This section provides all the procedures that may need to be done when using Sun Ray Software on Oracle Solaris 10 Trusted Extensions. For more information, refer to the Oracle Solaris 10 8/11 Trusted Extensions Administrator's Procedures.
Oracle Solaris 10 uses zones to permit multiple virtualized operating system environments to coexist in a single instance of Oracle Solaris, allowing processes to run in isolation from other activity on the system for added security and control. Sun Ray Software is supported only in the global zone.
Based on your Sun Ray environment, perform the following procedures as root from ADMIN_LOW (global zone).
This procedure is required if your Sun Ray server is configured on a private network. See Chapter 19, Alternate Network Configurations for more information.
Use the Solaris Management Console (SMC) Security Templates to assign the cipso template to the Sun Ray server. Assign all other Sun Ray devices on the network an admin_low label. The admin_low template is assigned to the range of IP addresses you are planning to use in the utadm command.
The /etc/security/tsol/tnrhdb file should contain the following entries when you finish:
192.168.128.1:cipso
192.168.128.0:admin_low
Become root from ADMIN_LOW (global zone).
Start the Solaris Management Console (SMC).
# smc &
Make the following selections:
In the SMC, select Management Tools > Select hostname:Scope=Files, Policy=TSOL.
Select System Configuration > Computers and Networks > Security Templates > cipso.
From the menu bar, choose Action > Properties > Hosts Assigned to Template.
Select Host and type the IP Address of the Sun Ray interconnect (for example, 192.168.128.1).
Click Add and then OK.
Select System Configuration > Computers and Networks > Security Families > admin_low.
From the menu bar, choose Action > Properties > Hosts Assigned to Template.
Select Wildcard.
Type the IP Address of the Sun Ray Interconnect Network (192.168.128.0).
Click Add and then OK.
Assign all Sun Ray servers in the failover group a cipso label.
Select System Configuration > Computers and Networks > Security Families > cipso.
From the menu bar, choose Action > Properties > Hosts Assigned to Template.
Select Host and type the IP Address of the other Sun Ray server.
Click Add and then OK.
Reboot the Sun Ray server.
# /usr/sbin/reboot
Shared multilevel ports must be added to the global zone for the Sun Ray services so that they can be reached from a labeled zone.
Become root from ADMIN_LOW (global zone).
Start the Solaris Management Console (SMC).
# smc &
Go to Management Tools.
Select hostname:Scope=Files, Policy=TSOL.
Select System Configuration > Computers and Networks > Trusted Network Zones > global.
From the menu bar, choose Action > Properties.
Click Add under Multilevel Ports for Shared IP Addresses.
Add 7007 as Port Number, select TCP as Protocol, and click OK.
Repeat the previous step for ports 4120, 7010, and 7015.
Restart network services by running the following command:
# svcadm restart svc:/network/tnctl
Verify that these ports are listed as shared ports by running the following command:
# /usr/sbin/tninfo -m global
Reboot the Sun Ray server.
# /usr/sbin/reboot
The default entry in /etc/security/tsol/tnzonecfg makes three displays available (6001-6003). Increase the number of available X server ports per requirements.
Become root from ADMIN_LOW (global zone).
Start the Solaris Management Console (SMC).
# smc &
Go to Management Tools.
Select the hostname:Scope=Files, Policy=TSOL option.
Select System Configuration > Computers and Networks > Trusted Network Zones > global.
From the menu bar, choose Action > Properties.
Under Multilevel Ports for Zone's IP Addresses, select 6000-6003/tcp.
Click Remove.
Choose Add > Enable Specify A Port Range.
Type 6000 in Begin Port Range Number and 6050 (for 50 displays) in End Port Range Number.
Select TCP as the Protocol.
Click OK.
Reboot the Sun Ray server.
# /usr/sbin/reboot
This procedure describes how to configure the Windows connector on Oracle Solaris Trusted Extensions.
For the Windows connector to function properly on an Oracle Solaris Trusted Extensions server, the Windows terminal server must be made available at the desired level.
As superuser, open a shell window on the Sun Ray server.
To avoid errors that can occur if user environment settings are carried forward, use the following command:
% su - root
Make a Windows system available to the public template.
Start the Solaris Management Console.
# smc &
Make the following selections under Management Tools:
Select hostname:Scope=Files, Policy=TSOL.
Select System Configuration > Computers and Networks > Security Templates > public.
Choose Action > Properties > Hosts Assigned to Template.
Select Host.
Type the IP Address of the Windows system, for example, 10.6.100.100.
Click Add.
Click OK.
Configure port 7014 as a shared multilevel port for the uttscpd daemon.
If the Solaris Management Console is not already running, start it:
# smc &
Select hostname:Scope=Files, Policy=TSOL.
Select System Configuration > Computers and Networks > Trusted Network Zones > global.
Choose Action > Properties.
Enable ports by clicking Add under Multilevel Ports for Shared IP Addresses.
Add 7014 as Port Number, select TCP as the Protocol, and click OK.
Restart network services.
# svcadm restart svc:/network/tnctl
Verify that this port is listed as a shared port.
# /usr/sbin/tninfo -m global
Create entries for the uttscpd daemon in each local zone.
The /etc/services file entry for the SRWC proxy daemon is created automatically in the global zone at configuration time. Corresponding entries need to be created in the local zones. These entries can be created manually or by loopback-mounting the global zone /etc/services file into the local zones for read access.
To create this entry manually, insert the following entry in the local zone file.
uttscpd 7014/tcp # SRWC proxy daemon
Loopback mount the /etc/opt/SUNWuttsc directory in each local zone. The following example shows how to do this for the local zone named public.
# zoneadm -z public halt
# zonecfg -z public
zonecfg:public> add fs
zonecfg:public:fs> set dir=/etc/opt/SUNWuttsc
zonecfg:public:fs> set special=/etc/opt/SUNWuttsc
zonecfg:public:fs> set type=lofs
zonecfg:public:fs> end
zonecfg:public> commit
zonecfg:public> exit
# zoneadm -z public boot
(Optional) For TLS peer verification to work, make sure the CA certificates to be trusted are available under the /etc/sfw/openssl/certs folder in each local zone.
Reboot the Sun Ray server.
# /usr/sbin/reboot
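The following shell script is an added example; it is not part of the Sun Ray guide or of the product. It reads the files that the SMC steps in the procedures above modify and checks for the end state those procedures describe: the cipso and admin_low assignments in tnrhdb, the shared multilevel ports 7007, 4120, 7010, 7015 and 7014 plus the widened display range in tnzonecfg, and the uttscpd entry in a local zone's /etc/services. The tnzonecfg field layout assumed here (zone:label:flags:private MLPs:shared MLPs, with ";"-separated port/proto entries) and every sample file are constructed for the example; on a real server the functions would be pointed at the live files.

```shell
#!/bin/sh
# Added verification script; not part of the Sun Ray guide or product.
# Assumed formats: tnrhdb lines are "address:template"; tnzonecfg lines are
# "zone:label:flags:private_mlps:shared_mlps" with ";"-separated "port/proto"
# or "low-high/proto" entries. Labels may contain ":" themselves, so the two
# MLP lists are read as the last two fields. All sample contents are constructed.

# Shared MLPs the procedures add to the global zone: 7007, 4120, 7010 and 7015
# for Sun Ray services, 7014 for the SRWC proxy daemon (uttscpd)
SUNRAY_SHARED_PORTS="7007 4120 7010 7015 7014"

# tnrhdb_template FILE ADDRESS: print the template assigned to ADDRESS
tnrhdb_template() {
    awk -F: -v a="$2" '$0 !~ /^#/ && $1 == a { print $2; exit }' "$1"
}

# check_tnrhdb FILE SERVER_IP NETWORK: the interconnect address must carry
# the cipso template and the network wildcard admin_low
check_tnrhdb() {
    [ "$(tnrhdb_template "$1" "$2")" = "cipso" ] &&
    [ "$(tnrhdb_template "$1" "$3")" = "admin_low" ]
}

# mlp_list FILE ZONE private|shared: print the requested MLP list for ZONE
mlp_list() {
    awk -F: -v z="$2" -v w="$3" '$0 !~ /^#/ && $1 == z {
        v = (w == "shared") ? $NF : $(NF-1); print v; exit }' "$1"
}

# mlp_covers LIST PORT PROTO: succeed if PORT/PROTO lies inside an entry of LIST
mlp_covers() {
    printf '%s\n' "$1" | awk -F';' -v p="$2" -v pr="$3" '
        { for (i = 1; i <= NF; i++) {
              if (split($i, e, "/") != 2 || e[2] != pr) continue
              if (split(e[1], r, "-") == 2) { lo = r[1]; hi = r[2] }
              else { lo = e[1]; hi = e[1] }
              if (p + 0 >= lo + 0 && p + 0 <= hi + 0) found = 1 } }
        END { exit found ? 0 : 1 }'
}

# check_shared_mlps FILE: every Sun Ray port must be a shared MLP of the global zone
check_shared_mlps() {
    shared=$(mlp_list "$1" global shared)
    for port in $SUNRAY_SHARED_PORTS; do
        mlp_covers "$shared" "$port" tcp ||
            { echo "missing shared MLP ${port}/tcp in global zone" >&2; return 1; }
    done
}

# check_display_range FILE COUNT: the global zone's private MLPs must cover
# X server ports 6000..6000+COUNT, i.e. COUNT labeled displays
check_display_range() {
    private=$(mlp_list "$1" global private)
    port=6000
    while [ "$port" -le $((6000 + $2)) ]; do
        mlp_covers "$private" "$port" tcp ||
            { echo "display port ${port}/tcp is not a private MLP" >&2; return 1; }
        port=$((port + 1))
    done
}

# check_services FILE: a local zone's services file must carry the uttscpd entry
check_services() {
    awk '$0 !~ /^#/ && $1 == "uttscpd" && $2 == "7014/tcp" { found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# write_samples DIR: constructed copies of the files as the procedures leave them
write_samples() {
    mkdir -p "$1"
    cat > "$1/tnrhdb" <<'EOF'
# constructed sample of /etc/security/tsol/tnrhdb after the assignments
192.168.128.1:cipso
192.168.128.0:admin_low
192.168.128.2:cipso
EOF
    cat > "$1/tnzonecfg" <<'EOF'
# constructed sample of tnzonecfg with 50 displays and the shared ports
global:ADMIN_LOW:1:6000-6050/tcp:7007/tcp;4120/tcp;7010/tcp;7015/tcp;7014/tcp
public:PUBLIC:1::
EOF
    cat > "$1/tnzonecfg.default" <<'EOF'
# constructed sample of the default global entry before the procedures
global:ADMIN_LOW:1:6000-6003/tcp:
EOF
    cat > "$1/services" <<'EOF'
# constructed sample of a local zone's /etc/services with the manual entry
uttscpd 7014/tcp # SRWC proxy daemon
EOF
}

# Stand-alone run: write the samples and report each check
dir=$(mktemp -d)
write_samples "$dir"
check_tnrhdb "$dir/tnrhdb" 192.168.128.1 192.168.128.0 && echo "tnrhdb: ok"
check_shared_mlps "$dir/tnzonecfg" && echo "shared MLPs: ok"
check_display_range "$dir/tnzonecfg" 50 && echo "display range: ok"
check_display_range "$dir/tnzonecfg.default" 50 || echo "default entry: only 6000-6003 (expected)"
check_services "$dir/services" && echo "services: ok"
rm -rf "$dir"
```

On a real server the functions would be run against /etc/security/tsol/tnrhdb, /etc/security/tsol/tnzonecfg and each zone's /etc/services. The files only describe what the next `svcadm restart svc:/network/tnctl` loads, so `tninfo -m global`, as in the procedures above, remains the authoritative view of the multilevel ports the kernel currently has in effect.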