| Skip Navigation Links | |
| Exit Print View | |
|
Oracle Solaris Trusted Extensions Administrator's Procedures Oracle Solaris 10 8/11 Information Library |
| Skip Navigation Links | |
| Exit Print View | |
|
|
Oracle Solaris Trusted Extensions Administrator's Procedures Oracle Solaris 10 8/11 Information Library |
1. Trusted Extensions Administration Concepts
2. Trusted Extensions Administration Tools
3. Getting Started as a Trusted Extensions Administrator (Tasks)
4. Security Requirements on a Trusted Extensions System (Overview)
5. Administering Security Requirements in Trusted Extensions (Tasks)
6. Users, Rights, and Roles in Trusted Extensions (Overview)
7. Managing Users, Rights, and Roles in Trusted Extensions (Tasks)
8. Remote Administration in Trusted Extensions (Tasks)
Secure Remote Administration in Trusted Extensions
Methods for Administering Remote Systems in Trusted Extensions
Remote Login by a Role in Trusted Extensions
Remote Role-Based Administration From Unlabeled Hosts
Remote Login Management in Trusted Extensions
Administering Trusted Extensions Remotely (Task Map)
How to Log In Remotely From the Command Line in Trusted Extensions
How to Remotely Administer Trusted Extensions With dtappsession
How to Remotely Administer Systems by Using the Solaris Management Console From an Unlabeled System
How to Enable Specific Users to Log In Remotely to the Global Zone in Trusted Extensions
How to Use Xvnc to Remotely Access a Trusted Extensions System
9. Trusted Extensions and LDAP (Overview)
10. Managing Zones in Trusted Extensions (Tasks)
11. Managing and Mounting Files in Trusted Extensions (Tasks)
12. Trusted Networking (Overview)
13. Managing Networks in Trusted Extensions (Tasks)
14. Multilevel Mail in Trusted Extensions (Overview)
15. Managing Labeled Printing (Tasks)
16. Devices in Trusted Extensions (Overview)
17. Managing Devices for Trusted Extensions (Tasks)
18. Trusted Extensions Auditing (Overview)
19. Software Management in Trusted Extensions (Tasks)
A. Quick Reference to Trusted Extensions Administration
The following task map describes the tasks used to administer a remote Trusted Extensions system.
|
Note - The telnet command cannot be used for remote role assumption because this command cannot pass the primary and role identities to the pam_roles module.
Before You Begin
The user and the role must be identically defined on the local and the remote system.
The role must have the Remote Login authorization. By default, this authorization is in the Remote Administration, and the Maintenance and Repair rights profiles.
The security administrator has completed the procedure Enable Remote Login by a Role in Trusted Extensions in Oracle Solaris Trusted Extensions Configuration Guide on every system that can be remotely administered. If the system can be administered from an unlabeled system, the procedure Enable Remote Login From an Unlabeled System in Oracle Solaris Trusted Extensions Configuration Guide has also been completed.
Use the rlogin command, the ssh command, or the ftp command.
If the rlogin -l or ssh command is used to log in, all commands that are in the role's rights profiles are available.
If the ftp command is used, see the ftp(1) man page for the commands that are available.
The dtappsession program enables an administrator to administer a remote system that is running CDE.
dtappsession is useful when a remote system does not have a monitor. For example, dtappsession is often used to administer domains on large servers. For more information, see the dtappsession(1) man page.
Before You Begin
On a labeled system, you must be in an administrative role in the global zone. On an unlabeled system, you must assume a role that is defined on the remote system. You must then run the remote login from the role's profile shell.
To avoid confusion between the remote CDE applications and any local applications, dedicate an administrative role workspace to this procedure. For details, see How to Add a Workspace at a Particular Label in Oracle Solaris Trusted Extensions User’s Guide.
You can use the rlogin command or the ssh command.
$ ssh remote-host
In the terminal window, type the dtappsession command followed by the name of the local host.
$ /usr/dt/bin/dtappsession local-host
the Application Manager that is running on the remote host displays on the local host. Also, an Exit dialog box appears.
If you invoked the remote session from Trusted CDE, you can use actions in the Trusted_Extensions folder.
 | Caution - Closing the Application Manager does not end the login session and is not recommended. |
And use the hostname command to verify that you are on your local host.
$ exit $ hostname local-host
The Solaris Management Console provides a remote administration interface to manage users, rights, roles, and the network. You assume a role to use the Console. In this procedure, you run the Console on the local system and specify the remote system as the server.
Before You Begin
You have completed the following procedures:
On both systems – Initialize the Solaris Management Console Server in Trusted Extensions in Oracle Solaris Trusted Extensions Configuration Guide
On the remote system – Enable Remote Login by a Role in Trusted Extensions in Oracle Solaris Trusted Extensions Configuration Guide and Enable the Solaris Management Console to Accept Network Communications in Oracle Solaris Trusted Extensions Configuration Guide
On the remote system that is the LDAP server – Configuring the Solaris Management Console for LDAP (Task Map) in Oracle Solaris Trusted Extensions Configuration Guide
For details, see Initialize the Solaris Management Console Server in Trusted Extensions in Oracle Solaris Trusted Extensions Configuration Guide.
Then, choose one of the following scopes.
This Computer (ldap-server: Scope=LDAP, Policy=TSOL)
This Computer (ldap-server: Scope=Files, Policy=TSOL)
Then, choose the Scope=Files toolbox.
This Computer (remote-system: Scope=Files, Policy=TSOL)
When you select a tool such as User, a dialog box displays the Solaris Management Console server name, your user name, your role name, and a place to type the role's password. Make sure that the entries are correct.
Type the role's password and press Login as Role. You can now use the Solaris Management Console to manage the system.
Note - Although you can use the Solaris Management Console to run dtappsession, the simplest way to use dtappsession is described in How to Remotely Administer Trusted Extensions With dtappsession.
In this procedure, you run the Solaris Management Console client and server on the remote system, and display the Console on the local system.
Before You Begin
The Trusted Extensions system must have assigned the label ADMIN_LOW to the local system.
Note - A system that is not running the CIPSO protocol, such as a Trusted Solaris system, is an unlabeled system from the viewpoint of a Trusted Extensions system.
The Solaris Management Console server on the remote system must be configured to accept the remote connection. For the procedure, see Enable the Solaris Management Console to Accept Network Communications in Oracle Solaris Trusted Extensions Configuration Guide.
Both systems must have the same user who is assigned the same role that can use the Solaris Management Console. The user can have the normal user's label range, but the role must have the range from ADMIN_LOW to ADMIN_HIGH.
You must be in an administrative role in the global zone.
# xhost + TX-SMC-Server # echo $DISPLAY :n.n
# su - same-username-on-both-systems
$ rlogin -l same-rolename-on-both-systems TX-SMC-Server
$ DISPLAY=local:n.n $ export DISPLAY=local:n.n
$ LOGNAME=same-username-on-both-systems $ export LOGNAME=same-username-on-both-systems
$ USER=same-rolename-on-both-systems $ export USER=same-rolename-on-both-systems
$ /usr/sbin/smc &
When you select a tool such as User, a dialog box displays the Solaris Management Console server name, your user name, your role name, and a place to type the role's password. Make sure that the entries are correct.
Type the role's password and press Login as Role. You can now use the Solaris Management Console to manage the system.
Note - When you try to access network database information from a system that is not the LDAP server, the operation fails. The Console allows you to log in to the remote host and open the toolbox. However, when you try to access or change information, the following error message indicates that you have selected Scope=LDAP on a system that is not the LDAP server:
Management server cannot perform the operation requested. ... Error extracting the value-from-tool. The keys received from the client were machine, domain, Scope. Problem with Scope.
The user's default label range and the zone's default behavior are changed to enable remote login by a non-role. You might want to complete this procedure for a tester who is using a remote labeled system. For security reasons, the tester's system should be running a disjoint label from other users.
Before You Begin
You must have a very good reason why this user can log in to the global zone.
You must be in the Security Administrator role in the global zone.
Use the Solaris Management Console to assign a clearance of ADMIN_HIGH and a minimum label of ADMIN_LOW to each user. For details, see How to Modify a User's Label Range in the Solaris Management Console.
The user's labeled zones must also permit login.
Use the Solaris Management Console. Port 513 over the TCP protocol enables remote login. For an example, see How to Create a Multilevel Port for a Zone.
# tnctl -fz /etc/security/tsol/tnzonecfg
# svcadm restart svc:/network/login:rlogin
Virtual Network Computing (VNC) technology connects a client to a remote server, then displays the desktop of the remote server in a window on the client. Xvnc is the UNIX version of VNC, which is based on a standard X server. In Trusted Extensions, a client on any platform can connect to an Xvnc that is running Trusted Extensions software, log in to the Xvnc server, then display and work on a multilevel desktop.
Before You Begin
You have installed and configured Trusted Extensions software on the system that is going to be used as the Xvnc server. You have created and booted the labeled zones. Your Xvnc server recognizes the VNC clients by hostname or IP address.
You are superuser in the global zone of the system that is going to be used as the Xvnc server.
For more information, see the Xvnc(1) and vncconfig(1) man pages.
| Caution - If you are running the Solaris 10 10/08 or the Solaris 10 5/08 release, you must patch your system before configuring the server. For a SPARC system, install the latest version of patch 125719. For an x86 system, install the latest version of patch 125720. |
# mkdir -p /etc/dt/config
# cp /usr/dt/config/Xservers /etc/dt/config/Xservers
In this example, the entry is configured to log in to the server without a password. To successfully log in the desktop, the local UID must be none instead of console.
The entry is split for display purposes. The entry must be on one line.
# :0 Local local_uid@console root /usr/X11/bin/Xserver :0 -nobanner :0 Local local_uid@none root /usr/X11/bin/Xvnc :0 -nobanner -AlwaysShared -SecurityTypes None -geometry 1024x768x24 -depth 24
Note - A safer configuration is to require a password by using the -SecurityTypes VncAuth parameter. The Xvnc(1) man page describes password requirements.
# reboot
After reboot, verify that the Xvnc program is running.
# ps -ef | grep Xvnc root 2145 932 0 Jan 18 ? 6:15 /usr/X11/bin/Xvnc :0 -nobanner -AlwaysShared -SecurityTypes None -geometry 1024
For the client system, you have a choice of software. This example uses the Sun VNC software.
# cd SUNW-pkg-directory # pkgadd -d . SUNWvncviewer
% /usr/bin/vncviewer Xvnc-server-hostname
Continue with the login procedure. For a description of the remaining steps, see Logging In to Trusted Extensions in Oracle Solaris Trusted Extensions User’s Guide.
If you logged in to the server as superuser, you can administer the server immediately. If you logged in to the server as a user, you must assume a role to administer the system.
|