JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Trusted Extensions Configuration and Administration     Oracle Solaris 11.1 Information Library
search filter icon
search icon

Document Information

Preface

Part I Initial Configuration of Trusted Extensions

1.  Security Planning for Trusted Extensions

2.  Configuration Roadmap for Trusted Extensions

3.  Adding the Trusted Extensions Feature to Oracle Solaris (Tasks)

4.  Configuring Trusted Extensions (Tasks)

5.  Configuring LDAP for Trusted Extensions (Tasks)

Configuring LDAP on a Trusted Extensions Network (Task Map)

Configuring an LDAP Proxy Server on a Trusted Extensions System (Task Map)

Configuring the Oracle Directory Server Enterprise Edition on a Trusted Extensions System

Collect Information for the Directory Server for LDAP

Install the Oracle Directory Server Enterprise Edition

Create an LDAP Client for the Directory Server

Configure the Logs for the Oracle Directory Server Enterprise Edition

Configure a Multilevel Port for the Oracle Directory Server Enterprise Edition

Populate the Oracle Directory Server Enterprise Edition

Creating a Trusted Extensions Proxy for an Existing Oracle Directory Server Enterprise Edition

Create an LDAP Proxy Server

Creating a Trusted Extensions LDAP Client

Make the Global Zone an LDAP Client in Trusted Extensions

Part II Administration of Trusted Extensions

6.  Trusted Extensions Administration Concepts

7.  Trusted Extensions Administration Tools

8.  Security Requirements on a Trusted Extensions System (Overview)

9.  Performing Common Tasks in Trusted Extensions

10.  Users, Rights, and Roles in Trusted Extensions (Overview)

11.  Managing Users, Rights, and Roles in Trusted Extensions (Tasks)

12.  Remote Administration in Trusted Extensions (Tasks)

13.  Managing Zones in Trusted Extensions

14.  Managing and Mounting Files in Trusted Extensions

15.  Trusted Networking (Overview)

16.  Managing Networks in Trusted Extensions (Tasks)

17.  Trusted Extensions and LDAP (Overview)

18.  Multilevel Mail in Trusted Extensions (Overview)

19.  Managing Labeled Printing (Tasks)

20.  Devices in Trusted Extensions (Overview)

21.  Managing Devices for Trusted Extensions (Tasks)

22.  Trusted Extensions Auditing (Overview)

23.  Software Management in Trusted Extensions

A.  Site Security Policy

Creating and Managing a Security Policy

Site Security Policy and Trusted Extensions

Computer Security Recommendations

Physical Security Recommendations

Personnel Security Recommendations

Common Security Violations

Additional Security References

B.  Configuration Checklist for Trusted Extensions

Checklist for Configuring Trusted Extensions

C.  Quick Reference to Trusted Extensions Administration

Administrative Interfaces in Trusted Extensions

Oracle Solaris Interfaces Extended by Trusted Extensions

Tighter Security Defaults in Trusted Extensions

Limited Options in Trusted Extensions

D.  List of Trusted Extensions Man Pages

Trusted Extensions Man Pages in Alphabetical Order

Oracle Solaris Man Pages That Are Modified by Trusted Extensions

Glossary

Index

Configuring the Oracle Directory Server Enterprise Edition on a Trusted Extensions System

The LDAP naming service is the supported naming service for Trusted Extensions. If your site is not yet running the LDAP naming service, configure an Oracle Directory Server Enterprise Edition (Directory Server) on a system that is configured with Trusted Extensions.

If your site is already running a Directory Server, then you need to add the Trusted Extensions databases to the server. To access the Directory Server, you then set up an LDAP proxy on a Trusted Extensions system.


Note - If you do not use this LDAP server as an NFS server or as a server for Sun Ray clients, then you do not need to install any labeled zones on this server.


Collect Information for the Directory Server for LDAP

Install the Oracle Directory Server Enterprise Edition

The Directory Server packages are available from the Oracle web site for Sun Software Products.

Before You Begin

You are on a Trusted Extensions system with a global zone. The system has no labeled zones. You must be in the root role in the global zone.

Trusted Extensions LDAP servers are configured for clients that use pam_unix to authenticate to the LDAP repository. With pam_unix, the password operations, and therefore the password policy, are determined by the client. Specifically, the policy set by the LDAP server is not used. For the password parameters that you can set on the client, see Managing Password Information in Oracle Solaris 11.1 Administration: Security Services. For information about pam_unix, see the pam.conf(4) man page.


Note - The use of pam_ldap on an LDAP client is not an evaluated configuration for Trusted Extensions.


  1. Before you install the Directory Server packages, add the FQDN to your system's hostname entry.

    The FQDN is the Fully Qualified Domain Name. This name is a combination of the host name and the administration domain, as in:

    ## /etc/hosts
    ...
    192.168.5.5 myhost myhost.example-domain.com
  2. Download the Oracle Directory Server Enterprise Edition packages from the Oracle web site for Sun Software Products.

    Select the most recent software that is appropriate for your platform.

  3. Install the Directory Server packages.

    Answer the questions by using the information from Collect Information for the Directory Server for LDAP. For a full list of questions, defaults, and suggested answers, see Chapter 11, Setting Up Oracle Directory Server Enterprise Edition With LDAP Clients (Tasks), in Oracle Solaris Administration: Naming and Directory Services and Chapter 12, Setting Up LDAP Clients (Tasks), in Oracle Solaris Administration: Naming and Directory Services.

  4. (Optional) Add the environment variables for the Directory Server to your path.
    # $PATH
    /usr/sbin:.../opt/SUNWdsee/dsee6/bin:/opt/SUNWdsee/dscc6/bin:/opt/SUNWdsee/ds6/bin:
    /opt/SUNWdsee/dps6/bin
  5. (Optional) Add the Directory Server man pages to your MANPATH.
    /opt/SUNWdsee/dsee6/man
  6. Enable the cacaoadm program and verify that the program is enabled.
    # /usr/sbin/cacaoadm enable
    # /usr/sbin/cacaoadm start
    start: server (pid n) already running
  7. Ensure that the Directory Server starts at every boot.

    Templates for the SMF services for the Directory Server are in the Oracle Directory Server Enterprise Edition packages.

    • For a Trusted Extensions Directory Server, enable the service.
      # dsadm stop /export/home/ds/instances/your-instance
      # dsadm enable-service -T SMF /export/home/ds/instances/your-instance
      # dsadm start /export/home/ds/instances/your-instance

      For information about the dsadm command, see the dsadm(1M) man page.

    • For a proxy Directory Server, enable the service.
      # dpadm stop /export/home/ds/instances/your-instance
      # dpadm enable-service -T SMF /export/home/ds/instances/your-instance
      # dpadm start /export/home/ds/instances/your-instance

      For information about the dpadm command, see the dpadm(1M) man page.

  8. Verify your installation.
    # dsadm info /export/home/ds/instances/your-instance
    Instance Path:         /export/home/ds/instances/your-instance
    Owner:                 root(root)
    Non-secure port:       389
    Secure port:           636
    Bit format:            32-bit
    State:                 Running
    Server PID:            298
    DSCC url:              -
    SMF application name:  ds--export-home-ds-instances-your-instance
    Instance version:      D-A00

Troubleshooting

For strategies to solve LDAP configuration problems, see Chapter 13, LDAP Troubleshooting (Reference), in Oracle Solaris Administration: Naming and Directory Services.

Create an LDAP Client for the Directory Server

You use this client to populate your Directory Server for LDAP. You must perform this task before you populate the Directory Server.

You can create the client temporarily on the Trusted Extensions Directory Server, then remove the client on the server, or you can create an independent client.

Before You Begin

You are in the root role in the global zone.

  1. Add Trusted Extensions software to a system.

    You can use the Trusted Extensions Directory Server, or add Trusted Extensions to a separate system.

  2. On the client, configure LDAP in the name-service/switch service.
    1. Display the current configuration.
      # svccfg -s name-service/switch listprop config
      config                       application
      config/value_authorization   astring       solaris.smf.value.name-service.switch
      config/default               astring       "files ldap"
      config/host                  astring       "files dns"
      config/netgroup              astring       ldap
      config/printer               astring       "user files ldap"
    2. Change the following property from the default:
      # svccfg -s name-service/switch setprop config/host = astring: "files ldap dns"
  3. In the global zone, run the ldapclient init command.

    In this example, the LDAP client is in the example-domain.com domain. The server's IP address is 192.168.5.5.

    # ldapclient init -a domainName=example-domain.com -a profileName=default \
    > -a proxyDN=cn=proxyagent,ou=profile,dc=example-domain,dc=com \
    > -a proxyDN=cn=proxyPassword={NS1}ecc423aad0 192.168.5.5
    System successfully configured
  4. Set the server's enableShadowUpdate parameter to TRUE.
    # ldapclient -v mod -a enableShadowUpdate=TRUE \
    > -a adminDN=cn=admin,ou=profile,dc=example-domain,dc=com
    System successfully configured

    For information about the enableShadowUpdate parameter, see enableShadowUpdate Switch in Oracle Solaris Administration: Naming and Directory Services and the ldapclient(1M) man page.

Configure the Logs for the Oracle Directory Server Enterprise Edition

This procedure configures three types of logs: access logs, audit logs, and error logs. The following default settings are not changed:

The settings in this procedure meet the following requirements:

Before You Begin

You must be in the root role in the global zone.

  1. Configure the access logs.

    The LOG_TYPE for access is ACCESS. The syntax for configuring logs is the following:

    dsconf set-log-prop LOG_TYPE property:value
    # dsconf set-log-prop ACCESS max-age:3M
    # dsconf set-log-prop ACCESS max-disk-space-size:20000M
    # dsconf set-log-prop ACCESS max-file-count:100
    # dsconf set-log-prop ACCESS max-size:500M
    # dsconf set-log-prop ACCESS min-free-disk-space:500M
  2. Configure the audit logs.
    # dsconf set-log-prop AUDIT max-age:3M
    # dsconf set-log-prop AUDIT max-disk-space-size:20000M
    # dsconf set-log-prop AUDIT max-file-count:100
    # dsconf set-log-prop AUDIT max-size:500M
    # dsconf set-log-prop AUDIT min-free-disk-space:500M
    # dsconf set-log-prop AUDIT rotation-interval:1d

    By default, the rotation interval for audit logs is one week.

  3. Configure the error logs.

    In this configuration, you specify additional data to be collected in the error log.

    # dsconf set-log-prop ERROR max-age:3M
    # dsconf set-log-prop ERROR max-disk-space-size:20000M
    # dsconf set-log-prop ERROR max-file-count:30
    # dsconf set-log-prop ERROR max-size:500M
    # dsconf set-log-prop ERROR min-free-disk-space:500M
    # dsconf set-log-prop ERROR verbose-enabled:on
  4. (Optional) Further configure the logs.

    You can also configure the following settings for each log:

    # dsconf set-log-prop LOG_TYPE rotation-min-file-size:undefined
    # dsconf set-log-prop LOG_TYPE rotation-time:undefined

    For information about the dsconf command, see the dsconf(1M) man page.

Configure a Multilevel Port for the Oracle Directory Server Enterprise Edition

To work in Trusted Extensions, the server port of the Directory Server must be configured as a multilevel port (MLP) in the global zone.

Before You Begin

You must be in the root role in the global zone.

  1. Start the txzonemgr.
    # /usr/sbin/txzonemgr &
  2. Add a multilevel port for the TCP protocol to the global zone.

    The port number is 389.

  3. Add a multilevel port for the UDP protocol to the global zone.

    The port number is 389.

Populate the Oracle Directory Server Enterprise Edition

Several LDAP databases have been created or modified to hold Trusted Extensions data about label configuration, users, and remote systems. In this procedure, you populate the Directory Server databases with Trusted Extensions information.

Before You Begin

You must be in the root role in the global zone. You are on an LDAP client where shadow updating is enabled. For the prerequisites, see Create an LDAP Client for the Directory Server.

  1. Create a staging area for files that you plan to use to populate the naming service databases.
    # mkdir -p /setup/files
  2. Copy the sample /etc files into the staging area.
    # cd /etc
    # cp aliases group networks netmasks protocols /setup/files
    # cp rpc services auto_master /setup/files
    
    # cd /etc/security/tsol
    # cp tnrhdb tnrhtp /setup/files

    Caution

    Caution - Do not copy the *attr files. Rather, use the -S ldap option to the commands that add users, roles, and rights profiles to the LDAP repository. These commands add entries for the user_attr, auth_attr, exec_attr, and prof_attr databases. For more information, see the user_attr(4) and useradd(1M) man pages.


  3. Remove the +auto_master entry from the /setup/files/auto_master file.
  4. Create the zone automaps in the staging area.
    # cp /zone/public/root/etc/auto_home_public /setup/files
    # cp /zone/internal/root/etc/auto_home_internal /setup/files
    # cp /zone/needtoknow/root/etc/auto_home_needtoknow /setup/files
    # cp /zone/restricted/root/etc/auto_home_restricted /setup/files

    In the following list of automaps, the first of each pair of lines shows the name of the file. The second line of each pair shows the file contents. The zone names identify labels from the default label_encodings file that is included with the Trusted Extensions software.

    • Substitute your zone names for the zone names in these lines.

    • myNFSserver identifies the NFS server for the home directories.

    /setup/files/auto_home_public
     * myNFSserver_FQDN:/zone/public/root/export/home/&
    
    /setup/files/auto_home_internal
     * myNFSserver_FQDN:/zone/internal/root/export/home/&
    
    /setup/files/auto_home_needtoknow
     * myNFSserver_FQDN:/zone/needtoknow/root/export/home/&
    
    /setup/files/auto_home_restricted
     * myNFSserver_FQDN:/zone/restricted/root/export/home/&
  5. Use the ldapaddent command to populate the Directory Server with every file in the staging area.

    For example, the following command populates the server from the hosts file in the staging area.

    # /usr/sbin/ldapaddent -D "cn=directory manager" \
    -w dirmgr123 -a simple -f /setup/files/hosts hosts
  6. If you ran the ldapclient command on the Trusted Extensions Directory Server, disable the client on that system.

    In the global zone, run the ldapclient uninit command. Use verbose output to verify that the system is no longer an LDAP client.

    # ldapclient -v uninit

    For more information, see the ldapclient(1M) man page.

  7. To populate the Trusted Extensions network databases in LDAP, use the tncfg command with the -S ldap option.

    For instructions, see Labeling Hosts and Networks (Tasks).