All communications to and from a system that is configured with Trusted Extensions must follow the labeling rules of a single CIPSO Domain of Interpretation (DOI). The DOI that is used in each message is identified by an integer number in the CIPSO IP Option header. By default, the DOI in Trusted Extensions is 1.
If your DOI is not 1, you must add an entry to the /etc/system file and modify the doi value in the default security templates in the tnrhtp database.
Type your DOI entry into the /etc/system file:
set default_doi = n
This positive integer must match the DOI number in the tnrhtp database for your node and for the systems that your node communicates with.
Before adding the tnrhtp database to your LDAP server, modify the doi value in the default entries and all entries for local addresses.
Trusted Extensions provides two templates in the tnrhtp database, cipso and admin_low. If you have added entries for local addresses, also modify these entries.
Open the tnrhtp database in the trusted editor.
# /usr/dt/bin/trusted_edit /etc/security/tsol/tnrhtp
In Solaris Trusted Extensions (CDE), you can instead use the Admin Editor action in the Trusted_Extensions folder in the Application Manager.
Copy the cipso template entry to another line.
Comment out one of the cipso entries.
Modify the doi value in the uncommented cipso entry.
Make this value the same as the default_doi value in the /etc/system file.
Change the doi value for the admin_low entry.
You are finished when every doi value in every entry in the tnrhtp database is the same and matches the default_doi value in the /etc/system file.
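The procedure above leaves the final consistency check to the eye. The following shell script is an added example, not part of the Oracle documentation or of Trusted Extensions, that performs the check mechanically: it reads default_doi from an /etc/system-style file (treating an absent entry as the default of 1), extracts the doi= attribute of every uncommented tnrhtp template, and reports each template that disagrees. It assumes the tnrhtp line layout template:key=value;key=value;... shown in the sample files; the file paths and the contents of those files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the Oracle documentation: verify that every
# doi= value in a tnrhtp file equals the default_doi set in /etc/system,
# which is the invariant the procedure above establishes by hand.
# The file contents below are constructed for the demo; on a real system
# point the functions at /etc/system and /etc/security/tsol/tnrhtp.

# Print the default_doi from an /etc/system-style file. Accepts both
# "set default_doi = 4" and "set default_doi=4"; prints 1 (the Trusted
# Extensions default) when no such line is present.
system_default_doi() {
    awk '
        /^[[:space:]]*[#*]/ { next }               # comment lines
        $1 == "set" {
            line = $0
            sub(/^[[:space:]]*set[[:space:]]+/, "", line)
            n = split(line, kv, /[[:space:]]*=[[:space:]]*/)
            if (n >= 2 && kv[1] == "default_doi") {
                sub(/[^0-9].*/, "", kv[2])         # drop trailing text
                v = kv[2]
            }
        }
        END { print (v == "" ? 1 : v) }
    ' "$1"
}

# Print "template doi" for every uncommented tnrhtp entry, e.g. "cipso 1".
# Assumed layout: template:key=value;key=value;...
tnrhtp_dois() {
    awk '
        /^[[:space:]]*#/ || index($0, ":") == 0 { next }
        {
            name = substr($0, 1, index($0, ":") - 1)
            rest = substr($0, index($0, ":") + 1)
            n = split(rest, attr, ";")
            for (i = 1; i <= n; i++)
                if (attr[i] ~ /^doi=/) {
                    sub(/^doi=/, "", attr[i])
                    print name, attr[i]
                }
        }
    ' "$1"
}

# Report every template whose doi differs from default_doi.
# Returns 0 when all templates agree, 1 otherwise.
check_doi_consistency() {
    want=$(system_default_doi "$1")
    bad=$(tnrhtp_dois "$2" | awk -v want="$want" \
        '$2 != want { print $1 " has doi " $2 " instead of " want }')
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    echo "all tnrhtp entries use doi=$want"
}

# --- constructed demo files (not real system files) --------------------
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

cat > "$DEMO_DIR/system" <<'EOF'
* constructed /etc/system fragment
set default_doi = 4
EOF

# tnrhtp before the procedure: both default templates still carry doi=1
cat > "$DEMO_DIR/tnrhtp.before" <<'EOF'
# constructed tnrhtp
admin_low:host_type=unlabeled;doi=1;def_label=ADMIN_LOW;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;
cipso:host_type=cipso;doi=1;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;
EOF

# tnrhtp after the procedure: original cipso line commented out, copy edited
cat > "$DEMO_DIR/tnrhtp.after" <<'EOF'
# constructed tnrhtp
admin_low:host_type=unlabeled;doi=4;def_label=ADMIN_LOW;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;
#cipso:host_type=cipso;doi=1;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;
cipso:host_type=cipso;doi=4;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;
EOF

check_doi_consistency "$DEMO_DIR/system" "$DEMO_DIR/tnrhtp.before" || true
check_doi_consistency "$DEMO_DIR/system" "$DEMO_DIR/tnrhtp.after"
```

Run the two functions against the real /etc/system and /etc/security/tsol/tnrhtp before rebooting: a non-zero exit from check_doi_consistency means at least one template still carries the old DOI, which is the state that produces the "wrong DOI" NOTICE during interface configuration.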
If the /etc/system file sets a default_doi value other than 1, and a security template for this system sets a doi value that does not match that default_doi value, then messages similar to the following are displayed on the system console during interface configuration:
NOTICE: er10 failed: 10.17.1.12 has wrong DOI 4 instead of 1
Failed to configure IPv4 interface(s): er10
Interface configuration failure can result in login failure:
unknown console login: root
Oct 10 10:10:20 unknown login: pam_unix_cred: cannot load hostname Error 0
To correct the problem, boot the system into single-user mode and correct the security templates as described in this procedure.
For more information about the DOI, see Network Security Attributes in Trusted Extensions in Oracle Solaris Trusted Extensions Administrator’s Procedures.
To change the doi value in the security templates that you create, see How to Construct a Remote Host Template in Oracle Solaris Trusted Extensions Administrator’s Procedures.
To use the editor of your choice as the trusted editor, see How to Assign the Editor of Your Choice as the Trusted Editor in Oracle Solaris Trusted Extensions Administrator’s Procedures.