Trusted Extensions configurationtask maps configuring Trusted Extensionstask maps This chapter outlines the tasks for enabling and configuring Solaris Trusted Extensions software. roadmapsTask Map: Preparing a Solaris System for Trusted Extensions Task Map: Preparing a Solaris System for Trusted Extensions Ensure that the Solaris OS on which you plan to run Trusted Extensions supports the features of Trusted Extensions that you plan to use. Complete one of the two tasks that are described in the following task map.Task For Instructions Prepare an existing or upgraded Solaris installation for Trusted Extensions. Prepare an Installed Solaris System for Trusted Extensions Install the Solaris OS with Trusted Extensions features in mind. Install a Solaris System to Support Trusted Extensions roadmapsTask Map: Preparing For and Enabling Trusted Extensions Task Map: Preparing For and Enabling Trusted Extensions To prepare a Trusted Extensions system before configuring it, complete the tasks that are described in the following task map.Task For Instructions Complete the preparation of your Solaris system. Task Map: Preparing a Solaris System for Trusted Extensions Back up your system. For a Trusted Solaris 8 system, back up the system as described in the documentation for your release. A labeled backup can be restored to each identically labeled zone. For a Solaris system, see System Administration Guide: Basic Administration. Gather information and make decisions about your system and your Trusted Extensions network. Collecting Information and Making Decisions Before Enabling Trusted Extensions Enable Trusted Extensions. Enable Solaris Trusted Extensions Configure the system. For a system with a monitor, see Task Map: Configuring Trusted Extensions. For a headless system, see Headless System Configuration in Trusted Extensions (Task Map). For a Sun Ray, see Sun Ray Server Software 4.1 Installation and Configuration Guide for the Solaris Operating System. To configure initial client-server communication, see Configuring Trusted Network Databases (Task Map). For a laptop, go to the OpenSolaris Community: Security web page. Click Trusted Extensions. On the Trusted Extensions page under Laptop Configurations, click Laptop instructions. To prevent networks from communicating with the global zone, configure the vni0 interface. For an example, see the Laptop instructions.In the Solaris Express Community Edition, you do not need to configure the vni0 interface. By default, the lo0 interface is an all-zones interface. You can make your external connection, dhcp, be an all-zones interface. For instructions, see the Laptop instructions. roadmapsTask Map: Configuring Trusted Extensions Task Map: Configuring Trusted Extensions For a secure configuration process, create roles early. The order of tasks when roles configure the system is shown in the following task map.1. Configure the global zone. Tasks For Instructions Protect machine hardware by requiring a password to change hardware settings. Controlling Access to System Hardware in System Administration Guide: Security Services Configure labels. Labels must be configured for your site. If you plan to use the default label_encodings file, you can skip this task. Check and Install Your Label Encodings File If you are running an IPv6 network, you modify the /etc/system file to enable IP to recognize labeled packets. Enable IPv6 Networking in Trusted Extensions If the CIPSO Domain of Interpretation (DOI) of your network nodes is different from 1, specify the DOI in the /etc/system file. Configure the Domain of Interpretation If you plan to use a Solaris ZFS snapshot to clone zones, create the ZFS pool. Create ZFS Pool for Cloning Zones Boot to activate a labeled environment. Upon login, you are in the global zone. The system's label_encodings file enforces mandatory access control (MAC). Reboot and Log In to Trusted Extensions Initialize the Solaris Management Console. This GUI is used to label zones, among other tasks. Initialize the Solaris Management Console Server in Trusted Extensions Create the Security Administrator role and other roles that you plan to use locally. You create these roles just as you would create them in the Solaris OS.You can delay this task until the end. For the consequences, see Devising a Configuration Strategy for Trusted Extensions. Creating Roles and Users in Trusted ExtensionsVerify That the Trusted Extensions Roles Work Skip the next set of tasks if you are using local files administer the system.2. Configure a naming service. Tasks For Instructions If you plan to use files to administer Trusted Extensions, you can skip the following tasks. No configuration is required for the files naming service. If you have an existing Sun Java System Directory Server (LDAP server), add Trusted Extensions databases to the server. Then make your first Trusted Extensions system a proxy of the LDAP server.If you do not have an LDAP server, then configure your first system as the server. Chapter 5, Configuring LDAP for Trusted Extensions (Tasks) Manually set up an LDAP toolbox for the Solaris Management Console. The toolbox can be used to modify Trusted Extensions attributes on network objects. Configuring the Solaris Management Console for LDAP (Task Map) For systems that are not the LDAP server or proxy server, make them an LDAP client. Make the Global Zone an LDAP Client in Trusted Extensions In the LDAP scope, create the Security Administrator role and other roles that you plan to use.You can delay this task until the end. For the consequences, see Devising a Configuration Strategy for Trusted Extensions. Creating Roles and Users in Trusted ExtensionsVerify That the Trusted Extensions Roles Work 3. Create labeled zones. Tasks For Instructions Run the txzonemgr command. Follow the menus to configure the network interfaces, then create and customize the first labeled zone. Then, copy or clone the rest of the zones. Creating Labeled Zones Or, use Trusted CDE actions. Appendix B, Using CDE Actions to Install Zones in Trusted Extensions (Optional) After all zones are successfully customized, add zone-specific network addresses and default routing to the labeled zones. Adding Network Interfaces and Routing to Labeled Zones The following tasks might be necessary in your environment.4. Complete system setup. Tasks For Instructions Identify additional remote hosts that require a label, one or more multilevel ports, or a different control message policy. Configuring Trusted Network Databases (Task Map) Create a multilevel home directory server, then automount the installed zones. Creating Home Directories in Trusted Extensions Configure auditing, mount file systems, and perform other tasks before enabling users to log in to the system. Part II, Administration of Trusted Extensions Add users from an NIS environment to your LDAP server. Add an NIS User to the LDAP Server Add a host and its labeled zones to the LDAP server. Configuring Trusted Network Databases (Task Map)