Solaris Trusted Extensions Installation and Configuration
Previous Next

Document Information

Preface

1.  Security Planning for Trusted Extensions

2.  Installation and Configuration Roadmap for Trusted Extensions

3.  Installing Solaris Trusted Extensions Software (Tasks)

Install Team Responsibilities

Installing or Upgrading the Solaris OS for Trusted Extensions

Install a Solaris System to Support Trusted Extensions

Prepare an Installed Solaris System for Trusted Extensions

Collecting Information and Making Decisions Before Installing Trusted Extensions

Collect System Information Before Installing Trusted Extensions

Make System and Security Decisions Before Installing Trusted Extensions

Installing the Solaris Trusted Extensions Packages (Tasks)

Install the Solaris Trusted Extensions Packages

4.  Configuring Trusted Extensions (Tasks)

5.  Configuring LDAP for Trusted Extensions (Tasks)

6.  Configuring a Headless System With Trusted Extensions (Tasks)

A.  Site Security Policy

B.  Using CDE Actions to Install Zones in Trusted Extensions

C.  Configuration Checklist for Trusted Extensions

Glossary

Index

Installing or Upgrading the Solaris OS for Trusted Extensions

The choice of Solaris installation options can affect the use and security of Trusted Extensions:

Install a Solaris System to Support Trusted Extensions

This task applies to fresh installations of the Solaris OS. If you are upgrading, see Prepare an Installed Solaris System for Trusted Extensions.

  • When installing the Solaris OS, take the recommended action on the following installation choices.

    The choices follow the order of Solaris installation questions. Installation questions that are not mentioned in this table do not affect Trusted Extensions.

    Solaris Option

    Trusted Extensions Behavior

    Recommended Action

    NIS naming service

    NIS+ naming service

    Trusted Extensions supports files and LDAP for a naming service. For host name resolution, DNS can be used.

    Do not choose NIS or NIS+. You can choose None, which is equivalent to files. Later, you can configure LDAP to work with Trusted Extensions.

    Upgrade

    Trusted Extensions installs labeled zones with particular security characteristics.

    If you are upgrading, go to Prepare an Installed Solaris System for Trusted Extensions.

    root password

    Administration tools in Trusted Extensions require passwords. If the root user does not have a password, then root cannot configure the system.

    Provide a root password. Do not change the default crypt_unix password encryption method. For details, see Managing Password Information in System Administration Guide: Security Services.

    Developer Group

    Trusted Extensions uses the Solaris Management Console to administer the network. The End User group and smaller groups do not install the packages for the Solaris Management Console.

    On any system that you plan to use to administer other systems, do not install the End User, Core, or Reduced Networking Group.

    Select Products

    You can install Java ES Software from this screen.

    Do not select Solaris 10 Extra Value Software. You add Trusted Extensions software later, in Installing the Solaris Trusted Extensions Packages (Tasks).

    Custom Install

    Because Trusted Extensions installs zones, you might need more disk space in partitions than the default installation supplies.

    Choose Custom Install, and lay out the partitions.

    Consider adding extra swap space for roles. If you plan to clone zones, create a 2000 MB partition for the ZFS pool.

    For auditing files, best practice is to create a dedicated partition.

Prepare an Installed Solaris System for Trusted Extensions

This task applies to Solaris systems that have been in use, and on which you plan to add Trusted Extensions packages. Also, to install Trusted Extensions on an upgraded Solaris 10 system, follow this procedure. Other tasks that might modify an installed Solaris system can be done after the Trusted Extensions packages have been added.

Before You Begin

Trusted Extensions cannot be installed into some Solaris environments:

  • If your system is part of a cluster, Trusted Extensions cannot be installed.

  • The installation of Trusted Extensions into an alternate boot environment (BE) is not supported. Trusted Extensions can only be installed into the current boot environment.

    If live_upgrade tools have been used to install the Solaris OS on an alternate BE, the alternate BE must first be activated, and the system must be booted from the new BE before Trusted Extensions packages are added. Live upgrade and BE are explained in the live_upgrade(5) man page.

  1. If non-global zones are installed on your system, remove them.

    Or, you can re-install the Solaris OS. If you are going to re-install the Solaris OS, follow the instructions in Install a Solaris System to Support Trusted Extensions.

  2. If your system does not have a root password, create one.

    Administration tools in Trusted Extensions require passwords. If the root user does not have a password, then root cannot configure the system.

    Use the default crypt_unix password encryption method for the root user. For details, see Managing Password Information in System Administration Guide: Security Services.

    Note - Users must not disclose their passwords to another person, as that person might then have access to the data of the user and will not be uniquely identified or accountable. Note that disclosure can be direct, through the user deliberately disclosing her/his password to another person, or indirect, for example, through writing it down, or choosing an insecure password. The Solaris OS provides protection against insecure passwords, but cannot prevent a user from disclosing her or his password, or from writing it down.

  3. If you plan to administer the site from this system, add the Solaris packages for the Solaris Management Console.

    Trusted Extensions uses the Solaris Management Console to administer the network. If your system was installed with the End User group or a smaller group, the system does not have the packages for the Solaris Management Console.

  4. If you have created an xorg.conf file, you need to modify it.

    Add the following line to the end of the Module section in the /etc/X11/xorg.conf file.

    load "xtsol"

    Note - By default, the xorg.conf file does not exist. Do nothing if this file does not exist.

  5. If you are upgrading a Solaris Trusted Extensions system, read the following before installing the system:

    Solaris 10 Release Notes – To find pertinent information, search for the string Trusted Extensions.

  6. If you plan to clone zones, create a partition for the ZFS pool.

    To decide on your zone creation method, see Planning for Zones in Trusted Extensions.

  7. If you plan to install labeled zones on this system, check that your partitions have sufficient disk space for zones.

    Most systems that are configured with Trusted Extensions install labeled zones. Labeled zones can require more disk space than the installed system has set aside.

    However, some Trusted Extensions systems do not require that labeled zones be installed. For example, a multilevel printing server, a multilevel LDAP server, or a multilevel LDAP proxy server do not require labeled zones to be installed. These systems might not need the extra disk space.

  8. (Optional) Add extra swap space for roles.

    Roles administer Trusted Extensions. Consider adding extra swap for role processes.

  9. (Optional) Dedicate a partition for audit files.

    Trusted Extensions enables auditing by default. For audit files, best practice is to create a dedicated partition.

  10. (Optional) To run a hardened configuration, run the netservices limited command before you install Trusted Extensions.
    # netservices limited
Previous Next