Go to main content

Trusted Extensions Configuration and Administration

Exit Print View

Updated: November 2020

Resolving Security Issues Before Installing Trusted Extensions

For each server on which Trusted Extensions will be configured, you need to make some configuration decisions. For example, you need to decide whether to install the default Trusted Extensions configuration or customize your configuration.

Secure System Hardware and Make Security Decisions Before Enabling Trusted Extensions

For each server on which Trusted Extensions is going to be configured, make these configuration decisions before enabling the software.

  1. Decide how securely the server hardware needs to be protected.

      At a secure site, this step is performed on every Oracle Solaris server.

    • For SPARC servers, choose a PROM security level and provide a password.

    • For x86 servers, protect the BIOS and the GRUB menu.

    • On all servers, protect root with a password.

  2. Prepare your label_encodings file.

    If you have a site-specific label_encodings file, the file must be checked and installed before other configuration tasks can be started. If your site does not have a label_encodings file, you can use the default file that Oracle supplies. Oracle also supplies other label_encodings files, which you can find in the /etc/security/tsol directory. The Oracle files are demonstration files. They might not be suitable for production servers.

    To customize a file for your site, see Trusted Extensions Label Administration. For editing instructions, see How to Check and Install Your Label Encodings File. To install the encodings file after you enable Trusted Extensions but before you reboot, see Enable Trusted Extensions.

  3. From the list of labels in your label_encodings file, make a list of the labeled zones that you plan to create.

    For the default label_encodings file, the labels are the following, and the zone names can be similar to the following:

    Full Label Name
    Proposed Zone Name

    Note -  The automatic configuration method creates the public and internal zones.
  4. Decide when to create roles.

    Your site's security policy can require you to administer Trusted Extensions by assuming a role. If so, you must create these roles early in the configuration process. You can create your own roles, you can install the armor package of seven roles, or you can create roles in addition to the ARMOR roles. For a description of the ARMOR roles, see the ARMOR standard description.

    If you are not required to configure the server by using roles, you can choose to configure the server in the root role. This method of configuration is less secure. The root role can perform all tasks on the server, while other roles typically perform a more limited set of tasks. Therefore, configuration is more controlled when being performed by the roles that you create.

  5. Decide other security issues for each server and for the network.

      For example, you might want to consider the following security issues:

    • Determine which devices can be attached to the server and allocated for use.

    • Identify which printers at what labels are accessible from the server.

    • Identify any servers that have a limited label range, such as a gateway system or a public kiosk.

    • Identify which labeled servers can communicate with particular unlabeled systems.