Trusted Extensions Configuration and Administration (Oracle Solaris 11.1 Information Library)
Chapter 5: Configuring LDAP for Trusted Extensions (Tasks)
The LDAP naming service is the supported naming service for Trusted Extensions. If your site is not yet running the LDAP naming service, configure an Oracle Directory Server Enterprise Edition (Directory Server) on a system that is configured with Trusted Extensions.
If your site is already running a Directory Server, then you need to add the Trusted Extensions databases to the server. To access the Directory Server, you then set up an LDAP proxy on a Trusted Extensions system.
Note - If you do not use this LDAP server as an NFS server or as a server for Sun Ray clients, then you do not need to install any labeled zones on this server.
Collect Information for the Directory Server for LDAP
The items are listed in the order of their appearance in the System Install Wizard.
Install the Oracle Directory Server Enterprise Edition
The Directory Server packages are available from the Oracle web site for Sun Software Products.
Before You Begin
You are on a Trusted Extensions system with a global zone. The system has no labeled zones. You must be in the root role in the global zone.
Trusted Extensions LDAP servers are configured for clients that use pam_unix to authenticate to the LDAP repository. With pam_unix, the password operations, and therefore the password policy, are determined by the client. Specifically, the policy set by the LDAP server is not used. For the password parameters that you can set on the client, see Managing Password Information in Oracle Solaris 11.1 Administration: Security Services. For information about pam_unix, see the pam.conf(4) man page.
Note - The use of pam_ldap on an LDAP client is not an evaluated configuration for Trusted Extensions.
The FQDN is the Fully Qualified Domain Name. This name is a combination of the host name and the administration domain, as in this /etc/hosts entry:
## /etc/hosts
...
192.168.5.5 myhost myhost.example-domain.com
Select the most recent software that is appropriate for your platform.
Answer the questions by using the information from Collect Information for the Directory Server for LDAP. For a full list of questions, defaults, and suggested answers, see Chapter 11, Setting Up Oracle Directory Server Enterprise Edition With LDAP Clients (Tasks), in Oracle Solaris Administration: Naming and Directory Services and Chapter 12, Setting Up LDAP Clients (Tasks), in Oracle Solaris Administration: Naming and Directory Services.
Directory Server executables, to add to PATH:
# $PATH
/usr/sbin:.../opt/SUNWdsee/dsee6/bin:/opt/SUNWdsee/dscc6/bin:/opt/SUNWdsee/ds6/bin:/opt/SUNWdsee/dps6/bin
Directory Server man pages, to add to MANPATH:
/opt/SUNWdsee/dsee6/man
Enable and start the common agent container (cacao). If the container is already running, the start command reports that and exits:
# /usr/sbin/cacaoadm enable
# /usr/sbin/cacaoadm start
start: server (pid n) already running
Templates for the SMF services for the Directory Server are in the Oracle Directory Server Enterprise Edition packages.
# dsadm stop /export/home/ds/instances/your-instance
# dsadm enable-service -T SMF /export/home/ds/instances/your-instance
# dsadm start /export/home/ds/instances/your-instance
For information about the dsadm command, see the dsadm(1M) man page.
If you also run a Directory Proxy Server instance, the equivalent dpadm commands are:
# dpadm stop /export/home/ds/instances/your-instance
# dpadm enable-service -T SMF /export/home/ds/instances/your-instance
# dpadm start /export/home/ds/instances/your-instance
For information about the dpadm command, see the dpadm(1M) man page.
Confirm the instance state and its SMF application name:
# dsadm info /export/home/ds/instances/your-instance
Instance Path:         /export/home/ds/instances/your-instance
Owner:                 root(root)
Non-secure port:       389
Secure port:           636
Bit format:            32-bit
State:                 Running
Server PID:            298
DSCC url:              -
SMF application name:  ds--export-home-ds-instances-your-instance
Instance version:      D-A00
Troubleshooting
For strategies to solve LDAP configuration problems, see Chapter 13, LDAP Troubleshooting (Reference), in Oracle Solaris Administration: Naming and Directory Services.
Create an LDAP Client for the Directory Server
You use this client to populate your Directory Server for LDAP. You must perform this task before you populate the Directory Server.
You can create the client temporarily on the Trusted Extensions Directory Server, then remove the client on the server, or you can create an independent client.
Before You Begin
You are in the root role in the global zone.
You can use the Trusted Extensions Directory Server, or add Trusted Extensions to a separate system.
Display the current name-service switch configuration:
# svccfg -s name-service/switch listprop config
config                      application
config/value_authorization  astring  solaris.smf.value.name-service.switch
config/default              astring  "files ldap"
config/host                 astring  "files dns"
config/netgroup             astring  ldap
config/printer              astring  "user files ldap"
Put ldap ahead of dns for host lookups. The running service reads the new value only after name-service/switch is refreshed with svcadm.
# svccfg -s name-service/switch setprop config/host = astring: "files ldap dns"
In this example, the LDAP client is in the example-domain.com domain. The server's IP address is 192.168.5.5.
# ldapclient init -a domainName=example-domain.com -a profileName=default \
> -a proxyDN=cn=proxyagent,ou=profile,dc=example-domain,dc=com \
> -a proxyPassword={NS1}ecc423aad0 192.168.5.5
System successfully configured
The proxy credential is given once as proxyDN and once as proxyPassword; the {NS1} value shown is the page's example, not a value to reuse.
# ldapclient -v mod -a enableShadowUpdate=TRUE \
> -a adminDN=cn=admin,ou=profile,dc=example-domain,dc=com
System successfully configured
For information about the enableShadowUpdate parameter, see enableShadowUpdate Switch in Oracle Solaris Administration: Naming and Directory Services and the ldapclient(1M) man page.
Configure the Logs for the Oracle Directory Server Enterprise Edition
This procedure configures three types of logs: access logs, audit logs, and error logs. The following default settings are not changed:
All logs are enabled and buffered.
Logs are placed in the appropriate /export/home/ds/instances/your-instance/logs/LOG_TYPE directory.
Events are logged at log level 256.
Logs are protected with 600 file permissions.
Access logs are rotated daily.
Error logs are rotated weekly.
The settings in this procedure meet the following requirements:
Audit logs are rotated daily.
Log files that are older than 3 months expire.
Each log type uses a maximum of 20,000 MBytes of disk space.
A maximum of 100 access log files and 100 audit log files is kept, and a maximum of 30 error log files; each file is at most 500 MBytes.
The oldest logs are deleted if less than 500 MBytes free disk space is available.
Additional information is collected in the error logs.
Before You Begin
You must be in the root role in the global zone.
The LOG_TYPE for access is ACCESS. The syntax for configuring logs is the following:
dsconf set-log-prop LOG_TYPE property:value
# dsconf set-log-prop ACCESS max-age:3M
# dsconf set-log-prop ACCESS max-disk-space-size:20000M
# dsconf set-log-prop ACCESS max-file-count:100
# dsconf set-log-prop ACCESS max-size:500M
# dsconf set-log-prop ACCESS min-free-disk-space:500M
# dsconf set-log-prop AUDIT max-age:3M
# dsconf set-log-prop AUDIT max-disk-space-size:20000M
# dsconf set-log-prop AUDIT max-file-count:100
# dsconf set-log-prop AUDIT max-size:500M
# dsconf set-log-prop AUDIT min-free-disk-space:500M
# dsconf set-log-prop AUDIT rotation-interval:1d
By default, the rotation interval for audit logs is one week.
In this configuration, you specify additional data to be collected in the error log.
# dsconf set-log-prop ERROR max-age:3M
# dsconf set-log-prop ERROR max-disk-space-size:20000M
# dsconf set-log-prop ERROR max-file-count:30
# dsconf set-log-prop ERROR max-size:500M
# dsconf set-log-prop ERROR min-free-disk-space:500M
# dsconf set-log-prop ERROR verbose-enabled:on
You can also configure the following settings for each log:
# dsconf set-log-prop LOG_TYPE rotation-min-file-size:undefined
# dsconf set-log-prop LOG_TYPE rotation-time:undefined
For information about the dsconf command, see the dsconf(1M) man page.
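The dsconf settings above are only enforced by the server itself; nothing on the page checks afterwards that the log directory still looks the way the procedure assumes. The following script is an added example, not code from the Oracle page, that audits a log directory against three of the stated properties: files are mode 600, nothing older than the 3-month max-age survives, and the directory stays inside its disk budget. It uses only POSIX find and du, so it runs anywhere; the instance path and the budget in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example (not from the Oracle page): audit a Directory Server log
# directory against the protections the procedure relies on. Paths and
# limits are parameters so the checks can be run against any directory.

# check_log_modes DIR
# Lists every regular file under DIR whose mode is not exactly 0600 (the page
# states that logs are protected with 600 permissions). Returns 1 if any are found.
check_log_modes() {
  bad=$(find "$1" -type f ! -perm 0600)
  if [ -n "$bad" ]; then
    printf 'not mode 0600:\n%s\n' "$bad" >&2
    return 1
  fi
  return 0
}

# count_expired DIR DAYS
# Prints how many files under DIR were last modified more than DAYS days ago.
# With max-age:3M the server should already have purged anything older than
# about 90 days, so a nonzero count means expiry is not working.
count_expired() {
  find "$1" -type f -mtime +"$2" | wc -l | tr -d ' '
}

# check_disk_budget DIR MAX_KB
# Returns 1 if DIR uses more than MAX_KB kilobytes. The procedure sets
# max-disk-space-size:20000M per log type, i.e. 20480000 KB.
check_disk_budget() {
  used=$(du -sk "$1" | cut -f1)
  [ "$used" -le "$2" ]
}

# audit_log_dir DIR MAX_KB DAYS
# Runs all three checks and returns the number of failed checks (0 = clean).
audit_log_dir() {
  dir=$1; max_kb=$2; days=$3; failures=0
  check_log_modes "$dir" || failures=$((failures + 1))
  [ "$(count_expired "$dir" "$days")" -eq 0 ] || failures=$((failures + 1))
  check_disk_budget "$dir" "$max_kb" || failures=$((failures + 1))
  return $failures
}

# Usage on a real instance (hypothetical path from the page's examples):
#   audit_log_dir /export/home/ds/instances/your-instance/logs 20480000 90
```

Because the functions return a count rather than printing a verdict, the script can be dropped into a cron job or an SMF method and its exit status alerted on.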
Configure a Multilevel Port for the Oracle Directory Server Enterprise Edition
To work in Trusted Extensions, the server port of the Directory Server must be configured as a multilevel port (MLP) in the global zone. An MLP lets the server accept connections at any label, so labeled zones on LDAP clients can reach the directory.
Before You Begin
You must be in the root role in the global zone.
# /usr/sbin/txzonemgr &
Add a multilevel port for the TCP protocol. The port number is 389.
Add a multilevel port for the UDP protocol. The port number is 389.
Several LDAP databases have been created or modified to hold Trusted Extensions data about label configuration, users, and remote systems. In this procedure, you populate the Directory Server databases with Trusted Extensions information.
Before You Begin
You must be in the root role in the global zone. You are on an LDAP client where shadow updating is enabled. For the prerequisites, see Create an LDAP Client for the Directory Server.
# mkdir -p /setup/files
# cd /etc
# cp aliases group networks netmasks protocols /setup/files
# cp rpc services auto_master /setup/files
# cd /etc/security/tsol
# cp tnrhdb tnrhtp /setup/files
Caution - Do not copy the *attr files. Rather, use the -S ldap option to the commands that add users, roles, and rights profiles to the LDAP repository. These commands add entries for the user_attr, auth_attr, exec_attr, and prof_attr databases. For more information, see the user_attr(4) and useradd(1M) man pages.
# cp /zone/public/root/etc/auto_home_public /setup/files
# cp /zone/internal/root/etc/auto_home_internal /setup/files
# cp /zone/needtoknow/root/etc/auto_home_needtoknow /setup/files
# cp /zone/restricted/root/etc/auto_home_restricted /setup/files
In the following list of automaps, the first of each pair of lines shows the name of the file. The second line of each pair shows the file contents. The zone names identify labels from the default label_encodings file that is included with the Trusted Extensions software.
Substitute your zone names for the zone names in these lines.
myNFSserver identifies the NFS server for the home directories.
/setup/files/auto_home_public
* myNFSserver_FQDN:/zone/public/root/export/home/&
/setup/files/auto_home_internal
* myNFSserver_FQDN:/zone/internal/root/export/home/&
/setup/files/auto_home_needtoknow
* myNFSserver_FQDN:/zone/needtoknow/root/export/home/&
/setup/files/auto_home_restricted
* myNFSserver_FQDN:/zone/restricted/root/export/home/&
Load every file in the staging area with ldapaddent, passing the database name as the last argument. For example, the following command populates the server from the hosts file in the staging area.
# /usr/sbin/ldapaddent -D "cn=directory manager" \
-w dirmgr123 -a simple -f /setup/files/hosts hosts
If you created the client temporarily on the Directory Server, remove it now. In the global zone, run the ldapclient uninit command. Use verbose output to verify that the system is no longer an LDAP client.
# ldapclient -v uninit
For more information, see the ldapclient(1M) man page.
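Two details of the populate procedure above are easy to get wrong by hand: the caution against loading the *attr files, and the Directory Manager password passed with -w, which is visible to every user in ps output and stays in the root shell's history. The script below is an added example, not code from the Oracle page, that stages the same files the procedure copies, refuses to run if any *attr file has been staged, and loads each database with ldapaddent reading the bind password from a file through its -j passwdFile option (see ldapaddent(1M)) instead of -w. The /etc, /etc/security/tsol and /zone locations are passed as parameters, and the ldapaddent path is overridable, so the functions can be exercised against a scratch tree.

```shell
#!/bin/sh
# Added example (not Oracle's code): stage naming-service files for
# ldapaddent, enforce the page's *attr caution, and load them with the
# Directory Manager password read from a file rather than the command line.

ETC_DBS="aliases group networks netmasks protocols rpc services auto_master"
TSOL_DBS="tnrhdb tnrhtp"
# Labeled zone names from the page's default label_encodings; substitute your own.
ZONES="public internal needtoknow restricted"

# copy_db SRC DEST: copy one database file into the staging area with mode
# 0600, failing loudly if the source is missing.
copy_db() {
  [ -f "$1" ] || { echo "missing $1" >&2; return 1; }
  cp "$1" "$2" && chmod 0600 "$2"
}

# stage_files ETC_DIR TSOL_DIR ZONE_ROOT STAGE_DIR
# On a live system these are /etc, /etc/security/tsol, /zone and /setup/files.
stage_files() {
  etc=$1; tsol=$2; zroot=$3; stage=$4
  mkdir -p "$stage" && chmod 0700 "$stage" || return 1
  for f in $ETC_DBS; do copy_db "$etc/$f" "$stage/$f" || return 1; done
  for f in $TSOL_DBS; do copy_db "$tsol/$f" "$stage/$f" || return 1; done
  for z in $ZONES; do
    copy_db "$zroot/$z/root/etc/auto_home_$z" "$stage/auto_home_$z" || return 1
  done
}

# check_staging STAGE_DIR: return 1 if any *attr file was staged. Those
# databases are populated with the -S ldap option of useradd, roleadd and
# profiles, never with ldapaddent.
check_staging() {
  rc=0
  for f in "$1"/*attr; do
    [ -e "$f" ] || continue
    echo "refusing to load $f: use -S ldap with useradd/roleadd/profiles" >&2
    rc=1
  done
  return $rc
}

# populate_ldap STAGE_DIR PASSWD_FILE [LDAPADDENT]
# Loads every staged file; the database name is the file name, as on the page.
# PASSWD_FILE holds the Directory Manager password and should be mode 0600.
populate_ldap() {
  stage=$1; pwfile=$2; cmd=${3:-/usr/sbin/ldapaddent}
  check_staging "$stage" || return 1
  for path in "$stage"/*; do
    db=${path##*/}
    "$cmd" -D "cn=directory manager" -j "$pwfile" -a simple -f "$path" "$db" \
      || { echo "load of $db failed" >&2; return 1; }
  done
}

# Usage on the Directory Server (paths as in the page's examples):
#   stage_files /etc /etc/security/tsol /zone /setup/files
#   populate_ldap /setup/files /root/dirmgr.pw
```

Delete the password file and the staging area once the load has succeeded; both hold data that should not persist on a multilevel server.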
For instructions, see Labeling Hosts and Networks (Tasks).