This section provides all the procedures that may need to be done when using Sun Ray Software on Oracle Solaris Trusted Extensions. For the latest Oracle Solaris Trusted Extensions information, see http://download.oracle.com/docs/cd/E19253-01/index.html.
Based on your Sun Ray environment, perform the following procedures as root from ADMIN_LOW (global zone).
This procedure is required if your Sun Ray server is configured on a private network. See Chapter 20, Alternate Network Configurations for more information.
Use the Solaris Management Console (SMC) Security Templates to assign the cipso template to the Sun Ray server. Assign all other Sun Ray devices on the network an admin_low label. The admin_low template is assigned to the range of IP addresses you are planning to use in the utadm command.
The /etc/security/tsol/tnrhdb file should contain the following entries when you finish:
192.168.128.1:cipso
192.168.128.0:admin_low
Become root from ADMIN_LOW (global zone).
Start the Solaris Management Console (SMC).
# smc &
Make the following selections:
In the SMC, select Management Tools->Select hostname:Scope=Files, Policy=TSOL.
Select System Configuration->Computers and Networks->Security Templates->cipso.
From the menu bar, choose Action->Properties->Hosts Assigned to Template.
Select Host and type the IP address of the Sun Ray interconnect (for example, 192.168.128.1).
Click Add and then OK.
Select System Configuration->Computers and Networks->Security Families->admin_low.
From the menu bar, choose Action->Properties->Hosts Assigned to Template.
Select Wildcard.
Type the IP address of the Sun Ray interconnect network (192.168.128.0).
Click Add and then OK.
Assign all Sun Ray servers in the failover group a cipso label.
Select System Configuration->Computers and Networks->Security Families->cipso.
From the menu bar, choose Action->Properties->Hosts Assigned to Template.
Select Host and type the IP address of the other Sun Ray server.
Click Add and then OK.
Reboot the Sun Ray server.
# /usr/sbin/reboot
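The following POSIX shell script is an added example, not part of the Sun Ray or Trusted Extensions documentation. It resolves which tnrhdb template applies to a given address by reproducing the most-specific-match rule (an exact host entry wins over a network wildcard) and then reports whether the Sun Ray server resolves to cipso and each client address to admin_low, which is the end state the procedure above describes. The tnrhdb content is constructed, and the old-style "a.b.c.0" wildcard syntax shown in the procedure is assumed for network entries.

```shell
#!/bin/sh
# Added example: resolve tnrhdb template assignments for a host address.
# The sample tnrhdb below is constructed, not taken from a real system,
# and the "a.b.c.0" network wildcard form from the procedure is assumed.

# Write a constructed tnrhdb to a temp file and print its path.
make_sample_tnrhdb() {
    f=${TMPDIR:-/tmp}/tnrhdb.$$
    cat > "$f" <<'EOF'
# host-or-network:template   (constructed sample)
127.0.0.1:cipso
192.168.128.1:cipso
192.168.128.0:admin_low
192.168.128.2:admin_high
EOF
    echo "$f"
}

# tnrhdb_lookup FILE IP -> prints the template that applies to IP, or
# "none". An exact host entry wins; otherwise the wildcard entry for the
# address's /24 network (last octet 0) applies.
tnrhdb_lookup() {
    file=$1; ip=$2
    net=$(echo "$ip" | awk -F. '{ printf "%s.%s.%s.0", $1, $2, $3 }')
    awk -F: -v ip="$ip" -v net="$net" '
        /^#/ || NF < 2 { next }
        $1 == ip  { exact = $2 }
        $1 == net { wild  = $2 }
        END {
            if (exact != "") print exact
            else if (wild != "") print wild
            else print "none"
        }' "$file"
}

# tnrhdb_check FILE SERVER_IP CLIENT_IP... -> 0 when the server resolves
# to cipso and every client to admin_low, 1 otherwise. One report line
# is printed per address.
tnrhdb_check() {
    file=$1; server=$2; shift 2
    rc=0
    t=$(tnrhdb_lookup "$file" "$server")
    echo "server $server -> $t"
    [ "$t" = cipso ] || rc=1
    for c in "$@"; do
        t=$(tnrhdb_lookup "$file" "$c")
        echo "client $c -> $t"
        [ "$t" = admin_low ] || rc=1
    done
    return $rc
}

# Usage: the server and two client addresses from the utadm range.
sample=$(make_sample_tnrhdb)
tnrhdb_check "$sample" 192.168.128.1 192.168.128.10 192.168.128.11 \
    || echo "tnrhdb assignments incomplete"
```

Because 192.168.128.2 carries an explicit admin_high entry in the sample, checking it as a client fails, which is the kind of stray per-host entry that silently breaks a DTU on the interconnect.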
Shared multilevel ports have to be added to the global zone for the Sun Ray services so that they can be reached from a labeled zone.
Become root from ADMIN_LOW (global zone).
Start the Solaris Management Console (SMC).
# smc &
Go to Management Tools.
Select hostname:Scope=Files, Policy=TSOL.
Select System Configuration->Computers and Networks->Trusted Network Zones->global.
From the menu bar, choose Action->Properties.
Click Add under Multilevel Ports for Shared IP Addresses.
Add 7007 as Port Number, select TCP as Protocol, and click OK.
Repeat the previous step for ports 5999, 7010, and 7015.
Restart network services by running the following command:
# svcadm restart svc:/network/tnctl
Verify that these ports are listed as shared ports by running the following command:
# /usr/sbin/tninfo -m global
Reboot the Sun Ray server.
# /usr/sbin/reboot
The default entry in /etc/security/tsol/tnzonecfg makes three displays available (6001-6003). Increase the number of available X server ports per requirements.
Become root from ADMIN_LOW (global zone).
Start the Solaris Management Console (SMC).
# smc &
Go to Management Tools.
Select the hostname:Scope=Files, Policy=TSOL option.
Select System Configuration->Computers and Networks->Trusted Network Zones->global.
From the menu bar, choose Action->Properties.
Under Multilevel Ports for Zone's IP Addresses, select 6000-6003/tcp.
Click Remove.
Choose Add->Enable Specify A Port Range.
Type 6000 in Begin Port Range Number and 6050 (for 50 displays) in End Port Range Number.
Select TCP as the Protocol.
Click OK.
Reboot the Sun Ray server.
# /usr/sbin/reboot
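The following POSIX shell script is an added example, not code from the Sun Ray or Trusted Extensions documentation. It parses a tnzonecfg-style file and checks the outcome of the two preceding procedures: that 7007, 5999, 7010 and 7015 are shared multilevel ports of the global zone, and how many X displays the zone-private 6000-based range covers. The layout assumed is one zone per line with five colon-separated fields (zone:label:flag:zone-private MLPs:shared MLPs) and ";"-separated port/protocol entries, as documented for tnzonecfg(4); the sample file is constructed and deliberately leaves 7015 out. On a live system the authoritative view remains tninfo -m global.

```shell
#!/bin/sh
# Added example: check a tnzonecfg-style file for the multilevel ports the
# procedures require. The five-field colon-separated layout with ";"
# between port/proto entries is assumed from tnzonecfg(4); the sample
# content is constructed.

# Write a constructed tnzonecfg to a temp file and print its path.
make_sample_tnzonecfg() {
    f=${TMPDIR:-/tmp}/tnzonecfg.$$
    cat > "$f" <<'EOF'
# zone:label:flag:zone-private MLPs:shared MLPs   (constructed sample)
global:ADMIN_LOW:1:6000-6050/tcp;515/tcp:6000-6050/tcp;7007/tcp;5999/tcp;7010/tcp
public:PUBLIC:0::
EOF
    echo "$f"
}

# mlp_list FILE ZONE FIELD -> prints the entries (one per line) of field 4
# (zone-private MLPs) or field 5 (shared MLPs) of ZONE's record.
mlp_list() {
    awk -F: -v zone="$2" -v fld="$3" '
        /^#/ { next }
        $1 == zone {
            n = split($fld, a, ";")
            for (i = 1; i <= n; i++) if (a[i] != "") print a[i]
        }' "$1"
}

# has_mlp FILE ZONE FIELD PORT PROTO -> 0 if PORT/PROTO is covered by a
# single-port or lo-hi range entry in that field, else 1.
has_mlp() {
    mlp_list "$1" "$2" "$3" | awk -F/ -v port="$4" -v proto="$5" '
        $2 == proto {
            n = split($1, r, "-")
            lo = r[1] + 0; hi = (n == 2) ? r[2] + 0 : lo
            if (port >= lo && port <= hi) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# missing_shared_ports FILE ZONE PORT... -> prints every TCP port that is
# not a shared MLP of ZONE; returns 0 only when nothing is missing.
missing_shared_ports() {
    file=$1; zone=$2; shift 2
    miss=0
    for p in "$@"; do
        has_mlp "$file" "$zone" 5 "$p" tcp || { echo "$p"; miss=1; }
    done
    return $miss
}

# x_display_count FILE ZONE -> displays covered by the 6000-based TCP range
# in the zone-private field, counted the way the procedure does
# (6000-6003 gives 3, 6000-6050 gives 50).
x_display_count() {
    mlp_list "$1" "$2" 4 | awk -F/ '
        $2 == "tcp" && $1 ~ /^6000-/ { split($1, r, "-"); print r[2] - 6000; exit }'
}

# Usage against the constructed sample.
sample=$(make_sample_tnzonecfg)
missing_shared_ports "$sample" global 7007 5999 7010 7015 \
    || echo "shared MLPs listed above are missing from the global zone"
echo "X displays available in global zone: $(x_display_count "$sample" global)"
```

Running the script against the sample reports 7015 as missing and 50 available displays; pointing the functions at /etc/security/tsol/tnzonecfg after the SMC changes gives the same check on the real file before the reboot.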
This procedure describes how to configure the Windows connector on Oracle Solaris Trusted Extensions.
For the Sun Ray Windows Connector to function properly on an Oracle Solaris Trusted Extensions server, the Windows terminal server must be made available at the desired level.
As superuser, open a shell window on the Sun Ray server.
To avoid errors that can occur if user environment settings are carried forward, use the following command:
% su - root
Make a Windows system available to the public template.
Start the Solaris Management Console.
# smc &
Make the following selections under Management Tools:
Select hostname:Scope=Files, Policy=TSOL.
Select System Configuration->Computers and Networks->Security Templates->public.
Choose Action->Properties->Hosts Assigned to Template.
Select Host.
Type the IP address of the Windows system, for example, 10.6.100.100.
Click Add.
Click OK.
Configure port 7014 as a shared multilevel port for the uttscpd daemon.
If the Solaris Management Console is not already running, start it:
# smc &
Select hostname:Scope=Files, Policy=TSOL.
Select System Configuration->Computers and Networks->Trusted Network Zones->global.
Choose Action->Properties.
Enable ports by clicking Add under Multilevel Ports for Shared IP Addresses.
Add 7014 as Port Number, select TCP as the Protocol, and click OK.
Restart network services.
# svcadm restart svc:/network/tnctl
Verify that this port is listed as a shared port.
# /usr/sbin/tninfo -m global
Create entries for the uttscpd daemon in each local zone.
The /etc/services file entry for the SRWC proxy daemon is created automatically in the global zone at configuration time. Corresponding entries need to be created in the local zones.
These entries can be created manually or by loopback-mounting the global zone /etc/services file into the local zones for read access.
To create this entry manually, insert the following entry in the local zone file:
uttscpd 7014/tcp # SRWC proxy daemon
Loopback mount the /etc/opt/SUNWuttsc directory in each local zone. The following example shows how to do this for a zone named public:
# zoneadm -z public halt
# zonecfg -z public
zonecfg:public> add fs
zonecfg:public:fs> set dir=/etc/opt/SUNWuttsc
zonecfg:public:fs> set special=/etc/opt/SUNWuttsc
zonecfg:public:fs> set type=lofs
zonecfg:public:fs> end
# zoneadm -z public boot
(Optional) For TLS peer verification to work, make sure the CA certificates to be trusted are available under the /etc/sfw/openssl/certs folder in each local zone.
Reboot the Sun Ray server.
# /usr/sbin/reboot
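The following POSIX shell script is an added example, not part of the Sun Ray Windows Connector documentation. It covers the manual /etc/services step above for several local zones at once: the uttscpd entry is appended only when absent, and the edit is refused when the name or 7014/tcp is already bound to a different service, so an existing binding is never silently overridden. The zone names, the "/zone/<name>/root" zone-root layout and the sample services content are all constructed; on a real system pass the path of each zone's /etc/services explicitly.

```shell
#!/bin/sh
# Added example: idempotent, conflict-aware management of the uttscpd
# /etc/services entry in local zones. Zone roots, zone names and the
# sample services content are constructed; "/zone/<name>/root" is an
# assumed layout, not a fact taken from the documentation.

SRWC_NAME=uttscpd
SRWC_PORT=7014/tcp
SRWC_COMMENT="# SRWC proxy daemon"

# make_sample_services ZONE CONTENT -> writes a constructed services file
# under a fake zone root and prints its path.
make_sample_services() {
    d=${TMPDIR:-/tmp}/zone-$1.$$/root/etc
    mkdir -p "$d"
    printf '%s\n' "$2" > "$d/services"
    echo "$d/services"
}

# services_state FILE -> "present" if the exact uttscpd 7014/tcp line is
# there, "conflict" if the name or the port/proto is bound to something
# else, "absent" otherwise. Comment lines and blank lines are skipped.
services_state() {
    awk -v name="$SRWC_NAME" -v port="$SRWC_PORT" '
        /^#/ || NF < 2 { next }
        $1 == name && $2 == port { state = "present"; exit }
        $1 == name || $2 == port { state = "conflict" }
        END { print (state == "" ? "absent" : state) }' "$1"
}

# ensure_srwc_entry FILE -> appends the entry when absent, does nothing
# when present, and returns 1 without touching the file on conflict.
ensure_srwc_entry() {
    case $(services_state "$1") in
        present)
            return 0 ;;
        conflict)
            echo "$1: $SRWC_NAME or $SRWC_PORT already bound to another service" >&2
            return 1 ;;
        absent)
            printf '%s\t%s\t%s\n' "$SRWC_NAME" "$SRWC_PORT" "$SRWC_COMMENT" >> "$1" ;;
    esac
}

# Usage: three constructed zones - clean, already configured, conflicting.
clean=$(make_sample_services public 'ssh 22/tcp')
done_=$(make_sample_services internal "ssh 22/tcp
uttscpd 7014/tcp # SRWC proxy daemon")
bad=$(make_sample_services restricted 'other-svc 7014/tcp # unrelated daemon')

for f in "$clean" "$done_" "$bad"; do
    if ensure_srwc_entry "$f"; then
        echo "$f: ok"
    else
        echo "$f: needs manual review"
    fi
done
```

The conflict check matters because the proxy daemon resolves its port by name: a stale or foreign 7014/tcp line in a zone would leave uttscpd listening somewhere the shared multilevel port configured above does not cover.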