Trusted Extensions Configuration Guide     Oracle Solaris 10 8/11 Information Library
Installing or Upgrading the Oracle Solaris Operating System for Trusted Extensions

The choice of Oracle Solaris installation options can affect the use and security of Trusted Extensions:

Install an Oracle Solaris System to Support Trusted Extensions

This task applies to fresh installations of the Oracle Solaris OS. If you are upgrading, see Prepare an Installed Oracle Solaris System for Trusted Extensions.

Prepare an Installed Oracle Solaris System for Trusted Extensions

This task applies to Oracle Solaris systems that have been in use, and on which you plan to run Trusted Extensions. Also, to run Trusted Extensions on an upgraded Oracle Solaris system, follow this procedure. Other tasks that might modify an installed Oracle Solaris system can be done during Trusted Extensions configuration.

Before You Begin

Trusted Extensions cannot be enabled in some Oracle Solaris environments:

  1. If non-global zones are installed on your system, remove them.

    Or, you can re-install the Oracle Solaris OS. If you are going to re-install the Oracle Solaris OS, follow the instructions in Install an Oracle Solaris System to Support Trusted Extensions.

    Trusted Extensions uses branded zones.

  2. If your system does not have a root password, create one.

    Administration tools in Trusted Extensions require passwords. If the root user does not have a password, then root cannot configure the system.

    Use the default crypt_unix password encryption method for the root user. For details, see Managing Password Information in System Administration Guide: Security Services.


    Note - Users must not disclose their passwords to another person, as that person might then have access to the data of the user and will not be uniquely identified or accountable. Note that disclosure can be direct, through the user deliberately disclosing her/his password to another person, or indirect, for example, through writing it down, or choosing an insecure password. The Oracle Solaris OS provides protection against insecure passwords, but cannot prevent a user from disclosing her or his password, or from writing it down.


  3. If you plan to administer the site from this system, add the Oracle Solaris packages for the Solaris Management Console.

    Trusted Extensions uses the Solaris Management Console to administer the network. If your system was installed with the End User group or a smaller group, the system does not have the packages for the Solaris Management Console.

  4. If you have created an xorg.conf file, you need to modify it.

    Add the following line to the end of the Module section in the /etc/X11/xorg.conf file.

    load "xtsol"

    Note - By default, the xorg.conf file does not exist. Do nothing if this file does not exist.


  5. In the Solaris 10 9/09 and Solaris 10 9/10 releases, if your system is part of an Oracle Solaris Cluster configuration, you can enable Trusted Extensions in the cluster.

    Note - Applications must run only in Oracle Solaris Cluster zone clusters.


    For more information about Oracle Solaris Cluster support of Trusted Extensions, see "How to Prepare for Trusted Extensions Use With Zone Clusters" in Chapter 7, "Creating Non-Global Zones and Zone Clusters" in the Oracle Solaris Cluster Software Installation Guide.

  6. If you are upgrading a Trusted Extensions system, read the following before upgrading the system:
    • Chapter 1, What’s New in the Solaris 10 10/08 Release, in Solaris 10 What’s New

    • Solaris 10 10/08 Release Notes


    Tip - To find pertinent information, search for the string Trusted Extensions.


  7. If you plan to clone zones, create a partition for the ZFS pool.

    To decide on your zone creation method, see Planning Your Labeled Zones in Trusted Extensions.

  8. If you plan to install labeled zones on this system, check that your partitions have sufficient disk space for zones.

    Most systems that are configured with Trusted Extensions install labeled zones. Labeled zones can require more disk space than the installed system has set aside.

    However, some Trusted Extensions systems do not require that labeled zones be installed. For example, a multilevel printing server, a multilevel LDAP server, or a multilevel LDAP proxy server does not require labeled zones to be installed. These systems might not need the extra disk space.

  9. (Optional) Add extra swap space for roles.

    Roles administer Trusted Extensions. Consider adding extra swap for role processes.

  10. (Optional) Dedicate a partition for audit files.

    Trusted Extensions enables auditing by default. For audit files, best practice is to create a dedicated partition.

  11. (Optional) To run a hardened configuration, run the netservices limited command before you enable Trusted Extensions.
    # netservices limited
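
Step 4 written as a repeatable edit. This is an added example, not part of the Oracle guide. It leaves the system alone when xorg.conf does not exist, does nothing when the line is already present, and otherwise inserts load "xtsol" as the last entry of the Module section after saving a copy. The function names, the AWK and XORG_CONF variables, and the .pre-xtsol backup suffix are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not Oracle's code. Function names are hypothetical.
# On Solaris 10 set AWK=nawk: the legacy /usr/bin/awk lacks tolower() and sub().
AWK=${AWK:-awk}
XORG_CONF=${XORG_CONF:-/etc/X11/xorg.conf}   # path from step 4

# Succeeds if an uncommented load "xtsol" line sits inside Section "Module".
has_xtsol() {
    "$AWK" '
        { l = tolower($0); sub(/#.*/, "", l) }
        l ~ /^[ \t]*section[ \t]+"module"/ { m = 1 }
        l ~ /^[ \t]*endsection/ { m = 0 }
        m && l ~ /^[ \t]*load[ \t]+"xtsol"/ { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Succeeds if the file contains an uncommented Section "Module" line.
has_module_section() {
    "$AWK" 'tolower($0) ~ /^[ \t]*section[ \t]+"module"/ { f = 1 }
            END { exit(f ? 0 : 1) }' "$1"
}

# Prints one status word: absent | present | added | no-module-section.
ensure_xtsol() {
    f=${1:-$XORG_CONF}
    [ -f "$f" ] || { echo absent; return 0; }    # no file: do nothing
    has_xtsol "$f" && { echo present; return 0; }
    has_module_section "$f" || { echo no-module-section; return 1; }
    cp -p "$f" "$f.pre-xtsol" || return 1        # keep the original for rollback
    # Rewrite in place, inserting the line just before the first Module
    # section's EndSection so that it ends up last in that section.
    "$AWK" '
        { l = tolower($0) }
        !d && l ~ /^[ \t]*section[ \t]+"module"/ { m = 1 }
        m && l ~ /^[ \t]*endsection/ { print "    load \"xtsol\""; m = 0; d = 1 }
        { print }
    ' "$f.pre-xtsol" > "$f" || return 1
    echo added
}
```

Source the file and call ensure_xtsol with no argument to act on /etc/X11/xorg.conf, or pass a path to try it on a copy first.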