== Installing the Solaris Trusted Extensions Software on a Laptop Computer

These instructions describe how to enable and configure a laptop system with the Solaris[tm] Trusted Extensions software to run in both connected and disconnected modes. These directions do not apply to previous Solaris 10 updates, nor to opensolaris.2008.05. Instructions for an upcoming opensolaris version will be available soon. The Solaris Trusted Extensions software is automatically installed beginning with the release of the Solaris 10 05/08 (update 5) Operating System and in Nevada builds starting with 76.

This page includes the following tasks, which should be followed in this order:

* [[How to Install and Configure the Solaris Operating System>>#InstallSolaris]]
* [[How to Enable the Solaris Trusted Extensions Software>>#EnableTX]]
* [[How to Configure Your Trusted Extensions System>>#ConfigureTX]]
* [[How to Create the Labeled Zones>>#CreateZones]]
* [[How to Install and Use inetmenu>>#InstallConfigureInetmenu]]
* [[How to Configure Network AutoMagic>>#ConfigureNWAM]]
* [[How to Run Trusted Extensions as a Normal User>>#RunTXNormalUser]]

=== How to Install and Configure the Solaris Operating System

1. Start the Solaris installation process by booting a Solaris DVD or booting from the network.
1. Follow the instructions in the installation wizard to build the installation profile.
Use the default values to build the profile.
**Note -** You must reserve a file system slice that has at least 2 Gbytes of free space and call it /zone.
1. Install the Solaris software.
1. After the Solaris installation completes, use the /zone slice to create a ZFS pool by doing the following:
11. Unmount the /zone slice.
# **umount /zone**
11. Edit the /etc/vfstab file by commenting out the /zone entry.
11. Create the pool.
# **zpool create -f zone** //slicename//
//slicename// should be of the format c//n//d//n//s//n//.
1. This configuration uses a single shared all-zones interface for both the global zone and the labeled zones. The default network label is PUBLIC unless you are connecting to the Sun Wide Area Network.
The networking configuration steps are different for Solaris 10 updates and for Nevada. For Solaris 10 you will use an application called inetmenu to manually select your networking options. Nevada includes a service called Network AutoMagic (nwam), which automatically handles changes to your wired or wireless network.
**If you are running Solaris 10 update 5**, follow these instructions:
11. Create a directory called /opt/tx in which to download the inetmenu package and its Trusted Extensions modifications.
**Caution -** Do //not// install these packages or modifications at this time.
11. Download the inetmenu package from the Laptop Community page on the OpenSolaris web site.
The file is called [[inetmenu-1.9.pkg.gz>>Community Group laptop.inetmenu-1.9.pkg.gz]].
**Caution -** The inetmenu program might be replaced with another utility in the future.
11. Download the inetmenu modifications from the Trusted Extensions page on the OpenSolaris web site.
These modifications enable the inetmenu script to operate properly on a system that runs the Solaris Trusted Extensions software.
The file is called [[inetmenu-tx.tar>>attach:inetmenu-tx.tar]].
11. Remove any network interface configuration files, such as /etc/hostname.* and /etc/dhcp.*.
# **rm /etc/hostname.***
# **rm /etc/dhcp.***
11. Update your /etc/hosts and /etc/inet/ipnodes as follows:
127.0.0.1 localhost loghost
10.1.2.3 //your-hostname//
11. Create the /etc/nodename file.
# **hostname >/etc/nodename**
11. Add the following entry to the /etc/security/tsol/tnrhdb file:
10.1.2.3:cipso
11. Specify the virtual network interface (vni) for your system by adding the following to the /etc/hostname.vni0 file.
# **echo `hostname` all-zones >>/etc/hostname.vni0**
For more information, see the vni(7) man page.
11. Add the following to the LOCAL DEFINITIONS section of the /etc/security/tsol/label_encodings file.
Default Label View is Internal;
This step addresses a problem with the default translation mode for the admin_low and admin_high labels.
11. (Optional) If your system has NIS enabled, disable it by doing the following:
# **cp /etc/nsswitch.files /etc/nsswitch.conf**
# **mv /var/yp /var/yp.save**
**If you are running a Nevada build**, follow these instructions:
11. Download the tx-nwam scripts from [[tx-nwam.tar>>attach:tx-nwam.tar]] to the directory /etc/nwam. Don't extract the tarball yet.
11. Edit the file /usr/dt/config/Xinitrc.tjds to explicitly set the DISPLAY variable prior to invoking gnome-session:
**DISPLAY=localhost:0**
**export DISPLAY**
**PATH=/usr/bin:/usr/sbin:/usr/openwin/bin:/usr/X11/bin:/usr/dt/bin:/usr/sfw/bin**
The DISPLAY setting is required because of recent changes (build 85) in Xlib, which no longer uses TCP sockets if the DISPLAY hostname matches the string returned by the hostname command. The PATH setting is suggested as a convenience, especially when assuming roles.

=== How to Enable the Solaris Trusted Extensions Software

11. To enable Trusted Extensions, run the following command:
**svcadm enable -s labeld**
11. Reboot the system.
When the reboot completes, the system is running the Solaris Trusted Extensions software.

=== How to Configure Your Trusted Extensions System

11. Log in to Trusted Extensions JDS (GNOME) as superuser.
11. Open a terminal window.
11. Get the network interface status.
# **ifconfig -a**
Verify that you have at least one all-zones interface.
If you are running Solaris 10 update 5, you should see that the IP address for the vni0 interface is the same as the one you specified in the hosts and ipnodes files. Also, the vni0 interface should include the all-zones option.
If you are running Nevada, you should see that lo0, the loopback interface, is all-zones.
11. Start the Solaris Management Console.
# **smc &**
111. From the Toolboxes menu, select the entry for your system that shows Scope=Files, Policy=TSOL.
111. Click Open.
11. Add yourself as a normal user.
111. From the Navigation bar, select System Configuration, and then double-click the Users icon.
The login window opens.
111. Log in as root.
111. Click User Accounts, and then select Add User With Wizard from the Action menu.
Follow the instructions to add the user.
11. After your account is created, double-click your user icon to modify settings.
111. (Optional) If you are going to be doing demonstrations, open the Rights tab and add these rights:
111* Object Label Management
111* Device Management
111. Open the Trusted Extensions Attributes tab and modify these items:
1111. Set the Clearance value to CONFIDENTIAL RESTRICTED.
1111. Set the Lock Account After Maximum Failed Logins value to No.
1111. Set the Idle Time value to Forever.
1111. Click OK.
11. Edit the /etc/user_attr file to append the following to your user entry:
;roles=root
This step is a temporary workaround until you have verified that your system is working correctly. At that time, you should configure root as a role.
11. Create security templates for the public and internal zones.
111. From the Navigation bar, select System Configuration, and then double-click the Computers and Networks icon.
111. Click Security Templates, and then choose Add Template from the Action menu.
111. Specify the template name as public.
111. Set the default label to PUBLIC.
111. Set the Domain of Interpretation value to 1.
111. Click OK.
111. Choose Add Template from the Action menu.
111. Specify the template name as internal.
111. Set the default label to CONFIDENTIAL : INTERNAL USE ONLY.
111. Set the Domain of Interpretation value to 1.
111. Click OK.
11. Manually update the kernel cache with trusted networking parameter values.
# **tnctl -T /etc/security/tsol/tnrhtp**
11. Exit the Solaris Management Console.

=== How to Create the Labeled Zones

11. Run the txzonemgr script and follow each of these steps.
**Note -** You must click OK each time to continue.
11. Create a new zone called public.
111. Select Create A New Zone and click OK.
111. Specify the zone name of public.
111. Choose Select_Label and click OK.
111. Choose PUBLIC.
111. Choose Install to install the public zone.
A window opens to show you the progress of the zone installation process.
111. Choose Zone_Console to open the zone console window.
111. Choose Boot to boot the zone.
The public zone reboots automatically, and then reboots a second time automatically.
11. From the zone terminal console window, log in as superuser and run the following commands:
11* Run these commands on a Solaris 10 system:
# **rm /etc/auto_home_public**
# **netservices limited**
# **svcadm disable auditd**
# **svcadm disable cde-login**
# **exit**
11* Run these commands on a Nevada system:
# **rm /etc/auto_home_public**
# **svcadm disable auditd**
# **svcadm disable cde-login**
# **exit**
11. From txzonemgr, create the internal, needtoknow, and restricted zones.
111. Choose Halt to halt the public zone.
111. Choose Create_Snapshot to create a snapshot of the public zone.
111. Choose Boot to boot the public zone.
111. Choose Select Another Zone and click OK.
111. Choose Create A New Zone and click OK.
111. Name the new zone internal.
111. Choose Select_Label and specify a value of CONFIDENTIAL : INTERNAL USE ONLY.
111. Choose Clone and select zone/public@snapshot.
111. Choose Zone_Console to open the zone console for the new zone.
111. Choose Boot to boot the new zone.
111. Repeat Steps d-j for the needtoknow and restricted zones, which use labels CONFIDENTIAL : NEED TO KNOW and CONFIDENTIAL : RESTRICTED, respectively.
111. Choose Exit to exit the txzonemgr program.

=== How to Install and Use inetmenu

If you are running Solaris 10 update 5, you should have downloaded these files from the OpenSolaris web site to the /opt/tx directory of the laptop you are installing:
1* inetmenu-1.9.pkg.gz
1* inetmenu-tx.tar
**Caution -** The inetmenu program might be replaced with another utility in the future.
11. Become superuser.
11. Change to the /opt/tx directory.
11. Unzip and install the inetmenu software.
# **gunzip inetmenu-1.9.pkg.gz**
# **pkgadd -d inetmenu-1.9.pkg**
11. Apply the Trusted Extensions modifications to inetmenu.
# **cd /; tar xvf /opt/tx/inetmenu-tx.tar**
11. Run inetmenu.
# **inetmenu**
11. Select the DHCP-NoNIS option.
Now your network should be up with PUBLIC as the default label. You can run txzonemgr to verify that it is all-zones.

=== How to Configure and Use nwam

If you are running Nevada, you should have downloaded the nwam scripts from the OpenSolaris web site to the /etc/nwam directory of the laptop you are installing. Extract them as follows:
# **cd /etc/nwam; tar xvf tx-nwam.tar**
nwamulp/check-conditionsINTERNAL_DOMAINsun.comINTERNAL_DOMAINinternalpublic
Now edit the file /etc/hosts and add the following entry:
**127.0.0.2 mynfs**
The interface associated with mynfs will be private to the global zone, but will be accessible from all labeled zones. It can be used to share NFS mounts between zones. See the [[Administrator's Guide>>http://docs.sun.com/app/docs/doc/819-7309/txconf-43?a=view]] for more information.

=== How to Run Trusted Extensions as a Normal User

For most users, the public zone should provide network connectivity. However, if you are connected to the Sun Wide Area Network, the default label is CONFIDENTIAL : INTERNAL USE ONLY, so you must use the internal zone.
11. Log out as superuser.
11. Log in as yourself.
Choose the windowing system to use: Trusted Extensions CDE or Trusted Extensions Java[tm] Desktop System. CDE is no longer available in Nevada.
11. Verify that you can assume the root role.
You will need to assume this role to run inetmenu.
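The Solaris 10 update 5 network preparation steps above (removing the hostname.* and dhcp.* files, writing hosts, ipnodes and nodename, the tnrhdb cipso entry, and hostname.vni0) together with the later ifconfig -a all-zones check, scripted as an added shell example that is not part of the original page or of the Trusted Extensions software. The function names, the ROOT argument for rehearsing in a scratch directory, and the sample ifconfig output are this example's own assumptions and constructed data.

```shell
#!/bin/sh
# Added example, not from the original page: scripts the Solaris 10 update 5
# network setup steps and the "ifconfig -a" all-zones check described above.
# ROOT (first argument) is an assumption of this example: "/" applies the
# change to the live system; any other directory rehearses it harmlessly.

# tx_prepare_network ROOT HOSTNAME IP
tx_prepare_network() {
    root=${1:-/}; root=${root%/}
    host=$2
    ip=$3
    etc="$root/etc"
    mkdir -p "$etc/inet" "$etc/security/tsol"

    # Drop per-interface configuration (hostname.*, dhcp.*) so that vni0 is
    # the only configured interface after the reboot.
    for f in "$etc"/hostname.* "$etc"/dhcp.*; do
        if [ -e "$f" ]; then rm -f "$f"; fi
    done

    # hosts and ipnodes carry the loopback entry plus the laptop's own address.
    for db in "$etc/hosts" "$etc/inet/ipnodes"; do
        printf '127.0.0.1\tlocalhost loghost\n%s\t%s\n' "$ip" "$host" > "$db"
    done
    echo "$host" > "$etc/nodename"

    # Trusted networking: the laptop's own address is a labeled (CIPSO) host.
    # Append only when absent so the function can be re-run safely.
    if ! grep -qxF "$ip:cipso" "$etc/security/tsol/tnrhdb" 2>/dev/null; then
        echo "$ip:cipso" >> "$etc/security/tsol/tnrhdb"
    fi

    # One shared all-zones virtual interface for the global and labeled zones.
    echo "$host all-zones" > "$etc/hostname.vni0"
}

# tx_check_all_zones IFNAME IP  (reads "ifconfig -a" output on stdin)
# Succeeds only if interface IFNAME has address IP and the all-zones flag.
tx_check_all_zones() {
    awk -v ifname="$1" -v ip="$2" '
        /^[a-z]/ { cur = $1; sub(/:$/, "", cur) }       # interface header line
        cur == ifname && $1 == "inet" && $2 == ip { haveip = 1 }
        cur == ifname && $1 == "all-zones" { allz = 1 }
        END { exit !(haveip && allz) }'
}

# Constructed sample of "ifconfig -a" output on a prepared laptop, for testing.
sample_ifconfig() {
    printf '%s\n' \
      'lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1' \
      '        inet 127.0.0.1 netmask ff000000' \
      'vni0: flags=20011000803<UP,BROADCAST,MULTICAST,IPv4,VIRTUAL> mtu 0 index 3' \
      '        inet 10.1.2.3 netmask ffffff00' \
      '        all-zones'
}

# Demonstration against the constructed sample (no files are touched here).
if sample_ifconfig | tx_check_all_zones vni0 10.1.2.3; then
    echo "vni0 is all-zones with 10.1.2.3"
fi
```

On a real laptop, run tx_prepare_network / "$(hostname)" 10.1.2.3 as superuser before enabling labeld, then after the reboot pipe the live ifconfig -a into tx_check_all_zones vni0 10.1.2.3.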