Go to main content

Trusted Extensions Configuration and Administration

Exit Print View

Updated: November 2020

Configuration Checklist for Trusted Extensions

This checklist provides an overall view of the major configuration tasks for Trusted Extensions. The smaller tasks are outlined within the major tasks. The checklist does not replace following the steps in this guide.

Checklist for Configuring Trusted Extensions

The following list summarizes what is required to enable and configure Trusted Extensions at your site. Tasks that are covered elsewhere are cross-referenced.

  1. Read.

  2. Prepare.

    • Decide the root password.

    • Decide the PROM or BIOS security level.

    • Decide the PROM or BIOS password.

    • Decide if access to remote printers is permitted.

    • Decide if access to unlabeled networks is permitted.

    • Install the Oracle Solaris OS.

  3. Enable Trusted Extensions. See Installing and Enabling Trusted Extensions.

    1. Load the Trusted Extensions packages.

    2. Run the labeladm enable options command to enable the Trusted Extensions service.

    3. (Optional) Run the labeladm encodings encodings-file command to install your encodings file.

    4. Enable remote administration.

    5. Reboot.

  4. (Optional) Customize the global zone. See Setting Up the Global Zone in Trusted Extensions.

    1. If using a DOI different from 1, set the DOI in the /etc/system file and in every security template.

    2. Verify and install your site's label_encodings file.

    3. Reboot.

  5. Add labeled zones. See Creating Labeled Zones.

    1. Configure two labeled zones automatically.

    2. Configure your labeled zones manually.

  6. Configure the LDAP naming service. See Configuring LDAP for Trusted Extensions.

    Create either a Trusted Extensions proxy server or a Trusted Extensions LDAP server. The files naming service requires no configuration.

  7. Configure interfaces and routing for the global zone and for labeled zones. See Configuring the Network Interfaces in Trusted Extensions.

  8. Configure the network. See Labeling Hosts and Networks.

    • Identify single-label hosts and limited-range hosts.

    • Determine the labels to apply to incoming data from unlabeled hosts.

    • Customize the security templates.

    • Assign individual hosts to security templates.

    • Assign subnets to security templates.

  9. Perform further configurations.

    1. Configure network connections for LDAP.

      • Assign the LDAP server or proxy server to the cipso host type in all security templates.

      • Assign LDAP clients to the cipso host type in all security templates.

      • Make the local system a client of the LDAP server.

    2. Configure local users and local administrative roles. See Creating Roles and Users in Trusted Extensions.

      • Create the Security Administrator role.

      • Create a local user who can assume the Security Administrator role.

      • Create other roles and possibly other local users to assume these roles.

    3. Create home directories at every label that the user can access. See Creating Centralized Home Directories in Trusted Extensions.

      • Create home directories on an NFS server.

      • Create local ZFS home directories that can be encrypted.

      • (Optional) Prevent users from reading their lower-level home directories.

    4. Configure printing. See Configuring Labeled Printing.

    5. Configure Oracle Solaris features.

      • Configure auditing.

      • Configure system security values.

      • Enable particular LDAP clients to administer LDAP.

      • Configure users in LDAP.

      • Configure network roles in LDAP.

    6. Mount and share file systems. See Managing and Mounting Files in Trusted Extensions.