How to Install and Configure Trusted Extensions

Perform the following tasks:

Ensure that the Oracle Solaris OS is installed to support Oracle Solaris Cluster and Trusted Extensions software. See How to Install Oracle Solaris Software for more information about installing Oracle Solaris software to meet Oracle Solaris Cluster software requirements.
If an external name service is used, ensure that an LDAP naming service is configured for use by Trusted Extensions. See Chapter 6, Configuring LDAP for Trusted Extensions in Trusted Extensions Configuration and Administration
Review requirements and guidelines for Trusted Extensions in a zone cluster. See Guidelines for Trusted Extensions in a Zone Cluster.

This procedure prepares the global cluster to use the Trusted Extensions feature of Oracle Solaris with zone clusters. If you do not plan to enable Trusted Extensions, proceed to Creating a Zone Cluster.

Perform this procedure on each node in the global cluster.

Assume the root role on a node of the global cluster.
Install and configure Trusted Extensions software.

Follow procedures in Chapter 3, Adding the Trusted Extensions Feature to Oracle Solaris in Trusted Extensions Configuration and Administration.
Disable the Trusted Extensions zoneshare and zoneunshare scripts.
The Trusted Extensions zoneshare and zoneunshare scripts support the ability to export home directories on the system. An Oracle Solaris Cluster configuration does not support this feature.

Disable this feature by replacing each script with a symbolic link to the /bin/true utility.
```
phys-schost# ln -s /bin/true /usr/lib/zones/zoneshare
phys-schost# ln -s /bin/true /usr/lib/zones/zoneunshare
```
Configure all logical-hostname and shared-IP addresses that are to be used in the zone cluster.

See How to Create a Default Trusted Extensions System in Trusted Extensions Configuration and Administration.
Enable remote login by the LDAP server to the global-cluster node.
1. In the /etc/default/login file, comment out the CONSOLE entry.
2. Enable remote login using ssh.
```
phys-schost# svcadm enable ssh
```
3. Modify the /etc/pam.conf file.
  1. Save a copy of the login file, then open the original file.
```
# cd /etc/pam.d
# cp login login.orig
# pfedit login
```
  2. Modify the account management entries by appending a Tab and typing allow_remote or allow_unlabeled respectively, as shown below.
```
other   account requisite       pam_roles.so.1        Tab  allow_remote
other   account required        pam_unix_account.so.1 Tab  allow_unlabeled
```
Modify the admin_low template.
1. Assign the admin_low template to each IP address that does not belong to a Trusted Extensions machine that is used by the global zone.
```
# tncfg -t admin_low
tncfg:admin_low> add host=ip-address1
tncfg:admin_low> add host=ip-address2
…
tncfg:admin_low> exit
```
2. Remove the wildcard address 0.0.0.0/32 from the tncfg template.
```
# tncfg -t admin_low remove host=0.0.0.0
```
Assign the cipso template to each IP address that does belong to a Trusted Extensions machine that is used by the global zone.
```
# tncfg -t cipso
tncfg:cipso> add host=ip-address1
tncfg:cipso> add host=ip-address2
…
tncfg:cipso> exit
```
Repeat Step 1 through Step 7 on each remaining node of the global cluster.

When all steps are completed on all global-cluster nodes, perform the remaining steps of this procedure on each node of the global cluster.
On each global-cluster node, add the IP address of the Trusted Extensions-enabled LDAP server to the /etc/inet/hosts file.

The LDAP server is used by the global zone and by the nodes of the zone cluster.
Make the global-cluster node an LDAP client.

See Chapter 6, Configuring LDAP for Trusted Extensions in Trusted Extensions Configuration and Administration.
Add Trusted Extensions users.

See Creating Roles and Users in Trusted Extensions in Trusted Extensions Configuration and Administration.

Next Steps

Create the zone cluster. Go to Creating a Zone Cluster.