| Skip Navigation Links | |
| Exit Print View | |
|
Trusted Extensions Configuration and Administration Oracle Solaris 11.1 Information Library |
| Skip Navigation Links | |
| Exit Print View | |
|
|
Trusted Extensions Configuration and Administration Oracle Solaris 11.1 Information Library |
Part I Initial Configuration of Trusted Extensions
1. Security Planning for Trusted Extensions
2. Configuration Roadmap for Trusted Extensions
3. Adding the Trusted Extensions Feature to Oracle Solaris (Tasks)
4. Configuring Trusted Extensions (Tasks)
5. Configuring LDAP for Trusted Extensions (Tasks)
Part II Administration of Trusted Extensions
6. Trusted Extensions Administration Concepts
7. Trusted Extensions Administration Tools
8. Security Requirements on a Trusted Extensions System (Overview)
9. Performing Common Tasks in Trusted Extensions
10. Users, Rights, and Roles in Trusted Extensions (Overview)
11. Managing Users, Rights, and Roles in Trusted Extensions (Tasks)
12. Remote Administration in Trusted Extensions (Tasks)
13. Managing Zones in Trusted Extensions
14. Managing and Mounting Files in Trusted Extensions
15. Trusted Networking (Overview)
16. Managing Networks in Trusted Extensions (Tasks)
17. Trusted Extensions and LDAP (Overview)
Quick Reference for the LDAP Naming Service in Trusted Extensions
18. Multilevel Mail in Trusted Extensions (Overview)
19. Managing Labeled Printing (Tasks)
20. Devices in Trusted Extensions (Overview)
21. Managing Devices for Trusted Extensions (Tasks)
22. Trusted Extensions Auditing (Overview)
23. Software Management in Trusted Extensions
Creating and Managing a Security Policy
Site Security Policy and Trusted Extensions
Computer Security Recommendations
Physical Security Recommendations
Personnel Security Recommendations
Additional Security References
B. Configuration Checklist for Trusted Extensions
Checklist for Configuring Trusted Extensions
C. Quick Reference to Trusted Extensions Administration
Administrative Interfaces in Trusted Extensions
Oracle Solaris Interfaces Extended by Trusted Extensions
Tighter Security Defaults in Trusted Extensions
Limited Options in Trusted Extensions
D. List of Trusted Extensions Man Pages
Trusted Extensions Man Pages in Alphabetical Order
Oracle Solaris Man Pages That Are Modified by Trusted Extensions
To achieve uniformity of user, host, and network attributes within a security domain with multiple Trusted Extensions systems, a naming service is used for distributing most configuration information. The svc:/system/name-service/switch service determines which naming service is used. LDAP is the recommended naming service for Trusted Extensions.
The LDAP Server can provide the LDAP naming service for Trusted Extensions and Oracle Solaris clients. The server must include Trusted Extensions network databases, and the Trusted Extensions clients must connect to the server over a multilevel port. The security administrator specifies the multilevel port during system configuration.
Typically, this multilevel port is configured in the global zone for the global zone. Therefore, a labeled zone does not have write access to the LDAP directory. Rather, labeled zones send read requests through the multilevel proxy service that is running on their system or another trusted system on the network. Trusted Extensions also supports an LDAP configuration of one directory server per label. Such a configuration is required when users have different credentials per label.
Trusted Extensions adds two trusted network databases to the LDAP Server: tnrhdb and tnrhtp.
For information about the use of the LDAP naming service in Oracle Solaris, see Part III, LDAP Naming Services, in Oracle Solaris Administration: Naming and Directory Services.
Setting up the LDAP Server for Trusted Extensions is described in Chapter 5, Configuring LDAP for Trusted Extensions (Tasks). Trusted Extensions systems can be clients of an Oracle Solaris LDAP Server by using a proxy that is configured with Trusted Extensions.
Setting up clients of the Trusted Extensions LDAP Server is described in Creating a Trusted Extensions LDAP Client.
If a distributed naming service is not used at a site, administrators must ensure that configuration information for users, systems, and networks is identical on all systems. A change that is made on one system must be made on all systems.
On a locally managed Trusted Extensions system, configuration information is maintained in files in the /etc, /etc/security, and /etc/security/tsol directories, and by configuration properties in the name-service/switch SMF service.
Trusted Extensions extends the Directory Server's schema to accommodate the tnrhdb and tnrhtp databases. Trusted Extensions defines two new attributes, ipTnetNumber and ipTnetTemplateName, and two new object classes, ipTnetTemplate and ipTnetHost.
The attribute definitions are as follows:
ipTnetNumber
( 1.3.6.1.1.1.1.34 NAME 'ipTnetNumber'
DESC 'Trusted network host or subnet address'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE )ipTnetTemplateName
( 1.3.6.1.1.1.1.35 NAME 'ipTnetTemplateName'
DESC 'Trusted network template name'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE )
The object class definitions are as follows:
ipTnetTemplate
( 1.3.6.1.1.1.2.18 NAME 'ipTnetTemplate' SUP top STRUCTURAL
DESC 'Object class for Trusted network host templates'
MUST ( ipTnetTemplateName )
MAY ( SolarisAttrKeyValue ) )
ipTnetHost
( 1.3.6.1.1.1.2.19 NAME 'ipTnetHost' SUP top AUXILIARY
DESC 'Object class for Trusted network host/subnet address
to template mapping'
MUST ( ipTnetNumber $ ipTnetTemplateName ) )
The cipso template definition in LDAP is similar to the following:
ou=ipTnet,dc=example,dc=example1,dc=exampleco,dc=com objectClass=top objectClass=organizationalUnit ou=ipTnet ipTnetTemplateName=cipso,ou=ipTnet,dc=example,dc=example1,dc=exampleco,dc=com objectClass=top objectClass=ipTnetTemplate ipTnetTemplateName=cipso SolarisAttrKeyValue=host_type=cipso;doi=1;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH; ipTnetNumber=0.0.0.0,ou=ipTnet,dc=example,dc=example1,dc=exampleco,dc=com objectClass=top objectClass=ipTnetTemplate objectClass=ipTnetHost ipTnetNumber=0.0.0.0 ipTnetTemplateName=internal
|