions, (Root)
      system      SUNWtsu                 Trusted Extensions, (Usr)
      system      SUNWxwts                Trusted Extensions, X Window System
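As an added example for step 4 (not part of the guide or the product), the script below turns the pkginfo check in the tip into a pass/fail test: it compares the packages that pkginfo reports against the ten Trusted Extensions packages listed above and names any that are missing, which is easier to act on than scrolling a log. The function names are hypothetical. To run it offline the functions read saved pkginfo output from a file; on the installed system capture it with `pkginfo > /tmp/pkginfo.txt` first.

```shell
#!/bin/sh
# Added check for step 4: compare pkginfo output against the Trusted
# Extensions package list shown in the tip above and report what is
# missing. Reads pkginfo output from a file so it can run offline
# (pkginfo > /tmp/pkginfo.txt on the installed system). Illustrative
# helper, not part of the product.

# Packages expected after pkgadd in Trusted_Extensions/Packages, exactly
# as listed in the pkginfo output in the tip above.
TE_PACKAGES="SUNWdttshelp SUNWdttsr SUNWdttsu SUNWmgts SUNWtsg SUNWtsman SUNWtsmc SUNWtsr SUNWtsu SUNWxwts"

# Print each expected package that is absent from the pkginfo output in
# FILE, one per line. Prints nothing and returns 0 when all are present.
missing_te_packages() {
    file=$1
    rc=0
    for pkg in $TE_PACKAGES; do
        # pkginfo lines are: CATEGORY PKGINST NAME...; match on PKGINST.
        if ! awk -v p="$pkg" '$2 == p { found = 1 } END { exit found ? 0 : 1 }' "$file"; then
            echo "$pkg"
            rc=1
        fi
    done
    return $rc
}

# Human-readable wrapper: OK on success, the missing names on failure.
verify_te_install() {
    if missing=$(missing_te_packages "$1"); then
        echo "OK: all Trusted Extensions packages are installed"
        return 0
    fi
    echo "FAIL: missing packages:" $missing >&2
    return 1
}
```

A partial installation (for example, the pkgadd run was interrupted after the first few packages) shows up as a short list of missing names, and a zero exit status from `verify_te_install` is the condition to require before moving on to configuration.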

Troubleshooting

Java wizard – If the message Exception in thread "main" java.lang.NoClassDefFoundError: wizard appears, then you invoked the wizard from the wrong directory.

Next Steps

If you are upgrading a Solaris Trusted Extensions system, read the following before continuing:

Solaris 10 11/06 Release Notes