JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Trusted Extensions Configuration Guide     Oracle Solaris 10 8/11 Information Library
search filter icon
search icon

Document Information


1.  Security Planning for Trusted Extensions

2.  Configuration Roadmap for Trusted Extensions

Task Map: Preparing an Oracle Solaris System for Trusted Extensions

Task Map: Preparing For and Enabling Trusted Extensions

Task Map: Configuring Trusted Extensions

3.  Adding Trusted Extensions Software to the Oracle Solaris OS (Tasks)

4.  Configuring Trusted Extensions (Tasks)

5.  Configuring LDAP for Trusted Extensions (Tasks)

6.  Configuring a Headless System With Trusted Extensions (Tasks)

A.  Site Security Policy

B.  Using CDE Actions to Install Zones in Trusted Extensions

C.  Configuration Checklist for Trusted Extensions



Task Map: Configuring Trusted Extensions

For a secure configuration process, create roles early. The order of tasks when roles configure the system is shown in the following task map.

1. Configure the global zone.
For Instructions
Protect machine hardware by requiring a password to change hardware settings.
Configure labels. Labels must be configured for your site. If you plan to use the default label_encodings file, you can skip this task.
If you are running an IPv6 network, you modify the /etc/system file to enable IP to recognize labeled packets.
If the CIPSO Domain of Interpretation (DOI) of your network nodes is different from 1, specify the DOI in the /etc/system file.
If you plan to use a ZFS snapshot to clone zones, create the ZFS pool.
Boot to activate a labeled environment. Upon login, you are in the global zone. The system's label_encodings file enforces mandatory access control (MAC).
Initialize the Solaris Management Console. This GUI is used to label zones, among other tasks.
Create the Security Administrator role and other roles that you plan to use locally. You create these roles just as you would create them in the Oracle Solaris OS.

You can delay this task until the end. For the consequences, see Devising a Configuration Strategy for Trusted Extensions.

Skip the next set of tasks if you are using local files to administer the system.

2. Configure a naming service.
For Instructions
If you plan to use files to administer Trusted Extensions, you can skip the following tasks.
No configuration is required for the files naming service.
If you have an existing Sun Java System Directory Server (LDAP server), add Trusted Extensions databases to the server. Then make your first Trusted Extensions system a proxy of the LDAP server.

If you do not have an LDAP server, then configure your first system as the server.

Manually set up an LDAP toolbox for the Solaris Management Console. The toolbox can be used to modify Trusted Extensions attributes on network objects.
For systems that are not the LDAP server or proxy server, make them an LDAP client.
In the LDAP scope, create the Security Administrator role and other roles that you plan to use.

You can delay this task until the end. For the consequences, see Devising a Configuration Strategy for Trusted Extensions.

3. Create labeled zones.
For Instructions
Run the txzonemgr command.

Follow the menus to configure the network interfaces, then create and customize the first labeled zone. Then, copy or clone the rest of the zones.

Or, use Trusted CDE actions.
(Optional) After all zones are successfully customized, add zone-specific network addresses and default routing to the labeled zones.

The following tasks might be necessary in your environment.

4. Complete system setup.
For Instructions
Identify additional remote hosts that require a label, one or more multilevel ports, or a different control message policy.
Create a multilevel home directory server, then automount the installed zones.
Configure auditing, mount file systems, and perform other tasks before enabling users to log in to the system.
Add users from an NIS environment to your LDAP server.
Add a host and its labeled zones to the LDAP server.